Medium Lab
May 18, 2024
# Nmap 7.94 scan initiated Sat May 18 00:33:17 2024 as: nmap -sC -sV -sS -oN nmap -vv 10.129.202.41
Nmap scan report for 10.129.202.41
Host is up, received echo-reply ttl 127 (0.29s latency).
Scanned at 2024-05-18 00:33:18 PST for 107s
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
111/tcp open rpcbind syn-ack ttl 127 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
2049/tcp open nlockmgr syn-ack ttl 127 1-4 (RPC #100021)
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
|_ssl-date: 2024-05-17T16:35:02+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=WINMEDIUM
| Issuer: commonName=WINMEDIUM
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-16T16:31:08
| Not valid after: 2024-11-15T16:31:08
| MD5: 9e56:26fa:d8bf:3278:17e9:7b85:c601:258e
| SHA-1: fc99:f1c2:c7b1:9885:1e2b:8e88:c7d1:175f:aa5c:4d3b
| -----BEGIN CERTIFICATE-----
| MIIC1jCCAb6gAwIBAgIQGPITOA3tdIBCgx2Mi4BeSDANBgkqhkiG9w0BAQsFADAU
| MRIwEAYDVQQDEwlXSU5NRURJVU0wHhcNMjQwNTE2MTYzMTA4WhcNMjQxMTE1MTYz
| MTA4WjAUMRIwEAYDVQQDEwlXSU5NRURJVU0wggEiMA0GCSqGSIb3DQEBAQUAA4IB
| DwAwggEKAoIBAQDUzzxYqO7XT7EAwcx6rPUSVl2Cs8Wu4JVrw7c6Wir4Of7uPRb3
| GB+jEGOJWsA2CO0rAhZQI5+0eBW7XY314kaeIetAq3n92kvUho4j8yLCXbI8WCFl
| Ef3t/Oi6cn9RzO/wjsTs7yHaYFeMlgsokw3YFwgKoqsz2L6u2XdWINKmNFnlQHVr
| MRweKqj3qnSSU9robwaCTE7LH+N2yQaZluKlhWWqNoJG7kTBmKavKgA/m2gAVFIN
| p05YpbeA+QQTZC++2SO4UphJIJ6E71MFyqmpICYQJ2n6D9LOIq1qzOZycjYA0UEd
| iRceT/kih/WJKxmFezCF0T2wYja2y0tLGad5AgMBAAGjJDAiMBMGA1UdJQQMMAoG
| CCsGAQUFBwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsFAAOCAQEASBTbLWfx
| S5WVVRfGNkdsWXyl4YUEgSb0IlJeq19oyLVJzEoogCtqdI0U3r9mxIUlr4tL+Jge
| d/4Lb3tMvdw2xZzK6sHAT2w0oz72N9ac9cwNr5tAqERiKITNHMI0b5/OMsG9rCYv
| 6sACitefwVYIoK53qFjg6bJ604hnIqg8hocYypJCDxFNn0gYzZpamhghh80n4Mdl
| 6HCttN/Kax0/zZZejpe98FxcWN62UwgNoQUem4dRJ8pF4VOX5NYcT8Cu1vuqw3sx
| OFT3UIosQU6UwhdDVr4NeoJ2PZSAja+VfzN8TrX+tf0Smce5oYm1vaL0lh8v8/4G
| 6pwEk2uLSPXdkg==
|_-----END CERTIFICATE-----
| rdp-ntlm-info:
| Target_Name: WINMEDIUM
| NetBIOS_Domain_Name: WINMEDIUM
| NetBIOS_Computer_Name: WINMEDIUM
| DNS_Domain_Name: WINMEDIUM
| DNS_Computer_Name: WINMEDIUM
| Product_Version: 10.0.17763
|_ System_Time: 2024-05-17T16:34:36+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 3s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 47689/tcp): CLEAN (Couldn't connect)
| Check 2 (port 46177/tcp): CLEAN (Couldn't connect)
| Check 3 (port 28088/udp): CLEAN (Timeout)
| Check 4 (port 27218/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2024-05-17T16:34:39
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 18 00:35:05 2024 -- 1 IP address (1 host up) scanned in 107.71 seconds
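The scan above is the whole basis for what follows: an NFS export reachable over 2049, SMB on 445 with message signing enabled but not required, and RDP on 3389. As an added example (not part of the original lab notes), the following Python triages Nmap normal output into those exposure findings automatically. The sample input is a trimmed copy of the scan shown above, embedded so the script runs offline; the finding names are my own labels.

```python
import re

# Constructed sample: a trimmed copy of the Nmap normal output above.
SAMPLE_SCAN = """\
PORT STATE SERVICE REASON VERSION
111/tcp open rpcbind syn-ack ttl 127 2-4 (RPC #100000)
| rpcinfo:
| 100003 2,3,4 2049/tcp nfs
| 100005 1,2,3 2049/tcp mountd
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
2049/tcp open nlockmgr syn-ack ttl 127 1-4 (RPC #100021)
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info:
| Product_Version: 10.0.17763
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
"""

# "<port>/<proto> <state> <service> ..." lines of the port table
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# "| <program> <versions> <port>/<proto> <service>" lines of the rpcinfo script
RPC_RE = re.compile(r"^\|\s*(\d+)\s+[\d,]+\s+(\d+)/(tcp|udp)\s+(\S+)")


def parse_scan(text):
    """Return (open ports -> service, set of RPC service names, smb signing required?)."""
    ports = {}
    rpc_services = set()
    signing_required = None  # stays None if the smb2-security-mode script did not run
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            if m.group(3) == "open":
                ports[(int(m.group(1)), m.group(2))] = m.group(4)
            continue
        m = RPC_RE.match(line)
        if m:
            rpc_services.add(m.group(4))
            continue
        if "Message signing enabled but not required" in line:
            signing_required = False
        elif "Message signing enabled and required" in line:
            signing_required = True
    return ports, rpc_services, signing_required


def findings(text):
    """Map the parsed scan to the exposure findings a reviewer would raise."""
    ports, rpc_services, signing_required = parse_scan(text)
    out = []
    # NFS registered with the portmapper (or 2049 open) means exports can be listed
    if "nfs" in rpc_services or (2049, "tcp") in ports:
        out.append("nfs-exposed")
    # SMB without mandatory signing is open to relay of captured authentication
    if (445, "tcp") in ports and signing_required is False:
        out.append("smb-signing-not-required")
    # RDP directly reachable from the scanning network
    if (3389, "tcp") in ports:
        out.append("rdp-exposed")
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_SCAN):
        print(f)
```

Pointing the script at a real `-oN` file instead of the embedded sample is a one-line change (read the file into `text`); the three findings it reports for this host are exactly the services used in the rest of the lab.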
sudo showmount -e IP
mkdir /tmp/attacker
sudo mount -t nfs 10.129.61.86:/TechSupport /tmp/attacker/
cd /tmp/attacker
cp ticket4238791283782.txt /home/kyou/academy-htb/footprinting/medium-lab/tickets
Conversation with InlaneFreight Ltd
Started on November 10, 2021 at 01:27 PM London time GMT (GMT+0200)
---
01:27 PM | Operator: Hello.
So what brings you here today?
01:27 PM | alex: hello
01:27 PM | Operator: Hey alex!
01:27 PM | Operator: What do you need help with?
01:36 PM | alex: I ran into an issue with the web config file on the system for the SMTP server. Do you mind taking a look at the config?
01:38 PM | Operator: Of course
01:42 PM | alex: here it is:
smtp {
  host=smtp.web.dev.inlanefreight.htb
  #port=25
  ssl=true
  user="alex"
  password="lol123!mD"
  from="alex.g@web.dev.inlanefreight.htb"
}

securesocial {

  onLoginGoTo=/
  onLogoutGoTo=/login
  ssl=false

  userpass {
    withUserNameSupport=false
    sendWelcomeEmail=true
    enableGravatarSupport=true
    signupSkipLogin=true
    tokenDuration=60
    tokenDeleteInterval=5
    minimumPasswordLength=8
    enableTokenJob=true
    hasher=bcrypt
  }

  cookie {
    # name=id
    # path=/login
    # domain="10.129.2.59:9500"
    httpOnly=true
    makeTransient=false
    absoluteTimeoutInMinutes=1440
    idleTimeoutInMinutes=1440
  }
}
---
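The ticket above is the real weakness in this lab: a support conversation containing a plaintext SMTP password, stored on an NFS export anyone on the network can mount. As an added example (not part of the original notes or the lab), the following Python is a small secret scanner for this kind of HOCON-style config pasted into tickets. It tracks the block nesting, reports any `password`/`secret`/`token`-style key that carries a literal value, flags `ssl=false`, and redacts the value in its output so the report itself does not become another leak. The sample is a trimmed copy of the config from the ticket; the key list and finding labels are my own choices.

```python
import re

# Constructed sample: the smtp block and the relevant securesocial lines from the ticket above.
SAMPLE_CONFIG = """\
smtp {
  host=smtp.web.dev.inlanefreight.htb
  #port=25
  ssl=true
  user="alex"
  password="lol123!mD"
  from="alex.g@web.dev.inlanefreight.htb"
}
securesocial {
  ssl=false
  userpass {
    hasher=bcrypt
  }
}
"""

# key=value or key: value, HOCON/properties style
KV_RE = re.compile(r"^(?P<key>[A-Za-z_][\w.]*)\s*[=:]\s*(?P<val>.+?)\s*$")
# key names that should never carry a literal value in a shared file (my own list)
SECRET_KEYS = {"password", "passwd", "pwd", "secret", "token", "apikey", "api_key"}


def redact(value):
    """Keep only the first character so a reviewer can match the finding without seeing the secret."""
    return value[0] + "*" * (len(value) - 1) if len(value) > 1 else "*"


def scan_config(text):
    """Return a list of findings, each with the line number and dotted path of the offending key."""
    findings = []
    blocks = []  # stack of enclosing block names, e.g. ["securesocial", "userpass"]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # commented-out settings are not live values
            continue
        if line.endswith("{"):
            blocks.append(line[:-1].strip())
            continue
        if line == "}":
            if blocks:
                blocks.pop()
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key = m.group("key")
        value = m.group("val").strip().strip('"')
        path = ".".join(blocks + [key])
        if key.lower() in SECRET_KEYS and value:
            findings.append({"line": lineno, "path": path,
                             "kind": "hardcoded-secret", "value": redact(value)})
        elif key.lower() == "ssl" and value.lower() == "false":
            findings.append({"line": lineno, "path": path,
                             "kind": "tls-disabled", "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>3}  {f['kind']:<17} {f['path']} = {f['value']}")
```

Run over the files on an export such as the one mounted earlier (`for f in /tmp/attacker/*.txt`, feeding each file's text to `scan_config`), this is the check that would have caught the ticket before it was left on a world-readable share; the fix on the operator side is to strip credentials from ticket transcripts and to restrict the NFS export to the hosts that need it.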
smbclient -U alex -L 10.129.61.86
smbclient -U alex \\\\10.129.61.86\\devshare
sa:87N1ns@slls83
smbclient -U alex \\\\10.129.61.86\\Users
cd alex
ls
cd Desktop
ls
Then I try logging in over RDP as the alex user.
After that, just run the MSSQL studio as an admin user.
remmina