Attacker IP: 10.10.14.102 (Kali Linux)
Target IP: 10.10.11.96
Difficulty: Hard
Attack Chain Summary: Web Credential Leak → pgAdmin Authenticated RCE → Docker Container Escape → SSH Lateral Movement → sshuttle Pivot → NFS no_root_squash Vulnerability → Docker CA Takeover → PWM Configuration Manipulation → LDAP Poisoning with Responder → Domain Credential Capture → gMSA Password Retrieval → AD CS Abuse (ESC6/ESC16) → Certificate-based Impersonation → Domain Administrator Access
SECTION 0 - PREPARATION (KALI TERMINAL)
This initial setup phase involves configuring the attacker machine to resolve the target's hostnames. All commands in this section are executed on the Kali Linux machine.
Add Hostnames to Local DNS Resolution
To ensure that the various subdomains hosted by the target can be accessed by their names, their corresponding IP address is added to the /etc/hosts file. This prevents DNS resolution issues during the engagement.
sudo bash -c 'cat >> /etc/hosts <<EOF
10.10.11.96 fries.htb pwm.fries.htb code.fries.htb db-mgmt05.fries.htb
EOF'
SECTION 1 - FULL PORT SCAN & ENUMERATION
With initial setup complete, the next step is to perform comprehensive network reconnaissance on the target machine to identify all open ports and the services running on them.
Full TCP Port Scan
A fast, aggressive scan is launched using nmap to identify every open TCP port on the target machine.
-sS: Performs a TCP SYN ("half-open") scan; it needs raw sockets, which is why the command runs under sudo.
-p-: Scans all 65535 TCP ports instead of nmap's default top 1000.
--min-rate 10000: Forces at least 10,000 packets per second to keep the full-range sweep short. At this rate a lab VPN can drop SYN/ACK replies, so a port missing from the results is not proof it is closed; re-run any suspicious ranges without --min-rate before drawing conclusions.
-oN nmap_full.txt: Saves the output to a text file for later review.
sudo nmap -sS -p- --min-rate 10000 10.10.11.96 -oN nmap_full.txt
Service Enumeration
A follow-up nmap scan is run on the discovered ports to determine the specific services and their versions.
-sC: Runs the default NSE script set to gather more information (SMB/LDAP details, certificate subjects, HTTP titles, and similar).
-sV: Probes open ports to determine service and version info.
-p ...: Specifies the list of open ports found in the previous scan, so the slower script and version probes only touch ports known to be open.
-oN nmap_services.txt: Saves the detailed service output.
sudo nmap -sC -sV -p 22,53,80,88,135,139,389,443,445,464,636,3268,3269,5985 10.10.11.96 -oN nmap_services.txt
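The two scans above are chained by hand: the port list from the first is retyped into the second. The helper below is an added example, not part of the original writeup, that automates that hand-off from nmap's grepable output (-oG) and also diffs a fast scan against a slower re-scan to catch ports that a high --min-rate sweep dropped. The nmap output embedded in it is a constructed sample modelled on the port set found on this target; the extra ports 9999 (filtered) and 49667 are invented for the demonstration only.

```shell
#!/usr/bin/env bash
# Turn nmap -oG output into a -p port list, and compare two scans.
# Added example; the grepable text below is constructed, not a real capture.

SAMPLE_GNMAP='# Nmap 7.94 scan initiated (constructed sample) as: nmap -sS -p- --min-rate 10000 -oG nmap_full.gnmap 10.10.11.96
Host: 10.10.11.96 ()    Status: Up
Host: 10.10.11.96 ()    Ports: 22/open/tcp//ssh///, 53/open/tcp//domain///, 80/open/tcp//http///, 88/open/tcp//kerberos-sec///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 389/open/tcp//ldap///, 443/open/tcp//https///, 445/open/tcp//microsoft-ds///, 464/open/tcp//kpasswd5///, 636/open/tcp//ldapssl///, 3268/open/tcp//globalcatLDAP///, 3269/open/tcp//globalcatLDAPssl///, 5985/open/tcp//wsman///, 9999/filtered/tcp//abyss///    Ignored State: closed (65520)
# Nmap done (constructed sample)'

# Read nmap -oG text on stdin; print a comma-separated, sorted list of
# TCP ports whose state is exactly "open" (filtered/closed are dropped).
open_ports_from_grepable() {
    grep -E '^Host:.*Ports:' \
    | sed -E 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//' \
    | awk -F/ '$2 == "open" && $3 == "tcp" { print $1 }' \
    | sort -n -u \
    | paste -sd, -
}

# $1 = port list from the fast scan, $2 = port list from a slower re-scan.
# Prints ports present in $2 but absent from $1, i.e. what --min-rate lost.
missing_ports() {
    awk -v fast="$1" -v slow="$2" 'BEGIN {
        n = split(fast, f, ","); for (i = 1; i <= n; i++) seen[f[i]] = 1
        m = split(slow, s, ","); out = ""
        for (i = 1; i <= m; i++) if (!(s[i] in seen)) out = (out == "" ? s[i] : out "," s[i])
        print out
    }'
}

# Real usage (not executed here so the example runs offline):
#   sudo nmap -sS -p- --min-rate 10000 10.10.11.96 -oG nmap_full.gnmap
#   PORTS=$(open_ports_from_grepable < nmap_full.gnmap)
#   sudo nmap -sC -sV -p "$PORTS" 10.10.11.96 -oN nmap_services.txt
FAST_PORTS=$(printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_grepable)
echo "Open TCP ports for -p: $FAST_PORTS"

# Constructed second scan that found one extra high RPC port the fast sweep missed.
SLOW_PORTS="$FAST_PORTS,49667"
echo "Ports only seen in the slower re-scan: $(missing_ports "$FAST_PORTS" "$SLOW_PORTS")"
```

Run with -oG alongside -oN (nmap accepts both, or -oA for every format at once); the -oN file stays human-readable for the report while the -oG file feeds the follow-up scan. If missing_ports prints anything, the fast sweep lost replies and the -sC -sV scan should be re-run with the union of both lists.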
Key Findings from Enumeration
The scan results indicate a complex environment with multiple interconnected systems:
Active Directory Domain Controller: Kerberos (88), kpasswd (464), LDAP and LDAPS (389/636), the Global Catalog ports (3268/3269), SMB (445), MSRPC (135) and WinRM (5985) together are the signature of a Windows Domain Controller for the fries.htb domain. DNS on 53 is the domain's own DNS service and is worth querying for additional records.
Web Services: HTTP and HTTPS (80/443) are served for several virtual hosts (pwm.fries.htb, code.fries.htb, db-mgmt05.fries.htb), so each name must be requested with its own Host header to see the application behind it.
Containerization: SSH on 22 is not a stock Windows DC service, and the separate database-management and code-hosting names suggest Linux-hosted applications, likely Docker containers, reachable through the same address rather than running on the DC itself.
This initial analysis points to a multifaceted attack surface involving Active Directory, containerized web applications, and potential developer tooling.