In the off-season, HackTheBox's Administrator machine takes us through an Active Directory environment for privilege escalation. We begin with a low-privilege account, simulating a real-world penetration test, and gradually elevate our privileges. This machine is relatively straightforward, making it ideal for practicing BloodHound analysis.
└─$ nmap -sVC 10.10.11.42
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-13 08:17 EST
Nmap scan report for 10.10.11.42
Host is up (0.17s latency).
Not shown: 988 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-13 20:17:12Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-11-13T20:17:23
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: 7h00m01s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.47 seconds
Let's add administrator.htb to the /etc/hosts file:
echo "10.10.11.42 administrator.htb" | sudo tee -a /etc/hosts
Access is restricted by HackTheBox rules
The solution can be published publicly only after the machine is retired.
Look for a non-public solution in the Telegram channel.