欢迎来到boot2root CTF挑战“LAMPSecurity:CTF8”由madirsh2600上传到vulnhub。因为,有一个主题,你需要获取flag以完成挑战,下载地址。
https://www.vulnhub.com/entry/lampsecurity-ctf8,87/
根据作者描述,该漏洞靶机环境有很多种技术可以获得root权限。但这中间并没有利用开发/缓冲区溢出。因此,根据我们的经验和知识,即可渗透并获取相关flag值。
使用级别: 初学者
渗透方法:
网络扫描(Nmap)
浏览HTTP Web服务
Web漏洞分析(Nikto)
目录扫描(Dirb)
Burpsuite捕获和修改请求
破解密码哈希(John - The Ripper)
SSH暴力(medusa)
在不同阶段搜索并捕获flag
渗透过程
使用IPscan扫描一下ip段
浏览器访问
nmap扫描一下
C:\Users\sec>nmap -A 172.16.1.186
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-29 20:01 ?D1ú±ê×?ê±??
Nmap scan report for 172.16.1.186
Host is up (0.00031s latency).
Not shown: 981 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 4096 Jun 05 2013 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 172.16.1.1
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 2.0.5 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 5e:ca:64:f0:7f:d2:1a:a2:86:c6:1f:c2:2a:b3:6b:27 (DSA)
|_ 2048 a3:39:2d:9f:66:96:0d:82:ad:52:1f:a1:dc:b1:f1:54 (RSA)
25/tcp open smtp Sendmail
| smtp-commands: localhost.localdomain Hello [172.16.1.1], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP,
|_ 2.0.0 This is sendmail 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp open http Apache httpd 2.2.3 ((CentOS))
|_http-favicon: Drupal CMS
| http-git:
| 172.16.1.186:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: initial commit
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /sites/ /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /install.php /INSTALL.txt /LICENSE.txt
|_/MAINTAINERS.txt
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: LAMPSecurity Research
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 943/udp status
|_ 100024 1 946/tcp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))
| http-robots.txt: 36 disallowed entries (1