HTB-LAME
| Machine info | lame |
| --- | --- |
| Status | Retired |
| OS | linux |
| Techniques | vsftpd 2.3.4 FTP server and Samba 3.0.20 SMB; user enumeration; vulnerability exploited with msf to get a shell |
## Routine information gathering

```
└─# nmap -sS -p- 10.10.10.3
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-20 16:06 CST
Nmap scan report for 10.10.10.3
Host is up (0.016s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
```

## Detailed information

```
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 600fcfe1c05f6a74d69024fac4d56ccd (DSA)
|_  2048 5656240f211ddea72bae61b1243de8f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: -3m49s
```
## FTP port 21

Run an aggressive scan against FTP:

```
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
|_ftp-bounce: bounce working!
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4.37
OS details: DD-WRT v24-sp2 (Linux 2.4.37)
Network Distance: 2 hops
Service Info: OS: Unix
```
## Port 445: SMB

Let's see how SMB can be attacked.

[smb 445 | SMB protocol port exploitation]
```
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-users: 
|   LAME\backup (RID: 1068)
|     Full name:   backup
|     Flags:       Account disabled, Normal user account
|   LAME\bin (RID: 1004)
|     Full name:   bin
|     Flags:       Account disabled, Normal user account
|   LAME\bind (RID: 1210)
|     Flags:       Account disabled, Normal user account
|   LAME\daemon (RID: 1002)
|     Full name:   daemon
|     Flags:       Account disabled, Normal user account
|   LAME\dhcp (RID: 1202)
|     Flags:       Account disabled, Normal user account
|   LAME\distccd (RID: 1222)
|     Flags:       Account disabled, Normal user account
|   LAME\ftp (RID: 1214)
|     Flags:       Account disabled, Normal user account
|   LAME\games (RID: 1010)
|     Full name:   games
|     Flags:       Account disabled, Normal user account
|   LAME\gnats (RID: 1082)
|     Full name:   Gnats Bug-Reporting System (admin)
|     Flags:       Account disabled, Normal user account
|   LAME\irc (RID: 1078)
|     Full name:   ircd
|     Flags:       Account disabled, Normal user account
|   LAME\klog (RID: 1206)
|     Flags:       Account disabled, Normal user account
|   LAME\libuuid (RID: 1200)
|     Flags:       Account disabled, Normal user account
|   LAME\list (RID: 1076)
|     Full name:   Mailing List Manager
|     Flags:       Account disabled, Normal user account
|   LAME\lp (RID: 1014)
|     Full name:   lp
|     Flags:       Account disabled, Normal user account
|   LAME\mail (RID: 1016)
|     Full name:   mail
|     Flags:       Account disabled, Normal user account
|   LAME\man (RID: 1012)
|     Full name:   man
|     Flags:       Account disabled, Normal user account
|   LAME\msfadmin (RID: 3000)
|     Full name:   msfadmin,,,
|     Flags:       Normal user account
|   LAME\mysql (RID: 1218)
|     Full name:   MySQL Server,,,
|     Flags:       Account disabled, Normal user account
|   LAME\news (RID: 1018)
|     Full name:   news
|     Flags:       Account disabled, Normal user account
|   LAME\nobody (RID: 501)
|     Full name:   nobody
|     Flags:       Account disabled, Normal user account
|   LAME\postfix (RID: 1212)
|     Flags:       Account disabled, Normal user account
|   LAME\postgres (RID: 1216)
|     Full name:   PostgreSQL administrator,,,
|     Flags:       Account disabled, Normal user account
|   LAME\proftpd (RID: 1226)
|     Flags:       Account disabled, Normal user account
|   LAME\proxy (RID: 1026)
|     Full name:   proxy
|     Flags:       Account disabled, Normal user account
|   LAME\root (RID: 1000)
|     Full name:   root
|     Flags:       Account disabled, Normal user account
|   LAME\service (RID: 3004)
|     Full name:   ,,,
|     Flags:       Account disabled, Normal user account
|   LAME\sshd (RID: 1208)
|     Flags:       Account disabled, Normal user account
|   LAME\sync (RID: 1008)
|     Full name:   sync
|     Flags:       Account disabled, Normal user account
|   LAME\sys (RID: 1006)
|     Full name:   sys
|     Flags:       Account disabled, Normal user account
|   LAME\syslog (RID: 1204)
|     Flags:       Account disabled, Normal user account
|   LAME\telnetd (RID: 1224)
|     Flags:       Account disabled, Normal user account
|   LAME\tomcat55 (RID: 1220)
|     Flags:       Account disabled, Normal user account
|   LAME\user (RID: 3002)
|     Full name:   just a user,111,,
|     Flags:       Normal user account
|   LAME\uucp (RID: 1020)
|     Full name:   uucp
|     Flags:       Account disabled, Normal user account
|   LAME\www-data (RID: 1066)
|     Full name:   www-data
|_    Flags:       Account disabled, Normal user account
```

#### User information

These users are user accounts created on a computer system or network. Each account has a unique identifier (RID), usually a username, and some other information such as a full name or description. An account can be used to log in to the system, perform specific tasks or access specific resources, depending on its permissions and role. "Account disabled" means that the account has been disabled or deactivated.

```
| smb-enum-shares: 
|   account_used: <blank>
|   \\10.10.10.3\ADMIN$: 
|     Type: STYPE_IPC
|     Comment: IPC Service (lame server (Samba 3.0.20-Debian))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: <none>
|   \\10.10.10.3\IPC$: 
|     Type: STYPE_IPC
|     Comment: IPC Service (lame server (Samba 3.0.20-Debian))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|   \\10.10.10.3\opt: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: <none>
|   \\10.10.10.3\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|   \\10.10.10.3\tmp: 
|     Type: STYPE_DISKTREE
|     Comment: oh noes!
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|_    Anonymous access: READ/WRITE
```

Analysis:

- `\\10.10.10.3\ADMIN$`: an IPC (Interprocess Communication) service that lets administrators manage the remote system over the network. Its path is `C:\tmp` and it allows no anonymous access.
- `\\10.10.10.3\IPC$`: also an IPC service with path `C:\tmp`, but anonymous users get read/write access.
- `\\10.10.10.3\opt`: a disk-tree share with no comment, path `C:\tmp`, and no anonymous access.
- `\\10.10.10.3\print$`: a share for printer drivers, path `C:\var\lib\samba\printers`, no anonymous access.
- `\\10.10.10.3\tmp`: a disk-tree share whose comment is "oh noes!", path `C:\tmp`, and anonymous users get read/write access.
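As an added example (not part of the original writeup), here is a small Python parser for the two nmap script outputs above. It pulls out the accounts that are not disabled and the shares nmap reported as anonymously writable, which is what a defender would triage first from this scan. The sample input is a constructed, trimmed copy of the output shown above.

```python
import re

# Constructed sample: a trimmed copy of the nmap smb-enum-users / smb-enum-shares output above.
SAMPLE_NMAP = r"""
| smb-enum-users:
|   LAME\bin (RID: 1004)
|     Full name:   bin
|     Flags:       Account disabled, Normal user account
|   LAME\msfadmin (RID: 3000)
|     Flags:       Normal user account
|   LAME\user (RID: 3002)
|_    Flags:       Normal user account
| smb-enum-shares:
|   account_used: <blank>
|   \\10.10.10.3\ADMIN$:
|     Anonymous access: <none>
|   \\10.10.10.3\tmp:
|     Path: C:\tmp
|_    Anonymous access: READ/WRITE
"""

def parse_smb_scripts(text):
    """Return (users, shares): users[name] -> {'rid': int, 'Flags': ...}, shares[unc] -> fields."""
    users, shares = {}, {}
    section = current = None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        rest = line[1:]
        stripped = rest.lstrip(" _")                 # "|_" marks a block's last line
        indent, body = len(rest) - len(stripped), stripped.rstrip()
        if indent == 1:                              # script name, e.g. "smb-enum-users:"
            section, current = body.rstrip(":"), None
        elif indent == 3:                            # a user entry or a share entry
            m = re.match(r"(.+?) \(RID: (\d+)\)$", body)
            if section == "smb-enum-users" and m:
                current = users.setdefault(m.group(1), {"rid": int(m.group(2))})
            elif section == "smb-enum-shares" and body.startswith("\\\\"):
                current = shares.setdefault(body.rstrip(":"), {})
            else:
                current = None                       # e.g. "account_used: <blank>"
        elif indent == 5 and current is not None:    # a field of the current entry
            key, _, val = body.partition(":")
            current[key.strip()] = val.strip()
    return users, shares

def enabled_accounts(users):                         # Flags without "Account disabled"
    return sorted(n for n, u in users.items() if "Account disabled" not in u.get("Flags", ""))

def anonymous_writable_shares(shares):               # nmap reported anonymous READ/WRITE
    return sorted(n for n, s in shares.items() if "WRITE" in s.get("Anonymous access", ""))
```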
[Connecting to shares from a client | How do you find a specific resource?]

Connect and list the resources:

```
Password for [WORKGROUP\root]:
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk      
	IPC$            IPC       IPC Service (lame server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (lame server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            LAME
```
Looked around and found nothing; the only gain was the version string, Samba 3.0.20-Debian. Let's look it up:

```
 Exploit Title                      |  Path
------------------------------------ ---------------------------------
Samba 3.0.10 < 3.3.5 - Format Strin | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Usernam | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overfl | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Ser | linux_x86/dos/36741.py
```

Pay attention to this one: **Samba 3.0.20 < 3.0.25rc3 - 'Usernam | unix/remote/16320.rb**
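The searchsploit title encodes an affected range, 3.0.20 up to but not including 3.0.25rc3, and matching a banner such as `Samba 3.0.20-Debian` against it needs a version ordering in which a release candidate sorts before its final release. Added example, not from the original writeup; the helper names are my own and the sample banner is the share comment nmap printed above.

```python
import re

# Affected range taken from the searchsploit entry above:
# "Samba 3.0.20 < 3.0.25rc3" means 3.0.20 <= version < 3.0.25rc3.
AFFECTED_LOW, AFFECTED_HIGH = "3.0.20", "3.0.25rc3"

def version_key(version):
    """Sortable tuple for '3.0.25rc3' or '3.0.20-Debian': an rc sorts before the
    final release with the same number, and a distro suffix is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)(?:rc(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable Samba version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))                  # pad '3.0' to (3, 0, 0)
    pre = (0, int(m.group(2))) if m.group(2) else (1, 0)
    return nums + pre

def samba_version_from_banner(banner):
    """Exact version from e.g. 'Samba 3.0.20-Debian'; None for the fuzzy
    'Samba smbd 3.X - 4.X' that the port scan reported."""
    m = re.search(r"Samba\s+(\d+\.\d+\.\d+(?:rc\d+)?)", banner)
    return m.group(1) if m else None

def in_affected_range(version, low=AFFECTED_LOW, high=AFFECTED_HIGH):
    """True when low <= version < high under version_key ordering."""
    return version_key(low) <= version_key(version) < version_key(high)

def banner_is_affected(banner):
    """Both steps combined: extract the version, then compare it to the range."""
    version = samba_version_from_banner(banner)
    return version is not None and in_affected_range(version)

# Constructed sample: the comment string nmap showed for the IPC$ share above.
SAMPLE_BANNER = "IPC Service (lame server (Samba 3.0.20-Debian))"
```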
## Samba reproduction

Samba exploitation: msf ships a module for this Samba vulnerability.

```
0  exploit/multi/samba/usermap_script  2007-05-14  excellent  No  Samba "username map script" Command Execution
```

Set the options and run it; you get a shell straight away.
Read user.txt directly under makdis, and then under root.
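The module name points at the `username map script` option in smb.conf; the defensive counterpart is to verify that no server in the affected version range has that option set. Added example, not from the writeup or the Samba project: the config fragments are constructed and the script path in them is invented for illustration.

```python
# Constructed samples: an smb.conf with the option enabled (the script path is invented)
# and a clean configuration where the same line is only a comment.
RISKY_SMB_CONF = """[global]
   workgroup = WORKGROUP
   ; smbd runs this command to map usernames at login
   Username Map Script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   writable = yes
"""
CLEAN_SMB_CONF = """[global]
   workgroup = WORKGROUP
   # username map script = /etc/samba/scripts/mapusers.sh
"""

def username_map_script(smb_conf):
    """Value of 'username map script' in [global], or None when unset. Samba ignores
    case and whitespace in parameter names, and ';' or '#' begin a comment line."""
    section = value = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            if "".join(key.split()).lower() == "usernamemapscript":
                value = val.strip()
    return value

def check_smb_conf(smb_conf):
    """Return a finding string when the risky option is active, else None."""
    script = username_map_script(smb_conf)
    return f"'username map script' is set in [global]: {script}" if script else None
```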