┌──(root㉿kali)-[~]
└─# nmap --min-rate=10000 -p- anthem
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-28 06:21 UTC
Nmap scan report for anthem (10.10.238.135)
Host is up (0.0034s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-wbt-server
5985/tcp open  wsman
MAC Address: 02:DD:10:B3:76:5D (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 20.23 seconds
┌──(root㉿kali)-[~]
└─# nmap -sC -sT -sV -O -p80,3389,5985 anthem
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-28 06:23 UTC
Nmap scan report for anthem (10.10.238.135)
Host is up (0.00049s latency).

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-04-28T06:25:19+00:00; 0s from scanner time.
| rdp-ntlm-info:
|   Target_Name: WIN-LU09299160F
|   NetBIOS_Domain_Name: WIN-LU09299160F
|   NetBIOS_Computer_Name: WIN-LU09299160F
|   DNS_Domain_Name: WIN-LU09299160F
|   DNS_Computer_Name: WIN-LU09299160F
|   Product_Version: 10.0.17763
|_  System_Time: 2024-04-28T06:24:14+00:00
| ssl-cert: Subject: commonName=WIN-LU09299160F
| Not valid before: 2024-04-27T06:18:05
|_Not valid after:  2024-10-27T06:18:05
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
MAC Address: 02:DD:10:B3:76:5D (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): AVtech embedded (87%), Microsoft Windows XP (85%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%), Microsoft Windows XP SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.20 seconds
┌──(root㉿kali)-[~]
└─# nmap --script=vuln -p80,3389,5985 anthem
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-28 06:24 UTC
Nmap scan report for anthem (10.10.238.135)
Host is up (0.00049s latency).

PORT     STATE SERVICE
80/tcp   open  http
| http-enum:
|   /blog/: Blog
|   /rss/: RSS or Atom feed
|   /robots.txt: Robots file
|   /categories/viewcategory.aspx: MS Sharepoint
|   /categories/allcategories.aspx: MS Sharepoint
|_  /authors/: Potentially interesting folder
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=anthem
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://anthem:80/
|     Form id:
|     Form action: /search
|
|     Path: http://anthem:80/categories
|     Form id:
|     Form action: /search
|
|     Path: http://anthem:80/archive/a-cheers-to-our-it-department/
|     Form id:
|     Form action: /search
|
|     Path: http://anthem:80/tags
|     Form id:
|     Form action: /search
|
|     Path: http://anthem:80/search
|     Form id:
|     Form action: /search
|
|     Path: http://anthem:80/archive/we-are-hiring/
|     Form id:
|_    Form action: /search
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
3389/tcp open  ms-wbt-server
5985/tcp open  wsman
MAC Address: 02:DD:10:B3:76:5D (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 130.22 seconds
Add a hosts entry: anthem.com
Web
In robots.txt:
UmbracoIsTheBest!
# Use for all search robots
User-agent: *

# Define the directories not to crawl
Disallow: /bin/
Disallow: /config/
Disallow: /umbraco/
Disallow: /umbraco_client/
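The robots.txt above discloses two things a crawler directive file should not: a stray line that is neither a directive nor a comment, and Disallow paths that name the CMS (Umbraco) and its back-office directory. The following Python script is an added example, not part of this write-up, that audits a robots.txt body for both kinds of leak; the function names, the SENSITIVE_HINTS table and the embedded copy of the page's robots.txt are assumptions made for this example.

```python
"""Audit a robots.txt body for information it discloses.

Added example, not part of the original write-up. ROBOTS_TXT is the
file quoted on the page, embedded so the script runs offline.
SENSITIVE_HINTS is an assumed, illustrative table of path segments
that usually mark administrative, configuration or CMS-internal areas.
"""
import re

ROBOTS_TXT = """UmbracoIsTheBest!

# Use for all search robots
User-agent: *

# Define the directories not to crawl
Disallow: /bin/
Disallow: /config/
Disallow: /umbraco/
Disallow: /umbraco_client/
"""

# Assumed hint table; extend it to match the environment being audited.
SENSITIVE_HINTS = {
    "umbraco": "Umbraco CMS back office / client files",
    "config": "configuration directory",
    "bin": "compiled application binaries",
    "admin": "administrative interface",
    "wp-admin": "WordPress admin interface",
}

# A robots.txt directive is "Field: value"; anything else is noise.
DIRECTIVE_RE = re.compile(r"^([A-Za-z-]+)\s*:\s*(.*?)$")


def parse_robots(text):
    """Return (rules, stray).

    rules maps each User-agent to its Disallow paths; stray collects
    lines that are neither blank, comment nor directive. Stray lines
    matter because robots.txt is public: anything typed there by
    accident is disclosed to every visitor.
    """
    rules, stray, agents, prev_agent = {}, [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            stray.append(line)
            prev_agent = False
            continue
        field, value = m.group(1).lower(), m.group(2).strip()
        if field == "user-agent":
            # consecutive User-agent lines form one group
            agents = agents + [value] if prev_agent else [value]
            rules.setdefault(value, [])
            prev_agent = True
        else:
            prev_agent = False
            if field == "disallow" and value:
                for a in agents or ["*"]:
                    rules.setdefault(a, []).append(value)
    return rules, stray


def classify(path):
    """Reason string if a path segment matches a sensitive hint, else None."""
    segments = [s.lower() for s in path.strip("/").split("/") if s]
    for seg in segments:
        for hint, reason in SENSITIVE_HINTS.items():
            if seg == hint or seg.startswith(hint + "_"):
                return reason
    return None


def flag_sensitive(paths):
    """(path, reason) pairs for Disallow entries that reveal sensitive areas."""
    flagged = []
    for p in paths:
        reason = classify(p)
        if reason:
            flagged.append((p, reason))
    return flagged


def audit(text):
    """Combine both checks into a list of (kind, item, reason) findings."""
    rules, stray = parse_robots(text)
    findings = [("stray-line", s, "non-directive text published in robots.txt")
                for s in stray]
    for paths in rules.values():
        for p, reason in flag_sensitive(paths):
            findings.append(("sensitive-path", p, reason))
    return findings


if __name__ == "__main__":
    for kind, item, why in audit(ROBOTS_TXT):
        print(f"{kind:15} {item:20} {why}")
```

Run against the page's robots.txt it reports the stray `UmbracoIsTheBest!` line plus all four Disallow paths. The remediation a defender would take is the same in both cases: robots.txt should only contain directives, and paths that must stay private should be protected by access control rather than listed for crawlers.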
User Name          SID
================== ==============================================
win-lu09299160f\sg S-1-5-21-3886845925-2521176483-1368255183-1000

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users           Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON  Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled