{"id":246,"date":"2025-10-07T19:08:00","date_gmt":"2025-10-07T19:08:00","guid":{"rendered":"https:\/\/thecyberstaff.com\/?p=246"},"modified":"2025-12-28T17:58:01","modified_gmt":"2025-12-28T17:58:01","slug":"support-hackthebox-lab","status":"publish","type":"post","link":"https:\/\/thecyberstaff.com\/?p=246","title":{"rendered":"Support- Hackthebox lab"},"content":{"rendered":"\n

I started with an nmap scan for all TCP ports and the top UDP ports. This one looks like an Active Directory Domain Controller.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Added target hostnames to \/etc\/hosts<\/code><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Looking through the SMB shares, I found one “support-tools” that is not default. Looking into the share with guest access, I found some files and one non standard looking binary “UserInfo.exe.zip”.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

I used the tool dnSpy to do code analysis on the binary. I found a password and a key.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

I used this post<\/a> to do this next step. This snippet is an interactive Python session that reverses a simple custom obfuscation to reveal a plaintext secret. It first base64-decodes pass_b64<\/code> into raw bytes, then XORs each byte with the corresponding byte from a repeating key (b\"armando\"<\/code>) using itertools.cycle<\/code>, and finally XORs the result with the constant 223<\/code> (e ^ k ^ 223<\/code>) to produce the original byte values. The bytes are then combined into a bytearray<\/code> and decoded to UTF-8, yielding the plaintext credential nvEfEK16^1aM4$e7AclUf8x$RtWxPW01%lmz<\/code>. This pattern (base64 + repeating-key XOR + fixed-value XOR) is a lightweight obfuscation method.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

With the credentials gathered for the ldap account, I checked them with Netexec and they were good!<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Ran the BloodHoundCE ingestor to collect Active Directory objects and relationships from the domain. The resulting graph exposed privilege paths and group memberships useful for privilege escalation planning.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I used ldapsearch<\/code> with the confirmed credentials to pull user\/group attributes and noted that additional useful data was stored in nonstandard fields (e.g., info). Those attributes helped reveal group memberships and service associations.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Found that the support<\/code> account belongs to the Remote Management Users group, indicating elevated remote administration capabilities. That group membership informed which remote management vectors to attempt next.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Authenticated to the target with Evil-WinRM using the support<\/code> account, giving an interactive Windows shell. This access provided a foothold for data collection and post-exploitation actions.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Analysis of ACLs and BloodHound output showed a GenericAll<\/code> from the Shared Support Accounts group to the DC.SUPPORT.HTB computer object. This means we can abuse resource-based constrained delegation to elevate our access to domain admin.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I uploaded PowerView, Powermad, and Rubeus for the attack and ran PowerView and Powermad.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I created a machine account, crafted an ACL granting that machine SID delegation rights, wrote it into a target computer\u2019s msDS-AllowedToActOnBehalfOfOtherIdentity<\/code> attribute, and thereby enabled the machine account to be trusted for Kerberos delegation to that target \u2014 allowing impersonation of users (including high-privileged accounts) domain takeover.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Collecting RC4 hash with Rubeus<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Successfully obtained a usable Kerberos ticket for a privileged account, which then allowed authenticated access to otherwise-restricted services.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Decoded the Base64-encoded ticket into its binary .kirbi<\/code>\/.ccache<\/code> form and then converted it to the format required by our tooling (e.g., ccache).<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I then converted the ticket to (KRB5CCNAME) and used it with impacket-psexec -k -no-pass<\/code> to authenticate to dc.support.htb<\/code> as administrator@dc.support.htb<\/code>, found a writable ADMIN$<\/code> share, uploaded a payload and created a service.
Service started successfully and elevated to NT AUTHORITY\\SYSTEM<\/strong>, giving full system control on the domain controller.<\/p>\n\n\n\n

\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"

I started with an nmap scan for all TCP ports and the top UDP ports. This one looks like an Active Directory Domain Controller. Added target hostnames to \/etc\/hosts Looking through the SMB shares, I found one “support-tools” that is not default. Looking into the share with guest access, I […]<\/p>\n","protected":false},"author":1,"featured_media":247,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-246","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-pentesting"],"brizy_media":[],"_links":{"self":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/246","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=246"}],"version-history":[{"count":2,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/246\/revisions"}],"predecessor-version":[{"id":329,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/246\/revisions\/329"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/media\/247"}],"wp:attachment":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=246"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=246"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=246"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}