This box is a “Hard” Windows box by HackTheBox
User flag #
usual first scans : #
mkdir scans loot shares
nmap -A 10.129.85.23 -vvv -oA scans/first_scan
nmap -A 10.129.85.23 -vvv -p- -oA scans/full_scan
nmap -sU -A 10.129.85.23 --top-port 100 -vvv -oA scans/first_scan_udp
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-10-07 23:22:01Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2022 16.00.1000.00; RTM
2179/tcp open vmrdp? syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
This looks like a business as usual Windows DC with an MSSQL endpoint. Let’s check that our user works :
The content of this article is currently restricted due to HackTheBox’s policies. This blog post will remain private until the machine is retired.
Have fun and don’t hesitate to DM me to ask questions on Discord (through the HTB Discord), Linkedin or on X ;)
In the meantime you can follow me on HTB :
