Official Support Discussion

Are you sure you are connected to the right VPN?

Incredibly frustrating so far, not because of the machine itself but because of the tools you need to be using. Just one thing, if none of the tools work for you try using single instead of double quotes…

Wow. The evil program was giving me problems since the day this machine released ( HTTPClient::ReceiveTimeoutError ). I finally figured out that turning off my host machine’s VPN solves the issue. I’ve seen people post this issue in other machine discussions but never a solution – so I thought this was important to share.

1 Like

I’ve got User access to the box, currently navigating using Evil… I think I have the foothold for Admin but my ticket there does not seem to be working. Any help or a DM is much appreciated :slight_smile:

Got it! Make sure your hostnames are correct and yes, in some cases it is better to use Linux alternatives.

Hit me up for an assist.

I’m stucked on rubeus part ticket created but showing access denied how to proceed further

Someone helps me to find username? Ive already the password analyzing the executable file.

You have access to multiple SMB shares. Look up what you might be able to do with the share you haven’t used yet.

Could someone help me? i’m at the end of privesc. I followed the guide about obj takeover and used the windows tool, but at the end, i cannot list admin files.


As I have no experience in coding, how do I get the PW from the decrypted key? I tried but have failed many times. Tks.

Hi Lddj90,

What do you have so far? If you can see the decryption key, then you are looking in the right place.

The approach I took was to try the support-tool, just to see what it does, and then used “debug mode” to “breakout” at a point where I could see what I needed.

Hope this helps.

Hey guys I’m a bit lost on the lateral move/priv esc. I was able to obtain the creds for a user from a very spicy file. I used those creds with bloodhound and found a user I think I need to use su**** however I am a bit lost on how to obtain it’s creds/hash. Any hint or DM would be appreciated.

Ok I am new to HACKTHEBOX and I think that I am stuck right now in this machine. I got the l*** user credentials but I couldn’t do anything with it but some domain enumeration. I think that I am missing something here

I have found the goodies in UserInfo.exe I am using dnSpy to see how they are used in the code. I feel I have what I need to log into ldap. No luck. I feel like its a misuse of ldapsearchon my part. Any help?

guys, can you tell me step by step how to capture the flag in support machine? I tried to do it with xfreerdp - no possible, tried with smb but i can’t open zip files. Please help me!)

I am also new here…can any one tell me that smbghost gonna work on this box or not?

I have decrypted the password in UserInfo. Trying to use ldapsearch with the decrypted password, and what I believe is the username as shown in the code line:

this.entry = new DirectoryEntry(“LDAP://support.htb”, “support\ldap”, password);

Keep getting authentication errors.

EDIT: got it. And the missing cred for my evil friend.

Very good box, maybe a bit challenging for someone who is new at windows and AD pentesting like me. One piece of advice for the PE part try to execute it from your box with the linux tools that are available. I had some trouble trying to do it with the windows equivalents.

1 Like

Can somebody give me a nudge?

I have the user flag, took the dog for a walk, got what I thought was the privesc route, but Access_Denied.

Whenever I try to do that, I keep getting encoding issues after it appears to be working. Have tried on several different Kalis … Any ideas?