vmdak
Date: Mar 27, 2025
Tags: Nmap, Brute Force, Credential Harvesting

192.168.125.103

Nmap

└─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-27 06:42 EDT
Nmap scan report for 192.168.125.103
Host is up (0.051s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
9443/tcp open  tungsten-https
Nmap done: 1 IP address (1 host up) scanned in 14.55 seconds

└─# nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-27 06:42 EDT
Warning: 192.168.125.103 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.125.103
Host is up (0.050s latency).
All 65535 scanned ports on 192.168.125.103 are in ignored states.
Not shown: 65387 open|filtered udp ports (no-response), 148 closed udp ports (port-unreach)
Nmap done: 1 IP address (1 host up) scanned in 144.90 seconds

└─# nmap -Pn -n $ip -sC -sV -p- --open -oN nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-27 06:42 EDT
Nmap scan report for 192.168.125.103
Host is up (0.064s latency).
Not shown: 64592 closed tcp ports (reset), 939 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 1752 Sep 19 2024 config.xml
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.251.125
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
22/tcp   open  ssh      OpenSSH 9.6p1 Ubuntu 3ubuntu13.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 76:18:f1:19:6b:29:db:da:3d:f6:7b:ab:f4:b5:63:e0 (ECDSA)
|   256 cb:d8:d6:ef:82:77:8a:25:32:08:dd:91:96:8d:ab:7d (ED25519)
80/tcp   open  http     Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.58 (Ubuntu)
9443/tcp open  ssl/http Apache httpd 2.4.58 ((Ubuntu))
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=vmdak.local/organizationName=PrisonManagement/stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:vmdak.local
| Not valid before: 2024-08-20T09:21:33
|_Not valid after: 2025-08-20T09:21:33
| tls-alpn:
|   http/1.1
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.17 seconds
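
For the reporting side of this scan, here is an added example (not part of the original write-up) that parses `-oN` output like the above and flags the exposures it reveals: anonymous FTP, the file it lists, the plaintext control channel and the default Apache page. The rule list, function names and finding texts are assumptions made for illustration.

```python
import re
# Excerpt of the scan output above, re-spaced; rule texts and names below are assumptions.
SAMPLE = """\
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 1752 Sep 19 2024 config.xml
| ftp-syst:
|      Control connection is plain text
|_End of status
22/tcp   open  ssh      OpenSSH 9.6p1 Ubuntu 3ubuntu13.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
9443/tcp open  ssl/http Apache httpd 2.4.58 ((Ubuntu))
"""

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)")
LISTING_RE = re.compile(r"^[-d][rwx-]{9}\s")  # ls-style line printed by ftp-anon
# Hypothetical rule set: (substring of NSE script output, finding to report).
RULES = [
    ("Anonymous FTP login allowed", "anonymous FTP enabled; disable it or empty the share"),
    ("Control connection is plain text", "FTP logins sent unencrypted; require TLS or SFTP"),
    ("Default Page", "default web page served; remove the unused site"),
]

def parse_ports(text):
    """Group NSE script lines ('|' or '|_' prefixed) under the open port they follow."""
    ports, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "service": m.group(2), "scripts": []}
            ports.append(current)
        elif current is not None and line.startswith("|"):
            current["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports

def audit(text):
    """Return (port, finding) pairs from rule matches and ftp-anon file listings."""
    findings = []
    for p in parse_ports(text):
        for s in p["scripts"]:
            findings += [(p["port"], msg) for needle, msg in RULES if needle in s]
            if LISTING_RE.match(s):
                findings.append((p["port"], "file exposed to anonymous FTP: " + s.split()[-1]))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{port}/tcp: {msg}" for port, msg in audit(SAMPLE)))
```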

21

  • Config.xml
After brute-forcing, we found more accounts that we could log into
| username | password |
| --- | --- |
| ftp | ftp |
| anonymous | anonymous |
| ftp | b1uRR3 |
The same item shows up under these accounts.

22

nothing

80

nothing

9443

nothing
Logged in successfully
admin:admin123
Malcom:RonnyCache001
Can't log in
The image can be replaced with our code. I tried every reverse shell and none worked, but a bind shell does work.
The password we got before is for the user vmdak.

PE

./chisel_amd64 client 192.168.45.160:8082 R:8085:127.0.0.1:8080
This forwards port 8080, which seems suspicious.
It needs to be forwarded, but I can't because of a network problem.