┌──(root💀kali)-[~/hackthebox/machine/timelapse]
└─
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-26 19:04 EDT
Nmap scan report for 10.10.11.152
Host is up (0.36s latency).

PORT    STATE SERVICE
389/tcp open  ldap
| ldap-rootdse:
| LDAP Results
|   <ROOT>
|       domainFunctionality: 7
|       forestFunctionality: 7
|       domainControllerFunctionality: 7
|       rootDomainNamingContext: DC=timelapse,DC=htb
|       ldapServiceName: timelapse.htb:dc01$@TIMELAPSE.HTB
|       isGlobalCatalogReady: TRUE
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedLDAPVersion: 3
|       supportedLDAPVersion: 2
|       supportedLDAPPolicies: MaxPoolThreads
|       supportedLDAPPolicies: MaxPercentDirSyncRequests
|       supportedLDAPPolicies: MaxDatagramRecv
|       supportedLDAPPolicies: MaxReceiveBuffer
|       supportedLDAPPolicies: InitRecvTimeout
|       supportedLDAPPolicies: MaxConnections
|       supportedLDAPPolicies: MaxConnIdleTime
|       supportedLDAPPolicies: MaxPageSize
|       supportedLDAPPolicies: MaxBatchReturnMessages
|       supportedLDAPPolicies: MaxQueryDuration
|       supportedLDAPPolicies: MaxDirSyncDuration
|       supportedLDAPPolicies: MaxTempTableSize
|       supportedLDAPPolicies: MaxResultSetSize
|       supportedLDAPPolicies: MinResultSets
|       supportedLDAPPolicies: MaxResultSetsPerConn
|       supportedLDAPPolicies: MaxNotificationPerConn
|       supportedLDAPPolicies: MaxValRange
|       supportedLDAPPolicies: MaxValRangeTransitive
|       supportedLDAPPolicies: ThreadMemoryLimit
|       supportedLDAPPolicies: SystemMemoryLimitPercent
|       supportedControl: 1.2.840.113556.1.4.319
|       supportedControl: 1.2.840.113556.1.4.801
|       supportedControl: 1.2.840.113556.1.4.473
|       supportedControl: 1.2.840.113556.1.4.528
|       supportedControl: 1.2.840.113556.1.4.417
|       supportedControl: 1.2.840.113556.1.4.619
|       supportedControl: 1.2.840.113556.1.4.841
|       supportedControl: 1.2.840.113556.1.4.529
|       supportedControl: 1.2.840.113556.1.4.805
|       supportedControl: 1.2.840.113556.1.4.521
|       supportedControl: 1.2.840.113556.1.4.970
|       supportedControl: 1.2.840.113556.1.4.1338
|       supportedControl: 1.2.840.113556.1.4.474
|       supportedControl: 1.2.840.113556.1.4.1339
|       supportedControl: 1.2.840.113556.1.4.1340
|       supportedControl: 1.2.840.113556.1.4.1413
|       supportedControl: 2.16.840.1.113730.3.4.9
|       supportedControl: 2.16.840.1.113730.3.4.10
|       supportedControl: 1.2.840.113556.1.4.1504
|       supportedControl: 1.2.840.113556.1.4.1852
|       supportedControl: 1.2.840.113556.1.4.802
|       supportedControl: 1.2.840.113556.1.4.1907
|       supportedControl: 1.2.840.113556.1.4.1948
|       supportedControl: 1.2.840.113556.1.4.1974
|       supportedControl: 1.2.840.113556.1.4.1341
|       supportedControl: 1.2.840.113556.1.4.2026
|       supportedControl: 1.2.840.113556.1.4.2064
|       supportedControl: 1.2.840.113556.1.4.2065
|       supportedControl: 1.2.840.113556.1.4.2066
|       supportedControl: 1.2.840.113556.1.4.2090
|       supportedControl: 1.2.840.113556.1.4.2205
|       supportedControl: 1.2.840.113556.1.4.2204
|       supportedControl: 1.2.840.113556.1.4.2206
|       supportedControl: 1.2.840.113556.1.4.2211
|       supportedControl: 1.2.840.113556.1.4.2239
|       supportedControl: 1.2.840.113556.1.4.2255
|       supportedControl: 1.2.840.113556.1.4.2256
|       supportedControl: 1.2.840.113556.1.4.2309
|       supportedControl: 1.2.840.113556.1.4.2330
|       supportedControl: 1.2.840.113556.1.4.2354
|       supportedCapabilities: 1.2.840.113556.1.4.800
|       supportedCapabilities: 1.2.840.113556.1.4.1670
|       supportedCapabilities: 1.2.840.113556.1.4.1791
|       supportedCapabilities: 1.2.840.113556.1.4.1935
|       supportedCapabilities: 1.2.840.113556.1.4.2080
|       supportedCapabilities: 1.2.840.113556.1.4.2237
|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=timelapse,DC=htb
|       serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=timelapse,DC=htb
|       schemaNamingContext: CN=Schema,CN=Configuration,DC=timelapse,DC=htb
|       namingContexts: DC=timelapse,DC=htb
|       namingContexts: CN=Configuration,DC=timelapse,DC=htb
|       namingContexts: CN=Schema,CN=Configuration,DC=timelapse,DC=htb
|       namingContexts: DC=DomainDnsZones,DC=timelapse,DC=htb
|       namingContexts: DC=ForestDnsZones,DC=timelapse,DC=htb
|       isSynchronized: TRUE
|       highestCommittedUSN: 135273
|       dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=timelapse,DC=htb
|       dnsHostName: dc01.timelapse.htb
|       defaultNamingContext: DC=timelapse,DC=htb
|       currentTime: 20220327070426.0Z
|_      configurationNamingContext: CN=Configuration,DC=timelapse,DC=htb
Service Info: Host: DC01; OS: Windows
┌──(root💀kali)-[~/hackthebox/machine/timelapse]
└─
dn:
namingContexts: DC=timelapse,DC=htb
namingContexts: CN=Configuration,DC=timelapse,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=timelapse,DC=htb
namingContexts: DC=DomainDnsZones,DC=timelapse,DC=htb
namingContexts: DC=ForestDnsZones,DC=timelapse,DC=htb

search: 2
result: 0 Success
┌──(root💀kali)-[~/hackthebox/machine/timelapse]
└─
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Mar 26 19:11:03 2022

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.11.152
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.11.152    |
 ====================================================
[E] Can't find workgroup/domain

 ============================================
|    Nbtstat Information for 10.10.11.152    |
 ============================================
Looking up status of 10.10.11.152
No reply from 10.10.11.152

 =====================================
|    Session Check on 10.10.11.152    |
 =====================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.10.11.152 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:

 ===========================================
|    Getting domain SID for 10.10.11.152    |
 ===========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: TIMELAPSE
Domain Sid: S-1-5-21-671920749-559770252-3318990721
[+] Host is part of a domain (not a workgroup)

 ======================================
|    OS information on 10.10.11.152    |
 ======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.11.152 from smbclient:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467.
[+] Got OS info for 10.10.11.152 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 =============================
|    Users on 10.10.11.152    |
 =============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 =========================================
|    Share Enumeration on 10.10.11.152    |
 =========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.
do_connect: Connection to 10.10.11.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

	Sharename       Type      Comment
	---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.11.152

 ====================================================
|    Password Policy Information for 10.10.11.152    |
 ====================================================
[E] Unexpected error from polenum:

[+] Attaching to 10.10.11.152 using a NULL share

[+] Trying protocol 139/SMB...

	[!] Protocol failed: Cannot request session (Called Name:10.10.11.152)

[+] Trying protocol 445/SMB...

	[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501.

[E] Failed to get password policy with rpcclient

 ==============================
|    Groups on 10.10.11.152    |
 ==============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting builtin groups:

[+] Getting builtin group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting local groups:

[+] Getting local group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 593.

[+] Getting domain groups:

[+] Getting domain group memberships:

 =======================================================================
|    Users on 10.10.11.152 via RID cycling (RIDS: 500-550,1000-1050)    |
 =======================================================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710.
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 742.

 =============================================
|    Getting printer info for 10.10.11.152    |
 =============================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 991.
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED

enum4linux complete on Sat Mar 26 19:12:25 2022