21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22 07:35PM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh
| ssh-hostkey:
| 3072 c7:1a:f6:81:ca:17:78:d0:27:db:cd:46:2a:09:2b:54 (RSA)
| 256 3e:63:ef:3b:6e:3e:4a:90:f3:4c:02:e9:40:67:2e:42 (ECDSA)
|_ 256 5a:48:c8:cd:39:78:21:29:ef:fb:ae:82:1d:03:ad:af (ED25519)
80/tcp open http
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5666/tcp open nrpe
6699/tcp open napster
8443/tcp open https-alt
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after: 2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-04-20T12:27:50
|_ start_date: N/A
FTP allows anonymous login, and browsing it turns up two txt files.
Visiting port 80 and Googling the application running there turns up an n-day arbitrary file read; I used it to read the passwords.
Then I sprayed the recovered credentials to confirm which username/password pair is valid.
An SSH login confirms the pair.
I had already looked up the NSClient++ on 8443: it has two known vulnerabilities, an RCE and a privilege escalation.
So the natural move is to try the privilege escalation, which first requires getting hold of the NSClient++ password. (I initially tried reading it through the port 80 file-read bug, but for some reason that failed; the permissions on that path seem to be locked down tight.) With the SSH shell it is just a matter of dumping the config:
type "C:\Program Files\NSClient++\nsclient.ini"
After that there is nothing special: search for the exploit and follow it step by step. The one catch is that the NSClient++ web API only accepts connections from the allowed hosts in its config (loopback here), so it has to be reached locally; an SSH port forward takes care of that.
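As an added example, not code from the original write-up, the following Python reads an nsclient.ini of the kind the `type` command above dumps, extracts the web password and the `allowed hosts` setting, and decides whether the 8443 API is reachable directly or only through an SSH local port forward. The ini text is a constructed sample in the standard NSClient++ layout; the password, the attacker address and the target address are placeholders, not values from the box.

```python
import configparser
import ipaddress

# Constructed sample in NSClient++ ini layout. The password is a placeholder,
# not the value from the target.
SAMPLE_INI = """\
; NSClient++ configuration (constructed sample)
[/modules]
WEBServer = enabled
CheckExternalScripts = enabled

[/settings/default]
; Only loopback may talk to the API, so remote access needs a port forward
allowed hosts = 127.0.0.1
password = s3cr3tPlaceholder

[/settings/WEB/server]
port = 8443
"""


def parse_nsclient_ini(text):
    """Parse NSClient++ ini text. Keys may contain spaces ('allowed hosts')
    and section names contain slashes ('/settings/default'), both of which
    configparser accepts; interpolation is off so '%' in passwords survives."""
    cp = configparser.ConfigParser(interpolation=None,
                                   comment_prefixes=(";", "#"),
                                   inline_comment_prefixes=(";",))
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    default = cp["/settings/default"] if cp.has_section("/settings/default") else {}
    hosts = [h.strip() for h in default.get("allowed hosts", "").split(",") if h.strip()]
    return {
        "password": default.get("password"),
        "allowed_hosts": hosts,
        "port": int(cp.get("/settings/WEB/server", "port", fallback="8443")),
        "external_scripts": cp.get("/modules", "CheckExternalScripts",
                                   fallback="disabled").lower() == "enabled",
    }


def needs_port_forward(allowed_hosts, attacker_ip):
    """True if the web API would reject a direct connection from attacker_ip.
    An empty 'allowed hosts' means unrestricted; CIDR entries are honoured;
    hostname entries cannot be resolved offline and are treated as no match."""
    if not allowed_hosts:
        return False
    ip = ipaddress.ip_address(attacker_ip)
    for entry in allowed_hosts:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue
        if ip in net:
            return False
    return True


def forward_command(user, target, port):
    """SSH local forward: https://127.0.0.1:<port> on the attacking host is
    tunnelled to the same port on the target's loopback interface."""
    return f"ssh -L {port}:127.0.0.1:{port} {user}@{target}"


if __name__ == "__main__":
    # Placeholder addresses; substitute the real ones when running on an engagement.
    cfg = parse_nsclient_ini(SAMPLE_INI)
    print("web password:", cfg["password"])
    print("allowed hosts:", cfg["allowed_hosts"])
    if needs_port_forward(cfg["allowed_hosts"], "10.10.14.5"):
        print("API is loopback-only, forward it first:")
        print("  " + forward_command("user", "10.10.10.1", cfg["port"]))
```

Run it against the real file with `parse_nsclient_ini(open(path).read())`; with `allowed hosts = 127.0.0.1` it reports that a forward is needed and prints the `ssh -L` line, after which the NSClient++ web UI answers on https://127.0.0.1:8443 of the attacking host and the rest of the published exploit can be followed as if it were run locally.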