Lookback

Challenge: Lookback

For this challenge we are asked to run a vulnerability test on a production environment.

We start with an AutoRecon against our target. 

PORT     STATE SERVICE       REASON          VERSION
80/tcp   open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-IIS/10.0
443/tcp  open  ssl/https     syn-ack ttl 127
| ssl-cert: Subject: commonName=WIN-12OUO7A66M7
| Subject Alternative Name: DNS:WIN-12OUO7A66M7, DNS:WIN-12OUO7A66M7.thm.local
| Issuer: commonName=WIN-12OUO7A66M7
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-01-25T21:34:02
| Not valid after:  2028-01-25T21:34:02
| MD5:   84e0:805f:3667:c38f:d820:4e7c:1da0:4215
| SHA-1: 0845:8fd9:d9bf:c4c6:48db:1f82:d3e7:324e:a924:52d7
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-title: Outlook
|_Requested resource was https://10.10.173.178/owa/auth/logon.aspx?url=https%3a%2f%2f10.10.173.178%2fowa%2f&reason=0
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: THM
|   NetBIOS_Domain_Name: THM
|   NetBIOS_Computer_Name: WIN-12OUO7A66M7
|   DNS_Domain_Name: thm.local
|   DNS_Computer_Name: WIN-12OUO7A66M7.thm.local
|   DNS_Tree_Name: thm.local
|   Product_Version: 10.0.17763
|_  System_Time: 2025-11-19T10:58:21+00:00
| ssl-cert: Subject: commonName=WIN-12OUO7A66M7.thm.local
| Issuer: commonName=WIN-12OUO7A66M7.thm.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-11-18T10:51:23
| Not valid after:  2026-05-20T10:51:23
| MD5:   4170:7106:9b97:9a56:8767:49dd:9016:ea08
| SHA-1: d9e9:e033:5782:6933:38fd:0820:72fc:1246:81df:bcdf
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2019
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Windows Server 2019 (92%)
No exact OS matches for host (test conditions non-ideal).

We add the hostname of the machine to our /etc/hosts: 

10.10.109.226 WIN-12OUO7A66M7.thm.local

In our AutoRecon output we see a webpage for OWA (Outlook Web Authentication) so we surf there:

https://win-12ouo7a66m7.thm.local/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fwin-12ouo7a66m7.thm.local%2fowa%2f

Let's enumerate using fff: