| ターゲット // Bounty | |
|---|---|
| Platform | HTB |
| OS | Windows |
| Difficulty | Easy |
| IP | 10.129.X.X |
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-title: Bounty
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Directory fuzzing reveals two interesting hits:
| ターゲット // Blue | |
|---|---|
| Platform | HTB |
| OS | Windows |
| Difficulty | Easy |
| IP | 10.129.44.168 |
Nothing special needed here – straight to enumeration.
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
OS: Windows 7 Professional 7601 Service Pack 1 x64
| ターゲット // Reel | |
|---|---|
| Platform | HTB |
| OS | Windows |
| Difficulty | Hard |
| IP | 10.129.50.115 |
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
FTP + SMTP on a Windows AD box – this screams phishing.
| ターゲット // Resolute | |
|---|---|
| Platform | HTB |
| OS | Windows |
| Difficulty | Medium |
| IP | 10.129.96.155 |
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
Domain: megabank.local, Windows Server 2016.
| ターゲット // Blackfield | |
|---|---|
| Platform | HTB |
| OS | Windows |
| Difficulty | Hard |
| IP | 10.129.229.17 |
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
389/tcp open ldap
445/tcp open microsoft-ds
593/tcp open ncacn_http
3268/tcp open ldap
5985/tcp open http
Domain: BLACKFIELD.LOCAL, DC01.
| ターゲット // Sauna | |
|---|---|
| Platform | HTB |
| OS | Windows |
| Difficulty | Easy |
| IP | 10.129.93.188 |
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
Classic AD box – Kerberos, LDAP, SMB, WinRM all present. Domain: EGOTISTICAL-BANK.LOCAL.
| ターゲット // Forest | |
|---|---|
| Platform | HTB |
| OS | Windows |
| Difficulty | Easy |
| IP | 10.129.157.109 |
Standard AD box – DNS, Kerberos, LDAP, SMB all present. Domain: htb.local.
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
OS: Windows Server 2016 Standard 14393 x64
| ターゲット // Hutch | |
|---|---|
| Platform | OffSec Proving Grounds |
| OS | Windows |
| Difficulty | Medium |
| IP | 192.168.160.122 |
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0.)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0.)
3269/tcp open tcpwrapped
This is a Windows Server 2019 domain controller (hutch.offsec).
| ターゲット // Algernon | |
|---|---|
| Platform | OffSec Proving Grounds |
| OS | Windows |
| Difficulty | Easy |
| IP | 192.168.197.65 |
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5040/tcp open unknown
9998/tcp open http Microsoft IIS httpd 10.0
17001/tcp open remoting MS .NET Remoting services
Anonymous access is allowed. Downloaded the FTP contents:
| ターゲット // Nickel | |
|---|---|
| Platform | OffSec Proving Grounds |
| OS | Windows |
| Difficulty | Medium |
| IP | 192.168.57.99 |
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd
22/tcp open ssh OpenSSH for_Windows_8.1
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
3389/tcp open ms-wbt-server Microsoft Terminal Services
8089/tcp open http Microsoft HTTPAPI httpd 2.0
33333/tcp open http Microsoft HTTPAPI httpd 2.0
Two HTTP APIs on non-standard ports. FTP requires credentials, no anonymous access.