偵查

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 125 Microsoft DNS 6.0.6001 (17714650) (Windows Server 2008 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.0.6001 (17714650)
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  syn-ack ttl 125 Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server syn-ack ttl 125 Microsoft Terminal Service
| ssl-cert: Subject: commonName=internal
| Issuer: commonName=internal
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2025-01-05T19:52:51
| Not valid after:  2025-07-07T19:52:51
| MD5:   7c2b:85a9:1fe2:c264:4be8:ed3e:e16b:274a
| SHA-1: 05e9:c5e9:7ac6:242e:0a18:ca56:e1b5:1c38:31db:d393
| -----BEGIN CERTIFICATE-----
| MIIC1DCCAbygAwIBAgIQFHV8TrpYYLdKV58423mJ8zANBgkqhkiG9w0BAQUFADAT
| MREwDwYDVQQDEwhpbnRlcm5hbDAeFw0yNTAxMDUxOTUyNTFaFw0yNTA3MDcxOTUy
| NTFaMBMxETAPBgNVBAMTCGludGVybmFsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
| MIIBCgKCAQEAsuNdIa0z31V1iHCg2TtuOK+FoyVu3aXcVxL/Q8jUvhOtpe0fWn9j
| qpT+smMeA0XpJfeS917Tpy5t5gqyqUCAXPOwoeGnZu1IrvxwcMlpMImPGXeMZ+0q
| Cb/3LdlwA7WEUaZtAxpMHBx7UNbcEnj38BsrWY6zr/K7TDlFgsrsITDDuyddIjNz
| 2VU8gFBPPwzHZGMGsMgo2v3mCZnA6Xkp8tmwGq137fxrwbvzC3vNdt1/m5icsyYD
| hMglYmztE9vp0rwKB0CB5K+mwc9U7isWsRbORWutqkBbp4XI08RbSklP3A6XPUNu
| eUb1rIMV4ZbTbRTOKOGa12X7isXq6cVzOwIDAQABoyQwIjATBgNVHSUEDDAKBggr
| BgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQEFBQADggEBAE0duqOsApBP
| OvE8znZxfUgAF5f+WR+GsAPYwhV0c6GWv7PnghnTAFfoBy+8Gy1PeyrAwfL2PQqT
| AHIBgpfbkEWwA/idfGpTJNDF2n8uZ3W8hOBU7elqRAHtvj749IqnMz15n5WwsGvW
| A6hsOIoEKyluekiV9kOosMjKG9jtB+iwOe88L5EqHrEfPeml2mpvhH6VhvJZnXlJ
| 1l0/GDRRXslgyBir672iqHy25PNqJQYlEMSooxZCwKUpo345E4J6BIxeayvNeLca
| W+SKB84s3A/9pXnPEXLD7IT6I4ln9ZQeYXHK0n3U2LcSCt8JtEr1vfi4LMSboxxi
| lRXQzPUUSW8=
|_-----END CERTIFICATE-----
|_ssl-date: 2025-09-30T10:04:47+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: INTERNAL
|   NetBIOS_Domain_Name: INTERNAL
|   NetBIOS_Computer_Name: INTERNAL
|   DNS_Domain_Name: internal
|   DNS_Computer_Name: internal
|   Product_Version: 6.0.6001
|_  System_Time: 2025-09-30T10:04:39+00:00
5357/tcp  open  http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
49152/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49153/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49154/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49156/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49157/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49158/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
Service Info: Host: INTERNAL; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008::sp1, cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 26934/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 49283/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 16981/udp): CLEAN (Timeout)
|   Check 4 (port 47684/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: internal
|   NetBIOS computer name: INTERNAL\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-09-30T03:04:39-07:00
| smb2-security-mode: 
|   2:0:2: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-09-30T10:04:39
|_  start_date: 2025-02-20T21:30:47
| nbstat: NetBIOS name: INTERNAL, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:ab:93:68 (VMware)
| Names:
|   INTERNAL<00>         Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   INTERNAL<20>         Flags: <unique><active>
| Statistics:
|   00:50:56:ab:93:68:00:00:00:00:00:00:00:00:00:00:00
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_clock-skew: mean: 1h23m59s, deviation: 3h07m49s, median: 0s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 06:04
Completed NSE at 06:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 06:04
Completed NSE at 06:04, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 06:04
Completed NSE at 06:04, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.38 seconds
           Raw packets sent: 17 (724B) | Rcvd: 14 (600B)

列舉

• DNS
  • 可以加進去 hosts 中
• HTTP
  • WSDAPI
• Samba
  • 有使用 smbmap 但沒有爆出東西
• RDP
  • 憑證已經過期，好像沒有什麼用

利用

首先找找看 WSDAPI 的漏洞，發現有 MS09-050 的漏洞
應該可以嘗試，但 exploit db 的 code 是 python2 的
所以只能用 msfconsole 來用 (我不會改 code w)
就這樣成功取得 system ㄌ