Recon As always I start with a simple up/down nmap scan on all tcp ports to see what's live # nmap -T4 -p- -oX /root/Desktop/HTB/Access/nmapb.xml 10.10.10.98 I then converted the output to HTML to make it pretty # xsltproc /root/Desktop/HTB/Access/nmapb.xml -o /root/Desktop/HTB/Access/nmapb.html Ports 21,23 and 80 are open let's do our next stage of our scan using the -A switch to finger the OS/Services # nmap -T4 -A -p21,23,80 -oX /root/Desktop/HTB/Access/nmapf.xml 10.10.10.98 Then convert that output to HTML also Alright so we have microsoft FTP running on port 21 with anonymous access. Port 23 is telnet, and port 80 is IIS 7.5 Let's browse to 80 and see what we see Looks like a webcam of a Data Center Just a pretty simple page. Let's see if drib can find anything else interesting here. Dirb http://10.10.10.98 http://10.10.10.98/aspnet_client/ - Which is 403 for us right now http://10.10.10.98/aspnet_client/system_we
@circusmonkey404 on the twitters; DM for contact