Incendium.rocks

Nmaptitle=Nmap results overflow=wrap112345678910111213141516171819# Nmap 7.94SVN scan initiated Sun Apr 7 07:13:14 2024 as: nmap -sCV -T4 --min-rate 10000 -v -oA nmap/tcp_default 10.10.11.12Nmap scan report for 10.10.11.12Host is up (0.027s latency).Not shown: 998 closed tcp ports (reset)PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: | 256 2c:f9:07:77:e3:f1:3a:36:db:f2:3b:94:e3:b7:cf:b2 (ECDSA)|_ 256 4a:91:9f:f2:74: ...

Nmap scan12345678910111213141516171819202122232425262728293031323334353637383940┌──(kali㉿DESKTOP-FQ305P5)-[~/Documents/HackTheBox/Sauna] └─$ nmap_default [0/37]Completed NSE at 09:03, 0.00s elapsedNmap scan report for ...

Nmap scanA Nmap scan shows us that there are a lot of opened ports on the target server. The target server seems to be running a Windows Server OS. Also, we can see that it is promoted to a Active Directory by looking at the opened ports. For example, LDAP is a open port. 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111 ...

Nmap12345678910111213141516171819202122232425# Nmap 7.94SVN scan initiated Sun Dec 3 10:28:41 2023 as: nmap -sCV -T4 --min-rate 10000 -p- -v -oA nmap/tcp_default 10.129.173.58Nmap scan report for 10.129.173.58Host is up (0.027s latency).Not shown: 65532 closed tcp ports (reset)PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: | 256 6f:f2:b4:ed:1a:91:8d:6e:c9:10:51:71:d5:7c:49:bb (ECDSA)|_ 256 df:dd:bc:dc:57:0d:98:a ...

Nmap scanAs always we start off with a Nmap scan on the box: 12345678910111213141516171819202122232425262728293031323334353637383940# Nmap 7.94SVN scan initiated Sat Nov 11 14:08:01 2023 as: nmap -sCV -T4 --min-rate 10000 -p- -v -oA nmap/tcp_default 10.129.161.134Nmap scan report for app.napper.htb (10.129.161.134)Host is up (0.023s latency).Not shown: 65532 filtered tcp ports (no-response)PORT STATE SERVICE VERSION80/tcp open http Microsoft IIS httpd 10.0|_http-server-header: Mi ...

SummarySearch is a hard HackTheBox machine that requires some knowledge about Active Directory. First of all, we find a webserver running on port 80, 443 and 8172. We have to do some OSINT on the website to find a password. After finding credentials for Hope.Sharp, we are able to authenticate with SMB and LDAP. We can also use bloodhound-python to get information about the domain. By using bloodhound we can find a service account that is kerberoastable. After getting the hash for this account, w ...