# Lab setup
Download: Zero
Network: NAT, IP: 192.168.1.138
# Penetration process
# Initial information gathering
```
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.56 (Debian)
8080/tcp open  http    PHP cli server 5.5 or later (PHP 8.1.0-dev)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 00:0C:29:E1:E3:B3 (VMware)
```
No obvious leads, so let's take a look at UDP.
```
PORT     STATE         SERVICE
68/udp   open|filtered dhcpc
5353/udp open|filtered zeroconf
```
Still no leads. The version information on 8080 is PHP 8.1.0-dev.
A search turns up an RCE. Off we go.
```
┌──(root㉿kali)-[~]
└─# python3 49933.py
Enter the full host url:
http://192.168.1.138:8080/
```
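Got a shell, and I spawned another one from it. When I ran ps to look at the processes, the command was not there; I realized something was off, and it is probably a restricted shell.

Damn it, I couldn't break out of it.

The history contains a set of SSH credentials: liam/L14mD0ck3Rp0w4

Logging in with them gives an initial shell.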
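# Privilege escalation
After `sudo -l` I found wine. I didn't know what it was; after `-h` I realized it might be a Windows emulator? I added a `cmd.exe` argument and went straight into a shell, with root privileges. Nice.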
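A sudoers rule that names a command without an argument list accepts any arguments, which is why a program launcher such as wine turns into a root shell. The audit of `sudo -l` output below is an added example, not part of the original write-up; the sample output, the host name `zero`, the `LAUNCHERS` list and the `audit` function are assumptions made for illustration.

```python
import os
import re

# Constructed sample of `sudo -l` output; the write-up does not show the real one.
SAMPLE = """\
Matching Defaults entries for liam on zero:
    env_reset, mail_badpass

User liam may run the following commands on zero:
    (root) NOPASSWD: /usr/bin/wine
    (root) /usr/sbin/service apache2 restart, /usr/bin/python3 /opt/backup.py
"""

# Assumption: illustrative, incomplete list of programs that start other programs.
LAUNCHERS = {"wine", "env", "bash", "sh", "python3", "perl", "find", "vim"}

RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<spec>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...


def audit(sudo_l_output):
    """Return (runas, command, reason) for every rule worth reviewing."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults, headers, blank lines
        runas = m["runas"].split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue  # only rules that can run as root matter here
        # Naive split: escaped commas inside arguments are not handled.
        for cmd in m["spec"].split(","):
            parts = TAGS.sub("", cmd.strip()).split(None, 1)
            if not parts:
                continue
            path = parts[0]
            args = parts[1] if len(parts) > 1 else None
            if path == "ALL":
                findings.append((runas, path, "any command allowed"))
            elif os.path.basename(path) in LAUNCHERS and args is None:
                # No argument list in the rule means any arguments match.
                findings.append((runas, path, "launcher with free arguments"))
    return findings


if __name__ == "__main__":
    for runas, path, reason in audit(SAMPLE):
        print(f"review: {path} as {runas}: {reason}")
```

A rule flagged this way is fixed by removing it or by pinning its arguments in sudoers; an empty `""` argument list means the command may only be run with no arguments.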
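# Summary
Once again this comes down to privilege abuse. You need to recognize a restricted shell, otherwise you will waste time.
Gather information while inside the restricted shell.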