Talk is cheap, show me writeup
Tools and knowledge used
nmap, searchsploit, enum4linux
Target VM download
0x01 Information gathering: probing ports with nmap
Services
OS, script and other scans
We can see http, samba and more.
Visit the web page
dirb scan
nikto scan
enum4linux scan (rather long)
```text
root@kali:~# enum4linux -a 192.168.0.103
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Apr 1 15:08:27 2020

 ==========================
|    Target Information    |
 ==========================
Target ........... 192.168.0.103
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 =====================================================
|    Enumerating Workgroup/Domain on 192.168.0.103    |
 =====================================================
[+] Got domain/workgroup name: MYGROUP

 =============================================
|    Nbtstat Information for 192.168.0.103    |
 =============================================
Looking up status of 192.168.0.103
        KIOPTRIX        <00> -         B <ACTIVE>  Workstation Service
        KIOPTRIX        <03> -         B <ACTIVE>  Messenger Service
        KIOPTRIX        <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        MYGROUP         <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        MYGROUP         <1d> -         B <ACTIVE>  Master Browser
        MYGROUP         <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ======================================
|    Session Check on 192.168.0.103    |
 ======================================
[+] Server 192.168.0.103 allows sessions using username '', password ''

 ============================================
|    Getting domain SID for 192.168.0.103    |
 ============================================
Domain Name: MYGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 =======================================
|    OS information on 192.168.0.103    |
 =======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.0.103 from smbclient:
[+] Got OS info for 192.168.0.103 from srvinfo:
        KIOPTRIX       Wk Sv PrQ Unx NT SNT Samba Server
        platform_id     :       500
        os version      :       4.5
        server type     :       0x9a03

 ==============================
|    Users on 192.168.0.103    |
 ==============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 ==========================================
|    Share Enumeration on 192.168.0.103    |
 ==========================================

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba Server)
        ADMIN$          IPC       IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------
        KIOPTRIX             Samba Server

        Workgroup            Master
        ---------            -------
        MYGROUP              KIOPTRIX

[+] Attempting to map shares on 192.168.0.103
//192.168.0.103/IPC$    [E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.0.103/ADMIN$  [E] Can't understand response:
tree connect failed: NT_STATUS_WRONG_PASSWORD

 =====================================================
|    Password Policy Information for 192.168.0.103    |
 =====================================================
[E] Unexpected error from polenum:

[+] Attaching to 192.168.0.103 using a NULL share

[+] Trying protocol 445/SMB...

        [!] Protocol failed: [Errno Connection error (192.168.0.103:445)] [Errno 111] Connection refused

[+] Trying protocol 139/SMB...

        [!] Protocol failed: SMB SessionError: 0x5

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0

 ===============================
|    Groups on 192.168.0.103    |
 ===============================

[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Power Users] rid:[0x223]
group:[Account Operators] rid:[0x224]
group:[System Operators] rid:[0x225]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]

[+] Getting builtin group memberships:
Group 'Backup Operators' (RID: 551) has member: Couldn't find group Backup Operators
Group 'Users' (RID: 545) has member: Couldn't find group Users
Group 'Replicator' (RID: 552) has member: Couldn't find group Replicator
Group 'Print Operators' (RID: 550) has member: Couldn't find group Print Operators
Group 'Administrators' (RID: 544) has member: Couldn't find group Administrators
Group 'Account Operators' (RID: 548) has member: Couldn't find group Account Operators
Group 'Guests' (RID: 546) has member: Couldn't find group Guests
Group 'System Operators' (RID: 549) has member: Couldn't find group System Operators
Group 'Power Users' (RID: 547) has member: Couldn't find group Power Users

[+] Getting local groups:
group:[sys] rid:[0x3ef]
group:[tty] rid:[0x3f3]
group:[disk] rid:[0x3f5]
group:[mem] rid:[0x3f9]
group:[kmem] rid:[0x3fb]
group:[wheel] rid:[0x3fd]
group:[man] rid:[0x407]
group:[dip] rid:[0x439]
group:[lock] rid:[0x455]
group:[users] rid:[0x4b1]
group:[slocate] rid:[0x413]
group:[floppy] rid:[0x40f]
group:[utmp] rid:[0x415]

[+] Getting local group memberships:

[+] Getting domain groups:
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]

[+] Getting domain group memberships:
Group 'Domain Admins' (RID: 512) has member: Couldn't find group Domain Admins
Group 'Domain Users' (RID: 513) has member: Couldn't find group Domain Users

 ========================================================================
|    Users on 192.168.0.103 via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================
[I] Found new SID: S-1-5-21-4157223341-3243572438-1405127623
[+] Enumerating users using SID S-1-5-21-4157223341-3243572438-1405127623 and logon username '', password ''
S-1-5-21-4157223341-3243572438-1405127623-500 KIOPTRIX\ (0)
S-1-5-21-4157223341-3243572438-1405127623-501 KIOPTRIX\ (0)
S-1-5-21-4157223341-3243572438-1405127623-502 KIOPTRIX\unix_group.2147483399 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-503 KIOPTRIX\unix_group.2147483399 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-504 KIOPTRIX\unix_group.2147483400 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-505 KIOPTRIX\unix_group.2147483400 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-506 KIOPTRIX\unix_group.2147483401 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-507 KIOPTRIX\unix_group.2147483401 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-508 KIOPTRIX\unix_group.2147483402 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-509 KIOPTRIX\unix_group.2147483402 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-510 KIOPTRIX\unix_group.2147483403 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-511 KIOPTRIX\unix_group.2147483403 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-512 KIOPTRIX\Domain Admins (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-513 KIOPTRIX\Domain Users (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-514 KIOPTRIX\Domain Guests (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-515 KIOPTRIX\unix_group.2147483405 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-516 KIOPTRIX\unix_group.2147483406 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-517 KIOPTRIX\unix_group.2147483406 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-518 KIOPTRIX\unix_group.2147483407 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-519 KIOPTRIX\unix_group.2147483407 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-520 KIOPTRIX\unix_group.2147483408 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-521 KIOPTRIX\unix_group.2147483408 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-522 KIOPTRIX\unix_group.2147483409 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-523 KIOPTRIX\unix_group.2147483409 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-524 KIOPTRIX\unix_group.2147483410 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-525 KIOPTRIX\unix_group.2147483410 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-526 KIOPTRIX\unix_group.2147483411 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-527 KIOPTRIX\unix_group.2147483411 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-528 KIOPTRIX\unix_group.2147483412 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-529 KIOPTRIX\unix_group.2147483412 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-530 KIOPTRIX\unix_group.2147483413 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-531 KIOPTRIX\unix_group.2147483413 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-532 KIOPTRIX\unix_group.2147483414 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-533 KIOPTRIX\unix_group.2147483414 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-534 KIOPTRIX\unix_group.2147483415 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-535 KIOPTRIX\unix_group.2147483415 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-536 KIOPTRIX\unix_group.2147483416 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-537 KIOPTRIX\unix_group.2147483416 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-538 KIOPTRIX\unix_group.2147483417 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-539 KIOPTRIX\unix_group.2147483417 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-540 KIOPTRIX\unix_group.2147483418 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-541 KIOPTRIX\unix_group.2147483418 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-542 KIOPTRIX\unix_group.2147483419 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-543 KIOPTRIX\unix_group.2147483419 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-544 KIOPTRIX\unix_group.2147483420 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-545 KIOPTRIX\unix_group.2147483420 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-546 KIOPTRIX\unix_group.2147483421 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-547 KIOPTRIX\unix_group.2147483421 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-548 KIOPTRIX\unix_group.2147483422 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-549 KIOPTRIX\unix_group.2147483422 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-550 KIOPTRIX\unix_group.2147483423 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1000 KIOPTRIX\root (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1001 KIOPTRIX\root (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1002 KIOPTRIX\bin (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1003 KIOPTRIX\bin (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1004 KIOPTRIX\daemon (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1005 KIOPTRIX\daemon (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1006 KIOPTRIX\adm (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1007 KIOPTRIX\sys (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1008 KIOPTRIX\lp (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1009 KIOPTRIX\adm (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1010 KIOPTRIX\sync (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1011 KIOPTRIX\tty (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1012 KIOPTRIX\shutdown (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1013 KIOPTRIX\disk (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1014 KIOPTRIX\halt (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1015 KIOPTRIX\lp (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1016 KIOPTRIX\mail (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1017 KIOPTRIX\mem (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1018 KIOPTRIX\news (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1019 KIOPTRIX\kmem (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1020 KIOPTRIX\uucp (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1021 KIOPTRIX\wheel (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1022 KIOPTRIX\operator (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1023 KIOPTRIX\unix_group.11 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1024 KIOPTRIX\games (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1025 KIOPTRIX\mail (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1026 KIOPTRIX\gopher (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1027 KIOPTRIX\news (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1028 KIOPTRIX\ftp (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1029 KIOPTRIX\uucp (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1030 KIOPTRIX\unix_user.15 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1031 KIOPTRIX\man (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1032 KIOPTRIX\unix_user.16 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1033 KIOPTRIX\unix_group.16 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1034 KIOPTRIX\unix_user.17 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1035 KIOPTRIX\unix_group.17 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1036 KIOPTRIX\unix_user.18 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1037 KIOPTRIX\unix_group.18 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1038 KIOPTRIX\unix_user.19 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1039 KIOPTRIX\floppy (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1040 KIOPTRIX\unix_user.20 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1041 KIOPTRIX\games (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1042 KIOPTRIX\unix_user.21 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1043 KIOPTRIX\slocate (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1044 KIOPTRIX\unix_user.22 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1045 KIOPTRIX\utmp (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1046 KIOPTRIX\squid (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1047 KIOPTRIX\squid (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1048 KIOPTRIX\unix_user.24 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1049 KIOPTRIX\unix_group.24 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1050 KIOPTRIX\unix_user.25 (Local User)

 ==============================================
|    Getting printer info for 192.168.0.103    |
 ==============================================
No printers returned.

enum4linux complete on Wed Apr 1 15:08:38 2020
```
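The enum4linux run above is long, and the findings that matter for hardening are scattered through it (null session accepted, srvinfo fields, an empty password policy, accounts exposed by RID cycling). As an added example, not part of this writeup, here is a small Python triage parser that pulls those out of the output and lists them as remediation findings; the sample input is a constructed excerpt in the same layout as the run above.

```python
import re

# Constructed excerpt of an enum4linux -a run, laid out like the output above.
SAMPLE = """\
[+] Got domain/workgroup name: MYGROUP
[+] Server 192.168.0.103 allows sessions using username '', password ''
        platform_id     :       500
        os version      :       4.5
        server type     :       0x9a03
Password Complexity: Disabled
Minimum Password Length: 0
[I] Found new SID: S-1-5-21-4157223341-3243572438-1405127623
S-1-5-21-4157223341-3243572438-1405127623-512 KIOPTRIX\\Domain Admins (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1000 KIOPTRIX\\root (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1046 KIOPTRIX\\squid (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1047 KIOPTRIX\\squid (Local Group)
"""

# One RID-cycling result line: <domain SID>-<rid> HOST\name (Local User|Local Group)
RID_LINE = re.compile(r"^(S-1-5-21-[\d-]+)-(\d+)\s+[^\\]+\\(.+?) "
                      r"\((Local User|Local Group)\)\s*$")

def parse_enum4linux(text):
    """Reduce enum4linux output to the facts a hardening review needs."""
    report = {"workgroup": None, "null_session": False, "srvinfo": {},
              "policy": {}, "local_users": [], "local_groups": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[+] Got domain/workgroup name:"):
            report["workgroup"] = line.split(":", 1)[1].strip()
        elif "allows sessions using username ''" in line:
            report["null_session"] = True          # anonymous SMB session accepted
        elif re.match(r"^(platform_id|os version|server type)\s*:", line):
            key, val = (p.strip() for p in line.split(":", 1))
            report["srvinfo"][key] = val
        elif line.startswith(("Password Complexity:", "Minimum Password Length:")):
            key, val = (p.strip() for p in line.split(":", 1))
            report["policy"][key] = val
        else:
            m = RID_LINE.match(line)
            if m:   # lines like "KIOPTRIX\ (0)" carry no name and are skipped
                bucket = "local_users" if m.group(4) == "Local User" else "local_groups"
                report[bucket].append((int(m.group(2)), m.group(3)))
    return report

def findings(report):
    """Turn the parsed report into plain-language items to fix."""
    out = []
    if report["null_session"]:
        out.append("null session accepted: anonymous users can enumerate over SMB")
    if report["local_users"]:
        out.append("%d local accounts exposed by RID cycling" % len(report["local_users"]))
    if report["policy"].get("Password Complexity") == "Disabled":
        out.append("password complexity disabled")
    if report["policy"].get("Minimum Password Length") == "0":
        out.append("minimum password length is 0")
    return out
```

Feeding the full run above into `parse_enum4linux` gives the same four findings, which is why enum4linux "finding nothing" in the Users section is misleading: the RID-cycling section still lists every local account.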
0x02 Vulnerability discovery and exploitation
After opening the web page and looking around, nothing constructive turned up, so the vulnerability has to be identified from the earlier scan results.
Copy it to a folder, compile it, and check the usage.
Usage instructions inside the source code
Run it as instructed, get root!
Copy it to a folder, compile: compilation error
0x03 Summary
samba
Honestly this one is a bit strange: enum4linux somehow didn't scan anything out. What is the difference between my version and theirs??
0x04 References: Kioptrix: Level 1 - Walkthrough