PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP) 554/tcp open rtsp? 1100/tcp open java-rmi Java RMI Registry | rmi-dumpregistry: | creamtec/ajaxswing/JVMFactory | com.creamtec.ajaxswing.core.JVMFactory_Stub | @10.11.1.73:49157 | extends | java.rmi.server.RemoteStub | extends |_ java.rmi.server.RemoteObject 2869/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 3306/tcp open mysql MySQL (unauthorized; French) 3389/tcp open ms-wbt-server? |_ssl-date: 2019-05-09T12:17:10+00:00; -22s from scanner time. 5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Service Unavailable 5800/tcp open vnc-http TightVNC (user: gamma; VNC TCP port: 5900) |_http-title: TightVNC desktop [gamma] 5900/tcp open vnc VNC (protocol 3.8) | vnc-info: | Protocol version: 3.8 | Security types: | VNC Authentication (2) | Tight (16) | Tight auth subtypes: |_ STDV VNCAUTH_ (2) 8080/tcp open http Apache httpd 2.4.9 ((Win32) PHP/5.5.12) |_http-open-proxy: Proxy might be redirecting requests | http-robots.txt: 1 disallowed entry |_/testmysql.php |_http-server-header: Apache/2.4.9 (Win32) PHP/5.5.12 |_http-title: Site doesn’t have a title (text/html). 10243/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49156/tcp open msrpc Microsoft Windows RPC 49157/tcp open rmiregistry Java RMI 49159/tcp open rmiregistry Java RMI

http://10.11.1.73:8080/robots.txt

User-agent: * Allow: /PHP/

http://10.11.1.73:8080/PHP/

https://www.ovidentia.org/index.php?tg=posts&flat=1&forum=7&thread=219&pos=

default admin credentials is

admin@admin.bab:012345678

在网站设置处更改网站上传文件限制sites/name/File upload configuration/

change the size limit more and change the path to C:\wamp\www\PHP\/images

upload file in the forum and the file can be found in http://10.11.1.73:8080/PHP/images/forums/

upload webshell to it

use netstat -an found servel port which dont have appear in the nmap scan result.

the local machine installed Symantec Endpoint Protection Manager which has RCE

https://www.exploit-db.com/exploits/31853

forward the port 9090 to local and use exp to get root