Voleur

Setup mkdir -p ~/ctf/HackTheBox/voleur/scans && cd ~/ctf/HackTheBox/voleur IP Address: 10.10.11.76 Add to /etc/hosts (requires sudo): echo "10.10.11.76 voleur.htb" | sudo tee -a /etc/hosts 10.10.11.76 voleur.htb As this is a assumed breach scenario, we are provided with a low privilege account with credentials: ryan.naylor:HollowOct31Nyt Enumeration Fast sweep variant: nmap -sC -sV -p- -T4 --min-rate 2000 -vv voleur.htb -oN ~/ctf/HackTheBox/voleur/scans/nmap_fast_20250814-112058.txt # nmap findings PORT STATE SERVICE REASON 53/tcp open domain syn-ack ttl 127 88/tcp open kerberos-sec syn-ack ttl 127 135/tcp open msrpc syn-ack ttl 127 139/tcp open netbios-ssn syn-ack ttl 127 389/tcp open ldap syn-ack ttl 127 445/tcp open microsoft-ds syn-ack ttl 127 464/tcp open kpasswd5 syn-ack ttl 127 593/tcp open http-rpc-epmap syn-ack ttl 127 636/tcp open ldapssl syn-ack ttl 127 2222/tcp open ssh syn-ack ttl 127 3268/tcp open globalcatLDAP syn-ack ttl 127 3269/tcp open globalcatLDAPssl syn-ack ttl 127 5985/tcp open wsman syn-ack ttl 127 9389/tcp open adws syn-ack ttl 127 49664/tcp open unknown syn-ack ttl 127 49669/tcp open unknown syn-ack ttl 127 55183/tcp open unknown syn-ack ttl 127 55184/tcp open unknown syn-ack ttl 127 55197/tcp open unknown syn-ack ttl 127 55203/tcp open unknown syn-ack ttl 127 55217/tcp open unknown syn-ack ttl 127 Using NetExec and given credentials we enumerate the following: ...