NINJA HACKER ACADEMY (NHA) is written as a training challenge, whereas GOAD was written as a lab with a maximum of vulns. You should find your way in and get domain admin on the 2 domains (academy.ninja.lan and ninja.hack).
Flags are placed on each machine; try to grab them all. Be careful: all the machines are up to date with Defender enabled. Some exploits need to modify the path, so this lab is not very multi-player compliant (unless you do it as a team ;)). Obviously do not cheat by looking at the passwords and flags in the recipe files; the lab must be done from no user to full compromise.
Let's start by doing recon on the network by scanning it with nmap.
I normally like to scan for open ports first and then enumerate the services running on those ports, so I use the command below: the first sweep collects every open TCP port across the /24 into $Ports, and the second pass runs the default scripts and version detection against just those ports.
Ports=$(sudo nmap -p- --min-rate 300 --max-rate 500 -Pn 192.168.58.0/24 | grep "^[0-9]" | cut -d '/' -f 1 | tr '\n' ',' | sed "s/,$//")
sudo nmap -sC -sV -p$Ports -oN Full_TCP_Scan_245 192.168.58.0/24
192.168.58.10
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-16 11:11:38Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ninja.hack0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-16T11:14:09+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=dc-vil.ninja.hack
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc-vil.ninja.hack
| Not valid before: 2024-10-16T08:00:00
|_Not valid after: 2025-10-16T08:00:00
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: ninja.hack0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc-vil.ninja.hack
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc-vil.ninja.hack
| Not valid before: 2024-10-16T08:00:00
|_Not valid after: 2025-10-16T08:00:00
|_ssl-date: 2024-10-16T11:14:09+00:00; 0s from scanner time.
1433/tcp filtered ms-sql-s
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ninja.hack0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-16T11:14:08+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=dc-vil.ninja.hack
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc-vil.ninja.hack
| Not valid before: 2024-10-16T08:00:00
|_Not valid after: 2025-10-16T08:00:00
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: ninja.hack0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc-vil.ninja.hack
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc-vil.ninja.hack
| Not valid before: 2024-10-16T08:00:00
|_Not valid after: 2025-10-16T08:00:00
|_ssl-date: 2024-10-16T11:14:09+00:00; 0s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc-vil.ninja.hack
| Not valid before: 2024-10-15T07:55:01
|_Not valid after: 2025-04-16T07:55:01
|_ssl-date: 2024-10-16T11:14:08+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn:
|_ http/1.1
|_ssl-date: 2024-10-16T11:14:09+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-10-14T16:25:27
|_Not valid after: 2027-10-14T16:25:27
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp filtered winrm
49664/tcp filtered unknown
49665/tcp filtered unknown
49666/tcp filtered unknown
49667/tcp filtered unknown
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp filtered unknown
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49673/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
49700/tcp filtered unknown
49703/tcp open msrpc Microsoft Windows RPC
49749/tcp filtered unknown
58752/tcp filtered unknown
59321/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:A9:AB:DB (VMware)
Service Info: Host: DC-VIL; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: DC-VIL, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:a9:ab:db (VMware)
| smb2-time:
| date: 2024-10-16T11:13:26
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
192.168.58.20
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp filtered http
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-16 11:11:45Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: academy.ninja.lan, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp filtered ms-sql-s
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: academy.ninja.lan, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc-ac.academy.ninja.lan
| Not valid before: 2024-10-15T07:55:00
|_Not valid after: 2025-04-16T07:55:00
|_ssl-date: 2024-10-16T11:14:09+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-10-14T16:27:06
|_Not valid after: 2027-10-14T16:27:06
|_ssl-date: 2024-10-16T11:14:09+00:00; +1s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| tls-alpn:
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
47001/tcp filtered winrm
49664/tcp filtered unknown
49665/tcp filtered unknown
49666/tcp filtered unknown
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp filtered unknown
49669/tcp filtered unknown
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
49700/tcp filtered unknown
49703/tcp filtered unknown
49749/tcp filtered unknown
58752/tcp open msrpc Microsoft Windows RPC
59321/tcp filtered unknown
MAC Address: 00:0C:29:F6:76:29 (VMware)
Service Info: Host: DC-AC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-10-16T11:13:30
|_ start_date: N/A
|_nbstat: NetBIOS name: DC-AC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:f6:76:29 (VMware)
192.168.58.21
Nmap scan report for 192.168.58.21
Host is up (0.00067s latency).
Not shown: 28 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Home Page - NHA - Ninja Hacker Academy
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=web.academy.ninja.lan
| Not valid before: 2024-10-15T07:59:28
|_Not valid after: 2025-04-16T07:59:28
|_ssl-date: 2024-10-16T11:14:09+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2024-10-16T11:14:09+00:00; 0s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_ http/1.1
|_http-title: Not Found
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-10-14T16:28:36
|_Not valid after: 2027-10-14T16:28:36
MAC Address: 00:0C:29:26:52:20 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-10-16T11:13:31
|_ start_date: N/A
192.168.58.22
Nmap scan report for 192.168.58.22
Host is up (0.0013s latency).
PORT STATE SERVICE VERSION
53/tcp closed domain
80/tcp closed http
88/tcp closed kerberos-sec
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp closed ldap
445/tcp open microsoft-ds?
464/tcp closed kpasswd5
593/tcp closed http-rpc-epmap
636/tcp closed ldapssl
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 192.168.58.22:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-10-16T09:37:07
|_Not valid after: 2054-10-16T09:37:07
| ms-sql-ntlm-info:
| 192.168.58.22:1433:
| Target_Name: ACADEMY
| NetBIOS_Domain_Name: ACADEMY
| NetBIOS_Computer_Name: SQL
| DNS_Domain_Name: academy.ninja.lan
| DNS_Computer_Name: sql.academy.ninja.lan
| DNS_Tree_Name: academy.ninja.lan
|_ Product_Version: 10.0.17763
|_ssl-date: 2024-10-16T11:14:09+00:00; 0s from scanner time.
3268/tcp closed globalcatLDAP
3269/tcp closed globalcatLDAPssl
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-10-16T11:14:09+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: ACADEMY
| NetBIOS_Domain_Name: ACADEMY
| NetBIOS_Computer_Name: SQL
| DNS_Domain_Name: academy.ninja.lan
| DNS_Computer_Name: sql.academy.ninja.lan
| DNS_Tree_Name: academy.ninja.lan
| Product_Version: 10.0.17763
|_ System_Time: 2024-10-16T11:13:25+00:00
| ssl-cert: Subject: commonName=sql.academy.ninja.lan
| Not valid before: 2024-10-15T07:59:28
|_Not valid after: 2025-04-16T07:59:28
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2024-10-16T11:14:09+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-10-14T16:30:08
|_Not valid after: 2027-10-14T16:30:08
| tls-alpn:
|_ http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp closed adws
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49673/tcp closed unknown
49674/tcp closed unknown
49689/tcp closed unknown
49700/tcp open msrpc Microsoft Windows RPC
49703/tcp closed unknown
49749/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 192.168.58.22:49749:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 49749
|_ssl-date: 2024-10-16T11:14:09+00:00; 0s from scanner time.
| ms-sql-ntlm-info:
| 192.168.58.22:49749:
| Target_Name: ACADEMY
| NetBIOS_Domain_Name: ACADEMY
| NetBIOS_Computer_Name: SQL
| DNS_Domain_Name: academy.ninja.lan
| DNS_Computer_Name: sql.academy.ninja.lan
| DNS_Tree_Name: academy.ninja.lan
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-10-16T09:37:07
|_Not valid after: 2054-10-16T09:37:07
58752/tcp closed unknown
59321/tcp closed unknown
MAC Address: 00:0C:29:5E:96:FC (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: SQL, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:5e:96:fc (VMware)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-10-16T11:13:35
|_ start_date: N/A
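The scan above already answers the questions that matter at this stage (which hosts are DCs, what domain each belongs to, and which SMB servers enforce signing). As an added example that is not part of the original writeup, the parser below reads nmap's normal (-oN) output in the format shown on this page and summarises each host; the embedded sample is a constructed, trimmed excerpt of the output above. The smb_signing_not_required helper reproduces the observation that web (.21) and sql (.22) do not require SMB signing, which is the check a defender would run on the same output.

```python
import re

# Constructed sample: a trimmed excerpt of the nmap -oN output shown on this page.
SAMPLE = """\
Nmap scan report for 192.168.58.10
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ninja.hack0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
| ssl-cert: Subject: commonName=dc-vil.ninja.hack
|_ Message signing enabled and required
Nmap scan report for 192.168.58.21
80/tcp open http Microsoft IIS httpd 10.0
445/tcp open microsoft-ds?
| ssl-cert: Subject: commonName=web.academy.ninja.lan
|_ Message signing enabled but not required
Nmap scan report for 192.168.58.22
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=sql.academy.ninja.lan
|_ Message signing enabled but not required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
CN_RE = re.compile(r"commonName=([\w.-]+)")
DOMAIN_RE = re.compile(r"\(Domain: ([^,]+),")
SIGN_RE = re.compile(r"Message signing (.+)$")

def parse_nmap(text):
    """Map each scanned IP to its open ports, certificate hostname, AD domain and SMB signing mode."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = hosts.setdefault(m.group(1), {"hostname": None, "domain": None, "ports": [], "smb_signing": None})
        elif cur is None:
            continue                       # ignore anything before the first host header
        elif m := PORT_RE.match(line):
            cur["ports"].append((int(m.group(1)), m.group(2)))
            if d := DOMAIN_RE.search(line):
                # nmap prints a stray "0." after some DC domain names (see 192.168.58.10 above)
                cur["domain"] = d.group(1).removesuffix("0.")
        elif (m := CN_RE.search(line)) and cur["hostname"] is None:
            cur["hostname"] = m.group(1)   # first cert CN seen; the RDP/LDAP certs carry the FQDN
        elif m := SIGN_RE.search(line):
            cur["smb_signing"] = m.group(1).strip()
    return hosts

def smb_signing_not_required(hosts):
    """IPs exposing 445 whose smb2-security-mode reports signing as not required."""
    return [ip for ip, h in hosts.items()
            if 445 in dict(h["ports"]) and "not required" in (h["smb_signing"] or "")]
```

Run it against the full Full_TCP_Scan_245 file instead of SAMPLE to get the same summary for every host in the lab.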