Hackthebox: Scrambled

As with any HTB machine, we begin with a standard nmap scan.

./kerbrute userenum --domain scrambled.htb users.txt -dc-ip 10.10.11.168 scrambled hackthebox

This binary does not have a manual page. Running it with --help shows it expects an input file. It "scrambles" the contents using a proprietary algorithm (likely XOR or RC4 based on a key found elsewhere on the system). As with any HTB machine, we begin with a standard nmap scan

*/2 * * * * root /usr/local/bin/scramble_engine /opt/scrambled/incoming/request.bin > /opt/scrambled/outgoing/response.enc As with any HTB machine

evil-winrm -i 10.10.11.168 -u user -p password

Kerberoasting, NTLM Relay, MSSQL Impersonation, Silver Tickets. 1. Enumeration & Initial Access