Hello Navi

note and sharing

enterprise

I found a plugin named img-paste.vim; I can paste images into markdown from vim now.

scan

```sh
➜  tmp rustscan -a 10.10.216.225
...
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
5357/tcp open wsdapi syn-ack
47001/tcp open winrm syn-ack
```

Web page (screenshot: enterprise-webpage). Scan for directories:

```sh
➜ ~ gobuster dir -u http://10.10.216.225/ -w /usr/share/dirb/wordlists/big.txt
/robots.txt (Status: 200) [Size: 110]

# got nothing
```

robots.txt:

```
Why would robots.txt exist on a Domain Controllers web server?
Robots.txt is for search engines, not for you!
```

Search writeup XD

I found that some ports were missed.
If I want all ports, I need to wait for one hour. orz

```sh
➜ ~ nmap 10.10.216.225 -p0-65535 -A
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-16 23:42 CST
Stats: 0:06:51 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 8.37% done; ETC: 01:04 (1:14:59 remaining)
# weak VPN connection
```

Another way: to increase rustscan's accuracy, add a timeout.

Still doesn't find 445 and 7990:

```sh
➜  ~ rustscan -a 10.10.216.225 -t 3000
...
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
5357/tcp open wsdapi syn-ack
5985/tcp open wsman syn-ack
47001/tcp open winrm syn-ack
49664/tcp open unknown syn-ack
49665/tcp open unknown syn-ack
49666/tcp open unknown syn-ack
49668/tcp open unknown syn-ack
49671/tcp open unknown syn-ack
49672/tcp open unknown syn-ack
49673/tcp open unknown syn-ack
49679/tcp open unknown syn-ack
49705/tcp open unknown syn-ack
49710/tcp open unknown syn-ack
49842/tcp open unknown syn-ack
```

Configure 2 tries, and finally it works:

```sh
➜  ~ rustscan -a 10.10.216.225 -t 3000 --tries 2
...
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
389/tcp open ldap syn-ack
445/tcp open microsoft-ds syn-ack
464/tcp open kpasswd5 syn-ack
593/tcp open http-rpc-epmap syn-ack
636/tcp open ldapssl syn-ack
5357/tcp open wsdapi syn-ack
5985/tcp open wsman syn-ack
7990/tcp open unknown syn-ack
47001/tcp open winrm syn-ack
49664/tcp open unknown syn-ack
49665/tcp open unknown syn-ack
49666/tcp open unknown syn-ack
49668/tcp open unknown syn-ack
49671/tcp open unknown syn-ack
49672/tcp open unknown syn-ack
49673/tcp open unknown syn-ack
49679/tcp open unknown syn-ack
49705/tcp open unknown syn-ack
49710/tcp open unknown syn-ack
```
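The three runs above show why a single fast scan should never be trusted as complete: ports 389, 445 and 7990 only appear once the timeout and retry count are raised. The following added example (not part of the original post) parses the `PORT STATE SERVICE REASON` table that rustscan and nmap print and reports, per run, which open ports that run missed compared with the others. The run excerpts are constructed from a subset of the ports above.

```python
import re

# Constructed excerpts of the three rustscan runs above (subset of the ports, same format).
RUNS = {
    "default": """\
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
47001/tcp open winrm syn-ack
""",
    "t3000": """\
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
5985/tcp open wsman syn-ack
47001/tcp open winrm syn-ack
""",
    "t3000_tries2": """\
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
389/tcp open ldap syn-ack
445/tcp open microsoft-ds syn-ack
5985/tcp open wsman syn-ack
7990/tcp open unknown syn-ack
47001/tcp open winrm syn-ack
""",
}

# One table row: "<port>/<proto> <state> <service> [reason]"; the header row does not match.
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(output: str) -> dict[int, str]:
    """Return {port: service} for every row whose state column is 'open'."""
    ports: dict[int, str] = {}
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = m.group(4)
    return ports


def missed_ports(runs: dict[str, str]) -> dict[str, set[int]]:
    """For each run, the open ports some other run reported that this run did not."""
    seen = {name: set(parse_open_ports(out)) for name, out in runs.items()}
    union: set[int] = set().union(*seen.values())
    return {name: union - ports for name, ports in seen.items()}
```

Feeding the full outputs from the page into `RUNS` gives the same picture: the default run misses 389, 445, 5985 and 7990, while the `-t 3000 --tries 2` run misses nothing the other two saw.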

Spent 2 hours now. What can I say; run nmap and check the services again.

I will be a THM top player, never give up.

```sh
➜  ~ nmap -sV -A -p 53,80,88,135,139,389,445,464,593,636,5357,5985,7990,47001,49664,49665,49666,49668,49671,49672,49673,49679,49705,49710 10.10.216.225

Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-17 00:24 CST
Nmap scan report for 10.10.216.225
Host is up (0.28s latency).

PORT STATE SERVICE VERSION
53/tcp open domain (generic dns response: SERVFAIL)
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-16 16:23:29Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7990/tcp open http Microsoft IIS httpd 10.0
|_http-title: Log in to continue - Log in with Atlassian account
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49671/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49672/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49705/tcp open msrpc Microsoft Windows RPC
49710/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.95%I=7%D=2/17%Time=67B21144%P=x86_64-pc-linux-gnu%r(DNSS
SF:tatusRequestTCP,E,"\0\x0c\0\0\x90\x02\0\0\0\0\0\0\0\0");
Service Info: Host: LAB-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2025-02-16T16:24:34
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: -58s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.26 seconds
```

check service

http://10.10.216.225:7990/ (screenshot: enterprise-7990)

Found a GitHub page:

https://github.com/Nik-enterprise-dev/mgmtScript.ps1/commit/bc40c9f237bfbe7be7181e82bebe7c0087eb7ed8

Got a username and password in the commit:

```powershell
Import-Module ActiveDirectory
$userName = 'nik'
$userPassword = 'ToastyBoi!'
$psCreds = ConvertTo-SecureString $userPassword -AsPlainText -Force
$Computers = New-Object -TypeName "System.Collections.ArrayList"
$Computer = $(Get-ADComputer -Filter * | Select-Object Name)
for ($index = -1; $index -lt $Computer.count; $index++) { Invoke-Command -ComputerName $index {systeminfo} }
```

$userName = 'nik', $userPassword = 'ToastyBoi!'
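A defender-side check for exactly the kind of leak that commit shows: an added example (not from the post or the repository above) that flags hard-coded credential assignments and plaintext-to-SecureString conversions in PowerShell scripts before they are committed. The sample script mirrors the structure of the committed one with the secret replaced by a placeholder; the rule names are constructed.

```python
import re

# Constructed sample modelled on the committed script above; the real values are
# replaced with placeholders. Lines 3 and 4 are the ones a reviewer should catch.
SAMPLE_PS1 = """\
Import-Module ActiveDirectory
$userName = 'svc_example'
$userPassword = 'PLACEHOLDER_SECRET'
$psCreds = ConvertTo-SecureString $userPassword -AsPlainText -Force
$token = $env:API_TOKEN
"""

# Each rule: (constructed rule id, pattern applied to one line at a time).
RULES = [
    # A variable whose name suggests a secret, assigned a quoted string literal.
    ("hardcoded-secret-literal",
     re.compile(r"""^\s*\$\w*(pass|pwd|secret|token|key)\w*\s*=\s*['"][^'"]+['"]""", re.I)),
    # Building a SecureString from plaintext means the plaintext is in the script.
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\b.*-AsPlainText", re.I)),
    # A literal password passed straight to a cmdlet parameter.
    ("password-parameter-literal",
     re.compile(r"""-Password\s+['"][^'"]+['"]""", re.I)),
]


def scan_script(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, rule id, offending line) for every rule hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule_id, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, rule_id, line.strip()))
    return findings


def has_secrets(text: str) -> bool:
    """True if the script should be blocked from being committed."""
    return bool(scan_script(text))
```

Reading a secret from the environment, as the last sample line does, is not flagged; that is the pattern the committed script should have used.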

try ssh

```sh
➜  tmp ssh nik@10.10.216.225
ssh: connect to host 10.10.216.225 port 22: Connection refused
```

Forgot it's a Windows server; try RDP.

Installed Remmina and FreeRDP for the RDP connection; it failed (screenshot: enterprise-rdptry).

check smb

```sh
➜  ~ smbclient --list=10.10.216.225 --no-pass
Can't load /etc/samba/smb.conf - run testparm to debug it

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Docs Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Users Disk Users Share. Do Not Touch!
SMB1 disabled -- no workgroup available


➜ ~ smbclient //10.10.216.225/Docs --no-pass
Can't load /etc/samba/smb.conf - run testparm to debug it
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Mar 15 10:47:35 2021
.. D 0 Mon Mar 15 10:47:35 2021
RSA-Secured-Credentials.xlsx A 15360 Mon Mar 15 10:46:54 2021
RSA-Secured-Document-PII.docx A 18432 Mon Mar 15 10:45:24 2021

# these two files need a password

➜ tmp office2john RSA-Secured-Credentials.xlsx > xlsx-hash
➜ tmp office2john RSA-Secured-Document-PII.docx > docx-hash
➜ tmp john xlsx-hash --wordlist=/usr/share/wordlists/passwords/rockyou.txt
# feels like the laptop will blow up computing this
```

Something called Kerberoasting and SPNs? Terminate box.