Resolute

10.10.10.169, Windows machine.

Last updated 4 years ago

Background

Target machine: 10.10.10.169

Attacking (Hacker) machine: 10.10.14.4

Penetrating Methodology

Service Scanning
  • Nmap

Enumeration
  • Enum4linux
  • nmap -p 389 --script ldap-search
  • SMBClient
  • SMBMap
  • nmap --script smb-enum-search
  • rpcclient

Exploitation
  • msfvenom
  • dnscmd

Hacking Process Part 1 – Service Scanning

1.1 Quick Preliminary Scan

$ nmap 10.10.10.169 -oN nmap-htb-resolute-base.txt
root@kclai:~/Documents/ctf/htb/windows/09_resolute# nmap -sV -p 53 88 135 139 389 445 464 593 636 3268 3269 -A -vvv -oN nmap-htb-resolute-detail.txt 10.10.10.169
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 15:25 HKT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:25
Completed NSE at 15:25, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:25
Completed NSE at 15:25, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:25
Completed NSE at 15:25, 0.00s elapsed
Initiating Ping Scan at 15:25
Scanning 10 hosts [4 ports/host]
Completed Ping Scan at 15:25, 9.06s elapsed (10 total hosts)
Nmap scan report for 88 (0.0.0.88) [host down, received no-response]
Nmap scan report for 135 (0.0.0.135) [host down, received no-response]
Nmap scan report for 139 (0.0.0.139) [host down, received no-response]
Nmap scan report for 389 (0.0.1.133) [host down, received no-response]
Nmap scan report for 445 (0.0.1.189) [host down, received no-response]
Nmap scan report for 464 (0.0.1.208) [host down, received no-response]
Nmap scan report for 593 (0.0.2.81) [host down, received no-response]
Nmap scan report for 636 (0.0.2.124) [host down, received no-response]
Nmap scan report for 3268 (0.0.12.196) [host down, received no-response]
Nmap scan report for 3269 (0.0.12.197) [host down, received no-response]
Initiating Ping Scan at 15:25
Scanning 10.10.10.169 [4 ports]
Completed Ping Scan at 15:25, 0.30s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:25
Completed Parallel DNS resolution of 1 host. at 15:25, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:25
Scanning 10.10.10.169 [1 port]
Discovered open port 53/tcp on 10.10.10.169
Completed SYN Stealth Scan at 15:25, 0.51s elapsed (1 total ports)
Initiating Service scan at 15:25
Scanning 1 service on 10.10.10.169
Completed Service scan at 15:25, 10.98s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 10.10.10.169
WARNING: RST from 10.10.10.169 port 53 -- is this port really open?
WARNING: RST from 10.10.10.169 port 53 -- is this port really open?
WARNING: RST from 10.10.10.169 port 53 -- is this port really open?
WARNING: RST from 10.10.10.169 port 53 -- is this port really open?
Retrying OS detection (try #2) against 10.10.10.169
Initiating Traceroute at 15:26
Completed Traceroute at 15:26, 0.66s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 15:26
Completed Parallel DNS resolution of 2 hosts. at 15:26, 0.17s elapsed
DNS resolution of 2 IPs took 0.17s. Mode: Async [#: 1, OK: 0, NX: 2, DR: 0, SF: 0, TR: 2, CN: 0]
NSE: Script scanning 10.10.10.169.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:26
Completed NSE at 15:26, 17.63s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:26
Completed NSE at 15:26, 3.06s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:26
Completed NSE at 15:26, 0.00s elapsed
Nmap scan report for 10.10.10.169
Host is up, received reset ttl 127 (0.39s latency).
Scanned at 2020-02-27 15:25:47 HKT for 38s

PORT   STATE SERVICE REASON          VERSION
53/tcp open  domain? syn-ack ttl 127
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (93%), Microsoft Windows 10 (93%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:


Uptime guess: 0.026 days (since Thu Feb 27 14:48:34 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   227.42 ms 10.10.14.1
2   651.46 ms 10.10.10.169

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:26
Completed NSE at 15:26, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:26
Completed NSE at 15:26, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:26
Completed NSE at 15:26, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 11 IP addresses (1 host up) scanned in 47.92 seconds
           Raw packets sent: 128 (6.556KB) | Rcvd: 65 (4.256KB)
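Note what the detailed scan above actually did: the port list was given with spaces (-p 53 88 135 ...), so nmap took only 53 as the port and treated 88, 135, 389 and the rest as extra targets, which is why it reports eleven addresses and lists 0.0.0.88, 0.0.1.133 and friends as down (-p wants a comma-separated list, -p 53,88,135,...). The Python below is an added example, not code from the writeup: it parses nmap's normal (-oN) output into a per-host table and flags targets inside 0.0.0.0/8 as the signature of exactly that mistake, so a mis-scoped scan is caught before anyone trusts the results. The sample lines are constructed from the output above, not the whole dump.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on a few lines of the -oN output above (not the full dump).
SAMPLE_OUTPUT = """\
Nmap scan report for 88 (0.0.0.88) [host down, received no-response]
Nmap scan report for 445 (0.0.1.189) [host down, received no-response]
Discovered open port 53/tcp on 10.10.10.169
Nmap scan report for 10.10.10.169
Host is up, received reset ttl 127 (0.39s latency).
PORT   STATE SERVICE REASON          VERSION
53/tcp open  domain? syn-ack ttl 127
Nmap done: 11 IP addresses (1 host up) scanned in 47.92 seconds
"""

# "Nmap scan report for <target> (<ip>) [host down, ...]"; the (<ip>) and [...] parts are optional.
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?(?: \[host down[^\]]*\])?$")
# Port table rows such as "53/tcp open  domain? syn-ack ttl 127".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
DONE_RE = re.compile(r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\)")

def parse_nmap_normal(text):
    """Return ({ip: {"up": bool, "ports": [(port, proto, state, service), ...]}}, (scanned, up))."""
    hosts, current, totals = {}, None, (0, 0)
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            ip = m.group(2) or m.group(1)  # prefer the bracketed IP over the target as typed
            current = hosts.setdefault(ip, {"up": "[host down" not in line, "ports": []})
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            current["ports"].append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = DONE_RE.match(line)
        if m:
            totals = (int(m.group(1)), int(m.group(2)))
    return hosts, totals

def suspicious_port_targets(hosts):
    """Targets that were probably port numbers typed as hosts (a space-separated -p list):
    nmap reads a bare integer such as 88 as the address 0.0.0.88, which lands in 0.0.0.0/8."""
    return sorted(ip for ip in hosts if ip_address(ip) in ip_network("0.0.0.0/8"))

def open_ports(hosts, ip):
    """Open (port, proto, service) tuples for one host, e.g. [(53, 'tcp', 'domain?')]."""
    rows = hosts.get(ip, {"ports": []})["ports"]
    return [(p, proto, svc) for p, proto, state, svc in rows if state == "open"]
```

Any non-empty result from suspicious_port_targets means the scan scope was wrong and the port list must be re-run with commas before the output is used.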