Zino pg walkthrough Intermediate

nmap 扫描 发现smba共享文件
┌──(root㉿kali)-[~]
└─# nmap -p- -A 192.168.167.64
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-14 00:33 UTC
Stats: 0:01:42 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 92.58% done; ETC: 00:35 (0:00:08 remaining)
Nmap scan report for 192.168.167.64
Host is up (0.072s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 b2:66:75:50:1b:18:f5:e9:9f:db:2c:d4:e3:95:7a:44 (RSA)
|   256 91:2d:26:f1:ba:af:d1:8b:69:8f:81:4a:32:af:9c:77 (ECDSA)
|_  256 ec:6f:df:8b:ce:19:13:8a:52:57:3e:72:a3:14:6f:40 (ED25519)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open  mysql?
| fingerprint-strings: 
|   LANDesk-RC, NULL: 
|_    Host '192.168.45.250' is not allowed to connect to this MariaDB server
8003/tcp open  http        Apache httpd 2.4.38
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2019-02-05 21:02  booked/
|_
|_http-title: Index of /
|_http-server-header: Apache/2.4.38 (Debian)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94SVN%I=7%D=11/14%Time=673545BA%P=x86_64-pc-linux-gnu%
SF:r(NULL,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.250'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(LANDe
SF:sk-RC,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.250'\x20is\x20not\x2
SF:0allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 4 hops
Service Info: Hosts: ZINO, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m59s, deviation: 2h53m13s, median: 0s
| smb2-time: 
|   date: 2024-11-14T00:35:26
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: zino
|   NetBIOS computer name: ZINO\x00
|   Domain name: \x00
|   FQDN: zino
|_  System time: 2024-11-13T19:35:22-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

TRACEROUTE (using port 3306/tcp)
HOP RTT      ADDRESS
1   72.46 ms 192.168.45.1
2   72.43 ms 192.168.45.254
3   72.49 ms 192.168.251.1
4   73.13 ms 192.168.167.64

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 164.74 seconds

┌──(root㉿kali)-[~]
└─# 

┌──(root㉿kali)-[~]
└─# ls
enum4linux  katoolin  lab  reports

┌──(root㉿kali)-[~]
└─# cd enum4linux/

┌──(root㉿kali)-[~/enum4linux]
└─# ls
AUTHORS  CHANGELOG  COPYING.ENUM4LINUX  COPYING.GPL  enum4linux.pl  README.md  reports  share-list.txt

┌──(root㉿kali)-[~/enum4linux]
└─# ./enum4linux.pl 192.168.167.64
"my" variable $which_output masks earlier declaration in same scope at ./enum4linux.pl line 280.
WARNING: polenum is not in your path.  Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Nov 14 01:17:02 2024

 =========================================( Target Information )=========================================

Target ........... 192.168.167.64
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.167.64 )===========================


[E] Can't find workgroup/domain



 ===============================( Nbtstat Information for 192.168.167.64 )===============================

Looking up status of 192.168.167.64
No reply from 192.168.167.64

 ==================================( Session Check on 192.168.167.64 )==================================


[+] Server 192.168.167.64 allows sessions using username '', password ''


 ===============================( Getting domain SID for 192.168.167.64 )===============================

Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup


 ==================================( OS information on 192.168.167.64 )==================================


[E] Can't get OS info with smbclient


[+] Got OS info for 192.168.167.64 from srvinfo: 
	ZINO           Wk Sv PrQ Unx NT SNT Samba 4.9.5-Debian
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03


 ======================================( Users on 192.168.167.64 )======================================

Use of uninitialized value $users in print at ./enum4linux.pl line 1028.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 1031.

Use of uninitialized value $users in print at ./enum4linux.pl line 1046.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 1048.

 ================================( Share Enumeration on 192.168.167.64 )================================


	Sharename       Type      Comment
	---------       ----      -------
	zino            Disk      Logs
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            

[+] Attempting to map shares on 192.168.167.64

//192.168.167.64/zino	Mapping: OK Listing: OK Writing: N/A
//192.168.167.64/print$	Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.167.64/IPC$	Mapping: N/A Listing: N/A Writing: N/A

 ===========================( Password Policy Information for 192.168.167.64 )===========================


[E] Dependent program "polenum" not present.  Skipping this check.  Download polenum from http://labs.portcullis.co.uk/application/polenum/



 ======================================( Groups on 192.168.167.64 )======================================


[+] Getting builtin groups:


[+]  Getting builtin group memberships:


[+]  Getting local groups:


[+]  Getting local group memberships:


[+]  Getting domain groups:


[+]  Getting domain group memberships:


 =================( Users on 192.168.167.64 via RID cycling (RIDS: 500-550,1000-1050) )=================


[I] Found new SID: 
S-1-22-1

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[+] Enumerating users using SID S-1-5-21-3071547070-3972129690-4249512582 and logon username '', password ''

S-1-5-21-3071547070-3972129690-4249512582-501 ZINO\nobody (Local User)
S-1-5-21-3071547070-3972129690-4249512582-513 ZINO\None (Domain Group)

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\peter (Local User)

 ==============================( Getting printer info for 192.168.167.64 )==============================

No printers returned.


enum4linux complete on Thu Nov 14 01:22:46 2024

查看共享文件发现信息泄露
sudo mount -t cifs //192.168.167.64/zino ./mnt -o guest,iocharset=utf8
查看里面的所有log文件 发现有admin:adminadmin 的用户名和密码 猜测是网站的

登录8003端口查看web界面更具cms查看漏洞
发现正好有payload
https://www.exploit-db.com/exploits/50594

直接利用nc 监听端口8003更具exp介绍使用
反弹shell成功

运行pspy64发现存在定时任务
image
直接修改cleanup.py
image

等待执行
提权成功
image

image

posted @ 2024-11-14 10:09  WSssSW  阅读(5)  评论(0编辑  收藏  举报