# Resolute

## Background

![](/files/-MHdaTdvUyKqLfV2hGpv)

Target machine: 10.10.10.169

Attacking (Hacker) machine: 10.10.14.4

## Penetrating Methodology

### Service Scanning

* Nmap

### Enumeration

* Enum4linux
* nmap -p 389 --script ldap-search
* SMBClient
* SMBMap
* nmap --script smb-enum-search
* rpcclient

### Exploitation

* msfvenom
* dnscmd

## Hacking Process Part 1 – Service Scanning

#### 1.1 Quick Pre-searching

```
$ nmap 10.10.10.169 -oN nmap-htb-resolute-base.txt
```

![](/files/-MHdd2M827gLLlrN7FnT)

```bash
root@kclai:~/Documents/ctf/htb/windows/09_resolute# nmap -sV -p 53 88 135 139 389 445 464 593 636 3268 3269 -A -vvv -oN nmap-htb-resolute-detail.txt 10.10.10.169
```

```bash
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 15:25 HKT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:25
Completed NSE at 15:25, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:25
Completed NSE at 15:25, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:25
Completed NSE at 15:25, 0.00s elapsed
Initiating Ping Scan at 15:25
Scanning 10 hosts [4 ports/host]
Completed Ping Scan at 15:25, 9.06s elapsed (10 total hosts)
Nmap scan report for 88 (0.0.0.88) [host down, received no-response]
Nmap scan report for 135 (0.0.0.135) [host down, received no-response]
Nmap scan report for 139 (0.0.0.139) [host down, received no-response]
Nmap scan report for 389 (0.0.1.133) [host down, received no-response]
Nmap scan report for 445 (0.0.1.189) [host down, received no-response]
Nmap scan report for 464 (0.0.1.208) [host down, received no-response]
Nmap scan report for 593 (0.0.2.81) [host down, received no-response]
Nmap scan report for 636 (0.0.2.124) [host down, received no-response]
Nmap scan report for 3268 (0.0.12.196) [host down, received no-response]
Nmap scan report for 3269 (0.0.12.197) [host down, received no-response]
Initiating Ping Scan at 15:25
Scanning 10.10.10.169 [4 ports]
Completed Ping Scan at 15:25, 0.30s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:25
Completed Parallel DNS resolution of 1 host. at 15:25, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:25
Scanning 10.10.10.169 [1 port]
Discovered open port 53/tcp on 10.10.10.169
Completed SYN Stealth Scan at 15:25, 0.51s elapsed (1 total ports)
Initiating Service scan at 15:25
Scanning 1 service on 10.10.10.169
Completed Service scan at 15:25, 10.98s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 10.10.10.169
WARNING: RST from 10.10.10.169 port 53 -- is this port really open?
WARNING: RST from 10.10.10.169 port 53 -- is this port really open?
WARNING: RST from 10.10.10.169 port 53 -- is this port really open?
WARNING: RST from 10.10.10.169 port 53 -- is this port really open?
Retrying OS detection (try #2) against 10.10.10.169
Initiating Traceroute at 15:26
Completed Traceroute at 15:26, 0.66s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 15:26
Completed Parallel DNS resolution of 2 hosts. at 15:26, 0.17s elapsed
DNS resolution of 2 IPs took 0.17s. Mode: Async [#: 1, OK: 0, NX: 2, DR: 0, SF: 0, TR: 2, CN: 0]
NSE: Script scanning 10.10.10.169.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:26
Completed NSE at 15:26, 17.63s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:26
Completed NSE at 15:26, 3.06s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:26
Completed NSE at 15:26, 0.00s elapsed
Nmap scan report for 10.10.10.169
Host is up, received reset ttl 127 (0.39s latency).
Scanned at 2020-02-27 15:25:47 HKT for 38s

PORT   STATE SERVICE REASON          VERSION
53/tcp open  domain? syn-ack ttl 127
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (93%), Microsoft Windows 10 (93%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.80%E=4%D=2/27%OT=53%CT=%CU=36533%PV=Y%DS=2%DC=T%G=N%TM=5E576F21%P=x86_64-pc-linux-gnu)
SEQ(CI=RD%II=I)
SEQ(SP=106%GCD=1%ISR=105%TI=I%CI=I%II=I%SS=S%TS=A)
OPS(O1=%O2=%O3=%O4=%O5=M54DNW8ST11%O6=M54DST11)
WIN(W1=0%W2=0%W3=0%W4=0%W5=2000%W6=2000)
ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%T=80%S=Z%A=S+%F=AR%RD=0%Q=)
T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)
T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=80%CD=Z)

Uptime guess: 0.026 days (since Thu Feb 27 14:48:34 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   227.42 ms 10.10.14.1
2   651.46 ms 10.10.10.169

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:26
Completed NSE at 15:26, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:26
Completed NSE at 15:26, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:26
Completed NSE at 15:26, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 11 IP addresses (1 host up) scanned in 47.92 seconds
           Raw packets sent: 128 (6.556KB) | Rcvd: 65 (4.256KB)
```
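The output above covers only 53/tcp and ends with `11 IP addresses (1 host up)`: the ports after `-p 53` were separated by spaces, so nmap read each one as a target address (389 became 0.0.1.133). This added example, not part of the original writeup, reproduces that decoding and builds the comma-separated list `-p` expects. The function names are illustrative, and `stray_targets` assumes `-p` is the only option whose value is a bare number.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): scope check for a port list.

# A bare integer given as a target is read as a 32-bit IPv4 address.
int_to_ipv4() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                           $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# Join validated port numbers with commas, the form -p expects.
join_ports() {
    local p out=
    for p in "$@"; do
        case $p in ''|*[!0-9]*) echo "not a port: $p" >&2; return 1 ;; esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
        out=${out:+$out,}$p
    done
    printf '%s\n' "$out"
}

# List purely numeric arguments that do not directly follow -p, together with
# the address each would be scanned as. Assumption: -p is the only option here
# that takes a bare number as its value.
stray_targets() {
    local prev= a
    for a in "$@"; do
        case $a in
            ''|*[!0-9]*) ;;   # options, hostnames, dotted addresses
            *) [ "$prev" = "-p" ] || printf '%s -> %s\n' "$a" "$(int_to_ipv4 "$a")" ;;
        esac
        prev=$a
    done
}

# Ports as typed in the command on this page (space-separated).
PORTS="53 88 135 139 389 445 464 593 636 3268 3269"
stray_targets -sV -p $PORTS -A 10.10.10.169
echo "corrected port argument: -p $(join_ports $PORTS)"
```

The ten lines printed by `stray_targets` match the ten `host down` entries in the scan report.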

