Scholarfriends
Active Directory Enumeration & Attacks. Hack The Box
Module 143
https://scholarfriends.com
Downloaded by: | https://scholarfriends.com/singlePaper/644184/active-directory-enumeration-attacks-
hack-the-box-module-143
Distribution of this document is illegal.
,Active Directory Enumeration & Attacks:
Link to challenge: https://academy.hackthebox.com/module/143/
(log in required)
Class: Tier II | Medium | Offensive
Before we begin: throughout the module we will be requested to login to
target Linux machines, and target windows machines.
The credentials will be provided for us by the module.
For Linux, we will use ssh with the command:
ssh <username>@<target-IP>
and then we will be requested to enter the password.
For windows – we will use xfreerdp with the command:
xfreerdp /v:<Target IP> /u:<username> /p:<password>
/dynamic-resolution
Throughout the module, those steps will be referred as ‘login to the
Linux/Windows target machine’.
*all Windows powershell commands assume cd of ‘C:\tools’ unless specified
otherwise *
Initial Enumeration
External Recon and Enumeration Principles:
Question: While looking at inlanefreights public records; A flag can be seen.
Find the flag and submit it. ( format == HTB{******} )
Answer: HTB{5Fz6UPNUFFzqjdg0AzXyxCjMZ}
Method: we will search on google the string:
‘intext:"HTB{" inurl:inlanefreight.com’ – we are told the string is in format of
‘HTB{**}’, by necessarily the substring ‘intext:"HTB{‘ will appear.
Downloaded from Scholarfriends.com
,So we search that string within the url ‘inlanefreight.com’ (its google patterned
search).
Lets search:
After several results we see this:
Where the flag is visible to us in the preview of the website.
We can take that already, but in this module guide we will go into the website
anyway, enter the link and scroll down.
Somewhere within the page – we see this:
.
*note – be careful of misdirection, at first I searched for ‘HTB{*****}’ - and
this result was here. But that was not the answer. *
Downloaded from Scholarfriends.com
, Initial Enumeration of the Domain:
Question: From your scans, what is the "commonName" of host 172.16.5.5 ?
Answer: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Method: lets rehearse what is Common name – common name is an attribute
of Active directory object that represents the object, it parts of the attribute
‘DN’- distinguished name which purpose is to make the object distinguishable
from other objects.
First, we login the target Linux machine.
Now, to find the common name on ‘172.16.5.5’ – we will perform aggressive
NMAP:
nmap -A 172.16.5.5
the ‘-A’ flag performs deeper investigation of open ports, one of which at
certain cases is service enumeration.
Now lets observe on the scan results:
We can find the common name on the LDAP (lightweight directory access
protocol). We can find further evidences here:
and here:
Downloaded from Scholarfriends.com