
Hepet

May 26, 2021

Intermediate

Macro exploit

Port scan

$ ports=$(nmap 192.168.208.140 -p- --min-rate=1000 -T4 | grep -E '[0-9]\/tcp' | awk -F '/' '{print $1}' | tr '\n' ',')

$ echo $ports
25,79,105,106,110,135,139,143,443,445,2224,5040,7680,8000,11100,20001,33006,49664,49665,49666,49667,49668,49669,

$ nmap 192.168.208.140 -sCV -p $ports
PORT      STATE SERVICE        VERSION
25/tcp    open  smtp           Mercury/32 smtpd (Mail server account Maiser)
|_smtp-commands: localhost Hello nmap.scanme.org; ESMTPs are:, TIME
79/tcp    open  finger         Mercury/32 fingerd
| finger: Login: Admin         Name: Mail System Administrator\x0D
| \x0D
|_[No profile information]\x0D
105/tcp   open  ph-addressbook Mercury/32 PH addressbook server
106/tcp   open  pop3pw         Mercury/32 poppass service
110/tcp   open  pop3           Mercury/32 pop3d
|_pop3-capabilities: EXPIRE(NEVER) APOP USER TOP UIDL
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
143/tcp   open  imap           Mercury/32 imapd 4.62
|_imap-capabilities: AUTH=PLAIN OK IMAP4rev1 CAPABILITY complete X-MERCURY-1A0001
443/tcp   open  ssl/http       Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_http-title: 400 Bad Request
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
| http-methods: 
|_  Potentially risky methods: TRACE
| tls-alpn: 
|_  http/1.1
445/tcp   open  microsoft-ds?
2224/tcp  open  http           Mercury/32 httpd
|_http-title: Mercury HTTP Services
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
8000/tcp  open  http           Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Time Travel Company Page
11100/tcp open  vnc            VNC (protocol 3.8)
| vnc-info: 
|   Protocol version: 3.8
|   Security types: 
|_    Unknown security type (40)
20001/tcp open  ftp            FileZilla ftpd 0.9.41 beta
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -r--r--r-- 1 ftp ftp            312 Oct 20  2020 .babelrc
| -r--r--r-- 1 ftp ftp            147 Oct 20  2020 .editorconfig
| -r--r--r-- 1 ftp ftp             23 Oct 20  2020 .eslintignore
| -r--r--r-- 1 ftp ftp            779 Oct 20  2020 .eslintrc.js
| -r--r--r-- 1 ftp ftp            167 Oct 20  2020 .gitignore
| -r--r--r-- 1 ftp ftp            228 Oct 20  2020 .postcssrc.js
| -r--r--r-- 1 ftp ftp            346 Oct 20  2020 .tern-project
| drwxr-xr-x 1 ftp ftp              0 Oct 20  2020 build
| drwxr-xr-x 1 ftp ftp              0 Oct 20  2020 config
| -r--r--r-- 1 ftp ftp           1376 Oct 20  2020 index.html
| -r--r--r-- 1 ftp ftp         425010 Oct 20  2020 package-lock.json
| -r--r--r-- 1 ftp ftp           2454 Oct 20  2020 package.json
| -r--r--r-- 1 ftp ftp           1100 Oct 20  2020 README.md
| drwxr-xr-x 1 ftp ftp              0 Oct 20  2020 src
| drwxr-xr-x 1 ftp ftp              0 Oct 20  2020 static
|_-r--r--r-- 1 ftp ftp            127 Oct 20  2020 _redirects
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
|_ftp-bounce: bounce working!
33006/tcp open  unknown
| fingerprint-strings: 
|   DNSStatusRequestTCP, GetRequest, HTTPOptions, Help, LANDesk-RC, LDAPBindReq, NCP, NULL, RPCCheck, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, giop: 
|_    Host '192.168.45.179' is not allowed to connect to this MariaDB server
49664/tcp open  msrpc          Microsoft Windows RPC
49665/tcp open  msrpc          Microsoft Windows RPC
49666/tcp open  msrpc          Microsoft Windows RPC
49667/tcp open  msrpc          Microsoft Windows RPC
49668/tcp open  msrpc          Microsoft Windows RPC
49669/tcp open  msrpc          Microsoft Windows RPC
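As an added example (not the author's own tooling), the Python script below parses `nmap -sCV` output in the format of the listing above into a per-port structure, rebuilds the comma-separated port list that the `grep | awk | tr` pipeline produced, and then reviews the result from a defender's side: it flags the findings this scan surfaces, namely the finger service leaking account names, anonymous FTP login and FTP bounce, HTTP TRACE, and the TLS certificate that expired in 2019. The embedded sample is an abridged copy of the scan output shown on this page; the `parse_nmap`, `open_ports` and `triage` functions are assumptions made for this example, not part of any nmap API.

```python
import re
from datetime import datetime, timezone

# Abridged copy of the nmap -sCV listing from this page (constructed sample input).
NMAP_OUTPUT = """\
PORT      STATE SERVICE        VERSION
25/tcp    open  smtp           Mercury/32 smtpd (Mail server account Maiser)
79/tcp    open  finger         Mercury/32 fingerd
| finger: Login: Admin         Name: Mail System Administrator
|_[No profile information]
443/tcp   open  ssl/http       Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
| http-methods:
|_  Potentially risky methods: TRACE
20001/tcp open  ftp            FileZilla ftpd 0.9.41 beta
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_ftp-bounce: bounce working!
49664/tcp open  msrpc          Microsoft Windows RPC
"""

# A port line looks like "443/tcp   open  ssl/http       Apache httpd ..."
PORT_RE = re.compile(r'^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$')


def parse_nmap(text):
    """Return one dict per port line; NSE script lines ("| ..." / "|_ ...") are
    attached to the port they follow, with the leading pipe decoration removed."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                'port': int(m.group(1)), 'proto': m.group(2), 'state': m.group(3),
                'service': m.group(4), 'version': m.group(5).strip(), 'scripts': [],
            })
        elif line.startswith('|') and ports:
            ports[-1]['scripts'].append(line.lstrip('|_ ').strip())
    return ports


def open_ports(ports):
    """Same result as the grep/awk/tr pipeline: a comma-joined list of open ports."""
    return ','.join(str(p['port']) for p in ports if p['state'] == 'open')


def triage(ports, now=None):
    """Flag weak or risky configurations that are visible in the script output.
    Returns (port_tag, message) pairs suitable for an exposure report."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for p in ports:
        scripts = '\n'.join(p['scripts'])
        tag = f"{p['port']}/{p['proto']} {p['service']}"
        if p['service'] == 'finger':
            findings.append((tag, 'finger service exposes account names; disable or firewall'))
        if 'Anonymous FTP login allowed' in scripts:
            findings.append((tag, 'anonymous FTP login enabled'))
        if 'bounce working' in scripts:
            findings.append((tag, 'FTP bounce (PORT to third-party hosts) allowed'))
        if 'Potentially risky methods: TRACE' in scripts:
            findings.append((tag, 'HTTP TRACE enabled'))
        m = re.search(r'Not valid after:\s*(\S+)', scripts)
        if m:
            expiry = datetime.fromisoformat(m.group(1)).replace(tzinfo=timezone.utc)
            if expiry < now:
                findings.append((tag, f'TLS certificate expired on {expiry.date()}'))
    return findings


if __name__ == '__main__':
    parsed = parse_nmap(NMAP_OUTPUT)
    print('open ports:', open_ports(parsed))
    for tag, msg in triage(parsed):
        print(f'[!] {tag}: {msg}')
```

Feeding the full listing instead of the abridged sample works the same way; the triage rules only look at the NSE script text attached to each port, so adding a rule is one more substring or regex check in `triage`.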

Check for SMB anonymous login: no luck.

$ smbmap -H 192.168.208.140 -u 'anonymous' -p 'anonymous'
$ smbmap -H 192.168.208.140 -u '' -p ''

Port 79: finger

Enumerate users with pentestmonkey's finger-user-enum:

$ ./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 192.168.208.140 | grep -v 'is not known'

admin@192.168.208.140: Login: admin         Name: Mail System Administrator..
agnes@192.168.208.140: Login: agnes         Name: Agnes....[No profile information]..
charlotte@192.168.208.140: Login: charlotte         Name: Charlotte....[No profile information]..
jonas@192.168.208.140: Login: jonas         Name: Jonas....[No profile information]..
magnus@192.168.208.140: Login: magnus         Name: Magnus....[No profile information]..
martha@192.168.208.140: Login: martha         Name: Martha....[No profile information]..
