Hackthebox Active Directory Enumeration And Attacks Walkthrough

Questions walkthrough

# Initial Enumeration Section


External Recon and Enumeration Principles

Question 1 :- While looking at inlanefreights public records; A flag can be seen. Find the flag and submit it. ( format == HTB{**} ).
Answer :- HTB{5Fz####################}

  • As taught in the module, we look up the public records on bgp.he.net.

  • The flag is visible in the output.

Initial Enumeration of the Domain

Question 1 :- From your scans, what is the “commonName” of host 172.16.5.5 ?
Answer :- ACADEMY-##############################

  • We run an Nmap scan against the host and pick the commonName value out of the result to get the answer.
nmap 172.16.5.5 -sC -sV --min-rate=1500

[Image: Nmap Scan Result]

Question 2 :- What host is running “Microsoft SQL Server 2019 15.00.2000.00”? (IP address, not Resolved name).
Answer :- 172.########

  • Again we run an Nmap scan, this time over the host list, and save the result to the host-enum file.
sudo nmap -v -A -iL host.txt -oN /home/htb-student/Documents/host-enum
  • After that, we can filter the version string out of the result using grep.

[Image: grep]

  • Alternatively, we can open the file in Pluma, the built-in text editor, search (CTRL+F) for the keyword, and read off the IP of the host the match belongs to.

[Image: Pluma]
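A plain grep finds the matching line but not the host it belongs to. The following added example (not part of the original walkthrough or the module) tracks the "Nmap scan report for" header in a saved -oN file so that a version string or a certificate commonName is mapped back to its host. The function names and the sample scan data are constructed for illustration.

```shell
#!/bin/sh
# Added example: tie a string in `nmap -oN` output back to its host.

# hosts_matching FILE STRING: IP of every host whose report block contains STRING
hosts_matching() {
    awk -v needle="$2" '
        /^Nmap scan report for / {
            ip = $NF              # last field is the IP; "(ip)" if a name resolved
            gsub(/[()]/, "", ip)
            next
        }
        index($0, needle) && ip != "" && !(ip in seen) { seen[ip] = 1; print ip }
    ' "$1"
}

# common_names FILE IP: certificate commonName values reported for that IP
common_names() {
    awk -v want="$2" '
        /^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip); next }
        ip == want && match($0, /commonName=[^, ]+/) {
            print substr($0, RSTART + 11, RLENGTH - 11)   # drop "commonName="
        }
    ' "$1" | sort -u
}

# Constructed sample in -oN layout; names and addresses are made up.
sample_scan() {
    cat <<'EOF'
Nmap scan report for 192.0.2.10
Host is up (0.0011s latency).
PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC-SAMPLE.example.local
|_Not valid after:  2030-01-01T00:00:00

Nmap scan report for sql-sample.example.local (192.0.2.20)
Host is up (0.0013s latency).
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
EOF
}

scan=$(mktemp); sample_scan > "$scan"
hosts_matching "$scan" 'Microsoft SQL Server 2019 15.00.2000.00'   # 192.0.2.20
common_names "$scan" 192.0.2.10                                     # DC-SAMPLE.example.local
rm -f "$scan"
```

Against the file from the walkthrough, the first argument would be /home/htb-student/Documents/host-enum.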

# Sniffing out a Foothold

LLMNR/NBT-NS Poisoning - from Linux

Question 1 :- Run Responder and obtain a hash for a user account that starts with the letter b. Submit the account name as your answer.
Answer :-

Question 2 :- Crack the hash for the previous account and submit the cleartext password as your answer.
Answer :-

Question 3 :- Run Responder and obtain an NTLMv2 hash for the user wley. Crack the hash using Hashcat and submit the user’s password as your answer.
Answer :-

……………………………Coming-Soon………………………

This post is licensed under CC BY 4.0 by the author.