Support - HacktheBox (OSCP Prep) - TJ NULLS

Video Link: https://www.youtube.com/watch?v=aE8q5vrQrSI



Duration: 48:47


Correction: I checked AD and did find the "info" option in the list of Attributes in the "attribute editor" in Active Directory Users and Computers

Support kicked my butt. :) An example of a not-so-easy EASY box from HacktheBox. I mean sure, the attack was. I guess it's rated easy because it's well documented and there are tools to nearly automate it. Impacket for me was significantly easier than Rubeus, though.

Support is an Easy difficulty Windows machine that features an SMB share that allows anonymous authentication. After connecting to the share, an executable file is discovered that is used to query the machine's LDAP server for available users. Through reverse engineering, network analysis or emulation, the password that the binary uses to bind to the LDAP server is identified and can be used to make further LDAP queries. A user called support is identified in the users list, and the info field is found to contain his password, thus allowing for a WinRM connection to the machine. Once on the machine, domain information can be gathered through SharpHound, and BloodHound reveals that the Shared Support Accounts group, of which the support user is a member, has GenericAll privileges on the Domain Controller. A Resource Based Constrained Delegation attack is performed, and a shell as NT Authority\System is received.
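Two of the weaknesses named above, a password stored in a user's info field and delegation configured on the Domain Controller, can be checked for in an LDAP export. The following is an added example, not code from the video or from HackTheBox: a small Python audit over LDIF text. The sample data, the extra `description` attribute and the password heuristic are assumptions.

```python
import base64

NOTE_ATTRS = ("info", "description")  # "description" is an added assumption
RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"

def parse_ldif(text):
    """Return a list of {attr_lowercase: [bytes, ...]} dicts, one per entry."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:   # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, cur = [], {}
    for line in logical + [""]:
        if not line.strip():                  # blank line ends an entry
            entries, cur = entries + [cur], {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            is_b64 = value.startswith(":")    # "attr:: <base64>"
            data = base64.b64decode(value[1:].strip()) if is_b64 else value.strip().encode()
            cur.setdefault(name.lower(), []).append(data)
    return [e for e in entries if e]

def looks_like_password(s):
    # Heuristic (assumption): one token, 8+ chars, at least 3 of 4 character classes.
    classes = (any(c.islower() for c in s), any(c.isupper() for c in s),
               any(c.isdigit() for c in s), any(not c.isalnum() for c in s))
    return len(s) >= 8 and " " not in s and sum(classes) >= 3

def audit(entries):
    findings = []
    for e in entries:
        who = e.get("samaccountname", e.get("dn", [b"?"]))[0].decode(errors="replace")
        for attr in NOTE_ATTRS:
            for val in e.get(attr, []):
                if looks_like_password(val.decode(errors="replace")):
                    findings.append((who, attr, "password-like text"))
        if e.get(RBCD_ATTR):
            findings.append((who, RBCD_ATTR, "delegation set; confirm it is intended"))
    return findings

# Constructed sample export: every name and value below is made up.
B = base64.b64encode(b"P@ssw0rd-In-Notes").decode()
SAMPLE_LDIF = "\n".join([
    "dn: CN=svc-help,DC=example,DC=test", "sAMAccountName: svc-help", "info: Temp_Passw0rd!2024", "",
    "dn: CN=alice,DC=example,DC=test", "sAMAccountName: alice", "info: Works Tuesdays only", "",
    "dn: CN=DC01,DC=example,DC=test", "sAMAccountName: DC01$",
    "msDS-AllowedToActOnBehalfOfOtherIdentity:: " + base64.b64encode(b"\x01\x00\x04\x80").decode(), "",
    "dn: CN=bob,DC=example,DC=test", "sAMAccountName: bob", "info:: " + B[:10], " " + B[10:],
])
```

`audit(parse_ldif(SAMPLE_LDIF))` returns one finding per flagged attribute; the last sample entry exercises base64-encoded and folded values, which a plain text search over the export would miss.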

Skills Required
- Basic Windows Knowledge
- Basic Active Directory Knowledge
- Basic LDAP Knowledge
- Basic Windows Enumeration

------------------

Skills Learned
- Connecting to an SMB share
- Querying an LDAP server for information
- Performing a Resource Based Constrained Delegation attack
------------------
Tools
- manual enumeration
- powershell
- impacket
- impacket-ticketer
- impacket-getST
- impacket-psexec
- impacket-smbexec
- rubeus
- powershell empire
- powerview.ps1
- powermad.ps1
- bloodhound
- bloodhound-python
- neo4j
------------------
Certifications:
Practical Network Penetration Tester (PNPT) : TCM Security - https://certifications.tcm-sec.com/pnpt/
Practical Junior Penetration Tester (PJPT): TCM Security - https://certifications.tcm-sec.com/pjpt/
Practical Junior Web Tester (PJWT): TCM Security - https://certifications.tcm-sec.com/pjwt/
Certified Ethical Hacker (CEH): EC-Council
--------------------
Socials:
Tryhackme: https://tryhackme.com/p/NoxLumens
Hackthebox: https://app.hackthebox.com/profile/179139
Twitch: https://twitch.tv/noxlumens
