Fire - HackMD

# Fire └─$ nmap -sV -sT -sC 10.129.172.231 127 ⨯ Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-24 18:28 PDT Nmap scan report for 10.129.172.231 Host is up (0.090s latency). Not shown: 995 closed ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: IIS Windows Server 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 8080/tcp open http Apache httpd 2.4.48 ((Win64) PHP/8.0.7) | http-methods: |_ Potentially risky methods: TRACE |_http-open-proxy: Proxy might be redirecting requests |_http-server-header: Apache/2.4.48 (Win64) PHP/8.0.7 |_http-title: Fire Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: -1s | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2021-07-25T01:28:26 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 23.63 seconds └─$ smbclient -L //10.129.172.231 -N 1 ⨯ session setup failed: NT_STATUS_ACCESS_DENIED ─$ dirb http://10.129.172.231 /usr/share/wfuzz/wordlist/vulns/iis.txt ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Sat Jul 24 23:04:47 2021 URL_BASE: http://10.129.172.231/ WORDLIST_FILES: /usr/share/wfuzz/wordlist/vulns/iis.txt ----------------- GENERATED WORDS: 58 ---- Scanning URL: http://10.129.172.231/ ---- ==> DIRECTORY: http://10.129.172.231/aspnet_client/ ---- Entering directory: http://10.129.172.231/aspnet_client/ ---- ==> DIRECTORY: http://10.129.172.231/aspnet_client/system_web/ ---- Entering directory: http://10.129.172.231/aspnet_client/system_web/ ---- ----------------- END_TIME: Sat Jul 24 23:05:04 2021 DOWNLOADED: 174 - FOUND: 0 ---- Scanning URL: http://10.129.172.231/aspnet_client/ ---- + http://10.129.172.231/aspnet_client/%3f/ (CODE:400|SIZE:3420) + http://10.129.172.231/aspnet_client/Trace.axd (CODE:403|SIZE:2452) http://10.129.172.231:8080/info.php https://www.exploit-db.com/exploits/29914