🎗️Support
HTB Support — Detailed Solution Notes Platform: Hack The Box | Machine: Support | OS: Windows (Active Directory) | Difficulty: Easy | Vulnerability Types: SMB Null Session, Hardcoded Credentials, LDAP Information Disclosure, & RBCD
🗺️ Attack Chain Summary
- Reconnaissance: An Nmap scan reveals standard Active Directory ports (Kerberos, LDAP, SMB) alongside port 5985 (WinRM).
- Initial Foothold (SMB/Reverse Engineering): An anonymous "null session" connection to the support-tools SMB share allows the download of a custom tool named UserInfo.exe. Extracting UTF-16 strings (strings -el) reveals a base64-encoded, XOR-obfuscated password that, once decoded, provides the credentials for the support\ldap service account.
- Lateral Movement (LDAP & WinRM): Using the compromised LDAP credentials, the domain is queried (ldapsearch). A plaintext password (Ironside47pleasure40Watchful) is discovered in the info attribute of the support user's object. Because this user belongs to the Remote Management Users group, an interactive shell is established via WinRM (port 5985).
- Privilege Escalation (Root/System): BloodHound analysis reveals that the support user holds GenericAll over the Domain Controller's computer object. By leveraging the default MachineAccountQuota, a fake computer account (HACKERPC$) is created. A Resource-Based Constrained Delegation (RBCD) attack is then executed, allowing the attacker to impersonate the Administrator to the DC and take full control of the system.
🧠 How Does a Hacker Think? — The Active Directory Ecosystem
In Active Directory environments, the core vulnerabilities are often "Trust and Misconfiguration." Custom-built IT tools frequently hardcode credentials to speed up processes. LDAP directories act like massive phone books where careless administrators leave temporary passwords in plain sight. If a user has broad permissions like GenericAll over a Domain Controller, the very architecture of AD (such as RBCD) can be weaponized against itself.
1️⃣ Reconnaissance
Network Scanning
The Nmap scan paints the profile of a typical Domain Controller:
- Ports 88 (Kerberos), 389/3268 (LDAP): Confirms the target is the heart of an Active Directory environment.
- Ports 139/445 (SMB): Message signing is required, but file shares can still be enumerated.
- Port 5985 (WinRM): Our gateway for remote command execution.
Environment Setup
For Kerberos and Impacket tools to function correctly via name resolution, the target IP must be mapped to the domain in the local hosts file:
echo "10.129.242.122 support.htb dc.support.htb" | sudo tee -a /etc/hosts
2️⃣ Initial Foothold: The SMB & Reverse Engineering Maneuver
Vulnerability Analysis
SMB (Port 445) is tested for shares that can be listed without authentication (a null session). The command smbclient -N -L //10.129.242.122 reveals a non-default share named support-tools that is readable anonymously.
The Maneuver: UTF-16 String Extraction
The archive UserInfo.exe.zip is downloaded from the share. Inside is a custom .NET application written by the IT team to query LDAP. .NET assemblies store their string literals as UTF-16 (two bytes per character) rather than 8-bit ASCII, so a plain strings run, which only looks for runs of 8-bit printable characters, walks straight past them.
- The Extraction: Running strings -el UserInfo.exe dumps the 16-bit little-endian (UTF-16LE) strings from the binary.
- The Leak: The output reveals the username support\ldap and a base64/XOR-encoded string that, using the key from the binary's own decryption routine, decrypts to the password nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz.
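As an added illustration (not code from the page, and not the UserInfo.exe author's code), the following Python script reproduces the whole maneuver offline: it emulates strings -el on a constructed stand-in for the binary, singles out base64-looking candidates, and reverses the base64-then-XOR obfuscation. The key "armando" and the 0xDF mask are assumptions for the demo; in practice both must be read out of the decompiled decryption routine, which this page does not reproduce. The sample bytes are constructed inline.

```python
import base64
import re

# Assumption for this demo (not stated on the page): the real key and mask
# come from the binary's own decryption routine. These are placeholders.
KEY = b"armando"
MASK = 0xDF

WIDE_RE = rb"(?:[\x20-\x7e]\x00){%d,}"   # printable char followed by NUL, repeated
ASCII_RE = rb"[\x20-\x7e]{%d,}"           # plain 8-bit printable runs
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def wide_strings(blob: bytes, min_len: int = 6) -> list:
    """Emulate `strings -el`: runs of printable UTF-16LE characters."""
    return [m.group().decode("utf-16-le")
            for m in re.finditer(WIDE_RE % min_len, blob)]


def ascii_strings(blob: bytes, min_len: int = 6) -> list:
    """Emulate plain `strings`: runs of printable 8-bit characters."""
    return [m.group().decode("ascii")
            for m in re.finditer(ASCII_RE % min_len, blob)]


def base64_candidates(strs: list) -> list:
    """Keep only strings that look like a base64 blob (length multiple of 4)."""
    return [s for s in strs if B64_RE.match(s) and len(s) % 4 == 0]


def xor_decode(b64_blob: str, key: bytes = KEY, mask: int = MASK) -> str:
    """base64-decode, then XOR each byte with the repeating key and the mask."""
    raw = base64.b64decode(b64_blob)
    return bytes(b ^ key[i % len(key)] ^ mask for i, b in enumerate(raw)).decode("utf-8")


def xor_encode(plain: str, key: bytes = KEY, mask: int = MASK) -> str:
    """Inverse of xor_decode; used here only to construct the sample input."""
    raw = bytes(b ^ key[i % len(key)] ^ mask for i, b in enumerate(plain.encode("utf-8")))
    return base64.b64encode(raw).decode("ascii")


PASSWORD = "nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz"

# Constructed stand-in for the .NET binary: some 8-bit bytes and one ASCII
# string, plus the user-string heap content stored as UTF-16LE.
SAMPLE_BIN = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"LDAP://dc.support.htb\x00\x00\x00"
    + "support\\ldap".encode("utf-16-le") + b"\x00\x00"
    + xor_encode(PASSWORD).encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 6
)


def recover_password(blob: bytes = SAMPLE_BIN, key: bytes = KEY, mask: int = MASK):
    """Return the first wide base64 candidate that decodes to printable text."""
    for cand in base64_candidates(wide_strings(blob)):
        try:
            plain = xor_decode(cand, key, mask)
        except UnicodeDecodeError:
            continue
        if plain.isprintable():
            return plain
    return None


if __name__ == "__main__":
    print("8-bit strings :", ascii_strings(SAMPLE_BIN))
    print("wide strings  :", wide_strings(SAMPLE_BIN))
    print("recovered     :", recover_password())
```

Run against the constructed blob, the 8-bit pass returns only the LDAP URL while the wide pass returns the username and the encoded blob; that gap is exactly what -el closes. Against a real assembly, expect many false candidates from the base64 filter (resource names, GUID-like tokens), so the printable-output check matters, and the key is only ever as secret as the binary that carries it.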
3️⃣ User Access: The LDAP Leak & WinRM Maneuver
The LDAP Query
With the service account (support\ldap), the domain database is queried. A hacker focuses on attributes like info or description where administrators often leave notes.
- The Leak: Using ldapsearch to pull the support user's object reveals a plaintext password in the info attribute: Ironside47pleasure40Watchful.
The Maneuver: WinRM Shell
The support user's object shows membership in the Remote Management Users group, which is what WinRM checks for. Executing evil-winrm -i 10.129.242.122 -u support -p 'Ironside47pleasure40Watchful' grants an interactive PowerShell session over port 5985.
4️⃣ Privilege Escalation: The RBCD Maneuver
Identifying the Weakness
BloodHound data confirms that the support user holds absolute power (GenericAll) over DC.SUPPORT.HTB (the Domain Controller itself).
The "Trojan Horse" Strategy (Adding a Computer Account)
Under default AD settings, the ms-DS-MachineAccountQuota attribute is 10, meaning any authenticated domain user, however low-privileged, can join up to ten computer accounts to the domain.
- Using impacket-addcomputer, a fake computer named HACKERPC$ with a known password is created.
Delegation and Ticket Theft
- Delegating Authority: Leveraging the GenericAll right, the Domain Controller's msDS-AllowedToActOnBehalfOfOtherIdentity attribute is written (impacket-rbcd) with a security descriptor naming HACKERPC$. This tells the DC's computer account to accept S4U2Proxy requests from HACKERPC$, i.e. to let it act on behalf of other users.
- Impersonation: Using HACKERPC$'s credentials, a service ticket is requested (impacket-getST) that impersonates the Administrator account to a service on the DC, via S4U2Self followed by S4U2Proxy. Note that this is a service ticket, not a TGT. The step fails if the impersonated account is marked "sensitive and cannot be delegated" or sits in Protected Users, which is the standard defence against it.
- Breaking the Door: The resulting .ccache ticket is exported through the KRB5CCNAME environment variable (export KRB5CCNAME=Administrator.ccache). Finally, impacket-psexec is run with the -k -no-pass flags so it authenticates with the cached Kerberos ticket instead of a password, granting NT AUTHORITY\SYSTEM access. The target must be given by hostname (dc.support.htb) rather than IP so the ticket's service name matches, which is why the /etc/hosts entry was added during setup.
🛠️ Core Maneuvers Breakdown
- SMB Null Session
- UTF-16 String Extraction
- LDAP Information Disclosure
- Resource-Based Constrained Delegation (RBCD)
🔑 General Hacker Mindset Summary
- Custom Software is a Security Black Hole: If you find an internally developed tool (like UserInfo.exe), immediately look for hardcoded passwords or database connection strings.
- Look Beyond ASCII: In .NET binaries, string literals are stored as UTF-16. If you don't use the correct strings option (-el), you will step right over the password.
- Description Fields are Goldmines: Sysadmins are lazy. Leaving passwords in LDAP info or description text fields is a common and fatal mistake.
- AD is a Graph, Follow the Paths: If a principal has GenericAll over a DC's computer object, you can take over the host without knowing any of its passwords (RBCD). The vulnerability isn't in the code; it's in the permission hierarchy.