53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,49729,57404
# Nmap 7.94SVN scan initiated Tue Jan  2 15:27:13 2024 as: nmap -sT -sC -sV -O -p53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,49729,57404 -oA nmap/detail 10.10.11.152
Nmap scan report for 10.10.11.152 (10.10.11.152)
Host is up (0.096s latency).

PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2024-01-02 15:27:21Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn: 
|_  http/1.1
|_http-title: Not Found
|_ssl-date: 2024-01-02T15:28:57+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
9389/tcp  open  mc-nmf            .NET Message Framing
49667/tcp open  msrpc             Microsoft Windows RPC
49673/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc             Microsoft Windows RPC
49729/tcp open  msrpc             Microsoft Windows RPC
57404/tcp open  msrpc             Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-01-02T15:28:19
|_  start_date: N/A
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m59s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

OS and Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
# Nmap done at Tue Jan  2 15:29:00 2024 -- 1 IP address (1 host up) scanned in 108.03 seconds

dc01.timelapse.htb
timelapse.htb

Get the password-protected zip files from SMB, then use john to crack the password.

Then unzip to get a .pfx file.

Googling: the .pfx file requires another password.

pfx2john legacyy_dev_auth.pfx > pfxhash

Continue cracking, which gives:

**thuglegacy       (legacyy_dev_auth.pfx)**
