emmm这次镜像拖了很久。。。#Symfonos2
p1
首先上nmap结果:
root@HLKali:~# nmap -p- -A -sV 172.16.64.133
Starting Nmap 7.40 ( https://nmap.org ) at 2019-08-25 11:27 EDT
Nmap scan report for 172.16.64.133
Host is up (0.00064s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
|_ftp-bounce: no banner
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 9d:f8:5f:87:20:e5:8c:fa:68:47:7d:71:62:08:ad:b9 (RSA)
|_ 256 04:2a:bb:06:56:ea:d1:93:1c:d2:78:0a:00:46:9d:85 (ECDSA)
80/tcp open http WebFS httpd 1.21
|_http-server-header: webfs/1.21
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:1D:C0:6B (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: Host: SYMFONOS2; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: SYMFONOS2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.16-Debian)
| Computer name: symfonos2
| NetBIOS computer name: SYMFONOS2\x00
| Domain name: \x00
| FQDN: symfonos2
|_ System time: 2019-08-25T10:27:44-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.64 ms 172.16.64.133
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.91 seconds
可以看到开放了21,22,80,139,445端口,开放了139和445意味着有smb可以探测,直接上enum4linux
p2
可以看到空密码。。。
直接smbclient连接
p3
直接看到有个anonymous文件夹
p4
拿下日志文件,查看一番发现用户名aeolus,尝试ftp以及ssh密码爆破。。。爆破ssh密码为sergioteamo
直接连接以后发现还开放其他端口
p5
外面没扫到8080,应该是http服务,所以可以直接找找漏洞。。。
这里肯定要做所谓的端口转发,端口转发分本地端口转发以及远程端口转发,区别在于ssh连接以及转发的服务连接方向是否一致,一致则为本地端口转发。
这里命令如下:
ssh -L 7001:localhost:8080 aeolus@172.16.64.133
7001为我的端口,8080为对面端口。
p6
这里直接访问7001端口就能转发了。
p7
这里librenms cms有漏洞,可参考(https://www.anquanke.com/post/id/169295)
这里登录账号密码同ssh,aeolus:sergioteamo
p8
p9
然后尝试提权,先sudo -l看看有哪些特权程序
p10
这样直接uuid提权
p11
p12
The end...
