V.9 (Part 8) – Token Terminal2

Categories Tutorials

So here we are again, but this time to show how we have got the Token from Terminal2 machine.
Doing an nmap scan to the target machine and enumerating it’s services we noticed that this server have a remote desktop port open.

d.nash@tl9-ssh:~$ nmap

Starting Nmap 6.00 ( ) at 2016-09-19 11:21 MSK
Nmap scan report for
Host is up (0.00052s latency).
Not shown: 989 closed ports
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
49159/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1.42 seconds

We this information we start to try the username and passwords combinations we got.
Guess what? One of them worked:

sudo proxychains rdesktop -u d.rector -p  J***a***

With access to our server, we see that we have a file on the desktop with the name token_terminal2.
We open the file, and there it is. Our Token!!! i***x**f

No Comments

Leave a Reply

Your email address will not be published. Required fields are marked *