nmap -sV -sC 10.129.227.141
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-29 09:26 EDT
Nmap scan report for 10.129.227.141
Host is up (0.23s latency).
Not shown: 973 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          Microsoft Exchange smtpd
| ssl-cert: Subject: commonName=dc
| Subject Alternative Name: DNS:dc, DNS:dc.edelweiss.htb
| Not valid before: 2022-10-30T13:36:06
|_Not valid after:  2027-10-30T13:36:06
| smtp-commands: dc.edelweiss.htb Hello [10.10.14.3], SIZE 37748736, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH NTLM, X-EXPS GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, SMTPUTF8, XRDST
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
81/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: 403 - Forbidden: Access is denied.
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-29 13:27:35Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: edelweiss.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc
| Subject Alternative Name: DNS:dc, DNS:dc.edelweiss.htb
| Not valid before: 2022-10-30T13:36:06
|_Not valid after:  2027-10-30T13:36:06
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
| ssl-cert: Subject: commonName=dc
| Subject Alternative Name: DNS:dc, DNS:dc.edelweiss.htb
| Not valid before: 2022-10-30T13:36:06
|_Not valid after:  2027-10-30T13:36:06
|_http-server-header: Microsoft-IIS/10.0
444/tcp  open  ssl/http      Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Runtime Error
| ssl-cert: Subject: commonName=dc
| Subject Alternative Name: DNS:dc, DNS:dc.edelweiss.htb
| Not valid before: 2022-10-30T13:36:06
|_Not valid after:  2027-10-30T13:36:06
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
587/tcp  open  smtp          Microsoft Exchange smtpd
|_smtp-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=dc
| Subject Alternative Name: DNS:dc, DNS:dc.edelweiss.htb
| Not valid before: 2022-10-30T13:36:06
|_Not valid after:  2027-10-30T13:36:06
| smtp-commands: dc.edelweiss.htb Hello [10.10.14.3], SIZE 37748736, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, AUTH GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, SMTPUTF8
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: edelweiss.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc
| Subject Alternative Name: DNS:dc, DNS:dc.edelweiss.htb
| Not valid before: 2022-10-30T13:36:06
|_Not valid after:  2027-10-30T13:36:06
808/tcp  open  ccproxy-http?
1801/tcp open  msmq?
2103/tcp open  msrpc         Microsoft Windows RPC
2105/tcp open  msrpc         Microsoft Windows RPC
2107/tcp open  msrpc         Microsoft Windows RPC
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: edelweiss.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc
| Subject Alternative Name: DNS:dc, DNS:dc.edelweiss.htb
| Not valid before: 2022-10-30T13:36:06
|_Not valid after:  2027-10-30T13:36:06
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: edelweiss.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc
| Subject Alternative Name: DNS:dc, DNS:dc.edelweiss.htb
| Not valid before: 2022-10-30T13:36:06
|_Not valid after:  2027-10-30T13:36:06
6001/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6502/tcp open  msrpc         Microsoft Windows RPC
6543/tcp open  msrpc         Microsoft Windows RPC
6565/tcp open  msrpc         Microsoft Windows RPC
6689/tcp open  msrpc         Microsoft Windows RPC
Service Info: Hosts: dc.edelweiss.htb, DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 177.55 seconds
It appears to be a domain controller for edelweiss.htb, running Microsoft Exchange.
Anonymous SMB and LDAP had little to nothing.
The website on port 443 has an OWA login page.
The website on port 444 brings us to an error page.
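To make the scan above easier to act on, here is an added example (not part of the writeup) that parses nmap's normal output into per-port records, including the NSE script blocks, and turns them into the defender-facing findings the notes above call out: a Kerberos+LDAP host is a domain controller, "Microsoft Exchange smtpd" means Exchange is internet-facing, the TRACE method is enabled on 444, SMTP advertises NTLM authentication, and the certificate's "Not valid after" date is checked against a reference date. The input is a constructed excerpt of the page's own scan, trimmed to a few ports; the function names, finding codes and the 90-day certificate threshold are my own choices.

```python
import re
from datetime import datetime

# Constructed input: an excerpt of the nmap output quoted above, trimmed to a
# handful of ports so the example stays short (column spacing follows nmap's).
SCAN = """\
PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          Microsoft Exchange smtpd
| ssl-cert: Subject: commonName=dc
| Subject Alternative Name: DNS:dc, DNS:dc.edelweiss.htb
| Not valid before: 2022-10-30T13:36:06
|_Not valid after:  2027-10-30T13:36:06
| smtp-commands: dc.edelweiss.htb Hello [10.10.14.3], SIZE 37748736, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH NTLM, X-EXPS GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING, SMTPUTF8, XRDST
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-29 13:27:35Z)
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: edelweiss.htb0., Site: Default-First-Site-Name)
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
| ssl-cert: Subject: commonName=dc
| Subject Alternative Name: DNS:dc, DNS:dc.edelweiss.htb
| Not valid before: 2022-10-30T13:36:06
|_Not valid after:  2027-10-30T13:36:06
|_http-server-header: Microsoft-IIS/10.0
444/tcp  open  ssl/http      Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Runtime Error
445/tcp  open  microsoft-ds?
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE script ids are lowercase with hyphens; a '|' line that does not start
# with one is a continuation of the previous script's output.
SCRIPT_RE = re.compile(r"^\|_?\s*([a-z0-9][a-z0-9_-]*):\s*(.*)$")


def parse_nmap(text):
    """Parse nmap normal output into a list of port records (dicts)."""
    ports, current, script = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": m.group(5).strip(), "scripts": {}}
            ports.append(current)
            script = None
            continue
        if current is None or not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            current["scripts"].setdefault(script, [])
            if m.group(2):
                current["scripts"][script].append(m.group(2))
        elif script is not None:
            current["scripts"][script].append(line.lstrip("|_ ").strip())
    return ports


def cert_not_after(scripts):
    """Return the certificate's 'Not valid after' timestamp, or None."""
    for line in scripts.get("ssl-cert", []):
        m = re.match(r"Not valid after:\s*(\S+)", line)
        if m:
            return datetime.fromisoformat(m.group(1))
    return None


def triage(ports, now_iso):
    """Turn parsed ports into (port, code) findings; port 0 = host-level."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    open_ports = [p for p in ports if p["state"] == "open"]
    services = {p["service"] for p in open_ports}
    if "kerberos-sec" in services and "ldap" in services:
        findings.append((0, "domain-controller"))
    for p in open_ports:
        s = p["scripts"]
        if "Exchange" in p["version"]:
            findings.append((p["port"], "exchange-exposed"))
        if any(re.search(r"\bAUTH\b.*\bNTLM\b", l) for l in s.get("smtp-commands", [])):
            findings.append((p["port"], "smtp-ntlm-auth"))
        if any("TRACE" in l for l in s.get("http-methods", [])):
            findings.append((p["port"], "trace-enabled"))
        exp = cert_not_after(s)
        if exp is not None and (exp - now).days < 90:  # 90-day threshold: my choice
            findings.append((p["port"], "cert-expiring"))
    return findings


if __name__ == "__main__":
    for port, code in triage(parse_nmap(SCAN), "2024-05-29"):
        print(f"{port:>5}  {code}")
```

Run against the excerpt with the scan date as the reference, it reports the domain-controller role, Exchange on 25, NTLM auth on 25 and TRACE on 444; moving the reference date to September 2027 makes the 2027-10-30 certificate expiry show up as well.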
I wasn't able to enumerate the version of the Exchange server, tried via nc etc.
nc -vn 10.129.227.141 25
(UNKNOWN) [10.129.227.141] 25 (smtp) open
220 dc.edelweiss.htb Microsoft ESMTP MAIL Service ready at Sat, 13 Jul 2024 21:10:07 -0700
The name of the machine makes me want to try ProxyLogon, which results in pre-authenticated RCE. The issue is that this requires a valid email on the domain, which we don't currently have.
The metasploit module scanner/http/exchange_proxylogon confirmed that this host should be vulnerable.
Exploitation
I decided to give ProxyShell and ProxyLogon a shot, because ProxyShell doesn't need a valid email, and I was hoping it might be able to enumerate some emails.
Sadly that was not the case. I decided to try ProxyLogon with a couple of emails that could potentially be valid. We don't have any username information, but [email protected] and [email protected] are a pretty safe bet.
windows/http/exchange_proxylogon_rce was successfully able to pop a meterpreter session using the [email protected] email. The session starts as NT AUTHORITY\SYSTEM, so I used it to grab both flags.