Prerequisites
Anonymous FTP login, arbitrary file upload, generating a webshell with msfvenom, meterpreter post-exploitation
Information gathering
Use nmap to probe the open ports and services:
nmap 10.10.10.5
The result:
Nmap scan report for 10.10.10.5
Host is up (0.34s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 29.83 seconds
Port 80 (HTTP) is open, so there should be a web service; as usual, scan it for directories.
Scan the directories:
dirb http://10.10.10.5/
While the directory scan is running, check for known vulnerabilities with nmap:
nmap -script=vuln 10.10.10.5
It turned up nothing in the end, though.
With both scans running, so as not to waste time, try whether FTP allows anonymous login:
ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
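As an added example (not part of the original write-up), here is a Python script that parses the Microsoft FTP Service listing format shown above and flags entries that match the default contents of IIS's wwwroot (aspnet_client, iisstart.htm, welcome.png), which is the tell that the anonymous FTP root is the web root. The fetch helper and the SAMPLE_LISTING copied from the session above are assumptions so that it runs offline.

```python
"""Audit a Microsoft FTP listing for signs that the anonymous FTP root is the IIS web root."""
import re
from ftplib import FTP, error_perm

# Names IIS places in inetpub\wwwroot by default; seeing them over anonymous FTP
# means the FTP root and the web root are the same directory.
IIS_WWWROOT_MARKERS = {"aspnet_client", "iisstart.htm", "welcome.png"}

# Microsoft FTP Service "MS-DOS" style line: MM-DD-YY  HH:MMAM|PM  <DIR>|size  name
LISTING_RE = re.compile(r"^(\d\d-\d\d-\d\d)\s+(\d\d:\d\d[AP]M)\s+(<DIR>|\d+)\s+(.+)$")


def parse_msdos_listing(lines):
    """Turn raw listing lines into dicts; status lines like '226 Transfer complete.' are skipped."""
    entries = []
    for line in lines:
        m = LISTING_RE.match(line.strip())
        if not m:
            continue
        date, time, kind, name = m.groups()
        entries.append({"date": date, "time": time, "name": name,
                        "is_dir": kind == "<DIR>",
                        "size": 0 if kind == "<DIR>" else int(kind)})
    return entries


def audit_listing(lines):
    """Report which IIS web-root markers appear; two or more is treated as a web root."""
    entries = parse_msdos_listing(lines)
    names = {e["name"].lower() for e in entries}
    hits = sorted(names & IIS_WWWROOT_MARKERS)
    return {"entries": len(entries), "webroot_markers": hits, "likely_webroot": len(hits) >= 2}


def fetch_anonymous_listing(host, timeout=10):
    """Attempt an anonymous login and return the root listing, or None if it is refused."""
    lines = []
    try:
        with FTP(host, timeout=timeout) as ftp:
            ftp.login()  # ftplib defaults to user 'anonymous' with an e-mail-style password
            ftp.retrlines("LIST", lines.append)
    except (error_perm, OSError):
        return None
    return lines


# Constructed sample: the root listing from the FTP session above.
SAMPLE_LISTING = [
    "03-18-17 01:06AM <DIR> aspnet_client",
    "03-17-17 04:37PM 689 iisstart.htm",
    "03-17-17 04:37PM 184946 welcome.png",
    "226 Transfer complete.",
]
```

Against a live host, `audit_listing(fetch_anonymous_listing("10.10.10.5"))` gives the same verdict as reading the `dir` output by hand.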
One of the directories here looks interesting:
ftp> cd aspnet_client
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> system_web
226 Transfer complete.
ftp> cd system_web
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> 2_0_50727
226 Transfer complete.
ftp> cd 2_0_50727
250 CWD command successful.
ftp> dir
200