HTB: Infiltrator Writeup

Machine Information
| Attribute | Details |
|---|---|
| Name | Infiltrator |
| OS | Windows Server 2019 (10.0.17763) |
| Difficulty | Hard |
| Points | N/A |
| Release Date | N/A |
| Domain | infiltrator.htb / inflitrator.htb |
| DC | dc01.infiltrator.htb |
| Domain SID | S-1-5-21-2606098828-3734741516-3625406802 |
| Author | D3vnomi |
Machine Rating
⭐⭐⭐⭐☆ (8.0/10)
Difficulty Assessment:
- Enumeration: ⭐⭐⭐⭐☆
- Real-world: ⭐⭐⭐⭐☆
- CVE: ⭐⭐⭐⭐☆
- CTF-like: ⭐⭐⭐⭐☆
Summary
Infiltrator is a Hard-difficulty Windows Server 2019 domain controller. The work documented here covers reconnaissance of the domain environment, web application enumeration, and vulnerability assessment. The host runs IIS 10.0 and serves the TemplateMo Breezed template. The notes identify CVE-2024-21307 and domain-based attack vectors as the candidate exploitation paths; the engagement itself focused on reconnaissance, subdomain discovery, web vulnerability testing, and Active Directory enumeration.
TL;DR: Domain enumeration → Web reconnaissance → Vulnerability assessment → [Exploitation path not yet documented].
Reconnaissance
Port Scanning
```bash
nmap -sC -sV -T4 -p- infiltrator.htb
```
Results (open ports identified):
```text
53/tcp    open  domain          DNS
80/tcp    open  http            IIS 10.0
88/tcp    open  kerberos-sec    Active Directory
135/tcp   open  epmap           RPC Endpoint Mapper
139/tcp   open  netbios-ssn     SMB over NetBIOS
389/tcp   open  ldap            LDAP - Active Directory
445/tcp   open  microsoft-ds    SMB
464/tcp   open  kpasswd5        Kerberos Password Change
593/tcp   open  http-rpc-epmap  HTTP RPC Endpoint Mapper
636/tcp   open  ldapssl         LDAP over SSL
3268/tcp  open  ldap            Global Catalog
3269/tcp  open  ldapssl         Global Catalog SSL
3389/tcp  open  ms-wbt-server   RDP - Remote Desktop
```
Service Enumeration
Hostnames: infiltrator.htb, inflitrator.htb, dc01.infiltrator.htb
```bash
echo "[IP] infiltrator.htb inflitrator.htb dc01.infiltrator.htb" >> /etc/hosts
```
Web Server: IIS 10.0 on port 80
Template: TemplateMo Breezed Template
Users Discovered:
- David Anderson
- Olivia Martinez
- Kevin Turner (QA)
- Amanda Walker
- Marcus Harris (Dev)
- Lauren Clark
- Ethan Rodriguez
- administrator@infiltrator.htb
Subdomain & DNS Enumeration
Tools used: ffuf, gobuster, autorecon, katana
```bash
ffuf -w /path/to/wordlist -u http://infiltrator.htb -H "Host: FUZZ.infiltrator.htb"
gobuster dns -d infiltrator.htb -w /path/to/wordlist
```
Web Application Testing
Paths Tested:
- LFI testing on various paths (no successful exploitation documented)
- SQLi testing on the /?q= parameter with sqlmap
- XSS testing on the /?q= parameter with multiple payloads and xsser
- Burp Suite for manual testing
Results: No successful exploitation path documented in reconnaissance notes.
Active Directory Enumeration
Tools used: ldapsearch, crackmapexec, enum4linux, kerbrute
```bash
ldapsearch -x -H ldap://infiltrator.htb -b "dc=infiltrator,dc=htb"
crackmapexec ldap infiltrator.htb -u '' -p ''
enum4linux infiltrator.htb
# kerbrute takes the domain and DC as flags; the wordlist is the positional argument
kerbrute userenum -d infiltrator.htb --dc dc01.infiltrator.htb /path/to/userlist
```
Domain Information:
- Domain: infiltrator.htb
- Domain Controller: dc01.infiltrator.htb
- Domain SID: S-1-5-21-2606098828-3734741516-3625406802
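As an added defender-side example (not part of the original notes), the following Python script shows how a kerbrute-style user enumeration like the one run above appears in the domain controller's Security log: a burst of Kerberos TGT requests (event ID 4768) failing with status 0x6 from a single client. The log lines, client addresses, account names and times are constructed for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Status 0x6 in a 4768 (TGT requested) event is KDC_ERR_C_PRINCIPAL_UNKNOWN: the account
# does not exist. A burst of these from one client is the footprint of wordlist user enumeration.
UNKNOWN_PRINCIPAL = "0x6"
# Constructed sample of Security log events exported as JSON lines (hosts, names and times invented).
SAMPLE_LOG = """\
{"EventID": 4768, "TimeCreated": "2026-03-08T10:00:01", "TargetUserName": "o.martinez", "IpAddress": "::ffff:10.10.10.30", "Status": "0x0"}
{"EventID": 4768, "TimeCreated": "2026-03-08T10:00:05", "TargetUserName": "aaron", "IpAddress": "::ffff:10.10.14.99", "Status": "0x6"}
{"EventID": 4768, "TimeCreated": "2026-03-08T10:00:05", "TargetUserName": "abby", "IpAddress": "::ffff:10.10.14.99", "Status": "0x6"}
{"EventID": 4768, "TimeCreated": "2026-03-08T10:00:06", "TargetUserName": "adam", "IpAddress": "::ffff:10.10.14.99", "Status": "0x6"}
{"EventID": 4768, "TimeCreated": "2026-03-08T10:00:07", "TargetUserName": "alex", "IpAddress": "::ffff:10.10.14.99", "Status": "0x6"}
{"EventID": 4768, "TimeCreated": "2026-03-08T10:00:07", "TargetUserName": "alice", "IpAddress": "::ffff:10.10.14.99", "Status": "0x6"}
{"EventID": 4768, "TimeCreated": "2026-03-08T10:07:30", "TargetUserName": "d.andersn", "IpAddress": "::ffff:10.10.10.31", "Status": "0x6"}
"""

def parse_events(text):
    """Parse JSON-lines events; 4768 reports IPv4 clients in ::ffff: mapped form, so strip it."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["TimeCreated"])
            e["IpAddress"] = e["IpAddress"].removeprefix("::ffff:")
            events.append(e)
    return events

def detect_user_enumeration(events, window=timedelta(seconds=60), threshold=5):
    """Return {client_ip: sorted probed names} for clients with >= threshold 0x6 failures in one window."""
    by_ip = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4768 and e.get("Status") == UNKNOWN_PRINCIPAL:
            by_ip[e["IpAddress"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda x: x["ts"])
        start = 0
        for end in range(len(evs)):  # sliding window over this client's failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:  # one typo from a workstation never trips this
                findings[ip] = sorted({x["TargetUserName"] for x in evs})
                break
    return findings

if __name__ == "__main__":
    for ip, names in detect_user_enumeration(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {len(names)} unknown accounts requested, e.g. {names[:3]}")
```

Tune `window` and `threshold` to the normal rate of mistyped usernames in the environment; the single 0x6 from 10.10.10.31 shows a typo alone does not alert.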
Vulnerability Assessment
Identified Vulnerabilities:
- CVE-2024-21307 — RDP-related vulnerability (requires further exploitation steps)
- LFI vectors identified but not successfully exploited
- SQLi parameter identified (/?q=) but no successful injection confirmed
- XSS vectors identified but no confirmed exploitation path
Initial Foothold
Exploitation Path
[Notes incomplete - exploitation path not documented in source notes]
The reconnaissance phase identified multiple potential vectors:
- CVE-2024-21307 on RDP service (port 3389)
- Web application vulnerabilities (SQLi, XSS, LFI)
- Active Directory credentials or misconfigurations
- LDAP enumeration for credential spray attacks
Further testing required to determine which vector leads to initial access.
User Compromise
Credential Discovery
[Notes incomplete - exploitation path not documented in source notes]
Potential credential sources identified during reconnaissance:
- Domain user accounts enumerated via LDAP
- User names discovered on website
- Configuration files in web application
- Active Directory credential spray candidates
User Flag
[Notes incomplete - user access not achieved during reconnaissance phase]
Privilege Escalation
Enumeration
[Notes incomplete - exploitation path not documented in source notes]
Once initial access is achieved, standard Windows/AD privilege escalation enumeration would apply:
```powershell
whoami /priv
net user
systeminfo
Get-ADUser -Filter * | Select-Object name
```
Exploitation (Root/Administrator)
[Notes incomplete - privilege escalation path not documented in source notes]
Potential privilege escalation vectors in Active Directory environments:
- Kerberoasting attacks on service accounts
- AS-REP roasting for users with UF_DONT_REQUIRE_PREAUTH
- Unconstrained/constrained delegation abuse
- Domain controller misconfigurations
- Local privilege escalation through kernel exploits
Root Flag
[Notes incomplete - domain administrator access not achieved during reconnaissance phase]
Attack Chain Summary
```text
Reconnaissance Phase (Completed):
├── Port Scanning (nmap)
├── DNS/Subdomain Enumeration (ffuf, gobuster)
├── Web Application Enumeration (autorecon, katana)
├── Active Directory Enumeration (ldapsearch, crackmapexec, enum4linux, kerbrute)
├── User Discovery (website scraping, LDAP enumeration)
├── Web Vulnerability Testing (SQLi, XSS, LFI)
└── CVE Assessment (CVE-2024-21307 identified)

Exploitation Phase (Incomplete):
├── Initial Foothold [Not documented]
├── User Compromise [Not documented]
└── Privilege Escalation [Not documented]
```
Tools Used
| Tool | Purpose |
|---|---|
| nmap | Port scanning and service fingerprinting |
| autorecon | Automated reconnaissance and enumeration |
| katana | Web crawling and endpoint discovery |
| cewl | Custom wordlist generation from website content |
| ffuf | Web fuzzing and subdomain enumeration |
| gobuster | Directory and DNS enumeration |
| ldapsearch | LDAP directory querying |
| crackmapexec | Network protocol exploitation and enumeration |
| enum4linux | SMB and RPC enumeration |
| kerbrute | Kerberos user enumeration |
| sqlmap | SQL injection testing |
| xsser | XSS vulnerability testing |
| Burp Suite | Web application testing and interception |
Vulnerability Reference
| # | Vulnerability | Component | Severity | Impact |
|---|---|---|---|---|
| 1 | CVE-2024-21307 | Application | High | Exploitation vector |
Key Learnings
- Domain controllers expose extensive attack surface through DNS, LDAP, SMB, and Kerberos services.
- Multi-method enumeration is essential: combine DNS tools, web crawlers, and directory queries to build complete asset inventory.
- User enumeration through LDAP and website scraping creates targeted credential spray wordlists.
- Active Directory enumeration requires both anonymous and authenticated approaches (via ldapsearch, crackmapexec, enum4linux, kerbrute).
- Web application testing should include parameter fuzzing (SQLi, XSS, LFI) even on seemingly simple interfaces.
- CVE-2024-21307 on RDP services may provide initial access vectors on Windows systems.
- Reconnaissance completeness is critical — exploitation success depends on thoroughly identifying all potential entry points.
Author
D3vnomi
Disclaimer
This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.
Last Updated: 08 Mar 2026
Tags: #HackTheBox #Windows #Hard #CVE-2024-21307