smbclient -L //10.10.10.161 -N
No null session shares.
Try LDAP enumeration:
ldapsearch -H ldap://10.10.10.161 -x -s base namingcontexts
Find domain: DC=htb,DC=local
In a default Active Directory environment, a user must provide a password to get a Kerberos Ticket Granting Ticket (TGT). However, if a user has the property "Do not require Kerberos preauthentication" enabled, anyone can ask the KDC (Key Distribution Center) for encrypted data related to that user without authentication. forest hackthebox walkthrough best
This attack is known as AS-REP Roasting. smbclient -L //10
ldapsearch -x -H ldap://10.10.10.161 -b "dc=htb,dc=local"
# Dumped domain info: domain = htb.local
Visiting http://10.10.10.74:8080 reveals a web application that appears to be a simple file manager. Further exploration leads to the discovery of a robots.txt file and a potential directory traversal vulnerability. No null session shares