Date: Mar 25, 2025 → Mar 25, 2025
Tags: Nmap, Network Scanning, Web Application Security
192.168.134.93
Nmap
└─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-25 03:56 EDT
Nmap scan report for 192.168.134.93
Host is up (0.053s latency).
Not shown: 65520 filtered tcp ports (no-response)
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp closed domain
80/tcp open http
6379/tcp open redis
10091/tcp closed unknown
10092/tcp closed unknown
10093/tcp closed unknown
10094/tcp closed unknown
10095/tcp closed unknown
10096/tcp closed unknown
10097/tcp closed unknown
10099/tcp closed unknown
10100/tcp closed itap-ddtp
Nmap done: 1 IP address (1 host up) scanned in 26.53 seconds
└─# nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-25 03:56 EDT
Nmap scan report for 192.168.134.93
Host is up (0.31s latency).
All 65535 scanned ports on 192.168.134.93 are in ignored states.
Not shown: 65535 open|filtered udp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 29.04 seconds
└─# nmap -Pn -n $ip -sC -sV -p- --open -oN nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-25 03:57 EDT
Nmap scan report for 192.168.134.93
Host is up (0.065s latency).
Not shown: 65519 filtered tcp ports (no-response), 12 closed tcp ports (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.45.160
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 0 0 6 Apr 01 2020 pub [NSE: writeable]
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 21:94:de:d3:69:64:a8:4d:a8:f0:b5:0a:ea:bd:02:ad (RSA)
| 256 67:42:45:19:8b:f5:f9:a5:a4:cf:fb:87:48:a2:66:d0 (ECDSA)
| 256 f3:e2:29:a3:41:1e:76:1e:b1:b7:46:dc:0b:b9:91:77 (ED25519)
80/tcp open http?
| http-robots.txt: 11 disallowed entries
| /config/ /system/ /themes/ /vendor/ /cache/
| /changelog.txt /composer.json /composer.lock /composer.phar /search/
|_/admin/
6379/tcp open redis Redis key-value store 5.0.9
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 336.47 seconds
21

nothing found

found some passwords we can use

also nothing
80

found a login page

admin:admin
fail login
nothing useful

6379

we know the target machine's redis version is 5.0.9, so we can try this script
we need to compile exp.so and import it into redis

we can log in to it

add our id to their authorized_keys, then we can log in without a password
got into it
forgot to note it down……
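
From the defender's side, the 6379 path above depends on Redis accepting commands from the network and on module loading being available to that client. The following is an added example, not part of the original notes: it audits a redis.conf for those settings using the protected-mode behaviour documented for Redis 5.x. The sample configs are constructed, and the names `audit_redis_conf` and the finding ids are hypothetical.

```python
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
RISKY_COMMANDS = ("MODULE", "CONFIG")  # module loading, runtime reconfiguration

def parse_conf(text):
    """Return (settings, renamed) from redis.conf text; the last directive wins."""
    settings, renamed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = shlex.split(line)
        if key.lower() == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1]  # "" means the command is disabled
        else:
            settings[key.lower()] = args
    return settings, renamed

def audit_redis_conf(text):
    """Return a list of finding ids (hypothetical names) for a Redis 5.x config."""
    settings, renamed = parse_conf(text)
    binds = settings.get("bind", [])
    has_auth = bool("".join(settings.get("requirepass", [])))
    protected = (settings.get("protected-mode") or ["yes"])[0].lower() == "yes"
    # Redis 5.x: with no bind directive the server listens on all interfaces,
    # and protected mode limits clients to loopback only when no password is set.
    remote = any(b not in LOOPBACK for b in binds) or (
        not binds and (has_auth or not protected))
    findings = []
    if remote:
        findings.append("listens-beyond-loopback")
        if not has_auth:
            findings.append("no-password-for-remote-clients")
    if not protected:
        findings.append("protected-mode-disabled")
    for cmd in RISKY_COMMANDS:
        if cmd not in renamed:  # neither renamed nor disabled
            findings.append(f"{cmd.lower()}-command-available")
    return findings

# Constructed sample configs (not taken from the target machine).
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = """# constructed example
bind 127.0.0.1
protected-mode yes
requirepass "constructed-long-random-secret"
rename-command MODULE ""
rename-command CONFIG ""
"""
```

The config file cannot show which account the Redis process runs as or whether that account can write to a `.ssh` directory, so check those on the host separately.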