第一次打window 从简单的开始打起吧

nmap 
└─# nmap -p- -A 192.168.150.65

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-10 00:19 UTC

Stats: 0:04:38 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan

NSE Timing: About 97.50% done; ETC: 00:24 (0:00:00 remaining)

Nmap scan report for 192.168.150.65

Host is up (0.071s latency).

Not shown: 65520 closed tcp ports (reset)

PORT      STATE SERVICE       VERSION

21/tcp    open  ftp           Microsoft ftpd

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

| 04-29-20  09:31PM       <DIR>          ImapRetrieval

| 12-09-24  04:19PM       <DIR>          Logs

| 04-29-20  09:31PM       <DIR>          PopRetrieval

|_04-29-20  09:32PM       <DIR>          Spool

| ftp-syst:

|_  SYST: Windows_NT

80/tcp    open  http          Microsoft IIS httpd 10.0

|_http-server-header: Microsoft-IIS/10.0

|_http-title: IIS Windows

| http-methods:

|_  Potentially risky methods: TRACE

135/tcp   open  msrpc         Microsoft Windows RPC

139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn

445/tcp   open  microsoft-ds?

5040/tcp  open  unknown

7680/tcp  open  pando-pub?

9998/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

| uptime-agent-info: HTTP/1.1 400 Bad Request\x0D

| Content-Type: text/html; charset=us-ascii\x0D

| Server: Microsoft-HTTPAPI/2.0\x0D

| Date: Tue, 10 Dec 2024 00:24:05 GMT\x0D

| Connection: close\x0D

| Content-Length: 326\x0D

| \x0D

| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">\x0D

| <HTML><HEAD><TITLE>Bad Request</TITLE>\x0D

| <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>\x0D

| <BODY><h2>Bad Request - Invalid Verb</h2>\x0D

| <hr><p>HTTP Error 400. The request verb is invalid.</p>\x0D

|_</BODY></HTML>\x0D

| http-title: Site doesn't have a title (text/html; charset=utf-8).

|_Requested resource was /interface/root

|_http-server-header: Microsoft-IIS/10.0

17001/tcp open  remoting      MS .NET Remoting services

49664/tcp open  msrpc         Microsoft Windows RPC

49665/tcp open  msrpc         Microsoft Windows RPC

49666/tcp open  msrpc         Microsoft Windows RPC

49667/tcp open  msrpc         Microsoft Windows RPC

49668/tcp open  msrpc         Microsoft Windows RPC

49669/tcp open  msrpc         Microsoft Windows RPC

No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

TCP/IP fingerprint:

OS:SCAN(V=7.94SVN%E=4%D=12/10%OT=21%CT=1%CU=43118%PV=Y%DS=4%DC=T%G=Y%TM=675

OS:78A35%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=109%TI=I%CI=I%TS=U)SEQ(

OS:SP=106%GCD=1%ISR=10A%TI=I%CI=I%TS=U)OPS(O1=M578NW8NNS%O2=M578NW8NNS%O3=M

OS:578NW8%O4=M578NW8NNS%O5=M578NW8NNS%O6=M578NNS)WIN(W1=FFFF%W2=FFFF%W3=FFF

OS:F%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M578NW8NNS%CC=N%Q=)

OS:T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=80%W=

OS:0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T

OS:6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=80%IPL=1

OS:64%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=N)

Network Distance: 4 hops

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:

| smb2-security-mode:

|   3:1:1:

|_    Message signing enabled but not required

| smb2-time:

|   date: 2024-12-10T00:24:08

|_  start_date: N/A

TRACEROUTE (using port 1723/tcp)

HOP RTT      ADDRESS

1   69.46 ms 192.168.45.1

2   69.45 ms 192.168.45.254

3   70.07 ms 192.168.251.1

4   70.55 ms 192.168.150.65

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 292.72 seconds

访问9998端口



发现cms但是没版本

搜索exp 由于他是easy难度所以觉得应该不会太难

https://www.exploit-db.com/exploits/49216

尝试这个exp

成功 而且好像就是system了 不用提权

Algernon pg walkthrough Window的更多相关文章

  1. ZK 长时操作带进度条

    LongProcess.zul: <?xml version="1.0" encoding="UTF-8"?> <window id=&quo ...

  2. algernon 基于golang 的独立的支持redis lua pg。。。 的web server

    algernon 看到github 的介绍很很强大,一下子想到了openresty,功能看着很强大,支持 redis pg lua markdown quic http2 mysql 限速 pongo ...

  3. JavaScript_解决safari浏览器window.open无法实现的问题

    解决 safari window.open 无法实现的问题 先说下问题是什么吧: safari 中没办法在回调函数里面执行window.open, 原因是safari的安全机制将其阻挡了(具体的原因可 ...

  4. Walkthrough: Arranging Controls on Windows Forms Using Snaplines

    https://msdn.microsoft.com/en-us/library/t5b5kc41(v=vs.110).aspx Spacing and Aligning Controls Using ...

  5. Burp Suite Walkthrough(英文版)

    Burp Suite is one of the best tools available for web application testing. Its wide variety of featu ...

  6. Burp Suite Walkthrough

    Burp Suite is one of the best tools available for web application testing. Its wide variety of featu ...

  7. Making your first driver - complete walkthrough(使用VisualDDK)

    This article describes how to create, build and debug your first driver using Visual Studio and Visu ...

  8. [转帖]PG的简单备份恢复 找时间进行测试

    转帖PG的简单使用 https://blog.csdn.net/lk_db/article/details/77971634 一: 纯文件格式的脚本: 示例:1. 只导出postgres数据库的数据, ...

  9. [Windows Azure] Walkthrough to Configure System Center Management Pack for Windows Azure Fabric Preview for SCOM 2012 SP1 (with a MetricsHub Bonus)

    The wait is finally over. This is a huge update to the Azure Management Pack over the one that was r ...

  10. window postgresql 10.4安装

    window installer下载地址:https://www.enterprisedb.com/downloads/postgres-postgresql-downloads 其他版本官网下载地址 ...

随机推荐

  1. DDCA —— 大缓存、虚拟内存:多核缓存、NUCA缓存、页表等

    1. 缓存中的多核问题 1.1 多核系统中的缓存 Intel Montecito缓存 两个 core,每个都有一个私有的12 MB的L3缓存和一个1 MB的L2缓存,图中深蓝色部分均为L3缓存. 在多 ...

  2. 《刚刚问世》系列初窥篇-Java+Playwright自动化测试-4-启动浏览器-基于Maven(详细教程)

    1.简介 上一篇文章,宏哥已经在搭建的java项目环境中添加jar包实践了如何启动浏览器,今天就在基于maven项目的环境中给小伙伴们或者童鞋们演示一下如何启动浏览器. 2.eclipse中新建mav ...

  3. 基于antlr的表达式解析器——函数生成(通过freemarker)

    第一步.新建一个模板文件以.ftl结尾. Max.ftl /* * Copyright 2002-2007 Robert Breidecker. * * Licensed under the Apac ...

  4. Consul 学习总结

    什么是Consul? Consul是一种服务网络解决方案,使团队能够管理服务之间以及跨本地和多云环境和运行时的安全网络连接.Consul提供服务发现.服务网格(service mesh).流量管理和网 ...

  5. 【Amadeus原创】域密码到期发送提醒邮件的超简单方法

    1,AD服务器下载安装免费的卓豪AD管理工具 https://www.manageengine.cn/products/self-service-password/free-password-expi ...

  6. JVM 语言的探索发现

    又在 WIKI 上溜达了一下 https://en.wikipedia.org/wiki/List_of_JVM_languages,有一些新的发现: ColdFusion Markup Langua ...

  7. DSL 和 reactive 噩梦

    Kotlin 之美-DSL篇 - 掘金 像 Compose 那样写代码 :Kotlin DSL 原理与实战_fundroid_方卓的博客-CSDN博客 先找好一个靶子: val yesterday = ...

  8. Windows 11 下 Virtualbox 6.1.34 出现 End kernel panic - not syncing: attempted to kill the idle task

    前言小半年没用 Virtualbox 了,切换到了 VMware,今天又切换回去(无聊),但是安装虚拟机出现这个错误. 解决方法根据 Virtualbox 论坛的讨论[1]和[2],首先明确 系统必须 ...

  9. Qt/C++音视频开发81-采集本地麦克风/本地摄像头带麦克风/桌面采集和麦克风/本地设备和桌面推流

    一.前言 随着直播的兴起,采集本地摄像头和麦克风进行直播推流,也是一个刚需,最简单的做法是直接用ffmpeg命令行采集并推流,这种方式简单粗暴,但是不能实时预览画面,而且不方便加上一些特殊要求.之前就 ...

  10. Qt/C++音视频开发79-采集websocket视频流/打开ws开头的地址/音视频同步/保存到MP4文件/视频回放

    一.前言 随着音视频的爆发式的增长,各种推拉流应用场景应运而生,基本上都要求各个端都能查看实时视频流,比如PC端.手机端.网页端,在网页端用websocket来接收并解码实时视频流显示,是一个非常常规 ...