Let’s start with a port scan, as always:

~                                                                                                                 ✘ ABR
❯ rustscan -a 10.10.11.21 -u 10000 -- -sC -sV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
I scanned ports so fast, even my computer was surprised.
 
[~] The config file is expected to be at "/home/ch/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.11.21:25
Open 10.10.11.21:53
Open 10.10.11.21:88
Open 10.10.11.21:80
Open 10.10.11.21:135
Open 10.10.11.21:139
Open 10.10.11.21:445
Open 10.10.11.21:593
Open 10.10.11.21:3269
Open 10.10.11.21:3389
Open 10.10.11.21:3268
Open 10.10.11.21:464
Open 10.10.11.21:389
Open 10.10.11.21:5985
Open 10.10.11.21:9389
Open 10.10.11.21:49669
Open 10.10.11.21:49664
Open 10.10.11.21:58787
Open 10.10.11.21:61596
Open 10.10.11.21:64818
Open 10.10.11.21:64823
Open 10.10.11.21:64819
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sC -sV" on ip 10.10.11.21
Depending on the complexity of the script, results may take some time to appear.
 
...
 
 
PORT      STATE SERVICE       REASON  VERSION
25/tcp    open  smtp          syn-ack hMailServer smtpd
| smtp-commands: MAINFRAME, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp    open  domain        syn-ack Simple DNS Plus
80/tcp    open  http          syn-ack Microsoft IIS httpd 10.0
|_http-favicon: Unknown favicon MD5: FAF2C069F86E802FD21BF15DC8EDD2DC
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Axlle Development
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2024-06-23 09:54:28Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
3389/tcp  open  ms-wbt-server syn-ack Microsoft Terminal Services
|_ssl-date: 2024-06-23T09:55:57+00:00; +24s from scanner time.
| rdp-ntlm-info:
|   Target_Name: AXLLE
|   NetBIOS_Domain_Name: AXLLE
|   NetBIOS_Computer_Name: MAINFRAME
|   DNS_Domain_Name: axlle.htb
|   DNS_Computer_Name: MAINFRAME.axlle.htb
|   DNS_Tree_Name: axlle.htb
|   Product_Version: 10.0.20348
|_  System_Time: 2024-06-23T09:55:17+00:00
| ssl-cert: Subject: commonName=MAINFRAME.axlle.htb
| Issuer: commonName=MAINFRAME.axlle.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-19T11:25:03
| Not valid after:  2024-11-18T11:25:03
| MD5:   acc1:ec10:1311:0c34:c548:bd34:8cce:53f9
| SHA-1: 9d6c:ac58:e52c:a711:9ffa:795f:171b:555c:cf0e:7fc9
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
58787/tcp open  msrpc         syn-ack Microsoft Windows RPC
61596/tcp open  msrpc         syn-ack Microsoft Windows RPC
64818/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
64819/tcp open  msrpc         syn-ack Microsoft Windows RPC
64823/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: MAINFRAME; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
| smb2-time:
|   date: 2024-06-23T09:55:20
|_  start_date: N/A
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 29964/tcp): CLEAN (Timeout)
|   Check 2 (port 60718/tcp): CLEAN (Timeout)
|   Check 3 (port 59572/udp): CLEAN (Timeout)
|   Check 4 (port 35232/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 23s, deviation: 0s, median: 23s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
 
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:55
Completed NSE at 12:55, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:55
Completed NSE at 12:55, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:55
Completed NSE at 12:55, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.98 seconds

So many ports…

So:

  • 25 is hMailServer (SMTP)
  • 53 is Simple DNS Plus
  • 80 is an IIS HTTP server
  • 389 is LDAP
  • 445 is SMB
  • 3268 is LDAP (Global Catalog)
  • 3389 is RDP
  • 5985 is WinRM

And a lot of other ports! But I think only this list is interesting to us.
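To turn a scan like the one above into the short service list and the hosts entry used later, here is a small parser written for this writeup (added example, not part of the original post). It works on the nmap table format shown above; the embedded sample is a trimmed copy of that output.

```python
import re

# Constructed sample: a few lines copied from the nmap output above,
# including the rdp-ntlm-info block that reveals the AD DNS names.
NMAP_SAMPLE = """\
PORT      STATE SERVICE       REASON  VERSION
25/tcp    open  smtp          syn-ack hMailServer smtpd
53/tcp    open  domain        syn-ack Simple DNS Plus
80/tcp    open  http          syn-ack Microsoft IIS httpd 10.0
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
3389/tcp  open  ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
|   DNS_Domain_Name: axlle.htb
|   DNS_Computer_Name: MAINFRAME.axlle.htb
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
"""

# "<port>/tcp  open  <service>  <reason>  <version...>" (version may be empty)
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s+\S+\s*(.*)$")
# Lines of the rdp-ntlm-info NSE script that carry DNS names
NTLM_RE = re.compile(r"^\|\s+(DNS_Domain_Name|DNS_Computer_Name):\s+(\S+)$")


def parse_ports(text):
    """Return {port: (service, version)} for every open TCP port in the table."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(2), m.group(3).strip())
    return ports


def dns_names(text):
    """Collect the DNS names reported by nmap's rdp-ntlm-info script."""
    names = {}
    for line in text.splitlines():
        m = NTLM_RE.match(line)
        if m:
            names[m.group(1)] = m.group(2)
    return names


def hosts_line(ip, text):
    """Build the hosts-file line for the target: domain first, then the FQDN."""
    names = dns_names(text)
    wanted = [names.get("DNS_Domain_Name"), names.get("DNS_Computer_Name")]
    return " ".join([ip] + [n for n in wanted if n])


if __name__ == "__main__":
    for port, (svc, ver) in sorted(parse_ports(NMAP_SAMPLE).items()):
        print(f"{port} is {svc} ({ver or 'no version banner'})")
    print(hosts_line("10.10.11.21", NMAP_SAMPLE))
```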

I’ll start with HTTP and run a directory fuzzer against it:

~                                                                                                                 1m 59
❯ ffuf -w /usr/share/dirb/wordlists/big.txt -ic -u http://10.10.11.21/FUZZ
 
        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/
 
       v2.1.0
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.11.21/FUZZ
 :: Wordlist         : FUZZ: /usr/share/dirb/wordlists/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
 
assets                  [Status: 301, Size: 149, Words: 9, Lines: 2, Duration: 54ms]
css                     [Status: 301, Size: 146, Words: 9, Lines: 2, Duration: 55ms]
js                      [Status: 301, Size: 145, Words: 9, Lines: 2, Duration: 55ms]
:: Progress: [20469/20469] :: Job [1/1] :: 749 req/sec :: Duration: [0:00:29] :: Errors: 0 ::
 
 
~                                                                                                                    29
❯ ffuf -w /usr/share/wordlists/directory-list-lowercase-2.3-medium.txt -ic -u  http://10.10.11.21/FUZZ
 
        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/
 
       v2.1.0
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.11.21/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
 
                        [Status: 200, Size: 10228, Words: 3640, Lines: 167, Duration: 60ms]
assets                  [Status: 301, Size: 149, Words: 9, Lines: 2, Duration: 56ms]
css                     [Status: 301, Size: 146, Words: 9, Lines: 2, Duration: 55ms]
js                      [Status: 301, Size: 145, Words: 9, Lines: 2, Duration: 55ms]
                        [Status: 200, Size: 10228, Words: 3640, Lines: 167, Duration: 56ms]
:: Progress: [156169/207630] :: Job [1/1] :: 722 req/sec :: Duration: [0:03:52] :: Errors: 0 ::

After checking the page I immediately found a domain that might be useful:

[Image: Untitled 30.png]

So let’s add it to the hosts file: 10.10.11.21 axlle.htb

It’s the same page:

[Image: Untitled 1 6.png]

But now we can run a subdomain scan!

After trying multiple wordlists, no additional subdomains were found. Let’s switch to other ports.

Let’s check SMB:

~                                                                                                                     4
❯ smbclient -L 10.10.11.21 -U=guest
Can't load /etc/samba/smb.conf - run testparm to debug it
Password for [WORKGROUP\guest]:
session setup failed: NT_STATUS_ACCOUNT_DISABLED
 
~                                                                                                                 1m 32
❯ enum4linux -a 10.10.11.21
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jun 23 13:32:05 2024
 
 =========================================( Target Information )=========================================
 
Target ........... 10.10.11.21
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
 
 
 ============================( Enumerating Workgroup/Domain on 10.10.11.21 )============================
 
Can't load /etc/samba/smb.conf - run testparm to debug it
 
[E] Can't find workgroup/domain
 
 
 
 ================================( Nbtstat Information for 10.10.11.21 )================================
 
Can't load /etc/samba/smb.conf - run testparm to debug it
Looking up status of 10.10.11.21
No reply from 10.10.11.21
 
 ====================================( Session Check on 10.10.11.21 )====================================
 
 
[+] Server 10.10.11.21 allows sessions using username '', password ''
 
 
 =================================( Getting domain SID for 10.10.11.21 )=================================
 
Can't load /etc/samba/smb.conf - run testparm to debug it
Domain Name: AXLLE
Domain Sid: S-1-5-21-1005535646-190407494-3473065389
 
[+] Host is part of a domain (not a workgroup)
 
 
 ===================================( OS information on 10.10.11.21 )===================================
 
 
[E] Can't get OS info with smbclient
 
 
[+] Got OS info for 10.10.11.21 from srvinfo:
Can't load /etc/samba/smb.conf - run testparm to debug it
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
 
 
 ========================================( Users on 10.10.11.21 )========================================
 
 
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
 
 
 
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
 
 
 ==================================( Share Enumeration on 10.10.11.21 )==================================
 
Can't load /etc/samba/smb.conf - run testparm to debug it
 
        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available
 
[+] Attempting to map shares on 10.10.11.21
 
 
 ============================( Password Policy Information for 10.10.11.21 )============================
 
 
[E] Unexpected error from polenum:
 
 
 
[+] Attaching to 10.10.11.21 using a NULL share
 
[+] Trying protocol 139/SMB...
 
        [!] Protocol failed: Cannot request session (Called Name:10.10.11.21)
 
[+] Trying protocol 445/SMB...
 
        [!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
 
 
 
[E] Failed to get password policy with rpcclient
 
 
 
 =======================================( Groups on 10.10.11.21 )=======================================
 
 
[+] Getting builtin groups:
 
 
[+]  Getting builtin group memberships:
 
 
[+]  Getting local groups:
 
 
[+]  Getting local group memberships:
 
 
[+]  Getting domain groups:
 
 
[+]  Getting domain group memberships:
 
 
 ===================( Users on 10.10.11.21 via RID cycling (RIDS: 500-550,1000-1050) )===================
 
 
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.
 
 
 ================================( Getting printer info for 10.10.11.21 )================================
 
Can't load /etc/samba/smb.conf - run testparm to debug it
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
 
 
enum4linux complete on Sun Jun 23 13:32:35 2024

Nothing interesting…