OffSec Labs Proving Grounds Play: FunboxEasyEnum

FunboxEasyEnum writeup walkthrough

Funbox: EasyEnum ~ VulnHub

Enumeration

Brute-force the web server’s files and directories. Be sure to check for common file extensions.

Remote Code Execution

Leverage the file upload vulnerability to obtain RCE.

Privilege Escalation

Enumerate system users. One of them has an easy-to-guess password that you can use to SSH in. Then, check your sudo permissions.

Port scan

nmap 192.168.221.132
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Visiting port 80 shows the default Apache page.

nmap -sV -sC -T4 -p- IP
nmap -p- -sC -sV IP

nmap -p- -sC -sV 192.168.221.132
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-12 08:08 CST
Stats: 0:07:47 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 21.54% done; ETC: 08:44 (0:28:17 remaining)
Nmap scan report for 192.168.221.132 (192.168.221.132)
Host is up (0.26s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 9c52325b8bf638c77fa1b704854954f3 (RSA)
|   256 d6135606153624ad655e7aa18ce564f4 (ECDSA)
|_  256 1ba9f35ad05183183a23ddc4a9be59f0 (ED25519)
80/tcp    open     http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
42569/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2086.94 seconds

nmap IP -sCV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

A note on the nmap options used above. Some of them appear in several commands; a combined flag such as -sCV is simply -sC and -sV written together. Each option is listed once:

-sC: run nmap's default NSE script set, which collects extra information about each detected service (the ssh-hostkey, http-title and http-server-header lines above come from these scripts).
-sV: version detection; nmap probes each open port to identify the service and its version.
-sCV: shorthand for -sC -sV, i.e. default scripts plus version detection.
-p-: scan every port, 1 through 65535, instead of nmap's default port list.
-T4: the "aggressive" timing template, which makes the scan faster.
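The scan output above is plain text, which is awkward to keep and compare across runs. As an added example (my code, not part of the original write-up and not nmap's own), here is a small parser for nmap's normal-format output: it turns the port table into one record per port, attaches the NSE script lines ("| ..." and "|_ ...") to the port they belong to, and summarises the open services one per line, a form a defender can store and diff between scans of the same host. The sample input is the -sC -sV output quoted above, trimmed to the port table.

```python
"""Parse the port table of nmap's normal (stdout / -oN) output.

Added example, not code from the original write-up or from nmap. It reads
the text a -sC -sV scan prints, builds one record per port, attaches the
NSE script lines ("| ..." and "|_ ...") to the port they belong to, and
summarises the open services in one line each, which is a convenient form
to store and diff between scans of the same host.
"""
import re

HOST_RE = re.compile(r"^Nmap scan report for (?P<host>\S+)")
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)
SCRIPT_RE = re.compile(r"^\|_?\s*(?P<text>.*?)\s*$")

# Sample input: the scan output quoted above, trimmed to the port table.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.221.132 (192.168.221.132)
Host is up (0.26s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 9c52325b8bf638c77fa1b704854954f3 (RSA)
|   256 d6135606153624ad655e7aa18ce564f4 (ECDSA)
|_  256 1ba9f35ad05183183a23ddc4a9be59f0 (ED25519)
80/tcp    open     http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
42569/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""


def parse_nmap(text):
    """Return {"host": str, "ports": [record, ...]} for one host's normal-format output."""
    report = {"host": None, "ports": []}
    current = None  # the port record that following "| ..." script lines belong to
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_RE.match(line)
        if m:
            report["host"] = m.group("host")
            continue
        m = PORT_RE.match(line)
        if m:
            current = m.groupdict()
            current["port"] = int(current["port"])
            current["version"] = (current["version"] or "").strip()
            current["scripts"] = []
            report["ports"].append(current)
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            current["scripts"].append(m.group("text"))
    return report


def script_value(port_rec, script_name):
    """Value of a one-line NSE result such as http-title, or None if the port has none."""
    prefix = script_name + ":"
    for text in port_rec["scripts"]:
        if text.startswith(prefix):
            return text[len(prefix):].strip()
    return None


def open_services(report):
    """One 'port/proto service version' line per open port, in scan order."""
    return [
        f'{p["port"]}/{p["proto"]} {p["service"]} {p["version"]}'.rstrip()
        for p in report["ports"]
        if p["state"] == "open"
    ]


if __name__ == "__main__":
    rep = parse_nmap(SAMPLE_NMAP)
    print(rep["host"])
    for line in open_services(rep):
        print(" ", line)
    print("  title:", script_value(rep["ports"][1], "http-title"))
```

Feed it the saved output of a scan (nmap -oN scan.txt ...) and keep the open_services list under version control; a new line appearing between two runs is exactly the kind of exposure change an administrator wants to notice before an attacker does.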

Directory scan

A scan with the default options does not turn up anything useful:

gobuster dir -u http://192.168.221.132 -w /usr/share/dirb/wordlists/common.txt

[+] Url:                     http://192.168.221.132
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s

/.hta                 (Status: 403) [Size: 280]
/.htaccess            (Status: 403) [Size: 280]
/.htpasswd            (Status: 403) [Size: 280]
/index.html           (Status: 200) [Size: 10918]
/javascript           (Status: 301) [Size: 323] [--> http://192.168.221.132/javascript/]
/phpmyadmin           (Status: 301) [Size: 323] [--> http://192.168.221.132/phpmyadmin/]
/robots.txt           (Status: 200) [Size: 21]
/server-status        (Status: 403) [Size: 280]

You must add the file-extension option: -x php,txt,html

gobuster dir -u http://192.168.221.132 -w /usr/share/dirb/wordlists/common.txt -x php,txt,html

// search for PHP, text and HTML files

/.php                 (Status: 403) [Size: 280]
/.html                (Status: 403) [Size: 280]
/.hta                 (Status: 403) [Size: 280]
/.hta.php             (Status: 403) [Size: 280]
/.hta.txt             (Status: 403) [Size: 280]
/.htaccess.php        (Status: 403) [Size: 280]
/.htaccess            (Status: 403) [Size: 280]
/.htaccess.txt        (Status: 403) [Size: 280]
/.htpasswd.php        (Status: 403) [Size: 280]
/.htpasswd            (Status: 403) [Size: 280]
/.htaccess.html       (Status: 403) [Size: 280]
/.htpasswd.html       (Status: 403) [Size: 280]
/.htpasswd.txt        (Status: 403) [Size: 280]
/.hta.html            (Status: 403) [Size: 280]
/index.html           (Status: 200) [Size: 10918]
/index.html           (Status: 200) [Size: 10918]
/javascript           (Status: 301) [Size: 323] [--> http://192.168.221.132/javascript/]
/mini.php             (Status: 200) [Size: 3828]
/phpmyadmin           (Status: 301) [Size: 323] [--> http://192.168.221.132/phpmyadmin/]
/robots.txt           (Status: 200) [Size: 21]
/robots.txt           (Status: 200) [Size: 21]
/server-status        (Status: 403) [Size: 280]
gobuster dir -u http://10.0.2.26/ -w /opt/secLists/Discovery/web-Content/directory-list-2.3-medium.txt -t 100 -x php,txt

dirb http://ip
dirsearch -u http://192.168.221.132 -w /usr/share/wordlists/dirb/common.txt

python dirsearch.py -u 192.168.221.132 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --suffix=.php,.html,.aspx,.jsp,.js
curl 192.168.221.132/robots.txt   # same result as opening this URL in a browser
Allow: Enum_this_Box
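Seen from the server side, the extension brute-force above leaves an unmistakable trail in the web server's access log: one client requesting many wordlist names, each in several extension variants, and collecting mostly 403/404 answers in a short burst. The following is an added example (my code, not part of the original write-up or of gobuster). It constructs a few Apache combined-format log lines modelled on that trail and flags clients whose burst of misses crosses a threshold inside a sliding window, listing the extensions probed and which paths answered 200 to the same client, so an administrator knows what the scanner actually found (here /mini.php). The log lines, IPs and thresholds are all constructed for the example.

```python
"""Flag directory brute-forcing in Apache access logs.

Added example; this is not code from the original write-up or from any
of the tools it mentions. It constructs a few Apache combined-format log
lines that look like the trail a gobuster run with -x php,txt,html leaves
on the server, then reports client IPs whose burst of 403/404 answers to
wordlist-style paths reaches a threshold inside a sliding time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
MISS_STATUSES = {403, 404}

# Constructed sample log: a scanner burst from .1 and an ordinary visitor from .50.
SAMPLE_LOG = """\
192.168.221.1 - - [12/Aug/2023:08:30:00 +0800] "GET /.hta HTTP/1.1" 403 280 "-" "gobuster/3.5"
192.168.221.1 - - [12/Aug/2023:08:30:00 +0800] "GET /.hta.php HTTP/1.1" 403 280 "-" "gobuster/3.5"
192.168.221.1 - - [12/Aug/2023:08:30:00 +0800] "GET /.hta.txt HTTP/1.1" 403 280 "-" "gobuster/3.5"
192.168.221.1 - - [12/Aug/2023:08:30:01 +0800] "GET /admin.php HTTP/1.1" 404 275 "-" "gobuster/3.5"
192.168.221.1 - - [12/Aug/2023:08:30:01 +0800] "GET /backup.txt HTTP/1.1" 404 275 "-" "gobuster/3.5"
192.168.221.1 - - [12/Aug/2023:08:30:01 +0800] "GET /cgi-bin/ HTTP/1.1" 404 275 "-" "gobuster/3.5"
192.168.221.1 - - [12/Aug/2023:08:30:02 +0800] "GET /mini.php HTTP/1.1" 200 3828 "-" "gobuster/3.5"
192.168.221.50 - - [12/Aug/2023:08:31:10 +0800] "GET /index.html HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
192.168.221.50 - - [12/Aug/2023:08:31:11 +0800] "GET /favicon.ico HTTP/1.1" 404 275 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def extension_of(path):
    """Lower-cased extension of the last path segment; '' for dotfiles, directories and bare names."""
    name = path.rsplit("/", 1)[-1]
    stem, _, ext = name.rpartition(".")
    return ext.lower() if stem else ""


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any sliding window of length `window`."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_enumeration(log_text, window_seconds=60, threshold=5):
    """Return {ip: report} for clients whose 403/404 burst reaches `threshold` within `window_seconds`.

    Each report carries the miss count, the peak burst size, the file extensions
    that were probed (several variants of one stem is the signature of an -x scan),
    the user agents seen, and the paths that answered 200 to the same client, i.e.
    what the scanner actually found and what a defender should review first.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, recs in by_ip.items():
        misses = [r for r in recs if r["status"] in MISS_STATUSES]
        burst = max_in_window([r["ts"] for r in misses], window)
        if burst < threshold:
            continue
        flagged[ip] = {
            "misses": len(misses),
            "burst": burst,
            "extensions": sorted({e for e in (extension_of(r["path"]) for r in misses) if e}),
            "user_agents": sorted({r["ua"] for r in recs}),
            "hits": sorted({r["path"] for r in recs if r["status"] == 200}),
        }
    return flagged


if __name__ == "__main__":
    for ip, report in detect_enumeration(SAMPLE_LOG).items():
        print(ip, report)
```

The threshold and window are deliberately parameters: a busy site with many broken links needs a higher bar than a single-page default install like this one. Matching on the User-Agent alone is not enough, since it is trivially changed; the burst of misses is the robust signal, and the "hits" list tells you which of the discovered files (here /mini.php) to go and remove or lock down.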


In Kali, search for dirbuster.

Drag the window larger; the Start button is at the bottom right.

Scan results

File upload vulnerability
