$ nmap -p- --min-rate 4000 192.168.219.65
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-05 10:33 +08
Nmap scan report for 192.168.219.65
Host is up (0.17s latency).
Not shown: 65520 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5040/tcp open unknown
7680/tcp open pando-pub
9998/tcp open distinct32
17001/tcp open unknown
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
Lots of ports open.
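Before chasing individual ports, it helps to turn output like the scan above into an inventory that separates what a stock Windows host exposes by itself from what someone installed on top. The parser below is an added example written for this writeup, not code from the original post or from nmap; it embeds the scan output shown above as constructed input, and the set of "baseline" Windows ports is an assumption I make here (135/139/445 plus the 5040 and 7680 listeners a stock Windows 10/11 host opens on its own). Note that the SERVICE column is nmap's /etc/services name guess, not a fingerprint: 9998 is labelled distinct32 although it turns out to be SmarterMail, which is why the review bucket, not the service name, is what an asset owner should act on.

```python
import re
from dataclasses import dataclass

# Constructed input: the scan output from this writeup, embedded so the parser runs offline.
NMAP_OUTPUT = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-05 10:33 +08
Nmap scan report for 192.168.219.65
Host is up (0.17s latency).
Not shown: 65520 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5040/tcp open unknown
7680/tcp open pando-pub
9998/tcp open distinct32
17001/tcp open unknown
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
"""

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Assumption: ports a stock Windows 10/11 host exposes on its own
# (RPC mapper, NetBIOS, SMB, and the 5040/7680 listeners the OS opens itself).
WINDOWS_BASELINE = {135, 139, 445, 5040, 7680}
# Dynamic RPC endpoint range allocated by Windows services.
RPC_DYNAMIC = range(49152, 65536)


@dataclass(frozen=True)
class Port:
    number: int
    proto: str
    state: str
    service: str  # nmap's name guess from /etc/services, NOT a fingerprint (no -sV was run)


def parse_nmap(text):
    """Return (host, [Port, ...]) parsed from nmap's normal text output."""
    host, ports = None, []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return host, ports


def classify(ports):
    """Split open ports into baseline-Windows, dynamic-RPC and 'review' buckets.

    The review bucket is what an asset owner must account for: every entry is an
    additional service someone installed (here FTP, IIS and two SmarterMail listeners).
    """
    buckets = {"baseline": [], "rpc_dynamic": [], "review": []}
    for p in ports:
        if p.state != "open":
            continue
        if p.number in WINDOWS_BASELINE:
            buckets["baseline"].append(p.number)
        elif p.number in RPC_DYNAMIC:
            buckets["rpc_dynamic"].append(p.number)
        else:
            buckets["review"].append(p.number)
    return buckets


if __name__ == "__main__":
    host, ports = parse_nmap(NMAP_OUTPUT)
    print(host, classify(ports))
```

Running it against the embedded scan puts 21, 80, 9998 and 17001 in the review bucket, which is exactly the set the rest of this writeup walks through; the six 4966x ports fall into the dynamic RPC range and need no separate investigation.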
Rabbit Holes
Port 80 just shows an IIS server default page, with no further directories. FTP does allow for anonymous access, but there aren't any files within it.
SmarterMail RCE
Port 9998 shows a login page for SmarterMail:
If we view the page source, we can find the build that is running:
The product build shown above is 6919, which is older than Build 6985, the build the public RCE exploit targets, so that exploit applies. Just change the IP addresses and leave the ports.
Running that gives us a reverse shell as the SYSTEM user:
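The build number being readable from the unauthenticated login page is what makes the version check above possible, and the same fact lets a defender sweep their own mail servers for builds that are still in scope. The script below is an added example for this writeup, not the author's code and not SmarterMail's; the page does not reproduce SmarterMail's actual markup, so the sample page sources are constructed and the only assumption is that the build appears after the word "Build". The reference build is a parameter: the writeup names 6985 as the build the exploit targets, and the first fixed build is not stated on the page, so fill it from the vendor's release notes.

```python
import re

# Constructed samples: these are not SmarterMail's real page source, only the
# pattern this writeup relies on (a "Build NNNN" string visible before login).
SAMPLE_SOURCES = {
    "192.168.219.65": "<!-- constructed --><title>SmarterMail</title> Enterprise Build 6919",
    "mail-02.example.test": "<!-- constructed --><title>SmarterMail</title> Enterprise Build 7000",
    "mail-03.example.test": "<!-- constructed --><title>SmarterMail</title> (build string removed)",
}

BUILD_RE = re.compile(r"\bBuild\s*(\d{4,})\b", re.IGNORECASE)


def extract_build(page_source):
    """Return the build number found in the page source, or None if absent."""
    m = BUILD_RE.search(page_source)
    return int(m.group(1)) if m else None


def build_in_scope(build, reference_build):
    """True when the observed build is at or below the reference build.

    The writeup treats 6985 as the targeted build and 6919 as older, hence in scope;
    reference_build is a parameter because the first fixed build is not on the page.
    """
    return build is not None and build <= reference_build


def audit(sources, reference_build):
    """Given {host: page_source}, return (flagged, unknown).

    flagged: hosts whose build is at or below reference_build, with the build.
    unknown: hosts where no build could be read; they need manual review, not a pass.
    """
    flagged, unknown = [], []
    for host, src in sources.items():
        build = extract_build(src)
        if build is None:
            unknown.append(host)
        elif build_in_scope(build, reference_build):
            flagged.append((host, build))
    return flagged, unknown


if __name__ == "__main__":
    print(audit(SAMPLE_SOURCES, reference_build=6985))
```

A host where the build string cannot be read is reported separately rather than treated as patched, and the build string itself being visible to anonymous clients is worth raising with the mail team independently of the patch level.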