writeup walkthrough
Enumeration
Enumerate the web application for a username.
Foothold
Brute-force the SSH service. You can get away with a smaller wordlist if it’s the right one.
Privilege Escalation
Check for SUID permissions. It is very straightforward to exploit.
192.168.222.142
1. Port scan
nmap 192.168.222.142
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-11 09:17 CST
Nmap scan report for 192.168.222.142
Host is up (0.29s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
nmap -sC -sV -p 22,80 192.168.222.142
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-11 09:30 CST
Nmap scan report for 192.168.222.142
Host is up (0.28s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 3ea36f6403331e76f8e498febee98e58 (RSA)
| 256 6c0eb500e742444865effed77ce664d5 (ECDSA)
|_ 256 b751f2f9855766a865542e05f940d2f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Gaara
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.98 seconds
nmap -p- 192.168.222.142 # scan all 65535 ports
nmap -sC -sV -p 22,80 192.168.222.142
-sC: enables default script scanning, which runs a set of NSE scripts against the open ports to gather additional information about the services running on them.
-sV: enables version detection, which tries to determine the version of the service running on each open port.
-p 22,80: specifies the list of ports to scan, here port 22 (SSH) and port 80 (HTTP).
Port 22 is the SSH port, used for remote SSH connections; the usual attack directions are brute-forcing, SSH tunnelling and internal network forwarding, and file storage (file transfer).
Port 80 is the web service port; it is usually approached with web attacks, brute-forcing, and vulnerabilities in the corresponding server version.
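As an added example (not part of the original writeup), a small Python parser that turns the nmap -sC -sV output above into structured records, attaching NSE script lines such as ssh-hostkey to the port they belong to; the sample text is the scan output from this page, embedded inline, and the function names are my own.

```python
import re

# Constructed sample: the nmap -sC -sV output shown earlier in this writeup.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 3ea36f6403331e76f8e498febee98e58 (RSA)
| 256 6c0eb500e742444865effed77ce664d5 (ECDSA)
|_ 256 b751f2f9855766a865542e05f940d2f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Gaara
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# "<port>/<proto> <state> <service> [<version ...>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SCRIPT_RE = re.compile(r"^([\w-]+):\s*(.*)$")  # "<script-name>: [<value>]"


def parse_nmap_ports(text):
    """One dict per port line; NSE '|' lines go under 'scripts' as {name: [lines]}."""
    ports, current_script = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("PORT ", "Service Info")):
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version or "",
                          "scripts": {}})
            current_script = None
        elif line.startswith("|") and ports:
            body = line.lstrip("|_").strip()
            sm = SCRIPT_RE.match(body)
            if sm:  # new script block, e.g. "ssh-hostkey:" or "http-title: Gaara"
                current_script = sm.group(1)
                entry = ports[-1]["scripts"].setdefault(current_script, [])
                if sm.group(2):
                    entry.append(sm.group(2))
            elif current_script:  # continuation line of the current script
                ports[-1]["scripts"][current_script].append(body)
    return ports


def inventory(ports):
    """One 'port/proto service version' line per open port, for asset records."""
    return [f"{p['port']}/{p['proto']} {p['service']} {p['version']}".strip()
            for p in ports if p["state"] == "open"]
```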
2. Directory enumeration
gobuster dir -u http://192.168.222.142 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
gobuster dir -e -u http://192.168.222.142/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
The bundled wordlists are under /usr/share/dirbuster/wordlists
===============================================================
2023/08/11 15:52:54 Starting gobuster in directory enumeration mode
===============================================================