In this post, I would like to share a walkthrough of the Support Machine from Hack the Box

This room will be considered an Easy machine on Hack The Box

What will you gain from the Support machine?

For the user flag, you will need to

As for the root flag, you need to

Information Gathering on Support Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

From the Nmap result, I notice there are no port 80 open which I believe that we cannot access the website interface

Enumerate further on the SMB sharename for Support Machine

We can analyze the sharename folder by using the smbclient and there’s one sharename that caught my attention which is support-tools

Let’s access the sharename which we successfully have login by using the command above.

We managed to sight a few files that look interesting to explore and analyze further

Therefore, we can download a file into our attacker’s machine.

In order to read the file, we need to unzip the file.

After a while, we got some information from the result of our analysis from ida pro

We can retrieve the ldap password that has been decoded by using python

We can obtain the password to access the machine by using ldapsearch

However, we don’t have any username that we can use to login.

Finally, we have a winner when we run the crackmapexec where we can access the server using winrm

At last, we can login the sever as support

We can read the user flag by typing the command “type C:\Users\support\Desktop\user.txt

Escalate to Root Privileges Access

As we are aware that the machine is Windows Server, we can try using PowerMad.ps1 and PowerView.ps1

We are required to transfer the ps1 file format into the victim’s machine and need to execute the Import-Module command

Let’s create a new account with the password that we created together. Sadly, we got an error and we managed to fix it after a while.

It will look the same as shown above.

We can retrieve some information that we can use after this such as the objectsid

As a result, we are required to run the command above on the victim’s machine

Once that is completed, we can impersonate the administrator with the new account

We can access the machine as an administrator with wmiexec tool but the machine is given us back an connection error

Finally, we have managed to access the machine as an Administrator

We can read the root flag by typing the command “type C:\Users\Administrator\Desktop\root.txt

Extra Information

Leave a Reply

Your email address will not be published. Required fields are marked *