HTB Administrator

Enumeration

Given credentials

1
Username: Olivia
2
Password: ichliebedich

Port scanning

1
$ nmap -sCV -T4 10.129.214.40
2
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-08 07:40 CDT
3
Nmap scan report for 10.129.214.40
4
Host is up (0.0033s latency).
5
Not shown: 988 closed tcp ports (reset)
6
PORT     STATE SERVICE       VERSION
7
21/tcp   open  ftp           Microsoft ftpd
8
| ftp-syst:
9
|_  SYST: Windows_NT
10
53/tcp   open  domain        Simple DNS Plus
11
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-04-08 19:40:11Z)
12
135/tcp  open  msrpc         Microsoft Windows RPC
13
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
14
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
15
445/tcp  open  microsoft-ds?
16
464/tcp  open  kpasswd5?
17
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
18
636/tcp  open  tcpwrapped
19
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
20
3269/tcp open  tcpwrapped
21
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
22

23
Host script results:
24
| smb2-security-mode:
25
|   3:1:1:
26
|_    Message signing enabled and required
27
| smb2-time:
28
|   date: 2026-04-08T19:40:12
29
|_  start_date: N/A
30
|_clock-skew: 7h00m00s
31

32
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
33
Nmap done: 1 IP address (1 host up) scanned in 16.29 seconds

From this listed port, we know that the server is run on Active Directory. Trying to Enumerating using netexec.

┌─[sg-free-1]─[10.10.15.203]─[htb-mp-2897749@htb-l7hpcxj8do]─[~]
└──╼ [★]$ nxc smb 10.129.20.200 -u Olivia -p 'ichliebedich' --shares

SMB         10.129.20.200   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.129.20.200   445    DC               [+] administrator.htb\Olivia:ichliebedich
SMB         10.129.20.200   445    DC               [*] Enumerated shares
SMB         10.129.20.200   445    DC               Share           Permissions     Remark
SMB         10.129.20.200   445    DC               -----           -----------     ------
SMB         10.129.20.200   445    DC               ADMIN$                          Remote Admin
SMB         10.129.20.200   445    DC               C$                              Default share
SMB         10.129.20.200   445    DC               IPC$            READ            Remote IPC
SMB         10.129.20.200   445    DC               NETLOGON        READ            Logon server share
SMB         10.129.20.200   445    DC               SYSVOL          READ            Logon server share

Seems user Olivia given 3 share, trying to enum bloodhound via nxc LDAP.

1
┌─[sg-free-1]─[10.10.15.203]─[htb-mp-2897749@htb-l7hpcxj8do]─[~]
2
└──╼ [★]$ nxc ldap 10.129.20.200 -u Olivia -p 'ichliebedich' --bloodhound --collection All --dns-server 10.129.20.200
3
SMB         10.129.20.200   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
4
LDAP        10.129.20.200   389    DC               [+] administrator.htb\Olivia:ichliebedich
5
LDAP        10.129.20.200   389    DC               Resolved collection methods: trusts, acl, objectprops, rdp, dcom, container, psremote, session, group, localadmin
6
LDAP        10.129.20.200   389    DC               Done in 00M 01S
7
LDAP        10.129.20.200   389    DC               Compressing output into /home/htb-mp-2897749/.nxc/logs/DC_10.129.20.200_2026-04-09_123834_bloodhound.zip

Open all json extracted into bloodhound web.

Seems olivia user have connection with michael.

Michael have connection with benjamin.

Benjamin users has joined non default group named share moderators.

To be continued