信息收集

# nmap -sn 192.168.101.0/24 -oN live.nmap               
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-22 19:14 CST
Nmap scan report for 192.168.101.1
Host is up (0.00050s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.101.2
Host is up (0.00038s latency).
MAC Address: 00:50:56:FE:B1:6F (VMware)
Nmap scan report for 192.168.101.130
Host is up (0.00035s latency).
MAC Address: 00:0C:29:25:7B:C9 (VMware)
Nmap scan report for 192.168.101.254
Host is up (0.00057s latency).
MAC Address: 00:50:56:F0:0F:88 (VMware)
Nmap done: 256 IP addresses (6 hosts up) scanned in 27.94 seconds

靶机192.168.101.130是新增加的IP地址，判断为是目标靶机的IP地址！

# nmap -sT --min-rate 10000 -p- 192.168.101.130 -oN port.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-22 19:15 CST
Nmap scan report for 192.168.101.130
Host is up (0.00030s latency).
Not shown: 65523 closed tcp ports (conn-refused)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1337/tcp  open  waste
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
20048/tcp open  mountd
39925/tcp open  unknown
57377/tcp open  unknown
MAC Address: 00:0C:29:25:7B:C9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 16.12 seconds

端口开放的可够多的！ftp ssh http rpc samba 后面的不知道是什么服务，哦 还有nfs！

# nmap -sT -sC -sV -O -p21,22,80,111,139,445,1337,2049,2121,20048,39925,57377 192.168.101.130 -oN details.nmap 
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-22 21:48 CST
Nmap scan report for 192.168.101.130
Host is up (0.00062s latency).

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 3.0.2
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.101.128
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    3 0        0              16 Feb 19  2020 pub [NSE: writeable]
22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 75:fa:37:d1:62:4a:15:87:7e:21:83:b9:2f:ff:04:93 (RSA)
|   256 b8:db:2c:ca:e2:70:c3:eb:9a:a8:cc:0e:a2:1c:68:6b (ECDSA)
|_  256 66:a3:1b:55:ca:c2:51:84:41:21:7f:77:40:45:d4:9f (ED25519)
80/tcp    open  http        Apache httpd 2.4.6 ((CentOS))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS)
|_http-title: My File Server
111/tcp   open  rpcbind     2-4 (RPC #100000)
|_rpcinfo: ERROR: Script execution failed (use -d to debug)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp   open  �
�,,V      Samba smbd 4.9.1 (workgroup: SAMBA)
1337/tcp  open  waste?
| fingerprint-strings: 
|   GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, TerminalServerCookie: 
|_    Why are you here ?!
2049/tcp  open  nfs         3-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx   3 root     root           16 Feb 19  2020 pub [NSE: writeable]
20048/tcp open  mountd      1-3 (RPC #100005)
39925/tcp open  nlockmgr    1-4 (RPC #100021)
57377/tcp open  status      1 (RPC #100024)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1337-TCP:V=7.94%I=7%D=2/22%Time=65D750B5%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,14,"Why\x20are\x20you\x20here\x20\?!\n")%r(GetRequest,14,"Wh
SF:y\x20are\x20you\x20here\x20\?!\n")%r(HTTPOptions,14,"Why\x20are\x20you\
SF:x20here\x20\?!\n")%r(RTSPRequest,14,"Why\x20are\x20you\x20here\x20\?!\n
SF:")%r(Help,14,"Why\x20are\x20you\x20here\x20\?!\n")%r(TerminalServerCook
SF:ie,14,"Why\x20are\x20you\x20here\x20\?!\n")%r(Kerberos,14,"Why\x20are\x
SF:20you\x20here\x20\?!\n")%r(LPDString,14,"Why\x20are\x20you\x20here\x20\
SF:?!\n")%r(LDAPSearchReq,14,"Why\x20are\x20you\x20here\x20\?!\n")%r(SIPOp
SF:tions,14,"Why\x20are\x20you\x20here\x20\?!\n");
MAC Address: 00:0C:29:25:7B:C9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.4 - 3.10
Network Distance: 1 hop
Service Info: Host: FILESERVER; OS: Unix

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.1)
|   Computer name: localhost
|   NetBIOS computer name: FILESERVER\x00
|   Domain name: \x00
|   FQDN: localhost
|_  System time: 2024-02-23T03:19:24+05:30
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-02-22T21:49:34
|_  start_date: N/A
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 6h10m00s, deviation: 3h10m30s, median: 7h59m59s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.27 seconds

端口的服务信息探测结果似乎存在比较感兴趣的点！首先是FTP似乎存在匿名登录！同时存在2049端口NFS！可能也会存在信息泄露！

# nmap -sT --script=vuln -p21,22,80,111,139,445,1337,2049,2121,20048,39925,57377 192.168.101.130 -oN vuls.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-22 19:22 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.101.130
Host is up (0.00100s latency).

PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum: 
|_  /icons/: Potentially interesting folder w/ directory listing
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1337/tcp  open  waste
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
20048/tcp open  mountd
39925/tcp open  unknown
57377/tcp open  unknown
MAC Address: 00:0C:29:25:7B:C9 (VMware)

Host script results:
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos: 
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_          
|_smb-vuln-ms10-054: false

默认漏洞脚本的探测结果似乎也没什么特别有价值的，还是需要去看具体的服务上是否存在利用点！进行UDP端口的探测：

# nmap -sU --min-rate 10000 -p- 192.168.101.130 -oN udp.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-22 21:49 CST
Warning: 192.168.101.130 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.101.130
Host is up (0.0014s latency).
Not shown: 65458 open|filtered udp ports (no-response), 73 closed udp ports (port-unreach)
PORT      STATE SERVICE
111/udp   open  rpcbind
2049/udp  open  nfs
40747/udp open  unknown
49910/udp open  unknown
MAC Address: 00:0C:29:25:7B:C9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 86.00 seconds

UDP端口上再次看到了2049 NFS服务！

寻找立足点

FTP服务

先看一下ftp服务，是否存在利用点：

FTP匿名登录成功之后，发现存在一个目录是pub！进入之后，又发现了log目录，再次进入该目录！

之后我们再次查看目录中的内容，发现存在大量的日志等文件信息！尝试全部下载下来！

利用mget命令将文件全部下载下来，这里有部分文件无法下载！下载到了登录日志，但是似乎没什么信息呢？（登录到FTP之后，需要切换到binary模式，这是一个良好的习惯，不然有可能出现下载下来的文件是不可读的）

其他的文件也看了一下，似乎找不到凭据信息

samba服务

只允许192.168.56.0/24网段能够访问到；于是更改了一下整个的网卡IP地址；挂载一下smbdata这个目录！到本地，查看里面的内容：

看到了一个note.txt文件，查看了一下里面的内容，发现了

似乎用户为了安全起见删除了find命令，但是没删除getcap，还说觉得别人都不知道'getcap & capsh'，暂时不去管这是什么，因为我们现在需要先拿到立足点！挨个文件看，发现了secure文件：

找到了一个用户，shell环境也是存在的！上面还有id_rsa! 尝试直接利用私钥文件进行ssh登录！

但是需要id_rsa的密码，这里也不知道密码是什么！但是之前打过一个靶场也是相同的情况进行了爆破，利用ssh2john将id_rsa转换为hash，进行爆破！

ssh2john id_rsa>id_rsa_hash
john --wordlist=/usr/share/wordlist/rockyou.txt id_rsa_hash

最终能得到密码 password 后来写笔记的时候，爆破不出来了，不知道原因是什么！出现了如下的报错：

命令是没变的，不知道为什么，有大佬知道的，还请指点！

拿到了初始的立足点！准备提权了！

提权

关于提权，由于不存在find命令，所以也就没法查找suid文件，查看了sudo命令，但是需要输入当前用户smbuser的密码，（密码就是password）这里并不知道smbuser的密码是什么！所以也就无法知道是否具有sudo权限！（查询到sudo的权限为空）

查看到/etc/passwd文件，发现还存在一个用户：

bla用户！查看/etc/shadow影子文件，发现了三个用户的加密密码，尝试复制出来利用john进行爆破解密：

尝试爆破的时候，仅发现了smbuser用户的密码，其他的两个用户，并没有成功拿到密码！

既然之前提示我们getcap&capsh 那就查找一下具有capabilities的可执行文件有哪些！

发现存在如上的几个可执行文件，就在查看capabilities的时候，发现john那边又有了新的突破！

又拿到了一个密码，尝试切换到bla用户，看看sudo权限有没有！

确实有信息的，免密执行了capsh 和 setcap！利用GTFOBins进行提权命令查询：

尝试提权：

最终提权成功！查找一下flag文件：

bla的flag！以及root用户的flag文件：