Hero Image
[HTB] Machine: Control

Control

Enumeration

  • nmap
└─$ nmap -Pn -p- 10.10.10.167 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-30 20:22 BST
Nmap scan report for 10.10.10.167 (10.10.10.167)
Host is up (0.11s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
3306/tcp  open  mysql
49666/tcp open  unknown
49667/tcp open  unknown

└─$ nmap -Pn -p80,135,3306 -sC -sV 10.10.10.167 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-30 20:23 BST
Nmap scan report for 10.10.10.167 (10.10.10.167)
Host is up (0.12s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc   Microsoft Windows RPC
3306/tcp open  mysql?
| fingerprint-strings: 
|   NULL, SIPOptions: 
|_    Host '10.10.16.9' is not allowed to connect to this MariaDB server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94%I=7%D=9/30%Time=6518759C%P=x86_64-pc-linux-gnu%r(NU
SF:LL,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.9'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(SIPOptions,49
SF:,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.9'\x20is\x20not\x20allowed\x20
SF:to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.22 seconds
  • mysql
└─$ mysql -h 10.10.10.167
ERROR 1130 (HY000): Host '10.10.16.9' is not allowed to connect to this MariaDB server
Saturday, September 30, 2023 | 10 minutes Read
Hero Image
[HTB] Machine: Sniper

Sniper

Enumeration

  • nmap
└─$ nmap -Pn -p- 10.10.10.151 -T4                   
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-11 19:59 BST
Stats: 0:17:07 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Nmap scan report for 10.10.10.151
Host is up (0.024s latency).
Not shown: 65530 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49667/tcp open  unknown

└─$ nmap -Pn -p80,135,139,445 -sC -sV 10.10.10.151 -T4
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-11 20:17 BST
Nmap scan report for 10.10.10.151 (10.10.10.151)
Host is up (0.13s latency).

PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Sniper Co.
|_http-server-header: Microsoft-IIS/10.0
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m22s
| smb2-time: 
|   date: 2023-09-12T02:17:13
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
  • smb
└─$ smbclient -N -L //10.10.10.151                                                    
session setup failed: NT_STATUS_ACCESS_DENIED
  • Web Server

Monday, September 11, 2023 | 6 minutes Read
Hero Image
[HTB] Machine: Object

Object

Enumeration

  • nmap
└─$ nmap -Pn -p- 10.10.11.132 -T4                                                          
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-10 09:35 BST
Nmap scan report for 10.10.11.132 (10.10.11.132)
Host is up (0.092s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
5985/tcp open  wsman
8080/tcp open  http-proxy

└─$ nmap -Pn -p80,5985,8080 -sC -sV 10.10.11.132 -T4
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-10 09:38 BST
Nmap scan report for 10.10.11.132 (10.10.11.132)
Host is up (0.11s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Mega Engines
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open  http    Jetty 9.4.43.v20210629
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-server-header: Jetty(9.4.43.v20210629)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.89 seconds
  • Web Server

Friday, September 8, 2023 | 11 minutes Read
Hero Image
[HTB] Machine: Monteverde

Monteverde

Enumeration

  • nmap
└─$ nmap -Pn -p- 10.10.10.172 -T4          
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-02 17:02 BST
Nmap scan report for 10.10.10.172 (10.10.10.172)
Host is up (0.095s latency).
Not shown: 65518 filtered tcp ports (no-response)
PORT      STATE SERVICE
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49676/tcp open  unknown
49697/tcp open  unknown
54886/tcp open  unknown

└─$ nmap -Pn -p88,135,139,389,464,593,636,3268,3269,5985,9389 -sC -sV 10.10.10.172 -T4
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-02 17:38 BST
Nmap scan report for 10.10.10.172 (10.10.10.172)
Host is up (0.16s latency).

PORT     STATE SERVICE      VERSION
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-02 16:37:49Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf       .NET Message Framing
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
|_smb2-time: ERROR: Script execution failed (use -d to debug)
  • smb
  • ldap
└─$ ldapsearch -H ldap://10.10.10.172 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=MEGABANK,DC=LOCAL
namingcontexts: CN=Configuration,DC=MEGABANK,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=MEGABANK,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=MEGABANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Foothold

  • Will dump everything ldapsearch -H ldap://10.10.10.172 -x -b "DC=MEGABANK,DC=LOCAL"
└─$ ldapsearch -H ldap://10.10.10.172 -x -b "DC=MEGABANK,DC=LOCAL" 
# extended LDIF
#
# LDAPv3
# base <DC=MEGABANK,DC=LOCAL> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# MEGABANK.LOCAL
dn: DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=MEGABANK,DC=LOCAL
instanceType: 5
whenCreated: 20200102220515.0Z
whenChanged: 20230902160106.0Z
subRefs: DC=ForestDnsZones,DC=MEGABANK,DC=LOCAL
subRefs: DC=DomainDnsZones,DC=MEGABANK,DC=LOCAL
subRefs: CN=Configuration,DC=MEGABANK,DC=LOCAL
uSNCreated: 4099
dSASignature:: AQAAACgAAAAAAAAAAAAAAAAAAAAAAAAAD3ugOsMvMU+GSt3sotNcxQ==
uSNChanged: 77851
name: MEGABANK
objectGUID:: dF0ZQW9mmEa6eGdQmEH00A==
replUpToDateVector:: AgAAAAAAAAALAAAAAAAAAA97oDrDLzFPhkrd7KLTXMUFcAAAAAAAAHgMH
 xQDAAAAR5FJQrVN102DFng19yhewBEwAQAAAAAAQO0DGwMAAAAwI/VDJY7GTL9LbBrQc6myECABAA
 AAAABJ0GoZAwAAADOghEir6oNEsvEJ9u8wjngKwAAAAAAAALHzHxQDAAAATEU0VTJDIUOpC+muz1W
 GHAzgAAAAAAAAFc0jFAMAAABlUzJYUqlcQa1wRtRT7+pYCbAAAAAAAAAH5x8UAwAAAF7963Yf1ZpM
 jnEppodbjcsOAAEAAAAAAE3OshYDAAAAhz8WkG49/0eslA/vS3oKjgeQAAAAAAAA5BYfFAMAAAAPn
 /fkzuNaRKsJOojPyQTJBoAAAAAAAAA5Ex8UAwAAAKdfSfADqmJLvDeHFzYjcqcL0AAAAAAAALqZIx
 QDAAAASULD+GgHQU+OAWPs7IQ4IQ8QAQAAAAAAYz1oGQMAAAA=
creationTime: 133381440661787842
forceLogoff: -9223372036854775808
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -36288000000000
minPwdAge: -864000000000
minPwdLength: 7
modifiedCountAtLastProm: 0
...

└─$ rpcclient -U "" -N 10.10.10.172  

rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]

rpcclient $> querydispinfo
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2       Name: AAD_987d7f2f57d2  Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos       Name: Dimitris Galanos  Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope  Name: Mike Hope Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary        Name: Ray O'Leary       Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs    Name: SABatchJobs       Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan        Name: Sally Morgan      Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata        Name: svc-ata   Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec      Name: svc-bexec Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp     Name: svc-netapp        Desc: (null)
  • No more information we could retrieve
    • So we might try password spraying using crackmapexec
    • First, we will try using usernames as passwords
      • Then we might need to create different password list using names combinations
└─$ crackmapexec smb 10.10.10.172 -u users.list -p users.list 
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:mhope STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:SABatchJobs STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:svc-ata STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:svc-bexec STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:svc-netapp STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:dgalanos STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:roleary STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:smorgan STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:mhope STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
  • Now let’s enumerate smb
└─$ smbmap -H 10.10.10.172 -u SABatchJobs -p SABatchJobs
[+] IP: 10.10.10.172:445        Name: 10.10.10.172                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        azure_uploads                                           READ ONLY
        C$                                                      NO ACCESS       Default share
        E$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share 
        users$                                                  READ ONLY

└─$ smbmap -H 10.10.10.172 -u SABatchJobs -p SABatchJobs -R users$
[+] IP: 10.10.10.172:445        Name: 10.10.10.172                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        users$                                                  READ ONLY
        .\users$\*
        dr--r--r--                0 Fri Jan  3 13:12:48 2020    .
        dr--r--r--                0 Fri Jan  3 13:12:48 2020    ..
        dr--r--r--                0 Fri Jan  3 13:15:23 2020    dgalanos
        dr--r--r--                0 Fri Jan  3 13:41:18 2020    mhope
        dr--r--r--                0 Fri Jan  3 13:14:56 2020    roleary
        dr--r--r--                0 Fri Jan  3 13:14:28 2020    smorgan
        .\users$\mhope\*
        dr--r--r--                0 Fri Jan  3 13:41:18 2020    .
        dr--r--r--                0 Fri Jan  3 13:41:18 2020    ..
        fw--w--w--             1212 Fri Jan  3 14:59:24 2020    azure.xml
  • Let’s get azure.xml from mhope’s directory
└─$ smbclient -U SABatchJobs //10.10.10.172/users$ --password 'SABatchJobs'
  • azure.xml
    • Looks like we have a password
└─$ cat azure.xml                                            
��<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>
  • Let’s check it via crackmapexec
└─$ crackmapexec smb 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ 

└─$ crackmapexec winrm 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'
SMB         10.10.10.172    5985   MONTEVERDE       [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL)
HTTP        10.10.10.172    5985   MONTEVERDE       [*] http://10.10.10.172:5985/wsman
WINRM       10.10.10.172    5985   MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ (Pwn3d!)
  • We can evil-winrm

Friday, September 1, 2023 | 7 minutes Read
Hero Image
[HTB] Machine: Heist

Heist

Enumeration

  • nmap
└─$ nmap -sC -sV -Pn 10.10.10.149
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-24 10:40 BST
Nmap scan report for 10.10.10.149 (10.10.10.149)
Host is up (0.10s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -30s
| smb2-time: 
|   date: 2023-06-24T09:40:31
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.50 seconds
  • gobuster
└─$ gobuster dir -u http://10.10.10.149 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -x asp,aspx,php
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.149
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              asp,aspx,php
[+] Timeout:                 10s
===============================================================
2023/06/24 11:12:31 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 150] [--> http://10.10.10.149/images/]
/index.php            (Status: 302) [Size: 0] [--> login.php]
/login.php            (Status: 200) [Size: 2058]
/Images               (Status: 301) [Size: 150] [--> http://10.10.10.149/Images/]
/issues.php           (Status: 302) [Size: 16] [--> login.php]
/css                  (Status: 301) [Size: 147] [--> http://10.10.10.149/css/]
/Index.php            (Status: 302) [Size: 0] [--> login.php]
/Login.php            (Status: 200) [Size: 2058]
/js                   (Status: 301) [Size: 146] [--> http://10.10.10.149/js/]
/Issues.php           (Status: 302) [Size: 16] [--> login.php]
/attachments          (Status: 301) [Size: 155] [--> http://10.10.10.149/attachments/]
/IMAGES               (Status: 301) [Size: 150] [--> http://10.10.10.149/IMAGES/]
/INDEX.php            (Status: 302) [Size: 0] [--> login.php]
/CSS                  (Status: 301) [Size: 147] [--> http://10.10.10.149/CSS/]
/JS                   (Status: 301) [Size: 146] [--> http://10.10.10.149/JS/]
/Attachments          (Status: 301) [Size: 155] [--> http://10.10.10.149/Attachments/]
/LogIn.php            (Status: 200) [Size: 2058]
/LOGIN.php            (Status: 200) [Size: 2058]
Progress: 882180 / 882244 (99.99%)
===============================================================
2023/06/24 11:59:05 Finished
===============================================================
  • Web server

Friday, June 23, 2023 | 3 minutes Read