# TryHackMe-Offline ## NMAP ``` Nmap scan report for 10.10.48.159 Host is up (0.17s latency). Not shown: 977 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-syst: |_ SYST: Windows_NT 22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0) | ssh-hostkey: | 3072 55:15:8d:d0:54:38:1b:d6:a9:9e:3f:b0:0b:b3:14:34 (RSA) | 256 cf:5b:e2:de:ce:3b:04:e6:8c:24:6c:2f:37:25:05:c5 (ECDSA) |_ 256 82:bf:bb:09:69:a7:25:5d:66:58:ea:c6:53:d8:c8:8e (ED25519) 53/tcp open domain? | fingerprint-strings: | DNSVersionBindReqTCP: | version |_ bind 80/tcp open http Microsoft IIS httpd 8.5 | http-methods: |_ Potentially risky methods: TRACE COPY PROPFIND LOCK UNLOCK PROPPATCH MKCOL PUT DELETE MOVE |_http-server-header: Microsoft-IIS/8.5 |_http-svn-info: ERROR: Script execution failed (use -d to debug) |_http-title: Offline TV | http-webdav-scan: | Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, LOCK, UNLOCK | WebDAV type: Unknown | Server Type: Microsoft-IIS/8.5 | Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK | Server Date: Tue, 22 Sep 2020 15:00:07 GMT | Directory Listing: | http://10.10.48.159/ | http://10.10.48.159/iis-85.png | http://10.10.48.159/iisstart.htm [31/105] | http://10.10.48.159/otv.jpg | http://10.10.48.159/Scarras_Super_Secret_Password.txt | Exposed Internal IPs: |_ 10.10.48.159 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-09-22 14:57:45Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: kingofthe.domain, Site: Default-First-Site-Name) 445/tcp open microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds | fingerprint-strings: | SMBProgNeg: |_ SMBr 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: kingofthe.domain, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 3389/tcp open ssl/ms-wbt-server? |_ssl-date: 2020-09-22T15:00:22+00:00; 0s from scanner time. 9999/tcp open http Microsoft IIS httpd 8.5 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/8.5 |_http-title: Site doesn't have a title (text/plain). 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49158/tcp open msrpc Microsoft Windows RPC 49159/tcp open msrpc Microsoft Windows RPC 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/ submit.cgi?new-service : SF-Port53-TCP:V=7.80%I=7%D=9/22%Time=5F6A10ED%P=x86_64-pc-linux-gnu%r(DNSV SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\ SF:x04bind\0\0\x10\0\x03"); Service Info: Host: OFFLINE; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 1h45m00s, deviation: 3h30m00s, median: 0s |_nbstat: NetBIOS name: OFFLINE, NetBIOS user: , NetBIOS MAC: 02:14:84:5e:69:a1 (unknown) | smb-os-discovery: | OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3) | OS CPE: cpe:/o:microsoft:windows_server_2012::- | Computer name: Offline | NetBIOS computer name: | Domain name: kingofthe.domain | Forest name: kingofthe.domain | FQDN: Offline.kingofthe.domain |_ System time: 2020-09-22T08:00:07-07:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: required | smb2-security-mode: | 2.02: |_ Message signing enabled and required | smb2-time: | date: 2020-09-22T15:00:07 |_ start_date: 2020-09-22T14:56:06 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 350.03 seconds ``` ## Gobuster ``` ``` ## PORT 80 Found a password when looking at the source of web page `OfflineTV2020` ### /Scarras_Super_Secret_Password.txt username : `scarras` password :`LeagueIsMyLove` ## Metasploit Used msfconsole , `search eternalblue ` , used `4`.