nmap 扫描 发现smba共享文件 
┌──(root㉿kali)-[~]

└─# nmap -p- -A 192.168.167.64

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-14 00:33 UTC

Stats: 0:01:42 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan

SYN Stealth Scan Timing: About 92.58% done; ETC: 00:35 (0:00:08 remaining)

Nmap scan report for 192.168.167.64

Host is up (0.072s latency).

Not shown: 65529 filtered tcp ports (no-response)

PORT     STATE SERVICE     VERSION

21/tcp   open  ftp         vsftpd 3.0.3

22/tcp   open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

| ssh-hostkey:

|   2048 b2:66:75:50:1b:18:f5:e9:9f:db:2c:d4:e3:95:7a:44 (RSA)

|   256 91:2d:26:f1:ba:af:d1:8b:69:8f:81:4a:32:af:9c:77 (ECDSA)

|_  256 ec:6f:df:8b:ce:19:13:8a:52:57:3e:72:a3:14:6f:40 (ED25519)

139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)

3306/tcp open  mysql?

| fingerprint-strings:

|   LANDesk-RC, NULL:

|_    Host '192.168.45.250' is not allowed to connect to this MariaDB server

8003/tcp open  http        Apache httpd 2.4.38

| http-ls: Volume /

| SIZE  TIME              FILENAME

| -     2019-02-05 21:02  booked/

|_

|_http-title: Index of /

|_http-server-header: Apache/2.4.38 (Debian)

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

SF-Port3306-TCP:V=7.94SVN%I=7%D=11/14%Time=673545BA%P=x86_64-pc-linux-gnu%

SF:r(NULL,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.250'\x20is\x20not\x

SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(LANDe

SF:sk-RC,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.250'\x20is\x20not\x2

SF:0allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

OS fingerprint not ideal because: Missing a closed TCP port so results incomplete

No OS matches for host

Network Distance: 4 hops

Service Info: Hosts: ZINO, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:

|_clock-skew: mean: 1h39m59s, deviation: 2h53m13s, median: 0s

| smb2-time:

|   date: 2024-11-14T00:35:26

|_  start_date: N/A

| smb2-security-mode:

|   3:1:1:

|_    Message signing enabled but not required

| smb-os-discovery:

|   OS: Windows 6.1 (Samba 4.9.5-Debian)

|   Computer name: zino

|   NetBIOS computer name: ZINO\x00

|   Domain name: \x00

|   FQDN: zino

|_  System time: 2024-11-13T19:35:22-05:00

| smb-security-mode:

|   account_used: guest

|   authentication_level: user

|   challenge_response: supported

|_  message_signing: disabled (dangerous, but default)

TRACEROUTE (using port 3306/tcp)

HOP RTT      ADDRESS

1   72.46 ms 192.168.45.1

2   72.43 ms 192.168.45.254

3   72.49 ms 192.168.251.1

4   73.13 ms 192.168.167.64

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 164.74 seconds

┌──(root㉿kali)-[~]

└─# 

┌──(root㉿kali)-[~]

└─# ls

enum4linux  katoolin  lab  reports

┌──(root㉿kali)-[~]

└─# cd enum4linux/

┌──(root㉿kali)-[~/enum4linux]

└─# ls

AUTHORS  CHANGELOG  COPYING.ENUM4LINUX  COPYING.GPL  enum4linux.pl  README.md  reports  share-list.txt

┌──(root㉿kali)-[~/enum4linux]

└─# ./enum4linux.pl 192.168.167.64

"my" variable $which_output masks earlier declaration in same scope at ./enum4linux.pl line 280.

WARNING: polenum is not in your path.  Check that package is installed and your PATH is sane.

WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.

Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Nov 14 01:17:02 2024

 =========================================( Target Information )=========================================

Target ........... 192.168.167.64

RID Range ........ 500-550,1000-1050

Username ......... ''

Password ......... ''

Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ===========================( Enumerating Workgroup/Domain on 192.168.167.64 )===========================

[E] Can't find workgroup/domain

 ===============================( Nbtstat Information for 192.168.167.64 )===============================

Looking up status of 192.168.167.64

No reply from 192.168.167.64

 ==================================( Session Check on 192.168.167.64 )==================================

[+] Server 192.168.167.64 allows sessions using username '', password ''

 ===============================( Getting domain SID for 192.168.167.64 )===============================

Domain Name: WORKGROUP

Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup

 ==================================( OS information on 192.168.167.64 )==================================

[E] Can't get OS info with smbclient

[+] Got OS info for 192.168.167.64 from srvinfo:

	ZINO           Wk Sv PrQ Unx NT SNT Samba 4.9.5-Debian

	platform_id     :	500

	os version      :	6.1

	server type     :	0x809a03

 ======================================( Users on 192.168.167.64 )======================================

Use of uninitialized value $users in print at ./enum4linux.pl line 1028.

Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 1031.

Use of uninitialized value $users in print at ./enum4linux.pl line 1046.

Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 1048.

 ================================( Share Enumeration on 192.168.167.64 )================================

	Sharename       Type      Comment

	---------       ----      -------

	zino            Disk      Logs

	print$          Disk      Printer Drivers

	IPC$            IPC       IPC Service (Samba 4.9.5-Debian)

Reconnecting with SMB1 for workgroup listing.

	Server               Comment

	---------            -------

	Workgroup            Master

	---------            -------

	WORKGROUP            

[+] Attempting to map shares on 192.168.167.64

//192.168.167.64/zino	Mapping: OK Listing: OK Writing: N/A

//192.168.167.64/print$	Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

//192.168.167.64/IPC$	Mapping: N/A Listing: N/A Writing: N/A

 ===========================( Password Policy Information for 192.168.167.64 )===========================

[E] Dependent program "polenum" not present.  Skipping this check.  Download polenum from http://labs.portcullis.co.uk/application/polenum/

 ======================================( Groups on 192.168.167.64 )======================================

[+] Getting builtin groups:

[+]  Getting builtin group memberships:

[+]  Getting local groups:

[+]  Getting local group memberships:

[+]  Getting domain groups:

[+]  Getting domain group memberships:

 =================( Users on 192.168.167.64 via RID cycling (RIDS: 500-550,1000-1050) )=================

[I] Found new SID:

S-1-22-1

[I] Found new SID:

S-1-5-32

[I] Found new SID:

S-1-5-32

[I] Found new SID:

S-1-5-32

[I] Found new SID:

S-1-5-32

[+] Enumerating users using SID S-1-5-21-3071547070-3972129690-4249512582 and logon username '', password ''

S-1-5-21-3071547070-3972129690-4249512582-501 ZINO\nobody (Local User)

S-1-5-21-3071547070-3972129690-4249512582-513 ZINO\None (Domain Group)

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

S-1-5-32-544 BUILTIN\Administrators (Local Group)

S-1-5-32-545 BUILTIN\Users (Local Group)

S-1-5-32-546 BUILTIN\Guests (Local Group)

S-1-5-32-547 BUILTIN\Power Users (Local Group)

S-1-5-32-548 BUILTIN\Account Operators (Local Group)

S-1-5-32-549 BUILTIN\Server Operators (Local Group)

S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\peter (Local User)

 ==============================( Getting printer info for 192.168.167.64 )==============================

No printers returned.

enum4linux complete on Thu Nov 14 01:22:46 2024
查看共享文件发现信息泄露 
sudo mount -t cifs //192.168.167.64/zino ./mnt -o guest,iocharset=utf8

查看里面的所有log文件 发现有admin:adminadmin 的用户名和密码 猜测是网站的

登录8003端口查看web界面更具cms查看漏洞

发现正好有payload

https://www.exploit-db.com/exploits/50594

直接利用nc 监听端口8003更具exp介绍使用

反弹shell成功

运行pspy64发现存在定时任务



直接修改cleanup.py

等待执行

提权成功

Zino pg walkthrough Intermediate的更多相关文章

  1. 简析服务端通过GT导入SHP至PG的方法

    文章版权由作者李晓晖和博客园共有,若转载请于明显处标明出处:http://www.cnblogs.com/naaoveGIS/ 1.背景 项目中需要在浏览器端直接上传SHP后服务端进行数据的自动入PG ...

  2. Bootstap datetimepicker报错TypeError: intermediate value

    Bootstrap datetimepicker有多个版本,官方的链接中,只是datepicker,没有时间的选择,原版的datetimepicker也不再更新,不能用新版的jquery.现在http ...

  3. PG 中 JSON 字段的应用

    13 年发现 pg 有了 json 类型,便从 oracle 转 pg,几年下来也算比较熟稔了,总结几个有益的实践. 用途一:存储设计时无法预料的文档性的数据.比如,通常可以在人员表准备一个 json ...

  4. pg gem 安装(postgresql94)

    使用下面命令安装报错 gem install pg 错误: [root@AS-test middle_database]# gem install pgBuilding native extensio ...

  5. #pg学习#postgresql的安装

    1.按照官网给的步骤编译安装(Mac安装是比较容易的,相比Liunx) cd /Users/renlipeng/Desktop/postgresql-9.5.1 ./configure --prefi ...

  6. PG 函数的易变性(Function Volatility Categories)

    此概念的接触是在做分区表的时候碰到的,分区表按时间字段分区,在查询时当where条件中时间为now()或者current_time()等时是无法查询的,即使进行格式转换也不行,只有是时间格式如‘201 ...

  7. c++错误——intermediate.manifest : general error c1010070很傻的错

    .\Debug\sadf.exe.intermediate.manifest : general error c1010070: Failed to load and parse the manife ...

  8. mysql 序列与pg序列的比较

    mysql序列(这里只谈innodb引擎): 在使用mysql的AUTO_INCREMENT时,使用AUTO_INCREMENT的字段必须建有索引,也可以为索引的一部分.当没有索引时会报错:      ...

  9. 使用zfs进行pg的pitr恢复测试

    前段时间做了一下zfs做pg的增量恢复测试,mark一下. 服务器信息: 主机:192.168.173.43 备机:192.168.173.41 主备使用流复制搭建,在备机上面进行了zfs快照备份. ...

  10. PG CREATEINDEX CONCURRENTLY

    PG CREATEINDEX CONCURRENTLY [TOC] 官方说法 根据9.1的文档 Creating an index can interfere with regular operati ...

随机推荐

  1. Swagger注解中带有“/”导致SwaggerUI显示异常

    日常开发中一直使用swagger作为接口文档工具使用,这次在使用过程中发现一个问题. 正常情况下显示如下图 代码配置如下图 Controller Model 如果在Swagger注解中使用" ...

  2. iconfont图标库的使用

    https://www.iconfont.cn/ -- 点击链接进入官网 择自己需要的图标加购物车 点击资源管理->我的项目 选择你需要的项目->下载到本地 将下载的压缩包进行解压,解压后 ...

  3. delphi Image32 动画演示2

    Image 32 自带的Demo,添加一些注解. unit uFrmAnimation2; interface uses Winapi.Windows, Winapi.Messages, System ...

  4. fork父子进程执行顺序

    使用一段代码来检查父子进程执行顺序 <?php $str = "hello world!" . PHP_EOL; // 派生一个子进程,子进程会复制主进程中的上下文 // p ...

  5. 一款绘制3D架构图的在线神器:iCraft Editor

    在软件开发的世界里,架构图是系统设计的蓝图,它们不仅帮助团队理解系统的整体结构,还能提升沟通效率,确保项目的顺利推进.然而,绘制一张清晰.直观的架构图,往往需要大量时间和专业工具.面对繁琐的操作和复杂 ...

  6. Mybatis【11】-- Mybatis Mapper动态代理怎么写?

    目录 1.回顾Mybatis执行sql的流程 2.mapper动态代理怎么写? 3.mapper动态代理怎么做的? 1.回顾Mybatis执行sql的流程 在之前的代码中我们的运行过程再梳理一下,首先 ...

  7. HarmonyOS Next 集成支付宝SDK后无法在模拟器上安装调试的问题

    之前使用模拟器调试都正常,在集成支付宝SDK后,同事说在模拟器上无法安装调试,因为真机资源不够,模拟器不能用实在耽误事,所以就花了点时间研究一下. 报错原因 官方文档的解释 根据文档的说明,应该是cp ...

  8. 关于Popup的小坑坑

    在做一个自定义的输入搜索框,用textbox+popup来实现.其中有一个小需求,当textbox激活并且没有文本输入的时候,也要显示popup.很自然的想到了使用IsKeyboardFocusedC ...

  9. Taro微信小程序获取Tab页可视区域高度

    前情 公司有自己的小程序项目,因公司主要技术栈为react,所以选择了Taro来开发,Taro是京东出品的多端统一开发解决方案,用来开发小程序也相比用原生开发,在开发体验上好很多,而且还能使用成熟的R ...

  10. 6.MySQL性能优化

    参数 作用范围 全局:对实例的所有会话起作用 会话级:只对当前会话起作用 set session binlog_rows_query_log_events = on; set global binlo ...