
Initial Enumeration of the Domain

ℹ️ Information

❓Question

From your scans, what is the "commonName" of host 172.16.5.5?

📋 Walkthrough

Let's connect to the host via SSH using the credentials htb-student:HTB_@cademy_stdnt! and run fping to scan the network. But first, we need to determine which network we are on by looking at the attack host's network interfaces:

ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.5.225  netmask 255.255.254.0  broadcast 172.16.5.255
        inet6 fe80::32e6:baa0:e3aa:25da  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:94:b2:a1  txqueuelen 1000  (Ethernet)
        RX packets 30347  bytes 2683090 (2.5 MiB)
        RX errors 0  dropped 14  overruns 0  frame 0
        TX packets 873  bytes 61686 (60.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

We need to scan the entire 172.16.5.0/24 network. The fping flags used below are -a (only print hosts that are alive), -s (print summary statistics), -g (generate the target list from the CIDR range) and -q (quiet, no per-target errors).

┌─[htb-student@ea-attack01]─[~]
└──╼ $fping -asgq 172.16.5.0/24
172.16.5.5
172.16.5.130
172.16.5.225

     254 targets
       3 alive
     251 unreachable
       0 unknown addresses

    1004 timeouts (waiting for response)
    1007 ICMP Echos sent
       3 ICMP Echo Replies received
    1004 other ICMP received

 0.041 ms (min round trip time)
 0.916 ms (avg round trip time)
 2.02 ms (max round trip time)
        9.563 sec (elapsed real time)

Now that we have found the host 172.16.5.5, let's use nmap with default scripts and version detection (-sC -sV) to discover the commonName from the TLS certificates its services present.

┌─[✗]─[htb-student@ea-attack01]─[~]
└──╼ $nmap -sC -sV 172.16.5.5
Starting Nmap 7.92 ( https://nmap.org ) at 2025-03-30 14:26 EDT
Nmap scan report for inlanefreight.local (172.16.5.5)
Host is up (0.038s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-30 18:26:37Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT
| Not valid before: 2023-10-27T13:11:32
|_Not valid after:  2024-10-26T13:11:32
|_ssl-date: 2025-03-30T18:27:24+00:00; 0s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
|_ssl-date: 2025-03-30T18:27:24+00:00; 0s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT
| Not valid before: 2023-10-27T13:11:32
|_Not valid after:  2024-10-26T13:11:32
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT
| Not valid before: 2023-10-27T13:11:32
|_Not valid after:  2024-10-26T13:11:32
|_ssl-date: 2025-03-30T18:27:24+00:00; 0s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
|_ssl-date: 2025-03-30T18:27:24+00:00; 0s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT
| Not valid before: 2023-10-27T13:11:32
|_Not valid after:  2024-10-26T13:11:32
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
| Not valid before: 2025-02-11T06:08:03
|_Not valid after:  2025-08-13T06:08:03
| rdp-ntlm-info: 
|   Target_Name: INLANEFREIGHT
|   NetBIOS_Domain_Name: INLANEFREIGHT
|   NetBIOS_Computer_Name: ACADEMY-EA-DC01
|   DNS_Domain_Name: INLANEFREIGHT.LOCAL
|   DNS_Computer_Name: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
|   Product_Version: 10.0.17763
|_  System_Time: 2025-03-30T18:27:16+00:00
|_ssl-date: 2025-03-30T18:27:24+00:00; 0s from scanner time.
Service Info: Host: ACADEMY-EA-DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
|_nbstat: NetBIOS name: ACADEMY-EA-DC01, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:eb:bb (VMware)
| smb2-time: 
|   date: 2025-03-30T18:27:16
|_  start_date: N/A

The LDAP certificates on ports 389, 636, 3268 and 3269 have an empty Subject (only Subject Alternative Name entries), so the commonName is read from the RDP certificate on 3389/tcp. Note also that those LDAP certificates expired on 2024-10-26, well before the scan date, which is worth flagging to the domain owner.

Answer

ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

❓Question

What host is running "Microsoft SQL Server 2019 15.00.2000.00"? (IP address, not Resolved name)

📋 Walkthrough

Let's scan the remaining two live IPs, this time with OS detection (-O), which requires sudo.

┌─[✗]─[htb-student@ea-attack01]─[~]
└──╼ $sudo nmap -O 172.16.5.130 172.16.5.225
Starting Nmap 7.92 ( https://nmap.org ) at 2025-03-30 14:35 EDT
Nmap scan report for 172.16.5.130
Host is up (0.0015s latency).
Not shown: 992 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
808/tcp   open  ccproxy-http
1433/tcp  open  ms-sql-s
3389/tcp  open  ms-wbt-server
16001/tcp open  fmsascon
MAC Address: 00:50:56:94:6F:7E (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 1 hop

Nmap scan report for 172.16.5.225
Host is up (0.00074s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
3389/tcp open  ms-wbt-server
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 0 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 50.81 seconds

Even though the operating system was not detected precisely, we can deduce that the IP running SQL Server is 172.16.5.130, because port 1433 (ms-sql-s, the default MSSQL listener) is open there and not on 172.16.5.225.

Answer

172.16.5.130
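As an added example (not part of the original walkthrough), the following Python script parses nmap normal output of the kind shown in both questions above: it extracts the TLS commonName and SAN entries per port, lists hosts with a given port open (1433 for the SQL Server question), and flags certificates that had already expired at scan time. The embedded scan text is a constructed excerpt shaped like the page's output, not a real scan.

```python
import re
SAMPLE_NMAP = """\
Nmap scan report for inlanefreight.local (172.16.5.5)
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL, DNS:INLANEFREIGHT.LOCAL
|_Not valid after:  2024-10-26T13:11:32
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
|_Not valid after:  2025-08-13T06:08:03
Nmap scan report for 172.16.5.130
1433/tcp  open  ms-sql-s
"""  # constructed sample in the shape of nmap -sC -sV output, not a real scan
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([\d.]+)\)?\s*$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\w+)\s+(\S+)")

def parse_nmap(text):
    """Return {ip: {"ports": {port: service}, "certs": {port: cert}}} from nmap normal output."""
    hosts, ip, port = {}, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            ip, port = m.group(1), None
            hosts[ip] = {"ports": {}, "certs": {}}
        elif m := PORT_RE.match(line):
            port = int(m.group(1))
            if m.group(2) == "open":
                hosts[ip]["ports"][port] = m.group(3)
        elif ip and port and line.startswith("|"):
            body = line.lstrip("|_ ")  # drop nmap's script-output prefix
            cert = hosts[ip]["certs"].setdefault(port, {})
            if body.startswith("ssl-cert: Subject:"):
                cn = re.search(r"commonName=([^,\s]+)", body)
                cert["commonName"] = cn.group(1) if cn else None  # empty Subject -> None
            elif body.startswith("Subject Alternative Name:"):
                cert["sans"] = re.findall(r"DNS:([^,\s]+)", body)
            elif body.startswith("Not valid after:"):
                cert["not_after"] = body.split(":", 1)[1].strip()  # ISO timestamp
    return hosts

def common_name(hosts, ip):
    """First non-empty commonName offered by any TLS service on ip (question 1)."""
    return next((c["commonName"] for c in hosts[ip]["certs"].values() if c.get("commonName")), None)

def hosts_with_port(hosts, port):
    """IPs with the given TCP port open, e.g. 1433 for MSSQL (question 2)."""
    return sorted(ip for ip, h in hosts.items() if port in h["ports"])

def expired_certs(hosts, scan_date):
    """(ip, port) whose cert expired before scan_date; ISO timestamps compare correctly as strings."""
    return [(ip, p) for ip, h in hosts.items() for p, c in h["certs"].items()
            if c.get("not_after", "9999") < scan_date]
```

Feed it the saved output of nmap -oN to get the same three answers for a full scan, and treat any hit from expired_certs as a finding to report alongside the enumeration results.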