⛵ Resourced

nmap -sCV -A -p- 192.168.110.175 --min-rate=10000 -oA Resourced.txt

rustscan --addresses 192.168.110.175 --ulimit 5000 -- -A -sC -Pn -sV -T 1500

After running the nmap scan, I added the discovered hosts to the /etc/hosts file.

Next, I try logging in anonymously with rpcclient.

rpcclient -U "" -N resourced.local

srvinfo returned nothing, but querydispinfo returned a list of users, and one entry contained a reminder. This may be the password of the v.ventz user.

V.Ventz /HotelCalifornia194!
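A defender-side check for the exposure seen here, where an account description readable over an anonymous RPC session held a password reminder. This is an added example, not part of the original writeup; the sample lines, account names and heuristics are constructed assumptions, laid out the way querydispinfo prints its entries.

```python
import re

# Constructed sample in the layout rpcclient's querydispinfo prints;
# the accounts and descriptions are invented for this example.
SAMPLE = """\
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator\tName: (null)\tDesc: Built-in account for administering the computer/domain
index: 0xf72 RID: 0x457 acb: 0x00020010 Account: a.example\tName: (null)\tDesc: Finance analyst
index: 0xf73 RID: 0x458 acb: 0x00020010 Account: b.example\tName: (null)\tDesc: New hire - reminder: Example#Passw0rd2024
index: 0xf74 RID: 0x459 acb: 0x00020010 Account: c.example\tName: (null)\tDesc: pwd reset by helpdesk
"""

ENTRY = re.compile(
    r"RID:\s*(0x[0-9a-fA-F]+).*?Account:\s*(\S+)\s+Name:\s*(.*?)\s+Desc:\s*(.*)$")
KEYWORDS = re.compile(
    r"\b(pass(word|wd)?|pwd|remind(er)?|cred(ential)?s?|login)\b", re.I)
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")

def looks_like_secret(token):
    """Heuristic: 8+ chars, contains a digit, uses 3+ character classes."""
    if len(token) < 8 or not re.search(r"\d", token):
        return False
    return sum(bool(re.search(c, token)) for c in CLASSES) >= 3

def audit(text):
    """Return (account, rid, reasons) for descriptions that need review."""
    findings = []
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # not a querydispinfo entry line
        rid, account, _name, desc = m.groups()
        reasons = []
        if KEYWORDS.search(desc):
            reasons.append("keyword")
        if any(looks_like_secret(t.strip(".,;:()")) for t in desc.split()):
            reasons.append("secret-like token")
        if reasons:
            findings.append((account, int(rid, 16), reasons))
    return findings

if __name__ == "__main__":
    for account, rid, reasons in audit(SAMPLE):
        print(f"{account} (RID {rid}): {', '.join(reasons)}")
```

Any hit means the description should be cleared and the account's password rotated, since the field is readable by every principal that can enumerate users.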

I attempted to use this password with xfreerdp, evil-winrm, and impacket-psexec but was unsuccessful. However, I was able to list shares using smbmap.

smbmap -u v.ventz -p 'HotelCalifornia194!' -d resourced -H resourced.local

In the Password Audit Share, I found two directories, Active Directory and Registry. Inside the directories, I found the NTDS.DIT and SYSTEM files, which are used for password auditing.

Start with an Nmap TCP scan:

nmap -Pn -n 192.168.110.175 -sC -sV -p- --open

Start with an Nmap UDP scan:

nmap -Pn -n $IP -sU --top-ports=100 --reason

Even if it comes up empty, scanning the UDP ports as well is best practice.

We can see the domain name is ‘resourced.local’, as indicated on port 3389 (RDP). I like to add that to my /etc/hosts file right away.

Port 53 — DNS

We can try a domain transfer.

dig @$IP axfr domain.name
