# Ra

## Nmap

```
nmap 10.10.110.170 -p- -sS -sV

PORT      STATE SERVICE             VERSION
80/tcp    open  http                Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec        Microsoft Windows Kerberos (server time: 2022-04-11 16:48:05Z)
135/tcp   open  msrpc               Microsoft Windows RPC
139/tcp   open  netbios-ssn         Microsoft Windows netbios-ssn
389/tcp   open  ldap                Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http          Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
2179/tcp  open  vmrdp?
3268/tcp  open  ldap                Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server       Microsoft Terminal Services
5222/tcp  open  jabber              Ignite Realtime Openfire Jabber server 3.10.0 or later
5223/tcp  open  ssl/jabber          Ignite Realtime Openfire Jabber server 3.10.0 or later
5229/tcp  open  jaxflow?
5262/tcp  open  jabber              Ignite Realtime Openfire Jabber server 3.10.0 or later
5263/tcp  open  ssl/jabber
5269/tcp  open  xmpp                Wildfire XMPP Client
5270/tcp  open  ssl/xmpp            Wildfire XMPP Client
5275/tcp  open  jabber              Ignite Realtime Openfire Jabber server 3.10.0 or later
5276/tcp  open  ssl/jabber
5985/tcp  open  http                Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
7070/tcp  open  http                Jetty 9.4.18.v20190429
7443/tcp  open  ssl/http            Jetty 9.4.18.v20190429
7777/tcp  open  socks5              (No authentication; connection failed)
9090/tcp  open  zeus-admin?
9091/tcp  open  ssl/xmltec-xmlmail?
9389/tcp  open  mc-nmf              .NET Message Framing
49670/tcp open  msrpc               Microsoft Windows RPC
49674/tcp open  ncacn_http          Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc               Microsoft Windows RPC
49676/tcp open  msrpc               Microsoft Windows RPC
49695/tcp open  msrpc               Microsoft Windows RPC
```

The target has a large number of open ports, including the usual Active Directory services (Kerberos, LDAP, SMB), RDP and WinRM, and an Openfire XMPP server. First, we take a look at port 80.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fxaz3xOheBSVuBh8zq3HR%2Fimage.png?alt=media\&token=35e0ffcd-bfd7-4a73-89c9-ead01a9b4f13)

Part way down the page we find some employee information.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FN4uIHvMylVSAO8k4Ou0b%2Fimage.png?alt=media\&token=7c7c141a-9c4d-4277-ae91-2228b6c5b135)

Viewing the page source we see a list of usernames.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fy1Bu94TRhK5L8l6LmOqV%2Fimage.png?alt=media\&token=570e160a-3767-4718-8682-05dc26ca6fe7)

From the source we also pick up the FQDN of fire.windcorp.thm.

Running the discovered usernames through `kerbrute` reveals that some of them are valid user accounts.

```bash
kerbrute userenum 'user.txt' --dc <IP> --domain windcorp.thm -v
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FnQVcsAOY3kjUUUNm4Sqk%2Fimage.png?alt=media\&token=13755bf8-c0d6-465d-8ab1-0e3d202e5c15)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FgZoFmh2htZx5ieX5YC8p%2Fimage.png?alt=media\&token=0cef1f34-a848-4a74-8dc9-28df61dd84c4)
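From the defender's side, the `kerbrute userenum` step above is noisy: every name that does not exist produces a Kerberos AS-REQ failure, which the domain controller records as Security event 4768 with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) when "Audit Kerberos Authentication Service" failure auditing is enabled. The following Python script is an added example, not part of the original writeup: it runs a simple detection over constructed sample log lines and flags any client address that requests tickets for many distinct unknown principals inside a short window. The log format is a simplified whitespace-separated layout assumed for the example, and the hostnames, IP addresses and account names in it are constructed.

```python
"""Flag Kerberos user enumeration from 4768 failures with result code 0x6 (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <event id> <client address> <account name> <result code>".
# This is a simplified layout assumed for the example, not the real Windows event format.
SAMPLE_LOG = """\
2022-04-11T16:50:00 4768 10.0.0.50 alice  0x6
2022-04-11T16:50:01 4768 10.0.0.50 bob    0x6
2022-04-11T16:50:01 4768 10.0.0.50 carol  0x6
2022-04-11T16:50:02 4768 10.0.0.50 alice  0x6
2022-04-11T16:50:02 4768 10.0.0.50 dave   0x6
2022-04-11T16:50:03 4768 10.0.0.50 erin   0x6
2022-04-11T16:50:03 4768 10.0.0.50 frank  0x6
2022-04-11T16:51:10 4768 10.0.0.20 lilyl  0x6
2022-04-11T16:51:15 4768 10.0.0.20 lilyle 0x0
"""


def parse_events(text):
    """Return (timestamp, client_ip, account, result_code) tuples for the 4768 lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, client_ip, account, code = line.split()
        if event_id == "4768":
            events.append((ts, client_ip, account, code))
    return events


def detect_user_enum(events, threshold=5, window_seconds=60):
    """Return {client_ip: sorted unknown names} for every source that asked for tickets for at
    least `threshold` distinct non-existent accounts (result code 0x6) within `window_seconds`.
    Repeated requests for the same name count once, so a single mistyped logon is not flagged."""
    failures = defaultdict(list)
    for ts, client_ip, account, code in events:
        if code == "0x6":  # KDC_ERR_C_PRINCIPAL_UNKNOWN: the account does not exist
            failures[client_ip].append((datetime.fromisoformat(ts), account.lower()))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for client_ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits inside window_seconds.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            names = {name for _, name in fails[start:end + 1]}
            if len(names) >= threshold:
                alerts[client_ip] = sorted(set(alerts.get(client_ip, ())) | names)
    return alerts


if __name__ == "__main__":
    for ip, names in detect_user_enum(parse_events(SAMPLE_LOG)).items():
        print(f"possible user enumeration from {ip}: {len(names)} unknown principals {names}")
```

The workstation at 10.0.0.20 in the sample produces one 0x6 (a typo) followed by a successful request and is not flagged, while the source that cycles through six distinct unknown names in a few seconds is. The threshold and window are tuning knobs; in a real environment they should be set above the baseline of mistyped logons the SIEM already sees.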

Further down the main web page there is an option to reset a user's password by answering a security question.

As we already know Lily's username from the page source, we can also answer her security question: the page source shows that her profile image is named "LilyleandSparky.jpg", which gives the answer away.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fwu1UVaIlu3kVXakiSHyP%2Fimage.png?alt=media\&token=d596cd05-c399-4336-8e86-6df1889fcb4f)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FjzQ0EbmAbqWMMw0IYvrB%2Fimage.png?alt=media\&token=59461ad5-df3c-4c9f-a497-ba7850d34a40)

After entering the relevant information we are given a new password for the user *lilyle*.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FcJZlUdsZwuRcKB3Oy0VR%2Fimage.png?alt=media\&token=cbf3d25e-9e42-44a7-b51b-a2e86793167d)
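The reset flow just used fails for two reasons: the "secret" answer is a fact that was published on the site itself, and the new password is displayed to whoever answered. The Python below is an added example, not the room's code, that places a minimal version of that flow next to a hardened reset: a random single-use token that is stored only as a hash, delivered out of band, checked in constant time, limited in lifetime and attempts, and consumed on use. The user record, the `outbox` dict standing in for the mail system, and the 15-minute lifetime are assumptions made for the example.

```python
"""Security-question reset (page-style) beside a single-use token reset (added example)."""
import hashlib
import hmac
import secrets
import time

# Constructed user store. The stored answer is the pet name that, on the page, leaked via an image filename.
USERS = {"lilyle": {"answer": "sparky", "password": None, "reset": None}}

TOKEN_LIFETIME_SECONDS = 15 * 60  # assumption for the example
MAX_ATTEMPTS = 5


def weak_reset(username, answer):
    """Page-style flow: one guessable answer proves identity and the new password is returned in the response."""
    user = USERS.get(username)
    if user is None or answer.strip().lower() != user["answer"]:
        return None
    user["password"] = secrets.token_urlsafe(12)
    return user["password"]


def request_reset(username, outbox, now=None):
    """Hardened flow, step 1: mint a random token, store only its hash with an expiry, and hand the
    token to the registered contact channel (`outbox` stands in for e-mail). The response is the same
    whether or not the account exists, so the endpoint cannot be used to enumerate usernames."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)
        user["reset"] = {
            "hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": now + TOKEN_LIFETIME_SECONDS,
            "attempts": 0,
        }
        outbox[username] = token  # never shown on the page
    return "If that account exists, a reset link has been sent."


def complete_reset(username, token, new_password, now=None):
    """Hardened flow, step 2: reject expired or over-tried tokens, compare in constant time,
    consume the token on success and store the new password through a slow KDF."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    pending = user["reset"] if user else None
    if pending is None or now > pending["expires"]:
        return False
    pending["attempts"] += 1
    if pending["attempts"] > MAX_ATTEMPTS:
        user["reset"] = None  # too many guesses: invalidate the token entirely
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, pending["hash"]):
        return False
    user["reset"] = None  # single use
    salt = secrets.token_bytes(16)
    user["password"] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
    return True


if __name__ == "__main__":
    print("weak reset with the leaked answer:", weak_reset("lilyle", "Sparky") is not None)
    outbox = {}
    print(request_reset("lilyle", outbox))
    print("hardened reset with the mailed token:", complete_reset("lilyle", outbox["lilyle"], "N3wPassw0rd!"))
    print("replaying the same token:", complete_reset("lilyle", outbox["lilyle"], "Another1!"))
```

The important contrast is where the proof of identity comes from: in `weak_reset` it is knowledge that anyone can read off the public site, whereas in the hardened flow it is possession of a fresh random value that only reaches the account owner's mailbox and is useless after one use or a short delay.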

Testing them with `crackmapexec` confirms that the credentials are valid.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FaPfP3vLkXViBaTt9utie%2Fimage.png?alt=media\&token=2e113887-69f2-4b97-9f63-485a6d15915d)

Using `smbmap` with Lily's account, we find some readable shares.

```bash
smbmap -H '10.10.110.170' -u 'lilyle' -p <Password> -q
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FjwItRAlxycYoku7gWDQU%2Fimage.png?alt=media\&token=85549aaa-2ebb-4309-bbcc-58ebc021738a)

A recursive listing of those shares also turns up the first flag for the room.

```bash
smbmap -H '10.10.110.170' -u 'lilyle' -p <Password> -R --depth 30
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FDdO8dw9BYZi55ZDmZ2xh%2Fimage.png?alt=media\&token=e744758d-10c5-449e-928f-fb283d2001e1)
