Hercules HTB Walkthrough

Welcome to another Hack the Box walkthrough. In this blog post, I have demonstrated how I owned the Hercules machine on Hack the Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cyber security jobs.

You can also test and grow your penetration testing skills, from gathering information to reporting. If you are new to this blog, please do not forget to like, comment and subscribe to my YouTube channel and follow me on LinkedIn for more updates.

About the Machine

Hercules is an Insane level Windows machine on Hack the Box

The first step in owning the Hercules machine like I have always done in my previous writeups is to connect my Kali Linux terminal with Hack the Box server. To establish this connection, I ran the following command in the terminal:

sudo openvpn hercules.ovpn

Once the connection between my terminal and Hack the Box server has been established, I started the Hercules machine and I was assigned an IP address 10.10.11.91.

Enumeration with Nmap

I started the enumeration phase by running a comprehensive Nmap scan against the target machine to identify open ports, running services, and potential attack surfaces:

nmap -sCV -A 10.10.11.91

The scan results revealed that the target is a Windows Server machine, most likely part of a domain environment based on the number of Active Directory-related services running. The domain name hercules.htb was also clearly indicated in several service banners and SSL certificates.

Recon: name resolution and web enumeration

The Nmap output made it obvious we’re dealing with an Active Directory domain called hercules.htb and a host named dc.hercules.htb. To make interacting with the HTTPS site straightforward I added both names to my /etc/hosts:

sudo nano /etc/hosts

I saved the changes and exited the /etc/hosts configuration screen.

Reading krb5.conf - Kerberos configuration confirms the domain controller

I opened the Kerberos config on my machine to see how the target domain was being resolved locally:

nano /etc/krb5.conf

I added the following in the krb5.conf file so as to confirm the exact Kerberos realm (HERCULES.HTB) and pointed it directly to dc.hercules.htb as the KDC/admin server while disabling DNS discovery. That made our Kerberos enumeration deterministic - we could target the DC directly (or use its IP) with Impacket tools to check for AS-REP and Kerberoastable accounts.

Kerberos user enumeration with kerbrute

To enumerate valid domain accounts via Kerberos, I ran kerbrute against the domain controller. This tool attempts Kerberos AS-REQs for each username in the supplied wordlist and detects which accounts exist based on the responses (without needing passwords):

If you have difficulties running kerbrute command, you can check my Medium post on how to install Kerbrute here.

KDC revealed multiple valid accounts, notably several admin/administrator variants, an auditor account, and a user will.s. These confirmed usernames give us targets for AS-REP roasting, Kerberoasting, and carefully throttled password spraying.

Generating username permutations for brute-forcing

After some enumeration I needed a larger username list derived from the short names I already had. I ran a one-liner that expands each base name into 26 variants (name.a → name.z) and writes the result back to disk:

awk '/^[[:space:]]*$/ {next} { gsub(/^[ \t]+|[ \t]+$/,""); for(i=97;i<=122;i++) printf "%s.%c\n", $0, i }' /home/boltech/Desktop/HerculesHTB/names.txt | sudo tee /home/boltech/Desktop/HerculesHTB/names.txt > /dev/null && echo "Created: /home/boltech/Desktop/HerculesHTB/names.txt"

d

Web enumeration - browsing the site and running directory fuzzing

I started by manually browsing https://hercules.htb/. The landing page is a polished IIS-hosted site with five visible links in the nav: Our Services, About Us, Portfolio, Blog, Contact.

I clicked through all of them and didn’t find any obvious application functionality, upload points, or leaked configuration - nothing that immediately looked like a foothold.

asdf

asdf

asdf

f

Because the visible pages were unhelpful, I moved to automated directory discovery using dirb against the HTTPS host:

dirb https://hercules.htb

asdf

Login page rate-limiting - what I did and what it means

After finding /Login with dirb I inspected the form and tried a few password guesses to see how the application responded. I intentionally submitted repeated invalid logins to check whether the site would allow brute-forcing.

The /Login endpoint enforces rate limiting: after roughly ten failed attempts the server responds with 429 Too Many Requests and blocks further attempts for ~30 seconds (the page displays a countdown). This makes fast web brute-force ineffective

asdf

i

j

k

l

m

n

o

asdf

p

q

r

s

t

u

v

w

x

y

z