| ターゲット // Bounty | |
|---|---|
| Platform | HTB |
| OS | Windows |
| Difficulty | Easy |
| IP | 10.129.X.X |
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-title: Bounty
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Directory fuzzing reveals two interesting hits:
| ターゲット // Sunday | |
|---|---|
| Platform | HTB |
| OS | Solaris |
| Difficulty | Easy |
| IP | 10.129.8.23 |
PORT STATE SERVICE VERSION
79/tcp open finger?
111/tcp open rpcbind 2-4 (RPC #100000)
515/tcp open printer
6787/tcp open http Apache httpd
22022/tcp open ssh OpenSSH 8.4 (protocol 2.0)
Solaris box with an unusual port layout – SSH on 22022 and the finger service on 79.
| ターゲット // Poison | |
|---|---|
| Platform | HTB |
| OS | FreeBSD |
| Difficulty | Medium |
| IP | 10.129.1.254 |
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
OS: FreeBSD
| ターゲット // Busqueda | |
|---|---|
| Platform | HTB |
| OS | Linux |
| Difficulty | Easy |
| IP | 10.129.228.217 |
| |
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1
80/tcp open http Apache httpd 2.4.52
Requests to the IP get redirected to searcher.htb – add it to /etc/hosts.
| ターゲット // Blue | |
|---|---|
| Platform | HTB |
| OS | Windows |
| Difficulty | Easy |
| IP | 10.129.44.168 |
Nothing special needed here – straight to enumeration.
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
OS: Windows 7 Professional 7601 Service Pack 1 x64
| ターゲット // Reel | |
|---|---|
| Platform | HTB |
| OS | Windows |
| Difficulty | Hard |
| IP | 10.129.50.115 |
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
FTP + SMTP on a Windows AD box – this screams phishing.
| ターゲット // Resolute | |
|---|---|
| Platform | HTB |
| OS | Windows |
| Difficulty | Medium |
| IP | 10.129.96.155 |
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
Domain: megabank.local, Windows Server 2016.
| ターゲット // Blackfield | |
|---|---|
| Platform | HTB |
| OS | Windows |
| Difficulty | Hard |
| IP | 10.129.229.17 |
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
389/tcp open ldap
445/tcp open microsoft-ds
593/tcp open ncacn_http
3268/tcp open ldap
5985/tcp open http
Domain: BLACKFIELD.LOCAL, DC01.
| ターゲット // Seal | |
|---|---|
| Platform | HTB |
| OS | Linux |
| Difficulty | Medium |
| IP | 10.129.95.190 |
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
8080/tcp open http-proxy
A GitBucket instance with open registration. After registering, we get access to repository info and commit history.
| ターゲット // Sauna | |
|---|---|
| Platform | HTB |
| OS | Windows |
| Difficulty | Easy |
| IP | 10.129.93.188 |
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
Classic AD box – Kerberos, LDAP, SMB, WinRM all present. Domain: EGOTISTICAL-BANK.LOCAL.