Playground
Overview
Playground is a hard Windows Active Directory box. The session documented
here is primarily an enumeration exercise: the notes cover SMB null-session
testing, kerbrute username enumeration, RPC endpoint mapping, and share
discovery, but do not reach initial access. The domain is playground.htb,
with the domain controller at 10.129.231.63 (the address targeted throughout
these notes).
Path (partial): SMB null session → share enumeration → backup/web shares → (foothold not reached in this session)
Enumeration
The initial scan confirms a Windows DC fingerprint — DNS, Kerberos, LDAP, SMB, and RPC on the standard domain controller ports.


The domain name is confirmed as playground.htb.
SMB Enumeration
enum4linux with no credentials fails to enumerate domain users:

A null session to IPC$ is possible:


Supplying % as the username to enum4linux allows more extensive
enumeration, though the users it returns are local accounts rather than
domain accounts:

Username Enumeration
Kerbrute against the domain controller starts returning a very large list of valid users:


The enumeration is stopped because of the volume of results; the box likely has a broad AD user base and needs a targeted approach rather than a full wordlist run.
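A kerbrute run of this size leaves a distinctive trace on the DC: a burst of Event ID 4768 (TGT requested) failures with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), one per non-existent username, all from the same client address. The following detection is an added example, not part of the original notes; the event records are constructed to mimic a SIEM export of 4768 events, and the field names (time, event_id, account, client_ip, result) are assumptions about that export format.

```python
"""Flag Kerberos username-enumeration bursts in exported Security-log events.

Added example (not from the writeup). Input is a list of dicts modelled on
Event ID 4768 records; field names are assumptions about the export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one enumerating host (10.10.14.5), one user making two
# typos over half an hour, and one host repeating the same wrong name.
# result 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN, 0x0 = TGT issued.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "event_id": 4768, "account": "aaron", "client_ip": "10.10.14.5", "result": "0x6"},
    {"time": "2024-01-01T10:00:01", "event_id": 4768, "account": "abby", "client_ip": "10.10.14.5", "result": "0x6"},
    {"time": "2024-01-01T10:00:02", "event_id": 4768, "account": "abel", "client_ip": "10.10.14.5", "result": "0x6"},
    {"time": "2024-01-01T10:00:03", "event_id": 4768, "account": "abraham", "client_ip": "10.10.14.5", "result": "0x6"},
    {"time": "2024-01-01T10:00:04", "event_id": 4768, "account": "adam", "client_ip": "10.10.14.5", "result": "0x6"},
    {"time": "2024-01-01T10:00:05", "event_id": 4768, "account": "adrian", "client_ip": "10.10.14.5", "result": "0x6"},
    {"time": "2024-01-01T10:00:06", "event_id": 4768, "account": "administrator", "client_ip": "10.10.14.5", "result": "0x0"},
    # benign: two mistyped names 30 minutes apart, then a successful logon
    {"time": "2024-01-01T09:00:00", "event_id": 4768, "account": "jsmith", "client_ip": "10.129.1.20", "result": "0x6"},
    {"time": "2024-01-01T09:30:00", "event_id": 4768, "account": "j.smith", "client_ip": "10.129.1.20", "result": "0x6"},
    {"time": "2024-01-01T09:30:10", "event_id": 4768, "account": "john.smith", "client_ip": "10.129.1.20", "result": "0x0"},
    # benign: a misconfigured service retrying one non-existent account
    {"time": "2024-01-01T11:00:00", "event_id": 4768, "account": "svc_old", "client_ip": "10.129.1.21", "result": "0x6"},
    {"time": "2024-01-01T11:00:10", "event_id": 4768, "account": "svc_old", "client_ip": "10.129.1.21", "result": "0x6"},
    {"time": "2024-01-01T11:00:20", "event_id": 4768, "account": "svc_old", "client_ip": "10.129.1.21", "result": "0x6"},
    {"time": "2024-01-01T11:00:30", "event_id": 4768, "account": "svc_old", "client_ip": "10.129.1.21", "result": "0x6"},
    {"time": "2024-01-01T11:00:40", "event_id": 4768, "account": "svc_old", "client_ip": "10.129.1.21", "result": "0x6"},
]


def _parse_time(value):
    return datetime.fromisoformat(value)


def detect_user_enumeration(events, window=timedelta(seconds=60), min_unknown=5):
    """Return {client_ip: sorted list of probed non-existent names} for every
    source that asked for >= min_unknown *distinct* unknown principals inside
    any `window`-long span. Repeating one bad name does not count, which keeps
    a stuck service account from tripping the rule."""
    by_ip = defaultdict(list)
    for event in events:
        if event["event_id"] == 4768 and event["result"].lower() == "0x6":
            by_ip[event["client_ip"]].append((_parse_time(event["time"]), event["account"].lower()))

    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        flagged = False
        for end in range(len(attempts)):
            # slide the left edge until the span fits inside the window
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {name for _, name in attempts[start:end + 1]}
            if len(distinct) >= min_unknown:
                flagged = True
                break
        if flagged:
            alerts[ip] = sorted({name for _, name in attempts})
    return alerts


if __name__ == "__main__":
    for ip, names in detect_user_enumeration(SAMPLE_EVENTS).items():
        print(f"possible username enumeration from {ip}: {len(names)} unknown principals, e.g. {names[:3]}")
```

The rule keys on distinct unknown principals rather than raw failure counts, so a service retrying one dead account is not flagged while a wordlist run is. Tune `window` and `min_unknown` to the domain's normal typo rate, and pair it with the successful 4768 that follows (valid names found by the same source) when building the alert context.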
RPC Endpoint Mapping
impacket-rpcmap enumerates the exposed RPC interfaces; the output is
extensive but highlights several interesting interfaces:
$ impacket-rpcmap ncacn_ip_tcp:10.129.231.63
The RPC endpoint mapper is then scanned with Metasploit’s
auxiliary/scanner/dcerpc/endpoint_mapper module for a more structured view.
Notable endpoints include:
- 12345678-1234-abcd-ef00-0123456789ab: the spoolss (Print Spooler) UUID, which the Potato family of exploits targets
- e3514235-4b06-11d1-ab04-00c04fc2dcd2: MS NT Directory DRS Interface (used by DCSync)
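From the defending side, the same endpoint-mapper dump is an inventory of what the DC exposes, and the two UUIDs above are the ones worth acting on first: the Spooler should not be running on a domain controller, and replication rights behind drsuapi should be audited. The parser below is an added example, not part of the original notes or of impacket; the sample text is constructed and only loosely modelled on impacket-rpcmap's output format, and the samr/lsarpc UUIDs come from Microsoft's protocol documentation rather than from the writeup.

```python
"""Parse an rpcmap-style interface listing and flag interfaces a DC owner should review.

Added example (not from the writeup and not impacket code). The sample text is
constructed; real rpcmap output differs in layout, which is why the parser
keys only on the "Protocol:", "Provider:" and "UUID" lines.
"""
import re

# Interfaces to review. The first two UUIDs are the ones called out in the
# notes; samr and lsarpc are added here from Microsoft's MS-SAMR / MS-LSAT docs.
INTERFACES_OF_INTEREST = {
    "12345678-1234-abcd-ef00-0123456789ab": (
        "spoolss",
        "Print Spooler is listening; disable the Spooler service on domain controllers "
        "unless it is genuinely required (coercion surface for PrinterBug/SpoolSample).",
    ),
    "e3514235-4b06-11d1-ab04-00c04fc2dcd2": (
        "drsuapi",
        "Directory replication interface, expected on a DC; audit who holds replication "
        "rights and alert on Event 4662 replication access from non-DC accounts (DCSync).",
    ),
    "12345778-1234-abcd-ef00-0123456789ac": (
        "samr",
        "Account database interface; restrict remote SAM calls (RestrictRemoteSam) and "
        "make sure null sessions cannot query it.",
    ),
    "12345778-1234-abcd-ef00-0123456789ab": (
        "lsarpc",
        "LSA interface used for SID lookups; the path behind null-session SID brute forcing.",
    ),
}

# Constructed sample listing (three interfaces, rpcmap-like layout).
SAMPLE_RPCMAP_OUTPUT = """\
Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0

Protocol: [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol
Provider: ntdsai.dll
UUID    : E3514235-4B06-11D1-AB04-00C04FC2DCD2 v4.0

Protocol: [MS-RPCE]: Endpoint Mapper
Provider: rpcss.dll
UUID    : E1AF8308-5D1F-11C9-91A4-08002B14A0FA v3.0
"""

_PROTOCOL_RE = re.compile(r"^Protocol:\s*(.+?)\s*$")
_PROVIDER_RE = re.compile(r"^Provider:\s*(.+?)\s*$")
_UUID_RE = re.compile(r"^UUID\s*:\s*([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})(?:\s+v([\d.]+))?")


def parse_rpcmap(text):
    """Turn the listing into records; protocol/provider lines apply to the next UUID line."""
    records, protocol, provider = [], None, None
    for line in text.splitlines():
        if m := _PROTOCOL_RE.match(line):
            protocol = m.group(1)
        elif m := _PROVIDER_RE.match(line):
            provider = m.group(1)
        elif m := _UUID_RE.match(line):
            records.append({
                "uuid": m.group(1).lower(),      # normalise case so lookups are stable
                "version": m.group(2),
                "protocol": protocol,
                "provider": provider,
            })
            protocol = provider = None          # each UUID consumes its own header lines
    return records


def flag_interfaces(records):
    """Return {short_name: record + advice} for every interface in the review table."""
    flagged = {}
    for rec in records:
        if rec["uuid"] in INTERFACES_OF_INTEREST:
            name, advice = INTERFACES_OF_INTEREST[rec["uuid"]]
            flagged[name] = {**rec, "advice": advice}
    return flagged


if __name__ == "__main__":
    for name, rec in flag_interfaces(parse_rpcmap(SAMPLE_RPCMAP_OUTPUT)).items():
        print(f"[{name}] {rec['uuid']} v{rec['version']} ({rec['provider']}): {rec['advice']}")
```

Run it against a saved rpcmap or endpoint_mapper dump to get the short review list instead of scrolling the full output; anything not in the table is still parsed, so the table can be extended with whatever interfaces matter in a given environment.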


Share Enumeration
Share enumeration with a null session reveals backup and web shares as
potentially accessible:

SID enumeration via brute force adds additional context:



Additional RPC interface analysis:





Notes
Thin notes, with no foothold reached. The session covers thorough enumeration
through kerbrute, RPC mapping, SID brute-forcing, and share discovery, but
the notes end without authenticating to the box or accessing any of the
identified shares. The backup and web shares are flagged as the most
promising next targets.
Takeaways
- RPC endpoint mapping reveals attack surface beyond what nmap shows. The presence of the Print Spooler UUID (12345678-1234-abcd-ef00-0123456789ab) on a DC is relevant for PrinterBug / SpoolSample exploitation if any authenticated account can be obtained.
- SID brute-forcing against IPC$ null sessions can map local and domain groups even when enum4linux returns no domain users, which is useful for building a target list for password sprays or kerbrute.