System/Kernel
c:\tmp> systeminfo
host name: GRANNY
os name: Microsoft(R) Windows(R) Server 2003, Standard Edition
os version: 5.2.3790 Service Pack 2 Build 3790
os manufacturer: Microsoft Corporation
os configuration: Standalone Server
os build type: Uniprocessor Free
registered owner: HTB
registered organization: HTB
product id: 69712-296-0024942-44782
original install date: 4/12/2017, 5:07:40 PM
system up time: 0 Days, 1 Hours, 51 Minutes, 18 Seconds
system manufacturer: VMware, Inc.
system model: VMware Virtual Platform
system type: X86-based PC
processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
bios version: INTEL - 6040000
windows directory: C:\WINDOWS
system directory: C:\WINDOWS\system32
boot device: \Device\HarddiskVolume1
system locale: en-us;English (United States)
input locale: en-us;English (United States)
time zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk
total physical memory: 1,023 MB
available physical memory: 734 MB
page file: Max Size: 2,470 MB
page file: Available: 2,284 MB
page file: In Use: 186 MB
page file location(s): C:\pagefile.sys
domain: HTB
logon server: N/A
hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
network card(s): N/A
Microsoft(R) Windows(R) Server 2003, Standard Edition
5.2.3790 Service Pack 2 Build 3790
X86-based PC
1 Processor(s)
1 Hotfix(s): Q147222 only. That entry appears on every Server 2003 install (it is a legacy registry artifact, not a security update), so treat the host as an unpatched SP2 build.
Networks
C:\tmp> netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 668
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 952
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 404
TCP 0.0.0.0:5859 0.0.0.0:0 LISTENING 4
TCP 10.10.10.15:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.15:1030 10.10.14.2:9999 ESTABLISHED 3764
TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING 1936
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 404
UDP 0.0.0.0:1027 *:* 732
UDP 0.0.0.0:4500 *:* 404
UDP 10.10.10.15:123 *:* 752
UDP 10.10.10.15:137 *:* 4
UDP 10.10.10.15:138 *:* 4
UDP 127.0.0.1:123 *:* 752
UDP 127.0.0.1:1029 *:* 752
Listening on non-loopback interfaces (port 80 omitted, it is the known entry point):
0.0.0.0:135
0.0.0.0:445
0.0.0.0:1025
0.0.0.0:1026
0.0.0.0:5859
10.10.10.15:139
127.0.0.1:1028
Ports 80, 139 and 445 belong to PID 4 (System): on IIS 6 / Server 2003 they are served from kernel mode (http.sys and the SMB server driver), not by a user-mode process you could target directly.
The one ESTABLISHED socket, 10.10.10.15:1030 -> 10.10.14.2:9999 with PID 3764, is w3wp.exe in the tasklist below: the shell is running inside the IIS worker process, so the current token is the application pool identity.
Users & Groups
c:\tmp> net user
User accounts for \\GRANNY
-------------------------------------------------------------------------------
Administrator ASPNET Guest
IUSR_GRANPA IWAM_GRANPA Lakis
SUPPORT_388945a0
The command completed successfully.
c:\tmp> dir -Force "C:\Documents and Settings"
Volume in drive C has no label.
Volume Serial Number is 424C-F32D
directory of c:\tmp
File Not Found
directory of c:\Documents and Settings
04/12/2017 10:19 PM <DIR> .
04/12/2017 10:19 PM <DIR> ..
04/12/2017 09:48 PM <DIR> Administrator
04/12/2017 05:03 PM <DIR> All Users
04/12/2017 10:19 PM <DIR> Lakis
0 File(s) 0 bytes
5 Dir(s) 1,208,823,808 bytes free
Lakis
ASPNET
IUSR_GRANPA
IWAM_GRANPA
SUPPORT_388945a0
Only Administrator and Lakis have a profile under Documents and Settings; the others have never logged on interactively.
Note: -Force is a PowerShell switch. cmd.exe treated it as a second path argument, which is why the listing starts with "directory of c:\tmp / File Not Found". The cmd.exe equivalent for hidden entries is dir /a "C:\Documents and Settings".
c:\tmp> net localgroup
Aliases for \\GRANNY
-------------------------------------------------------------------------------
*Administrators
*Backup Operators
*Distributed COM Users
*Guests
*HelpServicesGroup
*IIS_WPG
*Network Configuration Operators
*OWS_209498277_admin
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*Remote Desktop Users
*Replicator
*TelnetClients
*Users
The command completed successfully.
HelpServicesGroup
IIS_WPG
OWS_209498277_admin
Processes
C:\tmp> tasklist /svc
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 272 N/A
csrss.exe 320 N/A
winlogon.exe 344 N/A
services.exe 392 Eventlog, PlugPlay
lsass.exe 404 HTTPFilter, PolicyAgent, ProtectedStorage,
SamSs
svchost.exe 584 DcomLaunch
svchost.exe 668 RpcSs
svchost.exe 732 Dhcp, Dnscache
svchost.exe 752 LmHosts, W32Time
svchost.exe 788 AeLookupSvc, AudioSrv, CryptSvc, dmserver,
EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Netman, Nla, Schedule,
seclogon, SENS, SharedAccess,
ShellHWDetection, TrkWks, winmgmt,
wuauserv, WZCSVC
spoolsv.exe 924 Spooler
msdtc.exe 952 MSDTC
cisvc.exe 1072 CiSvc
svchost.exe 1112 ERSvc
inetinfo.exe 1168 IISADMIN
svchost.exe 1204 RemoteRegistry
VGAuthService.exe 1312 VGAuthService
vmtoolsd.exe 1380 VMTools
svchost.exe 1484 W3SVC
svchost.exe 1588 TermService
dllhost.exe 1764 COMSysApp
alg.exe 1936 ALG
wmiprvse.exe 1964 N/A
wmiprvse.exe 2292 N/A
w3wp.exe 3764 N/A
cidaemon.exe 4012 N/A
cidaemon.exe 4060 N/A
cidaemon.exe 4092 N/A
davcdata.exe 228 N/A
logon.scr 2760 N/A
cmd.exe 3596 N/A
wmiprvse.exe 3044 N/A
tasklist.exe 1324 N/A
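The Networks and Processes sections above are only useful together: netstat -ano gives PIDs, tasklist /svc gives the image and hosted services behind each PID. The script below is an added example (not part of the original enumeration log) that parses both outputs as they appear on this page (whitespace-collapsed, with tasklist's wrapped service lists) and joins them, so that a row such as "ESTABLISHED 3764" is reported as w3wp.exe talking to 10.10.14.2:9999 and each listener is tagged as network-exposed or loopback-only. The embedded inputs are a constructed subset of the output shown above.

```python
"""Correlate netstat -ano sockets with tasklist /svc processes.

Added example for this page, not part of the original enumeration log.
Assumes the whitespace-collapsed column layout shown on the page.
"""
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_ip local_port remote state pid")
Process = namedtuple("Process", "image services")

# Constructed sample input: a subset of the netstat -ano output above.
NETSTAT_SAMPLE = """\
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 668
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 10.10.10.15:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.15:1030 10.10.14.2:9999 ESTABLISHED 3764
TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING 1936
UDP 0.0.0.0:500 *:* 404
UDP 127.0.0.1:123 *:* 752
"""

# Constructed sample input: a subset of the tasklist /svc output above,
# including a wrapped service list (lsass.exe) as tasklist prints it.
TASKLIST_SAMPLE = """\
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
svchost.exe 668 RpcSs
lsass.exe 404 HTTPFilter, PolicyAgent, ProtectedStorage,
SamSs
svchost.exe 752 LmHosts, W32Time
alg.exe 1936 ALG
w3wp.exe 3764 N/A
"""

# image name may contain spaces ("System Idle Process"): non-greedy, then PID
_PROC_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<svc>.+)$")


def _split_services(text):
    """'HTTPFilter, PolicyAgent,' -> ['HTTPFilter', 'PolicyAgent']; 'N/A' -> []."""
    if text.strip() == "N/A":
        return []
    return [s.strip() for s in text.split(",") if s.strip()]


def parse_netstat(text):
    """Return Socket records. TCP rows carry a State column, UDP rows do not."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner / column header
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""
        ip, port = local.rsplit(":", 1)  # rsplit keeps IPv6 literals intact
        sockets.append(Socket(proto, ip, int(port), remote, state, int(parts[-1])))
    return sockets


def parse_tasklist(text):
    """Return {pid: Process}. tasklist wraps long service lists; a row whose
    service list ends with ',' continues on the next line."""
    procs, last_pid, pending = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("="):
            continue
        if pending and last_pid is not None:
            procs[last_pid].services.extend(_split_services(line))
            pending = line.endswith(",")
            continue
        m = _PROC_RE.match(line)
        if not m:
            continue  # 'Image Name PID Services' header has no PID
        last_pid = int(m.group("pid"))
        procs[last_pid] = Process(m.group("image"), _split_services(m.group("svc")))
        pending = m.group("svc").endswith(",")
    return procs


def established(sockets, procs):
    """TCP sockets with a live peer, attributed to their image: where the shell lives."""
    return [(s.local_ip, s.local_port, s.remote, s.pid, procs.get(s.pid, Process("?", [])).image)
            for s in sockets if s.proto == "TCP" and s.state == "ESTABLISHED"]


def listeners(sockets, procs):
    """Map each bound socket to 'image [services]', split by exposure:
    0.0.0.0 / interface binds are network-reachable, 127.0.0.1 is local only."""
    exposed, local_only = {}, {}
    for s in sockets:
        if s.proto == "TCP" and s.state != "LISTENING":
            continue
        p = procs.get(s.pid)
        label = f"{p.image} [{', '.join(p.services) or 'no services'}]" if p else f"pid {s.pid}"
        bucket = local_only if s.local_ip.startswith("127.") else exposed
        bucket[f"{s.proto} {s.local_ip}:{s.local_port}"] = label
    return exposed, local_only


if __name__ == "__main__":
    socks, procs = parse_netstat(NETSTAT_SAMPLE), parse_tasklist(TASKLIST_SAMPLE)
    for ip, port, remote, pid, image in established(socks, procs):
        print(f"ESTABLISHED {ip}:{port} -> {remote}  pid {pid} = {image}")
    exposed, local_only = listeners(socks, procs)
    for title, table in (("exposed", exposed), ("loopback only", local_only)):
        print(title)
        for key, label in sorted(table.items()):
            print(f"  {key:<24} {label}")
```

Paste the real netstat -ano and tasklist /svc output into the two sample strings (or read them from files) to run it against a live capture; the parser only relies on the column order, so the fixed-width original works as well as the collapsed copy on this page.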
Tasks
c:\tmp> schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
error: Access is denied.
Firewall & AV
C:\tmp> netsh firewall show config
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Port configuration for Standard profile:
Port Protocol Mode Name
-------------------------------------------------------------------
80 TCP Enable IIS
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 8 Allow inbound echo request
Log configuration:
-------------------------------------------------------------------
File location = C:\WINDOWS\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
Access is denied.
Installed .NET Frameworks
c:\tmp> dir /A:D C:\Windows\Microsoft.NET\Framework
Volume in drive C has no label.
Volume Serial Number is 424C-F32D
directory of c:\Windows\Microsoft.NET\Framework
04/12/2017 05:02 PM <DIR> .
04/12/2017 05:02 PM <DIR> ..
04/12/2017 05:02 PM <DIR> 1033
04/12/2017 05:03 PM <DIR> v1.0.3705
04/12/2017 05:08 PM <DIR> v1.1.4322
0 File(s) 0 bytes
5 Dir(s) 1,208,860,672 bytes free
c:\tmp>reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v1.1.4322
OCM REG_DWORD 0x1
SP REG_DWORD 0x1
Install REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v1.1.4322\1033
OCM REG_DWORD 0x1
SP REG_DWORD 0x1
Install REG_DWORD 0x1
.NET 1.1.4322 only (a v1.0.3705 directory exists but only v1.1.4322 is registered under NDP). No v2.0 or later means no PowerShell on this host; any .NET-based tooling dropped here must target 1.1, otherwise use native binaries.