Nmap scan: an SMB share is discovered
┌──(root㉿kali)-[~]
└─# nmap -p- -A 192.168.167.64
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-14 00:33 UTC
Stats: 0:01:42 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 92.58% done; ETC: 00:35 (0:00:08 remaining)
Nmap scan report for 192.168.167.64
Host is up (0.072s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 b2:66:75:50:1b:18:f5:e9:9f:db:2c:d4:e3:95:7a:44 (RSA)
| 256 91:2d:26:f1:ba:af:d1:8b:69:8f:81:4a:32:af:9c:77 (ECDSA)
|_ 256 ec:6f:df:8b:ce:19:13:8a:52:57:3e:72:a3:14:6f:40 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open mysql?
| fingerprint-strings:
| LANDesk-RC, NULL:
|_ Host '192.168.45.250' is not allowed to connect to this MariaDB server
8003/tcp open http Apache httpd 2.4.38
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2019-02-05 21:02 booked/
|_
|_http-title: Index of /
|_http-server-header: Apache/2.4.38 (Debian)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94SVN%I=7%D=11/14%Time=673545BA%P=x86_64-pc-linux-gnu%
SF:r(NULL,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.250'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(LANDe
SF:sk-RC,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.250'\x20is\x20not\x2
SF:0allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 4 hops
Service Info: Hosts: ZINO, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m59s, deviation: 2h53m13s, median: 0s
| smb2-time:
| date: 2024-11-14T00:35:26
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: zino
| NetBIOS computer name: ZINO\x00
| Domain name: \x00
| FQDN: zino
|_ System time: 2024-11-13T19:35:22-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)

TRACEROUTE (using port 3306/tcp)
HOP RTT ADDRESS
1 72.46 ms 192.168.45.1
2 72.43 ms 192.168.45.254
3 72.49 ms 192.168.251.1
4 73.13 ms 192.168.167.64

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 164.74 seconds

┌──(root㉿kali)-[~]
└─# ls
enum4linux katoolin lab reports

┌──(root㉿kali)-[~]
└─# cd enum4linux/

┌──(root㉿kali)-[~/enum4linux]
└─# ls
AUTHORS CHANGELOG COPYING.ENUM4LINUX COPYING.GPL enum4linux.pl README.md reports share-list.txt

┌──(root㉿kali)-[~/enum4linux]
└─# ./enum4linux.pl 192.168.167.64
"my" variable $which_output masks earlier declaration in same scope at ./enum4linux.pl line 280.
WARNING: polenum is not in your path. Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path. Check that package is installed and your PATH is sane.
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Nov 14 01:17:02 2024

 =========================================( Target Information )=========================================

Target ........... 192.168.167.64
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ===========================( Enumerating Workgroup/Domain on 192.168.167.64 )===========================

[E] Can't find workgroup/domain

 ===============================( Nbtstat Information for 192.168.167.64 )===============================

Looking up status of 192.168.167.64
No reply from 192.168.167.64

 ==================================( Session Check on 192.168.167.64 )==================================

[+] Server 192.168.167.64 allows sessions using username '', password ''

 ===============================( Getting domain SID for 192.168.167.64 )===============================

Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup

 ==================================( OS information on 192.168.167.64 )==================================

[E] Can't get OS info with smbclient

[+] Got OS info for 192.168.167.64 from srvinfo:
    ZINO           Wk Sv PrQ Unx NT SNT Samba 4.9.5-Debian
    platform_id    : 500
    os version     : 6.1
    server type    : 0x809a03

 ======================================( Users on 192.168.167.64 )======================================

Use of uninitialized value $users in print at ./enum4linux.pl line 1028.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 1031.
Use of uninitialized value $users in print at ./enum4linux.pl line 1046.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 1048.

 ================================( Share Enumeration on 192.168.167.64 )================================

    Sharename       Type      Comment
    ---------       ----      -------
    zino            Disk      Logs
    print$          Disk      Printer Drivers
    IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    WORKGROUP

[+] Attempting to map shares on 192.168.167.64

//192.168.167.64/zino     Mapping: OK Listing: OK Writing: N/A
//192.168.167.64/print$   Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.167.64/IPC$     Mapping: N/A Listing: N/A Writing: N/A

 ===========================( Password Policy Information for 192.168.167.64 )===========================

[E] Dependent program "polenum" not present. Skipping this check. Download polenum from http://labs.portcullis.co.uk/application/polenum/

 ======================================( Groups on 192.168.167.64 )======================================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 =================( Users on 192.168.167.64 via RID cycling (RIDS: 500-550,1000-1050) )=================

[I] Found new SID:
S-1-22-1

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[+] Enumerating users using SID S-1-5-21-3071547070-3972129690-4249512582 and logon username '', password ''

S-1-5-21-3071547070-3972129690-4249512582-501 ZINO\nobody (Local User)
S-1-5-21-3071547070-3972129690-4249512582-513 ZINO\None (Domain Group)

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\peter (Local User)

 ==============================( Getting printer info for 192.168.167.64 )==============================

No printers returned.

enum4linux complete on Thu Nov 14 01:22:46 2024
Browsing the share reveals an information leak. The share allows guest access, so it can be mounted without credentials:

sudo mount -t cifs //192.168.167.64/zino ./mnt -o guest,iocharset=utf8

Going through all the log files in the share turns up the username and password admin:adminadmin; presumably they belong to the website.

Open the web interface on port 8003, identify the CMS it runs and look up known vulnerabilities for it.

There happens to be a ready-made exploit:

https://www.exploit-db.com/exploits/50594

Start an nc listener on port 8003 and run the exploit as its description instructs.

Reverse shell obtained.

Running pspy64 shows a scheduled task (cron job).

Modify cleanup.py directly.

Wait for the job to run.

Privilege escalation successful.
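The root-level step works only because a cron job runs a script that a low-privileged user is allowed to edit. As an added example (not code from the writeup), the following Python audit, which a defender could run on the host, parses /etc/crontab-style entries and flags any absolute script path that is group- or world-writable, or that sits in a world-writable directory without the sticky bit. The names `weak_cron_scripts`, `writable_by_others` and `demo` are hypothetical, and the crontab text and cleanup.py in `demo` are constructed.

```python
import os
import re
import stat
import tempfile

# Added audit helper, not from the writeup: flags cron entries whose script can be
# modified by accounts other than its owner (the weakness behind the cleanup.py step).
CRON_LINE = re.compile(r"^(?:\S+\s+){5}(?P<rest>.+)$")


def writable_by_others(path):
    """Return a reason if `path` can be rewritten by group/other, else None."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "script is group- or world-writable"
    parent = os.stat(os.path.dirname(path)).st_mode
    if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
        return "parent directory is world-writable without the sticky bit"
    return None


def weak_cron_scripts(crontab_text, system_style=True):
    """Parse crontab text (system_style: /etc/crontab layout with a user column).
    Returns [(command, path, reason)] for each writable absolute-path argument."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@" or "=" in line.split()[0]:
            continue  # comments, @reboot-style entries and VAR=value lines
        m = CRON_LINE.match(line)
        if not m:
            continue
        tokens = m.group("rest").split()
        if system_style:
            tokens = tokens[1:]  # drop the user column
        for tok in tokens:
            if tok.startswith("/") and os.path.isfile(tok):
                reason = writable_by_others(tok)
                if reason:
                    findings.append((" ".join(tokens), tok, reason))
    return findings


def demo():
    """Constructed scenario: root runs a cleanup script that anyone can edit."""
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "cleanup.py")
    with open(script, "w") as fh:
        fh.write("print('cleanup')\n")
    os.chmod(script, 0o777)  # the weak permission this audit is meant to catch
    crontab = "SHELL=/bin/sh\n* * * * * root /usr/bin/python3 %s\n" % script
    return weak_cron_scripts(crontab)
```

Run `weak_cron_scripts(open("/etc/crontab").read())` on a real host to list jobs whose scripts need their permissions tightened; `demo()` returns the single finding for the constructed cleanup.py.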
