Support Machine - HTB
Published: 2026-02-22
Disclaimer
Note: For ethical reasons and to encourage learning, some sensitive data (passwords and flags) has been partially or fully redacted.
Reconnaissance
To begin, we create our working directories.
> mkt
> ls
content exploits nmap script
Next, we use nmap to run a port scan and see which services the Support machine exposes.
> cd nmap
> sudo nmap -p- -sS --min-rate 5000 -vvv -n -Pn 10.129.40.34 -oG AllPorts
> extractPorts AllPorts
───────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ File: extractPorts.tmp
───────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │
2 │ [*] Extracting information...
3 │
4 │ [*] IP Address: 10.129.40.34
5 │ [*] Open ports: 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49668,49674,49686,49702,51330
6 │
7 │ [*] Ports copied to clipboard
8 │
───────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
We see several open ports, so we run a more thorough scan to identify the technologies and versions.
> nmap -sCV -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49668,49674,49686,49702,51330 10.129.40.34 -Pn -oN targeted
> cat targeted -l ruby
# Nmap 7.95 scan initiated Sun Apr 19 07:18:13 2026 as: nmap -sCV -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49668,49674,49686,49702,51330 -Pn -oN targeted 10.129.40.34
Nmap scan report for 10.129.40.34
Host is up (0.19s latency).
PORT STATE SERVICE VERSION
53/tcp open domain (generic dns response: SERVFAIL)
| fingerprint-strings:
| DNS-SD-TCP:
| _services
| _dns-sd
| _udp
|_ local
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-19 10:18:20Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49686/tcp open msrpc Microsoft Windows RPC
49702/tcp open msrpc Microsoft Windows RPC
51330/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.95%I=7%D=4/19%Time=69E4ABFB%P=x86_64-pc-linux-gnu%r(DNS-
SF:SD-TCP,30,"\0\.\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04
SF:_udp\x05local\0\0\x0c\0\x01");
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-04-19T10:19:12
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 19 07:19:56 2026 -- 1 IP address (1 host up) scanned in 103.20 seconds
There are several services; to start, we check the SMB service with the netexec tool.
> nxc smb 10.129.40.34
[*] Initializing SMB protocol database
SMB 10.129.40.34 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:None) (Null Auth:True)
We see a domain, so we add it to /etc/hosts.
> cat /etc/hosts
───────┬───────────────────────────────────────────────────────────────
│ File: /etc/hosts
───────┼───────────────────────────────────────────────────────────────
1 │ # Host addresses
2 │ 127.0.0.1 localhost
3 │ 127.0.1.1 parrot
4 │ ::1 localhost ip6-localhost ip6-loopback
5 │ ff02::1 ip6-allnodes
6 │ ff02::2 ip6-allrouters
7 │ # Others
8 │
9 │ 10.129.40.34 support.htb DC.support.htb support.htb0 DC.support.htb0
───────┴───────────────────────────────────────────────────────────────
Let's see whether any shares exist and whether we have permissions on them.
> nxc smb 10.129.40.34 --shares
SMB 10.129.40.34 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.40.34 445 DC [-] Error enumerating shares: STATUS_USER_SESSION_DELETED
After a while, it occurs to me to try common credentials, until it lets me connect as anonymous with no password.
> nxc smb 10.129.40.34 -u 'anonymous' -p '' --shares
SMB 10.129.40.34 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.40.34 445 DC [+] support.htb\anonymous: (Guest)
SMB 10.129.40.34 445 DC [*] Enumerated shares
SMB 10.129.40.34 445 DC Share Permissions Remark
SMB 10.129.40.34 445 DC ----- ----------- ------
SMB 10.129.40.34 445 DC ADMIN$ Remote Admin
SMB 10.129.40.34 445 DC C$ Default share
SMB 10.129.40.34 445 DC IPC$ READ Remote IPC
SMB 10.129.40.34 445 DC NETLOGON Logon server share
SMB 10.129.40.34 445 DC support-tools READ support staff tools
SMB 10.129.40.34 445 DC SYSVOL Logon server share
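The finding in this output, from an administrator's point of view, is a non-built-in share that a Guest-mapped session can read. The following Python check is an added example, not part of the original writeup or of netexec: it parses saved `--shares` output and reports such shares. The names `parse_shares` and `guest_exposed` are hypothetical, and it assumes share names contain no spaces.

```python
import re

# Constructed sample: the netexec lines shown above, as if saved to a file.
SAMPLE = r"""
SMB 10.129.40.34 445 DC [+] support.htb\anonymous: (Guest)
SMB 10.129.40.34 445 DC [*] Enumerated shares
SMB 10.129.40.34 445 DC Share Permissions Remark
SMB 10.129.40.34 445 DC ----- ----------- ------
SMB 10.129.40.34 445 DC ADMIN$ Remote Admin
SMB 10.129.40.34 445 DC C$ Default share
SMB 10.129.40.34 445 DC IPC$ READ Remote IPC
SMB 10.129.40.34 445 DC NETLOGON Logon server share
SMB 10.129.40.34 445 DC support-tools READ support staff tools
SMB 10.129.40.34 445 DC SYSVOL Logon server share
"""

# Shares present on every domain controller; review access to these separately.
BUILTIN = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL"}
PERMS = {"READ", "WRITE", "READ,WRITE"}
ROW = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+(.+)$")

def parse_shares(text):
    """Return (guest_session, rows) parsed from saved --shares output."""
    guest, in_table, rows = False, False, []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        body = m.group(1)
        if body.startswith("[+]") and body.endswith("(Guest)"):
            guest = True            # the session was mapped to the Guest account
        elif body.startswith("-----"):
            in_table = True         # separator row: share rows follow
        elif in_table and not body.startswith("["):
            name, *rest = body.split()
            perms = set()
            # The permissions column may be empty, so only consume a known value.
            if rest and rest[0] in PERMS:
                perms, rest = set(rest[0].split(",")), rest[1:]
            rows.append({"share": name, "perms": perms, "remark": " ".join(rest)})
    return guest, rows

def guest_exposed(text):
    """Non-built-in shares that a Guest-mapped session can read or write."""
    guest, rows = parse_shares(text)
    return [r for r in rows if guest and r["perms"] and r["share"] not in BUILTIN]
```

Calling `guest_exposed()` on the sample returns a single row for `support-tools`; an empty list means either no Guest session was observed or no custom share granted it access.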
What catches my attention most is support-tools, so let's check what it contains.
> smbclient -U "anonymous" \\\\10.129.40.34\\support-tools
Password for [WORKGROUP\anonymous]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jul 20 13:01:06 2022
.. D 0 Sat May 28 07:18:25 2022
7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 07:19:19 2022
npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 07:19:55 2022
putty.exe A 1273576 Sat May 28 07:20:06 2022
SysinternalsSuite.zip A 48102161 Sat May 28 07:19:31 2022
UserInfo.exe.zip A 277499 Wed Jul 20 13:01:07 2022
windirstat1_1_2_setup.exe A 79171 Sat May 28 07:20:17 2022
WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 07:19:43 2022
There is quite a lot of content, so we download all of it to analyze locally.
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> !cd ../content/
smb: \> mget *
getting file \7-ZipPortable_21.07.paf.exe of size 2880728 as 7-ZipPortable_21.07.paf.exe (995,5 KiloBytes/sec) (average 995,5 KiloBytes/sec)
getting file \npp.8.4.1.portable.x64.zip of size 5439245 as npp.8.4.1.portable.x64.zip (1937,9 KiloBytes/sec) (average 1459,5 KiloBytes/sec)
getting file \putty.exe of size 1273576 as putty.exe (962,6 KiloBytes/sec) (average 1365,9 KiloBytes/sec)
getting file \SysinternalsSuite.zip of size 48102161 as SysinternalsSuite.zip (1814,6 KiloBytes/sec) (average 1720,6 KiloBytes/sec)
getting file \UserInfo.exe.zip of size 277499 as UserInfo.exe.zip (356,1 KiloBytes/sec) (average 1689,6 KiloBytes/sec)
getting file \windirstat1_1_2_setup.exe of size 79171 as windirstat1_1_2_setup.exe (31,1 KiloBytes/sec) (average 1574,9 KiloBytes/sec)
parallel_read returned NT_STATUS_IO_TIMEOUT