遇到扫描不到的情况,可以尝试改靶机的网络为NAT模式,在靶机启动时按”esc“,进入Advanced options for Ubantu,选择recovery mode,选择network,按方向键”→“,OK,然后resume,等靶机启动后,kali就能扫描到了。(至少我的是这样。)
#nmap -sn 192.168.1.0/24 -oN live.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-06 21:59 CST
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.00027s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 0bcc61d9e6ea39148e78c7c68571e53 (192.168.1.2)
Host is up (0.00016s latency).
MAC Address: 00:50:56:FE:B1:6F (VMware)
Nmap scan report for 192.168.1.83 (192.168.1.83)
Host is up (0.000094s latency).
MAC Address: 00:0C:29:47:DE:EF (VMware)
Nmap scan report for 192.168.1.254 (192.168.1.254)
Host is up (0.00019s latency).
MAC Address: 00:50:56:E3:34:04 (VMware)
Nmap scan report for 192.168.1.60 (192.168.1.60)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.97 seconds
探测到主机的地址为192.168.1.83
# nmap -sT --min-rate 10000 -p- 192.168.1.83 -oN port.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-07 13:36 CST
Nmap scan report for 192.168.1.83 (192.168.1.83)
Host is up (0.00099s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
143/tcp open imap
MAC Address: 00:0C:29:47:DE:EF (VMware)
端口信息探测结果显示开放了四个端口,分别是22 80 110 143端口
# nmap -sT -sC -sV -O -p22,80,110,143 192.168.1.83 -oN details.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-07 13:36 CST
Nmap scan report for 192.168.1.83 (192.168.1.83)
Host is up (0.00060s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 90:35:66:f4:c6:d2:95:12:1b:e8:cd:de:aa:4e:03:23 (RSA)
| 256 53:9d:23:67:34:cf:0a:d5:5a:9a:11:74:bd:fd:de:71 (ECDSA)
|_ 256 a2:8f:db:ae:9e:3d:c9:e6:a9:ca:03:b1:d7:1b:66:83 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Fowsniff Corp - Delivering Solutions
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) CAPA RESP-CODES UIDL TOP USER AUTH-RESP-CODE PIPELINING
143/tcp open imap Dovecot imapd
|_imap-capabilities: listed AUTH=PLAINA0001 more have post-login IDLE OK ID Pre-login SASL-IR IMAP4rev1 capabilities ENABLE LOGIN-REFERRALS LITERAL+
MAC Address: 00:0C:29:47:DE:EF (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (98%), Linux 3.10 - 4.11 (95%), Linux 3.18 (95%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (95%), Sony Android TV (Android 5.0) (95%), Android 5.1 (95%), Android 7.1.2 (Linux 3.4) (95%), Linux 3.2 - 3.16 (95%), Android 4.0 (94%), Linux 3.12 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
22端口还是ssh,80端口是Apache 2.4.18起的http服务!110是pop3 143是imap这两个是邮箱相关的服务!
这是第一次遇到邮件相关的协议;
# nmap -sT --script=vuln -p22,80,110,143 192.168.1.83 -oN vuln.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-07 13:37 CST
Nmap scan report for 192.168.1.83 (192.168.1.83)
Host is up (0.00042s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.1.1
| http-enum:
| /robots.txt: Robots file
| /README.txt: Interesting, a readme.
|_ /images/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
110/tcp open pop3
143/tcp open imap
MAC Address: 00:0C:29:47:DE:EF (VMware)
漏洞脚本信息探测的结果是,出现了内网IP地址的信息泄露,同时存在几个目录出现!其他的信息就没了;这里我们先尝试看看80端口上的信息,实在没有什么突破的话,再去看看邮件相关的协议吧
首页就是如上所示!
下面出现了一些背景性的语句;在说Fowsniff内部系统遭受了数据泄露,导致员工用户名和密码泄露:
进行例行的目录扫描,发现了更多的信息:
查看到security.txt文件:
这里貌似在说fowsniff集团已经被B1gN1nj4给穿了?首页可以看到推特的官方账号,尝试利用Google去搜索,发现了相关的信息。无奈现在已经是404了~
于是便直接将大佬当时得到的信息拿了过来:
mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e
这里尝试将其进行处理,之后拿去破解,看起来是md5加密的密码!
cat info | awk -F':' '{ print $2}' > passwd
最终解密得到了如上的这些密码!之后尝试直接利用hydra,同时我们已经有了username和passwd,直接爆破了ssh,没成功,一个用户都登陆不上~
然后知道存在pop3,于是便再次利用hydra对pop3进行爆破!
成功了一个,尝试去登录!利用telnet 进行登录:
获取邮件信息:
stat:请求服务器发回关于邮箱的统计资料,显示邮件数量和全部邮件大小(单位是字节)
list:返回邮件数量和每个邮件的大小
top:命令格式 top n 服务器将返回有参数标识的邮件的前n行内容,n必须是正整数
retr:返回由参数标识的邮件的全部文本 命令格式为retr n
因此我们利用list等命令查看服务器的邮件数量等信息:
于是我们可以看到存在两封邮件,利用retr n命令开查看邮件的详细信息!
具体的信息我也没看,上来就看到了临时的ssh登录账号和密码信息!(瞎了,只是得到了密码但是我们没有账号? 之前拿到的账号,喷洒试试?)
这是第二封邮件!回到ssh上面,因为拿到了临时的ssh密码,说不定有人还没有改密码? 尝试hydra进行喷洒试试?
hydra -L username -p "S1ck3nBluff+secureshell" ssh://192.168.1.83/
确实有一个用户,尝试ssh登录啦
接下来便是提权啦!
当前的目录下面存在一个term文件,但是我不太理解文件中的内容是什么意思;查看了当前用户的sudo权限:
没有sudo的权限~ 当前用户的目录下面还有一个目录,看名字应该是邮箱的目录!
存在如上的这些用户!查看到当前的目录下面存在隐藏文件:
发现.viminfo文件,查看时发现里面存在需要敏感的文件:
最终收集起来所有的文件名:
利用find命令挨个查找吧:最终找到了cube.sh这个文件,当然了.viminfo里面直接给出了该文件的路径:
于是发现这个文件就是我们利用ssh链接的时候,出现的欢迎界面!于是想到了MOTD提权!于是我们去找/etc目录下面的update-motd文件夹!找到00-header文件!看看能不能修改!
可以看到我们并没修改权限,查看00-header文件的时候,发现了该文件中的最下面,执行了cube.sh这个文件!
然而,如果我们能修改这个cube文件,将提权内容写进去也是可以实现的!
果然这个文件是我们当前用户可以修改的! users组具有读写执行权限,而当前用户便是users组中的用户!所以我们将提权代码写入到cube中,然后重新ssh链接的时候,便可以执行我们的代码!
利用nc起一个监听。重新利用ssh进行连接!
拿到了根目录下面的flag文件: