【pen200-lab】10.11.1.217
🔥系列专栏:pen200-lab
🎉欢迎关注🔎点赞👍收藏⭐️留言📝
📆首发时间:🌴2022年11月30日🌴
🍭作者水平很有限,如果发现错误,还望告知,感谢!
nmap -p- --min-rate 10000 -A 10.10.11.217
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 1af6e54cf5655ca379cee130f95a9caf (DSA)
|_ 2048 b19ec8eaeb4cfc55cb1e4d4c406e80f2 (RSA)
25/tcp open smtp?
|_smtp-commands: hotline.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open http Apache httpd 2.2.3
|_http-title: Did not follow redirect to https://10.11.1.217/
|_http-server-header: Apache/2.2.3 (CentOS)
110/tcp open pop3?
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap?
443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))
|_http-server-header: Apache/2.2.3 (CentOS)
|_ssl-date: 2022-12-01T11:32:10+00:00; +4h59m59s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2012-03-23T19:29:13
|_Not valid after: 2013-03-23T19:29:13
836/tcp open status 1 (RPC #100024)
993/tcp open imaps?
995/tcp open pop3s?
3306/tcp open mysql?
4190/tcp open sieve?
4445/tcp open upnotifyp?
4559/tcp open hylafax?
5038/tcp open asterisk Asterisk Call Manager 1.1
总结一下获得的信息
hotline.localdomain
web页面有80以及443,同时存在pop3,smtp,rpc的枚举
以及imap
还有一个5038/tcp open asterisk Asterisk Call Manager 1.1
这在谷歌上显示应该存在exp
自动跳转https,与nmap一致
弱口令admin/admin登陆成功



经过筛选,我选择18650.py作为我首次尝试的payload
再修改了exp中的ip以及端口之后
我获得了一个shell
接下来我使用linpeas来进行枚举
script /dev/null -c bash

我发现这似乎容易收到脏牛的影响
所以我进行尝试
不过却失败了

在linpeas中我还枚举出了许多的似乎可以使用的内核提权漏洞
不过我将不现在就使用他们,除非我无路可走
[1] american-sign-languageCVE-2010-4347Source: http://www.securityfocus.com/bid/45408[2] can_bcmCVE-2010-2959Source: http://www.exploit-db.com/exploits/14814[3] do_pages_moveAlt: sieve CVE-2010-0415Source: Spenders Enlightenment[4] ftrexCVE-2008-4210Source: http://www.exploit-db.com/exploits/6851[5] half_nelson1Alt: econet CVE-2010-3848Source: http://www.exploit-db.com/exploits/17787[6] half_nelson2Alt: econet CVE-2010-3850Source: http://www.exploit-db.com/exploits/17787[7] half_nelson3Alt: econet CVE-2010-4073Source: http://www.exploit-db.com/exploits/17787[8] msrCVE-2013-0268Source: http://www.exploit-db.com/exploits/27297[9] pipe.c_32bitCVE-2009-3547Source: http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c[10] pktcdvdCVE-2010-3437Source: http://www.exploit-db.com/exploits/15150[11] reiserfsCVE-2010-1146Source: http://www.exploit-db.com/exploits/12130[12] sock_sendpageAlt: wunderbar_emporium CVE-2009-2692Source: http://www.exploit-db.com/exploits/9435[13] sock_sendpage2Alt: proto_ops CVE-2009-2692Source: http://www.exploit-db.com/exploits/9436[14] udp_sendmsg_32bitCVE-2009-2698Source: http://downloads.securityfocus.com/vulnerabilities/exploits/36108.c[15] video4linuxCVE-2010-3081Source: http://www.exploit-db.com/exploits/15024[16] vmsplice1Alt: jessica biel CVE-2008-0600Source: http://www.exploit-db.com/exploits/5092
sudo -l
我发现了chmod 具有权限
我将给我的bash赋予最高权限
而后bash -p
我将获得一个root用户