```
nmap -sS -sC -sV -A 10.10.11.106

Nmap scan report for 10.10.11.106
Host is up (0.24s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE      VERSION
80/tcp  open  http         Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Microsoft-IIS/10.0
135/tcp open  msrpc        Microsoft Windows RPC
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (91%), Microsoft Windows 10 1511 - 1607 (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), FreeBSD 6.2-RELEASE (86%), Microsoft Windows 10 1607 (85%), Microsoft Windows 10 1511 (85%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2022-03-04T18:18:39
|_  start_date: 2022-03-04T18:16:38
|_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m57s

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   241.00 ms 10.10.14.1
2   241.00 ms 10.10.11.106

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
```
```
nmap -sS -T4 -p- -sC -sV 10.10.11.106

Nmap scan report for 10.10.11.106
Host is up (0.30s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|_  Potentially risky methods: TRACE
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2022-03-04T20:15:13
|_  start_date: 2022-03-04T18:16:38
|_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m58s
```
A port that the earlier scan did not find shows up here: 5985 (WinRM). This port is vulnerable and gives us an interactive shell directly.

Tool used: evil-winrm. Install command: gem install evil-winrm

Command: evil-winrm -i ip -u username -p passwd. Both the username and the password were already obtained earlier, so fill them in and connect. The login succeeds, and we get the user flag.
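As an added defender-side example (not part of the original writeup), the script below parses nmap normal-format output like the two scans above and flags the exposures they reveal: the WinRM management port on 5985, SMB signing enabled but not required, HTTP Basic auth served over plaintext port 80, and the TRACE method. `SAMPLE_SCAN` is a constructed excerpt assembled from the page's own scan lines, and the remediation wording is mine.

```python
import re

# Constructed excerpt of the nmap normal output for 10.10.11.106 shown above
SAMPLE_SCAN = """\
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
| http-methods:
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

# Matches the "<port>/tcp open <service> ..." lines of nmap's normal output
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")

def parse_open_ports(text):
    """Return {port: service} for every open tcp port in the scan text."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports

def audit(text):
    """Return defender-facing findings derived from the open ports and NSE script output."""
    ports = parse_open_ports(text)
    findings = []
    if 5985 in ports or 5986 in ports:
        findings.append("WinRM management port exposed; restrict it to the admin network and monitor logons")
    if 445 in ports and "Message signing enabled but not required" in text:
        findings.append("SMB signing not required; enforce signing to block relay of captured NTLM auth")
    if 80 in ports and "Basic realm=" in text:
        findings.append("HTTP Basic auth over plaintext port 80; credentials cross the wire unencrypted")
    if "Potentially risky methods: TRACE" in text:
        findings.append("HTTP TRACE enabled; disable it in the IIS request filtering configuration")
    return findings
```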