Hack The Box — Active Writeup w/o Metasploit

Rana Khalil
8 min read · Nov 15, 2019

This is the 13th blog out of a series of blogs I will be publishing on retired HTB machines in preparation for the OSCP. The full list of OSCP-like machines compiled by TJnull can be found here.

Let’s get started!

Reconnaissance

First things first, we run a quick initial nmap scan to see which ports are open and which services are running on those ports.

nmap -sC -sV -O -oA initial 10.10.10.100
  • -sC: run default nmap scripts
  • -sV: detect service version
  • -O: detect OS
  • -oA: output all formats and store in file initial

We get back the following result showing that 17 ports are open:

  • Port 53: running DNS 6.1.7601
  • Port 88: running Kerberos
  • Ports 135, 593, 49152, 49153, 49154, 49155, 49157, 49158: running msrpc
  • Ports 139 & 445: running SMB
  • Ports 389 & 3268: running Active Directory LDAP
  • Port 464: running kpasswd5. This port is used for changing/setting passwords against Active Directory
  • Ports 636 & 3269: As indicated on the nmap FAQ page, this means that the port is protected by tcpwrapper…
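
An added example, not part of the original post: -oA initial also writes initial.gnmap, and the Python below parses that grepable format into a per-host list of open ports like the summary above, including version strings that contain commas. The sample line is constructed, and the function names, the example.local domain and the "looks like a domain controller" heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample of grepable (.gnmap) output; not the scan output from the post.
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 10.10.10.100 ()\tPorts: 53/open/tcp//domain//Microsoft DNS 6.1.7601/, "
    "88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, "
    "135/open/tcp//msrpc//Microsoft Windows RPC/, "
    "389/open/tcp//ldap//AD LDAP (Domain: example.local, Site: Default)/, "
    "445/open/tcp//microsoft-ds///, 464/open/tcp//kpasswd5///, "
    "636/open/tcp//tcpwrapped///, 3268/open/tcp//ldap///, 8080/closed/tcp//http-proxy///\t"
    "Ignored State: filtered (990)\n"
)

# One entry is port/state/proto/owner/service/rpcinfo/version/ ; matching the
# entry itself (instead of splitting on ", ") survives commas inside the version.
ENTRY = re.compile(r"(\d+)/([a-z|]+)/(tcp|udp)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

# Assumption (this example's heuristic): these ports together suggest an AD domain controller.
DC_PORTS = {53: "DNS", 88: "Kerberos", 389: "LDAP", 445: "SMB", 464: "kpasswd", 3268: "Global Catalog"}

def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue  # skip comment lines and "Status:" lines
        host = line.split()[1]
        ports_field = line.split("\tPorts:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service, version in ENTRY.findall(ports_field):
            if state == "open":
                hosts[host].append((int(port), proto, service or "unknown", version))
    return dict(hosts)

def dc_indicators(ports):
    """Names of DC-typical services found among the open ports, ordered by port."""
    open_ports = {p for p, _, _, _ in ports}
    return [name for port, name in sorted(DC_PORTS.items()) if port in open_ports]

def looks_like_domain_controller(ports):
    found = dc_indicators(ports)  # Kerberos plus LDAP is the core pair
    return {"Kerberos", "LDAP"} <= set(found) and len(found) >= 4

if __name__ == "__main__":
    for host, ports in parse_gnmap(SAMPLE_GNMAP).items():
        print(host, "DC-like:", looks_like_domain_controller(ports))
        for port, proto, service, version in ports:
            print(f"  {port}/{proto:<4} {service:<14} {version}")
```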
