Alright, let’s talk about Hercules. This box was a mix of “aha” moments and “why the hell isn’t this working” moments. It starts with some web trickery and ends with a headache-inducing AD chain. Here’s how I tore it apart.
Phase 1: The Recon
Started with the usual Nmap scan. We’ve got a Domain Controller here (Port 88, 389, 445) and a Web Server (Port 80/443).
# Nmap Scannmap -sC -sV -oA hercules 10.10.11.91
# Directory Brute Forcegobuster dir -u https://hercules.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
I saw port 88 open, so my first instinct was to spray usernames. I grabbed a list and ran kerbrute. It spit back a few valid users: admin, administrator, and auditor. Good to know, but no passwords yet.
# User Enumeration (Kerbrute)kerbrute userenum -d hercules.htb --dc 10.10.11.91 users_kerb.txt
Phase 2: The Web & The Custom Tool
I hit the web server on port 443. It’s a generic corporate static page.
Tip (IIS)
I’m using Wappalyzer to enumerate the technologies used on the website.
Found login page at /login using gobuster.
