open ports: 53,80,88,135,139,445,464,593,3268,3269,3306,5985,9389,33060,47001,49664,49665,49666,49667,49669,49670,49671,49672,49676,49679,49784

echo "10.129.230.179 analysis.htb dc.analysis.htb" >> /etc/hosts


kerbrute (username enumeration against the DC):
kerbrute userenum -d analysis.htb /usr/share/wordlists/rockyou.txt --dc dc.analysis.htb
2024/01/25 06:33:01 > [+] VALID USERNAME: [email protected]
2024/01/25 06:33:06 > [+] VALID USERNAME: [email protected]
2024/01/25 06:34:17 > [+] VALID USERNAME: [email protected]
2024/01/25 06:34:53 > [+] VALID USERNAME: [email protected]
2024/01/25 06:35:33 > [+] VALID USERNAME: [email protected]
2024/01/25 06:43:06 > [+] VALID USERNAME: [email protected]
2024/01/25 06:43:18 > [+] VALID USERNAME: [email protected]
subdomain scanning:

add internal.analysis.htb to /etc/hosts

git clone https://github.com/maurosoria/dirsearch.git --depth 1
python3 dirsearch.py -u http://internal.analysis.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

found a login page at http://internal.analysis.htb/employees/

under /user