Nmap scan report for 10.10.10.5 Host is up (0.13s latency). Not shown: 65533 filtered ports PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 03-18-17 02:06AM <DIR> aspnet_client | 05-11-20 12:47AM 0 dontputmeinFTP.txt | 05-11-20 01:03AM 2858 ex.asp | 05-11-20 12:55AM 2822 ex.aspx | 03-17-17 05:37PM 689 iisstart.htm |03-17-17 05:37PM 184946 welcome.png | ftp-syst: | SYST: Windows_NT 80/tcp open http Microsoft IIS httpd 7.5 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/7.5 |_http-title: IIS7 Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: specialized|general purpose|phone Running (JUST GUESSING): Microsoft Windows 7|8|Phone|2008|8.1|Vista (90%) OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 Aggressive OS guesses: Microsoft Windows Embedded Standard 7 (90%), Microsoft Windows 8.1 Update 1 (90%), Microsoft Windows Phone 7.5 or 8.0 (90%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows Server 2008 R2 SP1 (90%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (90%), Microsoft Windows 7 (90%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 21/tcp) HOP RTT ADDRESS 1 127.42 ms 10.10.14.1 2 126.44 ms 10.10.10.5
In this we can see that there is information disclosure with the tcp port with the httpd version 7.5 being the information disclosed via the header (In general this is not a good practice because we shouldnt disclose )
And by the looks of the http title we can see that its a basic website
Ftp is open with anonymous login so thats bad.Why is it allowed .Something to write in a assesment.
So we can put an payload using msfvenom in the ftp because anonymous access is allowed and then execute the payload in the web server that was left open for us and then we listen on a port where we wanna get the shell and boom thats it