第一次打window 从简单的开始打起吧

nmap 
└─# nmap -p- -A 192.168.150.65

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-10 00:19 UTC

Stats: 0:04:38 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan

NSE Timing: About 97.50% done; ETC: 00:24 (0:00:00 remaining)

Nmap scan report for 192.168.150.65

Host is up (0.071s latency).

Not shown: 65520 closed tcp ports (reset)

PORT      STATE SERVICE       VERSION

21/tcp    open  ftp           Microsoft ftpd

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

| 04-29-20  09:31PM       <DIR>          ImapRetrieval

| 12-09-24  04:19PM       <DIR>          Logs

| 04-29-20  09:31PM       <DIR>          PopRetrieval

|_04-29-20  09:32PM       <DIR>          Spool

| ftp-syst:

|_  SYST: Windows_NT

80/tcp    open  http          Microsoft IIS httpd 10.0

|_http-server-header: Microsoft-IIS/10.0

|_http-title: IIS Windows

| http-methods:

|_  Potentially risky methods: TRACE

135/tcp   open  msrpc         Microsoft Windows RPC

139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn

445/tcp   open  microsoft-ds?

5040/tcp  open  unknown

7680/tcp  open  pando-pub?

9998/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

| uptime-agent-info: HTTP/1.1 400 Bad Request\x0D

| Content-Type: text/html; charset=us-ascii\x0D

| Server: Microsoft-HTTPAPI/2.0\x0D

| Date: Tue, 10 Dec 2024 00:24:05 GMT\x0D

| Connection: close\x0D

| Content-Length: 326\x0D

| \x0D

| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">\x0D

| <HTML><HEAD><TITLE>Bad Request</TITLE>\x0D

| <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>\x0D

| <BODY><h2>Bad Request - Invalid Verb</h2>\x0D

| <hr><p>HTTP Error 400. The request verb is invalid.</p>\x0D

|_</BODY></HTML>\x0D

| http-title: Site doesn't have a title (text/html; charset=utf-8).

|_Requested resource was /interface/root

|_http-server-header: Microsoft-IIS/10.0

17001/tcp open  remoting      MS .NET Remoting services

49664/tcp open  msrpc         Microsoft Windows RPC

49665/tcp open  msrpc         Microsoft Windows RPC

49666/tcp open  msrpc         Microsoft Windows RPC

49667/tcp open  msrpc         Microsoft Windows RPC

49668/tcp open  msrpc         Microsoft Windows RPC

49669/tcp open  msrpc         Microsoft Windows RPC

No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

TCP/IP fingerprint:

OS:SCAN(V=7.94SVN%E=4%D=12/10%OT=21%CT=1%CU=43118%PV=Y%DS=4%DC=T%G=Y%TM=675

OS:78A35%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=109%TI=I%CI=I%TS=U)SEQ(

OS:SP=106%GCD=1%ISR=10A%TI=I%CI=I%TS=U)OPS(O1=M578NW8NNS%O2=M578NW8NNS%O3=M

OS:578NW8%O4=M578NW8NNS%O5=M578NW8NNS%O6=M578NNS)WIN(W1=FFFF%W2=FFFF%W3=FFF

OS:F%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M578NW8NNS%CC=N%Q=)

OS:T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=80%W=

OS:0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T

OS:6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=80%IPL=1

OS:64%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=N)

Network Distance: 4 hops

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:

| smb2-security-mode:

|   3:1:1:

|_    Message signing enabled but not required

| smb2-time:

|   date: 2024-12-10T00:24:08

|_  start_date: N/A

TRACEROUTE (using port 1723/tcp)

HOP RTT      ADDRESS

1   69.46 ms 192.168.45.1

2   69.45 ms 192.168.45.254

3   70.07 ms 192.168.251.1

4   70.55 ms 192.168.150.65

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 292.72 seconds

访问9998端口



发现cms但是没版本

搜索exp 由于他是easy难度所以觉得应该不会太难

https://www.exploit-db.com/exploits/49216

尝试这个exp

成功 而且好像就是system了 不用提权

Algernon pg walkthrough Window的更多相关文章

  1. ZK 长时操作带进度条

    LongProcess.zul: <?xml version="1.0" encoding="UTF-8"?> <window id=&quo ...

  2. algernon 基于golang 的独立的支持redis lua pg。。。 的web server

    algernon 看到github 的介绍很很强大,一下子想到了openresty,功能看着很强大,支持 redis pg lua markdown quic http2 mysql 限速 pongo ...

  3. JavaScript_解决safari浏览器window.open无法实现的问题

    解决 safari window.open 无法实现的问题 先说下问题是什么吧: safari 中没办法在回调函数里面执行window.open, 原因是safari的安全机制将其阻挡了(具体的原因可 ...

  4. Walkthrough: Arranging Controls on Windows Forms Using Snaplines

    https://msdn.microsoft.com/en-us/library/t5b5kc41(v=vs.110).aspx Spacing and Aligning Controls Using ...

  5. Burp Suite Walkthrough(英文版)

    Burp Suite is one of the best tools available for web application testing. Its wide variety of featu ...

  6. Burp Suite Walkthrough

    Burp Suite is one of the best tools available for web application testing. Its wide variety of featu ...

  7. Making your first driver - complete walkthrough(使用VisualDDK)

    This article describes how to create, build and debug your first driver using Visual Studio and Visu ...

  8. [转帖]PG的简单备份恢复 找时间进行测试

    转帖PG的简单使用 https://blog.csdn.net/lk_db/article/details/77971634 一: 纯文件格式的脚本: 示例:1. 只导出postgres数据库的数据, ...

  9. [Windows Azure] Walkthrough to Configure System Center Management Pack for Windows Azure Fabric Preview for SCOM 2012 SP1 (with a MetricsHub Bonus)

    The wait is finally over. This is a huge update to the Azure Management Pack over the one that was r ...

  10. window postgresql 10.4安装

    window installer下载地址:https://www.enterprisedb.com/downloads/postgres-postgresql-downloads 其他版本官网下载地址 ...

随机推荐

  1. 《刚刚问世》系列初窥篇-Java+Playwright自动化测试-4-启动浏览器-基于Maven(详细教程)

    1.简介 上一篇文章,宏哥已经在搭建的java项目环境中添加jar包实践了如何启动浏览器,今天就在基于maven项目的环境中给小伙伴们或者童鞋们演示一下如何启动浏览器. 2.eclipse中新建mav ...

  2. 使用flask进行Mock Server模拟接口操作及问题解决

    1.flask介绍 flask是一个轻量级的python web 微框架 2.Mock Server介绍 Mock Server是一个开源的模拟服务器,它可以定义和记录API交互,支持各种http方法 ...

  3. VTable-Gantt:功能强大、性能优异的开源甘特图组件

    甘特图的基本概念 在项目管理中,甘特图是一种常用的工具,用于展示项目任务的时间安排和进度. 我们将甘特图拆分成以下几个部分: 左侧任务列表:显示项目的任务列表,通常在图的左侧. 顶部时间轴:显示项目的 ...

  4. 使用 ibatis 处理复杂对象数据关系的实例

    如何使用 ibatis 处理复杂对象数据关系 iBatis 是一个开源的对象关系映射程序,其工作是将对象映射到 SQL 语句.和其它 O/R Mapping 框架不同,iBatis 开发者需要自己编写 ...

  5. ThreeJs-05纹理材质高级操作

    1.纹理操作 1.1 重复.旋转.位移.缩放 重复 但是要在水平方向上重复,还得允许 按照刚才的重复方式 如果设置为镜像重复 位移 旋转 1.2 翻转与alpha生成颜色 正常的图 不翻转默认是翻转的 ...

  6. 在window 使用 docker 安装redis 踩坑记

    1. 安装REDIS 在安装的时候,使用 docker pull redis 就可以了. 但是 实际上 发现镜像居然拉不下来. 修改了一下 docker 镜像. 配置如下: "registr ...

  7. 斐波那契数列(Java实现)

    斐波那契数列 题目描述: 悲波那契数列(Fibonacci sequence)又称黄金分割数列,因数学家莱昂纳多·裴波那契(LeonardodaFibonacci)以兔子繁殖为例子而引入,故又称为&q ...

  8. 高精度计算库math.js使用踩坑记

    前情 最近在做一个后端需求,需求中需要前端做一些金额数字计算,前端对于小数的计算一直都有精度问题,如0.1+0.2计算的结果并不是0.3,而是0.30000000000000004,于是引入高精度计算 ...

  9. fiddler:The system proxy was changed.Click to reenable capturing

    前情 最近在开发一个老旧项目,由于本地环境已难跑起,于是想通过代理线上代码进行功能开发. 坑位 启动fiddler后,fiddler菜单栏会警告,大概意思是代理被更改了,点击重启fillder代理,但 ...

  10. Flutter查漏补缺2

    Flutter的理念架构 Flutter架构分为三层 参考官方文档 Framework层(dart) flutter engine层(C/C++) embeder层(platform-specific ...