HTB: axlle Writeup

Machine Information

Attribute	Details
Name	axlle
OS	Windows Server 10.0.20348
Difficulty	Hard
Points	N/A
Release Date	N/A
IP Address	`10.129.12.112`
Host	MAINFRAME.axlle.htb
Domain	AXLLE (axlle.htb)
Author	D3vnomi

Machine Rating

⭐⭐⭐⭐☆ (8.0/10)

Difficulty Assessment:

Enumeration: ⭐⭐⭐⭐☆
Real-world: ⭐⭐⭐⭐☆
CVE: ⭐⭐⭐☆☆
CTF-like: ⭐⭐⭐⭐☆

axlle is a Hard-difficulty Windows machine running Active Directory in a domain environment. The machine hosts multiple services including SMTP, DNS, IIS, and Kerberos. The reconnaissance phase involves comprehensive port scanning, service enumeration, email address discovery, and subdomain enumeration. The exploitation path requires careful enumeration of these services and the AD infrastructure.

TL;DR: Reconnaissance → Service enumeration → [Exploitation path incomplete] → User compromise → Privilege escalation.

Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.12.112

Results:

25/tcp    open  smtp           hMailServer smtpd
53/tcp    open  domain         Simple DNS Plus
80/tcp    open  http           Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec   Microsoft Windows Kerberos
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
389/tcp   open  ldap           Microsoft Windows Active Directory LDAP
445/tcp   open  microsoft-ds   SMB signing: enabled, required
464/tcp   open  kpasswd5       Kerberos password change
593/tcp   open  ncacn_http     Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl        LDAP over SSL
3268/tcp  open  ldap           Microsoft Windows Active Directory Global Catalog
3269/tcp  open  ldapssl        LDAP over SSL Global Catalog
3389/tcp  open  ms-wbt-server  Microsoft Terminal Services (RDP)
9389/tcp  open  mc-nmf         .NET Message Framing
49664/tcp open  msrpc          Microsoft Windows RPC
49668/tcp open  msrpc          Microsoft Windows RPC
56807/tcp open  ncacn_http     Microsoft Windows RPC over HTTP 1.0

Service Enumeration

Hostname: MAINFRAME.axlle.htb

echo "10.129.12.112 axlle.htb MAINFRAME.axlle.htb" >> /etc/hosts

Services Identified:

SMTP (Port 25): hMailServer smtpd - Supports AUTH LOGIN, SIZE 20480000
DNS (Port 53): Simple DNS Plus
HTTP (Port 80): Microsoft IIS 10.0 - “Axlle Development”
- Technologies: Bootstrap 5.1.3, Font Awesome, Google Font API, jsDelivr CDN
Kerberos (Port 88): Windows Kerberos authentication
LDAP (Ports 389, 3268): Active Directory - Domain: axlle.htb0. (with trailing dot)
RDP (Port 3389): Terminal Services available

SMTP Enumeration

telnet 10.129.12.112 25

Discovered Commands:

SIZE 20480000
AUTH LOGIN
HELP

Email Enumeration

The following email addresses were discovered or confirmed:

Web Application Enumeration

gobuster dir -u http://axlle.htb -w /usr/share/wordlists/dirb/common.txt
gobuster vhost -u http://axlle.htb -w /usr/share/wordlists/subdomains-top1million-5000.txt

Findings: [Notes incomplete - specific directories and subdomains not documented in source notes]

LDAP Enumeration

Active Directory LDAP is accessible on ports 389 and 3268. The domain structure uses the distinguished name format with a trailing dot (axlle.htb0.).

SMB Information:

SMB signing is enabled and required
Standard RPC services available on dynamic ports

Initial Foothold

[Notes incomplete - exploitation path not documented in source notes]

Reconnaissance Summary

The enumeration phase successfully identified:

Active Directory infrastructure with Kerberos and LDAP services
SMTP service with enumerated user accounts
IIS web server hosting the Axlle Development application
Multiple valid email addresses for further targeting
SMB services with signing requirements

Next Steps (from notes): Directory browsing, subdomain fuzzing, and credential enumeration required to identify exploitation vector.

cat ~/user.txt

🚩 User Flag: [Not obtained - exploitation path incomplete]

Privilege Escalation

[Notes incomplete - exploitation path not documented in source notes]

Enumeration Commands

Once user access is obtained:

whoami /priv
net user
systeminfo
Get-ADUser -Filter * -Properties *

Exploitation (Root/Administrator)

The specific privilege escalation technique is not documented in the source notes.

Root Flag

cat C:\Users\Administrator\Desktop\root.txt

🚩 Root Flag: [Not obtained - exploitation path incomplete]

Attack Chain Summary

Based on the reconnaissance phase:

Reconnaissance
  ├── Port Scanning (nmap)
  ├── Service Enumeration
  ├── SMTP Enumeration (Email discovery)
  ├── Web Application Enumeration (gobuster)
  ├── LDAP/AD Enumeration
  └── SMB Information Gathering
           ↓
  [Exploitation Path - Not Documented]
           ↓
  User Compromise
           ↓
  Privilege Escalation to Administrator

Tools Used

Tool	Purpose
`nmap`	Port scanning and service fingerprinting
`gobuster`	Directory and subdomain enumeration
`hydra`	Online brute-force attacks (potential use)
`telnet`	SMTP banner grabbing and enumeration
`ldapsearch`	LDAP directory enumeration (potential)

Key Learnings

Windows Server environments with Active Directory present multiple enumeration vectors (LDAP, Kerberos, SMTP, RPC).
Email enumeration through SMTP can provide valid usernames for further attacks.
SMTP services often expose user information through AUTH mechanisms and VRFY/EXPN commands.
SMB signing requirements affect lateral movement tactics.
IIS web applications often reveal technology stacks (Bootstrap, CDN usage) that can inform further analysis.

Author

D3vnomi

Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.

Last Updated: 08 Mar 2026

Tags: #HackTheBox #Windows #ActiveDirectory #Hard