HTB Linux Beep

Posted on | In
Words count in article: 995 | Reading time ≈ 5

简介
收集信息,尝试N Day,拿到账号密码,登陆SSH。

文章目录

  • 信息收集
  • 漏洞利用

信息收集

1.nmap扫描端口

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# Nmap 7.70 scan initiated Sun Dec  8 16:08:10 2019 as: nmap -sC -sV -p22,25,80,110,111,143,443,878,993,995,3306,4190,4445,4559,5038,10000 -oA Beep/scan/Beep-vul 10.10.10.7
Nmap scan report for localhost (10.10.10.7)
Host is up (0.31s latency).

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://localhost/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: EXPIRE(NEVER) PIPELINING USER LOGIN-DELAY(0) APOP RESP-CODES STLS AUTH-RESP-CODE UIDL IMPLEMENTATION(Cyrus POP3 server v2) TOP
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            875/udp  status
|_  100024  1            878/tcp  status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: Completed ID OK BINARY URLAUTHA0001 ANNOTATEMORE LISTEXT IMAP4rev1 LIST-SUBSCRIBED THREAD=REFERENCES THREAD=ORDEREDSUBJECT MAILBOX-REFERRALS X-NETSCAPE CONDSTORE CHILDREN RENAME CATENATE STARTTLS NO LITERAL+ IDLE SORT ATOMIC ACL IMAP4 SORT=MODSEQ MULTIAPPEND NAMESPACE QUOTA UIDPLUS UNSELECT RIGHTS=kxte
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Elastix - Login page
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_ssl-date: 2019-12-08T09:10:54+00:00; +1h00m00s from scanner time.
878/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com; OS: Unix

Host script results:
|_clock-skew: mean: 59m59s, deviation: 0s, median: 59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec  8 16:13:00 2019 -- 1 IP address (1 host up) scanned in 289.81 seconds

端口数量有点多啊,一个一个看吧,
22端口,ssh服务,版本:OpenSSH 4.3
25端口,smtp服务,版本:Postfix smtpd
80端口,http服务,版本:Apache httpd 2.2.3
110端口,pop3服务,版本:Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111端口,rpcbind服务
143端口,imap服务,版本:Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443端口,ssl/http服务,版本:Apache httpd 2.2.3
878端口,rpc代理的服务,忽略
993端口,ssl/imap服务,版本:Cyrus imapd
995端口,pop3服务,版本:Cyrus pop3d
3306端口,mysql服务
4190端口,sieve服务,版本:Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
4445端口,可能是upnotifyp服务
4559端口,hylafax服务,版本:HylaFAX 4.3.10
5038端口,asterisk服务,版本:Asterisk Call Manager 1.1
10000端口,http服务,版本:MiniServ 1.570

2.历史漏洞查找

1
$ searchsploit <server version>

没有发现可以直接利用的RCE,于是放弃;

3.WEB站点信息搜集
访问80和443端口,发现是Elastix系统,Elastix是一款用于通信的服务器软件,具体介绍可以查看官网或者wikipedia
查找Elastix系统的N Daysearchsploit Elastix,发现本地文件包含、SQL盲注、PHP代码执行和远程代码执行四个漏洞;
查找默认账号密码elastix default credentials,找到admin:palosanto,同时找到Sugar CRM系统默认密码admin:password,Operator Flash Panel系统的密码admin:mypassword,FOP系统的密码:admin:eLaStIx.2oo7
尝试默认密码登陆系统,失败,于是尝试exploit-db中找到的N Day,一个接一个的尝试,最后发现本地文件包含可以成功执行,读取Elastix系统的配置文件”/etc/amportal.conf”,找到账号密码;

通过账号密码直接登陆ssh,拿到root权限。当然可以登陆Elastix然后利用其他的N Day获取root权限。

owefsad wechat
进击的DevSecOps,持续分享SAST/IAST/RASP的技术原理及甲方落地实践。如果你对 SAST、IAST、RASP方向感兴趣,可以扫描下方二维码关注公众号,获得更及时的内容推送。
0%