Resolute

10.10.10.169, windows machine.

Background

Target machine: 10.10.10.169

Attacking (Hacker) machine: 10.10.14.4

Penetrating Methodology

Service Scanning

Nmap

Enumeration

Enum4linux
nmap -p 389 --script ldap-search
SMBClient
SMBMap
nmap --script smb-enum-search
rpcclient

Exploitation

msfvenom
dnscmd

Hacking Process Part 1 – Service Scanning

1.1 Quick Pre-searching

$ nmap 10.10.10.169 -oN nmap-htb-resolute-base.txt

root@kclai:~/Documents/ctf/htb/windows/09_resolute# nmap -sV -p 53 88 135 139 389 445 464 593 636 3268 3269 -A -vvv -oN nmap-htb-resolute-detail.txt 10.10.10.169


Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 15:25 HKT

NSE: Loaded 151 scripts for scanning.

NSE: Script Pre-scanning.

NSE: Starting runlevel 1 (of 3) scan.

Initiating NSE at 15:25

Completed NSE at 15:25, 0.00s elapsed

NSE: Starting runlevel 2 (of 3) scan.

Initiating NSE at 15:25

Completed NSE at 15:25, 0.00s elapsed

NSE: Starting runlevel 3 (of 3) scan.

Initiating NSE at 15:25

Completed NSE at 15:25, 0.00s elapsed

Initiating Ping Scan at 15:25

Scanning 10 hosts [4 ports/host]

Completed Ping Scan at 15:25, 9.06s elapsed (10 total hosts)

Nmap scan report for 88 (0.0.0.88) [host down, received no-response]

Nmap scan report for 135 (0.0.0.135) [host down, received no-response]

Nmap scan report for 139 (0.0.0.139) [host down, received no-response]

Nmap scan report for 389 (0.0.1.133) [host down, received no-response]

Nmap scan report for 445 (0.0.1.189) [host down, received no-response]

Nmap scan report for 464 (0.0.1.208) [host down, received no-response]

Nmap scan report for 593 (0.0.2.81) [host down, received no-response]

Nmap scan report for 636 (0.0.2.124) [host down, received no-response]

Nmap scan report for 3268 (0.0.12.196) [host down, received no-response]

Nmap scan report for 3269 (0.0.12.197) [host down, received no-response]

Initiating Ping Scan at 15:25

Scanning 10.10.10.169 [4 ports]

Completed Ping Scan at 15:25, 0.30s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 15:25

Completed Parallel DNS resolution of 1 host. at 15:25, 0.01s elapsed

DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]

Initiating SYN Stealth Scan at 15:25

Scanning 10.10.10.169 [1 port]

Discovered open port 53/tcp on 10.10.10.169

Completed SYN Stealth Scan at 15:25, 0.51s elapsed (1 total ports)

Initiating Service scan at 15:25

Scanning 1 service on 10.10.10.169

Completed Service scan at 15:25, 10.98s elapsed (1 service on 1 host)

Initiating OS detection (try #1) against 10.10.10.169

WARNING: RST from 10.10.10.169 port 53 -- is this port really open?

WARNING: RST from 10.10.10.169 port 53 -- is this port really open?

WARNING: RST from 10.10.10.169 port 53 -- is this port really open?

WARNING: RST from 10.10.10.169 port 53 -- is this port really open?

Retrying OS detection (try #2) against 10.10.10.169

Initiating Traceroute at 15:26

Completed Traceroute at 15:26, 0.66s elapsed

Initiating Parallel DNS resolution of 2 hosts. at 15:26

Completed Parallel DNS resolution of 2 hosts. at 15:26, 0.17s elapsed

DNS resolution of 2 IPs took 0.17s. Mode: Async [#: 1, OK: 0, NX: 2, DR: 0, SF: 0, TR: 2, CN: 0]

NSE: Script scanning 10.10.10.169.

NSE: Starting runlevel 1 (of 3) scan.

Initiating NSE at 15:26

Completed NSE at 15:26, 17.63s elapsed

NSE: Starting runlevel 2 (of 3) scan.

Initiating NSE at 15:26

Completed NSE at 15:26, 3.06s elapsed

NSE: Starting runlevel 3 (of 3) scan.

Initiating NSE at 15:26

Completed NSE at 15:26, 0.00s elapsed

Nmap scan report for 10.10.10.169

Host is up, received reset ttl 127 (0.39s latency).

Scanned at 2020-02-27 15:25:47 HKT for 38s


PORT   STATE SERVICE REASON          VERSION

53/tcp open  domain? syn-ack ttl 127

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

OS fingerprint not ideal because: Missing a closed TCP port so results incomplete

Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (93%), Microsoft Windows 10 (93%)

No exact OS matches for host (test conditions non-ideal).

TCP/IP fingerprint:

SCAN(V=7.80%E=4%D=2/27%OT=53%CT=%CU=36533%PV=Y%DS=2%DC=T%G=N%TM=5E576F21%P=x86_64-pc-linux-gnu)

SEQ(CI=RD%II=I)

SEQ(SP=106%GCD=1%ISR=105%TI=I%CI=I%II=I%SS=S%TS=A)

OPS(O1=%O2=%O3=%O4=%O5=M54DNW8ST11%O6=M54DST11)

WIN(W1=0%W2=0%W3=0%W4=0%W5=2000%W6=2000)

ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q=)

T1(R=Y%DF=Y%T=80%S=Z%A=S+%F=AR%RD=0%Q=)

T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)

T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)

T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)

T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)

T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)

T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)

U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)

IE(R=Y%DFI=N%T=80%CD=Z)


Uptime guess: 0.026 days (since Thu Feb 27 14:48:34 2020)

Network Distance: 2 hops

TCP Sequence Prediction: Difficulty=262 (Good luck!)

IP ID Sequence Generation: Incremental


TRACEROUTE (using port 443/tcp)

HOP RTT       ADDRESS

1   227.42 ms 10.10.14.1

2   651.46 ms 10.10.10.169


NSE: Script Post-scanning.

NSE: Starting runlevel 1 (of 3) scan.

Initiating NSE at 15:26

Completed NSE at 15:26, 0.00s elapsed

NSE: Starting runlevel 2 (of 3) scan.

Initiating NSE at 15:26

Completed NSE at 15:26, 0.00s elapsed

NSE: Starting runlevel 3 (of 3) scan.

Initiating NSE at 15:26

Completed NSE at 15:26, 0.00s elapsed

Read data files from: /usr/bin/../share/nmap

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 11 IP addresses (1 host up) scanned in 47.92 seconds

           Raw packets sent: 128 (6.556KB) | Rcvd: 65 (4.256KB)

PreviousLegacy NextCascade

Last updated 5 years ago

Was this helpful?

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 15:25 HKT NSE: Loaded 151 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 15:25 Completed NSE at 15:25, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 15:25 Completed NSE at 15:25, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 15:25 Completed NSE at 15:25, 0.00s elapsed Initiating Ping Scan at 15:25 Scanning 10 hosts [4 ports/host] Completed Ping Scan at 15:25, 9.06s elapsed (10 total hosts) Nmap scan report for 88 (0.0.0.88) [host down, received no-response] Nmap scan report for 135 (0.0.0.135) [host down, received no-response] Nmap scan report for 139 (0.0.0.139) [host down, received no-response] Nmap scan report for 389 (0.0.1.133) [host down, received no-response] Nmap scan report for 445 (0.0.1.189) [host down, received no-response] Nmap scan report for 464 (0.0.1.208) [host down, received no-response] Nmap scan report for 593 (0.0.2.81) [host down, received no-response] Nmap scan report for 636 (0.0.2.124) [host down, received no-response] Nmap scan report for 3268 (0.0.12.196) [host down, received no-response] Nmap scan report for 3269 (0.0.12.197) [host down, received no-response] Initiating Ping Scan at 15:25 Scanning 10.10.10.169 [4 ports] Completed Ping Scan at 15:25, 0.30s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 15:25 Completed Parallel DNS resolution of 1 host. at 15:25, 0.01s elapsed DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0] Initiating SYN Stealth Scan at 15:25 Scanning 10.10.10.169 [1 port] Discovered open port 53/tcp on 10.10.10.169 Completed SYN Stealth Scan at 15:25, 0.51s elapsed (1 total ports) Initiating Service scan at 15:25 Scanning 1 service on 10.10.10.169 Completed Service scan at 15:25, 10.98s elapsed (1 service on 1 host) Initiating OS detection (try #1) against 10.10.10.169 WARNING: RST from 10.10.10.169 port 53 -- is this port really open? WARNING: RST from 10.10.10.169 port 53 -- is this port really open? WARNING: RST from 10.10.10.169 port 53 -- is this port really open? WARNING: RST from 10.10.10.169 port 53 -- is this port really open? Retrying OS detection (try #2) against 10.10.10.169 Initiating Traceroute at 15:26 Completed Traceroute at 15:26, 0.66s elapsed Initiating Parallel DNS resolution of 2 hosts. at 15:26 Completed Parallel DNS resolution of 2 hosts. at 15:26, 0.17s elapsed DNS resolution of 2 IPs took 0.17s. Mode: Async [#: 1, OK: 0, NX: 2, DR: 0, SF: 0, TR: 2, CN: 0] NSE: Script scanning 10.10.10.169. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 15:26 Completed NSE at 15:26, 17.63s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 15:26 Completed NSE at 15:26, 3.06s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 15:26 Completed NSE at 15:26, 0.00s elapsed Nmap scan report for 10.10.10.169 Host is up, received reset ttl 127 (0.39s latency). Scanned at 2020-02-27 15:25:47 HKT for 38s PORT STATE SERVICE REASON VERSION 53/tcp open domain? syn-ack ttl 127 Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port OS fingerprint not ideal because: Missing a closed TCP port so results incomplete Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (93%), Microsoft Windows 10 (93%) No exact OS matches for host (test conditions non-ideal). TCP/IP fingerprint: SCAN(V=7.80%E=4%D=2/27%OT=53%CT=%CU=36533%PV=Y%DS=2%DC=T%G=N%TM=5E576F21%P=x86_64-pc-linux-gnu) SEQ(CI=RD%II=I) SEQ(SP=106%GCD=1%ISR=105%TI=I%CI=I%II=I%SS=S%TS=A) OPS(O1=%O2=%O3=%O4=%O5=M54DNW8ST11%O6=M54DST11) WIN(W1=0%W2=0%W3=0%W4=0%W5=2000%W6=2000) ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q=) T1(R=Y%DF=Y%T=80%S=Z%A=S+%F=AR%RD=0%Q=) T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=) T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=) T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=) T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=) T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G) IE(R=Y%DFI=N%T=80%CD=Z) Uptime guess: 0.026 days (since Thu Feb 27 14:48:34 2020) Network Distance: 2 hops TCP Sequence Prediction: Difficulty=262 (Good luck!) IP ID Sequence Generation: Incremental TRACEROUTE (using port 443/tcp) HOP RTT ADDRESS 1 227.42 ms 10.10.14.1 2 651.46 ms 10.10.10.169 NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 15:26 Completed NSE at 15:26, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 15:26 Completed NSE at 15:26, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 15:26 Completed NSE at 15:26, 0.00s elapsed Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 11 IP addresses (1 host up) scanned in 47.92 seconds Raw packets sent: 128 (6.556KB) | Rcvd: 65 (4.256KB)