HTB · Easy
HTB Support: SMB Anonymous Access → Binary Reversing → LDAP Credentials → RBCD Privilege Escalation
Anonymous SMB access reveals a .NET binary containing hardcoded XOR-encrypted LDAP credentials. LDAP enumeration then turns up a cleartext password in the info attribute, which grants WinRM access. BloodHound shows GenericAll on DC$, enabling RBCD abuse to impersonate Administrator and achieve SYSTEM on the Domain Controller.
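For defenders, two links in this chain can be checked from a directory export: secrets left in free-text attributes such as info, and resource-based constrained delegation (the msDS-AllowedToActOnBehalfOfOtherIdentity attribute) set on a domain controller. The audit below is an added example, not code from the original write-up; it assumes an LDIF export, and the sample entries, function names and the secret heuristic are constructed for illustration.

```python
import re
# Constructed LDIF export for illustration; every name and value is made up.
SAMPLE_LDIF = """\
dn: CN=svc-a,CN=Users,DC=example,DC=local
info: Temp pw Winter2024!x until rotation

dn: CN=jdoe,CN=Users,DC=example,DC=local
info: Desk 4, building B

dn: CN=DC01,OU=Domain Controllers,DC=example,DC=local
msDS-AllowedToActOnBehalfOfOtherIdentity:: Q09OU1RSVUNURUQ=
"""

FREE_TEXT = {"info", "description", "comment"}
KEYWORD = re.compile(r"\b(pw|pwd|pass(word)?|cred(ential)?s?)\b", re.I)
RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry, joining folded lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        entry, last = {}, None
        for line in block.splitlines():
            if line.startswith(" ") and last:  # folded continuation line
                entry[last][-1] += line[1:]
                continue
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            entry.setdefault(last, []).append(value.lstrip(": ").strip())
        yield entry

def looks_like_secret(value):
    # Heuristic (assumption): a password keyword, or a 10+ character token
    # that mixes lowercase, uppercase, digits and symbols.
    kinds = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return bool(KEYWORD.search(value)) or any(
        len(t) >= 10 and all(any(k(c) for c in t) for k in kinds)
        for t in value.split())

def audit(text):
    """Return (dn, issue) findings for the two weaknesses described above."""
    findings = []
    for e in parse_ldif(text):
        dn = e.get("dn", ["?"])[0]
        for attr in sorted(FREE_TEXT & e.keys()):
            if any(looks_like_secret(v) for v in e[attr]):
                findings.append((dn, f"possible credential in '{attr}'"))
        if RBCD_ATTR in e:
            scope = "domain controller" if "ou=domain controllers" in dn.lower() else "account"
            findings.append((dn, f"RBCD delegation set on {scope}"))
    return findings
```

Any hit on a domain controller object deserves review, since delegation is rarely configured there on purpose; the free-text heuristic will produce false positives and is meant to shortlist entries for a human to read.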