
Zino pg walkthrough Intermediate

Date: 2024-11-14 10:09:27
Tags: enum4linux, 32, 192.168, walkthrough, Intermediate, SID, Zino, Local, 167.64

nmap scan: it reveals Samba file shares
┌──(root㉿kali)-[~]
└─# nmap -p- -A 192.168.167.64
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-14 00:33 UTC
Stats: 0:01:42 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 92.58% done; ETC: 00:35 (0:00:08 remaining)
Nmap scan report for 192.168.167.64
Host is up (0.072s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 b2:66:75:50:1b:18:f5:e9:9f:db:2c:d4:e3:95:7a:44 (RSA)
|   256 91:2d:26:f1:ba:af:d1:8b:69:8f:81:4a:32:af:9c:77 (ECDSA)
|_  256 ec:6f:df:8b:ce:19:13:8a:52:57:3e:72:a3:14:6f:40 (ED25519)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open  mysql?
| fingerprint-strings: 
|   LANDesk-RC, NULL: 
|_    Host '192.168.45.250' is not allowed to connect to this MariaDB server
8003/tcp open  http        Apache httpd 2.4.38
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2019-02-05 21:02  booked/
|_
|_http-title: Index of /
|_http-server-header: Apache/2.4.38 (Debian)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94SVN%I=7%D=11/14%Time=673545BA%P=x86_64-pc-linux-gnu%
SF:r(NULL,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.250'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(LANDe
SF:sk-RC,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.250'\x20is\x20not\x2
SF:0allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 4 hops
Service Info: Hosts: ZINO, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m59s, deviation: 2h53m13s, median: 0s
| smb2-time: 
|   date: 2024-11-14T00:35:26
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: zino
|   NetBIOS computer name: ZINO\x00
|   Domain name: \x00
|   FQDN: zino
|_  System time: 2024-11-13T19:35:22-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

TRACEROUTE (using port 3306/tcp)
HOP RTT      ADDRESS
1   72.46 ms 192.168.45.1
2   72.43 ms 192.168.45.254
3   72.49 ms 192.168.251.1
4   73.13 ms 192.168.167.64

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 164.74 seconds

┌──(root㉿kali)-[~]
└─# 

┌──(root㉿kali)-[~]
└─# ls
enum4linux  katoolin  lab  reports

┌──(root㉿kali)-[~]
└─# cd enum4linux/

┌──(root㉿kali)-[~/enum4linux]
└─# ls
AUTHORS  CHANGELOG  COPYING.ENUM4LINUX  COPYING.GPL  enum4linux.pl  README.md  reports  share-list.txt

┌──(root㉿kali)-[~/enum4linux]
└─# ./enum4linux.pl 192.168.167.64
"my" variable $which_output masks earlier declaration in same scope at ./enum4linux.pl line 280.
WARNING: polenum is not in your path.  Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Nov 14 01:17:02 2024

 =========================================( Target Information )=========================================

Target ........... 192.168.167.64
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.167.64 )===========================


[E] Can't find workgroup/domain



 ===============================( Nbtstat Information for 192.168.167.64 )===============================

Looking up status of 192.168.167.64
No reply from 192.168.167.64

 ==================================( Session Check on 192.168.167.64 )==================================


[+] Server 192.168.167.64 allows sessions using username '', password ''


 ===============================( Getting domain SID for 192.168.167.64 )===============================

Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup


 ==================================( OS information on 192.168.167.64 )==================================


[E] Can't get OS info with smbclient


[+] Got OS info for 192.168.167.64 from srvinfo: 
	ZINO           Wk Sv PrQ Unx NT SNT Samba 4.9.5-Debian
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03


 ======================================( Users on 192.168.167.64 )======================================

Use of uninitialized value $users in print at ./enum4linux.pl line 1028.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 1031.

Use of uninitialized value $users in print at ./enum4linux.pl line 1046.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 1048.

 ================================( Share Enumeration on 192.168.167.64 )================================


	Sharename       Type      Comment
	---------       ----      -------
	zino            Disk      Logs
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            

[+] Attempting to map shares on 192.168.167.64

//192.168.167.64/zino	Mapping: OK Listing: OK Writing: N/A
//192.168.167.64/print$	Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.167.64/IPC$	Mapping: N/A Listing: N/A Writing: N/A

 ===========================( Password Policy Information for 192.168.167.64 )===========================


[E] Dependent program "polenum" not present.  Skipping this check.  Download polenum from http://labs.portcullis.co.uk/application/polenum/



 ======================================( Groups on 192.168.167.64 )======================================


[+] Getting builtin groups:


[+]  Getting builtin group memberships:


[+]  Getting local groups:


[+]  Getting local group memberships:


[+]  Getting domain groups:


[+]  Getting domain group memberships:


 =================( Users on 192.168.167.64 via RID cycling (RIDS: 500-550,1000-1050) )=================


[I] Found new SID: 
S-1-22-1

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[+] Enumerating users using SID S-1-5-21-3071547070-3972129690-4249512582 and logon username '', password ''

S-1-5-21-3071547070-3972129690-4249512582-501 ZINO\nobody (Local User)
S-1-5-21-3071547070-3972129690-4249512582-513 ZINO\None (Domain Group)

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\peter (Local User)

 ==============================( Getting printer info for 192.168.167.64 )==============================

No printers returned.


enum4linux complete on Thu Nov 14 01:22:46 2024

Inspecting the share reveals an information leak:
sudo mount -t cifs //192.168.167.64/zino ./mnt -o guest,iocharset=utf8
Reading through all the log files in the share turns up the credentials admin:adminadmin; they are presumably for the website.
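The log search above is done by hand. As an added example (not code from the original post), the following Python script walks a local copy of the share and pulls credential-looking pairs out of every log file, so the same triage works when a share holds hundreds of files. The copy can also be pulled without mounting, with `smbclient -N //192.168.167.64/zino -c 'recurse ON; prompt OFF; mget *'`. The regular expressions are a heuristic of mine, and the sample log lines and the directory built by `build_demo` are constructed for this illustration; they do not reproduce the real logs on the box.

```python
import os
import re
import tempfile

# Heuristic patterns for credentials that end up in application logs.
# Each pattern yields a (user, password) pair; user may be empty when a
# log line exposes only the secret. These are my own patterns, not
# something taken from the target's log format.
CRED_PATTERNS = [
    # "login attempt admin:adminadmin", "credentials bob:hunter2"
    re.compile(
        r"\b(?:login|logon|auth|credentials?)\b[^\n:]{0,24}?"
        r"\b(?P<user>[A-Za-z][\w.@-]*):(?P<pw>[^\s,;'\"]{3,})",
        re.IGNORECASE,
    ),
    # "password=S3cret! for user backup", "pwd: hunter2 user=bob"
    re.compile(
        r"\b(?:pass(?:word|wd)?|pwd)\s*[:=]\s*(?P<pw>[^\s,;'\"]{3,})"
        r"(?:.*?\b(?:user(?:name)?|for(?:\s+user)?)\s*[:=]?\s*(?P<user>[A-Za-z][\w.@-]*))?",
        re.IGNORECASE,
    ),
]


def extract_credentials(text):
    """Return the (user, password) pairs found in a block of log text."""
    found = []
    for line in text.splitlines():
        for pat in CRED_PATTERNS:
            m = pat.search(line)
            if m:
                found.append((m.group("user") or "", m.group("pw")))
                break  # one hit per line is enough for triage
    return found


def scan_logs(root):
    """Walk a directory tree (e.g. a mounted or downloaded share) and map file -> credentials."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".log", ".txt")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                creds = extract_credentials(fh.read())
            if creds:
                hits[path] = creds
    return hits


# Constructed sample log: two leaks plus noise lines (timestamps, URLs) that
# contain colons but must not be reported as credentials.
SAMPLE_LOG = """\
2019-02-05 21:02:11 [info] scheduler started, listening on http://0.0.0.0:8003/booked/
2019-02-05 21:05:40 [info] login page served at 21:05:40
2019-02-05 21:10:03 [info] user admin logged in from 10.0.0.5
2019-02-05 21:11:17 [debug] login attempt admin:adminadmin result=OK
2019-02-05 21:12:40 [warn] password=S3cret! for user backup (rotation overdue)
2019-02-05 21:13:02 [info] scheduled cleanup finished
"""


def build_demo():
    """Create a throwaway directory that stands in for the mounted share."""
    share = tempfile.mkdtemp(prefix="zino-share-")
    os.makedirs(os.path.join(share, "logs"))
    with open(os.path.join(share, "logs", "app.log"), "w") as fh:
        fh.write(SAMPLE_LOG)
    with open(os.path.join(share, "README.txt"), "w") as fh:
        fh.write("nothing to see here\n")
    return share


if __name__ == "__main__":
    for path, creds in scan_logs(build_demo()).items():
        for user, pw in creds:
            print(f"{path}: {user or '<unknown user>'} / {pw}")
```

Run it against the real mount point with `scan_logs("./mnt")`; the patterns are deliberately narrow (a user must start with a letter and a secret must be at least three characters), so timestamps and URLs are skipped, and anything the heuristics miss still warrants a manual `grep -riE 'pass|login|user'` over the same files.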

Log in to the web interface on port 8003 and look up vulnerabilities for the CMS that is running there.
There is a matching exploit:
https://www.exploit-db.com/exploits/50594

Start an nc listener on port 8003 and run the exploit as its description says.
The reverse shell connects.

Running pspy64 reveals a scheduled task.
[screenshot]
Edit cleanup.py directly.
[screenshot]

Wait for the job to run.
Privilege escalation succeeds.
[screenshot]

[screenshot]
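pspy only shows that something runs on a schedule; what makes the job exploitable is that the script it executes can be modified by the user we already have. As an added example, not code from the original post, the following Python audit parses system-crontab text (the /etc/crontab and /etc/cron.d format, which carries a user column), resolves the script each entry runs, and reports why a lower-privileged user could change what root executes. The crontab text, the file names (cleanup.py, rotate.py) and their permissions are constructed for the demo; the real job on Zino is visible only in the screenshots.

```python
import os
import re
import stat
import tempfile

# System crontab line: five time fields (or an @shortcut), then the user, then the command.
CRON_LINE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")

# Interpreter paths are not interesting in themselves; the script they are given is.
INTERPRETERS = {
    "/bin/sh", "/bin/bash", "/usr/bin/python", "/usr/bin/python3",
    "/usr/bin/perl", "/usr/bin/env",
}


def script_paths(cmd):
    """Yield absolute paths in a cron command that exist as regular files."""
    for tok in cmd.split():
        if tok.startswith("/") and tok not in INTERPRETERS and os.path.isfile(tok):
            yield tok


def weaknesses(path, run_as):
    """Reasons a lower-privileged user could change what this entry executes."""
    reasons = []
    st = os.stat(path)
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append(f"group-writable (gid {st.st_gid})")
    if run_as == "root" and st.st_uid != 0:
        reasons.append(f"owned by uid {st.st_uid} but executed as root")
    parent = os.stat(os.path.dirname(path))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory world-writable without sticky bit (file can be replaced)")
    return reasons


def audit_crontab(text):
    """Map each script run from a system crontab to the list of weaknesses found."""
    findings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue  # blank line, comment, or environment assignment such as PATH=...
        m = CRON_LINE.match(line)
        if not m:
            continue
        for path in script_paths(m.group("cmd")):
            reasons = weaknesses(path, m.group("user"))
            if reasons:
                findings[path] = reasons
    return findings


def build_demo():
    """Constructed crontab and scripts: one job runs a world-writable script as root."""
    d = tempfile.mkdtemp(prefix="cron-audit-")
    cleanup = os.path.join(d, "cleanup.py")  # hypothetical name, mirrors the box's job
    rotate = os.path.join(d, "rotate.py")    # hypothetical, correctly permissioned
    for p in (cleanup, rotate):
        with open(p, "w") as fh:
            fh.write("#!/usr/bin/python3\nprint('housekeeping')\n")
    os.chmod(cleanup, 0o777)  # the mistake: anyone on the host can rewrite it
    os.chmod(rotate, 0o755)
    crontab = (
        "SHELL=/bin/sh\n"
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n"
        "# m h dom mon dow user command\n"
        f"*/3 * * * * root /usr/bin/python3 {cleanup}\n"
        f"@daily root /usr/bin/python3 {rotate}\n"
    )
    return crontab, cleanup, rotate


if __name__ == "__main__":
    crontab, _cleanup, _rotate = build_demo()
    for path, reasons in audit_crontab(crontab).items():
        print(f"{path}: {', '.join(reasons)}")
```

On a target, feed it the real files with `audit_crontab(open("/etc/crontab").read())` and the same for each file under /etc/cron.d; per-user crontabs from `crontab -l` have no user column and are not parsed here. The remediation for a hit like cleanup.py is `chown root:root` and `chmod 755` on the script and on its directory, so that what root runs is only writable by root.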

From: https://www.cnblogs.com/wssw/p/18545394
