Hercules

HackTheBox Hercules machine writeup — reconnaissance and enumeration walkthrough.

Phase 1: Reconnaissance & Enumeration

Initial Port Scan

nmap -p- -sCV -T4 10.10.11.91 -oN nmap_full.txt

Key Findings:

  • Port 53 (DNS): Domain Controller
  • Port 88 (Kerberos): Authentication service
  • Port 389/636 (LDAP/LDAPS): Directory services
  • Port 443 (HTTPS): Web application at https://hercules.htb
  • Port 5986 (WinRM SSL): Remote management

Learning Point: These ports indicate a Windows Active Directory Domain Controller. The presence of HTTPS suggests a web application integrated with AD authentication.

Host Configuration

# Add to /etc/hosts (DC hostname MUST come first for Kerberos SPN resolution)
echo "10.10.11.91 dc.hercules.htb hercules.htb" | sudo tee -a /etc/hosts

Why this order matters: When LDAP/Kerberos clients resolve hostnames, the PRIMARY hostname (the first name listed for the IP) determines the Service Principal Name (SPN) they request. ldap/dc.hercules.htb@HERCULES.HTB will work, but ldap/hercules.htb@HERCULES.HTB will fail.
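A quick way to verify the ordering before running any Kerberos-aware tool, as an added example that is not part of the original writeup. The function names and sample files are constructed for illustration, and the script assumes the usual hosts-file behaviour where the first line listing the IP wins, which is why a stale earlier entry defeats a line appended with tee -a.

```shell
#!/bin/sh
# Added example: check which name a hosts file makes canonical for an IP.
# Assumption: the first non-comment line listing the IP wins, and the first
# name on that line is the canonical one (the usual hosts-file behaviour).

# canonical_name HOSTS_FILE IP -> prints the canonical name, or nothing
canonical_name() {
    awk -v ip="$2" '
        { sub(/#.*/, "") }                      # strip trailing comments
        $1 == ip && NF >= 2 { print tolower($2); exit }
    ' "$1"
}

# spn_for SERVICE HOSTS_FILE IP REALM -> prints service/host@REALM
spn_for() {
    host=$(canonical_name "$2" "$3")
    [ -n "$host" ] || return 1
    printf '%s/%s@%s\n' "$1" "$host" "$4"
}

# check_hosts HOSTS_FILE IP EXPECTED_FQDN
# returns 0 = expected name is canonical, 1 = another name wins, 2 = IP absent
check_hosts() {
    host=$(canonical_name "$1" "$2")
    [ -n "$host" ] || return 2
    [ "$host" = "$3" ] || return 1
}

# Constructed sample files (not taken from the target or the original post).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '127.0.0.1 localhost\n10.10.11.91 dc.hercules.htb hercules.htb\n' > "$tmp/good"
printf '10.10.11.91 hercules.htb dc.hercules.htb  # wrong order\n' > "$tmp/swapped"
# A stale line followed by the line appended with tee -a: the stale line still wins.
printf '10.10.11.91 hercules.htb\n10.10.11.91 dc.hercules.htb hercules.htb\n' > "$tmp/stale"

for f in good swapped stale; do
    if check_hosts "$tmp/$f" 10.10.11.91 dc.hercules.htb; then verdict=ok; else verdict=FIX; fi
    printf '%-8s %-4s %s\n' "$f" "$verdict" "$(spn_for ldap "$tmp/$f" 10.10.11.91 HERCULES.HTB)"
done
```

Point check_hosts at /etc/hosts to test the real file; a return code of 1 means an existing line needs to be edited rather than another one appended.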



This post is licensed under CC BY 4.0 by the author.