└─$ sudo nmap -Pn -sV -O -A -iL fping_out.txt

Nmap scan report for 172.16.64.101
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache2 Ubuntu Default Page: It works
9080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 00:50:56:A0:66:F6 (VMware)
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), DD-WRT (Linux 3.18) (95%), DD-WRT v3.0 (Linux 4.4.2) (95%), Linux 4.4 (95%), Linux 3.16 (95%), Linux 3.18 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Android 4.1.1 (94%), Android 4.2.2 (Linux 3.4) (94%), Android 4.1.2 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.16.64.140
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: 404 HTML Template by Colorlib
MAC Address: 00:50:56:A0:3E:67 (VMware)
Aggressive OS guesses: Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), DD-WRT v3.0 (Linux 4.4.2) (95%), Linux 4.4 (95%), Linux 3.16 (95%), Android 4.1.1 (95%), Android 4.2.2 (Linux 3.4) (95%), DD-WRT (Linux 3.18) (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.1 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Nmap scan report for 172.16.64.182
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
MAC Address: 00:50:56:A0:CC:94 (VMware)
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.8 (95%), Linux 4.4 (95%), Linux 4.9 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 4.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.16.64.199
Not shown: 996 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server 2014
| ms-sql-ntlm-info:
|   Target_Name: WIN10
|   NetBIOS_Domain_Name: WIN10
|   NetBIOS_Computer_Name: WIN10
|   DNS_Domain_Name: WIN10
|   DNS_Computer_Name: WIN10
|_  Product_Version: 10.0.10586
MAC Address: 00:50:56:A0:F6:41 (VMware)
Aggressive OS guesses: Microsoft Windows 10 (96%), Microsoft Windows 10 1507 (96%), Microsoft Windows 10 1507 - 1607 (96%), Microsoft Windows 10 1511 (96%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (96%), Microsoft Windows 7 or Windows Server 2008 R2 (94%), Microsoft Windows 10 10586 - 14393 (93%), Microsoft Windows 10 1607 (93%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (93%), Microsoft Windows Server 2008 SP1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 0s
| ms-sql-info:
|   172.16.64.199:1433:
|     Version:
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_nbstat: NetBIOS name: WIN10, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:a0:f6:41 (VMware)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-08-16T04:10:22
|_  start_date: 2021-08-15T10:34:56
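
Read from the defender's side, the scan output above already names settings to fix. The Python sketch below is an added example, not part of the original write-up: it walks nmap's normal-format output and flags three lines that appear in this scan. The rule list, the hint wording and the function name `triage` are assumptions of the example, and the sample is a constructed, trimmed copy of the output.

```python
import re

# Constructed sample: a trimmed copy of the nmap output shown in this write-up.
SAMPLE = """\
Nmap scan report for 172.16.64.101
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
Nmap scan report for 172.16.64.199
1433/tcp open  ms-sql-s      Microsoft SQL Server 2014
Host script results:
| ms-sql-info:
|       Post-SP patches applied: false
| smb2-security-mode:
|_    Message signing enabled but not required
"""

# (pattern, remediation hint); the hints are this example's wording, not nmap's.
RULES = [
    (re.compile(r"Potentially risky methods: (.+)"), "restrict HTTP methods {0} if unused"),
    (re.compile(r"Post-SP patches applied: false"), "install SQL Server updates"),
    (re.compile(r"Message signing enabled but not required"), "require SMB signing"),
]
HOST = re.compile(r"^Nmap scan report for (\S+)")
PORT = re.compile(r"^(\d+)/tcp\s+open")

def triage(report):
    """Return (host, port or None, hint) for every flagged script line."""
    findings, host, port = [], None, None
    for line in report.splitlines():
        m = HOST.match(line)
        if m:                       # a new host section starts
            host, port = m.group(1), None
            continue
        m = PORT.match(line)
        if m:                       # script lines that follow belong to this port
            port = int(m.group(1))
            continue
        if line.startswith("Host script results"):
            port = None             # host-level scripts are not tied to one port
            continue
        for pattern, hint in RULES:
            m = pattern.search(line)
            if m:
                findings.append((host, port, hint.format(*m.groups())))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```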
/backups looks interesting; doing the same against it, we discover /test:
Inside it there is interesting info regarding the SQL server; we will use it to attack our fourth target now.
Third Target (Ubuntu Host):
172.16.64.182
Apparently it got hacked by hacking the 4th target; we found the SSH credentials.
Fourth Target (Win10 SQL Server):
172.16.64.199
Really helpful:
From target 2 we got a username/password; let's try to log in with them in the Metasploit console: