PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain?       syn-ack ttl 127
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-10-12 10:06:51Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.darkzero.htb
| Issuer: commonName=darkzero-DC01-CA/domainComponent=darkzero
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-07-29T11:40:00
| Not valid after: 2026-07-29T11:40:00
| MD5: ce57 1ac8 da76 eb62 efe8 4e85 045b d440
| SHA-1: 603a f638 aabb 7eaa 1bdb 4256 5869 4de2 98b6 570c
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
1433/tcp  open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 16.00.1000.00
| ms-sql-ntlm-info:
|   Target_Name: darkzero
|   NetBIOS_Domain_Name: darkzero
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: darkzero.htb
|   DNS_Computer_Name: DC01.darkzero.htb
|   DNS_Tree_Name: darkzero.htb
|_  Product_Version: 10.0.26100
2179/tcp  open  vmrdp?        syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49686/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49687/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49909/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49947/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49993/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
54502/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m58s
| ms-sql-info:
|   10.10.11.89:1433:
|     Version:
|       name: Microsoft SQL Server
|       number: 16.00.1000.00
|       Product: Microsoft SQL Server
|_    TCP port: 1433
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 47014/tcp): CLEAN (Timeout)
|   Check 2 (port 35679/tcp): CLEAN (Timeout)
|   Check 3 (port 7628/udp): CLEAN (Timeout)
|   Check 4 (port 13287/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
msf6 post(multi/recon/local_exploit_suggester) > run

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_dotnet_profiler                Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/bypassuac_sdclt                          Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/cve_2022_21882_win32k                    Yes                      The service is running, but could not be validated. May be vulnerable, but exploit not tested on Windows Server 2022
 4   exploit/windows/local/cve_2022_21999_spoolfool_privesc         Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/cve_2023_28252_clfs_driver               Yes                      The target appears to be vulnerable. The target is running windows version: 10.0.20348.0 which has a vulnerable version of clfs.sys installed by default
 6   exploit/windows/local/cve_2024_30085_cloud_files               Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/cve_2024_30088_authz_basep               Yes                      The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
 8   exploit/windows/local/cve_2024_35250_ks_driver                 Yes                      The target appears to be vulnerable. ks.sys is present, Windows Version detected: Windows Server 2022
 9   exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.