Hackthebox - Retired- Cascade Recon As usual I start with a simple UP/Down scan on all TCP ports. $ nmap -T4 -p- -oX ./nmapb.xml cascade.htb Hmmm… don't know if this is because it's a new box or intentional, but my normal nmap scan gets nada. I took its advice and added the -Pn $ nmap -T4 -p- -Pn -oX ./nmapb.xml 10.10.10.182 Then converted that to HTML A bunch of open ports DNS, LDAP, net bios, winRM Let's repeat the scan with the -A switch to try all the things :) on the ports we found nmap -T4 -p53,88,135,139,389,445,646,3268,3269,5985,49154,49155,49157,49158,49173 -A -Pn -oX ./nmapf.xml cascade.htb Then I'll convert that to HTML too Ok so let's see what we can find poking around the services we see Let's start with smb It let me login in anonymous but no share for me.. But as for RPC.. We got some data We got back a list of domain users CascGuest arksvc s.smith r.thompson util j.wakefield s.hickson j.goodhand a.turnbull e.crowe b.hanson d.burman BackupSv
@circusmonkey404 on the twitters; DM for contact