Note: this is my second TryHackMe box.
nmap
Scan for open ports with nmap:
nmap -T5 -sV 10.10.146.140 -Pn -sT
The target is a Linux host with ports 22, 80 and 8000 open.
| Port | Service |
|---|---|
| 22 | ssh |
| 80 | http |
| 8000 | http |
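As an added example (not part of the original write-up), here is a small parser that turns `nmap -sV` normal output into the port/service table above and flags what a defender would want to review on a host like this: a non-standard web port exposed alongside 80, and banners that leak version strings. The sample scan output below is constructed for the example, not the real scan of this box, and the set of "unexpected" ports is an assumption to tune per environment.

```python
import re

# Constructed sample of `nmap -sV` normal output; not the actual scan of the box.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 10.10.146.140
Host is up (0.045s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
8000/tcp open  http    PHP cli server 5.5 or later
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One port line: "<port>/<proto> <state> <service> [version text]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)


def parse_nmap(text):
    """Return one dict per open port found in nmap normal output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group("state") == "open":
            rows.append({
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "service": m.group("service"),
                "version": (m.group("version") or "").strip(),
            })
    return rows


def to_markdown(rows):
    """Render the parsed rows as the same pipe table used in the write-up."""
    lines = ["Port | Service | Version", "---|---|---"]
    for r in rows:
        lines.append(f"{r['port']} | {r['service']} | {r['version']}")
    return "\n".join(lines)


# Assumption: ports a defender does not expect to see open on this kind of host.
UNEXPECTED_PORTS = {8000, 8080, 8888}


def review_findings(rows):
    """Flag open ports that warrant review: non-standard web ports and version-leaking banners."""
    findings = []
    for r in rows:
        if r["port"] in UNEXPECTED_PORTS:
            findings.append(
                f"port {r['port']}: non-standard web port exposed ({r['service']} {r['version']})"
            )
        if r["version"]:
            findings.append(f"port {r['port']}: banner reveals version '{r['version']}'")
    return findings


if __name__ == "__main__":
    parsed = parse_nmap(SAMPLE_NMAP_OUTPUT)
    print(to_markdown(parsed))
    for finding in review_findings(parsed):
        print("REVIEW:", finding)
```

Feed it the saved `-oN` output of a real scan instead of the constructed sample; the review list is what would go into a ticket for the host owner (close or firewall the extra web port, turn off server version banners).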
#1 What port number has a web server with a CMS running?
8000
Brute-forcing port 22 got nowhere. Port 80 serves the default Apache page with nothing useful on it. On port 8000 I found the CMS fingerprint.
Exploiting Bolt
#2 What is the username we can find in the CMS?
bolt
The username and password are in one of the site's articles: bolt:boltadmin123
#3 What is the password we can find for the username?
boltadmin123
A quick Google search for well-known vulnerabilities in this CMS.
#4 What version of the CMS is installed on the server? (Ex: Name 1.1.1)
Bolt 3.7.1
Following the hint, look up the vulnerability on Exploit DB.
#5 There’s an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What’s its EDB-ID?
48296
Getting a shell with msf
Open msf on Kali, search for the exploit module for this vulnerability, and set the required options as the hint describes.
#6 Metasploit recently added an exploit module for this vulnerability. What’s the full path for this exploit? (Ex: exploit/…)
Note: If you can't find the exploit module, it's most likely because your Metasploit isn't updated. Run apt update then apt install metasploit-framework
exploit/unix/webapp/bolt_authenticated_rce
#7 Set the LHOST, LPORT, RHOST, USERNAME, PASSWORD in msfconsole before running the exploit
Since the shell we got is already root, I just used find to locate the flag.
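Landing directly in a root shell means the web application itself was running as root, so an authenticated CMS RCE needed no privilege escalation at all. As an added example (not part of the original write-up), here is a small audit that parses `ps -eo user,pid,ppid,comm,args` output and flags web-serving processes owned by root. It handles the usual false positive: a root master process (Apache, nginx) that forks unprivileged workers is normal, so only root web processes with no non-root child are reported. The `ps` sample is constructed and does not reflect what was actually running on the box; the set of web-server process names is an assumption to extend for your own stack.

```python
# Constructed sample of `ps -eo user,pid,ppid,comm,args` output; not taken from the box.
SAMPLE_PS_OUTPUT = """\
USER       PID  PPID COMMAND         COMMAND
root         1     0 systemd         /sbin/init
root       812     1 sshd            /usr/sbin/sshd -D
root       901     1 apache2         /usr/sbin/apache2 -k start
www-data   905   901 apache2         /usr/sbin/apache2 -k start
root       950     1 php             php -S 0.0.0.0:8000 -t /srv/cms/public
"""

# Assumption: process names that serve web content; extend for your environment.
WEB_SERVER_NAMES = {"apache2", "httpd", "nginx", "php", "php-fpm", "node", "gunicorn", "uwsgi"}


def parse_ps(text):
    """Parse `ps -eo user,pid,ppid,comm,args` output into dicts, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 4)  # args may contain spaces, so split at most 4 times
        if len(parts) < 4:
            continue
        user, pid, ppid, comm = parts[:4]
        args = parts[4] if len(parts) == 5 else ""
        rows.append({"user": user, "pid": int(pid), "ppid": int(ppid), "comm": comm, "args": args})
    return rows


def web_processes_as_root(rows):
    """Return root-owned web-serving processes that never drop privileges to a worker.

    A root master with at least one non-root child (Apache's prefork model) is
    expected; a root web process with no unprivileged child is serving requests
    as root, which is the condition that turns a web RCE into a root shell.
    """
    findings = []
    for r in rows:
        if r["comm"] not in WEB_SERVER_NAMES or r["user"] != "root":
            continue
        has_unprivileged_worker = any(
            c["ppid"] == r["pid"] and c["user"] != "root" for c in rows
        )
        if not has_unprivileged_worker:
            findings.append(r)
    return findings


def report(text):
    """Human-readable lines for each finding, one per offending process."""
    return [
        f"pid {r['pid']} ({r['comm']}) runs as root with no unprivileged worker: {r['args']}"
        for r in web_processes_as_root(parse_ps(text))
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_PS_OUTPUT):
        print("FINDING:", line)
```

On a real host, pipe `ps -eo user,pid,ppid,comm,args` into `parse_ps`. The fix for a finding is to run the CMS under a dedicated low-privilege account (for example behind a normal web server or PHP-FPM pool), so that a compromised application cannot read `/root` or rewrite system files.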
#8 Look for flag.txt inside the machine.
THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}
This box is also fairly beginner-friendly and involves no privilege escalation; worth a try.
PS:
My personal blog: XingHe, feel free to drop by~