Nmap scan: an SMB share is found
┌──(root㉿kali)-[~]
└─# nmap -p- -A 192.168.167.64
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-14 00:33 UTC
Stats: 0:01:42 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 92.58% done; ETC: 00:35 (0:00:08 remaining)
Nmap scan report for 192.168.167.64
Host is up (0.072s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 b2:66:75:50:1b:18:f5:e9:9f:db:2c:d4:e3:95:7a:44 (RSA)
| 256 91:2d:26:f1:ba:af:d1:8b:69:8f:81:4a:32:af:9c:77 (ECDSA)
|_ 256 ec:6f:df:8b:ce:19:13:8a:52:57:3e:72:a3:14:6f:40 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open mysql?
| fingerprint-strings:
| LANDesk-RC, NULL:
|_ Host '192.168.45.250' is not allowed to connect to this MariaDB server
8003/tcp open http Apache httpd 2.4.38
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2019-02-05 21:02 booked/
|_
|_http-title: Index of /
|_http-server-header: Apache/2.4.38 (Debian)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94SVN%I=7%D=11/14%Time=673545BA%P=x86_64-pc-linux-gnu%
SF:r(NULL,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.250'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(LANDe
SF:sk-RC,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.250'\x20is\x20not\x2
SF:0allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 4 hops
Service Info: Hosts: ZINO, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m59s, deviation: 2h53m13s, median: 0s
| smb2-time:
| date: 2024-11-14T00:35:26
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: zino
| NetBIOS computer name: ZINO\x00
| Domain name: \x00
| FQDN: zino
|_ System time: 2024-11-13T19:35:22-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)

TRACEROUTE (using port 3306/tcp)
HOP RTT ADDRESS
1 72.46 ms 192.168.45.1
2 72.43 ms 192.168.45.254
3 72.49 ms 192.168.251.1
4 73.13 ms 192.168.167.64

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 164.74 seconds

┌──(root㉿kali)-[~]
└─# ls
enum4linux katoolin lab reports

┌──(root㉿kali)-[~]
└─# cd enum4linux/

┌──(root㉿kali)-[~/enum4linux]
└─# ls
AUTHORS CHANGELOG COPYING.ENUM4LINUX COPYING.GPL enum4linux.pl README.md reports share-list.txt

┌──(root㉿kali)-[~/enum4linux]
└─# ./enum4linux.pl 192.168.167.64
"my" variable $which_output masks earlier declaration in same scope at ./enum4linux.pl line 280.
WARNING: polenum is not in your path. Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path. Check that package is installed and your PATH is sane.
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Nov 14 01:17:02 2024

 =========================================( Target Information )=========================================

Target ........... 192.168.167.64
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ===========================( Enumerating Workgroup/Domain on 192.168.167.64 )===========================

[E] Can't find workgroup/domain

 ===============================( Nbtstat Information for 192.168.167.64 )===============================

Looking up status of 192.168.167.64
No reply from 192.168.167.64

 ==================================( Session Check on 192.168.167.64 )==================================

[+] Server 192.168.167.64 allows sessions using username '', password ''

 ===============================( Getting domain SID for 192.168.167.64 )===============================

Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup

 ==================================( OS information on 192.168.167.64 )==================================

[E] Can't get OS info with smbclient

[+] Got OS info for 192.168.167.64 from srvinfo:
ZINO Wk Sv PrQ Unx NT SNT Samba 4.9.5-Debian
platform_id : 500
os version : 6.1
server type : 0x809a03

 ======================================( Users on 192.168.167.64 )======================================

Use of uninitialized value $users in print at ./enum4linux.pl line 1028.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 1031.
Use of uninitialized value $users in print at ./enum4linux.pl line 1046.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 1048.

 ================================( Share Enumeration on 192.168.167.64 )================================

	Sharename       Type      Comment
	---------       ----      -------
	zino            Disk      Logs
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP

[+] Attempting to map shares on 192.168.167.64

//192.168.167.64/zino	Mapping: OK Listing: OK Writing: N/A
//192.168.167.64/print$	Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

//192.168.167.64/IPC$	Mapping: N/A Listing: N/A Writing: N/A

 ===========================( Password Policy Information for 192.168.167.64 )===========================

[E] Dependent program "polenum" not present. Skipping this check. Download polenum from http://labs.portcullis.co.uk/application/polenum/

 ======================================( Groups on 192.168.167.64 )======================================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 =================( Users on 192.168.167.64 via RID cycling (RIDS: 500-550,1000-1050) )=================

[I] Found new SID:
S-1-22-1

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[+] Enumerating users using SID S-1-5-21-3071547070-3972129690-4249512582 and logon username '', password ''

S-1-5-21-3071547070-3972129690-4249512582-501 ZINO\nobody (Local User)
S-1-5-21-3071547070-3972129690-4249512582-513 ZINO\None (Domain Group)

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\peter (Local User)

 ==============================( Getting printer info for 192.168.167.64 )==============================

No printers returned.

enum4linux complete on Thu Nov 14 01:22:46 2024
Mounting the share reveals an information leak
sudo mount -t cifs //192.168.167.64/zino ./mnt -o guest,iocharset=utf8
Going through all the log files in the share, a username and password pair admin:adminadmin turns up, presumably for the website.
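As an added example (not from the original post), a small Python scanner that flags credential-looking lines in log files such as those sitting on this guest-readable share and reports them redacted; the log lines below are constructed, and scan_directory takes whatever mount path you supply:

```python
import os
import re

# Constructed sample log lines standing in for the share's logs (not the box's real files)
SAMPLE_LOG = """\
2024-11-13 19:01:02 INFO  scheduler started
2024-11-13 19:01:05 DEBUG login attempt admin:adminadmin from 10.0.0.5
2024-11-13 19:02:11 INFO  request GET /booked/Web/index.php
2024-11-13 19:03:40 DEBUG db connect user=booked password=S3cretPl4ceholder host=localhost
2024-11-13 19:04:00 INFO  ratio 3:2 computed
"""

# Credential shapes that commonly leak into application logs; the secret is the last group
PATTERNS = [
    ("user:pass pair", re.compile(r"\b([A-Za-z][\w.-]{2,31}):([^\s:]{6,})")),
    ("password field", re.compile(r"\b(?:password|passwd|pwd)\s*[=:]\s*(\S+)", re.I)),
]


def redact(secret):
    """Keep only the first character so the report itself does not re-leak the value."""
    return secret[0] + "*" * (len(secret) - 1)


def scan_lines(lines, source="<log>"):
    """Return (source, line number, pattern name, redacted secret) for each hit."""
    hits = []
    for no, line in enumerate(lines, 1):
        for name, rx in PATTERNS:
            for m in rx.finditer(line):
                hits.append((source, no, name, redact(m.group(m.lastindex))))
    return hits


def scan_directory(root):
    """Walk a mounted share (or any directory) and scan every .log file in it."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".log"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_lines(fh, path))
    return hits


if __name__ == "__main__":
    for source, no, name, masked in scan_lines(SAMPLE_LOG.splitlines(), "sample.log"):
        print(f"{source}:{no}: {name}: {masked}")
```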

Open the web interface on port 8003 and look up vulnerabilities based on the CMS it runs.

There happens to be a ready-made payload:

https://www.exploit-db.com/exploits/50594

Start an nc listener on port 8003 and use the exploit as its description explains.

Reverse shell obtained.

Running pspy64 shows a scheduled (cron) task.



Modify cleanup.py directly.

Wait for it to execute.

Privilege escalation succeeded.
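As an added defender-side example (not part of the walkthrough), a Python audit of /etc/crontab-style entries that flags scripts a root cron job runs but a non-root user can modify, which is the weakness used above; the crontab text, the cleanup.py path and the file permissions are constructed placeholders, and on a live host the lookup would wrap os.stat():

```python
import re

# /etc/crontab layout: minute hour dom month dow user command
CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")

# Constructed sample crontab; the cleanup.py path is a placeholder, not taken from the box
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
*/3 * * * * root python3 /var/www/html/booked/cleanup.py
0 3 * * * root /usr/local/sbin/backup.sh
"""

# Constructed stand-in for os.stat(): path -> (owner uid, st_mode)
FAKE_STAT = {
    "/var/www/html/booked/cleanup.py": (33, 0o100666),  # owned by www-data, world-writable
    "/usr/local/sbin/backup.sh": (0, 0o100700),          # root-owned, root-only
}


def script_path(cmd):
    """First absolute path in the command: the script an interpreter such as python3 will run."""
    for tok in cmd.split():
        if tok.startswith("/") and len(tok) > 1:
            return tok
    return None


def is_tamperable(owner_uid, mode, run_as_root):
    """True if a non-root user could change what this cron job executes."""
    writable_by_others = bool(mode & 0o022)  # group- or other-writable bits
    return writable_by_others or (run_as_root and owner_uid != 0)


def audit_crontab(text, lookup):
    """Return (path, cron user, owner uid, permission bits) for each tamperable script."""
    findings = []
    for line in text.splitlines():
        m = CRON_RE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        path = script_path(m.group("cmd"))
        info = lookup(path) if path else None
        if info is None:  # no path in the command, or the file does not exist
            continue
        uid, mode = info
        if is_tamperable(uid, mode, m.group("user") == "root"):
            findings.append((path, m.group("user"), uid, mode & 0o777))
    return findings


if __name__ == "__main__":
    for path, user, uid, bits in audit_crontab(SAMPLE_CRONTAB, FAKE_STAT.get):
        print(f"{path} runs as {user} but is owned by uid {uid} with mode {bits:o}")
```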
