Post

RustKey 🔒

La maquina RustKey esta activa. Este artĂ­culo se publicarĂĄ para acceso pĂșblico una vez que la maquina se retire, segĂșn la polĂ­tica de HackTheBox.

Posted
Preview Image
By litio7
3 min read
RustKey 🔒

Machine Information

As is common in real life Windows pentests, you will start the RustyKey box with credentials for the following account: rr.parker / 8#t5HE8L!W3A

Information Gathering

El anĂĄlisis inicial comienza con el comando ping para confirmar la accesibilidad de la mĂĄquina objetivo en la red.

1
2
3
4
5
6
7

/home/kali/Documents/htb/machines/rustykey:-$ ping -c 1 10.129.194.131
PING 10.129.194.131 (10.129.194.131) 56(84) bytes of data.
64 bytes from 10.129.194.131: icmp_seq=1 ttl=127 time=157 ms

--- 10.129.194.131 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 156.723/156.723/156.723/0.000 ms

Realizo un escaneo agresivo de puertos con nmap, lo que me permite identificar rĂĄpidamente todos los puertos abiertos.

1
2
3

/home/kali/Documents/htb/machines/rustykey:-$ sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn -oG nmap/nmap1 10.129.92.115
Host: 10.129.92.115 ()	Status: Up
Host: 10.129.92.115 ()	Ports: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 464/open/tcp//kpasswd5///, 593/open/tcp//http-rpc-epmap///, 636/open/tcp//ldapssl///, 3268/open/tcp//globalcatLDAP///, 3269/open/tcp//globalcatLDAPssl///, 5985/open/tcp//wsman///, 9389/open/tcp//adws///, 47001/open/tcp//winrm///, 49664/open/tcp/////, 49665/open/tcp/////, 49666/open/tcp/////, 49667/open/tcp/////, 49669/open/tcp/////, 49670/open/tcp/////, 49671/open/tcp/////, 49673/open/tcp/////, 49674/open/tcp/////, 49677/open/tcp/////, 49692/open/tcp/////	Ignored State: closed (65510)

Profundizo en los puertos detectados, recopilando informaciĂłn detallada sobre los servicios y versiones en ejecuciĂłn.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58

/home/kali/Documents/htb/machines/rustykey:-$ sudo nmap -sCV -vvv -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49669,49670,49671,49673,49674,49677,49692 -oN nmap/nmap2 10.129.92.115
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 (generic dns response: SERVFAIL)
| fingerprint-strings: 
|   DNS-SD-TCP: 
|     _services
|     _dns-sd
|     _udp
|_    local
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-06-29 03:06:44Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49673/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49674/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49677/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49692/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.95%I=7%D=6/28%Time=68603D5A%P=x86_64-pc-linux-gnu%r(DNS-
SF:SD-TCP,30,"\0\.\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04
SF:_udp\x05local\0\0\x0c\0\x01");
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 8977/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 61925/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 24685/udp): CLEAN (Failed to receive data)
|   Check 4 (port 45996/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 7h59m52s
| smb2-time: 
|   date: 2025-06-29T03:07:47
|_  start_date: N/A

RustyKey Machine from Hack The Box has been Pwned

Una mĂĄquina puede estar activa o retirada. Retirada, significa que la mĂĄquina no cuenta para los puntos de temporada.

Hack The Box, Machines
windows hack the box
This post is licensed under CC BY 4.0 by the author.