Attacking Common Services - Easy Lab
May 27, 2024
# Nmap 7.94 scan initiated Tue May 28 14:21:46 2024 as: nmap -sC -sV -oN nmap 10.129.11.207
Nmap scan report for 10.129.11.207
Host is up (0.37s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp
|_ssl-date: 2024-05-28T06:23:45+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US
| Not valid before: 2022-04-21T19:27:17
|_Not valid after: 2032-04-18T19:27:17
| fingerprint-strings:
| GenericLines:
| 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
| Command unknown, not supported or not allowed...
| Command unknown, not supported or not allowed...
| NULL, SMBProgNeg:
| 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
| SSLSessionReq:
| 220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
|_ Command unknown, not supported or not allowed...
25/tcp open smtp hMailServer smtpd
| smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/7.4.29)
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
| http-title: Welcome to XAMPP
|_Requested resource was http://10.129.11.207/dashboard/
443/tcp open ssl/https Core FTP HTTPS Server
|_ssl-date: 2024-05-28T06:23:45+00:00; +4s from scanner time.
| ssl-cert: Subject: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US
| Not valid before: 2022-04-21T19:27:17
|_Not valid after: 2032-04-18T19:27:17
|_http-server-header: Core FTP HTTPS Server
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 401 Unauthorized
| Date:Tue, 28 Apr 2024 06:22:35 GMT
| Server: Core FTP HTTPS Server
| Connection: close
| WWW-Authenticate: Basic realm="Restricted Area"
| Content-Type: text/html
| Content-length: 61
| <BODY>
| <HTML>
| HTTP/1.1 401 Unauthorized
| </BODY>
|_ </HTML>
587/tcp open smtp hMailServer smtpd
| smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
3306/tcp open mysql MySQL 5.5.5-10.4.24-MariaDB
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.4.24-MariaDB
| Thread ID: 11
| Capabilities flags: 63486
| Some Capabilities: FoundRows, Support41Auth, ODBCClient, Speaks41ProtocolOld, LongColumnFlag, IgnoreSigpipes, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, InteractiveClient, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, Speaks41ProtocolNew, SupportsCompression, SupportsTransactions, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: fJ~[0x2-)$z[;RkDRQ|>
|_ Auth Plugin Name: mysql_native_password
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WIN-EASY
| NetBIOS_Domain_Name: WIN-EASY
| NetBIOS_Computer_Name: WIN-EASY
| DNS_Domain_Name: WIN-EASY
| DNS_Computer_Name: WIN-EASY
| Product_Version: 10.0.17763
|_ System_Time: 2024-05-28T06:22:48+00:00
|_ssl-date: 2024-05-28T06:23:44+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=WIN-EASY
| Not valid before: 2024-05-27T06:20:20
|_Not valid after: 2024-11-26T06:20:20
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: WIN-EASY; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 2s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 28 14:24:01 2024 -- 1 IP address (1 host up) scanned in 135.70 seconds


When I upload over FTP, I'm not getting any reverse shell; instead it just downloads the file and doesn't execute any of the code inside the reverse shell.
So I moved to PHP, which is in the XAMPP htdocs.



Finding flag in Windows cmd

Retrieving the flag

