111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/tcp6 rpcbind | 100000 2,3,4 111/udp rpcbind | 100000 2,3,4 111/udp6 rpcbind | 100003 2,3 2049/udp nfs | 100003 2,3 2049/udp6 nfs | 100003 2,3,4 2049/tcp nfs | 100003 2,3,4 2049/tcp6 nfs | 100005 1,2,3 2049/tcp mountd | 100005 1,2,3 2049/tcp6 mountd | 100005 1,2,3 2049/udp mountd | 100005 1,2,3 2049/udp6 mountd | 100021 1,2,3,4 2049/tcp nlockmgr | 100021 1,2,3,4 2049/tcp6 nlockmgr | 100021 1,2,3,4 2049/udp nlockmgr | 100021 1,2,3,4 2049/udp6 nlockmgr | 100024 1 2049/tcp status | 100024 1 2049/tcp6 status | 100024 1 2049/udp status |_ 100024 1 2049/udp6 status 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 2049/tcp open nlockmgr 1-4 (RPC #100021) 3389/tcp open ms-wbt-server Microsoft Terminal Services | ssl-cert: Subject: commonName=WINMEDIUM | Not valid before: 2025-01-17T10:41:26 |Not valid after: 2025-07-19T10:41:26 | rdp-ntlm-info: | Target_Name: WINMEDIUM | NetBIOS_Domain_Name: WINMEDIUM | NetBIOS_Computer_Name: WINMEDIUM | DNS_Domain_Name: WINMEDIUM | DNS_Computer_Name: WINMEDIUM | Product_Version: 10.0.17763 | System_Time: 2025-01-18T12:12:14+00:00 |_ssl-date: 2025-01-18T12:12:22+00:00; 0s from scanner time. Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Method : Mount nfs , get alex creds in ticket
lol123!mD
then access smb to get sa creds in important.txt
sa:87N1ns@slls83
launch sql manager as admin with same password
then go to db find HTB password as lnch7ehrdn43i7AoqVPK4zWR