Initial Enumeration of the Domain
Information
- Website: HackTheBox
- Module: Active Directory Enumeration & Attacks
- Link: Initial Enumeration of the Domain
Question
From your scans, what is the "commonName" of host 172.16.5.5?
Walkthrough
Let's connect to the host via SSH using the credentials htb-student:HTB_@cademy_stdnt! and run fping to scan the network. But first, we need to determine which network we are on by checking the interface configuration; the relevant interface is ens224:
ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.5.225 netmask 255.255.254.0 broadcast 172.16.5.255
inet6 fe80::32e6:baa0:e3aa:25da prefixlen 64 scopeid 0x20<link>
ether 00:50:56:94:b2:a1 txqueuelen 1000 (Ethernet)
RX packets 30347 bytes 2683090 (2.5 MiB)
RX errors 0 dropped 14 overruns 0 frame 0
TX packets 873 bytes 61686 (60.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
We need to scan the entire 172.16.5.0/24 network.
┌─[htb-student@ea-attack01]─[~]
└──╼ $fping -asgq 172.16.5.0/24
172.16.5.5
172.16.5.130
172.16.5.225
254 targets
3 alive
251 unreachable
0 unknown addresses
1004 timeouts (waiting for response)
1007 ICMP Echos sent
3 ICMP Echo Replies received
1004 other ICMP received
0.041 ms (min round trip time)
0.916 ms (avg round trip time)
2.02 ms (max round trip time)
9.563 sec (elapsed real time)
Now that we have found the host 172.16.5.5, let's use nmap to discover the commonName.
┌─[htb-student@ea-attack01]─[~]
└──╼ $nmap -sC -sV 172.16.5.5
Starting Nmap 7.92 ( https://nmap.org ) at 2025-03-30 14:26 EDT
Nmap scan report for inlanefreight.local (172.16.5.5)
Host is up (0.038s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-30 18:26:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT
| Not valid before: 2023-10-27T13:11:32
|_Not valid after: 2024-10-26T13:11:32
|_ssl-date: 2025-03-30T18:27:24+00:00; 0s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
|_ssl-date: 2025-03-30T18:27:24+00:00; 0s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT
| Not valid before: 2023-10-27T13:11:32
|_Not valid after: 2024-10-26T13:11:32
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT
| Not valid before: 2023-10-27T13:11:32
|_Not valid after: 2024-10-26T13:11:32
|_ssl-date: 2025-03-30T18:27:24+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
|_ssl-date: 2025-03-30T18:27:24+00:00; 0s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT
| Not valid before: 2023-10-27T13:11:32
|_Not valid after: 2024-10-26T13:11:32
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
| Not valid before: 2025-02-11T06:08:03
|_Not valid after: 2025-08-13T06:08:03
| rdp-ntlm-info:
| Target_Name: INLANEFREIGHT
| NetBIOS_Domain_Name: INLANEFREIGHT
| NetBIOS_Computer_Name: ACADEMY-EA-DC01
| DNS_Domain_Name: INLANEFREIGHT.LOCAL
| DNS_Computer_Name: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
| Product_Version: 10.0.17763
|_ System_Time: 2025-03-30T18:27:16+00:00
|_ssl-date: 2025-03-30T18:27:24+00:00; 0s from scanner time.
Service Info: Host: ACADEMY-EA-DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_nbstat: NetBIOS name: ACADEMY-EA-DC01, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:eb:bb (VMware)
| smb2-time:
| date: 2025-03-30T18:27:16
|_ start_date: N/A
The commonName is reported in the ssl-cert output for port 3389 (RDP); the LDAP certificates on ports 389, 636, 3268 and 3269 have an empty Subject and identify the host only through their Subject Alternative Names.
Answer
ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Question
What host is running "Microsoft SQL Server 2019 15.00.2000.00"? (IP address, not Resolved name)
Walkthrough
Let's scan the remaining two IPs.
┌─[htb-student@ea-attack01]─[~]
└──╼ $sudo nmap -O 172.16.5.130 172.16.5.225
Starting Nmap 7.92 ( https://nmap.org ) at 2025-03-30 14:35 EDT
Nmap scan report for 172.16.5.130
Host is up (0.0015s latency).
Not shown: 992 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
808/tcp open ccproxy-http
1433/tcp open ms-sql-s
3389/tcp open ms-wbt-server
16001/tcp open fmsascon
MAC Address: 00:50:56:94:6F:7E (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 1 hop
Nmap scan report for 172.16.5.225
Host is up (0.00074s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
3389/tcp open ms-wbt-server
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 50.81 seconds
172.16.5.130 is the SQL Server host, due to the presence of port 1433 (ms-sql-s).
Answer
172.16.5.130
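Both questions above are answered by reading the same nmap normal-output format by eye: the commonName in an ssl-cert block for the first, and an open ms-sql-s port for the second. The following parser is an added example written for this writeup, not code from the HTB Academy module or from nmap. It pulls the per-host open ports, certificate commonName and Subject Alternative Names, and certificate expiry out of nmap text, so the same checks can be run over a whole scan file (and the expired LDAP certificate on the DC, which the scan above also shows, is flagged rather than overlooked). The SAMPLE_SCAN string is a constructed, abbreviated copy of the two scans on this page; the function names and the dictionary layout are this example's own.

```python
import re
from datetime import datetime

# Constructed sample modelled on the two scans in this writeup (abbreviated, not the raw page output).
SAMPLE_SCAN = """\
Nmap scan report for inlanefreight.local (172.16.5.5)
Host is up (0.038s latency).
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT
| Not valid before: 2023-10-27T13:11:32
|_Not valid after: 2024-10-26T13:11:32
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
| Not valid before: 2025-02-11T06:08:03
|_Not valid after: 2025-08-13T06:08:03
Nmap scan report for 172.16.5.130
Host is up (0.0015s latency).
PORT      STATE SERVICE
80/tcp    open  http
1433/tcp  open  ms-sql-s
3389/tcp  open  ms-wbt-server
Nmap scan report for 172.16.5.225
Host is up (0.00074s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
"""

# "Nmap scan report for name (ip)" or "Nmap scan report for ip"
HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d+\.\d+\.\d+\.\d+)\)?$")
# "3389/tcp open  ms-wbt-server ..." (the VERSION column is optional)
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
# NSE ssl-cert lines belong to the port printed just before them
CN_RE = re.compile(r"^\|_?\s*ssl-cert: Subject:.*?commonName=(?P<cn>[^,/\s]+)")
SAN_RE = re.compile(r"^\|_?\s*Subject Alternative Name: (?P<sans>.+)$")
NOT_AFTER_RE = re.compile(r"^\|_?\s*Not valid after:\s+(?P<ts>\S+)")


def parse_nmap(text):
    """Return {ip: {"name": str|None, "ports": {port: {...}}}} from nmap normal output."""
    hosts, current, last_port = {}, None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m["ip"], {"name": m["name"], "ports": {}})
            last_port = None
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m and m["state"] == "open":
            last_port = int(m["port"])
            current["ports"][last_port] = {"service": m["service"], "commonName": None,
                                           "sans": [], "not_after": None}
            continue
        if last_port is None:  # script output before any port line (none in this sample)
            continue
        port = current["ports"][last_port]
        if (m := CN_RE.match(line)):
            port["commonName"] = m["cn"]
        elif (m := SAN_RE.match(line)):
            # "DNS:a, DNS:b" -> ["a", "b"]; keep only entries that carry a type prefix
            port["sans"] = [s.split(":", 1)[1] for s in m["sans"].split(", ") if ":" in s]
        elif (m := NOT_AFTER_RE.match(line)):
            port["not_after"] = m["ts"]
    return hosts


def common_names(hosts, ip):
    """Distinct commonName values from every certificate a host presented."""
    return sorted({p["commonName"] for p in hosts[ip]["ports"].values() if p["commonName"]})


def cert_identity(hosts, ip, port):
    """Name the certificate on ip:port identifies; falls back to the first SAN when the
    Subject is empty, which is how the LDAP certificates in the scan above are issued."""
    cert = hosts[ip]["ports"][port]
    if cert["commonName"]:
        return cert["commonName"]
    return cert["sans"][0] if cert["sans"] else None


def hosts_with_service(hosts, service):
    """IPs with an open port whose nmap service label equals `service`, e.g. 'ms-sql-s'."""
    return sorted(ip for ip, h in hosts.items()
                  if any(p["service"] == service for p in h["ports"].values()))


def expired_certs(hosts, as_of):
    """(ip, port) pairs whose certificate's 'Not valid after' is before the ISO timestamp as_of."""
    cutoff = datetime.fromisoformat(as_of)
    return sorted((ip, port) for ip, h in hosts.items() for port, p in h["ports"].items()
                  if p["not_after"] and datetime.fromisoformat(p["not_after"]) < cutoff)


if __name__ == "__main__":
    scan = parse_nmap(SAMPLE_SCAN)
    print("commonName on 172.16.5.5:", common_names(scan, "172.16.5.5"))
    print("ms-sql-s hosts:", hosts_with_service(scan, "ms-sql-s"))
    print("expired certs as of scan date:", expired_certs(scan, "2025-03-30T00:00:00"))
```

Pointing the parser at a real run (`nmap -sC -sV -oN scan.txt ...`, then `parse_nmap(open("scan.txt").read())`) gives a per-host inventory that a blue team can diff between scans; the expiry check is the kind of finding that the manual read-through above passes over, since the DC's LDAP certificate had lapsed five months before the scan date.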