
Scan
As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
TCP scan
> nmap -p- -Pn --open -iL input_ip.txt -oA nmap_open_tcp_ports

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
> nmap -p- -Pn --open -iL input_ip.txt -oA nmap_open_tcp_ports

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
> nmap --open -p- -sV -iL input_ips.txt -oA nmap_tcp_all
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 11:22 CEST
Nmap scan report for 10.129.76.138
Host is up (0.033s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
5000/tcp open http Werkzeug httpd 2.0.2 (Python 3.8.10)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.22 seconds

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
PORT STATE SERVICE VERSION
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
> nmap -p- -Pn --open -iL ../input_ip.txt -oA nmap_open_tcp_ports
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-09 15:42 UTC
Nmap scan report for search.htb (10.10.11.129)
Host is up (0.097s latency).
Not shown: 65514 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-02-09 16:03:57Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft IIS httpd 10.0
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
8172/tcp open ssl/http Microsoft IIS httpd 10.0
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49702/tcp open msrpc Microsoft Windows RPC
49716/tcp open msrpc Microsoft Windows RPC
49735/tcp open msrpc Microsoft Windows RPC
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 270.11 seconds

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
> nmap -p- -Pn --open -iL ../input_ip.txt -oA nmap_open_tcp_ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
> nmap -p- -Pn --open -iL ../input_ip.txt -oA nmap_open_tcp_ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
> nmap -p- -Pn --open -iL ../input_ip.txt -oA nmap_open_tcp_ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
33060/tcp open mysqlx

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
The TCP scan shows that there are only 2 ports listening.
> nmap -p- -Pn --open -iL ../input_ip.txt -oA nmap_open_tcp_ports

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
> nmap -p- -Pn --open -iL ../input_ip.txt -oA nmap_open_tcp_ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
> nmap -p- -Pn --open -iL ../input_ip.txt -oA nmap_open_tcp_ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
> nmap -p- -Pn --open -iL ../input_ip.txt -oA nmap_open_tcp_ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
5000/tcp open upnp
5040/tcp open unknown
5985/tcp open wsman
5986/tcp open wsmans
7680/tcp open pando-pub
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 110.16 seconds

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
> nmap -p- -Pn --open -iL ../input_ip.txt -oA nmap_open_tcp_ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
The TCP scan shows that there are only 2 ports listening.
nmap -p- -Pn --open -iL ../input_ip.txt -oA nmap_open_tcp_ports
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-16 12:54 UTC
Nmap scan report for 10.10.10.226
Host is up (0.046s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
5000/tcp open upnp
Nmap done: 1 IP address (1 host up) scanned in 15.93 seconds

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
# Nmap 7.91 scan initiated Sun Nov 22 11:32:06 2020 as: nmap -A -p- --open -iL ../ip.txt -oA nmap_all_tcp
Nmap scan report for 10.10.10.216
Host is up (0.019s latency).
Not shown: 65532 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 25:ba:64:8f:79:9d:5d:95:97:2c:1b:b2:5e:9b:55:0d (RSA)
| 256 28:00:89:05:55:f9:a2:ea:3c:7d:70:ea:4d:ea:60:0f (ECDSA)
|_ 256 77:20:ff:e9:46:c0:68:92:1a:0b:21:29:d1:53:aa:87 (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after: 2024-03-03T10:39:28
| tls-alpn:
|_ http/1.1

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
The different ports were analysed. A web service that always returns an HTTP authentication page was discovered.
After some research, the SirepRAT repository was discovered.

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
Port TCP/8080 is a web interface, but TCP/7680 is unknown. However, it accepts TCP connections and might be relevant later.

As usual, both a TCP and a UDP port scan were done on the box. The TCP scan revealed that the following ports were open:
# Nmap 7.80 scan initiated Mon Aug 17 08:31:48 2020 as: nmap -p- -sV -A --open -Pn -oA nmap_all_tcp.txt 10.10.10.192
Nmap scan report for 10.10.10.192
Host is up (0.026s latency).
Not shown: 65527 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-08-17 19:44:27Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

A Masscan scan highlights the open TCP ports found on the box.
Then an nmap scan was conducted to try to identify the versions of the services found open.
The RPC port is open, so it might be possible to dump some information. It gives us the ports and services that are listening.

As usual, both TCP and UDP ports were scanned. The TCP scan revealed that the following ports are open:
The website was visited and seemed to be a blog.

As usual, we start with a port scan on the machine. The TCP port scan revealed that the following ports are open:
The SSH version could be retrieved with NetCat.

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
The port TCP/88 is related to the Kerberos service. Finding it listening in addition to the TCP/53 port and other ports suggests that the machine is a Domain Controller. The result of the scan reveals that the Windows host belongs to the domain enum4linux -w cascade.local -a 10.10.10.182.

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
A quick enumeration of the SSH service shows me that password authentication is allowed on the server.

As usual, both TCP and UDP port scans were done on the box. The TCP scan revealed that the following ports are open:
The port TCP/22 is related to the SSH service. The port TCP/80 is hosting a Web application.

As usual, we start with a port scan on the machine. The TCP port scan revealed that the following ports are open:
Enum4linux was run in order to get some information about the machine with a null session.