Date: Mar 23, 2025
Tags: Nmap, Credential Harvesting, Privilege Escalation Techniques

192.168.140.30

Nmap
└─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 06:49 EDT
Stats: 0:00:00 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 2.14% done; ETC: 06:49 (0:00:00 remaining)
Nmap scan report for 192.168.140.30
Host is up (0.066s latency).
Not shown: 65511 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
9389/tcp open adws
49664/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49685/tcp open unknown
49687/tcp open unknown
49694/tcp open unknown
49705/tcp open unknown
49708/tcp open unknown
49739/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 26.54 seconds
└─# nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 06:49 EDT
Nmap scan report for 192.168.140.30
Host is up (0.064s latency).
Not shown: 65532 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
Nmap done: 1 IP address (1 host up) scanned in 26.59 seconds
139,445 (SMB)

Nothing valuable found.
We try to access SMB with the account root:nara, which can log in.

I checked nara's files; only this file can be found.

The content of this file means that everyone will open any file placed in this folder.

So we start Responder to capture the hash of anyone who clicks our hashgrab file.

We upload it and receive a hash from someone who clicks the file.

Then we run hashcat against the hash; we can also tell that the hash type is


Got the password:
TRACY.WHITE:zqwj041FGX
We attempt to use the credentials to access port 5985 (WinRM), but fail.

This is because the account is not a member of the Remote Management Users group, so we use RPC to add it.

Successful.
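A defender-side check for the step above, as an added example that is not part of the original writeup: the group addition needed to reach WinRM shows up as Security event 4732 (member added to a security-enabled local group) or 4728 (global group), and a simple filter over those events catches it. The flat `id|subject|group|member` line format and the sample records are constructed for this example and are not real exported logs.

```python
import re

# 4732 = member added to a security-enabled local group, 4728 = global group.
MEMBER_ADD_EVENTS = {4728, 4732}
# Groups that grant WinRM (5985), RDP (3389) or admin rights on a Windows host.
SENSITIVE_GROUPS = {"Remote Management Users", "Remote Desktop Users",
                    "Administrators", "Domain Admins"}

# Constructed sample records, not real exported logs. The flat
# "id|subject|group|member" layout is an assumed stand-in for the
# SubjectUserName / TargetUserName / MemberName fields of 4732 and 4728.
SAMPLE_LOG = """\
4624|DC01$||
4732|TRACY.WHITE|Remote Management Users|TRACY.WHITE
4732|helpdesk.svc|Backup Operators|jsmith
4728|svc_deploy|Domain Admins|TRACY.WHITE
4733|admin|Remote Management Users|TRACY.WHITE
"""

LINE_RE = re.compile(r"^(\d+)\|([^|]*)\|([^|]*)\|([^|]*)$")

def parse_line(line):
    """Return (event_id, subject, group, member), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_sensitive_group_adds(log_text):
    """Alert on 4728/4732 events whose target group grants remote access.
    A self-add (subject == member) is rated high: an account granting
    itself remote-management rights is the pattern in the writeup."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        event_id, subject, group, member = rec
        if event_id not in MEMBER_ADD_EVENTS or group not in SENSITIVE_GROUPS:
            continue
        self_add = subject.lower() == member.lower()
        alerts.append({"event_id": event_id, "group": group, "member": member,
                       "by": subject, "severity": "high" if self_add else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_sensitive_group_adds(SAMPLE_LOG):
        print(alert)
```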
PE (Privilege Escalation)

We found this hash, but are not sure what it is:

Jodie.Summers:hHO_S9gff7ehXw

Got it.