Scrambled - HTB [Discussion]
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
4411/tcp  open  found
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49690/tcp open  unknown
49694/tcp open  unknown
50321/tcp open  unknown
Reply
There's something running on 4411 (accessible through ssh, telnet) but can't seem to understand how it works yet
Reply
(June 11, 2022, 07:34 PM)Toto Wrote: There's something running on 4411 (accessible through ssh, telnet) but can't seem to understand how it works yet


It's this tool: http://scrambled.htb/salesorders.html

You can connect to it using netcat:

nc 10.129.xxx.xxx 4411
SCRAMBLECORP_ORDERS_V1.0.3;
test
ERROR_UNKNOWN_COMMAND;


I couldn't find any valid commands.
Reply
Yeah I know, I've been trying to find commands, QUIT in caps works, got nothing else for now
Reply
LOGON gives ERROR_INVALID_CREDENTIALS
Reply
How did you find that, if it's all right to share?
Reply
Port 4411 will be used later for debugging logs. It's been mentioned on the website.

Here are a few facts gathered from the website so far:

1. Users' passwords can be changed by emailing the username, and the password will be reset to the username itself.
2. There must be a way to download the salesorder client software, which allows debugging to be enabled. (Need to find the software somehow)
3. New user account form only allows the GET method (OPTIONS, TRACE, etc. are allowed) but not the POST method. It does not return anything.
4. nc 10.10.11.168 4411 and typing LOGON returns invalid credentials
5. ksimpson might be a valid username!!! - Not sure
Reply
Valid users from kerberos
[+] VALID USERNAME: [email protected]
[+] VALID USERNAME: [email protected]
[+] VALID USERNAME: [email protected]
[+] VALID USERNAME: [email protected]
Reply
(June 11, 2022, 09:53 PM)deepa Wrote: Port 4411 will be used later for debugging logs. It's been mentioned on the website.

Here are a few facts gathered from the website so far:

1. Users' passwords can be changed by emailing the username, and the password will be reset to the username itself.
2. There must be a way to download the salesorder client software, which allows debugging to be enabled. (Need to find the software somehow)
3. New user account form only allows the GET method (OPTIONS, TRACE, etc. are allowed) but not the POST method. It does not return anything.
4. nc 10.10.11.168 4411 and typing LOGON returns invalid credentials
5. ksimpson might be a valid username!!! - Not sure

    __            __              __   
  / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/  \__,_/\__/\___/                                       

Version: dev (n/a) - 06/11/22 - Ronnie Flathers @ropnop

2022/06/11 22:20:48 >  Using KDC(s):
2022/06/11 22:20:48 >  scrm.local:88

2022/06/11 22:20:49 >  [+] VALID LOGIN: [email protected]:ksimpson
2022/06/11 22:20:49 >  Done! Tested 1 logins (1 successes) in 1.084 seconds

it's a valid user
Reply
(June 11, 2022, 10:17 PM)MrFingerToes Wrote: Valid users from kerberos
[+] VALID USERNAME:      [email protected]
[+] VALID USERNAME:      [email protected]
[+] VALID USERNAME:      [email protected]
[+] VALID USERNAME:      [email protected]


How did you figure this out? Command?


(June 11, 2022, 10:22 PM)infosecsy19 Wrote:
(June 11, 2022, 09:53 PM)deepa Wrote: Port 4411 will be used later for debugging logs. It's been mentioned on the website.

Here are a few facts gathered from the website so far:

1. Users' passwords can be changed by emailing the username, and the password will be reset to the username itself.
2. There must be a way to download the salesorder client software, which allows debugging to be enabled. (Need to find the software somehow)
3. New user account form only allows the GET method (OPTIONS, TRACE, etc. are allowed) but not the POST method. It does not return anything.
4. nc 10.10.11.168 4411 and typing LOGON returns invalid credentials
5. ksimpson might be a valid username!!! - Not sure

    __            __              __   
  / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/  \__,_/\__/\___/                                       

Version: dev (n/a) - 06/11/22 - Ronnie Flathers @ropnop

2022/06/11 22:20:48 >  Using KDC(s):
2022/06/11 22:20:48 >  scrm.local:88

2022/06/11 22:20:49 >  [+] VALID LOGIN: [email protected]:ksimpson
2022/06/11 22:20:49 >  Done! Tested 1 logins (1 successes) in 1.084 seconds


it's a valid user


I tested it too but smb is closed for this user :/
Reply
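
Seen from the domain controller, the Kerberos username checks and the login quoted in this thread appear as event 4768: result code 0x6 for each name the KDC does not know, then 0x0 when a ticket is issued. The Python below is an added example for defenders, not part of any post; it assumes Kerberos Authentication Service auditing (success and failure) is enabled, and the CSV layout, source addresses, threshold and sample events are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: time, event ID, client IP, account, Kerberos result code.
SAMPLE_EVENTS = """\
2022-06-11T22:10:01,4768,10.10.14.7,admin,0x6
2022-06-11T22:10:01,4768,10.10.14.7,backup,0x6
2022-06-11T22:10:02,4768,10.10.14.7,guest,0x6
2022-06-11T22:10:02,4768,10.10.14.7,svc_web,0x6
2022-06-11T22:10:03,4768,10.10.14.7,jdoe,0x6
2022-06-11T22:20:49,4768,10.10.14.7,ksimpson,0x0
2022-06-11T22:21:30,4768,10.0.0.25,asmith,0x0
2022-06-11T22:25:00,4768,10.0.0.31,asmtih,0x6
"""

UNKNOWN_PRINCIPAL = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN: no such account
SUCCESS = "0x0"            # TGT issued


def find_enumeration(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each enumerating source IP to the accounts it later got a TGT for.

    A source is flagged once it requests `threshold` distinct unknown
    account names within `window`; a single typo does not trip it.
    """
    misses = defaultdict(list)  # ip -> [(time, account)] unknown-principal failures
    flagged = {}
    # ISO 8601 timestamps sort chronologically as plain strings.
    rows = sorted(csv.reader(io.StringIO(log_text)))
    for ts, event_id, ip, account, code in rows:
        if event_id != "4768":
            continue
        when = datetime.fromisoformat(ts)
        if code == UNKNOWN_PRINCIPAL:
            misses[ip].append((when, account))
            recent = {a for t, a in misses[ip] if when - t <= window}
            if len(recent) >= threshold:
                flagged.setdefault(ip, [])
        elif code == SUCCESS and ip in flagged:
            # Ticket issued to a source that was just guessing names:
            # treat the account's password as exposed and reset it.
            flagged[ip].append(account)
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_enumeration(SAMPLE_EVENTS).items():
        print(f"{ip}: enumeration burst, then TGT issued for {accounts}")
```

Accounts returned for a flagged source are the ones to reset first, which matters most where a reset sets the password to the username.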

