10.10.10.161¶
Recon¶
Port Scan¶
There were a lot of filtered ports included in the nmap results...I grepped for just the open ports to avoid the signal in the noise issue.
PORT STATE SERVICE REASON VERSION
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-02-03 16:58:07Z) 135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn 389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name) 464/tcp open kpasswd5? syn-ack ttl 127 593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped syn-ack ttl 127 3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped syn-ack ttl 127 5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing 47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49671/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49676/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0 49677/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49684/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49944/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 (93%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%)
This one also appears to be an AD machine.
Enumerate attack surface¶
This one is also running Active Directory - 88: Kerberos - 389: ldap - 636: ldaps
SMB? - 139: Netbios-ssn - Anon login - Nope - Various ports serving RPC
Other - 464: kpasswd5? - A service for changing LDAP passwords!? - 593: ncacn_http - RPC over HTTP 1.0 - 9389: mc-nmf - .NET Message Framing
Web: - 5985: Microsoft HTTPAPI httpd 2.0 - WinRM? - check manual commands. - 47001: Microsoft HTTPAPI httpd 2.0
Enum4linux did a great job on this one! Got a bunch of details about users. Here is a list of users with enabled accounts:
- All the
HealthMailboxuserslucindaAdministratorsebastiensantisvc-alfrescomarkandy
Public exploits¶
Didn't find any.
Maybe I can brute force the users
crackmapexec winrm 10.10.10.161 -d htb.local -u users.txt -p /usr/share/seclists/Passwords/darkweb2017-top100.txt
The domain is htb.local