Pathfinder Walkthrough
After the Shield Walkthrough, Here I'm with Pathfinder box and this is the last box you can play if you are a free member on HTB platform. Let's hack and grab the flags.
Last updated
Was this helpful?
After the Shield Walkthrough, Here I'm with Pathfinder box and this is the last box you can play if you are a free member on HTB platform. Let's hack and grab the flags.
Last updated
Was this helpful?
As I mentioned before, the starting point machines are a series of 9 easily rated machines that should be rooted in sequence. So it means, if you need to go through this box, first of all you must have a complete machine.
Enough talks, 🥱 Let’s Get It Started 🐱💻
Disclaimers: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedure to grab the flags! 🐱👤
To start machine, just click "Join Machine".
Then you can see the IP address for that machine. Usually it is 10.10.10.30
🤠
Before going enumeration steps we can simply ping to the IP address and check our VPN connection and whether the machine is alive. Sometimes the machines might "Disable" ping requests from passing through the firewall. But in most cases ping will be a success! 🙂
As usual, run Nmap fast scan for all TCP ports to identify the ports which are open.
Here is the output 👇
This is why I recommend to scan all the ports. Here you can see there are so many ports open and by looking at the open ports (ldap,kpasswd5 & kerberos
) we can definitely say that this machine is an Active Directory machine. We haven't touched that area before. Sharp your Active Directory enumeration skills, it will worth if you are willing to try Red Team activities.
To get the best result, we can run the Nmap Scripting Engine
for all open ports. Now we know all of the open ports and therefore we can point out and run the script engine as fast as possible.
Here is the output, 👇👇
There are 5 accounts here. Guest, Administrator
and krbtgt
accounts are the default accounts. sandra
and svc_bes
accounts are user created ones. As you can see, I highlighted the svc_bes
account because it has enabled theDONT_REQ_PREAUTH
flag.
Now I'll simply explain what the kerberos authentication is. If you need to know what DONT_REQ_PREAUTH
flag means, you must understand the kerberos authentication before.
Type below commands to grab the request ticket.
Output will be like this. 👇👇
We got the password for svc_bes
!!!
svc_bes : Sheffield19
Now, don't you have a question ❓ We already have the username and password for user sandra. Why didn't we use it? It's because there is nothing inside that account. It's just a simple user account.
Let's run the tool for svc_bes account.
So we got the user flag. Now, time to escalate privileges.
Here is the output. 👇👇
First, copy the above Administrator's hash without triple colon (:::) at the end and then type this.
We got the root flag too!!. 🧐🧐
Then we can run that file by typing .\mcat
And then run the lsadump::sam
command.
Here is the hash : 7facdc498ed1680c4fd1448319a8c04f
The password is : Password!
Finally we are done. and from here you must have VIP or VIP+ membership to play with other boxes.
Okay... I’ll see you on the next box! 🙋♂️🙋♂️
Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. [Copied from ]
As it is an Active Directory machine, our enumeration steps will be different. ldap enumeration is pretty cool if you use because it gives us graphical information. But it's already done in official writeup. So let's begin with my way. 😎😎
Nmap tells us the domain (Domain: MEGACORP
) we are in. And don't forget we had some credentials from machine. sandra:Password1234!
First we can tryout with tool. Let's start.
As you can see there are a lot of HTML files here. Among them, first I choose domain_users.html
You can view through it from the browser. But instead of that, I will use tool. You can simply install it by typing sudo apt-get install html2text
. However the result will be like this. 👇👇
This draft shows you how the normal authentication process. But if DONT_REQ_PREAUTH
flag is set, second and third steps of the process can be missed. That means you can directly request the service ticket. Click if you need more information about kerberos authentication.
Now we are going to use GetNPUsers.py
script to grab the request service ticket.
We grabbed the ticket. Now it's time to powerup and crack the hash. First of all copy that hash to file then run the john.🤠🤠
Now since we have the username and password, we can use tool. You can simply install it by typing gem install evil-winrm
and hit enter, then the tool will be installed to your machine. 😎😎
Now we are going to perform and dump the NTLM hashes of all domain users using the Impacket's script. 😈😈 Let's try it.
As you can see, We have NTLM hash for the Administrator account. We can use this to perform Pass The Hash attack and gain elevated access to the system. Also we can use Impacket's for this too.
See how helps us during this machine. Give respect to the . 🙋♂️🙋♂️
Since these boxes are all connected, we are going to grab the local admin hash too. So let’s upload You can download mimikatz
tool from and upload it to the box using python demon web server.
You can decode it through the site.
Find me on