Walkthrough of BillyBoss

Introduction

This write-up details an intermediate-level box from Offsec's labs, rated as "Very Hard" by the community. The lab can be accessed here.

Enumeration

We start by running an Nmap scan to collect key information about the target system.

sudo nmap -Pn -n $IP -sC -sV -p- --open
  • -Pn to skip host discovery and assume the host is up
  • -n to ignore DNS resolution
  • -sC to apply default scripts
  • -sV to identify version information
  • -p- to scan all ports
  • --open to report only open (or possibly open) ports

Nmap Output

┌──(kali㉿kali)-[~/offsec-labs]
└─$ sudo nmap -Pn -n 192.168.207.187 -sC -sV -p- --open
[sudo] password for kali: 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-05 12:14 EDT
Nmap scan report for 192.168.207.187
Host is up (0.082s latency).
Not shown: 65514 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
|_http-title: Access The Event
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-10-05 16:17:08Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49695/tcp open  msrpc         Microsoft Windows RPC
49734/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: SERVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-10-05T16:18:02
|_  start_date: N/A

Key results:

  • The presence of ports 53 (DNS), 88 (Kerberos), and 389 (LDAP) suggests this is likely a Domain Controller, with the domain identified as access.offsec.
  • An Apache HTTP server is running on port 80.
  • SMB is exposed on ports 139 and 445, and WinRM on port 5985 may allow remote management once valid credentials are obtained.
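As an added example (not part of the original write-up or of Offsec's material), the following Python parses the port lines of the Nmap output above and applies the same reasoning as the key results list: it flags the Domain Controller indicators (53, 88, 389), extracts the domain, and notes the web server, SMB and WinRM exposure. SAMPLE_NMAP is constructed from the scan above; stripping the trailing "0." from the LDAP domain string is an assumption about how this scan rendered it.

```python
import re

# Constructed sample: the open-port lines from the Nmap scan above (abridged).
SAMPLE_NMAP = """\
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-10-05 16:17:08Z)
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
"""

# One port line of Nmap normal output: PORT/PROTO STATE SERVICE [VERSION]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# Services that together point to an Active Directory Domain Controller
DC_PORTS = {53: "DNS", 88: "Kerberos", 389: "LDAP"}


def parse_ports(text):
    """Return {port: (service, version)} for every open port in Nmap normal output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = (m.group(4), m.group(5) or "")
    return ports


def domain_from_ldap(version):
    """Pull the AD domain out of Nmap's LDAP version string, or None."""
    m = re.search(r"Domain:\s*([^,]+)", version)
    # Assumption: the trailing "0." is a rendering quirk of the scan above, so strip it.
    return m.group(1).rstrip("0.") if m else None


def assess(ports):
    """Summarise exposure the way the 'Key results' list above reasons about it."""
    hits = [name for port, name in DC_PORTS.items() if port in ports]
    ldap_version = ports.get(389, ("", ""))[1]
    return {
        "likely_domain_controller": len(hits) == len(DC_PORTS),
        "dc_indicators": hits,
        "domain": domain_from_ldap(ldap_version) if ldap_version else None,
        "web_server": ports[80][1] if 80 in ports else None,
        "smb_exposed": any(p in ports for p in (139, 445)),
        "winrm_exposed": 5985 in ports,
    }
```

Calling assess(parse_ports(SAMPLE_NMAP)) reproduces the three findings listed above; feeding it a saved scan (nmap -oN) of another host works the same way.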

Starting Gobuster

Since a web server is present, we initiate a Gobuster scan to enumerate directories:

sudo gobuster dir -w '/home/kali/Desktop/wordlists/dirbuster/directory-list-2.3-medium.txt' -u http://$IP:80 -t 42 -b 400,403,404