Enumeration As with every engagement, it starts with information gathering. Ran the standard nmap scan and found the following port open on the target system. A scan for UDP ports was also done but nothing interesting was seen. Initial Access The first thing I did was see if there was any low hanging fruit by performing a simple brute force against TCP port 22. Unfortunately, no credentials were found so moved on to TCP port 80. Simply navigating to the target system’s IP in the browser revealed that there should be some sort of ticketing system that is only accessible…

Enumeration As with every machine, I like to start off with an nmap scan of all TCP ports using the standard NSE scripts and gather version information. Additionally, I did a scan of the top UDP ports. The results of the scans show TCP ports 22, 80, 8338, and 55555 as open as well as UDP port 68 being open. Looking closer at the results, TCP ports 80 and 8338 are showing as filtered. This means there is a firewall or filter in place that is preventing a successful connection from the attack box to the target box. Initial Access…

Introduction This box taught me a lot. It provided many opportunities to learn how to enumerate services, even if nothing ultimately was gleaned from it. It also taught me that sometimes getting fresh air and resetting is the best thing to do. Sometimes you need to try harder, but that is not always the case. And finally, do not get stuck on using the same tools or wordlists for a specific job. Different tools can give different results, so expand your arsenal. Sometimes you might not get results because of the tool, not because of something you are inherently doing…

Learned a lot doing this box. It starts off with accessing an open SMB share that contains a password protected ZIP. Cracking the password for the ZIP allowed access to a PFX file. After cracking the password associated with the PFX file I was able to extract a .crt and .key file. Using those files, I was able to login via WinRM. After doing some recon on the local box I discovered a clear text password for another user in the PowerShell history file. Said user was part of a group that could read LAPS passwords. And it just so…