Internal Enumeration

Host discovery:

for i in $(seq 254); do ping 172.16.8.$i -c1 -W1 & done | grep from
64 bytes from 172.16.8.3: icmp_seq=1 ttl=64 time=26.1 ms
64 bytes from 172.16.8.20: icmp_seq=1 ttl=64 time=19.5 ms
64 bytes from 172.16.8.50: icmp_seq=1 ttl=64 time=13.4 ms
64 bytes from 172.16.8.120: icmp_seq=1 ttl=64 time=11.1 ms

We add that into a file and run nmap on all the discovered hosts:

nmap --open -iL live_hosts
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-21 16:45 CST
Nmap scan report for 172.16.8.3
Host is up (0.024s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

Nmap scan report for 172.16.8.20
Host is up (0.024s latency).
Not shown: 993 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
111/tcp  open  rpcbind
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2049/tcp open  nfs
3389/tcp open  ms-wbt-server

Nmap scan report for 172.16.8.50
Host is up (0.016s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
8080/tcp open  http-proxy

Nmap scan report for 172.16.8.120
Host is up (0.014s latency).
Not shown: 989 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
993/tcp  open  imaps
995/tcp  open  pop3s
8080/tcp open  http-proxy

Nmap done: 4 IP addresses (4 hosts up) scanned in 1.19 seconds

Looks like three of them are Windows domain-joined machines and 172.16.8.3 is the DC.
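The two steps above (collecting the replying addresses into live_hosts, then reading the nmap output to decide which host is the DC) can be scripted. This is an added example, not part of the original notes: the sample input is the ping and nmap output shown above (nmap output trimmed), and the role labels are a heuristic assumption based on common port/service pairings (Kerberos + LDAP + Global Catalog for a DC, RPC + SMB for a Windows host, SSH without SMB for Linux), not a definitive fingerprint.

```shell
# Added example: parse the ping sweep and nmap normal output from the notes.
# Sample data copied (and trimmed) from the notes above.
PING_SAMPLE='64 bytes from 172.16.8.3: icmp_seq=1 ttl=64 time=26.1 ms
64 bytes from 172.16.8.20: icmp_seq=1 ttl=64 time=19.5 ms
64 bytes from 172.16.8.50: icmp_seq=1 ttl=64 time=13.4 ms
64 bytes from 172.16.8.120: icmp_seq=1 ttl=64 time=11.1 ms'

NMAP_SAMPLE='Nmap scan report for 172.16.8.3
Host is up (0.024s latency).
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
3268/tcp open  globalcatLDAP

Nmap scan report for 172.16.8.20
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
2049/tcp open  nfs
3389/tcp open  ms-wbt-server

Nmap scan report for 172.16.8.50
PORT     STATE SERVICE
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
8080/tcp open  http-proxy

Nmap scan report for 172.16.8.120
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http

Nmap done: 4 IP addresses (4 hosts up) scanned in 1.19 seconds'

# Extract the replying addresses from ping output ("64 bytes from A.B.C.D: ...").
# Redirect the output to live_hosts to feed "nmap --open -iL live_hosts".
live_hosts_from_ping() {
    awk '/bytes from/ { sub(/:$/, "", $4); print $4 }'
}

# Read nmap normal output and print "<ip> <role>" per host.
# Heuristic (assumption): 88+389+3268 => domain controller;
# 135+445 => Windows host; 22 without SMB => Linux host.
classify_nmap_hosts() {
    awk '
        function flush(    k, role) {
            if (host == "") return
            role = "unknown"
            if ((88 in p) && (389 in p) && (3268 in p)) role = "domain-controller"
            else if ((135 in p) && (445 in p))          role = "windows-host"
            else if (22 in p)                           role = "linux-host"
            print host, role
            for (k in p) delete p[k]
        }
        /^Nmap scan report for / { flush(); host = $NF }
        /^[0-9]+\/tcp +open/     { split($1, a, "/"); p[a[1] + 0] = 1 }
        END                      { flush() }
    '
}

# Usage: list the live hosts, then label each scanned host.
printf '%s\n' "$PING_SAMPLE" | live_hosts_from_ping
printf '%s\n' "$NMAP_SAMPLE" | classify_nmap_hosts
```

The classifier only looks at open TCP ports, so a DC with LDAP firewalled off or a Linux box running Samba would be mislabelled; treat the labels as a starting point for the manual check, which is what the notes do.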

Enum4linux

Unfortunately couldn't get any usernames or the password policy.

Web Pages

We see two web pages on the hosts:

172.16.8.50:8080

It's running Tomcat, version Apache Tomcat/10.0.21.

Starting with subdirectory fuzzing:

After that I ran scanner/http/tomcat_mgr_login but got no successful login.
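From the defender's side, a tomcat_mgr_login run like the one above leaves a burst of 401 responses for /manager/* in Tomcat's access log (the AccessLogValve common log format). The following detection is an added example, not part of the original notes: the log lines are constructed for this example, and the threshold of five failures is an assumption to tune per environment.

```shell
# Added example: flag clients with repeated failed logins to the Tomcat manager.
# Constructed sample access log (common log format, as written by AccessLogValve).
ACCESS_LOG_SAMPLE='172.16.8.99 - - [21/Jan/2025:16:50:01 -0600] "GET /manager/html HTTP/1.1" 401 2473
172.16.8.99 - - [21/Jan/2025:16:50:01 -0600] "GET /manager/html HTTP/1.1" 401 2473
172.16.8.99 - - [21/Jan/2025:16:50:02 -0600] "GET /manager/html HTTP/1.1" 401 2473
172.16.8.99 - - [21/Jan/2025:16:50:02 -0600] "GET /manager/html HTTP/1.1" 401 2473
172.16.8.99 - - [21/Jan/2025:16:50:03 -0600] "GET /manager/html HTTP/1.1" 401 2473
172.16.8.99 - - [21/Jan/2025:16:50:03 -0600] "GET /manager/html HTTP/1.1" 401 2473
172.16.8.10 - - [21/Jan/2025:16:51:10 -0600] "GET /manager/html HTTP/1.1" 401 2473
172.16.8.10 - - [21/Jan/2025:16:51:30 -0600] "GET /manager/html HTTP/1.1" 200 19345
172.16.8.77 - - [21/Jan/2025:16:52:00 -0600] "GET /index.html HTTP/1.1" 200 11230'

# Print "<ip> <count>" for every client with at least $1 failed (401)
# requests to /manager. Fields: $1 client, $7 request path, $9 status.
manager_auth_failures() {
    awk -v thr="$1" '
        $9 == 401 && $7 ~ /^\/manager/ { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip] }
    '
}

# Usage: run over the sample with a threshold of 5 failures.
printf '%s\n' "$ACCESS_LOG_SAMPLE" | manager_auth_failures 5
```

One 401 from a legitimate admin who mistyped a password (172.16.8.10 above) stays below the threshold; a dictionary run does not. Pair the alert with the manager-app hardening Tomcat already offers (LockOutRealm, restricting the manager to specific source addresses via RemoteAddrValve) so the log is a confirmation rather than the only control.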

172.16.8.20:80

It's a DNN CMS page. We can log in or register.

Registration isn't straightforward. We get: 'An email with your details has been sent to the Site Administrator for verification. You will be notified by email when your registration has been approved. In the meantime you can continue to browse this site.'

NFS

We also see that on host .20, port 2049 (NFS) is open. We can enumerate NFS for sensitive information.

We cannot mount it through the tunnel, but we can from our compromised foothold Linux host, where we have root access.

Here we see a folder named DNN.

Reading web.config with cat:

We are able to log in with these creds and access the admin dashboard. We see our previous registration request.
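The web.config on the share gave up working credentials because the connection string was stored in clear text on an exported file system. The check below is an added example, not part of the original notes: it reports connection strings that carry a Password=/Pwd= value outside an encrypted section (ASP.NET protected configuration wraps the section in EncryptedData). The web.config content is constructed for this example; SiteSqlServer is the connection string name DNN uses.

```shell
# Added example: find clear-text database passwords in an ASP.NET web.config.
# Constructed sample; the password value is a placeholder.
WEB_CONFIG_SAMPLE='<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <add name="SiteSqlServer" connectionString="Data Source=.\SQLExpress;Initial Catalog=DNN;User ID=dnnuser;Password=EXAMPLE_PASSWORD" providerName="System.Data.SqlClient" />
    <add name="Reporting" connectionString="Data Source=db01;Initial Catalog=Reports;Integrated Security=True" providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>'

# Print the name of every <add> element whose connectionString contains a
# password and is not inside an <EncryptedData> block. Reads web.config on stdin.
cleartext_connection_strings() {
    awk '
        /<EncryptedData/   { encrypted = 1 }
        /<\/EncryptedData/ { encrypted = 0 }
        !encrypted && /<add / && /connectionString=/ && /[Pp]assword=|[Pp]wd=/ {
            if (match($0, /name="[^"]*"/))
                print substr($0, RSTART + 6, RLENGTH - 7)
        }
    '
}

# Usage: one line per offending connection string (here: SiteSqlServer).
printf '%s\n' "$WEB_CONFIG_SAMPLE" | cleartext_connection_strings
```

The Reporting entry uses Integrated Security and is not reported. The standard fix on the server is to encrypt the section with aspnet_regiis -pe "connectionStrings" (or to use integrated authentication), and, independently, to not export the web root over NFS to every host on the segment; either change on its own would have stopped the path taken in these notes.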

Getting version info