Date
Mar 20, 2025
Tag
Nmap
Web Exploitation
Privilege Escalation Techniques
192.168.247.168
Nmap
└─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 06:39 EDT
Warning: 192.168.247.168 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.247.168
Host is up (0.057s latency).
Not shown: 65130 closed tcp ports (conn-refused), 386 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
3700/tcp open lrs-paging
4848/tcp open appserv-http
5040/tcp open unknown
6060/tcp open x11
7676/tcp open imqbrokerd
7680/tcp open pando-pub
8080/tcp open http-proxy
8181/tcp open intermapper
8686/tcp open sun-as-jmxrmi
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 26.85 seconds
└─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 06:40 EDT
Warning: 192.168.247.168 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.247.168
Host is up (0.064s latency).
Not shown: 65123 closed tcp ports (conn-refused), 393 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
3700/tcp open lrs-paging
4848/tcp open appserv-http
5040/tcp open unknown
6060/tcp open x11
7676/tcp open imqbrokerd
7680/tcp open pando-pub
8080/tcp open http-proxy
8181/tcp open intermapper
8686/tcp open sun-as-jmxrmi
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 26.68 seconds
139,445

nothing found
3700

4848

We tried weak passwords to log in, but failed.
8080

192.168.190.168
4848
We can use this vulnerability to find the GlassFish account information.

└─# echo aLatQQ3qEJHinsX4N/+V/45mJwFSkXN5w7vz3P6kHy4jrX+U7hXCkQ== | base64 -d | xxd -p -c 40 | sed 's/.\{64\}/&:/'
68b6ad410dea1091e29ec5f837ff95ff8e66270152917379c3bbf3dcfea41f2e:23ad7f94ee15c291
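The decode step above, reproduced in Python as an added example that is not part of the original writeup: it splits the GlassFish `{SSHA256}` value into its 32-byte digest and 8-byte salt exactly as the shell pipeline does, and adds the encode/verify pair a file realm performs at login. The 8-byte salt length and the construction SHA-256(password || salt) are assumptions about the GlassFish format, not something the page states.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import os

# Stored value copied from the decode step above (the page's own blob).
PAGE_BLOB = "aLatQQ3qEJHinsX4N/+V/45mJwFSkXN5w7vz3P6kHy4jrX+U7hXCkQ=="

DIGEST_LEN = 32  # SHA-256 digest
SALT_LEN = 8     # assumption: GlassFish file realm appends an 8-byte salt


def split_ssha256(value: str) -> tuple[bytes, bytes]:
    """Decode a GlassFish {SSHA256} value into (digest, salt).

    The keyfile stores base64(digest || salt); an optional {SSHA256}
    prefix is stripped first so it is not mistaken for base64 data.
    """
    raw = base64.b64decode(value.removeprefix("{SSHA256}"), validate=True)
    if len(raw) != DIGEST_LEN + SALT_LEN:
        raise ValueError(f"expected {DIGEST_LEN + SALT_LEN} bytes, got {len(raw)}")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def to_hash_salt(value: str) -> str:
    """Reproduce the shell pipeline's output: hex(digest):hex(salt)."""
    digest, salt = split_ssha256(value)
    return f"{digest.hex()}:{salt.hex()}"


def encode_ssha256(password: str, salt: bytes = b"") -> str:
    """Build a stored value the way the realm does (assumed: SHA-256(password || salt))."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha256(value: str, password: str) -> bool:
    """Check a password against a stored value; the digest comparison is constant-time."""
    digest, salt = split_ssha256(value)
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


if __name__ == "__main__":
    print(to_hash_salt(PAGE_BLOB))
    # Constructed demo entry with a fixed salt so the round trip is reproducible.
    demo = encode_ssha256("constructed-demo-password", salt=bytes(range(SALT_LEN)))
    print(demo, verify_ssha256(demo, "constructed-demo-password"))
```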

Try to crack the password
failed
We can use Local File Inclusion to find the Synaman credentials.


Can't, but we can try other services, such as RDP.

Logged in successfully.

wow, use it
this is how to use it
The AV has expired, but we can get the shell this way.