Unintended
Unintended is a company that has recently migrated its infrastructure to Active Directory. Management is concerned that legacy practices and overlooked misconfigurations could expose the environment to external threats. Your firm has been contracted to conduct a penetration test, with the objective of determining whether an attacker can move from initial access to full control of the domain.
Unintended provides a hands-on experience with common missteps in Active Directory deployments, demonstrating how attackers can pivot between services to escalate privileges. It blends Linux privilege escalation techniques with Active Directory attack paths, making it a valuable practice ground for both offensive and defensive security practitioners.
Unintended is designed for individuals looking to expand their knowledge of Active Directory exploitation in a Linux-centric environment. It is well-suited for those seeking to understand real-world misconfigurations in hybrid infrastructure.
This Red Team Operator I lab will expose players to:
- Active Directory backup enumeration
- Lateral movement
- Network Pivoting
- Linux privilege escalation
- Backup Forensics
- Web Application attacks
1. Touchdown
1.1. 信息收集
┌──(root㉿kali)-[~/Desktop/htb/Unintended]
└─# nmap 10.13.38.57 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-06 08:33 EST
Nmap scan report for 10.13.38.57
Host is up (0.34s latency).
Not shown: 65521 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 17.29 seconds
┌──(root㉿kali)-[~/Desktop/htb/Unintended]
└─# nmap 10.13.38.58 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-06 08:34 EST
Nmap scan report for 10.13.38.58
Host is up (0.36s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 16.93 seconds
┌──(root㉿kali)-[~/Desktop/htb/Unintended]
└─# nmap 10.13.38.59 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-06 08:34 EST
Nmap scan report for 10.13.38.59
Host is up (0.36s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 21.47 seconds
1.2. FTP
┌──(root㉿kali)-[~/Desktop/htb/Unintended]
└─# ftp 10.13.38.58
Connected to 10.13.38.58.
220 pyftpdlib 1.5.7 ready.
Name (10.13.38.58:root): anonymous
331 Username ok, send password.
Password:
530 Anonymous access not allowed.
ftp: Login failed
ftp>
1.3. SMB
┌──(root㉿kali)-[~/Desktop/htb/Unintended]
└─# nxc smb 10.13.38.57 -u '' -p '' --shares
SMB 10.13.38.57 445 DC [*] Unix - Samba x32 (name:DC) (domain:unintended.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.13.38.57 445 DC [+] unintended.vl\:
SMB 10.13.38.57 445 DC [*] Enumerated shares
SMB 10.13.38.57 445 DC Share Permissions Remark
SMB 10.13.38.57 445 DC ----- ----------- ------
SMB 10.13.38.57 445 DC sysvol
SMB 10.13.38.57 445 DC netlogon
SMB 10.13.38.57 445 DC home Home Directories
SMB 10.13.38.57 445 DC IPC$ IPC Service (Samba 4.15.13-Ubuntu)这里没有可以匿名访问的share,但是是允许匿名登录的
尝试获取一下域内的用户
┌──(root㉿kali)-[~/Desktop/htb/Unintended]
└─# nxc smb 10.13.38.57 -u '' -p '' --rid-brute
SMB 10.13.38.57 445 DC [*] Unix - Samba x32 (name:DC) (domain:unintended.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.13.38.57 445 DC [+] unintended.vl\:
SMB 10.13.38.57 445 DC [-] Error connecting: LSAD SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
rid-brute失败了,应该与系统有关,这里是linux的
┌──(root㉿kali)-[~/Desktop/htb/Unintended]
└─# nxc smb 10.13.38.57 -u '' -p '' --users
SMB 10.13.38.57 445 DC [*] Unix - Samba x32 (name:DC) (domain:unintended.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.13.38.57 445 DC [+] unintended.vl\:
SMB 10.13.38.57 445 DC -Username- -Last PW Set- -BadPW- -Description-
SMB 10.13.38.57 445 DC Administrator 2024-02-24 19:33:16 0 Built-in account for administering the computer/domain
SMB 10.13.38.57 445 DC Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.13.38.57 445 DC krbtgt 2024-02-24 19:33:16 0 Key Distribution Center Service Account
SMB 10.13.38.57 445 DC juan 2024-02-24 19:40:31 0
SMB 10.13.38.57 445 DC abbie 2024-02-24 19:40:32 0
SMB 10.13.38.57 445 DC cartor 2024-02-24 19:40:32 0
SMB 10.13.38.57 445 DC [*] Enumerated 6 local users: UNINTENDED
1.4. web
1.4.1. dirsearch
┌──(root㉿kali)-[~/Desktop/htb/Unintended]
└─# dirsearch -u http://10.13.38.59/ -x 403,404
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/htb/Unintended/reports/http_10.13.38.59/__26-01-06_08-37-49.txt
Target: http://10.13.38.59/
[08:37:49] Starting:
Task Completed
┌──(root㉿kali)-[~/Desktop/htb/Unintended]
└─# dirsearch -u http://10.13.38.59/ -x 403,404
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/htb/Unintended/reports/http_10.13.38.59/__26-01-06_08-37-49.txt
Target: http://10.13.38.59/
[08:37:49] Starting:
Task Completed
┌──(root㉿kali)-[~/Desktop/htb/Unintended]
└─# dirsearch -u http://10.13.38.59/ -x 403,404
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/htb/Unintended/reports/http_10.13.38.59/__26-01-06_08-37-49.txt
Target: http://10.13.38.59/
[08:37:49] Starting:
Task Completed
┌──(root㉿kali)-[~/Desktop/htb/Unintended]
└─# dirsearch -u http://10.13.38.59/ -x 403,404
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/htb/Unintended/reports/http_10.13.38.59/__26-01-06_08-37-49.txt
Target: http://10.13.38.59/
[08:37:49] Starting:
Task Completed
┌──(root㉿kali)-[~/Desktop/htb/Unintended]
└─# dirsearch -u http://10.13.38.59/ -x 403,404
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/htb/Unintended/reports/http_10.13.38.59/__26-01-06_08-37-49.txt
Target: http://10.13.38.59/
[08:37:49] Starting:
Task Completed
┌──(root㉿kali)-[~/Desktop/htb/Unintended]
└─# dirsearch -u http://10.13.38.59/ -x 403,404
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/htb/Unintended/reports/http_10.13.38.59/__26-01-06_08-37-49.txt
Target: http://10.13.38.59/
[08:37:49] Starting:
Task Completed