Support

https://cybergladius.com/htb-walkthrough-support/

Step 1

sudo nmap -sS -A 10.10.11.174

The scan returned the following results.

Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-27 23:23 BST
Stats: 0:01:13 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.93% done; ETC: 23:24 (0:00:00 remaining)
Stats: 0:01:19 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.93% done; ETC: 23:24 (0:00:00 remaining)
Stats: 0:01:20 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.93% done; ETC: 23:24 (0:00:00 remaining)
Nmap scan report for 10.10.11.174
Host is up (0.021s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-10-27 22:23:37Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (85%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-10-27T22:23:44
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

TRACEROUTE (using port 139/tcp)
HOP RTT      ADDRESS
1   35.40 ms 10.10.14.1
2   31.68 ms 10.10.11.174

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 81.38 seconds

An in-depth Nmap tells us this is a Window Server running an Active Directory(AD) Domain Controller(DC).

Step 2

Using the dig command we can find the servers name.

dig @10.10.11.174 +short support.htb any

The command returned the following.

10.10.11.174
dc.support.htb.
dc.support.htb. hostmaster.support.htb. 105 900 600 86400 3600

Step 3

Edit the config file to add the DNS of the Windows machine.

# Your system has configured 'manage_etc_hosts' as True.
# As a result, if you wish for changes to this file to persist
# then you will need to either
# a.) make changes to the master file in /etc/cloud/templates/hosts.debian.tmpl
# b.) change or remove the value of 'manage_etc_hosts' in
#     /etc/cloud/cloud.cfg or cloud-config from user-data
#
127.0.1.1 htb-l8pnobmjd3.htb-cloud.com htb-l8pnobmjd3
127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

#HTB
10.10.11.174 dc.support.htb support.htb

Step 4

Lets run the following command to see the contents of the SMB file share.

smbclient -N -L \\\\10.10.11.174

The command returns the following.

Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	support-tools   Disk      support staff tools
	SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

Next we will connect to the support tools directory.

smbclient -N \\\\10.10.11.174\\support-tools

Once we are in the directory. Lets run the dir command to see all the files present.

Lets run the following commands in the SMB session.

SMB:> mask ""
SMB:> recurse ON
SMB:> prompt OFF
SMB:> mget *