Resolute
10.10.10.169, Windows machine.

Background

Target machine: 10.10.10.169
Attacking (Hacker) machine: 10.10.14.4

Penetration Methodology

Service Scanning

    Nmap

Enumeration

    Enum4linux
    nmap -p 389 --script ldap-search
    SMBClient
    SMBMap
    nmap --script smb-enum-search
    rpcclient

Exploitation

    msfvenom
    dnscmd

Hacking Process Part 1 – Service Scanning

1.1 Quick Preliminary Scan

$ nmap 10.10.10.169 -oN nmap-htb-resolute-base.txt
<user@host>:~/Documents/ctf/htb/windows/09_resolute# nmap -sV -p 53 88 135 139 389 445 464 593 636 3268 3269 -A -vvv -oN nmap-htb-resolute-detail.txt 10.10.10.169

Note that nmap takes only the token right after -p (here 53) as the port list; every other bare number on the command line is parsed as a target, and a bare integer target is read as an IPv4 address in integer form (88 is 0.0.0.88, 389 is 0.0.1.133). That is why the output below covers 11 addresses, finds only 53/tcp on 10.10.10.169, and cannot fingerprint the OS for lack of a closed port. The intended form is -p 53,88,135,139,389,445,464,593,636,3268,3269.
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 15:25 HKT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:25
Completed NSE at 15:25, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:25
Completed NSE at 15:25, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:25
Completed NSE at 15:25, 0.00s elapsed
Initiating Ping Scan at 15:25
Scanning 10 hosts [4 ports/host]
Completed Ping Scan at 15:25, 9.06s elapsed (10 total hosts)
Nmap scan report for 88 (0.0.0.88) [host down, received no-response]
Nmap scan report for 135 (0.0.0.135) [host down, received no-response]
Nmap scan report for 139 (0.0.0.139) [host down, received no-response]
Nmap scan report for 389 (0.0.1.133) [host down, received no-response]
Nmap scan report for 445 (0.0.1.189) [host down, received no-response]
Nmap scan report for 464 (0.0.1.208) [host down, received no-response]
Nmap scan report for 593 (0.0.2.81) [host down, received no-response]
Nmap scan report for 636 (0.0.2.124) [host down, received no-response]
Nmap scan report for 3268 (0.0.12.196) [host down, received no-response]
Nmap scan report for 3269 (0.0.12.197) [host down, received no-response]
Initiating Ping Scan at 15:25
Scanning 10.10.10.169 [4 ports]
Completed Ping Scan at 15:25, 0.30s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:25
Completed Parallel DNS resolution of 1 host. at 15:25, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:25
Scanning 10.10.10.169 [1 port]
Discovered open port 53/tcp on 10.10.10.169
Completed SYN Stealth Scan at 15:25, 0.51s elapsed (1 total ports)
Initiating Service scan at 15:25
Scanning 1 service on 10.10.10.169
Completed Service scan at 15:25, 10.98s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 10.10.10.169
WARNING: RST from 10.10.10.169 port 53 -- is this port really open?
WARNING: RST from 10.10.10.169 port 53 -- is this port really open?
WARNING: RST from 10.10.10.169 port 53 -- is this port really open?
WARNING: RST from 10.10.10.169 port 53 -- is this port really open?
Retrying OS detection (try #2) against 10.10.10.169
Initiating Traceroute at 15:26
Completed Traceroute at 15:26, 0.66s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 15:26
Completed Parallel DNS resolution of 2 hosts. at 15:26, 0.17s elapsed
DNS resolution of 2 IPs took 0.17s. Mode: Async [#: 1, OK: 0, NX: 2, DR: 0, SF: 0, TR: 2, CN: 0]
NSE: Script scanning 10.10.10.169.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:26
Completed NSE at 15:26, 17.63s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:26
Completed NSE at 15:26, 3.06s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:26
Completed NSE at 15:26, 0.00s elapsed
Nmap scan report for 10.10.10.169
Host is up, received reset ttl 127 (0.39s latency).
Scanned at 2020-02-27 15:25:47 HKT for 38s

PORT   STATE SERVICE REASON         VERSION
53/tcp open  domain? syn-ack ttl 127
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (93%), Microsoft Windows 10 (93%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.80%E=4%D=2/27%OT=53%CT=%CU=36533%PV=Y%DS=2%DC=T%G=N%TM=5E576F21%P=x86_64-pc-linux-gnu)
SEQ(CI=RD%II=I)
SEQ(SP=106%GCD=1%ISR=105%TI=I%CI=I%II=I%SS=S%TS=A)
OPS(O1=%O2=%O3=%O4=%O5=M54DNW8ST11%O6=M54DST11)
WIN(W1=0%W2=0%W3=0%W4=0%W5=2000%W6=2000)
ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%T=80%S=Z%A=S+%F=AR%RD=0%Q=)
T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)
T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=80%CD=Z)

Uptime guess: 0.026 days (since Thu Feb 27 14:48:34 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   227.42 ms 10.10.14.1
2   651.46 ms 10.10.10.169

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:26
Completed NSE at 15:26, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:26
Completed NSE at 15:26, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:26
Completed NSE at 15:26, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 11 IP addresses (1 host up) scanned in 47.92 seconds
Raw packets sent: 128 (6.556KB) | Rcvd: 65 (4.256KB)
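Added here as an example, not part of the original writeup: a POSIX sh helper that reproduces how nmap reads the stray numbers in the command above as integer-form IPv4 targets, and that validates and joins a port list into a single -p argument so the detail scan actually covers every port. The function names (int_as_ipv4, nmap_port_spec, build_nmap_cmd) are my own; the script only prints the corrected command and does not run nmap.

```sh
#!/bin/sh
# Added example (not from the writeup). nmap takes only the token after -p as
# the port list; each following bare number becomes a target, and a bare
# integer target is an IPv4 address in integer form (389 -> 0.0.1.133), which
# is exactly what the "host down" lines in the scan report show.

# int_as_ipv4 N: render a bare integer the way nmap resolves it as a target.
int_as_ipv4() {
    n=$1
    case $n in ''|*[!0-9]*) return 1 ;; esac
    [ "$n" -le 4294967295 ] || return 1
    printf '%d.%d.%d.%d\n' \
        $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
        $(( (n >> 8) & 255 ))  $(( n & 255 ))
}

# nmap_port_spec P1 P2 ...: join ports into one comma-separated -p argument,
# rejecting anything that is not a valid TCP/UDP port number (1-65535).
nmap_port_spec() {
    spec=""
    for p in "$@"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
        spec="${spec:+$spec,}$p"
    done
    [ -n "$spec" ] || return 1
    printf '%s\n' "$spec"
}

# build_nmap_cmd TARGET P1 P2 ...: print (never execute) the corrected
# detail-scan command with every port in a single -p list.
build_nmap_cmd() {
    target=$1
    shift
    spec=$(nmap_port_spec "$@") || return 1
    printf 'nmap -sV -A -vvv -p %s -oN nmap-htb-resolute-detail.txt %s\n' \
        "$spec" "$target"
}

# Demonstration on the values from the scan above.
int_as_ipv4 389      # prints 0.0.1.133, matching the report line for "389"
build_nmap_cmd 10.10.10.169 53 88 135 139 389 445 464 593 636 3268 3269
```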