Hackthebox Active Directory Enumeration And Attacks Walkthrough
Questions walkthrough
# Initial Enumeration Section
External Recon and Enumeration Principles
Question 1 :- While looking at inlanefreights public records; A flag can be seen. Find the flag and submit it. ( format == HTB{**} ).
Answer :- HTB{5Fz####################}
- As taught in the module, we look for the public records on bgp.he.net.
- The flag is visible in the output.
Initial Enumeration of the Domain
Question 1 :- From your scans, what is the “commonName” of host 172.16.5.5 ?
Answer :- ACADEMY-##############################
- We run the nmap scan and filter the `commonName` parameter out of the result to get the flag.

```
nmap 172.16.5.5 -sC -sV --min-rate=1500
```
Question 2 :- What host is running “Microsoft SQL Server 2019 15.00.2000.00”? (IP address, not Resolved name).
Answer :- 172.########
- Again we run an Nmap scan and save the result in the host-enum file.

```
# -iL reads the target list from host.txt; -oN writes normal output to host-enum
sudo nmap -v -A -iL host.txt -oN /home/htb-student/Documents/host-enum
```
- After that, we can filter the string out of the result using `grep`,
- or we can open the file in the built-in Pluma text editor, search (CTRL+F) for the keyword, and then filter out the `ip`.
we get this for
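
An added example (not part of the original walkthrough): a small Python parser for nmap normal (`-oN`) output that covers both filtering steps above, collecting `commonName` values per host and finding which IP reports a given version banner. The sample scan text, the hostname and the 192.0.2.x addresses are constructed, and the function names are this example's own.

```python
import re

# Constructed sample of `nmap -v -A -oN` output (not real lab data).
SAMPLE = """\
Nmap scan report for 192.0.2.30 [host down]
Nmap scan report for dc01.example.test (192.0.2.10)
Host is up (0.0010s latency).
PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc01.example.test
Nmap scan report for 192.0.2.20
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?")
CN_RE = re.compile(r"commonName=([^,/\s]+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")


def parse_normal_output(text):
    """Return {ip: {"common_names": set, "services": [(port, name, version)]}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            # With -v, unresponsive hosts are logged too; attribute nothing to them.
            current = None if "[host down]" in line else hosts.setdefault(
                m.group(1), {"common_names": set(), "services": []})
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current["services"].append((int(m.group(1)), m.group(3), m.group(4).strip()))
        current["common_names"].update(CN_RE.findall(line))
    return hosts


def hosts_running(hosts, banner):
    """IPs whose open-port version string contains `banner` (case-insensitive)."""
    return sorted(ip for ip, h in hosts.items()
                  if any(banner.lower() in v.lower() for _, _, v in h["services"]))


if __name__ == "__main__":
    parsed = parse_normal_output(SAMPLE)
    print(parsed["192.0.2.10"]["common_names"])
    print(hosts_running(parsed, "Microsoft SQL Server 2019 15.00.2000.00"))
```

To use it on the real scan, read the host-enum file and pass its contents to `parse_normal_output` in place of `SAMPLE`.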
# Sniffing out a Foothold
LLMNR/NBT-NS Poisoning - from Linux
Question 1 :- Run Responder and obtain a hash for a user account that starts with the letter b. Submit the account name as your answer.
Answer :-
Question 2 :- Crack the hash for the previous account and submit the cleartext password as your answer.
Answer :-
Question 3 :- Run Responder and obtain an NTLMv2 hash for the user wley. Crack the hash using Hashcat and submit the user’s password as your answer.
Answer :-
……………………………Coming-Soon………………………