internal
Date: Mar 15, 2025
Tags: Nmap, Service Enumeration, User Enumeration

192.168.182.40

Nmap


nmap -sT -p- --min-rate 5000 192.168.182.40
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-15 01:47 EDT
Warning: 192.168.182.40 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.182.40
Host is up (0.064s latency).
Not shown: 65309 closed tcp ports (conn-refused), 213 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 22.17 seconds
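As an added example (not part of the original notes), a small Python parser that reads the normal-format Nmap output above and maps every open port to a defender's review note, so the same scan can be read as an exposure checklist; the review labels in EXPOSURE_POLICY are constructed for this example, and the dynamic high ports are trimmed to one.

```python
import re
# Sample input: the normal-format Nmap output shown in these notes (dynamic ports trimmed to one).
NMAP_OUTPUT = """\
Nmap scan report for 192.168.182.40
Host is up (0.064s latency).
Not shown: 65309 closed tcp ports (conn-refused), 213 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
49152/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 22.17 seconds
"""
# Review notes per Nmap service name; these labels are constructed for this example.
EXPOSURE_POLICY = {
    "microsoft-ds": "SMB reachable: verify null sessions are refused and SMB signing is required",
    "netbios-ssn": "NetBIOS session service reachable: legacy name/share exposure",
    "ms-wbt-server": "RDP reachable: require NLA, restrict source networks, alert on failed logons",
    "wsdapi": "WSD reachable: rarely needed on a server, firewall it and keep it patched",
    "msrpc": "RPC endpoint mapper reachable: enables anonymous user/share enumeration attempts",
}
# Matches "445/tcp   open  microsoft-ds" style lines.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap(text):
    """Return (port, proto, state, service) tuples from normal-format Nmap output."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def exposure_report(text):
    """Map each open port to a review note; unidentified dynamic ports are flagged separately."""
    report = {}
    for port, _proto, state, service in parse_nmap(text):
        if state != "open":
            continue  # closed/filtered ports need no review
        if service in EXPOSURE_POLICY:
            report[port] = EXPOSURE_POLICY[service]
        elif service == "unknown" and port >= 49152:
            report[port] = "Dynamic RPC port: identify the owning service via the endpoint mapper"
        else:
            report[port] = f"{service}: confirm this exposure is intended"
    return report
```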

None of the usual HTTP ports return anything, and port 53 gives no useful response either.
Let's use RPC to check whether anonymous login is possible.
We are able to log in.
rpcclient $> ls
command not found: ls
rpcclient $>
Display all 227 possibilities? (y or n)
? dfsenum eventlog_reporteventsource lsacreateaccount querydominfo adddriver dfsenumex exit lsadelpriv querygroup addform dfsgetinfo fetch_attributes lsaenumacctrights querygroupmem addpermachineconnection dfsremove fetch_properties lsaenumprivsaccount querymultiplevalues addprinter dfsversion fss_create_expose lsaenumsid querymultiplevalues2 AsyncNotify dscracknames fss_delete lsalookupprivvalue querysecret capabilities dsenumdomtrusts fss_get_mapping lsaquery queryuser change_trust_pw dsgetdcinfo fss_get_sup_version lsaquerysecobj queryuseraliases chgpasswd dsgetncchanges fss_has_shadow_copy lsaquerytrustdominfo queryusergroups chgpasswd2 dsr_enumtrustdom fss_is_path_sup lsaquerytrustdominfobyname quit chgpasswd3 dsr_getdcname fss_recovery_complete lsaquerytrustdominfobysid Register chgpasswd4 dsr_getdcnameex getanydcname lsaremoveacctrights RegisterEx clusapi_create_enum dsr_getdcnameex2 getcoreprinterdrivers lsasettrustdominfo retrieveprivatedata clusapi_create_enumex dsr_getforesttrustinfo getdata netconnenum rffpcnex clusapi_get_cluster_name dsr_getsitename getdataex netdiskenum samlogon clusapi_get_cluster_version dsroledominfo getdcname netfileenum samlookupnames clusapi_get_cluster_version2 dswriteaccountspn getdcsitecoverage netfilegetsec samlookuprids clusapi_get_quorum_resource echoaddone getdispinfoidx netnamevalidate samquerysecobj clusapi_get_resource_state echodata getdispname netremotetod setdriver clusapi_offline_resource enumalsgroups getdompwinfo netrenumtrusteddomains setform clusapi_online_resource enumdata getdriver netrenumtrusteddomainsex setjob clusapi_open_cluster enumdataex getdriverdir netsessdel setprinter clusapi_open_resource enumdomains getdriverpackagepath netsessenum setprinterdata
Let's see whether any of these functions are useful to us.
We can try to enumerate the domain, but that is not available.
Enumerating the other ports
enum4linux 192.168.182.40
smbclient -N -L \\\\192.168.182.40\\

3389

Even though we do not know a username or password, we can still use this port to try to gather related information.
But it still yields nothing useful.

5357

Searching turned up a possible RCE for this port; let's first check whether it works.
Generate our own shell.
The code inside needs some changes to be compatible with Python 3.
Then start the listener; note that we are using a Meterpreter shell, so the matching listener has to be used.
That does not work, so let's switch to a different approach.