Active

OS: Windows, Difficulty: Easy, IP: 10.10.10.100

Initial Enumeration

# Nmap 7.70 scan initiated Fri Jul 26 15:34:45 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,38446,47001 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.22s latency).

PORT      STATE  SERVICE       VERSION
53/tcp    open   domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open   kerberos-sec  Microsoft Windows Kerberos (server time: 2019-07-26 09:58:04Z)
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open   ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open   microsoft-ds?
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open   tcpwrapped
3268/tcp  open   ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open   tcpwrapped
5722/tcp  open   msrpc         Microsoft Windows RPC
9389/tcp  open   mc-nmf        .NET Message Framing
38446/tcp closed unknown
47001/tcp open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -6m50s, deviation: 0s, median: -6m50s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2019-07-26 15:29:12
|_  start_date: 2019-07-26 15:19:25

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   222.63 ms 10.10.14.1
2   222.77 ms 10.10.10.100

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 26 15:38:02 2019 -- 1 IP address (1 host up) scanned in 197.65 seconds

Fetch the Groups.xml file and decrypt its cpassword value to obtain the credentials of the SVC_TGS user.
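
As an added audit example (not part of this writeup), the following Python walks a SYSVOL-style tree and reports every Group Policy Preference file that still carries a cpassword attribute, which is the weakness behind the Groups.xml step above; the SYSVOL layout, policy folder names and account names are constructed samples.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP XML files that may carry cpassword, mapped to the attribute naming the affected account.
GPP_FILES = {"Groups.xml": "userName", "Services.xml": "accountName", "ScheduledTasks.xml": "runAs",
             "DataSources.xml": "username", "Drives.xml": "userName", "Printers.xml": "userName"}

def audit_gpp_file(path):
    """Return one finding per <Properties> element in a GPP file that carries a cpassword attribute."""
    account_attr = GPP_FILES.get(os.path.basename(path), "userName")
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return []  # unreadable or malformed policy file: skip it rather than abort the audit
    findings = []
    for item in root.iter():  # the <User>, <Drive>, <Task>... element carries the "changed" timestamp
        for props in item.findall("Properties"):
            cpassword = props.get("cpassword")
            if cpassword is not None:  # "" means the password was cleared but the attribute left behind
                findings.append({"file": path, "account": props.get(account_attr, "?"),
                                 "changed": item.get("changed", "?"), "empty": cpassword == ""})
    return findings

def audit_sysvol(sysvol_dir):
    """Walk a SYSVOL-style tree and collect cpassword findings from every GPP file in it."""
    return [f for d, _, files in os.walk(sysvol_dir) for n in files if n in GPP_FILES
            for f in audit_gpp_file(os.path.join(d, n))]

# Constructed sample policies (not the box's files): one stored credential, one cleared password.
SAMPLES = {
    "Policies/{GPO-A}/Machine/Preferences/Groups/Groups.xml": """<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="svc_example" changed="2018-07-18 20:46:06">
<Properties action="U" userName="svc_example" cpassword="CONSTRUCTED-NOT-A-REAL-BLOB=="/></User></Groups>""",
    "Policies/{GPO-B}/User/Preferences/Drives/Drives.xml": """<Drives><Drive name="S:" changed="2019-01-02 10:00:00">
<Properties action="U" path="\\\\dc\\share" userName="backup" cpassword=""/></Drive></Drives>"""}

def build_sample_sysvol():
    """Write the constructed samples into a temporary SYSVOL layout and return its path."""
    base = Path(tempfile.mkdtemp(prefix="sysvol_"))
    for rel, body in SAMPLES.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_text(body, encoding="utf-8")
    return str(base)

if __name__ == "__main__":
    for f in audit_sysvol(build_sample_sysvol()):
        state = "stale empty cpassword" if f["empty"] else "STORED CREDENTIAL"
        print(f"{state}: account={f['account']} changed={f['changed']} file={f['file']}")
```

Point `audit_sysvol` at a copy of the domain's SYSVOL share to list every policy that still embeds a credential; the `changed` timestamp shows how long the entry has been exposed.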

Used hashcat to crack the TGS hash. The password for the Administrator user is Ticketmaster1968.

User Own

Root Own

Learning Outcome

This was a fun box; it taught me new things about Windows AD testing, hashcat, and the PsExec attack.
