Day 18. Kevin

2025 iThome 鐵人賽

DAY 18

Security

滲透測試 30 天：從基礎到實戰系列第 18 篇

17th鐵人賽

鯊鯊

團隊我都沒什麼意見 :D

2025-10-02 21:31:31

68 瀏覽

分享至

偵查

PORT    STATE SERVICE      REASON          VERSION
80/tcp  open  http         syn-ack ttl 125 GoAhead WebServer
| http-title: HP Power Manager
|_Requested resource was http://192.168.134.45/index.asp
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
|_http-server-header: GoAhead-Webs
445/tcp open  microsoft-ds syn-ack ttl 125 Windows 7 Ultimate N 7600 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: KEVIN; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h19m59s, deviation: 4h02m29s, median: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 51791/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 7266/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 16654/udp): CLEAN (Timeout)
|   Check 4 (port 45428/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 7 Ultimate N 7600 (Windows 7 Ultimate N 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::-
|   Computer name: kevin
|   NetBIOS computer name: KEVIN\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-10-02T05:38:25-07:00
| nbstat: NetBIOS name: KEVIN, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:ab:b9:07 (VMware)
| Names:
|   KEVIN<00>            Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   KEVIN<20>            Flags: <unique><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| Statistics:
|   00:50:56:ab:b9:07:00:00:00:00:00:00:00:00:00:00:00
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-10-02T12:38:25
|_  start_date: 2025-10-02T12:36:07

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:38
Completed NSE at 08:38, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:38
Completed NSE at 08:38, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:38
Completed NSE at 08:38, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.95 seconds
           Raw packets sent: 6 (240B) | Rcvd: 3 (116B)

漏洞利用

打開網頁發現有一個 HP Power Managment 的網頁
之後去 exploit DB 中找找看有沒有這個漏洞，發現有一個 Hewlett-Packard (HP) Power Manager Administration Power Manager Administration - Universal Buffer Overflow
這個拿去用用看，使用 msfconsole 之後發現怎麼都沒辦法用
之後知道要把 shellcode 改掉，改完後就可以了