Open WDavid404 opened 1 month ago
21/tcp open ftp syn-ack ttl 125 Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 04-29-20 10:31PM <DIR> ImapRetrieval | 07-11-24 09:08PM <DIR> Logs | 04-29-20 10:31PM <DIR> PopRetrieval |_04-29-20 10:32PM <DIR> Spool | ftp-syst: |_ SYST: Windows_NT 80/tcp open http syn-ack ttl 125 Microsoft IIS httpd 10.0 |_http-title: IIS Windows | http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC 139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? syn-ack ttl 125 9998/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) | http-title: Site doesn't have a title (text/html; charset=utf-8). |_Requested resource was /interface/root |_http-favicon: Unknown favicon MD5: 9D7294CAAB5C2DF4CD916F53653714D5 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Microsoft-IIS/10.0 | uptime-agent-info: HTTP/1.1 400 Bad Request\x0D | Content-Type: text/html; charset=us-ascii\x0D | Server: Microsoft-HTTPAPI/2.0\x0D | Date: Fri, 12 Jul 2024 04:11:34 GMT\x0D | Connection: close\x0D | Content-Length: 326\x0D | \x0D | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">\x0D | <HTML><HEAD><TITLE>Bad Request</TITLE>\x0D | <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>\x0D | <BODY><h2>Bad Request - Invalid Verb</h2>\x0D | <hr><p>HTTP Error 400. The request verb is invalid.</p>\x0D |_</BODY></HTML>\x0D Device type: general purpose Running (JUST GUESSING): Microsoft Windows XP (90%)
ftp with anonymouse succeed, downloads all files from Logs dir ---> didn't find useful info
Access http://192.168.237.65:9998/ and see the source code of page -->
search exploit --> https://www.exploit-db.com/exploits/49216 (SmarterMail Build 6985 - Remote Code Execution) modify LHOST and RHOST in 49216.py
python3 49216.py --> we can get a reverse shell from the target host.
we can get proof.txt in administrator/desktop folder.
ftp with anonymouse succeed, downloads all files from Logs dir ---> didn't find useful info
Access http://192.168.237.65:9998/ and see the source code of page -->
search exploit --> https://www.exploit-db.com/exploits/49216 (SmarterMail Build 6985 - Remote Code Execution) modify LHOST and RHOST in 49216.py
python3 49216.py --> we can get a reverse shell from the target host.
we can get proof.txt in administrator/desktop folder.