HTB Lame[Hack The Box HTB靶场]writeup系列1

首先祈祷一下SARS病情尽快过去，武汉加油！湖北加油！

为了不给国家添乱，所以我在HTB订阅了VIP，准备搞下Retired Machines的靶机。

 

目录

0x00 靶场介绍

0x01 扫描端口

0x02 ftp服务

0x03 smb服务

---

0x00 靶场介绍

 我们从第一个lame开始。

如何注册账号，购买vip，网上有大把文章，这里我就不再记录了。

这个系列主要是记录我的攻击过程和思考过程。

0x01 扫描端口

root@kali:~# nmap -T5 -A -v 10.10.10.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-31 19:34 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:34
Completed NSE at 19:34, 0.00s elapsed
Initiating NSE at 19:34
Completed NSE at 19:34, 0.00s elapsed
Initiating NSE at 19:34
Completed NSE at 19:34, 0.00s elapsed
Initiating Ping Scan at 19:34
Scanning 10.10.10.3 [4 ports]
Completed Ping Scan at 19:34, 0.59s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:34
Completed Parallel DNS resolution of 1 host. at 19:34, 0.10s elapsed
Initiating SYN Stealth Scan at 19:34
Scanning 10.10.10.3 [1000 ports]
Discovered open port 21/tcp on 10.10.10.3
Discovered open port 445/tcp on 10.10.10.3
Discovered open port 22/tcp on 10.10.10.3
Discovered open port 139/tcp on 10.10.10.3
Completed SYN Stealth Scan at 19:35, 25.75s elapsed (1000 total ports)
Initiating Service scan at 19:35
Scanning 4 services on 10.10.10.3
Completed Service scan at 19:35, 12.09s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.3
Retrying OS detection (try #2) against 10.10.10.3
Initiating Traceroute at 19:35
Completed Traceroute at 19:35, 0.49s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 19:35
Completed Parallel DNS resolution of 2 hosts. at 19:35, 0.23s elapsed
NSE: Script scanning 10.10.10.3.
Initiating NSE at 19:35
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 19:35, 40.07s elapsed
Initiating NSE at 19:35
Completed NSE at 19:36, 1.19s elapsed
Initiating NSE at 19:36
Completed NSE at 19:36, 0.00s elapsed
Nmap scan report for 10.10.10.3
Host is up (0.36s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.20
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC5) (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%), Linux 2.6.18 (ClarkConnect 4.3 Enterprise Edition) (92%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.872 days (since Thu Jan 30 22:40:01 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=196 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   485.19 ms 10.10.14.1
2   485.32 ms 10.10.10.3

NSE: Script Post-scanning.
Initiating NSE at 19:36
Completed NSE at 19:36, 0.00s elapsed
Initiating NSE at 19:36
Completed NSE at 19:36, 0.00s elapsed
Initiating NSE at 19:36
Completed NSE at 19:36, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.19 seconds
           Raw packets sent: 3089 (139.504KB) | Rcvd: 50 (2.888KB)

我们看到开放了21、22、139、445端口。

简单分析一下，这里包括ftp，ssh和smb端口，没有web服务和其他tcp服务端口。那么我们可以肯定就是ftp服务或者smb服务上有漏洞。

0x02 ftp服务

看下ftp服务:vsftpd2.3.4

检查一下这个服务是否有漏洞：

root@kali:/# searchsploit vsftp
------------------------------------------------------------------------------------ ----------------------------------------
 Exploit Title                                                                      |  Path
                                                                                    | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------ ----------------------------------------
vsftpd 2.0.5 - 'CWD' (Aut