渗透测试实用指南vulnhub

2019-08-25-Vulnhub渗透测试实战writeup(

2019-08-26  本文已影响0人  最初的美好_kai

emmm这次镜像拖了很久。。。#Symfonos2


p1

首先上nmap结果:

root@HLKali:~# nmap -p- -A -sV 172.16.64.133

Starting Nmap 7.40 ( https://nmap.org ) at 2019-08-25 11:27 EDT
Nmap scan report for 172.16.64.133
Host is up (0.00064s latency).
Not shown: 65530 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD 1.3.5
|_ftp-bounce: no banner
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 9d:f8:5f:87:20:e5:8c:fa:68:47:7d:71:62:08:ad:b9 (RSA)
|_  256 04:2a:bb:06:56:ea:d1:93:1c:d2:78:0a:00:46:9d:85 (ECDSA)
80/tcp  open  http        WebFS httpd 1.21
|_http-server-header: webfs/1.21
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:1D:C0:6B (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: Host: SYMFONOS2; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: SYMFONOS2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos2
|   NetBIOS computer name: SYMFONOS2\x00
|   Domain name: \x00
|   FQDN: symfonos2
|_  System time: 2019-08-25T10:27:44-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.64 ms 172.16.64.133

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.91 seconds

可以看到开放了21,22,80,139,445端口,开放了139和445意味着有smb可以探测,直接上enum4linux


p2

可以看到空密码。。。
直接smbclient连接


p3
直接看到有个anonymous文件夹
p4

拿下日志文件,查看一番发现用户名aeolus,尝试ftp以及ssh密码爆破。。。爆破ssh密码为sergioteamo
直接连接以后发现还开放其他端口


p5
外面没扫到8080,应该是http服务,所以可以直接找找漏洞。。。
这里肯定要做所谓的端口转发,端口转发分本地端口转发以及远程端口转发,区别在于ssh连接以及转发的服务连接方向是否一致,一致则为本地端口转发。
这里命令如下:
ssh -L 7001:localhost:8080 aeolus@172.16.64.133

7001为我的端口,8080为对面端口。

p6
这里直接访问7001端口就能转发了。
p7
这里librenms cms有漏洞,可参考(https://www.anquanke.com/post/id/169295)
这里登录账号密码同ssh,aeolus:sergioteamo
p8
p9
然后尝试提权,先sudo -l看看有哪些特权程序
p10
这样直接uuid提权
p11
p12
The end...
上一篇下一篇

猜你喜欢

热点阅读