WriteupsHTB — Hercules
MiscMediumWindows
HTB — Hercules
Windows machine leveraging MSSQL linked server abuse and xp_cmdshell to gain initial foothold, then DPAPI credential decryption for escalation.
October 20, 2025HackTheBox
#MSSQL#Linked Servers#xp_cmdshell#DPAPI
nmap
sh
nmap -sV -sC -p- -Pn 10.10.11.91 -oN nmap 130 ↵
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-20 13:07 EDT
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.01% done
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.13% done
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.47% done
Stats: 0:00:44 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 31.98% done; ETC: 13:09 (0:01:36 remaining)
Nmap scan report for 10.10.11.91
Host is up (0.023s latency).
Not shown: 65512 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to https://10.10.11.91/
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-20 17:09:02Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hercules.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.hercules.htb
| Subject Alternative Name: DNS:dc.hercules.htb, DNS:hercules.htb, DNS:HERCULES
| Not valid before: 2024-12-04T01:34:52
|_Not valid after: 2034-12-02T01:34:52
443/tcp open ssl/http Microsoft IIS httpd 10.0
| tls-alpn:
|_ http/1.1
|_http-title: Hercules Corp
| http-methods:
|_ Potentially risky methods: TRACE
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=hercules.htb
| Subject Alternative Name: DNS:hercules.htb
| Not valid before: 2024-12-04T01:34:56
|_Not valid after: 2034-12-04T01:44:56
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: hercules.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.hercules.htb
| Subject Alternative Name: DNS:dc.hercules.htb, DNS:hercules.htb, DNS:HERCULES
| Not valid before: 2024-12-04T01:34:52
|_Not valid after: 2034-12-02T01:34:52
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hercules.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.hercules.htb
| Subject Alternative Name: DNS:dc.hercules.htb, DNS:hercules.htb, DNS:HERCULES
| Not valid before: 2024-12-04T01:34:52
|_Not valid after: 2034-12-02T01:34:52
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: hercules.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.hercules.htb
| Subject Alternative Name: DNS:dc.hercules.htb, DNS:hercules.htb, DNS:HERCULES
| Not valid before: 2024-12-04T01:34:52
|_Not valid after: 2034-12-02T01:34:52
|_ssl-date: TLS randomness does not represent time
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn:
|_ http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.hercules.htb
| Subject Alternative Name: DNS:dc.hercules.htb, DNS:hercules.htb, DNS:HERCULES
| Not valid before: 2024-12-04T01:34:52
|_Not valid after: 2034-12-02T01:34:52
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
51684/tcp open msrpc Microsoft Windows RPC
54984/tcp open msrpc Microsoft Windows RPC
61785/tcp open msrpc Microsoft Windows RPC
61792/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-10-20T17:10:00
|_ start_date: N/A
|_clock-skew: 1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 207.77 seconds
feroxbuster
sh
[--------------------] - 0s 0/30000 - https://10.10.11.91/Login
[--------------------] - 0s 0/30000 - https://10.10.11.91/Content/js/modal.js
[--------------------] - 0s 0/30000 - https://10.10.11.91/Content/vendors/bootstrap/bootstrap.bundle.js
[--------------------] - 0s 0/30000 - https://10.10.11.91/Content/Assets/advertising-3.png
[--------------------] - 0s 0/30000 - https://10.10.11.91/Content/Assets/about-2.jpgkerbrute
sh
kerbrute userenum -d hercules.htb --dc 10.10.11.91 /usr/share/seclists/Usernames/Names/names.txt -o kerb-results 1 ↵
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 10/20/25 - Ronnie Flathers @ropnop
2025/10/20 13:21:01 > Using KDC(s):
2025/10/20 13:21:01 > 10.10.11.91:88
2025/10/20 13:21:01 > [+] VALID USERNAME: admin@hercules.htb
2025/10/20 13:21:30 > Done! Tested 10177 usernames (1 valid) in 29.000 secondsUp next
MediumOct 2025
HTB — Conversor
Unit conversion web app vulnerable to server-side formula injection, leading to arbitrary OS command execution.
Read writeup
MediumNov 2025
HTB — Giveback
Custom network service with an authentication logic flaw. Protocol reverse engineering reveals a bypass path to root.
Read writeup
MediumNov 2025
HTB — NanoCorp
MSSQL enumeration with credential discovery, followed by Active Directory privilege escalation through ACL misconfigurations.
Read writeup