New machine from 2022-07-30.

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
49664/tcp open  unknown
49668/tcp open  unknown
49670/tcp open  unknown
49684/tcp open  unknown
49699/tcp open  unknown
63003/tcp open  unknown

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;support.htb. IN ANY

;; ANSWER SECTION:
support.htb. 600 IN A 10.129.25.230
support.htb. 3600 IN NS dc.support.htb.
support.htb. 3600 IN SOA dc.support.htb. hostmaster.support.htb. 315 900 600 86400 3600

;; ADDITIONAL SECTION:
dc.support.htb. 3600 IN A 10.129.25.230

Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-07-30 19:05:55Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -17s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-07-30T19:06:24
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 30 15:07:35 2022 -- 1 IP address (1 host up) scanned in 119.98 seconds

SMB enumeration:
.. D 0 Sat May 28 13:18:25 2022
7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 13:19:19 2022
npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 13:19:55 2022
putty.exe A 1273576 Sat May 28 13:20:06 2022
SysinternalsSuite.zip A 48102161 Sat May 28 13:19:31 2022
UserInfo.exe.zip A 277499 Wed Jul 20 19:01:07 2022
windirstat1_1_2_setup.exe A 79171 Sat May 28 13:20:17 2022
WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 13:19:43 2022

smb anonymous login allowed, there's a peculiar zip file with a peculiar .exe file... wish I had a working windows vm

(July 30, 2022, 07:28 PM)ILoveNSA Wrote: smb anonymous login allowed, there's a peculiar zip file with a peculiar .exe file... wish I had a working windows vm

I am installing the Window VM =)) didn't prepare for this situation =))

userinfo.exe dnspy/ilspy UserInfo.Services.Protected class

(July 30, 2022, 07:46 PM)fukingfuck Wrote: userinfo.exe dnspy/ilspy UserInfo.Services.Protected class

How do we use this without usernames

(July 30, 2022, 07:52 PM)JINXX Wrote:

(July 30, 2022, 07:46 PM)fukingfuck Wrote: userinfo.exe dnspy/ilspy UserInfo.Services.Protected class

How do we use this without usernames

There is username in Ldap q DirectoryEntry("LDAP://support.htb", "support\\ldap", password);

there is a valid username discovered when using dnspy but the program does not seem to work