ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.161 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
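As an added example (not code from the original writeup), here is a stand-alone shell version of the port-extraction pipeline above. It differs from the one-liner in one respect: it keeps only ports whose STATE column reads open, so filtered ports do not end up in the follow-up scan. The nmap output it reads is constructed from the scan results in this writeup, not a live scan.

```shell
#!/bin/sh
# Added example: reproduce the "grep | cut | tr | sed" port-extraction
# pipeline as a function, keeping only ports reported as open.
# SAMPLE_NMAP_OUTPUT is constructed for this example from the scan above.

SAMPLE_NMAP_OUTPUT='Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-11 08:48 EDT
Nmap scan report for 10.10.10.161
Host is up (0.19s latency).
PORT      STATE    SERVICE
53/tcp    open     domain
88/tcp    open     kerberos-sec
135/tcp   open     msrpc
389/tcp   open     ldap
445/tcp   open     microsoft-ds
1234/tcp  filtered unknown
5985/tcp  open     http'

# open_ports: read nmap normal output on stdin and print the open TCP/UDP
# ports as one comma-separated list with no trailing comma (the same shape
# the one-liner feeds to "nmap -p$ports").
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
             split($1, p, "/")          # "53/tcp" -> p[1] = "53"
             ports = ports sep p[1]     # sep is empty on the first port
             sep = ","
         }
         END { print ports }'
}

# Usage: pipe saved nmap output through the function.
# Here: 53,88,135,389,445,5985 (the filtered 1234/tcp is dropped)
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | open_ports
```

Feeding the function `nmap -oN` output saved earlier gives the same list the one-liner builds, minus anything nmap marked filtered.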
nmap -p$ports -sC -sV 10.10.10.161
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-11 08:48 EDT
Nmap scan report for 10.10.10.161
Host is up (0.19s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-11 12:55:38Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found

| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2025-06-11T05:56:33-07:00

The machine appears to be a Domain Controller for the htb.local domain. We proceed to add this to our /etc/hosts file.

No website is served. A TTL of 128 indicates a Windows host; a TTL higher than that would point to a router or other network device.
SMB accepts anonymous (null session) login, but no shares are listed.
Port 53 is open, so try a reverse lookup. DNS didn't leak the hostname:

nslookup
> server 10.10.10.161
Default server: 10.10.10.161
Address: 10.10.10.161#53
> 127.0.0.1
1.0.0.127.in-addr.arpa name = localhost.
> 127.0.0.2
** server can't find 2.0.0.127.in-addr.arpa: NXDOMAIN

Port 464 (kpasswd5) is the Kerberos password-change service, another sign of a domain controller.

LDAP
It's worth checking if the LDAP service allows anonymous binds using the ldapsearch tool.
ldapsearch -H ldap://10.10.10.161 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingContexts: DC=DomainDnsZones,DC=htb,DC=local
namingContexts: DC=ForestDnsZones,DC=htb,DC=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
-x requests an unauthenticated simple bind and -s base restricts the query to the top-level entry (the rootDSE); asking for the namingContexts attribute returns the distinguished names of the naming contexts this server manages.
Naming contexts are the top-level entry points for the distinct directory partitions.
The first entry, DC=htb,DC=local, is the domain naming context, the main partition.
Next is the configuration naming context, which holds forest-wide configuration such as AD Sites and Services and is replicated between all domain controllers in the forest.
Next is the schema naming context, a child of the configuration NC, which defines the AD object classes (user, group, ...) and their attributes.
So the server is a domain controller for the htb.local domain, and it exposes directory metadata to anonymous binds.
To see whether anonymous search permissions extend beyond the rootDSE, continue with the domain naming context as the new search base.
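As an added example (not code from the original writeup), the shell functions below parse the LDIF that ldapsearch prints for the namingContexts query, pick out the domain naming context among the five entries, and turn it into the DNS-style domain name and the -b search base for the next query. The LDIF they read is constructed from the output shown above; the selection rule (a DC=-only context that is not a DnsZones application partition) is this example's own heuristic.

```shell
#!/bin/sh
# Added example: derive the domain naming context and domain name from
# ldapsearch's rootDSE output. SAMPLE_LDIF is constructed from the output
# shown in this writeup.

SAMPLE_LDIF='# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#

#
dn:
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingContexts: DC=DomainDnsZones,DC=htb,DC=local
namingContexts: DC=ForestDnsZones,DC=htb,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1'

# naming_contexts: print every namingContexts value from LDIF on stdin,
# one distinguished name per line.
naming_contexts() {
    sed -n 's/^namingContexts: //p'
}

# domain_nc: from naming contexts on stdin, keep the ones that start with a
# DC= component (drops CN=Configuration and CN=Schema), discard the
# DomainDnsZones/ForestDnsZones application partitions, and print the
# shortest remaining DN, which is the domain partition.
domain_nc() {
    grep -i '^DC=' | grep -iv 'DnsZones' |
        awk '{ if (best == "" || length($0) < length(best)) best = $0 }
             END { print best }'
}

# dn_to_domain: DC=htb,DC=local -> htb.local
dn_to_domain() {
    sed 's/[Dd][Cc]=//g; s/,/./g'
}

# Usage: feed saved ldapsearch output instead of SAMPLE_LDIF.
nc=$(printf '%s\n' "$SAMPLE_LDIF" | naming_contexts | domain_nc)
echo "Domain naming context: $nc"
echo "Domain name: $(printf '%s\n' "$nc" | dn_to_domain)"
echo "Search base for the next ldapsearch: -b \"$nc\""
```

The same three functions work on the raw output of `ldapsearch -x -s base namingcontexts` against any server; a result line other than `result: 0 Success` in that output means the anonymous bind itself was refused, which is the outcome a hardened domain controller should produce.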