Pentestit 12 writeup 4

From the very start of the lab the organizers gave us two IPs; to repeat them here: 192.168.101.12 and 192.168.101.13. When I first logged in to OpenVPN successfully as info@test.lab, I tried changing the VPN configuration to connect to the .12 endpoint, but that failed. After the series of steps described earlier we now also hold the password for sviridov@test.lab, so we can try again.

It is simple: change the IP in the earlier configuration file to .12 and log in as sviridov@test.lab; this time the login succeeds.

Looking closely, there is something else: the network we reach through the VPN is no longer only 172.16.0.0/16; the 192.168.0.0/24 range has been added as well.

Now that we are inside the internal network with the new account, let's sweep it with nmap again. I scanned both the 172 and the 192 ranges. The results for the 172 range are clearly different from the earlier scan done while logged in as info: evidently the network access control grants the sviridov account noticeably more reach than info. Here are the scan results and the commands I used.

```bash
nmap -sV -T4 -O -F --version-light 172.16.0.0/16
nmap -sS -n -vvv 192.168.0.0/24 -Pn -p 21,22,80,139,443,445,8080,3389 --open     ### when I used the command above, not a single port turned up
```
```text
Nmap scan report for helpdesk.test.lab (172.16.0.10)
Host is up (0.82s latency).
Not shown: 99 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.16.0

Nmap scan report for 172.16.0.14
Host is up (0.97s latency).
Not shown: 98 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
80/tcp open  http    nginx 1.14.2

Nmap scan report for 172.16.0.17
Host is up (0.61s latency).
Not shown: 93 closed ports
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
53/tcp  open  domain       ISC BIND 9.10.3-P4 (Debian Linux)
88/tcp  open  kerberos-sec Heimdal Kerberos (server time: 2019-06-01 07:53:35Z)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: TEST)
389/tcp open  ldap         (Anonymous bind OK)
445/tcp open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: TEST)

Nmap scan report for 172.16.1.10
Host is up (0.83s latency).
Not shown: 99 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.10.3

Nmap scan report for 172.16.1.12
Host is up (0.96s latency).
Not shown: 99 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.25

Nmap scan report for 172.16.1.15
Host is up (0.96s latency).
Not shown: 99 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.2

Nmap scan report for 172.16.1.20
Host is up, received user-set (0.087s latency).
Scanned at 2019-01-27 14:26:04 EST for 179s
Not shown: 98 filtered ports
Reason: 98 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE  REASON
22/tcp   open  ssh      syn-ack
8000/tcp open  http-alt syn-ack

Nmap scan report for 172.16.1.25
Host is up, received user-set (0.15s latency).
Scanned at 2019-01-27 14:26:04 EST for 177s
Not shown: 99 filtered ports
Reason: 99 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack

Nmap scan report for 192.168.0.10
22/tcp open  ssh     syn-ack ttl 62
Nmap scan report for 192.168.0.15
22/tcp open  ssh     syn-ack ttl 62
Nmap scan report for 192.168.0.30
22/tcp open  ssh     syn-ack ttl 62
Nmap scan report for 192.168.0.100
22/tcp open  ssh     syn-ack ttl 62
Nmap scan report for 192.168.0.205
22/tcp open  ssh     syn-ack ttl 62
Nmap scan report for 192.168.0.240
22/tcp open  ssh     syn-ack ttl 62
```
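The point of the comparison above is that two VPN accounts see different slices of the network. As an added example (not part of the original writeup, and not lab tooling), here is a small Python script that parses nmap's normal-format output, the same layout as the listings above, and diffs a scan taken as one account against a scan taken as another. This is the check a defender would run to confirm that what each VPN account can reach matches the intended access control, and it also flags the `(Anonymous bind OK)` banner that nmap reported for LDAP as a configuration to review. The two scan texts below are constructed samples in that format, not the real lab results; the hosts and ports in them are illustrative.

```python
import re

# Constructed sample output in nmap's "normal" format, modelled on the
# listings in this writeup. Not real scan results from the lab.
SCAN_AS_INFO = """\
Nmap scan report for helpdesk.test.lab (172.16.0.10)
Host is up (0.82s latency).
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.16.0
Nmap scan report for 172.16.0.17
Host is up (0.61s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
"""

SCAN_AS_SVIRIDOV = """\
Nmap scan report for helpdesk.test.lab (172.16.0.10)
Host is up (0.82s latency).
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.16.0
Nmap scan report for 172.16.0.17
Host is up (0.61s latency).
Not shown: 93 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
389/tcp open ldap (Anonymous bind OK)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: TEST)
Nmap scan report for 172.16.1.10
Host is up (0.83s latency).
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.10.3
Nmap scan report for 192.168.0.10
22/tcp open ssh syn-ack ttl 62
"""

# Matches "Nmap scan report for name (ip)" as well as "Nmap scan report for ip".
HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?\s*$")
# Matches "80/tcp open http nginx 1.16.0"; the trailing detail column is optional.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# (service, lower-cased substring of the detail column, note) rules marking a
# configuration worth reviewing. Only the one visible in the scan above is listed.
ATTENTION_RULES = [
    ("ldap", "anonymous bind ok", "LDAP accepts anonymous bind"),
]


def parse_nmap(text):
    """Return {ip: {"hostname": str | None, "ports": {"80/tcp": (service, detail)}}}.

    Only ports in state "open" are kept; header, latency and reason lines are skipped.
    """
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_RE.match(line)
        if m:
            hostname, ip = m.group(1), m.group(2)
            current = hosts.setdefault(ip, {"hostname": hostname, "ports": {}})
            continue
        m = PORT_RE.match(line)
        if m and current is not None and m.group(3) == "open":
            key = f"{m.group(1)}/{m.group(2)}"
            current["ports"][key] = (m.group(4), (m.group(5) or "").strip())
    return hosts


def newly_reachable(before, after):
    """Open ports present in `after` but absent in `before`, keyed by IP."""
    gained = {}
    for ip, info in after.items():
        old_ports = before.get(ip, {"ports": {}})["ports"]
        extra = sorted(set(info["ports"]) - set(old_ports), key=lambda p: int(p.split("/")[0]))
        if extra:
            gained[ip] = extra
    return gained


def review_findings(hosts):
    """Return (ip, port, note) for open services whose banner matches ATTENTION_RULES."""
    findings = []
    for ip, info in hosts.items():
        for port, (service, detail) in info["ports"].items():
            for rule_service, needle, note in ATTENTION_RULES:
                if service == rule_service and needle in detail.lower():
                    findings.append((ip, port, note))
    return findings


if __name__ == "__main__":
    as_info = parse_nmap(SCAN_AS_INFO)
    as_sviridov = parse_nmap(SCAN_AS_SVIRIDOV)
    for ip, ports in newly_reachable(as_info, as_sviridov).items():
        print(f"{ip}: reachable as sviridov but not as info: {', '.join(ports)}")
    for ip, port, note in review_findings(as_sviridov):
        print(f"{ip} {port}: {note}")
```

Normal output is convenient for a quick comparison like this, but its layout is not a stable interface; for anything scripted on a regular basis, save the scan with nmap's `-oX` option and parse the XML instead.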

The port scan above turned up more assets, so let's visit the web services on them. On 172.16.1.10 we found a token. It is only reachable after obtaining VPN access as sviridov, so this should be the VPN token. We also found that my.test.lab, which was unreachable earlier with the info account, is accessible now.