咸鱼社

SfTian

Vulnhub-AI Web

# Typhoon ## 资产扫描 ```shell netdiscover -r 192.168.0.0/24 nmap -p- 192.168.0.137 #masscan -p 0-65535 192.168.0.136 nmap -sV -sC -p- -A 192.168.0.137 ``` | 端口 | 服务 | | ----- | --------------- | | 21 | ftp(可匿名登录) | | 22 | ssh | | 25 | smtp | | 53 | dns | | 80 | http | | 110 | pop3 | | 111 | rpc | | 139 | netbios | | 143 | imap | | 445 | ds | | 631 | ipp | | 993 | imapssl | | 995 | pop3ssl | | 2049 | nfs | | 3306 | mysql | | 5432 | pgsql | | 6379 | redis | | 8080 | | | 27017 | mongodb | | 34185 | | | 45020 | | | 45958 | | | 48572 | | | 53165 | | ## FTP FTP可匿名登录，但是没有内容 ## Web搜集 | 目录 | | ---------- | | phpmyadmin | | mongoadmin | | cms | | drupal | | calendar | robots.txt中发现不允许追踪`/mongoadmin/` 使用Wappalyzer发现drupal使用的版本为8在msf中可以搜索到drupal_drupalgeddon2的远程执行漏洞  查看内核版本尝试提权   ```shell cat root-flag <Congrats!> Typhoon_r00t3r! </Congrats!> ``` 在root目录中有相关的历史操作文件 ```sql cat .mysql_history create database drupal; create database dvwa; create database calendar; create database data; use data; CREATE TABLE data (id INT, data VARCHAR(50)); show tables ; INSERT INTO data (id,data) VALUES(1,"an0ther_fl4g_br0!"); select * from data; drop database drupal; create database drupal; UPDATE variable SET value = 's:1:"0";' WHERE name = 'clean_url'; use drupal; UPDATE variable SET value = 's:1:"0";' WHERE name = 'clean_url'; ls exit ; ls exit; drop database drupal; create database drupal; ``` 拿到MySQL的flag ``` an0ther_fl4g_br0! ``` ## 永恒之蓝 由于445端口是开的，所以就可以尝试使用永恒之蓝直接getshell  ## SSH爆破 使用msf的auxiliary/scanner/ssh/ssh_enumusers可以爆破用户名，然后再进行hydra的密码爆破即可getshell `admin/metallica` 在.ssh/.secret拿到flag ``` ph00n_typ_p0st_flag! ``` ## Tomcat 访问8080端口发现是tomcat7.0.52而且可以使用`tomcat/tomcat`登陆到/manager，使用msf来getshell，提权直接使用内核漏洞  ## NMAP的详细信息 ``` PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.2 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) | ftp-syst: | STAT: | FTP server status: | Connected to 192.168.0.128 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 1 | vsFTPd 3.0.2 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 02:df:b3:1b:01:dc:5e:fd:f9:96:d7:5b:b7:d6:7b:f9 (DSA) | 2048 de:af:76:27:90:2a:8f:cf:0b:2f:22:f8:42:36:07:dd (RSA) | 256 70:ae:36:6c:42:7d:ed:1b:c0:40:fc:2d:00:8d:87:11 (ECDSA) |_ 256 bb:ce:f2:98:64:f7:8f:ae:f0:dd:3c:23:3b:a6:0f:61 (ED25519) 25/tcp open smtp Postfix smtpd |_ssl-date: TLS randomness does not represent time | ssl-cert: Subject: commonName=typhoon | Not valid before: 2018-10-22T19:38:20 |_Not valid after: 2028-10-19T19:38:20 |_smtp-commands: typhoon, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN 53/tcp open domain ISC BIND 9.9.5-3 (Ubuntu Linux) | dns-nsid: |_ bind.version: 9.9.5-3-Ubuntu 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) |_http-title: Typhoon Vulnerable VM by PRISMA CSI | http-robots.txt: 1 disallowed entry |_/mongoadmin/ |_http-server-header: Apache/2.4.7 (Ubuntu) 110/tcp open pop3? | ssl-cert: Subject: commonName=typhoon/organizationName=Dovecot mail server | Not valid before: 2018-10-22T19:38:49 |_Not valid after: 2028-10-21T19:38:49 |_ssl-date: TLS randomness does not represent time 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100227 2,3 2049/tcp nfs_acl | 100227 2,3 2049/tcp6 nfs_acl | 100227 2,3 2049/udp nfs_acl |_ 100227 2,3 2049/udp6 nfs_acl 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 143/tcp open imap Dovecot imapd |_ssl-date: TLS randomness does not represent time | ssl-cert: Subject: commonName=typhoon/organizationName=Dovecot mail server | Not valid before: 2018-10-22T19:38:49 |_Not valid after: 2028-10-21T19:38:49 445/tcp open netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP) 631/tcp open ipp CUPS 1.7 | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: CUPS/1.7 IPP/2.1 |_http-title: Home - CUPS 1.7.2 | http-methods: |_ Potentially risky methods: PUT 993/tcp open ssl/imap Dovecot imapd |_ssl-date: TLS randomness does not represent time | ssl-cert: Subject: commonName=typhoon/organizationName=Dovecot mail server | Not valid before: 2018-10-22T19:38:49 |_Not valid after: 2028-10-21T19:38:49 995/tcp open ssl/pop3s? |_ssl-date: TLS randomness does not represent time | ssl-cert: Subject: commonName=typhoon/organizationName=Dovecot mail server | Not valid before: 2018-10-22T19:38:49 |_Not valid after: 2028-10-21T19:38:49 2049/tcp open nfs_acl 2-3 (RPC #100227) 3306/tcp open mysql MySQL (unauthorized) 5432/tcp open postgresql PostgreSQL DB 9.3.3 - 9.3.5 | ssl-cert: Subject: commonName=typhoon | Not valid before: 2018-10-22T19:38:20 |_Not valid after: 2028-10-19T19:38:20 |_ssl-date: TLS randomness does not represent time 6379/tcp open redis Redis key-value store 4.0.11 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 |_http-open-proxy: Proxy might be redirecting requests | http-methods: |_ Potentially risky methods: PUT DELETE |_http-title: Apache Tomcat |_http-server-header: Apache-Coyote/1.1 27017/tcp open mongodb MongoDB 3.0.15 3.0.15 | mongodb-info: | MongoDB Build info | OpenSSLVersion = OpenSSL 1.0.1f 6 Jan 2014 | compilerFlags = -Wnon-virtual-dtor -Woverloaded-virtual -std=c++11 -fno-omit-frame-pointer -fPIC -fno-strict-aliasing -ggdb -pthread -Wall -Wsign-compare -Wno-unknown-pragmas -Winvalid-pch -pipe -Werror -O3 -Wno-unused-local-typedefs -Wno-unused-function -Wno-deprecated-declarations -Wno-unused-but-set-variable -Wno-missing-braces -fno-builtin-memcmp -std=c99 | javascriptEngine = V8 | loaderFlags = | sysInfo = Linux ip-10-71-195-23 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 BOOST_LIB_VERSION=1_49 | ok = 1.0 | maxBsonObjectSize = 16777216 | version = 3.0.15 | versionArray | 2 = 15 | 3 = 0 | 0 = 3 | 1 = 0 | gitVersion = b8ff507269c382bc100fc52f75f48d54cd42ec3b | debug = false | bits = 64 | allocator = tcmalloc | Server status | opcountersRepl | insert = 0 | command = 0 | getmore = 0 | query = 0 | delete = 0 | update = 0 | network | bytesOut = 10237 | numRequests = 2 | bytesIn = 128 | storageEngine | name = mmapv1 | locks | Global | acquireCount | r = 928 | w = 9 | W = 5 | acquireWaitCount | W = 1 | timeAcquiringMicros | W = 142 | MMAPV1Journal | acquireCount | r = 455 | w = 22 | R = 61 | acquireWaitCount | R = 1 | timeAcquiringMicros | R = 100914 | Collection | acquireCount | R = 473 | Database | acquireCount | r = 455 | W = 9 | R = 2 | version = 3.0.15 | extra_info | note = fields vary by platform | heap_usage_bytes = 63068376 | page_faults = 173 | writeBacksQueued = false | host = typhoon.local | globalLock | activeClients | readers = 0 | writers = 0 | total = 9 | currentQueue | readers = 0 | writers = 0 | total = 0 | totalTime = -28547020000 | uptime = -28547.0 | connections | available = 51199 | totalCreated = 3 | current = 1 | ok = 1.0 | localTime = 1721288262305 | metrics | repl | apply | ops = 0 | batches | num = 0 | totalMillis = 0 | preload | docs | num = 0 | totalMillis = 0 | indexes | num = 0 | totalMillis = 0 | network | bytes = 0 | getmores | num = 0 | totalMillis = 0 | readersCreated = 0 | ops = 0 | buffer | sizeBytes = 0 | count = 0 | maxSizeBytes = 268435456 | document | returned = 0 | deleted = 0 | updated = 0 | inserted = 0 | getLastError | wtime | num = 0 | totalMillis = 0 | wtimeouts = 0 | storage | freelist | search | bucketExhausted = 0 | requests = 0 | scanned = 0 | cursor | open | noTimeout = 0 | total = 0 | pinned = 0 | timedOut = 0 | ttl | deletedDocuments = 0 | passes = 4 | operation | fastmod = 0 | writeConflicts = 0 | idhack = 0 | scanAndOrder = 0 | queryExecutor | scannedObjects = 0 | scanned = 0 | commands | collMod | failed = 0 | total = 0 | grantRolesToUser | failed = 0 | total = 0 | replSetHeartbeat | failed = 0 | total = 0 | getLastError | failed = 0 | total = 0 | replSetInitiate | failed = 0 | total = 0 | replSetGetConfig | failed = 0 | total = 0 | cleanupOrphaned | failed = 0 | total = 0 | cloneCollectionAsCapped | failed = 0 | total = 0 | replSetGetStatus | failed = 0 | total = 0 | grantPrivilegesToRole | failed = 0 | total = 0 | replSetMaintenance | failed = 0 | total = 0 | createIndexes | failed = 0 | total = 0 | authSchemaUpgrade | failed = 0 | total = 0 | usersInfo | failed = 0 | total = 0 | getLog | failed = 0 | total = 0 | rolesInfo | failed = 0 | total = 0 | group | failed = 0 | total = 0 | resetError | failed = 0 | total = 0 | replSetUpdatePosition | failed = 0 | total = 0 | dropRole | failed = 0 | total = 0 | dropAllUsersFromDatabase | failed = 0 | total = 0 | planCacheSetFilter | failed = 0 | total = 0 | features | failed = 0 | total = 0 | dbHash | failed = 0 | total = 0 | connectionStatus | failed = 0 | total = 0 | logRotate | failed = 0 | total = 0 | convertToCapped | failed = 0 | total = 0 | saslContinue | failed = 0 | total = 0 | hostInfo | failed = 0 | total = 0 | getShardVersion | failed = 0 | total = 0 | _isSelf | failed = 0 | total = 0 | clone | failed = 0 | total = 0 | copydbgetnonce | failed = 0 | total = 0 | _recvChunkStart | failed = 0 | total = 0 | <UNKNOWN> = 0 | appendOplogNote | failed = 0 | total = 0 | parallelCollectionScan | failed = 0 | total = 0 | handshake | failed = 0 | total = 0 | invalidateUserCache | failed = 0 | total = 0 | availableQueryOptions | failed = 0 | total = 0 | collStats | failed = 0 | total = 0 | ping | failed = 0 | total = 0 | listDatabases | failed = 0 | total = 1 | createUser | failed = 0 | total = 0 | filemd5 | failed = 0 | total = 0 | copydb | failed = 0 | total = 0 | cloneCollection | failed = 0 | total = 0 | grantRolesToRole | failed = 0 | total = 0 | cursorInfo | failed = 0 | total = 0 | unsetSharding | failed = 0 | total = 0 | explain | failed = 0 | total = 0 | setShardVersion | failed = 0 | total = 0 | medianKey | failed = 0 | total = 0 | mapReduce | failed = 0 | total = 0 | count | failed = 0 | total = 0 | getParameter | failed = 0 | total = 0 | delete | failed = 0 | total = 0 | planCacheListFilters | failed = 0 | total = 0 | insert | failed = 0 | total = 0 | copydbsaslstart | failed = 0 | total = 0 | renameCollection | failed = 0 | total = 0 | geoSearch | failed = 0 | total = 0 | getnonce | failed = 0 | total = 0 | planCacheClear | failed = 0 | total = 0 | _getUserCacheGeneration | failed = 0 | total = 0 | planCacheClearFilters | failed = 0 | total = 0 | setParameter | failed = 0 | total = 0 | findAndModify | failed = 0 | total = 0 | dropIndexes | failed = 0 | total = 0 | reIndex | failed = 0 | total = 0 | mergeChunks | failed = 0 | total = 0 | getPrevError | failed = 0 | total = 0 | find | failed = 0 | total = 0 | driverOIDTest | failed = 0 | total = 0 | isMaster | failed = 0 | total = 0 | connPoolSync | failed = 0 | total = 0 | updateRole | failed = 0 | total = 0 | aggregate | failed = 0 | total = 0 | geoNear | failed = 0 | total = 0 | replSetSyncFrom | failed = 0 | total = 0 | dropDatabase | failed = 0 | total = 0 | currentOpCtx | failed = 0 | total = 0 | replSetFreeze | failed = 0 | total = 0 | distinct | failed = 0 | total = 0 | mapreduce | shardedfinish | failed = 0 | total = 0 | _migrateClone | failed = 0 | total = 0 | replSetReconfig | failed = 0 | total = 0 | validate | failed = 0 | total = 0 | splitVector | failed = 0 | total = 0 | applyOps | failed = 0 | total = 0 | update | failed = 0 | total = 0 | touch | failed = 0 | total = 0 | top | failed = 0 | total = 0 | replSetFresh | failed = 0 | total = 0 | _mergeAuthzCollections | failed = 0 | total = 0 | revokeRolesFromRole | failed = 0 | total = 0 | dropUser | failed = 0 | total = 0 | serverStatus | failed = 0 | total = 2 | updateUser | failed = 0 | total = 0 | splitChunk | failed = 0 | total = 0 | saslStart | failed = 0 | total = 0 | shutdown | failed = 0 | total = 0 | revokeRolesFromUser | failed = 0 | total = 0 | shardingState | failed = 0 | total = 0 | shardConnPoolStats | failed = 0 | total = 0 | revokePrivilegesFromRole | failed = 0 | total = 0 | dropAllRolesFromDatabase | failed = 0 | total = 0 | profile | failed = 0 | total = 0 | connPoolStats | failed = 0 | total = 0 | whatsmyuri | failed = 0 | total = 0 | resync | failed = 0 | total = 0 | listCollections | failed = 0 | total = 0 | compact | failed = 0 | total = 0 | repairCursor | failed = 0 | total = 0 | _recvChunkCommit | failed = 0 | total = 0 | diagLogging | failed = 0 | total = 0 | create | failed = 0 | total = 0 | drop | failed = 0 | total = 0 | writebacklisten | failed = 0 | total = 0 | listCommands | failed = 0 | total = 0 | _transferMods | failed = 0 | total = 0 | getCmdLineOpts | failed = 0 | total = 0 | planCacheListPlans | failed = 0 | total = 0 | authenticate | failed = 0 | total = 0 | repairDatabase | failed = 0 | total = 0 | checkShardingIndex | failed = 0 | total = 0 | dbStats | failed = 0 | total = 0 | forceerror | failed = 0 | total = 0 | listIndexes | failed = 0 | total = 0 | buildInfo | failed = 0 | total = 0 | replSetElect | failed = 0 | total = 0 | getShardMap | failed = 0 | total = 0 | _recvChunkAbort | failed = 0 | total = 0 | replSetGetRBID | failed = 0 | total = 0 | logout | failed = 0 | total = 0 | fsync | failed = 0 | total = 0 | moveChunk | failed = 0 | total = 0 | _recvChunkStatus | failed = 0 | total = 0 | planCacheListQueryShapes | failed = 0 | total = 0 | createRole | failed = 0 | total = 0 | replSetStepDown | failed = 0 | total = 0 | dataSize | failed = 0 | total = 0 | eval | failed = 0 | total = 0 | record | moves = 0 | uptimeMillis = -28547001 | mem | supported = true | bits = 64 | mappedWithJournal = 320 | resident = 73 | virtual = 514 | mapped = 160 | opcounters | insert = 0 | command = 3 | getmore = 0 | query = 1 | delete = 0 | update = 0 | uptimeEstimate = 240.0 | process = mongod | backgroundFlushing | total_ms = 0 | flushes = 4 | last_ms = 0 | last_finished = 1721288250365 | average_ms = 0.0 | cursors | note = deprecated, use server status metrics | timedOut = 0 | totalOpen = 0 | clientCursors_size = 0 | pinned = 0 | totalNoTimeout = 0 | asserts | user = 0 | rollovers = 0 | msg = 0 | regular = 0 | warning = 0 | pid = 1632 | dur | compression = 0.0 | journaledMB = 0.0 | writeToDataFilesMB = 0.0 | earlyCommits = 0 | commits = 30 | commitsInWriteLock = 0 | timeMs | prepLogBuffer = 0 | writeToJournal = 0 | writeToDataFiles = 0 | commitsInWriteLock = 0 | dt = 3089 | commits = 0 |_ remapPrivateView = 0 | mongodb-databases: | totalSize = 167772160.0 | databases | 0 | sizeOnDisk = 83886080.0 | empty = false | name = credentials | 1 | sizeOnDisk = 83886080.0 | empty = false | name = local |_ ok = 1.0 34185/tcp open mountd 1-3 (RPC #100005) 45020/tcp open mountd 1-3 (RPC #100005) 45958/tcp open nlockmgr 1-4 (RPC #100021) 48572/tcp open mountd 1-3 (RPC #100005) 53165/tcp open status 1 (RPC #100024) ```

取消回复

发表新评论

提交评论