┌──(root㉿kali)-[~/Desktop]
└─# nmap --min-rate=10000 -p- 10.10.151.66
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-29 08:10 UTC
Warning: 10.10.151.66 giving up on port because retransmission cap hit (10).
Nmap scan report for ip-10-10-151-66.eu-west-1.compute.internal (10.10.151.66)
Host is up (0.032s latency).
Not shown: 50591 closed tcp ports (reset), 14929 filtered tcp ports (no-response)
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5900/tcp  open  vnc
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49672/tcp open  unknown
49678/tcp open  unknown
MAC Address: 02:05:91:37:1D:B1 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 40.51 seconds
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sC -sT -sV -O -p21,80,135,139,443,445,3389,5900 10.10.151.66
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-29 08:13 UTC
Nmap scan report for ip-10-10-151-66.eu-west-1.compute.internal (10.10.151.66)
Host is up (0.016s latency).

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_11-14-20  04:26PM                  173 notice.txt
| ftp-syst:
|_  SYST: Windows_NT
80/tcp   open  http          Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.11)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.11
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Simple Slide Show
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp  open  ssl/http      Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.11)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
| tls-alpn:
|_  http/1.1
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.11
|_ssl-date: TLS randomness does not represent time
|_http-title: 400 Bad Request
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server?
|_ssl-date: 2024-04-29T08:15:03+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DESKTOP-997GG7D
| Not valid before: 2024-04-28T08:09:28
|_Not valid after:  2024-10-28T08:09:28
5900/tcp open  vnc           VNC (protocol 3.8)
| vnc-info:
|   Protocol version: 3.8
|   Security types:
|     Ultra (17)
|_    VNC Authentication (2)
MAC Address: 02:05:91:37:1D:B1 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 10 1709 - 1909 (95%), Microsoft Windows Longhorn (93%), Microsoft Windows 7 SP1 (93%), Microsoft Windows 10 1703 (92%), Microsoft Windows Server 2008 SP2 (92%), Microsoft Windows 7 Enterprise SP1 (92%), Microsoft Windows 8 (92%), Microsoft Windows Vista SP1 (92%), Microsoft Windows 10 1709 - 1803 (92%), Microsoft Windows 10 1809 - 1909 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.20 seconds
┌──(root㉿kali)-[~/Desktop]
└─# nmap --script=vuln -p21,80,135,139,443,445,3389,5900 10.10.151.66
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-29 08:16 UTC
Nmap scan report for ip-10-10-151-66.eu-west-1.compute.internal (10.10.151.66)
Host is up (0.00054s latency).

PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /icons/: Potentially interesting folder w/ directory listing
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.46 (win64) openssl/1.1.1g php/7.4.11'
|_  /img/: Potentially interesting directory w/ listing on 'apache/2.4.46 (win64) openssl/1.1.1g php/7.4.11'
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
|             Modulus Type: Safe prime
|             Modulus Source: RFC2409/Oakley Group 2
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
| http-enum:
|   /icons/: Potentially interesting folder w/ directory listing
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.46 (win64) openssl/1.1.1g php/7.4.11'
|_  /img/: Potentially interesting directory w/ listing on 'apache/2.4.46 (win64) openssl/1.1.1g php/7.4.11'
|_http-csrf: Couldn't find any CSRF vulnerabilities.
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
5900/tcp open  vnc
MAC Address: 02:05:91:37:1D:B1 (Unknown)

Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

Nmap done: 1 IP address (1 host up) scanned in 325.04 seconds
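The three scans above leave the triage to the reader. The script below is an added example, not part of the original write-up: it parses nmap's normal-format output (the port table plus the NSE script lines that follow each port) and turns the posture problems a defender should fix first into a ranked list: anonymous FTP, the TRACE method, an expired certificate, a weak Diffie-Hellman group, and remote-access services facing the scanner. SAMPLE is a constructed excerpt modelled on the scan output above; the severity labels are this example's own judgement, not something nmap reports.

```python
"""Triage helper for nmap normal-format output (added example, not part of
the original write-up). Severity labels are this script's own assumption."""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the scan above (not a full nmap run).
SAMPLE = """\
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_11-14-20  04:26PM                  173 notice.txt
80/tcp   open  http          Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.11)
| http-methods:
|_  Potentially risky methods: TRACE
443/tcp  open  ssl/http      Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.11)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server?
5900/tcp open  vnc           VNC (protocol 3.8)
MAC Address: 02:05:91:37:1D:B1 (Unknown)
"""

# "21/tcp   open  ftp   Microsoft ftpd"  ->  number, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Services that should not face an untrusted network without extra controls.
RISKY_SERVICES = {
    "vnc": "VNC exposed; restrict to VPN/jump host",
    "ms-wbt-server": "RDP exposed; restrict to VPN/jump host and require NLA",
    "microsoft-ds": "SMB exposed; block at the perimeter",
}
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str          # nmap appends "?" when the fingerprint is unconfirmed
    version: str = ""
    script_lines: list = field(default_factory=list)


def parse_nmap(text):
    """Return one Port per table row, each carrying its NSE output lines."""
    ports, current = [], None
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:
            current = Port(int(m.group(1)), m.group(2), m.group(3), m.group(4),
                           (m.group(5) or "").strip())
            ports.append(current)
        elif raw.startswith("|") and current is not None:
            # NSE lines: drop the "| " / "|_" prefix and indentation, keep the text
            current.script_lines.append(raw.lstrip("|_ ").rstrip())
        else:
            current = None  # MAC Address, Host script results, blank lines end the port block
    return ports


def triage(ports, today="2024-04-29"):
    """Return (port, severity, message) tuples, highest severity first."""
    findings = []
    for p in ports:
        script = "\n".join(p.script_lines)
        if "Anonymous FTP login allowed" in script:
            findings.append((p.number, "HIGH", "anonymous FTP login allowed"))
        if re.search(r"Potentially risky methods:.*\bTRACE\b", script):
            findings.append((p.number, "LOW", "HTTP TRACE method enabled"))
        m = re.search(r"Not valid after:\s*(\d{4}-\d{2}-\d{2})", script)
        if m and m.group(1) < today:  # ISO dates compare correctly as strings
            findings.append((p.number, "MEDIUM", f"TLS certificate expired on {m.group(1)}"))
        if "Diffie-Hellman Key Exchange Insufficient Group Strength" in script:
            findings.append((p.number, "MEDIUM", "weak DH group in TLS configuration"))
        base = p.service.rstrip("?")
        if base in RISKY_SERVICES:
            findings.append((p.number, "MEDIUM", RISKY_SERVICES[base]))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[1]], f[0]))
    return findings


if __name__ == "__main__":
    for port, sev, msg in triage(parse_nmap(SAMPLE)):
        print(f"{sev:6} {port:>5}  {msg}")
```

Feed it a real scan with `nmap -oN scan.txt ...` and `parse_nmap(open("scan.txt").read())`; the `today` argument exists so that certificate expiry is judged against the scan date rather than the day the report is read.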
Getshell
Logging in to FTP anonymously yields a note:
NOTICE ======
Due to customer complaints about using FTP we have now moved 'images' to a hidden windows file share for upload and management of images.
- Dev Team
┌──(mikannse㉿kali)-[~/桌面]
└─$ smbclient -L pwn.thm
Password for [WORKGROUP\mikannse]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	images$         Disk      
	Installs$       Disk      
	IPC$            IPC       Remote IPC
	Users           Disk      
tstream_smbXcli_np_destructor: cli_close failed on pipe srvsvc. Error was NT_STATUS_IO_TIMEOUT
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to pwn.thm failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
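The note calls the new share "hidden", but a trailing `$` only keeps a share out of browse lists; it is not an access control. The script below is an added example, not code from the write-up: it parses the table `smbclient -L` prints and separates Windows' built-in administrative shares (ADMIN$, C$, IPC$ and the like) from custom hidden shares such as `images$` and `Installs$`, which deserve the same permission review as visible shares. SAMPLE_LISTING is a constructed copy of the table shown above.

```python
"""Classify shares from `smbclient -L` output (added example, not part of
the original write-up)."""
import re

# Constructed copy of the share table above, including the trailing error line.
SAMPLE_LISTING = """\
\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\timages$         Disk      
\tInstalls$       Disk      
\tIPC$            IPC       Remote IPC
\tUsers           Disk      
tstream_smbXcli_np_destructor: cli_close failed on pipe srvsvc. Error was NT_STATUS_IO_TIMEOUT
"""

# Administrative shares Windows creates by default (drive roots, ADMIN$, IPC$, ...).
DEFAULT_ADMIN_SHARES = re.compile(r"^(ADMIN\$|IPC\$|[A-Z]\$|PRINT\$|FAX\$)$", re.IGNORECASE)
# One table row: name, type column, optional comment. Header/separator rows fail
# the type-column match and are skipped automatically.
ROW_RE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\b\s*(.*)$")


def parse_shares(text):
    """Return [{'name', 'type', 'comment'}, ...] for each share row."""
    shares = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        shares.append({"name": m.group(1), "type": m.group(2), "comment": m.group(3).strip()})
    return shares


def classify(shares):
    """Split shares into default admin shares, custom hidden ($) shares and visible ones."""
    result = {"default_admin": [], "hidden_custom": [], "visible": []}
    for s in shares:
        name = s["name"]
        if DEFAULT_ADMIN_SHARES.match(name):
            result["default_admin"].append(name)
        elif name.endswith("$"):
            result["hidden_custom"].append(name)  # hidden from browsing only; review ACLs
        else:
            result["visible"].append(name)
    return result


if __name__ == "__main__":
    for bucket, names in classify(parse_shares(SAMPLE_LISTING)).items():
        print(f"{bucket:14} {', '.join(names) or '-'}")
```

On the listing above this yields two custom hidden shares, `images$` and `Installs$`; the next question for the share owner is which accounts can read and write them, which no listing can answer.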