Footprinting Lab - Medium
ℹ️ Information
- 🌐 Website: HackTheBox
- 📚 Module: Footprinting
- 🔗 Link: Footprinting Lab - Medium
❓ Question
Enumerate the server carefully and find the username "HTB" and its password. Then, submit this user's password as the answer.
📋 Walkthrough
Let's start with a fast scan of all TCP ports:

```
nmap --min-rate=10000 10.129.75.203 -p-
```
```
PORT      STATE SERVICE
111/tcp   open  rpcbind
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
2049/tcp  open  nfs
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49679/tcp open  unknown
49680/tcp open  unknown
49681/tcp open  unknown
```

There's an `smb` server on port 445 (with NetBIOS on 139), and msrpc, RDP and WinRM tell us this is a Windows host. The unusual service is `nfs` on port 2049.
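The second scan below re-types the port list from the first scan by hand. As an added example (not part of the original walkthrough), this shell snippet builds that `-p` argument from nmap's normal output instead; the sample scan output it parses is constructed inline and mirrors the result above, with a `filtered` port thrown in to show that only `open` ports are kept:

```shell
#!/usr/bin/env bash
# Added example, not from the original walkthrough: turn the port list from the
# fast "nmap -p-" scan into the "-p" argument of the follow-up "-sVC" scan.
set -eu

# Extract open TCP ports from nmap's normal output (one "PORT STATE SERVICE"
# line per port) and join them with commas. Reads the scan output from stdin.
open_ports() {
    awk '$2 == "open" && $1 ~ /^[0-9]+\/tcp$/ { split($1, a, "/"); print a[1] }' \
        | paste -sd, -
}

# Constructed sample: the shape of the fast scan above, including the header
# lines nmap prints and one non-open port that must be skipped.
SAMPLE_FAST_SCAN='Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.129.75.203
Host is up (0.020s latency).
Not shown: 65519 closed tcp ports (reset)
PORT      STATE SERVICE
111/tcp   open  rpcbind
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
2049/tcp  open  nfs
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp filtered unknown'

# Build the second scan's port argument from the constructed sample.
ports_from_sample() {
    printf '%s\n' "$SAMPLE_FAST_SCAN" | open_ports
}

# Usage against a live target (not run here; the IP is the one from the lab):
#   nmap --min-rate=10000 -p- -oN fast.nmap 10.129.75.203
#   nmap -sVC -p "$(open_ports < fast.nmap)" -oN script.nmap 10.129.75.203
echo "ports: $(ports_from_sample)"
```

Saving the first scan with `-oN` and feeding it through `open_ports` avoids the copy-paste mistakes that drop a port from the second scan.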
Now start a script scan on the open ports:

```
nmap -sVC -p111,135,139,445,2049,3389,5985,47001,49664,49665,49666,49667,49668,49679,49680,49681 10.129.75.203
```

```
PORT      STATE SERVICE       VERSION
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd        1-3 (RPC #100005)
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: WINMEDIUM
|   NetBIOS_Domain_Name: WINMEDIUM
|   NetBIOS_Computer_Name: WINMEDIUM
|   DNS_Domain_Name: WINMEDIUM
|   DNS_Computer_Name: WINMEDIUM
|   Product_Version: 10.0.17763
|_  System_Time: 2024-08-25T13:32:14+00:00
| ssl-cert: Subject: commonName=WINMEDIUM
| Not valid before: 2024-08-24T13:29:00
|_Not valid after:  2025-02-23T13:29:00
|_ssl-date: 2024-08-25T13:32:23+00:00; -1h59m59s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
49681/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1h59m59s, deviation: 0s, median: -1h59m59s
| smb2-time:
|   date: 2024-08-25T13:32:15
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
```

The rdp-ntlm-info output gives us the hostname WINMEDIUM (a standalone machine, not domain-joined, since the NetBIOS and DNS domain names equal the computer name) and build 10.0.17763 (Windows Server 2019 / Windows 10 1809).
Ports 5985 and 47001 are `http` services (Microsoft HTTPAPI, i.e. the WinRM listeners). On both ports I get 404 Not Found. I ran a directory scan using ffuf:

```
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.129.75.203:5985/FUZZ --ac
```

A 404 at the root is normal for a WinRM listener, which only serves the /wsman endpoint, so fuzzing it is unlikely to find anything; the port becomes useful only once we hold valid credentials.
The `nfs` service is hiding something. Let's mount it. Checking the content folder we can see a lot of tickets, and one of them hides some credentials. Try these credentials with xfreerdp.
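As an added example (not part of the original walkthrough), the shell snippet below shows the NFS step end to end: list the exports, mount one read-only, and grep the mounted tree for credential-looking lines instead of opening every ticket by hand. The target IP, mount point and export path are assumptions; the share it searches is a constructed set of ticket files created in a temporary directory, so the credential hunt runs offline, while the `showmount`/`mount` and `xfreerdp` calls are shown but not executed:

```shell
#!/usr/bin/env bash
# Added example, not from the original walkthrough: enumerate and mount the NFS
# export, then search the mounted tree for credentials. TARGET and MNT are
# assumptions and can be overridden from the environment.
set -eu

TARGET="${TARGET:-10.129.75.203}"
MNT="${MNT:-/mnt/nfs}"

# Step 1 (needs root, not run by default): list exports and mount one read-only.
# "vers=3" sidesteps NFSv4 id-mapping surprises and "nolock" avoids needing a
# local rpc.statd; "ro" keeps us from accidentally modifying the share.
mount_export() {
    export_path="$1"
    showmount -e "$TARGET"
    mkdir -p "$MNT"
    mount -t nfs -o ro,nolock,vers=3 "$TARGET:$export_path" "$MNT"
}

# Step 2: grep the mounted tree for lines that look like credentials.
# Prints "file:line:text" per hit, case-insensitive; never fails the script
# when there are no hits.
find_credentials() {
    dir="$1"
    grep -rniE 'pass(word|wd)?|pwd|credential|login' "$dir" 2>/dev/null || true
}

# Constructed sample share (hypothetical content, not the lab's real tickets):
# three ticket files, one carrying a username/password pair.
make_sample_share() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/TechSupport"
    printf 'Ticket 4236: printer on floor 2 offline again.\n' \
        > "$tmp/TechSupport/ticket4236.txt"
    printf 'Ticket 4242: VPN drops every hour, escalated to network team.\n' \
        > "$tmp/TechSupport/ticket4242.txt"
    printf 'Ticket 4240: new hire needs SQL access.\nUsername: exampleuser\nPassword: NotTheRealOne123\n' \
        > "$tmp/TechSupport/ticket4240.txt"
    printf '%s\n' "$tmp"
}

# How many distinct files in the constructed share contain a credential-looking line.
sample_hit_count() {
    share=$(make_sample_share)
    find_credentials "$share" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
    rm -rf "$share"
}

# Step 3 (not run here): try the recovered pair against RDP.
#   xfreerdp /v:"$TARGET" /u:exampleuser /p:'NotTheRealOne123' /cert:ignore

sample_hit_count   # prints 1
```

On the real share the pattern list is deliberately loose; expect a few false positives and read the hits in context rather than trusting the first match.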
Once logged in over RDP there's Microsoft SQL Server Management Studio installed. We can try the same credentials on MSSQL, with no luck. On the filesystem there's a file named important.txt that reveals some credentials. Try them on MSSQL: no luck either. Maybe it's the admin password? Got it! We can see a table dbo.devsacc that seems to store some user credentials. The HTB user is hiding here.
Answer
[REDACTED]