Added 10.10.10.103 to /etc/resolv.conf as the nameserver so the domain resolves locally.
Discovery nslookup
> HTB.LOCAL
Server: 10.10.10.103
Address: 10.10.10.103#53
Name: HTB.LOCAL
Address: 10.10.10.103
Name: HTB.LOCAL
Address: dead:beef::23
Name: HTB.LOCAL
Address: dead:beef::49da:9144:be86:9a3e
➜ Discovery ldapsearch -H ldap://10.10.10.103 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingContexts: DC=HTB,DC=LOCAL
namingContexts: CN=Configuration,DC=HTB,DC=LOCAL
namingContexts: CN=Schema,CN=Configuration,DC=HTB,DC=LOCAL
namingContexts: DC=DomainDnsZones,DC=HTB,DC=LOCAL
namingContexts: DC=ForestDnsZones,DC=HTB,DC=LOCAL
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
➜ www ldapsearch -H ldap://10.10.10.103 -x -b "DC=HTB,DC=LOCAL"
# extended LDIF
#
# LDAPv3
# base <DC=HTB,DC=LOCAL> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v3839
# numResponses: 1
Anonymous LDAP gave us nothing except the naming contexts: the subtree search fails with an Operations error because the DC requires a successful bind first, so we need credentials.
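An added example in Python, not part of the original writeup: a small parser for ldapsearch LDIF output that unfolds continuation lines (LDIF folds long values onto a line starting with one space, which is why the error text above breaks at "opera"/"tion") and reports whether an unauthenticated query actually returned entries. The two sample outputs are constructed from the runs above; the result of 1 with the 000004DC bind-required diagnostic is the default Active Directory behaviour a defender wants to see.

```python
import re
# Constructed samples modelled on the two ldapsearch runs above, not the real capture.
ROOTDSE = """\
dn:
namingContexts: DC=HTB,DC=LOCAL
namingContexts: CN=Configuration,DC=HTB,DC=LOCAL

result: 0 Success
"""
SUBTREE = """\
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v3839
"""

def parse_ldif(text):
    """Return (entries, result): one {attr: [values]} dict per 'dn:' record,
    plus the server's 'result' code and 'text' diagnostic."""
    # LDIF folds long values onto a continuation line that starts with one space
    # (the 'opera' / 'tion' split above), so join those before parsing.
    unfolded = re.sub(r"\n ", "", text)
    entries, result, cur = [], {"code": None, "text": ""}, None
    for line in unfolded.splitlines():
        if not line.strip() or line.startswith("#"):   # blank line or comment
            if not line.strip() and cur is not None:    # blank line ends a record
                entries.append(cur)
                cur = None
            continue
        attr, sep, value = line.partition(":")
        value = value.strip()
        if attr == "result":                 # e.g. 'result: 1 Operations error'
            result["code"] = int(value.split()[0])
        elif attr == "text":                 # server diagnostic, already unfolded
            result["text"] = value
        elif attr == "dn":                   # new record; rootDSE has an empty dn
            if cur is not None:
                entries.append(cur)
            cur = {"dn": [value]}
        elif sep and cur is not None and attr != "search":
            cur.setdefault(attr, []).append(value)
    if cur is not None:
        entries.append(cur)
    return entries, result

def anonymous_read_allowed(text):
    """True only when the unauthenticated search returned entries with code 0;
    code 1 with the 000004DC bind-required diagnostic means the DC refused."""
    entries, result = parse_ldif(text)
    return result["code"] == 0 and len(entries) > 0
```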
Discovery gobuster dir -u http://10.10.10.103 -w /usr/share/seclists/Discovery/Web-Content/IIS.fuzz.txt -x html,txt,bbak,aspx,php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.103
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/IIS.fuzz.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,txt,bbak,aspx,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/aspnet_client/ (Status: 403) [Size: 1233]
/certenroll/ (Status: 403) [Size: 1233]
/certsrv/.html (Status: 401) [Size: 1293]
/certsrv/.txt (Status: 401) [Size: 1293]
/certsrv/ (Status: 401) [Size: 1293]
/certsrv/.bbak (Status: 401) [Size: 1293]
/certsrv/.php (Status: 401) [Size: 1293]
/certsrv/.aspx (Status: 401) [Size: 1293]
/certsrv/ asks for credentials (HTTP 401).
➜ Sizzle smbclient -L ////10.10.10.103//
Password for [WORKGROUP\nakul]:
Sharename         Type  Comment
---------         ----  -------
ADMIN$            Disk  Remote Admin
C$                Disk  Default share
CertEnroll        Disk  Active Directory Certificate Services share
Department Shares Disk
IPC$              IPC   Remote IPC
NETLOGON          Disk  Logon server share
Operations        Disk
SYSVOL            Disk  Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.103 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
The Department Shares share gave us a directory listing:
➜ Sizzle smbclient //10.10.10.103/Department\ Shares
Password for [WORKGROUP\nakul]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Jul 3 20:52:32 2018
.. D 0 Tue Jul 3 20:52:32 2018
Accounting D 0 Tue Jul 3 00:51:43 2018
Audit D 0 Tue Jul 3 00:44:28 2018
Banking D 0 Tue Jul 3 20:52:39 2018
CEO_protected D 0 Tue Jul 3 00:45:01 2018
Devops D 0 Tue Jul 3 00:49:33 2018
Finance D 0 Tue Jul 3 00:41:57 2018
HR D 0 Tue Jul 3 00:46:11 2018
Infosec D 0 Tue Jul 3 00:44:24 2018
Infrastructure D 0 Tue Jul 3 00:43:59 2018
IT D 0 Tue Jul 3 00:42:04 2018
Legal D 0 Tue Jul 3 00:42:09 2018
M&A D 0 Tue Jul 3 00:45:25 2018
Marketing D 0 Tue Jul 3 00:44:43 2018
R&D D 0 Tue Jul 3 00:41:47 2018
Sales D 0 Tue Jul 3 00:44:37 2018
Security D 0 Tue Jul 3 00:51:47 2018
Tax D 0 Tue Jul 3 00:46:54 2018
Users D 0 Wed Jul 11 03:09:32 2018
ZZ_ARCHIVE D 0 Tue Jul 3 01:02:58 2018
7779839 blocks of size 4096. 3665695 blocks available
I'll mount this on my system.
Sizzle sudo mount -t cifs //10.10.10.103/Department\ Shares /mnt/htb/sizzle
[sudo] password for root
Password for root@//10.10.10.103/Department Shares:
We'll enumerate SMB.