1 Information gathering
NMAP
Fingerprinting
Port 21
- anonymous login: failed
- ProFTPD 1.3.5a: version 1.3.5 has a known file-copy vulnerability. Unclear whether it is exploitable here; not tested for now.
Port 80
echo "10.129.140.177 blocky.htb" | sudo tee -a /etc/hosts
Directory brute-forcing
(base) gryphon@wsdl dirsearch %python dirsearch.py -u http://blocky.htb/
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11715
Output: /Users/gryphon/Desktop/ATTCK&PT/2.Web Security/2.Tools/1.信息收集/目录扫描工具/dirsearch/reports/http_blocky.htb/__24-05-30_11-42-35.txt
Target: http://blocky.htb/
[11:42:35] Starting:
[11:43:24] 403 - 296B - /.ht_wsr.txt
[11:43:24] 403 - 299B - /.htaccess.bak1
[11:43:24] 403 - 301B - /.htaccess.sample
[11:43:24] 403 - 299B - /.htaccess.save
[11:43:24] 403 - 299B - /.htaccess.orig
[11:43:24] 403 - 300B - /.htaccess_extra
[11:43:24] 403 - 299B - /.htaccess_orig
[11:43:25] 403 - 297B - /.htaccessBAK
[11:43:25] 403 - 297B - /.htaccess_sc
[11:43:25] 403 - 298B - /.htaccessOLD2
[11:43:25] 403 - 297B - /.htaccessOLD
[11:43:25] 403 - 290B - /.html
[11:43:25] 403 - 289B - /.htm
[11:43:25] 403 - 295B - /.htpasswds
[11:43:25] 403 - 296B - /.httr-oauth
[11:43:25] 403 - 299B - /.htpasswd_test
[11:43:37] 403 - 289B - /.php
[11:43:37] 403 - 290B - /.php3
[11:46:42] 404 - 48KB - /index.php/login/
[11:46:46] 301 - 313B - /javascript -> http://blocky.htb/javascript/
[11:46:48] 301 - 0B - /index.php -> http://blocky.htb/
[11:46:58] 200 - 19KB - /license.txt
[11:47:39] 301 - 313B - /phpmyadmin -> http://blocky.htb/phpmyadmin/
[11:47:51] 200 - 13KB - /phpmyadmin/doc/html/index.html
[11:47:52] 200 - 10KB - /phpmyadmin/
[11:47:52] 301 - 310B - /plugins -> http://blocky.htb/plugins/
[11:47:52] 200 - 745B - /plugins/
[11:47:53] 200 - 10KB - /phpmyadmin/index.php
[11:48:05] 200 - 7KB - /readme.html
[11:48:14] 403 - 299B - /server-status/
[11:48:14] 403 - 298B - /server-status
[11:49:13] 301 - 307B - /wiki -> http://blocky.htb/wiki/
[11:49:13] 200 - 380B - /wiki/
[11:49:14] 301 - 311B - /wp-admin -> http://blocky.htb/wp-admin/
[11:49:14] 200 - 1B - /wp-admin/admin-ajax.php
[11:49:14] 500 - 4KB - /wp-admin/setup-config.php
[11:49:14] 200 - 0B - /wp-config.php
[11:49:15] 200 - 1KB - /wp-admin/install.php
[11:49:17] 200 - 0B - /wp-content/
[11:49:17] 301 - 313B - /wp-content -> http://blocky.htb/wp-content/
[11:49:17] 200 - 69B - /wp-content/plugins/akismet/akismet.php
[11:49:18] 500 - 0B - /wp-content/plugins/hello.php
[11:49:18] 200 - 0B - /wp-cron.php
[11:49:18] 500 - 0B - /wp-includes/rss-functions.php
[11:49:18] 301 - 314B - /wp-includes -> http://blocky.htb/wp-includes/
[11:49:19] 200 - 964B - /wp-content/uploads/
[11:49:19] 302 - 0B - /wp-signup.php -> http://blocky.htb/wp-login.php?action=register
[11:49:19] 200 - 2KB - /wp-login.php
[11:49:21] 302 - 0B - /wp-admin/ -> http://blocky.htb/wp-login.php?redirect_to=http%3A%2F%2Fblocky.htb%2Fwp-admin%2F&reauth=1
[11:49:22] 405 - 42B - /xmlrpc.php
[11:50:32] 200 - 40KB - /wp-includes/
Task Completed
Directory 1: http://blocky.htb/plugins/
Browsing the /plugins directory shows two jar files; download them for inspection.
Opening BlockyCore.jar in jd-gui reveals a SQL username and password: root 8YsqfCTnvxAUeduzjNSXe22
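A defender-side check for the finding above, as an added example that is not part of the original write-up: it parses the constant pool of every .class file in a JAR and reports the string literals of any class that names a credential-like field, which is how a hard-coded database password in a web-exposed plugin JAR can be caught before deployment. The sample JAR, class name and literal values are constructed here, not taken from the box.

```python
# Added example: scan a JAR's .class constant pools for string literals (the sample JAR below is constructed).
import io, re, struct, zipfile

FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}   # payload size per constant-pool tag
HINT = re.compile(r"(?i)pass(word|wd)?|secret|jdbc:|token")  # field names suggesting a credential

def parse_pool(data: bytes) -> dict:
    """Return {index: (tag, payload)}; payload is text for Utf8, target index for String."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", data, 8)
    pool, pos, i = {}, 10, 1
    while i < count:
        tag = data[pos]
        if tag == 1:                                   # CONSTANT_Utf8: u2 length + bytes
            (n,) = struct.unpack_from(">H", data, pos + 1)
            pool[i] = (1, data[pos + 3:pos + 3 + n].decode("utf-8", "replace"))
            pos += 3 + n
        elif tag == 8:                                 # CONSTANT_String: u2 index of a Utf8 entry
            pool[i] = (8, struct.unpack_from(">H", data, pos + 1)[0])
            pos += 3
        else:
            pool[i] = (tag, None)
            pos += 1 + FIXED[tag]
        i += 2 if tag in (5, 6) else 1                 # Long/Double occupy two pool slots
    return pool

def find_secrets(jar: bytes) -> dict:
    """Map class path -> its string literals, for classes that name a credential-like field."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        for name in filter(lambda n: n.endswith(".class"), zf.namelist()):
            pool = parse_pool(zf.read(name))
            literals = [pool[v][1] for t, v in pool.values() if t == 8]
            if literals and any(HINT.search(v) for t, v in pool.values() if t == 1):
                hits[name] = literals
    return hits

def sample_jar() -> bytes:
    # Constructed JAR: one class with sqlHost/sqlPass fields and two string literals.
    utf8 = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    string = lambda idx: b"\x08" + struct.pack(">H", idx)
    cp = [utf8("sqlHost"), utf8("sqlPass"), utf8("Ljava/lang/String;"), utf8("localhost"),
          string(4), utf8("EXAMPLE_NOT_REAL"), string(6), utf8("<init>")]
    cls = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(cp) + 1) + b"".join(cp)
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("com/example/Core.class", cls + struct.pack(">HHH", 0x21, 0, 0))
    return buf.getvalue()
```

Run `find_secrets(open("BlockyCore.jar", "rb").read())` against a real JAR; every reported literal next to a `sqlPass`-style field is a candidate secret to rotate and move out of the artifact.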
ssh login as root: failed
root cannot log in over ssh, so look for other users. Back on the website there is a user named notch, probably also a system user; try ssh with that account.
ssh login as notch: succeeded
Directory 2: http://blocky.htb/phpmyadmin/
Logging in to phpMyAdmin with root / 8YsqfCTnvxAUeduzjNSXe22 succeeds.
2 Privilege escalation
sudo -l
Output: User notch may run the following commands on Blocky, i.e. notch may run the listed commands on Blocky, and ALL means every command.
sudo su