`nmap -T4 -p- -A 10.10.10.152` shows port 21 (FTP) with anonymous login enabled, which possibly lists the C: drive; port 80 (HTTP) running Indy httpd 184.108.40.20646; and ports 135/139/445 (RPC), which reveal that the machine is running Microsoft Windows Server 2008 R2. Two more web servers run on 5985 and 47001; both return 404s. The web page is probably at `http://10.10.10.152` and shows a login. Googling "PRTG Network Monitor default credentials" gives `prtgadmin:prtgadmin`, which doesn't work. Googling "PRTG Network Monitor exploit" finds "PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution", which needs authentication.
In the anonymous FTP session, `cd "Users\All Users\Application Data\"` is access denied. Trying `cd "Users\All Users\Application Data\Paessler\PRTG Network Monitor"` works. Get `PRTG Configuration.dat` and search it for `prtgadmin` (the default username); this finds an encrypted password. Test the `.old` file, which is encrypted too. Test the `.old.bak` file, which has the unencrypted password.
`./exploit.sh -u http://10.10.10.152 -c "OCTOPUS1813713946=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"` (the `-c` value is the authenticated session cookie, masked here) creates an admin user with credentials `pentest:P3nT3st!` on the computer, not in the web interface.
`psexec.py` is less likely to trigger antivirus than the Metasploit version, and `smbexec.py` is among the least likely to trigger antivirus.
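Whichever of these tools gets past antivirus, both still create a Windows service on the target, so the defender's telemetry is the System log's 7045 "service installed" record rather than an AV alert. Below is an added example, not from the original writeup, that runs two heuristics over constructed 7045 records: the psexec.py-style install (random-named binary dropped directly under the system root) and the smbexec.py-style install (a cmd one-liner redirecting its output to a loopback admin share). The dict field names, sample values and the regexes are assumptions made for this example.

```python
import re

# Constructed sample Windows System-log records (Event ID 7045 = "A service was
# installed in the system"), flattened to dicts. Made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    # psexec.py-style: short random service name, random-named binary under %SystemRoot%
    {"EventID": 7045, "ServiceName": "kXjQ",
     "ImagePath": r"%SystemRoot%\rPqLmvzK.exe"},
    # smbexec.py-style: no binary at all, a cmd one-liner whose output goes to a loopback share
    {"EventID": 7045, "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 "
                  r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"EventID": 7036, "ServiceName": "BITS", "ImagePath": ""},  # state change, not an install
]

# Heuristics (assumed, not from the writeup): an ImagePath that is a shell one-liner
# redirecting to \\127.0.0.1\<drive>$\ is the smbexec pattern; a service binary sitting
# directly under the system root with a random-looking name is the psexec pattern
# (legitimate service binaries live in System32 or Program Files).
SHELL_RE = re.compile(r"(%COMSPEC%|cmd\.exe)", re.I)
LOOPBACK_REDIRECT_RE = re.compile(r">\s*\\\\(127\.0\.0\.1|localhost)\\[A-Za-z]\$\\", re.I)
ROOT_DROPPED_EXE_RE = re.compile(r"^(%SystemRoot%|C:\\Windows)\\[A-Za-z0-9]{4,12}\.exe$", re.I)


def classify_service_install(event):
    """Return a reason string if a 7045 record looks like a remote-exec service, else None."""
    if event.get("EventID") != 7045:
        return None
    path = event.get("ImagePath", "")
    if SHELL_RE.search(path) and LOOPBACK_REDIRECT_RE.search(path):
        return "smbexec-style: shell one-liner redirecting output to a loopback admin share"
    if ROOT_DROPPED_EXE_RE.match(path):
        return "psexec-style: random-named service binary dropped under the system root"
    return None


def scan(events):
    """Return [(ServiceName, reason)] for every suspicious service-install record."""
    hits = []
    for ev in events:
        reason = classify_service_install(ev)
        if reason:
            hits.append((ev["ServiceName"], reason))
    return hits


if __name__ == "__main__":
    for name, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT service={name!r}: {reason}")
```

In production the same logic would read real 7045 records from the System log (e.g. via Sysmon or a SIEM export) rather than the inline list.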