Algernon

Dificultad de la máquina Easy

Reconocimiento

PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 125 Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 04-29-20  09:31PM       <DIR>          ImapRetrieval
| 08-02-24  09:31AM       <DIR>          Logs
| 04-29-20  09:31PM       <DIR>          PopRetrieval
|_04-29-20  09:32PM       <DIR>          Spool
80/tcp    open  http          syn-ack ttl 125 Microsoft IIS httpd 10.0
|_http-title: IIS Windows
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 125
5040/tcp  open  unknown       syn-ack ttl 125
7680/tcp  open  pando-pub?    syn-ack ttl 125
9998/tcp  open  http          syn-ack ttl 125 Microsoft IIS httpd 10.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/10.0
| uptime-agent-info: HTTP/1.1 400 Bad Request\x0D
| Content-Type: text/html; charset=us-ascii\x0D
| Server: Microsoft-HTTPAPI/2.0\x0D
| Date: Mon, 02 Dec 2024 17:41:00 GMT\x0D
| Connection: close\x0D
| Content-Length: 326\x0D
| \x0D
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">\x0D
| <HTML><HEAD><TITLE>Bad Request</TITLE>\x0D
| <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>\x0D
| <BODY><h2>Bad Request - Invalid Verb</h2>\x0D
| <hr><p>HTTP Error 400. The request verb is invalid.</p>\x0D
|_</BODY></HTML>\x0D
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was /interface/root
|_http-favicon: Unknown favicon MD5: 9D7294CAAB5C2DF4CD916F53653714D5
17001/tcp open  remoting      syn-ack ttl 125 MS .NET Remoting services
49664/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC

Explotación

Viendo por encima todos los puertos que tiene abiertos nos encontramos con la siguiente web en el puerto 9998

Viendo vulnerabilidades que tiene el servicio SmarterMail encuentro el siguiente exploit

Tiene muy buena pinta así que vamos a probarlo, no funciona, así que vamos a seguir buscando

hacemos pequeños cambios en el exploit, dejo el puerto 17001 por que es el que venia con el exploit y al estar abierto en la máquina víctima supongo que el exploit explotara por el puerto 17001

y nos devuelve una shell como administrador

AnteriorWindows SiguienteCraft

Última actualización hace 5 meses

PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack ttl 125 Microsoft ftpd | ftp-syst: |_ SYST: Windows_NT | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 04-29-20 09:31PM <DIR> ImapRetrieval | 08-02-24 09:31AM <DIR> Logs | 04-29-20 09:31PM <DIR> PopRetrieval |_04-29-20 09:32PM <DIR> Spool 80/tcp open http syn-ack ttl 125 Microsoft IIS httpd 10.0 |_http-title: IIS Windows |_http-server-header: Microsoft-IIS/10.0 | http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST |_ Potentially risky methods: TRACE 135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC 139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? syn-ack ttl 125 5040/tcp open unknown syn-ack ttl 125 7680/tcp open pando-pub? syn-ack ttl 125 9998/tcp open http syn-ack ttl 125 Microsoft IIS httpd 10.0 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Microsoft-IIS/10.0 | uptime-agent-info: HTTP/1.1 400 Bad Request\x0D | Content-Type: text/html; charset=us-ascii\x0D | Server: Microsoft-HTTPAPI/2.0\x0D | Date: Mon, 02 Dec 2024 17:41:00 GMT\x0D | Connection: close\x0D | Content-Length: 326\x0D | \x0D | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">\x0D | <HTML><HEAD><TITLE>Bad Request</TITLE>\x0D | <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>\x0D | <BODY><h2>Bad Request - Invalid Verb</h2>\x0D | <hr><p>HTTP Error 400. The request verb is invalid.</p>\x0D |_</BODY></HTML>\x0D | http-title: Site doesn't have a title (text/html; charset=utf-8). |_Requested resource was /interface/root |_http-favicon: Unknown favicon MD5: 9D7294CAAB5C2DF4CD916F53653714D5 17001/tcp open remoting syn-ack ttl 125 MS .NET Remoting services 49664/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC 49665/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC 49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC 49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC 49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC 49669/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC