mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-09-20 14:21:55 +00:00
9.2 KiB
9.2 KiB
TryHackMe-Offline
NMAP
Nmap scan report for 10.10.48.159
Host is up (0.17s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
| 3072 55:15:8d:d0:54:38:1b:d6:a9:9e:3f:b0:0b:b3:14:34 (RSA)
| 256 cf:5b:e2:de:ce:3b:04:e6:8c:24:6c:2f:37:25:05:c5 (ECDSA)
|_ 256 82:bf:bb:09:69:a7:25:5d:66:58:ea:c6:53:d8:c8:8e (ED25519)
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND LOCK UNLOCK PROPPATCH MKCOL PUT DELETE MOVE
|_http-server-header: Microsoft-IIS/8.5
|_http-svn-info: ERROR: Script execution failed (use -d to debug)
|_http-title: Offline TV
| http-webdav-scan:
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, LOCK, UNLOCK
| WebDAV type: Unknown
| Server Type: Microsoft-IIS/8.5
| Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
| Server Date: Tue, 22 Sep 2020 15:00:07 GMT
| Directory Listing:
| http://10.10.48.159/
| http://10.10.48.159/iis-85.png
| http://10.10.48.159/iisstart.htm [31/105]
| http://10.10.48.159/otv.jpg
| http://10.10.48.159/Scarras_Super_Secret_Password.txt
| Exposed Internal IPs:
|_ 10.10.48.159
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-09-22 14:57:45Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: kingofthe.domain, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds
| fingerprint-strings:
| SMBProgNeg:
|_ SMBr
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: kingofthe.domain, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2020-09-22T15:00:22+00:00; 0s from scanner time.
9999/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/plain).
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/
submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=9/22%Time=5F6A10ED%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: OFFLINE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h45m00s, deviation: 3h30m00s, median: 0s
|_nbstat: NetBIOS name: OFFLINE, NetBIOS user: <unknown>, NetBIOS MAC: 02:14:84:5e:69:a1 (unknown)
| smb-os-discovery:
| OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: Offline
| NetBIOS computer name:
| Domain name: kingofthe.domain
| Forest name: kingofthe.domain
| FQDN: Offline.kingofthe.domain
|_ System time: 2020-09-22T08:00:07-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-09-22T15:00:07
|_ start_date: 2020-09-22T14:56:06
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 350.03 seconds
Gobuster
PORT 80
Found a password when looking at the source of web page OfflineTV2020
/Scarras_Super_Secret_Password.txt
username : scarras password :LeagueIsMyLove
Metasploit
Used msfconsole , search eternalblue , used 4.