jebidiah-anthony

write-ups and what not

HTB Waldo (10.10.10.87)



PART 1 : INITIAL RECON

$ nmap --min-rate 3000 -p- -Pn -v 10.10.10.100

  PORT      STATE SERVICE
  53/tcp    open  domain
  88/tcp    open  kerberos-sec
  135/tcp   open  msrpc
  139/tcp   open  netbios-ssn
  389/tcp   open  ldap
  445/tcp   open  microsoft-ds
  464/tcp   open  kpasswd5
  593/tcp   open  http-rpc-epmap
  636/tcp   open  ldapssl
  3268/tcp  open  globalcatLDAP
  3269/tcp  open  globalcatLDAPssl
  5722/tcp  open  msdfsr
  9389/tcp  open  adws
  47001/tcp open  winrm
  ...omitted...

$ nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001 -Pn -sC -sV -T4 -v 10.10.10.100

  PORT      STATE SERVICE       VERSION
  53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
  | dns-nsid:
  |_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
  88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-07-20 19:17:21Z)
  135/tcp   open  msrpc         Microsoft Windows RPC
  139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
  389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
  445/tcp   open  microsoft-ds?
  464/tcp   open  kpasswd5?
  593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
  636/tcp   open  tcpwrapped
  3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
  3269/tcp  open  tcpwrapped
  5722/tcp  open  msrpc         Microsoft Windows RPC
  9389/tcp  open  mc-nmf        .NET Message Framing
  47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  | http-server-header: Microsoft-HTTPAPI/2.0
  |_http-title: Not Found
  Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

  Host script results:
  |_clock-skew: 3m44s
  | smb2-security-mode:
  |   2.02:
  |    Message signing enabled and required
  | smb2-time:
  |   date: 2020-07-20T19:18:17
  |_  start_date: 2020-07-20T18:35:49

PART 2 : PORT ENUMERATION

PORT 445 (SMB)

Let’s enumerate available shares for the host, 10.10.10.100:

$ smbmap -H 10.10.10.100

  [+] IP: 10.10.10.100:445        Name: 10.10.10.100
          Disk                                                    Permissions     Comment
          ----                                                    -----------     -------
          ADMIN$                                                  NO ACCESS       Remote Admin
          C$                                                      NO ACCESS       Default share
          IPC$                                                    NO ACCESS       Remote IPC
          NETLOGON                                                NO ACCESS       Logon server share
          Replication                                             READ ONLY
          SYSVOL                                                  NO ACCESS       Logon server share
          Users                                                   NO ACCESS

The Replication share is readable without any login credentials (an anonymous, or null, session is enough).

Exploring the Replication share with smbclient (-N suppresses the password prompt, so the connection is made anonymously):

$ smbclient \\\\10.10.10.100\\Replication -I 10.10.10.100 -N
smb: \> dir

  active.htb                          D        0  Sat Jul 21 18:37:44 2018

smb: \> cd active.htb

smb: \active.htb\> dir

  DfsrPrivate                       DHS        0  Sat Jul 21 18:37:44 2018
  Policies                            D        0  Sat Jul 21 18:37:44 2018
  scripts                             D        0  Thu Jul 19 02:48:57 2018

smb: \active.htb\> cd Policies

smb: ...\Policies\> dir

  {31B2F340-016D-11D2-945F-00C04FB984F9}      D        0  Sat Jul 21 18:37:44 2018
  {6AC1786C-016F-11D2-945F-00C04fB984F9}      D        0  Sat Jul 21 18:37:44 2018

smb: ...\Policies\> cd {31B2F340-016D-11D2-945F-00C04FB984F9}

smb: ...\{31B2F340-016D-11D2-945F-00C04FB984F9}\> dir

  GPT.INI                             A       23  Thu Jul 19 04:46:06 2018
  Group Policy                        D        0  Sat Jul 21 18:37:44 2018
  MACHINE                             D        0  Sat Jul 21 18:37:44 2018
  USER                                D        0  Thu Jul 19 02:49:12 2018

smb: ...\{31B2F340-016D-11D2-945F-00C04FB984F9}\> cd MACHINE

smb: ...\MACHINE\> dir

  Microsoft                           D        0  Sat Jul 21 18:37:44 2018
  Preferences                         D        0  Sat Jul 21 18:37:44 2018
  Registry.pol                        A     2788  Thu Jul 19 02:53:45 2018

smb: ...\MACHINE\> cd Preferences

smb: ...\Preferences\> dir

  Groups                              D        0  Sat Jul 21 18:37:44 2018

smb: ...\Preferences\> cd Groups

smb: ...\Groups\> dir

  Groups.xml                          A      533  Thu Jul 19 04:46:06 2018

smb: ...\Groups\> get Groups.xml

Deep within the share is a Group Policy Preferences file, Groups.xml:

Groups.xml:
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
    <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
        <Properties
            action="U"
            newName=""
            fullName=""
            description=""
            cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
            changeLogon="0"
            noChange="1"
            neverExpires="1"
            acctDisabled="0"
            userName="active.htb\SVC_TGS"/>
    </User>
</Groups>

Groups.xml, and other XML files like it, are created under a policy's Preferences folder whenever a Group Policy Preference is configured.
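A defender's check for this class of finding, added here as an example and not part of the original write-up: the Python below walks a Policies tree (a SYSVOL copy or the DFSR Replication share seen above) and reports every Group Policy Preferences file that still carries a cpassword attribute. A cpassword value is a credential encrypted with a key Microsoft documented publicly, so its mere presence in a share readable by domain users is the finding; the script does not decrypt anything. The directory layout and the Services.xml content are constructed for the demo, while the Groups.xml content is the file recovered above.

```python
"""Scan Group Policy Preference XML files for stored 'cpassword' credentials.

Constructed, offline example: build_sample_tree() writes a small tree that
mimics the Policies/{GUID}/MACHINE/Preferences layout seen in the share, and
scan_policies() is then run over it. Point scan_policies() at a real SYSVOL
or Replication copy to use it for real.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference file types whose schema allows a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# The Groups.xml recovered from the Replication share (value copied from the page).
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
    <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
        <Properties action="U" newName="" fullName="" description=""
            cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
            changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
            userName="active.htb\\SVC_TGS"/>
    </User>
</Groups>
"""

# Constructed Services.xml with no stored credential: must produce no finding.
SAMPLE_SERVICES_XML = """<?xml version="1.0" encoding="utf-8"?>
<NTServices>
    <NTService name="Spooler" image="0">
        <Properties startupType="AUTOMATIC" serviceName="Spooler" serviceAction="START"/>
    </NTService>
</NTServices>
"""


def find_cpasswords(xml_path):
    """Return one finding per element in the file that carries a non-empty cpassword."""
    findings = []
    try:
        root = ET.parse(xml_path).getroot()
    except ET.ParseError:
        return findings  # malformed file: nothing recoverable to report
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if not cpw:
            continue
        # The account lives in different attributes depending on the preference
        # type (userName for Groups, runAs for ScheduledTasks, accountName for Services).
        account = (elem.get("userName") or elem.get("runAs")
                   or elem.get("accountName") or elem.get("name") or "?")
        findings.append({"file": xml_path, "element": elem.tag,
                         "account": account, "cpassword": cpw})
    return findings


def scan_policies(root_dir):
    """Walk a Policies tree and collect cpassword findings from every GPP file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                findings.extend(find_cpasswords(os.path.join(dirpath, name)))
    return findings


def build_sample_tree():
    """Create the constructed Policies tree in a temp dir and return its root."""
    base = tempfile.mkdtemp(prefix="gpp-scan-")
    prefs = os.path.join(base, "Policies", "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                         "MACHINE", "Preferences")
    for sub, content in (("Groups", SAMPLE_GROUPS_XML), ("Services", SAMPLE_SERVICES_XML)):
        os.makedirs(os.path.join(prefs, sub))
        with open(os.path.join(prefs, sub, sub + ".xml"), "w", encoding="utf-8") as f:
            f.write(content)
    return base


def demo():
    """Build the sample tree, scan it and print each finding; returns the findings."""
    findings = scan_policies(build_sample_tree())
    for f in findings:
        print(f"[!] {f['file']}: <{f['element']}> stores a cpassword for {f['account']}")
    return findings


if __name__ == "__main__":
    demo()
```

The remediation for a hit is to delete the preference item (or re-create it without a stored password) and rotate the affected account, since every copy of the XML on every domain controller, and in any backup of SYSVOL, carries the same value.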