hmv[-_-]Liceo

Liceo

今天新上的靶场,挺新鲜,打开看一下:

image-20240320172456611

配置靶场

感觉要坏事,扫一下,不能扫出来还是老老实实用virtualbox做吧。。

image-20240320173001693

似乎扫到了主机的 ip :

什么?你怀念那个骷髅头?

sed -i 's/prompt_symbol=㉿/prompt_symbol=💀/' ~/.zshrc
source ~/.zshrc

查看一下那个主机的IP对不对吧:

image-20240320173210897

感觉哪里不对劲。

rustscan -a 10.161.61.78  -- -A -sT -T4 -sV
Open 10.161.61.78:903
Open 10.161.61.78:913
Open 10.161.61.78:4002
Open 10.161.61.78:5040
Open 10.161.61.78:5357

连接上端口看一下有些啥:

nc 10.161.61.78 903
# 220 VMware Authentication Daemon Version 1.10: SSL Required, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC , , NFCSSL supported/t, 

寄,环境没配好一点,淦,早知道看一眼mac地址了。

重新配置,把kali和靶机都搞成NAT+桥接了,然后顺便切换成热点了,试试:

image-20240320180912965

疑似,扫描一下:

image-20240320180943969

应该是这个了。

信息搜集

端口扫描

rustscan -a 10.0.2.7  -- -A -sT -T4 -sV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.0.2.7:21
Open 10.0.2.7:22
Open 10.0.2.7:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.5
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.0.2.4
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-rw-r--    1 1000     1000          191 Feb 01 14:29 note.txt
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 68:4c:42:8d:10:2c:61:56:7b:26:c4:78:96:6d:28:15 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEwZ1vknI6B5ldjpFrlrBx3wmdRq0g9D2vHkGSZF0mqDslvgXA+SYmiBN3ETYhTH8Hh1tVKjGtZADp40fHMfQ1I=
|   256 7e:1a:29:d8:9b:91:44:bd:66:ff:6a:f3:2b:c7:35:65 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDWFL2zQHLdSxoHaT8QP6jL3ok4bNN0uWWAMCwK7a5Nx
80/tcp open  http    syn-ack Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Liceo
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

目录扫描

gobuster dir -u http://10.0.2.7/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 60
/images               (Status: 301) [Size: 305] [--> http://10.0.2.7/images/]
/uploads              (Status: 301) [Size: 306] [--> http://10.0.2.7/uploads/]
/css                  (Status: 301) [Size: 302] [--> http://10.0.2.7/css/]
/js                   (Status: 301) [Size: 301] [--> http://10.0.2.7/js/]
/server-status        (Status: 403) [Size: 273]
feroxbuster -u http://10.0.2.7
200      GET       11l       40w     2246c http://10.0.2.7/images/c2.png
301      GET        9l       28w      301c http://10.0.2.7/js => http://10.0.2.7/js/
301      GET        9l       28w      305c http://10.0.2.7/images => http://10.0.2.7/images/
200      GET        8l       14w      753c http://10.0.2.7/images/call.png
200      GET       13l       60w     4621c http://10.0.2.7/images/c1.png
200      GET       19l       67w     4742c http://10.0.2.7/images/f1.png
200      GET        9l       35w     1909c http://10.0.2.7/images/c4.png
200      GET      191l      308w     3216c http://10.0.2.7/css/responsive.css
200      GET    10038l    19587w   192348c http://10.0.2.7/css/bootstrap.css
301      GET        9l       28w      306c http://10.0.2.7/uploads => http://10.0.2.7/uploads/
200      GET      317l     1858w   171993c http://10.0.2.7/images/experience-img.jpg
200      GET        9l       14w    14126c http://10.0.2.7/css/style.css.map
200      GET        2l     1276w    88145c http://10.0.2.7/js/jquery-3.4.1.min.js
200      GET      229l     1429w   169780c http://10.0.2.7/images/freelance-img.jpg
301      GET        9l       28w      302c http://10.0.2.7/css => http://10.0.2.7/css/
200      GET        3l       13w     1071c http://10.0.2.7/images/linkedin.png
200      GET        4l        7w      256c http://10.0.2.7/images/menu.png
200      GET      569l     3608w   288111c http://10.0.2.7/images/slider-img.png
200      GET        3l       10w      681c http://10.0.2.7/images/c3.png
200      GET        5l       17w      726c http://10.0.2.7/images/location.png
200      GET       12l       38w     3001c http://10.0.2.7/images/f4.png
200      GET        3l       13w      708c http://10.0.2.7/images/quote.png
200      GET       20l       35w      448c http://10.0.2.7/js/custom.js
200      GET        7l       23w     1461c http://10.0.2.7/images/c5.png
200      GET       14l       78w     5070c http://10.0.2.7/images/f3.png
200      GET       10l       35w     1896c http://10.0.2.7/images/c6.png
200      GET        6l       17w      918c http://10.0.2.7/images/mail.png
200      GET      621l     1442w    21487c http://10.0.2.7/index.html
200      GET      878l     1703w    17458c http://10.0.2.7/css/style.css
200      GET     4440l    10999w   131868c http://10.0.2.7/js/bootstrap.js
200      GET      200l     1784w   176281c http://10.0.2.7/images/about-img.jpg
200      GET        4l        7w      497c http://10.0.2.7/images/prev-angle.png
200      GET        5l       26w     2031c http://10.0.2.7/images/instagram.png
200      GET        5l       48w     1493c http://10.0.2.7/images/fb.png
200      GET       13l       56w     3899c http://10.0.2.7/images/logo.png
200      GET        9l       37w     3663c http://10.0.2.7/images/f2.png
200      GET      621l     1442w    21487c http://10.0.2.7/
200      GET      792l     1274w    12988c http://10.0.2.7/css/style.scss
200      GET        3l       11w      353c http://10.0.2.7/images/next.png
200      GET        5l        9w      430c http://10.0.2.7/images/prev.png
200      GET        4l       12w      414c http://10.0.2.7/images/next-angle.png
200      GET        4l       11w     1080c http://10.0.2.7/images/youtube.png
200      GET        8l       23w     1323c http://10.0.2.7/images/twitter.png
200      GET        3l       10w      524c http://10.0.2.7/images/search-icon.png

漏洞利用

image-20240320181510968

访问一下扫出来的目录,没啥收获,尝试ftp连接一下,发现扫描结果显示可以使用Anonymous登录:

image-20240320182829656

尝试获取一下这个文件:

image-20240320183253256

我擦,大概就是安全员要离开一下,让别人帮忙看下机子。。。。

既然有uploads文件夹,那么应该有上传点才对啊,尝试/upload.php发现确实有,真奇怪,居然没扫到:

gobuster dir -u http://10.0.2.7/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 60 -r 2 -x php,txt,html,png
/.html                (Status: 403) [Size: 273]
/uploads              (Status: 200) [Size: 739]
/images               (Status: 200) [Size: 6711]
/index.html           (Status: 200) [Size: 21487]
/.php                 (Status: 403) [Size: 273]
/upload.php           (Status: 200) [Size: 371]
/css                  (Status: 200) [Size: 1742]
/js                   (Status: 200) [Size: 1343]
/.php                 (Status: 403) [Size: 273]
/.html                (Status: 403) [Size: 273]
/server-status        (Status: 403) [Size: 273]

这样才扫到,看来以后得小心这种事情发生了。

尝试上传一个一句话木马!发现似乎禁止传输php,换一个名字php4试试,似乎成功了,打开看一下,连接一下,连接不上啊。。。

将文件名不带后缀,然后抓包添加后缀为:phtml,成功

image-20240320192512082

突然想起来可以直接弹shell:

image-20240320194043934

提权

信息搜集

image-20240320194647839

71ab613fa286844425523780a7ebbab2

然后搜集发现:

$ find / -perm -u=s -type f 2>/dev/null
/snap/snapd/20671/usr/lib/snapd/snap-confine
/snap/snapd/21184/usr/lib/snapd/snap-confine
/snap/core20/2105/usr/bin/chfn
/snap/core20/2105/usr/bin/chsh
/snap/core20/2105/usr/bin/gpasswd
/snap/core20/2105/usr/bin/mount
/snap/core20/2105/usr/bin/newgrp
/snap/core20/2105/usr/bin/passwd
/snap/core20/2105/usr/bin/su
/snap/core20/2105/usr/bin/sudo
/snap/core20/2105/usr/bin/umount
/snap/core20/2105/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/2105/usr/lib/openssh/ssh-keysign
/snap/core20/1974/usr/bin/chfn
/snap/core20/1974/usr/bin/chsh
/snap/core20/1974/usr/bin/gpasswd
/snap/core20/1974/usr/bin/mount
/snap/core20/1974/usr/bin/newgrp
/snap/core20/1974/usr/bin/passwd
/snap/core20/1974/usr/bin/su
/snap/core20/1974/usr/bin/sudo
/snap/core20/1974/usr/bin/umount
/snap/core20/1974/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1974/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/mount
/usr/bin/umount
/usr/bin/sudo
/usr/bin/bash
/usr/bin/fusermount3
/usr/libexec/polkit-agent-helper-1

发现bashsuid,利用一下:

image-20240320195344655

BF9A57023EDD8CFAB92B8EA516676B0D
暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇