Windows

HTB-Active

Box Info OS Windows Difficulty Easy Nmap [root@kali] /home/kali/Active ❯ nmap active.htb -sV -Pn -T4 PORT STATE SERVICE VERSION 53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) 88/tcp open kerberos-sec Microsoft Windows Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49158/tcp open msrpc Microsoft Windows RPC 49165/tcp open msrpc Microsoft Windows RPC 49167/tcp open msrpc Microsoft Windows RPC Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows SMB File Leak 匿名登陆SMB，发现可以读取的Replication ...

HTB-Blackfield

Box Info OS Windows Difficulty Hard Nmap [root@kali] /home/kali/Blackfield ❯ nmap Blackfield.htb -sV -T4 PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name) Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows 把BLACKFIELD.local添加到**/etc/hosts** ...

HTB-Cascade

Box Info OS Windows Difficulty Medium Nmap [root@kali] /home/kali/Cascade ❯ nmap Cascade.htb -sV -T4 PORT STATE SERVICE VERSION 53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) 88/tcp open kerberos-sec Microsoft Windows Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49158/tcp open msrpc Microsoft Windows RPC 49165/tcp open msrpc Microsoft Windows RPC Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows 把cascade.local添加到**/etc/hosts** ...

HTB-Forest

Box Info OS Windows Difficulty Easy Nmap [root@kali] /home/kali/Forest ❯ nmap forest.htb -sV -T4 PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name) 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB) 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 27.68 seconds 将htb.local加入**/etc/hosts** ...

HTB-Resolute

Box Info OS Windows Difficulty Medium Nmap [root@kali] /home/kali/Resolute ❯ nmap Resolute.htb -sV -T4 PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name) 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: MEGABANK) 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows 把megabank.local添加到**/etc/hosts** ...

HTB-Sauna

Box Info OS Windows Difficulty Easy Nmap [root@kali] /home/kali/Sauna ❯ nmap Sauna.htb -sV -T4 PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 88/tcp open kerberos-sec Microsoft Windows Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 把EGOTISTICAL-BANK.LOCAL添加到**/etc/hosts** ...

HTB-EscapeTwo

Box Info OS Windows Difficulty Easy As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su Nmap root@kali: /home/kali/EscapeTwo ➜ nmap EscapeTwo.htb -sV -Pn -T4 Nmap scan report for EscapeTwo.htb PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) 1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows SMB User Crack root@kali: /home/kali/EscapeTwo ➜ crackmapexec smb escapetwo.htb -u "rose" -p "KxEPkKe6R8su" --rid-brute | grep SidTypeUser SMB EscapeTwo.htb 445 DC01 500: SEQUEL\Administrator (SidTypeUser) SMB EscapeTwo.htb 445 DC01 501: SEQUEL\Guest (SidTypeUser) SMB EscapeTwo.htb 445 DC01 502: SEQUEL\krbtgt (SidTypeUser) SMB EscapeTwo.htb 445 DC01 1000: SEQUEL\DC01$ (SidTypeUser) SMB EscapeTwo.htb 445 DC01 1103: SEQUEL\michael (SidTypeUser) SMB EscapeTwo.htb 445 DC01 1114: SEQUEL\ryan (SidTypeUser) SMB EscapeTwo.htb 445 DC01 1116: SEQUEL\oscar (SidTypeUser) SMB EscapeTwo.htb 445 DC01 1122: SEQUEL\sql_svc (SidTypeUser) SMB EscapeTwo.htb 445 DC01 1601: SEQUEL\rose (SidTypeUser) SMB EscapeTwo.htb 445 DC01 1607: SEQUEL\ca_svc (SidTypeUser) SMB File Leak [root@kali] /home/kali/EscapeTwo ❯ smbclient -L //10.10.xx.xx -U rose Password for [WORKGROUP\rose]: Sharename Type Comment --------- ---- ------- Accounting Department Disk ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC NETLOGON Disk Logon server share SYSVOL Disk Logon server share Users Disk 在这个Accounting Department中存在表格文件 ...

HTB-Certified

Box Info OS Windows Difficulty Medium As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09 Nmap ┌──(root㉿kali)-[/home/kali/Certified] └─# nmap -sSCV -Pn -p- Certified.htb Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-06 20:00 CST Stats: 0:02:15 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 90.13% done; ETC: 20:02 (0:00:15 remaining) Stats: 0:03:16 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan Service scan Timing: About 61.90% done; ETC: 20:04 (0:00:25 remaining) Stats: 0:03:16 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan Service scan Timing: About 61.90% done; ETC: 20:04 (0:00:25 remaining) Nmap scan report for Certified.htb (10.10.11.41) Host is up (0.083s latency). Not shown: 65514 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-06 18:49:00Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.certified.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb | Not valid before: 2024-05-13T15:49:36 |_Not valid after: 2025-05-13T15:49:36 |_ssl-date: 2024-12-06T18:50:32+00:00; +6h45m59s from scanner time. 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.certified.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb | Not valid before: 2024-05-13T15:49:36 |_Not valid after: 2025-05-13T15:49:36 |_ssl-date: 2024-12-06T18:50:32+00:00; +6h45m59s from scanner time. 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name) |_ssl-date: 2024-12-06T18:50:32+00:00; +6h45m59s from scanner time. | ssl-cert: Subject: commonName=DC01.certified.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb | Not valid before: 2024-05-13T15:49:36 |_Not valid after: 2025-05-13T15:49:36 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.certified.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb | Not valid before: 2024-05-13T15:49:36 |_Not valid after: 2025-05-13T15:49:36 |_ssl-date: 2024-12-06T18:50:32+00:00; +6h45m59s from scanner time. 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49666/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49674/tcp open msrpc Microsoft Windows RPC 49683/tcp open msrpc Microsoft Windows RPC 49715/tcp open msrpc Microsoft Windows RPC 49737/tcp open msrpc Microsoft Windows RPC 49772/tcp open msrpc Microsoft Windows RPC Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2024-12-06T18:49:56 |_ start_date: N/A |_clock-skew: mean: 6h45m58s, deviation: 0s, median: 6h45m58s | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 254.91 seconds GetAllUserName ┌──(root㉿kali)-[~kali/Certified] └─# crackmapexec smb certified.htb -u "judith.mader" -p "judith09" --rid-brute | grep SidTypeUser SMB Certified.htb 445 DC01 500: CERTIFIED\Administrator (SidTypeUser) SMB Certified.htb 445 DC01 501: CERTIFIED\Guest (SidTypeUser) SMB Certified.htb 445 DC01 502: CERTIFIED\krbtgt (SidTypeUser) SMB Certified.htb 445 DC01 1000: CERTIFIED\DC01$ (SidTypeUser) SMB Certified.htb 445 DC01 1103: CERTIFIED\judith.mader (SidTypeUser) SMB Certified.htb 445 DC01 1105: CERTIFIED\management_svc(SidTypeUser) SMB Certified.htb 445 DC01 1106: CERTIFIED\ca_operator (SidTypeUser) SMB Certified.htb 445 DC01 1601: CERTIFIED\alexander.huges (SidTypeUser) SMB Certified.htb 445 DC01 1602: CERTIFIED\harry.wilson (SidTypeUser) SMB Certified.htb 445 DC01 1603: CERTIFIED\gregory.cameron (SidTypeUser) Bloodhound ┌──(root㉿kali)-[~kali/Certified] └─# bloodhound-python -u judith.mader -p 'judith09' -c All -d certified.htb -ns 10.10.11.41 INFO: Found AD domain: certified.htb INFO: Getting TGT for user WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great) INFO: Connecting to LDAP server: dc01.certified.htb INFO: Found 1 domains INFO: Found 1 domains in the forest INFO: Found 1 computers INFO: Connecting to LDAP server: dc01.certified.htb INFO: Found 10 users INFO: Found 53 groups INFO: Found 2 gpos INFO: Found 1 ous INFO: Found 19 containers INFO: Found 0 trusts INFO: Starting computer enumeration with 10 workers INFO: Querying computer: DC01.certified.htb INFO: Done in 00M 17S 导入到bloodhoundGUI里面进行分析 ...

HTB-Administrator

Box Info OS Windows Difficulty Medium As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Username: Olivia Password: ichliebedich Nmap ┌──(root㉿kali)-[/home/kali/Administrator] └─# nmap -sSCV -Pn administrator.htb Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-05 15:51 CST Nmap scan report for administrator.htb (10.10.11.42) Host is up (0.072s latency). Not shown: 988 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-syst: |_ SYST: Windows_NT 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-05 14:37:40Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_clock-skew: 6h46m00s | smb2-time: | date: 2024-12-05T14:37:51 |_ start_date: N/A Crackmapexec 通过SMB服务，获取到了当前存在的用户信息 ...

HTB-Vintage

Box Info OS Windows Difficulty Hard As is common in real life Windows pentests, you will start the Vintage box with credentials for the following account: P.Rosa / Rosaisbest123 Nmap Scan └─# nmap -sC -sV -T4 -Pn vintage.htb -p- PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-04 01:49:22Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49664/tcp open unknown 49668/tcp open unknown 49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49681/tcp open unknown 50907/tcp open unknown 65103/tcp open unknown Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_clock-skew: -13m55s | smb2-time: | date: 2024-12-04T01:49:48 |_ start_date: N/A 发现在3269端口这一行，存在一个名为：DC01 的域控主机，添加到/etc/hosts中 ...