Official Support Discussion

Official discussion thread for Support. Please do not post any spoilers or big hints.


Nice box! Always like seeing AD come up in these boxes.

1 Like


yes indeed, nice AD box :smiley:


Really like the privesc, it was very instructive. Thanks @0xdf !

I have credentials for the sup**** account and I am stuck now. Winrm does not work (always get timeout) as well as psexec so I have no way of code execution, roasting is also not possible. Somebody got a hint for a shell with the creds?

How do you get this account info? Can I have some hint because I have already made some enumerations with kerbrute but no username found

First try basic Windows Enumeration, what services are running and how can you access them? You can DM me if ur stuck.


Hello ! I’m new to windows pentest. I tried some stuff to gain a foothold on this box, but nothing juicy for now. Coul’d someone help me to lead me to tools/methodology/etc ? I can tell what I did for now. Thanks in advance !

First try to enumerate what services are running on the box. There are a bunch of ports open, but there are actually just a handful of important protocols. Then you can google how to enumerate each protocol you find!

User: Make a list of the services that are running and look up how to enumerate each of them. Take special note of anything that stands out as custom to this box. Look what is inside of there.
Root: There is a very popular AD attacking tool that can sniff out any paths forward. Look what accounts you have access to and what they might be able to do on the box.

Got root! had some issues on privsec if you’re stuck


Understand all the services running on the box. Look for ways to enumerate each one
There’s an interesting file somewhere you have access to… Look into it further (:


Enumerate the domain, see what privileges you have (or don’t have)
Look at the abilities you have over the domain as a whole
If you can’t do it yourself, make someone do it for you. :wink:
Trial and error. If one tool isn’t working, try another that does the same thing (Had to try this a few different ways)


Than you !

In fact I think I found something interesting in a service.

But for now I don’t know what to do with it.

EDIT: Well, I looked into it . Don’t know what to do with, but the clues are pilling up ^^

1 Like

I’ve enumerated the apparant valuable ports and accessed the support-t**** things. Should I pay attention to the executive’s files there? I really appreciate any help you can provide.

Hello, I’m still stuck on the foothold, but I can say yes, you must pay attention to a specific file. Check the modification dates of the files in it :wink:

Hey folks! Does anyone know what debugger you can use for win binary testing? Because I hate to use other virtual machine for this. My ollydb does not want to run these stuff… Same the dnSpy

With dnSpy normally you can do some stuff no ? Not sure you need to run it.

what methods can i use for login with credencials?

There is some issues with wine+dnspy and as I mentioned before windows VM is not for me :slight_smile:

Oh ! Ok sorry. I did it on my (real) windows machine to handle it.

evil-winrm worked for me. (sidenote - after using it successfully I tried updating it from 3.3 to 3.4 and this completely borked it and I had to revert to a previous VM snapshot of my attack box). So I’m not sure what your experience will be if you use the latest version.