West-wild

信息收集

# nmap -sn 192.168.1.0/24 -oN live.nmap                     
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-04 14:45 CST
Nmap scan report for 192.168.1.1
Host is up (0.00063s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.1.2
Host is up (0.00021s latency).
MAC Address: 00:50:56:FE:B1:6F (VMware)
Nmap scan report for 192.168.1.101
Host is up (0.00026s latency).
MAC Address: 00:0C:29:86:15:5B (VMware)
Nmap scan report for 192.168.1.254
Host is up (0.00020s latency).
MAC Address: 00:50:56:E9:BE:3C (VMware)
Nmap scan report for 192.168.1.60
Host is up.

192.168.1.101是新增加的靶机IP！

# nmap -sT --min-rate 10000 -p- 192.168.1.101 -oN port.nmap 
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-04 14:45 CST
Nmap scan report for 192.168.1.101
Host is up (0.00085s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:86:15:5B (VMware)

开放端口四个，分别是22 80 139 445端口 分别对应着ssh http和smb服务！

# nmap -sT -sC -sV -O -p22,80,139,445 192.168.1.101 -oN details.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-04 14:48 CST
Nmap scan report for 192.168.1.101
Host is up (0.00063s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 6f:ee:95:91:9c:62:b2:14:cd:63:0a:3e:f8:10:9e:da (DSA)
|   2048 10:45:94:fe:a7:2f:02:8a:9b:21:1a:31:c5:03:30:48 (RSA)
|   256 97:94:17:86:18:e2:8e:7a:73:8e:41:20:76:ba:51:73 (ECDSA)
|_  256 23:81:c7:76:bb:37:78:ee:3b:73:e2:55:ad:81:32:72 (ED25519)
80/tcp  open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  DDtb        Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 00:0C:29:86:15:5B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: WESTWILD; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: WESTWILD, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2024-02-04T06:48:14
|_  start_date: N/A
|_clock-skew: mean: -1h00m00s, deviation: 1h43m55s, median: 0s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: westwild
|   NetBIOS computer name: WESTWILD\x00
|   Domain name: \x00
|   FQDN: westwild
|_  System time: 2024-02-04T09:48:14+03:00

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.14 seconds

端口的详细信息展示了80端口是Apache 2.4.7起的服务，操作系统是Ubuntu系统，同时smb服务也暴露出来了相关的信息！

# nmap -sT --script=vuln -p22,80,139,445 192.168.1.101 -oN vuln.nmap 
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-04 14:48 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.1.101
Host is up (0.0012s latency).

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:86:15:5B (VMware)

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos: 
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_          
|_smb-vuln-ms10-061: false

Nmap done: 1 IP address (1 host up) scanned in 345.64 seconds

80端口上没什么信息，然后就是smb服务可能存在漏洞，之后做了一下UDP端口的探测：

发现开放的端口是137端口！先看一下smb服务，是否开启了什么共享，没突破的话还是重点放在80端口上！

寻找立足点

smbclient尝试列出服务器所分享的所有资源信息：

发现了存在共享，其中的print是打印机，看一下wave吧：

发现存在文件，直接全部下载：

下载完成退出即可！

发现flag文件中疑似是base64编码的字符串，直接解码！得到了一对用户和密码信息，再看看另一个文件：

这是一个邮件，aveng发送给wave的，说是他的密码不记得了，让我们给他重置！既然上面拿到了一组凭据信息，就尝试去ssh登陆一下：

没错，确实利用这个账号和密码登录上来，建立了初始的立足点！

提权

当前用户无sudo，查看了suid文件，发现了pkexec，暂时先不用，因为另一个文件提示我们说更改avong的密码；但是我不知道如何去更改他的密码，于是上传了linpeas进行提权的信息枚举！

发现了一个名字很奇怪的文件，这个文件名就很像重置密码的脚本！查看这个文件的内容：

看到了aveng的密码！不知道是不是，先尝试一下：

没错，这个就是他的密码！看看sudo吧：

提权成功！