Active

Introduction:
Recon
# Nmap 7.91 scan initiated Fri Jan 1 16:49:57 2021 as: nmap -sS -sV -sC -T4 -O -oN nmap.active.txt 10.10.10.100
WARNING: RST from 10.10.10.100 port 88 -- is this port really open?
Nmap scan report for 10.10.10.100
Host is up (0.015s latency).
Not shown: 986 closed ports
PORT      STATE SERVICE      VERSION
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-01-01 21:58:14Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  tcpwrapped
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8m08s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-01-01T21:59:27
|_  start_date: 2021-01-01T21:57:50

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 1 16:51:22 2021 -- 1 IP address (1 host up) scanned in 84.83 seconds

(py3) eneloop@kinetic:.../hackthebox/active/data$ nmap -n -sV --script "ldap* and not brute" 10.10.10.100
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-02 12:08 EST
Nmap scan report for 10.10.10.100
Host is up (0.015s latency).
Not shown: 983 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-01-02 17:16:56Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
| ldap-rootdse:
| LDAP Results
|   <ROOT>
|       currentTime: 20210102171749.0Z
|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=active,DC=htb
|       dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=active,DC=htb
|       namingContexts: DC=active,DC=htb
|       namingContexts: CN=Configuration,DC=active,DC=htb
|       namingContexts: CN=Schema,CN=Configuration,DC=active,DC=htb
|       namingContexts: DC=DomainDnsZones,DC=active,DC=htb
|       namingContexts: DC=ForestDnsZones,DC=active,DC=htb
|       defaultNamingContext: DC=active,DC=htb
|       schemaNamingContext: CN=Schema,CN=Configuration,DC=active,DC=htb
|       configurationNamingContext: CN=Configuration,DC=active,DC=htb
|       rootDomainNamingContext: DC=active,DC=htb
|       supportedControl: 1.2.840.113556.1.4.319
|       supportedControl: 1.2.840.113556.1.4.801
|       supportedControl: 1.2.840.113556.1.4.473
|       supportedControl: 1.2.840.113556.1.4.528
|       supportedControl: 1.2.840.113556.1.4.417
|       supportedControl: 1.2.840.113556.1.4.619
|       supportedControl: 1.2.840.113556.1.4.841
|       supportedControl: 1.2.840.113556.1.4.529
|       supportedControl: 1.2.840.113556.1.4.805
|       supportedControl: 1.2.840.113556.1.4.521
|       supportedControl: 1.2.840.113556.1.4.970
|       supportedControl: 1.2.840.113556.1.4.1338
|       supportedControl: 1.2.840.113556.1.4.474
|       supportedControl: 1.2.840.113556.1.4.1339
|       supportedControl: 1.2.840.113556.1.4.1340
|       supportedControl: 1.2.840.113556.1.4.1413
|       supportedControl: 2.16.840.1.113730.3.4.9
|       supportedControl: 2.16.840.1.113730.3.4.10
|       supportedControl: 1.2.840.113556.1.4.1504
|       supportedControl: 1.2.840.113556.1.4.1852
|       supportedControl: 1.2.840.113556.1.4.802
|       supportedControl: 1.2.840.113556.1.4.1907
|       supportedControl: 1.2.840.113556.1.4.1948
|       supportedControl: 1.2.840.113556.1.4.1974
|       supportedControl: 1.2.840.113556.1.4.1341
|       supportedControl: 1.2.840.113556.1.4.2026
|       supportedControl: 1.2.840.113556.1.4.2064
|       supportedControl: 1.2.840.113556.1.4.2065
|       supportedControl: 1.2.840.113556.1.4.2066
|       supportedLDAPVersion: 3
|       supportedLDAPVersion: 2
|       supportedLDAPPolicies: MaxPoolThreads
|       supportedLDAPPolicies: MaxDatagramRecv
|       supportedLDAPPolicies: MaxReceiveBuffer
|       supportedLDAPPolicies: InitRecvTimeout
|       supportedLDAPPolicies: MaxConnections
|       supportedLDAPPolicies: MaxConnIdleTime
|       supportedLDAPPolicies: MaxPageSize
|       supportedLDAPPolicies: MaxQueryDuration
|       supportedLDAPPolicies: MaxTempTableSize
|       supportedLDAPPolicies: MaxResultSetSize
|       supportedLDAPPolicies: MinResultSets
|       supportedLDAPPolicies: MaxResultSetsPerConn
|       supportedLDAPPolicies: MaxNotificationPerConn
|       supportedLDAPPolicies: MaxValRange
|       supportedLDAPPolicies: ThreadMemoryLimit
|       supportedLDAPPolicies: SystemMemoryLimitPercent
|       highestCommittedUSN: 90226
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|       dnsHostName: DC.active.htb
|       ldapServiceName: active.htb:[email protected]
|       serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=active,DC=htb
|       supportedCapabilities: 1.2.840.113556.1.4.800
|       supportedCapabilities: 1.2.840.113556.1.4.1670
|       supportedCapabilities: 1.2.840.113556.1.4.1791
|       supportedCapabilities: 1.2.840.113556.1.4.1935
|       supportedCapabilities: 1.2.840.113556.1.4.2080
|       isSynchronized: TRUE
|       isGlobalCatalogReady: TRUE
|       domainFunctionality: 4
|       forestFunctionality: 4
|_      domainControllerFunctionality: 4
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: DC; OSs: Windows, Windows 2008 R2; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.82 seconds

Enumeration
eneloop@kinetic:.../lab/hackthebox/active$ smbmap -H 10.10.10.100
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
        Disk                 Permissions     Comment
        ----                 -----------     -------
        ADMIN$               NO ACCESS       Remote Admin
        C$                   NO ACCESS       Default share
        IPC$                 NO ACCESS       Remote IPC
        NETLOGON             NO ACCESS       Logon server share
        Replication          READ ONLY
        SYSVOL               NO ACCESS       Logon server share
        Users                NO ACCESS
eneloop@kinetic:.../lab/hackthebox/active$ smbclient //10.10.10.100/Replication
Enter WORKGROUP\eneloop's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  active.htb                          D        0  Sat Jul 21 06:37:44 2018

[+] Got OS info for 10.10.10.100 from srvinfo:
        10.10.10.100   Wk Sv PDC Tim NT     Domain Controller
        platform_id     :       500
        os version      :       6.1
        server type     :       0x80102b

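The enumeration above turns on one fact: a null session can read the custom Replication share while every built-in share is closed. The following is an added audit helper, not part of this writeup, that parses an smbmap share listing (the sample is the listing above, re-typed) and rates each share a null session can reach; the permission strings and severity rules are assumptions, not smbmap's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the smbmap -H listing from the Enumeration section, re-typed.
SMBMAP_OUTPUT = """\
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
        Disk                 Permissions     Comment
        ----                 -----------     -------
        ADMIN$               NO ACCESS       Remote Admin
        C$                   NO ACCESS       Default share
        IPC$                 NO ACCESS       Remote IPC
        NETLOGON             NO ACCESS       Logon server share
        Replication          READ ONLY
        SYSVOL               NO ACCESS       Logon server share
        Users                NO ACCESS
"""

# Shares Windows creates itself; anonymous access to any of them is always a finding.
BUILTIN_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL"}

# One share per row; the four permission strings are the ones smbmap prints
# (assumption: wording unchanged in the smbmap version that produced the listing).
SHARE_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<perms>NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)\s*(?P<comment>.*)$"
)

@dataclass
class Share:
    name: str
    perms: str
    comment: str

def parse_smbmap(text: str) -> list:
    """Extract share rows; the banner, header and separator lines do not match."""
    return [Share(m["name"], m["perms"], m["comment"].strip())
            for m in map(SHARE_RE.match, text.splitlines()) if m]

def null_session_findings(shares: list) -> list:
    """(name, perms, severity) for every share a null session can reach.
    Write access or an exposed built-in share is high; anonymous read of a custom
    share such as Replication is medium and its contents should be reviewed."""
    findings = []
    for s in shares:
        if s.perms == "NO ACCESS":
            continue
        high = "WRITE" in s.perms or s.name in BUILTIN_SHARES
        findings.append((s.name, s.perms, "high" if high else "medium"))
    return findings
```

On the sample, `null_session_findings(parse_smbmap(SMBMAP_OUTPUT))` returns a single medium finding for Replication; feed it the output of a fresh `smbmap -H` run to re-check a host after tightening share ACLs.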
Exploitation
Post-exploit/PrivEsc
Notes: