SCRAMBLECORP_ORDERS
Nmap discovered an unknown service on the target port 4411
As the service could not be identified during the Recon phase, an additional Nmap scan will be performed
┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ nmap -sV -sC -p4411 $IP
starting nmap 7.94 ( https://nmap.org ) at 2023-11-17 19:48 CET
Nmap scan report for dc1 (10.10.11.168)
Host is up (0.096s latency).
PORT STATE SERVICE VERSION
4411/tcp open found?
| fingerprint-strings:
| dnsstatusrequesttcp, dnsversionbindreqtcp, genericlines, javarmi, kerberos, landesk-rc, ldapbindreq, ldapsearchreq, ncp, null, notesrpc, rpccheck, smbprogneg, sslsessionreq, tlssessionreq, terminalserver, terminalservercookie, wmsrequest, x11probe, afp, giop, ms-sql-s, oracle-tns:
| SCRAMBLECORP_ORDERS_V1.0.3;
| fourohfourrequest, getrequest, httpoptions, help, lpdstring, rtsprequest, sipoptions:
| SCRAMBLECORP_ORDERS_V1.0.3;
|_ ERROR_UNKNOWN_COMMAND;
1 service unrecognized despite returning data. if you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
sf-port4411-tcp:V=7.94%I=7%D=11/17%Time=6557B587%P=x86_64-pc-linux-gnu%r(N
sf:ULL,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(GenericLines,1D,"SCRAMBLE
sf:CORP_ORDERS_V1\.0\.3;\r\n")%r(GetRequest,35,"SCRAMBLECORP_ORDERS_V1\.0\
sf:.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(HTTPOptions,35,"SCRAMBLECORP_ORDE
sf:RS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(RTSPRequest,35,"SCRAMBLE
sf:CORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(RPCCheck,1D,"SC
sf:RAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(DNSVersionBindReqTCP,1D,"SCRAMBLECO
sf:RP_ORDERS_V1\.0\.3;\r\n")%r(DNSStatusRequestTCP,1D,"SCRAMBLECORP_ORDERS
sf:_V1\.0\.3;\r\n")%r(Help,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKN
sf:OWN_COMMAND;\r\n")%r(SSLSessionReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\
sf:n")%r(TerminalServerCookie,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(TL
sf:SSessionReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(Kerberos,1D,"SCRA
sf:MBLECORP_ORDERS_V1\.0\.3;\r\n")%r(SMBProgNeg,1D,"SCRAMBLECORP_ORDERS_V1
sf:\.0\.3;\r\n")%r(X11Probe,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(Four
sf:OhFourRequest,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAN
sf:D;\r\n")%r(LPDString,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN
sf:_COMMAND;\r\n")%r(LDAPSearchReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")
sf:%r(LDAPBindReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(SIPOptions,35,
sf:"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(LANDes
sf:k-RC,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(TerminalServer,1D,"SCRAM
sf:BLECORP_ORDERS_V1\.0\.3;\r\n")%r(NCP,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\
sf:r\n")%r(NotesRPC,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(JavaRMI,1D,"
sf:SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(WMSRequest,1D,"SCRAMBLECORP_ORDER
sf:S_V1\.0\.3;\r\n")%r(oracle-tns,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%
sf:r(ms-sql-s,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(afp,1D,"SCRAMBLECO
sf:RP_ORDERS_V1\.0\.3;\r\n")%r(giop,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n"
sf:);
service detection performed. please report any incorrect results at https://nmap.org/submit/ .
nmap done: 1 IP address (1 host up) scanned in 164.22 secondsAlthough the service does appear to have an header, SCRAMBLECORP_ORDERV1.0.3, it doesn’t reveal much
┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ nc $IP 4411
SCRAMBLECORP_ORDERS_V1.0.3;
ls
ERROR_UNKNOWN_COMMAND;
help
ERROR_UNKNOWN_COMMAND;
commands
ERROR_UNKNOWN_COMMAND;
order
ERROR_UNKNOWN_COMMAND;
password
ERROR_UNKNOWN_COMMAND;
id
ERROR_UNKNOWN_COMMAND;
SESSION_TIMED_OUT;Manually connecting to the service via Netcat suggests that the service is likely a custom application