PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 125 GoAhead WebServer
| http-title: HP Power Manager
|_Requested resource was http://192.168.134.45/index.asp
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-server-header: GoAhead-Webs
445/tcp open microsoft-ds syn-ack ttl 125 Windows 7 Ultimate N 7600 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: KEVIN; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h19m59s, deviation: 4h02m29s, median: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 51791/tcp): CLEAN (Couldn't connect)
| Check 2 (port 7266/tcp): CLEAN (Couldn't connect)
| Check 3 (port 16654/udp): CLEAN (Timeout)
| Check 4 (port 45428/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows 7 Ultimate N 7600 (Windows 7 Ultimate N 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::-
| Computer name: kevin
| NetBIOS computer name: KEVIN\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-10-02T05:38:25-07:00
| nbstat: NetBIOS name: KEVIN, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:ab:b9:07 (VMware)
| Names:
| KEVIN<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1e> Flags: <group><active>
| KEVIN<20> Flags: <unique><active>
| WORKGROUP<1d> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| Statistics:
| 00:50:56:ab:b9:07:00:00:00:00:00:00:00:00:00:00:00
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_ 00:00:00:00:00:00:00:00:00:00:00:00:00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-10-02T12:38:25
|_ start_date: 2025-10-02T12:36:07
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:38
Completed NSE at 08:38, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:38
Completed NSE at 08:38, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:38
Completed NSE at 08:38, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.95 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)
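The host-script section above reports SMB1 message signing disabled and SMB2 signing "enabled but not required", which is the finding a defender would want pulled out of a scan automatically. The following Python script is an added example, not part of the original writeup: it parses nmap's normal (`-oN`) output into per-script blocks and flags those two SMB signing states. The sample input is an excerpt copied from the scan output above; the parser and the `smb_signing_findings` check are my own construction and assume nmap's `| name:` / `|_` block layout.

```python
import re
from typing import Dict, List

# Sample input: host-script lines copied from the nmap output above so the
# script runs offline. Any nmap -oN file can be passed on the command line.
SAMPLE_SCAN = """\
|_http-server-header: GoAhead-Webs
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-10-02T12:38:25
|_ start_date: 2025-10-02T12:36:07
"""

# A script block opens with "<script-name>:" optionally followed by a one-line value.
HEADER = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")


def parse_nse_scripts(text: str) -> Dict[str, List[str]]:
    """Group nmap NSE output lines by script name.

    Lines starting with "|" belong to a script block; "|_" closes the block.
    Non-"|" lines (port table, summary) end any open block.
    """
    scripts: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            current = None
            continue
        closes = raw.startswith("|_")
        body = raw.lstrip("|_").strip()
        if current is None:
            m = HEADER.match(body)
            if not m:
                continue  # continuation line with no open block; skip it
            current = m.group(1)
            scripts.setdefault(current, [])
            if m.group(2):
                scripts[current].append(m.group(2))
        else:
            scripts[current].append(body)
        if closes:
            current = None
    return scripts


def smb_signing_findings(scripts: Dict[str, List[str]]) -> List[str]:
    """Return the SMB signing weaknesses reported by smb-security-mode and smb2-security-mode."""
    findings: List[str] = []
    for line in scripts.get("smb-security-mode", []):
        if line.startswith("message_signing:") and "disabled" in line:
            findings.append("SMB1 message signing disabled")
    for line in scripts.get("smb2-security-mode", []):
        if line.lower().startswith("message signing enabled but not required"):
            findings.append("SMB2 message signing not required")
    return findings


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN
    for finding in smb_signing_findings(parse_nse_scripts(text)):
        print("FINDING:", finding)
```

Run it with a saved scan (`python check_smb_signing.py scan.nmap`) or with no argument to use the embedded excerpt; each SMB signing weakness is printed as a `FINDING:` line. The same block structure lets you add checks for other scripts (for example the `http-server-header` value) without changing the parser.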
Opening the web page, I found an HP Power Manager page.
I then searched Exploit-DB for a vulnerability in it and found one: Hewlett-Packard (HP) Power Manager Administration - Universal Buffer Overflow.
I tried using it through msfconsole, but could not get it to work at all.
Later I learned that the shellcode had to be changed; after changing it, the exploit worked.