```
┌──(root㉿kali)-[/home/kali]
└─# nmap -Pn -n -sV -sC 192.168.88.129
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-11 20:11 EST
Nmap scan report for 192.168.88.129
Host is up (0.00029s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 79:07:2b:2c:2c:4e:14:0a:e7:b3:63:46:c6:b3:ad:16 (RSA)
|_  256 24:6b:85:e3:ab:90:5c:ec:d5:83:49:54:cd:98:31:95 (ED25519)
113/tcp  open  ident?
|_auth-owners: oident
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_auth-owners: root
445/tcp  open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
|_auth-owners: root
8080/tcp open  http-proxy  IIS 6.0
|_http-title: DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: IIS 6.0
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Tue, 12 Nov 2024 01:11:58 GMT
|     Server: IIS 6.0
|     Last-Modified: Wed, 26 Dec 2018 01:55:41 GMT
|     ETag: "230-57de32091ad69"
|     Accept-Ranges: bytes
|     Content-Length: 560
|     Vary: Accept-Encoding
|     Connection: close
|     Content-Type: text/html
|     <html>
|     <head><title>DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!</title>
|     </head>
|     <body>
|     <p>Welcome to the Development Page.</p>
|     <br/>
|     <p>There are many projects in this box. View some of these projects at html_pages.</p>
|     <br/>
|     <p>WARNING! We are experimenting a host-based intrusion detection system. Report all false positives to patrick@goodtech.com.sg.</p>
|     <br/>
|     <br/>
|     <br/>
|     <hr>
|     <i>Powered by IIS 6.0</i>
|     </body>
|     <!-- Searching for development secret page... where could it be? -->
|     <!-- Patrick, Head of Development-->
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Tue, 12 Nov 2024 01:11:58 GMT
|     Server: IIS 6.0
|     Allow: OPTIONS,HEAD,GET,POST
|     Content-Length: 0
|     Connection: close
|     Content-Type: text/html
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Date: Tue, 12 Nov 2024 01:11:58 GMT
|     Server: IIS 6.0
|     Content-Length: 293
|     Connection: close
|     Content-Type: text/html; charset=iso-8859-1
|     <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
|     <html><head>
|     <title>400 Bad Request</title>
|     </head><body>
|     <h1>Bad Request</h1>
|     <p>Your browser sent a request that this server could not understand.<br />
|     </p>
|     <hr>
|     <address>IIS 6.0 Server at 192.168.88.129 Port 8080</address>
|_    </body></html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94SVN%I=7%D=11/11%Time=6732AB5F%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,330,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Tue,\x2012\x20Nov\
SF:x202024\x2001:11:58\x20GMT\r\nServer:\x20IIS\x206\.0\r\nLast-Modified:\
SF:x20Wed,\x2026\x20Dec\x202018\x2001:55:41\x20GMT\r\nETag:\x20\"230-57de3
SF:2091ad69\"\r\nAccept-Ranges:\x20bytes\r\nContent-Length:\x20560\r\nVary
SF::\x20Accept-Encoding\r\nConnection:\x20close\r\nContent-Type:\x20text/h
SF:tml\r\n\r\n<html>\r\n<head><title>DEVELOPMENT\x20PORTAL\.\x20NOT\x20FOR
SF:\x20OUTSIDERS\x20OR\x20HACKERS!</title>\r\n</head>\r\n<body>\r\n<p>Welc
SF:ome\x20to\x20the\x20Development\x20Page\.</p>\r\n<br/>\r\n<p>There\x20a
SF:re\x20many\x20projects\x20in\x20this\x20box\.\x20View\x20some\x20of\x20
SF:these\x20projects\x20at\x20html_pages\.</p>\r\n<br/>\r\n<p>WARNING!\x20
SF:We\x20are\x20experimenting\x20a\x20host-based\x20intrusion\x20detection
SF:\x20system\.\x20Report\x20all\x20false\x20positives\x20to\x20patrick@go
SF:odtech\.com\.sg\.</p>\r\n<br/>\r\n<br/>\r\n<br/>\r\n<hr>\r\n<i>Powered\
SF:x20by\x20IIS\x206\.0</i>\r\n</body>\r\n\r\n<!--\x20Searching\x20for\x20
SF:development\x20secret\x20page\.\.\.\x20where\x20could\x20it\x20be\?\x20
SF:-->\r\n\r\n<!--\x20Patrick,\x20Head\x20of\x20Development-->\r\n\r\n</ht
SF:ml>\r\n")%r(HTTPOptions,A6,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Tue,\x20
SF:12\x20Nov\x202024\x2001:11:58\x20GMT\r\nServer:\x20IIS\x206\.0\r\nAllow
SF::\x20OPTIONS,HEAD,GET,POST\r\nContent-Length:\x200\r\nConnection:\x20cl
SF:ose\r\nContent-Type:\x20text/html\r\n\r\n")%r(RTSPRequest,1CC,"HTTP/1\.
SF:1\x20400\x20Bad\x20Request\r\nDate:\x20Tue,\x2012\x20Nov\x202024\x2001:
SF:11:58\x20GMT\r\nServer:\x20IIS\x206\.0\r\nContent-Length:\x20293\r\nCon
SF:nection:\x20close\r\nContent-Type:\x20text/html;\x20charset=iso-8859-1\
SF:r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//IETF//DTD\x20HTML\x202\.0//E
SF:N\">\n<html><head>\n<title>400\x20Bad\x20Request</title>\n</head><body>
SF:\n<h1>Bad\x20Request</h1>\n<p>Your\x20browser\x20sent\x20a\x20request\x
SF:20that\x20this\x20server\x20could\x20not\x20understand\.<br\x20/>\n</p>
SF:\n<hr>\n<address>IIS\x206\.0\x20Server\x20at\x20192\.168\.88\.129\x20Po
SF:rt\x208080</address>\n</body></html>\n");
MAC Address: 00:0C:29:25:4C:50 (VMware)
Service Info: Host: DEVELOPMENT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: DEVELOPMENT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2024-11-12T01:13:29
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: development
|   NetBIOS computer name: DEVELOPMENT\x00
|   Domain name: \x00
|   FQDN: development
|_  System time: 2024-11-12T01:13:29+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.05 seconds
```
Several services are exposed: 22 (ssh), 139/445 (smb), 8080 (http).
I personally prefer to footprint the web service first.
Information gathering on the target host's services
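Before moving to the web service, it is worth turning the scan above into the list of things the owner of this box should fix. The following is an added example, not part of the original write-up: it parses the port table and the smb-security-mode lines quoted from the scan (embedded as a constructed excerpt) and flags SMB signing disabled, guest access, the ident service giving away that smbd runs as root, and the IIS 6.0 banner on a Linux host.

```python
import re

# Constructed excerpt of the nmap output shown above; it is not a live scan.
NMAP_OUTPUT = """\
22/tcp   open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
113/tcp  open  ident?
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_auth-owners: root
445/tcp  open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
|_auth-owners: root
8080/tcp open  http-proxy  IIS 6.0
Service Info: Host: DEVELOPMENT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
FIELD_RE = re.compile(r"^\|_?\s+(\w+):\s+(.*)$")  # indented NSE 'key: value' lines

def parse_ports(text):
    """Return [(port, proto, state, service, version)] from the port table."""
    rows = []
    for m in filter(None, map(PORT_RE.match, text.splitlines())):
        port, proto, state, service, version = m.groups()
        rows.append((int(port), proto, state, service, version.strip()))
    return rows

def parse_fields(text):
    """Return {key: value} for NSE script output lines."""
    return {m.group(1): m.group(2).strip()
            for m in filter(None, map(FIELD_RE.match, text.splitlines()))}

def triage(text):
    """Return [(code, remediation)] for the weaknesses this scan exposes."""
    findings, fields = [], parse_fields(text)
    if fields.get("message_signing", "").startswith("disabled"):
        findings.append(("smb-signing-disabled",
                         "set 'server signing = mandatory' in smb.conf"))
    if fields.get("account_used") == "guest":
        findings.append(("smb-guest-access", "disable guest mapping and restrict shares"))
    owners = sorted(set(re.findall(r"auth-owners: (\S+)", text)))
    if owners:
        findings.append(("ident-exposed", f"ident disclosed service owners {owners}; stop oidentd"))
    on_linux = "OS: Linux" in text
    for port, _, _, _, version in parse_ports(text):
        if on_linux and "IIS" in version:
            findings.append(("banner-mismatch",
                             f"port {port}: IIS banner on Linux; do not trust Server header"))
    return findings
```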
8080-http
The page source (F12) also contains a comment.
This gives us a username: Patrick.
Next, run a directory scan.
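Leaking names and paths through HTML comments is what the F12 step relies on. As an added example (not code from this post), here is the check a team could run over its own pages before publishing: it collects every comment from constructed copies of the two pages quoted in this write-up and flags script names, directory hints and author signatures.

```python
import re
from html.parser import HTMLParser

# Constructed samples reproducing the two pages quoted in this write-up:
# the port-8080 portal and the director's landing page (trimmed).
PORTAL_HTML = """<html>
<head><title>DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!</title></head>
<body><p>Welcome to the Development Page.</p></body>
<!-- Searching for development secret page... where could it be? -->
<!-- Patrick, Head of Development-->
</html>"""

LANDING_HTML = """<p>Hi Director! This is the test page.</p>
<!-- Patrick's response: We are going to trial version 2 at shout.php.
     It is no longer in the developersecretpage directory.-->
<!-- Director's comments: Approved. -->"""

# What turns a comment into a finding: script names, directory hints, signatures.
LEAK_PATTERNS = {
    "script-path": re.compile(r"\b[\w./-]+\.(?:php|asp|aspx|jsp|cgi)\b", re.I),
    "directory-hint": re.compile(r"\b(\w*secret\w*|directory|backup|admin)\b", re.I),
    "author-signature": re.compile(r"^([A-Z][a-z]+)(?:'s)?,? (?:Head|response|comments)"),
}

class CommentCollector(HTMLParser):
    """Collect every HTML comment, wherever it sits in the document."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(" ".join(data.split()))  # normalise whitespace

def extract_comments(html):
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments

def audit(html):
    """Return [(kind, matched_text, comment)] for comments that leak internals."""
    findings = []
    for comment in extract_comments(html):
        for kind, pattern in LEAK_PATTERNS.items():
            for m in pattern.finditer(comment):
                hit = m.group(1) if m.groups() else m.group(0)
                findings.append((kind, hit, comment))
    return findings
```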
```
┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://192.168.88.129:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 10 -b "" -s "200,301,403"
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.88.129:8080
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:            200,301,403
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/about                (Status: 200) [Size: 936]
/development          (Status: 200) [Size: 576]
```
```
System information as of Tue Nov 12 01:34:34 UTC 2024

  System load:  1.15               Processes:            174
  Usage of /:   30.9% of 19.56GB   Users logged in:      0
  Memory usage: 44%                IP address for ens33: 192.168.88.129
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

260 packages can be updated.
137 updates are security updates.

*** System restart required ***
Last login: Sun Nov 10 13:14:00 2024 from 192.168.88.128
Congratulations! You tried harder!
Welcome to Development! Type '?' or 'help' to get the list of allowed commands
intern:~$ id
Traceback (most recent call last):
  File "/usr/local/bin/lshell", line 27, in <module>
    lshell.main()
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 1165, in main
    cli.cmdloop()
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 385, in cmdloop
    stop = self.onecmd(line)
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 503, in onecmd
    func = getattr(self, 'do_' + cmd)
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 134, in __getattr__
    if self.check_path(self.g_line) == 1:
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 303, in check_path
    item = re.sub('^~', self.conf['home_path'], item)
  File "/usr/lib/python2.7/re.py", line 155, in sub
    return _compile(pattern, flags).sub(repl, string, count)
TypeError: expected string or buffer
Connection to 192.168.88.129 closed.
```
```
intern@development:~$ cat work.txt
1. Tell Patrick that shoutbox is not working. We need to revert to the old method to update David about shoutbox. For new, we will use the old director's landing page.
2. Patrick's start of the third year in this company!
3. Attend the meeting to discuss if password policy should be relooked at.
intern@development:~$ cat local.txt
Congratulations on obtaining a user shell. :)
```
```html
<p> Hi Director! This is the test page to provide Director with eye-catching updates. </p>
<p> We know Director is busy and hence needs updates delivered in a timely manner.</p>
<p> Patrick and I will routinely update this page with a pop-up that details if there is anything important.</p>
<script>alert("Director, there is nothing for your immediate attention.");</script>
<!-- Director's comments: Does this not appear to be rather silly? I think we can make use of shoutbox. -->
<!-- Patrick's response: OK. When do you want it? -->
<!-- Director's comments: In three months' time. -->
<!-- Patrick's response: We are going to trial version 2 at shout.php. I think it's more accessible to all staff members and is no longer in the developersecretpage directory.-->
<!-- Director's comments: Approved. -->
<p> Regards <br/> Patrick<br/> Head, Development Network</p>
<p> <a href="<?php echo $slogin_php_self."?logout=1" ?>">Click here to log out.</a> </p>
```