Enumerating as tolis
System/Kernel
c:\ColdFusion8\runtime\bin> systeminfo
systeminfo
host name: ARCTIC
os name: Microsoft Windows Server 2008 R2 Standard
os version: 6.1.7600 N/A Build 7600
os manufacturer: Microsoft Corporation
os configuration: Standalone Server
os build type: Multiprocessor Free
registered owner: Windows User
registered organization:
product id: 55041-507-9857321-84451
original install date: 22/3/2017, 11:09:45
system boot time: 18/10/2022, 4:22:01
system manufacturer: VMware, Inc.
system model: VMware Virtual Platform
system type: x64-based PC
processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
bios version: Phoenix Technologies LTD 6.00, 12/12/2018
windows directory: C:\Windows
system directory: C:\Windows\system32
boot device: \Device\HarddiskVolume1
system locale: el;Greek
input locale: en-us;English (United States)
time zone: (UTC+02:00) Athens, Bucharest, Istanbul
total physical memory: 6.143 MB
available physical memory: 5.107 MB
virtual memory: Max Size: 12.285 MB
virtual memory: Available: 11.277 MB
virtual memory: In Use: 1.008 MB
page file location(s): C:\pagefile.sys
domain: HTB
logon server: N/A
hotfix(s): N/A
network card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
connection name: Local Area Connection
dhcp enabled: No
IP address(es)
[01]: 10.10.10.11
Summary: Microsoft Windows Server 2008 R2 Standard, 6.1.7600 Build 7600 (RTM, no SP1), x64, and no hotfixes installed (hotfix(s): N/A), so this is an unpatched RTM kernel.
Networks
C:\ColdFusion8\runtime\bin> netstat -ano -p tcp
netstat -ano -p tcp
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 672
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:2522 0.0.0.0:0 LISTENING 1164
TCP 0.0.0.0:2930 0.0.0.0:0 LISTENING 1164
TCP 0.0.0.0:6085 0.0.0.0:0 LISTENING 1164
TCP 0.0.0.0:6086 0.0.0.0:0 LISTENING 1080
TCP 0.0.0.0:7999 0.0.0.0:0 LISTENING 1164
TCP 0.0.0.0:8500 0.0.0.0:0 LISTENING 1164
TCP 0.0.0.0:9921 0.0.0.0:0 LISTENING 2236
TCP 0.0.0.0:9951 0.0.0.0:0 LISTENING 1300
TCP 0.0.0.0:9961 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:19997 0.0.0.0:0 LISTENING 1180
TCP 0.0.0.0:19998 0.0.0.0:0 LISTENING 1224
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 364
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 740
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 796
TCP 0.0.0.0:49159 0.0.0.0:0 LISTENING 1164
TCP 0.0.0.0:49171 0.0.0.0:0 LISTENING 488
TCP 0.0.0.0:49175 0.0.0.0:0 LISTENING 472
TCP 10.10.10.11:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.11:8500 10.10.14.5:39454 TIME_WAIT 0
TCP 10.10.10.11:8500 10.10.14.5:39466 TIME_WAIT 0
TCP 10.10.10.11:8500 10.10.14.5:39470 TIME_WAIT 0
TCP 10.10.10.11:8500 10.10.14.5:39474 TIME_WAIT 0
TCP 10.10.10.11:8500 10.10.14.5:39598 TIME_WAIT 0
TCP 10.10.10.11:8500 10.10.14.5:39614 TIME_WAIT 0
TCP 10.10.10.11:8500 10.10.14.5:39670 ESTABLISHED 1164
TCP 10.10.10.11:8500 10.10.14.5:44066 TIME_WAIT 0
TCP 10.10.10.11:8500 10.10.14.5:44070 TIME_WAIT 0
TCP 10.10.10.11:8500 10.10.14.5:50074 TIME_WAIT 0
TCP 10.10.10.11:8500 10.10.14.5:53928 TIME_WAIT 0
TCP 10.10.10.11:49350 10.10.14.5:9999 ESTABLISHED 1164
TCP 127.0.0.1:9951 127.0.0.1:49169 ESTABLISHED 1300
TCP 127.0.0.1:49169 127.0.0.1:9951 ESTABLISHED 2496
TCP 127.0.0.1:49357 127.0.0.1:9921 TIME_WAIT 0
TCP 127.0.0.1:49358 127.0.0.1:9961 TIME_WAIT 0
TCP 127.0.0.1:49359 127.0.0.1:9921 TIME_WAIT 0
TCP 127.0.0.1:49360 127.0.0.1:9961 TIME_WAIT 0
TCP 127.0.0.1:49361 127.0.0.1:9921 TIME_WAIT 0
TCP 127.0.0.1:49362 127.0.0.1:9961 TIME_WAIT 0
TCP 127.0.0.1:49363 127.0.0.1:9921 TIME_WAIT 0
TCP 127.0.0.1:49364 127.0.0.1:9961 TIME_WAIT 0

PID 1164 owns the ColdFusion listener on 8500 (and 2522, 2930, 6085, 7999, 49159) as well as the only outbound ESTABLISHED connection, 10.10.10.11:49350 -> 10.10.14.5:9999: that is our reverse shell, so the shell is running inside the ColdFusion process. The TIME_WAIT entries on 8500 from 10.10.14.5 are left over from our own requests. Everything else listening on 0.0.0.0 is only reachable through this shell or a pivot, because the host firewall (see Firewall & AV) admits nothing inbound except TCP 8500.
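The mapping above was done by eye. As an added example that is not part of the original notes, the following PowerShell 2.0 compatible script does the join automatically: it parses netstat -ano -p tcp, attaches the owning process name from Get-Process to every row, and lists listeners by process plus any established connection to a non-loopback peer (which is where a reverse shell, an admin session or a database link shows up). It assumes the English netstat column layout shown above; Server 2008 R2 has no Get-NetTCPConnection, so text parsing is the only option there.

```powershell
# Added example (not from the original notes). Joins "netstat -ano -p tcp"
# to Get-Process so every listener and connection carries a process name.
# PowerShell 2.0 compatible: Server 2008 R2 has no Get-NetTCPConnection.
# Assumes the English netstat column layout (Proto Local Foreign State PID).

$procs = @{}
Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_.ProcessName }

function Get-TcpTable {
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
            $owner = [int]$matches[6]
            $name = $procs[$owner]
            # PID 0 (TIME_WAIT rows) or a process that exited since Get-Process ran
            if (-not $name) { $name = '?' }
            New-Object PSObject -Property @{
                Process     = $name
                PID         = $owner
                LocalAddr   = $matches[1]
                LocalPort   = [int]$matches[2]
                ForeignAddr = $matches[3]
                ForeignPort = [int]$matches[4]
                State       = $matches[5]
            }
        }
    }
}

$table = Get-TcpTable

"== Listening ports by owning process =="
$table | Where-Object { $_.State -eq 'LISTENING' } |
    Sort-Object Process, LocalPort |
    Format-Table Process, PID, LocalAddr, LocalPort -AutoSize

"== Established connections to non-loopback peers =="
$table | Where-Object { $_.State -eq 'ESTABLISHED' -and $_.ForeignAddr -notlike '127.*' } |
    Format-Table Process, PID, LocalAddr, LocalPort, ForeignAddr, ForeignPort -AutoSize
```

Run it in the same session as netstat: process IDs are only meaningful for one snapshot, and a service restart between two captures leaves the PIDs in netstat pointing at processes that no longer exist.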
Users & Groups
c:\ColdFusion8\runtime\bin> net user
net user
User accounts for \\ARCTIC
-------------------------------------------------------------------------------
Administrator Guest tolis
The command completed successfully.
c:\ColdFusion8\runtime\bin> net localgroup
net localgroup
Aliases for \\ARCTIC
-------------------------------------------------------------------------------
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Guests
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*Remote Desktop Users
*Replicator
*Users
The command completed successfully.
Processes
C:\ColdFusion8\runtime\bin> Powershell -ep bypass -Command ps
Powershell -ep bypass -Command ps
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
40 6 844 2916 41 1040 CF8DotNetsvc
38 5 2024 2600 22 0,00 3292 cmd
38 5 2056 2632 22 0,00 3560 cmd
31 5 944 2580 26 1092 conhost
31 5 1000 2656 26 0,09 1180 conhost
32 5 944 2580 26 1240 conhost
31 4 896 2408 22 2256 conhost
31 4 892 2400 22 2480 conhost
31 4 936 2420 22 0,00 3328 conhost
33 5 936 2424 22 0,03 3620 conhost
791 13 2064 4248 48 324 csrss
71 9 5904 5728 47 388 csrss
201 16 4260 11252 56 3040 dllhost
0 0 0 24 0 0 Idle
322 37 35672 23612 532 1080 JNBDotNetSide
2077 50 366200 348788 958 32,89 1172 jrun
51 6 1300 2920 23 0,11 1144 jrunsvc
264 32 8880 10888 113 1308 k2admin
445 35 9576 10508 128 2464 k2index
387 20 14876 12012 81 2248 k2server
165 25 7408 15360 86 744 LogonUI
554 19 4096 9924 44 488 lsass
136 7 2040 3592 17 496 lsm
97 12 4904 9236 59 1772 ManagementAgentHost
148 18 3412 7748 60 3216 msdtc
255 21 60100 53748 545 0,34 3232 powershell
214 13 4344 8076 38 480 services
30 2 440 1056 5 232 smss
263 19 6036 10776 80 928 spoolsv
168 9 3008 9252 41 4088 sppsvc
295 32 9408 11996 54 268 svchost
348 14 4088 9340 46 592 svchost
211 15 3100 7184 36 668 svchost
274 15 8068 10232 47 752 svchost
800 35 18080 30296 142 796 svchost
561 25 6920 13168 64 844 svchost
89 8 1608 4912 30 896 svchost
410 27 10348 14524 145 936 svchost
46 4 932 2584 13 1416 svchost
95 11 2132 5652 34 1960 svchost
216 15 3980 5760 50 1188 swagent
220 17 4256 6232 60 1232 swsoc
22 4 972 2576 15 1220 swstrtr
481 0 112 304 3 4 System
218 14 3956 9248 59 1412 TrustedInstaller
90 11 4652 10424 62 1496 VGAuthService
264 23 8980 18228 87 1748 vmtoolsd
82 10 1480 4208 48 368 wininit
76 6 1432 4124 25 432 winlogon
218 15 7048 12568 52 2040 WmiPrvSE

Note that the PIDs here do not line up with the netstat snapshot above: jrun is 1172 here while the 8500 listener was owned by 1164, and the k2admin/k2index/k2server PIDs moved too, whereas JNBDotNetSide stayed at 1080. ColdFusion was restarted between the two captures, so take netstat -ano and the process list together before trusting any port-to-process mapping.
Tasks
c:\ColdFusion8\runtime\bin> schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level"
folder: \

Every entry below is a default Server 2008 R2 task that lives under \Microsoft\Windows\ (CEIP, Defrag, RAC, Tcpip, Time Synchronization and so on): the findstr filter only drops the Folder: lines whose name contains \Microsoft, not the tasks inside those folders, so nothing custom is scheduled on this host. Next Run Time is a 12-hour clock; the Greek locale's AM/PM marker did not survive the capture.

TaskName                                 Next Run Time          Status
======================================== ====================== ===============
AD RMS Rights Policy Template Management                        Disabled
AD RMS Rights Policy Template Management N/A                    Ready
Proxy                                    N/A                    Ready
consolidator                             18/1/2023 9:00:00      Could not start
kernelceiptask                           19/1/2023 3:30:00      Ready
usbceip                                  19/1/2023 1:30:00      Ready
serverceipassistant                      18/1/2023 10:14:06     Could not start
serverroleusagecollector                 19/1/2023 12:49:16     Could not start
scheduleddefrag                          25/1/2023 1:23:56      Ready
CorruptionDetector                       N/A                    Ready
DecompressionFailureDetector             N/A                    Ready
LPRemove                                 N/A                    Ready
SystemSoundsService                                             Disabled
GatherNetworkInfo                        N/A                    Ready
analyzesystem                            24/1/2023 7:11:00      Ready
ractask                                  18/1/2023 6:07:57      Ready
ServerManager                            N/A                    Ready
IpAddressConflict1                       N/A                    Ready
IpAddressConflict2                       N/A                    Ready
MsCtfMonitor                             N/A                    Ready
synchronizetime                          22/1/2023 1:00:00      Ready
QueueReporting                           N/A                    Ready
BfeOnServiceStartTypeChange              N/A                    Ready
Calibration Loader                                              Disabled
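The findstr /v "\Microsoft" filter in the schtasks command above hides only the Folder: lines, which is why the listing is full of built-in tasks. As an added example that is not from the original notes, the following PowerShell 2.0 compatible snippet filters on the full task path instead, using the verbose CSV output, and reports who each remaining task runs as and what it executes, which is the information that actually matters for privilege escalation. It assumes the English schtasks column names (TaskName, Run As User, Task To Run).

```powershell
# Added example (not from the original notes). Lists scheduled tasks outside
# the \Microsoft\ tree with their account and command line. Filtering on the
# TaskName column catches tasks inside Microsoft folders, which the
# findstr /v "\Microsoft" approach lets through. PowerShell 2.0 compatible.
# Assumes English schtasks column names (TaskName, Run As User, Task To Run).

function Get-NonMicrosoftTasks {
    $lines = schtasks /query /fo CSV /v
    $header = $lines | Select-Object -First 1
    # schtasks repeats the header row once per folder; keep only the first copy
    $body = $lines | Select-Object -Skip 1 | Where-Object { $_ -ne $header }
    @($header) + @($body) | ConvertFrom-Csv |
        Where-Object { $_.TaskName -notlike '\Microsoft\*' }
}

Get-NonMicrosoftTasks |
    Select-Object TaskName, Status, 'Run As User', 'Task To Run', 'Next Run Time' |
    Format-List
```

On this host the function returns nothing, which is the correct reading of the listing above: there is no custom task to hijack. Where a task does appear, check the ACL on the file named in Task To Run before anything else; a writable binary run by a task under SYSTEM is the common win.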
Firewall & AV
C:\ColdFusion8\runtime\bin>netsh firewall show config
netsh firewall show config
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
8500 TCP Enable Inbound CF
ICMP configuration for Domain profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
8500 TCP Enable Inbound CF
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .

Both profiles carry exactly one inbound exception, TCP 8500 (rule name CF), and no program exceptions; dropped-packet and connection logging are off, so the firewall records nothing about our traffic. A bind shell or any extra listener we start is therefore unreachable from outside, while the established connection to 10.10.14.5:9999 in netstat shows outbound traffic is not filtered, which is why the reverse shell works. The deprecation notice matters: on 2008 R2 the authoritative view is netsh advfirewall, which also shows outbound rules and per-profile state that the legacy command does not.
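The check the deprecation notice points to, as an added example that is not part of the original notes: netsh advfirewall firewall show rule prints one "Key: Value" block per rule, and the PowerShell 2.0 compatible function below parses those blocks into objects so enabled inbound allow rules can be sorted by port and inspected for program or remote-address scoping. It assumes the English netsh output layout (a "Rule Name:" line opening each block).

```powershell
# Added example (not from the original notes). Parses the non-deprecated
# "netsh advfirewall firewall show rule" output into objects and keeps the
# enabled inbound Allow rules. Assumes the English "Key: Value" layout with a
# "Rule Name:" line starting every rule block. PowerShell 2.0 compatible.

function Get-InboundAllowRules {
    $rules = @()
    $cur = $null
    netsh advfirewall firewall show rule name=all dir=in | ForEach-Object {
        if ($_ -match '^Rule Name:\s*(.+)$') {
            if ($cur) { $rules += $cur }
            $cur = New-Object PSObject -Property @{ Name = $matches[1].Trim() }
        } elseif ($cur -and $_ -match '^([A-Za-z ]+):\s*(.*)$') {
            # "Edge traversal" becomes Edgetraversal, "LocalPort" stays LocalPort
            $cur | Add-Member NoteProperty ($matches[1].Trim() -replace ' ', '') $matches[2].Trim()
        }
    }
    if ($cur) { $rules += $cur }
    $rules | Where-Object { $_.Enabled -eq 'Yes' -and $_.Action -eq 'Allow' }
}

Get-InboundAllowRules |
    Sort-Object Protocol, LocalPort |
    Format-Table Name, Profiles, Protocol, LocalPort, RemoteIP, Program -AutoSize
```

Against the configuration shown above this should yield a single TCP 8500 rule named CF for every profile; a second enabled Allow rule with a RemoteIP of Any is the kind of thing to look for when planning a bind listener or a pivot, and the same function with dir=out tells you whether egress is restricted at all.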
Installed .NET Frameworks
C:\ColdFusion8\runtime\bin>dir /s C:\Windows\Microsoft.NET\Framework\msbuild
dir /s C:\Windows\Microsoft.NET\Framework\msbuild
Volume in drive C has no label.
Volume Serial Number is 5C03-76A8
Directory of C:\Windows\Microsoft.NET\Framework\v2.0.50727
14/07/2009 05:20 <DIR> MSBuild
0 File(s) 0 bytes
Total Files Listed:
0 File(s) 0 bytes
1 Dir(s) 1.434.279.936 bytes free

A name without a wildcard only matches entries literally called msbuild, so this hit is the MSBuild folder under v2.0.50727, not the executable; to find an msbuild.exe to use as a living-off-the-land build host, repeat the search with msbuild.exe as the name.
C:\ColdFusion8\runtime\bin>dir /A:D C:\Windows\Microsoft.NET\Framework
dir /A:D C:\Windows\Microsoft.NET\Framework
Volume in drive C has no label.
Volume Serial Number is 5C03-76A8
Directory of C:\Windows\Microsoft.NET\Framework
14/07/2009 05:20 <DIR> .
14/07/2009 05:20 <DIR> ..
14/07/2009 05:20 <DIR> v1.0.3705
14/07/2009 05:20 <DIR> v1.1.4322
22/03/2017 11:15 <DIR> v2.0.50727
0 File(s) 0 bytes
5 Dir(s) 1.434.279.936 bytes free
C:\ColdFusion8\runtime\bin>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727
v2.0.50727

Only the 2.0 runtime is registered under NDP and only v2.0.50727 exists under Framework: no 3.5 and no 4.x. Anything we drop on the host has to target CLR 2.0, and the built-in PowerShell is 2.0 (3.0 and later require .NET 4), so newer PowerShell tooling will not load here unless it explicitly supports version 2.