In this post, I would like to share a walkthrough of the Support machine from Hack The Box.
This machine is rated Easy on Hack The Box.
What will you gain from the Support machine?
For the user flag, you will need to
As for the root flag, you need to
Information Gathering on Support Machine
Once we have started the VPN connection, which requires a download from Hack The Box, we can start gathering information on the machine by running the command nmap -sC -sV -p- <IP Address> -PN
From the Nmap result, I notice that port 80 is not open, which I believe means that we cannot access a website interface.
Enumerate further on the SMB shares for Support Machine
We can list the shares using smbclient, and one share caught my attention: support-tools.
Let’s access the share, which we have successfully logged in to using the command above.
We spotted a few files that look interesting to explore and analyze further.
Therefore, we can download a file to our attacker machine.
In order to read the file, we need to unzip it.
After a while, we got some information from our analysis in IDA Pro.
We can retrieve the LDAP password by decoding it with Python.
However, we don’t have any username that we can use to log in.
Finally, we have a winner when we run crackmapexec, which shows that we can access the server using WinRM.
At last, we can log in to the server as support.
We can read the user flag by typing the command “type C:\Users\support\Desktop\user.txt”
Escalate to Root Privileges Access
Since we know that the machine is a Windows Server, we can try using PowerMad.ps1 and PowerView.ps1.
We need to transfer the .ps1 files to the victim’s machine and run the Import-Module command on them.
Let’s create a new account with a password that we choose. Sadly, we got an error, which we managed to fix after a while.
It will look the same as shown above.
We can retrieve some information that we will use later, such as the objectsid.
As a result, we are required to run the command above on the victim’s machine.
Once that is completed, we can impersonate the administrator with the new account.
We can access the machine as an administrator with the wmiexec tool, but the machine gives us back a connection error.
Finally, we have managed to access the machine as an Administrator.
We can read the root flag by typing the command “type C:\Users\Administrator\Desktop\root.txt”
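From the defender's side, the account creation and impersonation steps above leave traces in the domain controller's Security log. The following is an added example, not part of the original walkthrough: it assumes the steps follow the resource-based constrained delegation pattern (a standard user creates a machine account, then the same user writes msDS-AllowedToActOnBehalfOfOtherIdentity on another computer object), and the event records, user names, domain and allowed_joiners list are all constructed.

```python
RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"

# Constructed sample records (not taken from the Support machine). Keys mirror
# the Security log fields of event 4741 (computer account created) and
# event 5136 (directory object modified); "Time" is simplified to seconds.
EVENTS = [
    {"EventID": 4741, "Time": 1000, "SubjectUserName": "alice",
     "TargetUserName": "LAB-PC01$"},
    {"EventID": 5136, "Time": 1240, "SubjectUserName": "alice",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=example,DC=test",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"EventID": 4741, "Time": 5000, "SubjectUserName": "svc-join",
     "TargetUserName": "WS-042$"},
    {"EventID": 5136, "Time": 6000, "SubjectUserName": "bob",
     "ObjectDN": "CN=WS-042,CN=Computers,DC=example,DC=test",
     "AttributeLDAPDisplayName": "description"},
    {"EventID": 5136, "Time": 7000, "SubjectUserName": "carol",
     "ObjectDN": "CN=FS01,CN=Computers,DC=example,DC=test",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
]

def unexpected_machine_accounts(events, allowed_joiners):
    """4741 events whose creator is not an approved domain-join account."""
    allowed = {name.lower() for name in allowed_joiners}
    return [e for e in events if e["EventID"] == 4741
            and e["SubjectUserName"].lower() not in allowed]

def delegation_writes(events):
    """5136 events that touch the delegation attribute on any object."""
    return [e for e in events if e["EventID"] == 5136
            and e.get("AttributeLDAPDisplayName", "").lower() == RBCD_ATTR]

def correlate(events, allowed_joiners, window_s=3600):
    """Pair each delegation write with a machine account that the same user
    created at most window_s seconds earlier."""
    findings = []
    for write in delegation_writes(events):
        for made in unexpected_machine_accounts(events, allowed_joiners):
            same_user = made["SubjectUserName"].lower() == write["SubjectUserName"].lower()
            if same_user and 0 <= write["Time"] - made["Time"] <= window_s:
                findings.append((write["SubjectUserName"],
                                 made["TargetUserName"], write["ObjectDN"]))
    return findings

if __name__ == "__main__":
    for user, account, target in correlate(EVENTS, {"svc-join"}):
        print(f"ALERT: {user} created {account}, then changed delegation on {target}")
```

The uncorrelated write by the constructed user carol is still returned by delegation_writes, since any change to that attribute is worth a review on its own.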