Introduction
Hercules is an Insane-difficulty Windows Active Directory machine that demonstrates a complex attack chain involving LDAP injection, certificate-based attacks (ESC3), shadow credentials, and Resource-Based Constrained Delegation (RBCD). This writeup focuses on understanding each technique and why it works.
Phase 1: Reconnaissance & Enumeration
Initial Port Scan
nmap -sC -sV -p- 10.10.11.91 -oN hercules_scan.txt
Scan started: Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-22 22:24 IST
Target
Hostname: hercules.htb
IP: 10.10.11.91
Host is up (0.43s latency)
Summary
Not shown: 65512 filtered tcp ports (no-response)
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Scan duration: Nmap done: 1 IP address (1 host up) scanned in 990.64 seconds
Open ports & services
| PORT | STATE | SERVICE | VERSION / NOTES |
|---|---|---|---|
| 53/tcp | open | domain | Simple DNS Plus |
| 80/tcp | open | http | Microsoft IIS httpd 10.0 |
| 88/tcp | open | kerberos-sec | Microsoft Windows Kerberos (server time: 2025-10-22 17:10:46Z) |
| 135/tcp | open | msrpc | Microsoft Windows RPC |
| 139/tcp | open | netbios-ssn | Microsoft Windows netbios-ssn |
| 389/tcp | open | ldap | Microsoft Windows Active Directory LDAP (Domain: hercules.htb0., Site: Default-First-Site-Name) |
| 443/tcp | open | ssl/http | Microsoft IIS httpd 10.0 (TLS: http/1.1) |
| 445/tcp | open | microsoft-ds? | (not further identified) |
| 464/tcp | open | kpasswd5? | (not further identified) |
| 593/tcp | open | ncacn_http | Microsoft Windows RPC over HTTP 1.0 |
| 636/tcp | open | ssl/ldap | Microsoft Windows Active Directory LDAP (secure) |
| 3268/tcp | open | ldap | Microsoft Windows Active Directory Global Catalog |
| 3269/tcp | open | ssl/ldap | Microsoft Windows Active Directory Global Catalog (secure) |
| 5986/tcp | open | ssl/http | Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |
| 9389/tcp | open | mc-nmf | .NET Message Framing |
| 49664/tcp | open | msrpc | Microsoft Windows RPC |
| 49668/tcp | open | msrpc | Microsoft Windows RPC |
| 49670/tcp | open | ncacn_http | Microsoft Windows RPC over HTTP 1.0 |
| 49677/tcp | open | msrpc | Microsoft Windows RPC |
| 57846/tcp | open | msrpc | Microsoft Windows RPC |
| 57859/tcp | open | msrpc | Microsoft Windows RPC |
| 57874/tcp | open | msrpc | Microsoft Windows RPC |
| 64369/tcp | open | msrpc | Microsoft Windows RPC |
HTTP / TLS details
Port 80
Server header: Microsoft-IIS/10.0
HTTP title: Did not follow redirect to https://hercules.htb/
Port 443
Server header: Microsoft-IIS/10.0
TLS ALPN: http/1.1
ssl-cert:
Subject: commonName=hercules.htb
Subject Alternative Name: DNS:hercules.htb
Valid from: 2024-12-04T01:34:56 to 2034-12-04T01:44:56
_ssl-date: TLS randomness does not represent time
Port 5986
Server header: Microsoft-HTTPAPI/2.0
TLS ALPN: http/1.1
HTTP title: Not Found
ssl-cert subject: commonName=dc.hercules.htb (see below for full DC cert info)
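The scan above is what identifies the host as a domain controller before anything else is touched. As an added example (not part of the original writeup), here is a small Python parser for nmap normal output that pulls the open ports, recovers the AD domain from the LDAP banner (nmap prints it with a trailing "0." artifact, as seen above), and makes the DC fingerprint explicit; the sample input is constructed from a subset of the lines in the table.

```python
import re

# Constructed sample: a subset of the port lines from the nmap -oN output above.
SCAN = """\
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-22 17:10:46Z)
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: hercules.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP
3268/tcp  open  ldap          Microsoft Windows Active Directory Global Catalog
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
"""

# port/proto  state  service  [version text]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Return {port: (service, version)} for every open port in nmap -oN output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = (m.group(4), m.group(5))
    return ports


def ldap_domain(ports):
    """Extract the AD domain from the LDAP banner, dropping nmap's trailing '0.' artifact."""
    for _service, version in ports.values():
        m = re.search(r"Domain:\s*([^,\s)]+)", version)
        if m:
            domain = m.group(1)
            return domain[:-2] if domain.endswith("0.") else domain
    return None


def role_indicators(ports):
    """Map well-known AD/DC services to open ports so the host's role is explicit."""
    checks = {
        "kerberos": 88 in ports,
        "ldap": 389 in ports or 636 in ports,
        "global_catalog": 3268 in ports or 3269 in ports,
        "smb": 445 in ports,
        "winrm_https": 5986 in ports,       # Microsoft-HTTPAPI on 5986 = WinRM over TLS
        "adws": 9389 in ports,              # .NET Message Framing = AD Web Services
    }
    # Kerberos + LDAP + Global Catalog together is the domain controller signature.
    checks["is_domain_controller"] = checks["kerberos"] and checks["ldap"] and checks["global_catalog"]
    return checks
```

Running it against the full hercules_scan.txt instead of the embedded sample gives the same classification, since the three DC services are all present in the table.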

