# Nmap 7.95 scan initiated Mon Sep 29 03:40:54 2025 as: /usr/lib/nmap/nmap --privileged -vvv -p 53,80,88,135,139,389,445,464,593,636,3269,3268,5985,9389,49673,49666,49668,49674,49676,49692 -4 -sC -sV -o scan_result.txt 192.168.117.122
Nmap scan report for 192.168.117.122
Host is up, received echo-reply ttl 125 (0.068s latency).
Scanned at 2025-09-29 03:40:55 EDT for 97s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 125 Simple DNS Plus
80/tcp open http syn-ack ttl 125 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
|_ Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-webdav-scan:
| Server Type: Microsoft-IIS/10.0
| Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK
| Server Date: Mon, 29 Sep 2025 07:41:50 GMT
|_ WebDAV type: Unknown
88/tcp open kerberos-sec syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2025-09-29 07:41:01Z)
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 125
464/tcp open kpasswd5? syn-ack ttl 125
593/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 125
3268/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 125
5985/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 125 .NET Message Framing
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49673/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49676/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49692/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Service Info: Host: HUTCHDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 5343/tcp): CLEAN (Timeout)
| Check 2 (port 64444/tcp): CLEAN (Timeout)
| Check 3 (port 37363/udp): CLEAN (Timeout)
| Check 4 (port 33349/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2025-09-29T07:41:51
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 0s
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 29 03:42:32 2025 -- 1 IP address (1 host up) scanned in 97.61 seconds
First, the nmap scan results show that the domain name is hutch.offsec0.
ldapsearch can be used to look for information:
ldapsearch -x -b "DC=hutch,DC=offsec" -H "ldap://192.168.117.122"
The results revealed an account and a password.
After that, the WebDAV vulnerability can be used to achieve RCE.
Once a local user is obtained, it can be used to search for the local Admin account and password.
The search turned up Administrator:7-v3]Ay26-[2o2
psexec.py can then be used to log in and obtain proof.txt.
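The scan output above carries the defensive signal for this host in three places: the WebDAV write methods IIS advertises on port 80, the Active Directory domain in the LDAP banner, and the SMB signing mode in the host script results. The following is an added example, not part of the original write-up, that triages an Nmap normal-output report for exactly those items. The excerpt it parses is constructed from the scan above with the columns collapsed to single spaces, as the report appears on this page; the finding names and the `WRITE_METHODS` set are assumptions of this example.

```python
"""Triage an Nmap normal-output report for a few high-signal exposures.

Added example; not part of the original write-up. The regexes target the
normal-output layout reproduced on this page (columns collapsed to single spaces).
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the scan above (not the full report).
SAMPLE_REPORT = """\
80/tcp open http syn-ack ttl 125 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
|_ Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
88/tcp open kerberos-sec syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2025-09-29 07:41:01Z)
389/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 125
5985/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*(.*)$")

# HTTP methods that let a client create, change or delete server content (assumed set).
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    detail: str                      # reason column plus version string
    script_lines: list = field(default_factory=list)


def parse_report(text):
    """Return (ports, host_script_lines) from Nmap normal output."""
    ports, host_lines = [], []
    in_host_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Host script results"):
            in_host_section = True
            continue
        m = PORT_RE.match(line)
        if m:
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5)))
            continue
        s = SCRIPT_RE.match(line)
        if s:
            # NSE output attaches to the preceding port until the host section starts.
            target = host_lines if in_host_section or not ports else ports[-1].script_lines
            target.append(s.group(1))
    return ports, host_lines


def triage(text):
    """Map finding ids to notes; only findings actually present in the report are returned."""
    ports, host_lines = parse_report(text)
    findings = {}
    for p in ports:
        if p.state != "open":
            continue
        for sl in p.script_lines:
            if sl.startswith("Potentially risky methods:"):
                risky = set(sl.split(":", 1)[1].split())
                writable = sorted(risky & WRITE_METHODS)
                if writable:
                    findings["webdav-write"] = (
                        f"{p.number}/{p.proto}: WebDAV write methods enabled ({', '.join(writable)}); "
                        "unauthenticated upload is a common path to code execution on IIS, "
                        "so require authentication or disable WebDAV"
                    )
        dm = re.search(r"Domain: ([^,)]+)", p.detail)
        if p.service == "ldap" and dm:
            findings["ad-domain"] = dm.group(1).rstrip(".")
        if p.number == 5985:
            findings["winrm"] = f"{p.number}/{p.proto}: WinRM over HTTP reachable; restrict to management hosts"
    smb = " ".join(host_lines)
    if "smb2-security-mode" in smb:
        if "signing enabled and required" in smb:
            findings["smb-signing"] = "required (OK)"
        else:
            findings["smb-signing"] = "not required; enable and require SMB signing"
    return findings


if __name__ == "__main__":
    for key, note in triage(SAMPLE_REPORT).items():
        print(f"{key}: {note}")
```

Run against the excerpt, the triage flags the WebDAV write methods on 80/tcp and the exposed WinRM listener, extracts the domain string as Nmap printed it (hutch.offsec0, matching the write-up), and records SMB signing as required, which is the one control this host already gets right.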