Myles Nieman

Playground

Overview

Playground is a hard Windows Active Directory box. The session documented here is primarily an enumeration exercise — the notes cover SMB null-session testing, kerbrute username enumeration, RPC endpoint mapping, and share discovery, but do not reach initial access. The domain is playground.htb, served by a domain controller at 10.129.231.63, the host targeted throughout.

Path (partial): SMB null session → share enumeration → backup/web shares → (foothold not reached in this session)

Enumeration

The initial scan confirms a Windows DC fingerprint — DNS, Kerberos, LDAP, SMB, and RPC on the standard domain controller ports.

Nmap scan confirming a Windows domain controller

Additional nmap detail or service version output

The domain name is confirmed as playground.htb.

SMB Enumeration

enum4linux with no credentials fails to enumerate domain users:

enum4linux with no credentials returning no domain users

A null session to IPC$ is possible:

SMB null session to IPC$ confirmed

IPC$ null session detail

Trying the % username trick with enum4linux allows more extensive enumeration — though the returned users are local accounts rather than domain accounts:

enum4linux with % username returning local accounts, not domain users

Username Enumeration

Kerbrute against the domain controller starts returning a very large list of valid users:

kerbrute username enumeration running against playground.htb

kerbrute returning a large number of valid usernames

The enumeration is stopped due to the volume of results — the box likely has a broad AD user base requiring a targeted approach.

RPC Endpoint Mapping

impacket-rpcmap enumerates exposed RPC interfaces — the output is extensive but highlights several interesting interfaces:

$ impacket-rpcmap ncacn_ip_tcp:10.129.231.63

The RPC endpoint mapper is then scanned with Metasploit’s auxiliary/scanner/dcerpc/endpoint_mapper module for a more structured view. Notable endpoints include:

  • 12345678-1234-abcd-ef00-0123456789ab — the spoolss (Print Spooler) UUID, which the Potato family of exploits targets
  • e3514235-4b06-11d1-ab04-00c04fc2dcd2 — MS NT Directory DRS Interface (used by DCSync)

RPC UUID associated with the Potato exploit family

RPC endpoint mapping — spoolss and DRS interfaces visible
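As an added defender-side example (not part of the original notes), the following Python script pulls interface UUIDs out of endpoint-mapper text and flags the two interfaces the writeup calls out, leaving everything else in an "unreviewed" list so it gets looked up rather than ignored. The KNOWN_INTERFACES table and the triage function are assumptions of this example, and the sample output is constructed to resemble impacket-rpcmap's format rather than captured from the box.

```python
import re

# Interfaces the writeup calls out, keyed by lower-case UUID; the notes are defender-side.
KNOWN_INTERFACES = {
    "12345678-1234-abcd-ef00-0123456789ab": (
        "spoolss (Print Spooler)",
        "PrinterBug coercion surface; the Spooler service is rarely needed on a DC",
    ),
    "e3514235-4b06-11d1-ab04-00c04fc2dcd2": (
        "MS-DRSR (Directory Replication Service)",
        "DCSync-capable; audit which principals hold replication rights on the domain",
    ),
}

UUID_RE = re.compile(r"\b[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\b", re.IGNORECASE)

def extract_uuids(text):
    """Return the unique interface UUIDs in text, lower-cased, in first-seen order."""
    seen = []
    for uuid in (m.lower() for m in UUID_RE.findall(text)):
        if uuid not in seen:
            seen.append(uuid)
    return seen

def triage(text):
    """Return (flagged, unreviewed): flagged maps known UUIDs to (name, note),
    unreviewed lists every other UUID so it is looked up rather than ignored."""
    flagged, unreviewed = {}, []
    for uuid in extract_uuids(text):
        if uuid in KNOWN_INTERFACES:
            flagged[uuid] = KNOWN_INTERFACES[uuid]
        else:
            unreviewed.append(uuid)
    return flagged, unreviewed

# Constructed sample shaped like impacket-rpcmap's Protocol/Provider/UUID blocks; not real data.
SAMPLE_OUTPUT = """\
Protocol: N/A
Provider: N/A
UUID: 12345678-1234-ABCD-EF00-0123456789AB v1.0
Protocol: [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol
Provider: ntdsai.dll
UUID: E3514235-4B06-11D1-AB04-00C04FC2DCD2 v4.0
UUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee v1.0
"""

if __name__ == "__main__":
    for uuid, (name, note) in triage(SAMPLE_OUTPUT)[0].items():
        print(f"[!] {uuid}  {name}: {note}")
```

Feeding it the real rpcmap or Metasploit endpoint_mapper output is the same call; only the table of interfaces worth flagging needs to grow.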

Share Enumeration

Share enumeration with a null session reveals backup and web shares as potentially accessible:

SMB share listing with backup and web shares identified

SID enumeration via brute force adds further context:

SID enumeration output identifying local and domain groups

Continued SID enumeration output

Final SID enumeration results

Additional RPC interface analysis:

RPC interface analysis — 99fc UUID noted as interesting

Full Metasploit endpoint_mapper scan output

Endpoint mapper results — LiveIdSvc and other interfaces

Endpoint mapper results continued

Endpoint mapper results — final entries

Notes

Thin notes — no foothold reached. The session covers thorough enumeration through kerbrute, RPC mapping, SID brute-forcing, and share discovery, but the notes end without authenticating to the box or accessing any of the identified shares. The backup and web shares are flagged as the most promising next targets.

Takeaways

  • RPC endpoint mapping reveals attack surface beyond what nmap shows. The presence of the Print Spooler UUID (12345678-1234-abcd-ef00-0123456789ab) on a DC is relevant for PrinterBug / SpoolSample exploitation if any authenticated account can be obtained.
  • SID brute-forcing against IPC$ null sessions can map local and domain groups even when enum4linux returns no domain users — useful for building a target list for password sprays or kerbrute.