$ sudo rustscan -b 8192 -u 16384 -a 10.10.199.141 -- -sS -sV -sC -oN 10.10.199.141.$(basename $PWD).nmap.txt
# Nmap 7.92 scan initiated Fri Dec 17 17:13:20 2021 as: nmap -Pn -vvv -p 80,3389 -sS -sV -sC -oN 10.10.199.141.anthem.nmap.txt 10.10.199.141
Nmap scan report for 10.10.199.141
Host is up, received user-set (0.15s latency).
Scanned at 2021-12-17 17:13:21 PST for 12s
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-robots.txt: 4 disallowed entries
|_/bin/ /config/ /umbraco/ /umbraco_client/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Anthem.com - Welcome to our blog
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WIN-LU09299160F
| NetBIOS_Domain_Name: WIN-LU09299160F
| NetBIOS_Computer_Name: WIN-LU09299160F
| DNS_Domain_Name: WIN-LU09299160F
| DNS_Computer_Name: WIN-LU09299160F
| Product_Version: 10.0.17763
|_ System_Time: 2021-12-18T01:13:29+00:00
|_ssl-date: 2021-12-18T01:13:33+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=WIN-LU09299160F
| Issuer: commonName=WIN-LU09299160F
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-12-17T01:02:32
| Not valid after: 2022-06-18T01:02:32
| MD5: b160 cd82 bf83 ca71 0862 b283 034d cefd
| SHA-1: cc91 f9e4 add1 a33a e741 e9f8 2fcf 3b60 85ee bb4a
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
# Nmap done at Fri Dec 17 17:13:33 2021 -- 1 IP address (1 host up) scanned in 13.25 seconds
| Port | Service |
|---|---|
| 80 | Webserver running Microsoft HTTPAPI httpd 2.0 |
| 3389 | Microsoft Remote Desktop |
We eventually find the username because the name of the poem is Solomon Grundy. Okay. Whatever. Never heard of that over here stateside.
[email protected]:UmbracoIsTheBest!
You can use the `sg` username and the `UmbracoIsTheBest!` password to get a Remote Desktop session on the machine.
In `c:\backups` you can find a text file that you don't have permissions to read. However, you do have permission to change your... permission. So give yourself permission to read the file and read the password: `ChangeMeBaby1MoreTime`.
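The misconfiguration used in this step, a file whose ACL blocks read but still lets a low-privileged user rewrite that ACL, can be audited for on a host. The script below is an added example, not part of the original write-up; the default path, the trusted-principal list and the output field names are assumptions.

```powershell
# Added example: list files whose ACL lets a non-administrative principal
# rewrite the ACL (as owner, or via ChangePermissions / TakeOwnership).
# $Path and $trusted are assumptions; adjust them for the host being audited.
param(
    [string]$Path = 'C:\backups'
)

$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Rights that let a principal grant itself read access later.
$daclControl = [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    try { $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop }
    catch { return }   # ACL not readable by the auditing account; skip this file

    # The owner can always rewrite the DACL, whatever the ACEs say.
    if ($acl.Owner -and $trusted -notcontains $acl.Owner) {
        [pscustomobject]@{ File = $file.FullName; Principal = $acl.Owner; Reason = 'Owner' }
    }

    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or $trusted -contains $who) { continue }
        if (($ace.FileSystemRights -band $daclControl) -ne 0) {
            [pscustomobject]@{
                File      = $file.FullName
                Principal = $who
                Reason    = "ACE: $($ace.FileSystemRights)"
            }
        }
    }
}
```

Run it from an elevated session so every ACL is readable. It does not resolve group membership or weigh Deny entries, so each hit should be reviewed by hand.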
From here you can get an Administrator command prompt:
```
runas /user:Administrator cmd.exe
```