Information gathering:
# nmap --min-rate=10000 -p- 192.168.137.144
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 13:47 CST
Nmap scan report for 192.168.137.144 (192.168.137.144)
Host is up (0.00014s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:B3:15:CC (VMware)
Nmap done: 1 IP address (1 host up) scanned in 13.43 seconds
Ports 22 and 3128 are open; 8080 is closed.
Next, a TCP connect scan against those ports for service versions and OS information:
# nmap -sT -sV -O -p22,3128,8080 192.168.137.144
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 13:52 CST
Nmap scan report for 192.168.137.144 (192.168.137.144)
Host is up (0.00035s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
3128/tcp open http-proxy Squid http proxy 3.1.19
8080/tcp closed http-proxy
MAC Address: 00:0C:29:B3:15:CC (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.80 seconds
Port 3128 is Squid, which looks like a proxy.
Then scan the same ports over UDP:
# nmap -sU -p22,3128,8080 192.168.137.144
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 13:56 CST
Nmap scan report for 192.168.137.144 (192.168.137.144)
Host is up (0.00031s latency).
PORT STATE SERVICE
22/udp open|filtered ssh
3128/udp open|filtered ndl-aas
8080/udp open|filtered http-alt
MAC Address: 00:0C:29:B3:15:CC (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds
Nothing new here: open|filtered only means no UDP reply came back, so none of these is a confirmed listener.
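The three scans above leave the reader to reconcile the port tables by eye. As an added example (not part of the original write-up), the parser below reads nmap's normal-output port lines, merges several scans of the same host, and keeps the open / open|filtered distinction explicit so that only confirmed listeners end up in the inventory. The excerpts embedded in it are copied from the scan output above; the function names are my own.

```python
import re

# Excerpts of the two port tables shown above (TCP version scan, UDP scan).
TCP_SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
3128/tcp open http-proxy Squid http proxy 3.1.19
8080/tcp closed http-proxy
"""
UDP_SCAN = """\
PORT STATE SERVICE
22/udp open|filtered ssh
3128/udp open|filtered ndl-aas
8080/udp open|filtered http-alt
"""

# One port line of nmap's normal output: "22/tcp open ssh OpenSSH 5.9p1 ..."
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[a-z|]+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)


def parse_nmap(text):
    """Return one dict per port line; banners, MAC and OS guesses are skipped."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["port"] = int(e["port"])
        e["version"] = (e["version"] or "").strip()
        # Only a plain "open" is a confirmed listener. "open|filtered" (the usual UDP
        # answer) means no reply at all, so nmap cannot tell open from firewalled.
        e["confirmed"] = e["state"] == "open"
        entries.append(e)
    return entries


def merge_scans(*texts):
    """Merge scans of one host, keyed by (port, proto). A later entry replaces an
    earlier one only when it carries a version string the earlier one lacked."""
    merged = {}
    for text in texts:
        for e in parse_nmap(text):
            key = (e["port"], e["proto"])
            if key not in merged or (e["version"] and not merged[key]["version"]):
                merged[key] = e
    return [merged[k] for k in sorted(merged)]


def confirmed_services(entries):
    """Inventory of confirmed-open ports as 'port/proto service version' strings."""
    return [f'{e["port"]}/{e["proto"]} {e["service"]} {e["version"]}'.strip()
            for e in entries if e["confirmed"]]


if __name__ == "__main__":
    for line in confirmed_services(merge_scans(TCP_SCAN, UDP_SCAN)):
        print(line)
```

Run against the two excerpts it reports exactly two confirmed services, SSH and the Squid proxy; the closed 8080/tcp and the three open|filtered UDP ports are kept in the merged view but never promoted to the inventory.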
Web penetration:
Open a browser and visit 192.168.137.144:3128.
The page repeatedly mentions Squid; a quick search confirms that Squid is a proxy service.
Two guesses follow from this:
- There may be other pages reachable behind this proxy.
- The proxy may have to be used to get any further into the web content.
Run a directory brute force through it.
# dirb http://192.168.137.144 -p 192.168.137.144:3128

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Feb 2 14:04:37 2023
URL_BASE: http://192.168.137.144/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
PROXY: 192.168.137.144:3128

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.137.144/ ----
+ http://192.168.137.144/cgi-bin/ (CODE:403|SIZE:291)
+ http://192.168.137.144/connect (CODE:200|SIZE:109)
+ http://192.168.137.144/index (CODE:200|SIZE:21)
+ http://192.168.137.144/index.php (CODE:200|SIZE:21)
+ http://192.168.137.144/robots (CODE:200|SIZE:45)
+ http://192.168.137.144/robots.txt (CODE:200|SIZE:45)
+ http://192.168.137.144/server-status (CODE:403|SIZE:296)

-----------------
END_TIME: Thu Feb 2 14:04:40 2023
DOWNLOADED: 4612 - FOUND: 7
With the browser also set to use 192.168.137.144:3128 as its proxy, http://192.168.137.144/robots can be reached.
Visiting http://192.168.137.144/wolfcms/ leads to the site's home page.
The home page is full of Wolf CMS references, which immediately suggests looking for the admin page and trying default credentials.
http://192.168.137.144/wolfcms/?/admin/login is the admin login page; admin/admin, the default password, logs into the back end.
A reverse-shell payload was added to the page code.
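The web server on this box was not reachable directly, only through the Squid proxy on the same host, and the dirb run above is a 4612-request burst of mostly 403/404 responses relayed by that proxy. From the defender's side both facts are visible in Squid's access.log. As an added example (not from the write-up), the code below parses lines in Squid's default native log format, flags a client whose requests inside a sliding window are mostly 4xx errors (the shape of wordlist-driven path guessing), and separately lists requests the proxy forwarded to a loopback peer, which is how a network-exposed proxy leaks services bound only to 127.0.0.1. The log lines are constructed for the example; the client addresses, thresholds and function names are my own choices.

```python
import ipaddress
from collections import defaultdict


def build_sample_log():
    """Constructed Squid access.log in the default native format:
    time elapsed client result/status bytes method URL user hierarchy/peer type.
    One client fires a 42-request burst through the proxy at the proxy host's own
    web server (peer 127.0.0.1); another client browses an external site normally."""
    lines = []
    t0 = 1675317877.0
    paths = [f"/dir{i}/" for i in range(40)] + ["/robots.txt", "/index.php"]
    for i, path in enumerate(paths):
        status = 200 if path in ("/robots.txt", "/index.php") else 404
        lines.append(f"{t0 + i * 0.05:.3f} 3 192.168.137.100 TCP_MISS/{status} 289 GET "
                     f"http://192.168.137.144{path} - HIER_DIRECT/127.0.0.1 text/html")
    for i in range(5):
        lines.append(f"{t0 + 30 + i * 2:.3f} 40 192.168.137.50 TCP_MISS/200 5120 GET "
                     f"http://example.com/page{i} - HIER_DIRECT/203.0.113.10 text/html")
    return "\n".join(lines)


FIELDS = ("ts", "elapsed", "client", "result", "size", "method", "url", "user", "hier", "ctype")


def parse_squid_line(line):
    """One native-format line -> dict, or None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = float(rec["ts"])
    status = rec["result"].partition("/")[2]          # TCP_MISS/404 -> 404
    rec["status"] = int(status) if status.isdigit() else 0
    rec["peer"] = rec["hier"].partition("/")[2]       # HIER_DIRECT/127.0.0.1 -> 127.0.0.1
    return rec


def parse_log(text):
    return [r for r in (parse_squid_line(l) for l in text.splitlines()) if r]


def find_bruteforce(records, window=60.0, min_requests=30, min_error_ratio=0.5):
    """Flag a client whose requests within any `window` seconds are mostly 4xx:
    the signature of wordlist-driven path guessing relayed through the proxy."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            n = end - start + 1
            if n < min_requests:
                continue
            errors = sum(1 for r in recs[start:end + 1] if 400 <= r["status"] < 500)
            if errors / n >= min_error_ratio:
                alerts.append({"client": client, "requests": n, "errors": errors})
                break  # one alert per client is enough
    return alerts


def find_loopback_forwarding(records):
    """Requests the proxy forwarded to a loopback peer. A proxy reachable from the
    network that relays to 127.0.0.1 exposes services that were bound to localhost only."""
    hits = []
    for r in records:
        try:
            if ipaddress.ip_address(r["peer"]).is_loopback:
                hits.append(r)
        except ValueError:
            pass
    return hits


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print(find_bruteforce(recs))
    print(len(find_loopback_forwarding(recs)), "requests relayed to loopback")
```

The brute-force alert fires as soon as the window holds thirty requests, all of them errors, while the normal browsing client never reaches the request threshold. The loopback check is the more durable signal: it does not depend on the attacker's speed or wordlist, only on the proxy's `http_access` rules allowing a destination that should never have been reachable from outside.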
getshell:
# nc -lvnp 1234
listening on [any] 1234 ...
The attacker machine listens on port 1234 with nc. Going back to the web page and opening the location where the shell was written triggers it, and the listener receives the reverse shell:
Reading ./config.php gives the database username and password, which can also be tried against SSH and other accounts.
Privilege escalation:
Check /etc/passwd.
It lists several accounts worth trying.
Try logging in to each in turn.
The user sickos accepts the password recovered a moment ago.
Check the account's privileges.
It has full sudo privileges.
Escalate: sudo /bin/bash
Root obtained.
Read the flag:
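The last two steps hinge on two weaknesses that are easy to audit from the defender's side: a password reused between a web application config and a system account, and a sudo rule that hands a non-root user unrestricted `ALL`. As an added example (not from the write-up), the code below parses a sudoers file together with /etc/group, expands `%group` specifications to their members, and reports every non-root user who can run any command, noting whether `NOPASSWD` removes the remaining password check. Both files are constructed samples; in particular, placing `sickos` in the `admin` group is an assumption made for the example, not something the box's configuration is shown to contain.

```python
import re

# Constructed sample of an Ubuntu-style /etc/sudoers and the /etc/group file whose
# membership makes the %group rules effective. The "sickos" membership in "admin"
# is an assumption for this example, not taken from the write-up.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%admin          ALL=(ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
backup          ALL=(root) NOPASSWD: /usr/bin/rsync
www-data        ALL=(ALL) NOPASSWD: ALL
"""
SAMPLE_GROUP = """\
root:x:0:
admin:x:4:sickos
sudo:x:27:
www-data:x:33:
"""

# user or %group, hosts=(runas) [TAG: ...] command list
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def parse_sudoers(text):
    """Return the user specifications; aliases and Defaults lines are not expanded here."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        rules.append({
            "who": m.group("who"),
            "runas": m.group("runas") or "root",  # an omitted runas list means root
            "tags": set(m.group("tags").replace(":", " ").split()),
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def parse_groups(text):
    """group name -> list of supplementary members, from /etc/group lines."""
    return {p[0]: [u for u in p[3].split(",") if u]
            for p in (line.split(":") for line in text.splitlines()) if len(p) >= 4}


def audit_sudoers(sudoers_text, group_text):
    """Non-root users who may run any command via sudo, and whether a password is still required."""
    groups = parse_groups(group_text)
    findings = []
    for rule in parse_sudoers(sudoers_text):
        if "ALL" not in rule["cmds"]:
            continue  # restricted command list: out of scope for this check
        who = rule["who"]
        users = groups.get(who[1:], []) if who.startswith("%") else [who]
        for user in users:
            if user == "root":
                continue
            findings.append({"user": user, "via": who, "nopasswd": "NOPASSWD" in rule["tags"]})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS, SAMPLE_GROUP):
        print(f)
```

On the sample the audit reports `sickos` (through `%admin`, password still required, which is exactly why a reused password was enough) and `www-data` (passwordless, which would let a web-server compromise become root with no credential at all). The `backup` entry is not reported because its command list is restricted to one binary.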
root@SickOs:/root# cat ./a0216ea4d51874464078c618298b1367.txt
If you are viewing this!!
ROOT!
You have Succesfully completed SickOS1.1.
Thanks for Trying
Summary:
This box involves scanning through a proxy; dirb takes the proxy with -p.