Support - [HTB]
![Cover Image for Support - [HTB]](/assets/images/blog/Support-htb/Support.png)

Introduction
Support is an easy Windows machine from HackTheBox. The attacker first accesses an SMB share anonymously to download a custom program that carries custom-encoded credentials. After decoding those credentials, they enumerate LDAP and find a password. Some password spraying then gives access to the machine through WinRM. Finally, to become Administrator, the attacker exploits the AD technique "Kerberos Resource-based Constrained Delegation: Computer Object Takeover".
Enumeration
As always, let's start by finding all open ports on the machine with Nmap.
Then we continue with a deeper scan of every open port to get more information about each service.
Reading the Nmap output, it is possible to spot the domain support.htb, which can be added to /etc/hosts.
As can be seen, when enumerating the SMB service anonymously, the contents of the support-tools share can be read.
Inside there are several executables and compressed files.
The file UserInfo.exe.zip seems promising because it is not a known, publicly available tool.
Performing some dynamic analysis by executing the binary on a Windows machine (connected to HTB's VPN), it appears to be capable of retrieving information from the server, more precisely usernames.
Exploitation
Analyzing the file UserInfo.exe with dnSpy, you can find the function getPassword in UserInfo.Services/Protected.
This function base64-decodes the stored password and then applies an XOR operation with three operands. The password can therefore be decoded using CyberChef.
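The scheme described above, base64 wrapped around an XOR with key material that ships inside the binary, is obfuscation rather than protection: anyone who can read the executable can reverse it. The following added example (written for this page, not code from UserInfo.exe or from the box author) makes that concrete with a constructed key, constant and secret; the three-operand XOR is modelled here as byte ^ key[i % len(key)] ^ constant, which is an assumption about the exact form, not a value taken from the binary.

```python
import base64

# Constructed demo material: the key, constant and secret below are made up for
# this example and are NOT the values embedded in UserInfo.exe.
DEMO_KEY = b"demo-key"
DEMO_CONSTANT = 0x5A


def obfuscate(plaintext: bytes, key: bytes = DEMO_KEY, constant: int = DEMO_CONSTANT) -> str:
    """How a developer might 'protect' a hard-coded secret: XOR with a repeating
    key and a constant, then base64 so it looks like opaque data."""
    xored = bytes(b ^ key[i % len(key)] ^ constant for i, b in enumerate(plaintext))
    return base64.b64encode(xored).decode("ascii")


def deobfuscate(blob: str, key: bytes = DEMO_KEY, constant: int = DEMO_CONSTANT) -> bytes:
    """Reverse the scheme. XOR is its own inverse, so recovery needs nothing
    beyond the key material that is already present in the shipped binary."""
    raw = base64.b64decode(blob)
    return bytes(b ^ key[i % len(key)] ^ constant for i, b in enumerate(raw))


# Constructed stand-in for the string a decompiler would show inside the binary.
STORED_BLOB = obfuscate(b"N0t-a-real-secret!")

if __name__ == "__main__":
    print("blob as shipped:", STORED_BLOB)
    print("recovered      :", deobfuscate(STORED_BLOB).decode())
```

The defensive takeaway is that the fix is not a stronger scrambling routine but not embedding a domain credential in a distributed client at all: the lookup the tool performs should run under a dedicated, least-privilege account whose password is never shipped to end users.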
With the decoded credentials, you can now retrieve data from the LDAP server.
Because one of the returned values looks like a password, let's do some password spraying.
As a result, the user support turns out to be allowed to use WinRM remotely, which yields the user flag.
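Password spraying of the kind used above has a recognisable footprint on the domain controller: a burst of logon failures for many different accounts from one source, often followed by a success from that same source. The added example below (written for this page, not part of the original writeup) runs that detection logic over a constructed sample of Security log events reduced to the fields a detection needs; the timestamps, accounts and IP addresses are made up, and the window and threshold are tunable assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables (assumptions for this demo; adjust to the environment's baseline).
SPRAY_WINDOW = timedelta(minutes=5)
DISTINCT_ACCOUNTS_THRESHOLD = 5
BAD_PASSWORD = "0xC000006A"  # NTSTATUS for "wrong password" in event 4625

# Constructed sample events: (timestamp, event id, target user, source ip, status).
# 4625 = logon failure, 4624 = successful logon. All values are made up.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:01", 4625, "alice",   "10.10.14.5", "0xC000006A"),
    ("2024-01-01T10:00:02", 4625, "bob",     "10.10.14.5", "0xC000006A"),
    ("2024-01-01T10:00:03", 4625, "carol",   "10.10.14.5", "0xC000006A"),
    ("2024-01-01T10:00:04", 4625, "dave",    "10.10.14.5", "0xC000006A"),
    ("2024-01-01T10:00:05", 4625, "erin",    "10.10.14.5", "0xC000006A"),
    ("2024-01-01T10:00:06", 4625, "frank",   "10.10.14.5", "0xC000006A"),
    ("2024-01-01T10:00:07", 4624, "support", "10.10.14.5", "0x0"),
    # One user mistyping their own password a few times is not a spray.
    ("2024-01-01T10:05:00", 4625, "grace",   "10.10.20.9", "0xC000006A"),
    ("2024-01-01T10:05:30", 4625, "grace",   "10.10.20.9", "0xC000006A"),
    ("2024-01-01T10:06:00", 4625, "grace",   "10.10.20.9", "0xC000006A"),
]


def detect_password_spray(events, window=SPRAY_WINDOW, threshold=DISTINCT_ACCOUNTS_THRESHOLD):
    """Return one alert per source IP that produced bad-password failures for at
    least `threshold` distinct accounts inside `window`. Each alert lists the
    accounts tried and any account that later logged on successfully from the
    same source (the spray-then-success pattern worth escalating first)."""
    by_source = defaultdict(list)
    for ts, eid, user, src, status in sorted(events, key=lambda e: e[0]):
        by_source[src].append((datetime.fromisoformat(ts), eid, user, status))

    alerts = []
    for src, evs in by_source.items():
        failures = [(t, u) for t, eid, u, st in evs if eid == 4625 and st == BAD_PASSWORD]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the span fits in `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            tried = {u for _, u in failures[start:end + 1]}
            if len(tried) >= threshold:
                burst_start = failures[start][0]
                later_success = sorted({u for t, eid, u, _ in evs
                                        if eid == 4624 and t >= burst_start})
                alerts.append({"source": src,
                               "accounts_tried": sorted(tried),
                               "later_success": later_success})
                break  # one alert per source is enough for this demo
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

Counting distinct target accounts rather than raw failures is what separates a spray from a single user's typos, as the second source in the sample shows; in a real deployment the same logic would be fed from 4625/4771 events forwarded from every domain controller, since a spray is usually spread across them.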
Privilege Escalation
To enumerate the domain, let's use BloodHound.
After importing all the JSON files and analyzing the user "support", it appears that the user is a member of the "Shared support accounts" group, which has the "GenericAll" privilege over the Domain Controller, allowing it to be modified using the technique "Kerberos Resource-based Constrained Delegation: Computer Object Takeover".

To become Administrator, it is necessary to execute the following commands.
Finally, instead of using Rubeus, the ticket can be obtained remotely with getST.
Note: the SPN can be anything.