Prerequisites
Broken access control, CVE-2018-15133 (Laravel RCE when the APP_KEY is leaked), directory brute-forcing (recursive), sensitive information disclosure
linPEAS, sensitive information leaked in /var/log/audit and similar locations
Information gathering and getting a foothold
Start with a basic nmap scan
Run the detailed scan and leave it running in the background for now. Note that proxychains below must come before sudo; see the Nmap Cheat Sheet for what the flags mean.
proxychains sudo nmap -p 1-65535 -sV -sS -T4 10.10.10.215
nmap shows port 80 open, so start a directory scan in the background first
gobuster dir -u 10.10.10.215 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -o academy -q
Results:
/academy (Status: 301)
/server-status (Status: 403)
Start Burp and browse to the host; it redirects to the HTB homepage, so add 10.10.10.215 academy.htb to /etc/hosts so that the redirect to academy.htb lands back on 10.10.10.215.
Found registration and login functionality, and identified the site as PHP, so start a second directory brute force in the background with the php extension
gobuster dir -u 10.10.10.215 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x php -o academy_php -q
Now test the site's functionality: register an account and try it out, but there is not much to find, and many of the features are non-functional.
The gobuster results are in with nothing of interest, so consider switching to dirbuster, since gobuster apparently does not support recursive scanning. That finds admin.php.
The background nmap results are in: SSH and HTTP services, plus a MySQL instance on a non-default port.
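As an added, defender-side example that is not part of the original write-up: a 200-thread gobuster run like the one above leaves a dense burst of 404 responses from a single source IP in Apache's access log. The script below, using constructed combined-format log lines and an assumed window and threshold, flags that pattern.

```python
# Added example (not from the original write-up): flag the burst of 404s that a
# directory brute force leaves in an Apache "combined" access log.
# Log lines, window size and threshold below are constructed/assumed for the demo.
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format, e.g.
# 10.10.14.5 - - [16/Dec/2020:10:01:02 +0000] "GET /foo HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return (ip, timestamp, status, user_agent), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status")), m.group("ua")

def find_enumeration(lines, window_seconds=60, threshold=20):
    """Return {ip: peak 404 count within any window_seconds} for IPs at/over threshold.

    Sliding-window count of 404s per source IP: a wordlist scan produces many per
    second, while a human browsing produces only a handful (e.g. a missing favicon).
    """
    recent = defaultdict(deque)   # ip -> timestamps of 404s inside the current window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != 404:
            continue
        ip, ts = parsed[0], parsed[1]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

# Constructed sample: one scanner hitting 25 non-existent paths in 25 s, one normal visitor.
SAMPLE_LOG = [
    f'10.10.14.5 - - [16/Dec/2020:10:01:{i:02d} +0000] "GET /dir{i} HTTP/1.1" 404 275 "-" "gobuster/3.1.0"'
    for i in range(25)
] + [
    '10.10.14.9 - - [16/Dec/2020:10:01:05 +0000] "GET /academy/ HTTP/1.1" 200 3210 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [16/Dec/2020:10:01:30 +0000] "GET /favicon.ico HTTP/1.1" 404 275 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))   # {'10.10.14.5': 25}
```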
Nmap scan report for 10.10.10.215
Host is up (0.30s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
33060/tcp open mysqlx?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.91%I=7%D=12/16%Time=5FDA2C69%P=x86_64-pc-linux-gnu%r(
SF:NULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0")%r(Get