Everyone on the internal network has access

A user named HTB has been created.

Enumerate the server carefully and find the username "HTB" and its password. Then, submit this user's password as the answer.


Enum4linux gives nothing

nmap $HOST -sV -T2 -vv
111/tcp  open  rpcbind       syn-ack ttl 127 2-4 (RPC #100000)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds? syn-ack ttl 127
2049/tcp open  nlockmgr      syn-ack ttl 127 1-4 (RPC #100021)
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

For RDP

PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-enum-encryption:                  
|   Security layer               
|     CredSSP (NLA): SUCCESS 
|     CredSSP with Early User Auth: SUCCESS  
|_    RDSTLS: SUCCESS                
| rdp-ntlm-info:         
|   Target_Name: WINMEDIUM
|   NetBIOS_Domain_Name: WINMEDIUM
|   NetBIOS_Computer_Name: WINMEDIUM        
|   DNS_Domain_Name: WINMEDIUM
|   DNS_Computer_Name: WINMEDIUM           
|   Product_Version: 10.0.17763       
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

For WinRM

nmap -sV -sC $HOST -p5985,5986 --disable-arp-ping -n
5985/tcp open   http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp closed wsmans
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

For SMB

nmap $HOST -sV -sC -p139,445
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-17 03:59 EDT
Nmap scan report for 10.129.202.41
Host is up (0.033s latency).
                                               
PORT    STATE SERVICE       VERSION
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -1s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-10-17T07:59:47
|_  start_date: N/A

RDP connection impossible without creds

RPC denied

SMB can't be enumerated

WinRM denied

→ We see NFS