HOLLYWOOD
Nmap Scan Result
```text
PORT      STATE SERVICE          VERSION
21/tcp    open  ftp              FileZilla ftpd 0.9.41 beta
| ftp-syst:
|_  SYST: UNIX emulated by FileZilla
25/tcp    open  smtp             Mercury/32 smtpd (Mail server account Maiser)
|_smtp-commands: localhost Hello nmap.scanme.org; ESMTPs are:, TIME
79/tcp    open  finger           Mercury/32 fingerd
| finger: Login: Admin Name: Mail System Administrator\x0D
| \x0D
|_[No profile information]\x0D
80/tcp    open  http             Apache httpd 2.4.34 ((Win32) OpenSSL/1.0.2o PHP/5.6.38)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 56F7C04657931F2D0B79371B2D6E9820
| http-title: Welcome to XAMPP
|_Requested resource was http://10.150.150.219/dashboard/
|_http-server-header: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
105/tcp   open  ph-addressbook   Mercury/32 PH addressbook server
106/tcp   open  pop3pw           Mercury/32 poppass service
110/tcp   open  pop3             Mercury/32 pop3d
|_pop3-capabilities: UIDL APOP EXPIRE(NEVER) USER TOP
135/tcp   open  msrpc            Microsoft Windows RPC
139/tcp   open  netbios-ssn      Microsoft Windows netbios-ssn
143/tcp   open  imap             Mercury/32 imapd 4.62
|_imap-capabilities: complete CAPABILITY X-MERCURY-1A0001 AUTH=PLAIN OK IMAP4rev1
443/tcp   open  ssl/http         Apache httpd 2.4.34 ((Win32) OpenSSL/1.0.2o PHP/5.6.38)
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-title: Welcome to XAMPP
|_Requested resource was https://10.150.150.219/dashboard/
445/tcp   open  microsoft-ds     Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
554/tcp   open  rtsp?
1883/tcp  open  mqtt
| mqtt-subscribe:
|   Topics and their most recent payloads:
|     ActiveMQ/Advisory/MasterBroker:
|_    ActiveMQ/Advisory/Consumer/Topic/#:
2224/tcp  open  http             Mercury/32 httpd
| http-methods:
|_  Supported Methods: GET HEAD
|_http-title: Mercury HTTP Services
2869/tcp  open  http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3306/tcp  open  mysql            MariaDB (unauthorized)
5672/tcp  open  amqp?
|_amqp-info: ERROR: AMQP:handshake connection closed unexpectedly while reading frame header
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GetRequest, HTTPOptions, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
|_    AMQP
8009/tcp  open  ajp13            Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp  open  http             Apache Tomcat/Coyote JSP engine 1.1
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.56
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Apache Tomcat
8089/tcp  open  ssl/http         Splunkd httpd
|_http-server-header: Splunkd
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-10-28T09:17:32
| Not valid after:  2022-10-27T09:17:32
| MD5:   34d4:9be3:d6fd:5896:d091:86e6:436b:217b
|_SHA-1: 3e84:22d1:37ac:3526:a8a2:9f08:bb4f:8a92:a4f2:13dd
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
8161/tcp  open  http             Jetty 8.1.16.v20140903
|_http-server-header: Jetty(8.1.16.v20140903)
| http-methods:
|_  Supported Methods: GET HEAD
|_http-title: Apache ActiveMQ
|_http-favicon: Unknown favicon MD5: 05664FB0C7AFCD6436179437E31F3AA6
10243/tcp open  http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49251/tcp open  tcpwrapped
61613/tcp open  stomp            Apache ActiveMQ 5.10.1 - 5.11.1
61614/tcp open  http             Jetty 8.1.16.v20140903
| http-methods:
|   Supported Methods: GET HEAD TRACE OPTIONS
|_  Potentially risky methods: TRACE
|_http-server-header: Jetty(8.1.16.v20140903)
|_http-title: Error 500 Server Error
61616/tcp open  apachemq         ActiveMQ OpenWire transport
| fingerprint-strings:
|   NULL:
|     ActiveMQ
|     TcpNoDelayEnabled
|
|_    MaxInactivityDurationInitalDelay
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
```
Taking a look at the web service running on port 80, I noticed it's ActiveMQ, which has a known vulnerability, but the exploit is authenticated, which means we need valid credentials. Luckily, admin:admin worked.

Now that we've successfully logged in, to try our exploit at https://www.exploit-db.com/exploits/48181 we'll use Metasploit.

We got user, then used msfvenom to create a Meterpreter reverse shell payload.
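The admin:admin login that worked above is the kind of finding a defender can catch in configuration long before a scan does. The following is an added example, not code from this write-up or from the ActiveMQ project: it parses the two credential files an ActiveMQ 5.x install ships with (conf/jetty-realm.properties for the web console seen on 8161, conf/users.properties for broker logins; the file paths and the default-account table are assumptions based on the stock distribution) and reports any account still using its shipped password.

```python
"""Flag ActiveMQ accounts still using the stock default passwords.
Added example, not from the original write-up or the ActiveMQ project."""

# Stock accounts shipped in ActiveMQ 5.x distributions (assumed baseline).
DEFAULT_CREDENTIALS = {"admin": "admin", "user": "user"}

# Constructed samples mirroring the shipped files (not from a real host).
JETTY_REALM_SAMPLE = """\
# Defines users that can access the web (console, demo, etc.)
# username: password [,rolename ...]
admin: admin, admin
user: user, user
"""
USERS_PROPERTIES_SAMPLE = "admin=admin\n"


def parse_properties(text, sep):
    """Parse 'user<sep>password[, role ...]' lines into {user: password}.
    conf/jetty-realm.properties uses ':' and carries roles after a comma;
    conf/users.properties uses '=' with no roles."""
    creds = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or sep not in line:
            continue
        user, _, rest = line.partition(sep)
        creds[user.strip()] = rest.split(",")[0].strip()
    return creds


def audit(jetty_text, users_text):
    """Return (file, user) pairs whose password equals the shipped default.
    Jetty OBF:/MD5: entries never equal the plain default, so only
    clear-text defaults are flagged; a rotated password stays silent."""
    sources = (("jetty-realm.properties", parse_properties(jetty_text, ":")),
               ("users.properties", parse_properties(users_text, "=")))
    return [(fname, user) for fname, creds in sources
            for user, password in creds.items()
            if DEFAULT_CREDENTIALS.get(user) == password]


if __name__ == "__main__":
    for fname, user in audit(JETTY_REALM_SAMPLE, USERS_PROPERTIES_SAMPLE):
        print(f"{fname}: account '{user}' still uses the default password")
```

Point `audit` at the real file contents from an install to get an inventory of accounts to rotate; an empty result on the stock samples would indicate the defaults have already been changed.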