Pentestit.ru V.9 (Part 8) – Token Terminal2
So here we are again, this time to show how we got the token from the Terminal2 machine.
After running an nmap scan against the target machine and enumerating its services, we noticed that this server has a remote desktop port open.
d.nash@tl9-ssh:~$ nmap 192.168.3.2
Starting Nmap 6.00 ( http://nmap.org ) at 2016-09-19 11:21 MSK
Nmap scan report for 192.168.3.2
Host is up (0.00052s latency).
Not shown: 989 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
49159/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 1.42 seconds
With this information, we started trying the username and password combinations we had already obtained.
Guess what? One of them worked:
sudo proxychains rdesktop -u d.rector -p J***a*** 192.168.3.2
With access to the server, we see a file on the desktop named token_terminal2.
We open the file, and there it is. Our Token!!! i***x**f