Support: HTB Machine Writeup (Retired)
A series of CTF Writeups. Follow Along!
I started with an Nmap scan and found an SMB port open.
My first instinct was to check whether any files could be accessed anonymously through the SMB service.
There is a file named UserInfo.exe.zip that stands out from the other, commonly seen files. I downloaded it; inside the zip is an executable named UserInfo.exe.
UserInfo.exe appears to query the domain for a user's information. It accepts command-line arguments, including the first name or last name of the user to look up. Looking at its traffic in Wireshark, I found that credentials were sent in clear text.
These credentials are valid, and LDAP queries can be performed with them.
I tried BloodHound enumeration after this but did not find anything. An LLM suggested enumerating with the ldapsearch utility and looking for passwords in its output.
It was not wrong: I found a password for a user in the output.
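Passwords left in free-text directory attributes, like the one the ldapsearch step above turned up, are a hygiene problem a defender can audit for routinely. The script below is an added example (mine, not code from the original post or from ldapsearch) that parses LDIF-style ldapsearch output and flags free-text attributes whose values look credential-bearing. The LDIF entries, DNs and values are constructed sample data, and the list of attributes to inspect is an assumption to adapt to your own schema.

```python
"""Audit an LDAP export (ldapsearch/LDIF text) for credential-bearing attributes.

Added example for this writeup, not part of the original post or any tool it
names. SAMPLE_LDIF is constructed sample data.
"""
import base64
import re

# Free-text attributes where passwords tend to get stashed. Assumed list; your
# directory may use other (custom) attributes, so extend it rather than the regex.
FREE_TEXT_ATTRS = {"info", "description", "comment", "notes", "userpassword"}
# Word-bounded so that 'passport' or 'incredible' do not trip the check.
PASSWORD_HINT = re.compile(r"\b(pass(word|wd|phrase)?|pwd|cred(ential)?s?)\b", re.IGNORECASE)

# Constructed sample export. The second entry carries a password in 'info'
# and another one base64-encoded in 'description' (the 'attr:: value' form).
SAMPLE_LDIF = (
    "dn: CN=alice,CN=Users,DC=corp,DC=example\n"
    "sAMAccountName: alice\n"
    "description: Marketing lead\n"
    "\n"
    "dn: CN=svc-backup,CN=Users,DC=corp,DC=example\n"
    "sAMAccountName: svc-backup\n"
    "info: temp password for backup job: Winter2024!\n"
    "description:: " + base64.b64encode(b"Service account, pwd=SuperSecret1").decode() + "\n"
    "\n"
    "dn: CN=bob,CN=Users,DC=corp,DC=example\n"
    "sAMAccountName: bob\n"
    "description: Handles the passport renewal queue\n"
)


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value' or
    'attr:: base64', folded continuation lines (leading space), comments ('#')."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def find_exposed_credentials(entries):
    """Return (dn, attribute, value) for free-text values that look like a password."""
    hits = []
    for entry in entries:
        dn = entry.get("dn", ["?"])[0]
        for attr, values in entry.items():
            if attr not in FREE_TEXT_ATTRS:
                continue
            for value in values:
                if PASSWORD_HINT.search(value):
                    hits.append((dn, attr, value))
    return hits


def audit(text=SAMPLE_LDIF):
    return find_exposed_credentials(parse_ldif(text))


if __name__ == "__main__":
    for dn, attr, value in audit():
        print(dn)
        print("  %s: %s" % (attr, value))
```

Against a real directory, export with `ldapsearch -LLL` to a file and pass its contents to `audit`. The word-bounded pattern is deliberately conservative; if your directory stashes secrets in other attributes, add them to FREE_TEXT_ATTRS instead of loosening the regex, or the false positives will bury the real hits.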
This user could log in through the WinRM service, so I used evil-winrm to log in and got user.txt.
I turned to bloodhound again.
The Outbound Object Control section of the compromised user's node shows Group Delegated Object Control: the user is a member of the Shared Support Accounts group, and that group has GenericAll over the Domain Controller.
What I like best about BloodHound is that it does not only show the path to a misconfiguration but also explains how to exploit it.
So, I followed the steps.
BloodHound shows that, since the Shared Support Accounts group has GenericAll over the DC, the user can perform an RBCD attack (Resource-Based Constrained Delegation).
This simply means that the compromised user can create a machine account in the domain and configure the DC to allow that machine account to act on behalf of other users when authenticating to the DC.
Once this is done, we can perform the S4U attack with Rubeus to request a Kerberos ticket as Administrator.
Rubeus gives us the ticket base64-encoded, so we decode it and convert it to a format that impacket recognizes, using impacket's ticketConverter script. We can then use psexec to get an Administrator shell on the DC.
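The delegation described in the steps above lives in the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, a binary security descriptor whose DACL lists the principals allowed to act on that computer's behalf, and the machine-account step only works while ms-DS-MachineAccountQuota is above zero. The script below is an added example (mine, not code from the original post, BloodHound, Rubeus or impacket) that parses such a descriptor, flags a computer trusting a SID outside an allow-list, and reports a non-zero quota; it is the check a defender runs to find this path before someone else does. The DNs, SIDs, RIDs and quota are constructed sample values, and build_rbcd_descriptor exists only to fabricate the test blob.

```python
"""Audit resource-based constrained delegation (RBCD) exposure on computer objects.

Added example for this writeup; not code from the original post, BloodHound,
Rubeus or impacket. Structures follow MS-DTYP (self-relative
SECURITY_DESCRIPTOR, ACL, ACCESS_ALLOWED_ACE, SID). DNs, SIDs and the quota
below are constructed sample data.
"""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary SID layout."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data, offset):
    """Decode a binary SID at offset; returns (sid_string, size_in_bytes)."""
    revision, count = data[offset], data[offset + 1]
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs))), 8 + 4 * count


def build_rbcd_descriptor(sids, mask=0x000F01FF):
    """Test fixture only: a self-relative SD whose DACL grants each SID an
    ACCESS_ALLOWED_ACE, the shape msDS-AllowedToActOnBehalfOfOtherIdentity
    takes in the directory."""
    aces = b""
    for sid in sids:
        sid_bytes = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_bytes), mask) + sid_bytes
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sids), 0) + aces  # AclRevision 4 = ACL_REVISION_DS
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20)
    return header + acl


def allowed_to_act_sids(blob):
    """Walk the DACL of the descriptor and return the SIDs holding allow ACEs."""
    revision, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if revision != 1:
        raise ValueError("unsupported security descriptor revision %d" % revision)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []  # no DACL: nobody may act on behalf of this computer
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", blob, off_dacl)
    pos, sids = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(bytes_to_sid(blob, pos + 8)[0])
        pos += ace_size
    return sids


def audit_rbcd(computers, machine_account_quota, trusted_sids=frozenset()):
    """computers: {dn: raw attribute bytes or None}. Returns finding strings."""
    findings = []
    if machine_account_quota > 0:
        findings.append("ms-DS-MachineAccountQuota=%d: any domain user can create the "
                        "machine account an RBCD attack needs; set it to 0" % machine_account_quota)
    for dn, blob in computers.items():
        for sid in (allowed_to_act_sids(blob) if blob else []):
            if sid not in trusted_sids:
                findings.append("%s allows %s to act on behalf of other identities" % (dn, sid))
    return findings


# Constructed sample: a DC trusting a freshly created machine account (RID 5601),
# a workstation with no delegation, and a server with an approved delegation.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
SAMPLE_COMPUTERS = {
    "CN=DC,OU=Domain Controllers,DC=corp,DC=example": build_rbcd_descriptor([DOMAIN_SID + "-5601"]),
    "CN=WS01,CN=Computers,DC=corp,DC=example": None,
    "CN=WEB01,CN=Computers,DC=corp,DC=example": build_rbcd_descriptor([DOMAIN_SID + "-1200"]),
}
APPROVED = frozenset({DOMAIN_SID + "-1200"})  # documented, reviewed delegation


def run_sample():
    return audit_rbcd(SAMPLE_COMPUTERS, machine_account_quota=10, trusted_sids=APPROVED)


if __name__ == "__main__":
    for finding in run_sample():
        print("-", finding)
```

In a real audit, feed `audit_rbcd` the raw attribute bytes as returned over LDAP for every computer object (domain controllers first), with the allow-list built from the delegations your team has actually approved; anything else on a DC is a finding. Setting the machine account quota to 0 and alerting on directory modifications of this attribute close the path this writeup walks.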