HTB Popcorn [Hack The Box HTB Lab] Writeup Series 4

This is the fourth retired machine, Popcorn.

Contents

0x00 Target overview

0x01 Port scan

0x02 Web directory and file scan

0x03 Getting a webshell

0x04 Privilege escalation


0x00 Target overview

This is a Linux machine. Overall the difficulty looks to be around 3-4, a step up from the previous boxes, but after working through VulnHub machines you generally have a good sense of how to approach a Linux box.

0x01 Port scan

First, the port scan results:

root@kali:~# nmap -T5 -A -v 10.10.10.6                                                                                                                                                                         
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-02 07:19 EST                                                                                                                                                
NSE: Loaded 151 scripts for scanning.                                                                                                                                                                          
NSE: Script Pre-scanning.                                                                                                                                                                                      
Initiating NSE at 07:19                                                                                                                                                                                        
Completed NSE at 07:19, 0.00s elapsed                                                                                                                                                                          
Initiating NSE at 07:19                                                                                                                                                                                        
Completed NSE at 07:19, 0.00s elapsed                                                                                                                                                                          
Initiating NSE at 07:19                                                                                                                                                                                        
Completed NSE at 07:19, 0.00s elapsed                                                                                                                                                                          
Initiating Ping Scan at 07:19                                                                                                                                                                                  
Scanning 10.10.10.6 [4 ports]                                                                                                                                                                                  
Completed Ping Scan at 07:19, 0.57s elapsed (1 total hosts)                                                                                                                                                    
Initiating Parallel DNS resolution of 1 host. at 07:19                                                                                                                                                         
Completed Parallel DNS resolution of 1 host. at 07:19, 0.14s elapsed                                                                                                                                           
Initiating SYN Stealth Scan at 07:19                                                                                                                                                                           
Scanning 10.10.10.6 [1000 ports]
Discovered open port 22/tcp on 10.10.10.6
Discovered open port 80/tcp on 10.10.10.6
Warning: 10.10.10.6 giving up on port because retransmission cap hit (2).
Completed SYN Stealth Scan at 07:20, 4.20s elapsed (1000 total ports)
Initiating Service scan at 07:20
Scanning 2 services on 10.10.10.6
Completed Service scan at 07:20, 7.05s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.6
Retrying OS detection (try #2) against 10.10.10.6
Initiating Traceroute at 07:20
Completed Traceroute at 07:20, 0.66s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 07:20
Completed Parallel DNS resolution of 2 hosts. at 07:20, 0.25s elapsed
NSE: Script scanning 10.10.10.6.
Initiating NSE at 07:20
Completed NSE at 07:20, 15.17s elapsed
Initiating NSE at 07:20
Completed NSE at 07:20, 2.17s elapsed
Initiating NSE at 07:20
Completed NSE at 07:20, 0.00s elapsed
Nmap scan report for 10.10.10.6
Host is up (0.20s latency).
Not shown: 980 closed ports
PORT      STATE    SERVICE         VERSION
22/tcp    open     ssh             OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp    open     http            Apache httpd 2.2.12 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
85/tcp    filtered mit-ml-dev
1067/tcp  filtered instl_boots
1213/tcp  filtered mpc-lifenet
1717/tcp  filtered fj-hdnet
2005/tcp  filtered deslogin
2047/tcp  filtered dls
2222/tcp  filtered EtherNetIP-1
3546/tcp  filtered unknown
5988/tcp  filtered wbem-http
6646/tcp  filtered unknown
8022/tcp  filtered oa-system
8654/tcp  filtered unknown
9010/tcp  filtered sdr
9290/tcp  filtered unknown
10617/tcp filtered unknown
32780/tcp filtered sometimes-rpc23
49160/tcp filtered unknown
55056/tcp filtered unknown
Aggressive OS guesses: Linux 2.6.17 - 2.6.36 (95%), Linux 2.6.32 (95%), Linux 2.4.20 (Red Hat 7.2) (95%), Linux 2.6.17 (95%), Linux 2.6.30 (95%), Linux 2.6.35 (95%), AVM FRITZ!Box FON WLAN 7240 WAP (94%), Canon imageRUNNER ADVANCE C3320i or C3325 copier (94%), Android 2.3.5 (Linux 2.6) (94%), Epson WF-2660 printer (94%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.682 days (since Sat Feb  1 14:58:58 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=194 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 199/tcp)
HOP RTT       ADDRESS
1   446.46 ms 10.10.14.1
2   653.63 ms 10.10.10.6

NSE: Script Post-scanning.
Initiating NSE at 07:20
Completed NSE at 07:20, 0.00s elapsed
Initiating NSE at 07:20
Completed NSE at 07:20, 0.00s elapsed
Initiating NSE at 07:20
Completed NSE at 07:20, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.44 seconds
           Raw packets sent: 1573 (72.608KB) | Rcvd: 1166 (49.960KB)

We can see that two ports are open, 22 and 80. So it is the standard webshell-then-privilege-escalation approach; we go straight in with the usual playbook.

0x02 Web directory and file scan

Let's look at the directory scan results:

root@kali:~# dirb http://10.10.10.6

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Feb  2 07:21:22 2020
URL_BASE: http://10.10.10.6/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.6/ ----
*** Calculating NOT_FOUND code...
+ http://10.10.10.6/.bash_history (CODE:200|SIZE:414)                                                                                                                                                         
+ http://10.10.10.6/cgi-bin/ (CODE:403|SIZE:286)                                                                                                                                                              
+ http://10.10.10.6/index (CODE:200|SIZE:177)                                                                                                                                                                 
+ http://10.10.10.6/index.html (CODE:200|SIZE:177)                                                                                                                                                            
+ http://10.10.10.6/server-status (CODE:403|SIZE:291)                                                                                                                                                         
+ http://10.10.10.6/test (CODE:200|SIZE:47330)                                                                                                                                                                
==> DIRECTORY: http://10.10.10.6/torrent/                                                                                                                                                                     
                                                                                                                                                                                                              
---- Entering directory: http://10.10.10.6/torrent/ ----
==> DIRECTORY: http://10.10.10.6/torrent/admin/                                                                                                                                                               
+ http://10.10.10.6/torrent/browse (CODE:200|SIZE:9277) 

The main findings are:

  1. http://10.10.10.6/test
  2. http://10.10.10.6/torrent/

/test is a phpinfo page. A quick look suggests the challenge author's intent is not for us to attack the PHP service directly.

0x03 Getting a webshell

After entering the torrent directory, we see the following Torrent Hoster site:

I then checked Exploit-DB: the vulnerability should be in the file upload feature, which does not check the file extension.

No ready-made exploit is given, however, so we need to try it ourselves.

First I registered a user, went into the backend, and after going through every feature found two upload locations:

  1. torrent file upload
  2. screenshot file upload

I tested with Burp and found that when uploading a screenshot, the filename extension can be changed directly to php. The specific procedure is as follows:

1. Upload any torrent; searching Baidu for one is enough.

2. Click Edit this torrent and select an image file to upload.
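The root cause described above is that Torrent Hoster trusts the client-supplied screenshot filename. As an added illustration (not code from this page or from Torrent Hoster), here is the kind of server-side check that closes this class of bug: the extension is allowlisted, the content must match the declared image type's magic bytes, and the stored name is generated server-side. The function, allowlist and size limit are my own construction.

```python
import os
import secrets

# Constructed allowlist for a screenshot upload: permitted extension -> the
# magic bytes the file content must start with. Anything else (php, phtml,
# unknown) is rejected before it is written to disk.
ALLOWED_IMAGE_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_SCREENSHOT_BYTES = 2 * 1024 * 1024  # constructed limit


class UploadRejected(ValueError):
    """Raised when an uploaded screenshot fails validation."""


def validate_screenshot(client_filename: str, data: bytes) -> str:
    """Validate an uploaded screenshot and return a safe server-side name.

    The client filename is only consulted for its final extension, which must
    be allowlisted; the content must carry that image type's magic bytes; and
    the stored name is random, so the uploader never controls what lands on disk.
    """
    if len(data) > MAX_SCREENSHOT_BYTES:
        raise UploadRejected("file too large")
    # Drop any directory components, whether Unix or Windows style.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("no file extension")
    # Only the last extension counts, so 'shell.php.png' is treated as png
    # and must then prove it really is a PNG.
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_IMAGE_TYPES:
        raise UploadRejected(f"extension .{ext} is not an allowed image type")
    if not data.startswith(ALLOWED_IMAGE_TYPES[ext]):
        raise UploadRejected("content does not match the declared image type")
    # Server-generated name: 32 hex characters plus the validated extension.
    return f"{secrets.token_hex(16)}.{ext}"


def screenshot_accepted(client_filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload would be stored, else False."""
    try:
        validate_screenshot(client_filename, data)
        return True
    except UploadRejected:
        return False
```

On Apache with mod_php, a stored `<random>.png` is served as a static file rather than executed, which is the property the original upload handler lacks.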
