文章目录
- 端口扫描
- 目录扫描
- 文件上传漏洞利用
- 查看用户
- 爆破密码
- sudo提权
- flag位置
FunboxEasyEnum writeup walkthrough
Funbox: EasyEnum ~ VulnHub
Enumeration
Brute-force the web server’s files and directories. Be sure to check for common file extensions.
Remote Code Execution
Leverage the file upload vulnerability to obtain RCE.
Privilege Escalation
Enumerate system users. One of them has an easy to guess password that you can use to SSH in. Then, check your sudo permissions.
端口扫描
nmap 192.168.221.132
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
访问80端口,是默认的 Apache 网页
nmap -sV -sC -T4 -p- IP
nmap -p- -sC -sV IP
nmap -p- -sC -sV 192.168.221.132
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-12 08:08 CST
Stats: 0:07:47 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 21.54% done; ETC: 08:44 (0:28:17 remaining)
Nmap scan report for 192.168.221.132 (192.168.221.132)
Host is up (0.26s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 9c52325b8bf638c77fa1b704854954f3 (RSA)
| 256 d6135606153624ad655e7aa18ce564f4 (ECDSA)
|_ 256 1ba9f35ad05183183a23ddc4a9be59f0 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
42569/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2086.94 seconds
nmap IP -sCV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
当涉及到 nmap 中的参数时,有一些参数可能会被多次使用,因为它们在不同的命令中有不同的用途。下面是这些参数的含义,其中重复的参数只显示一次:
-sCV:
-s: 指定扫描类型。C 表示连接扫描,即使用 TCP Connect 扫描。
-V: 启用版本探测,nmap将尝试确定目标主机上运行的服务的版本信息。
-p-:
-p: 指定要扫描的端口范围。- 表示扫描所有可能的端口(从端口1到65535)。
-sC:
-s: 指定扫描类型。C 表示连接扫描,即使用 TCP Connect 扫描。
-C: 启用默认脚本扫描。nmap将运行一些默认的脚本来获取更多关于目标的信息。
-sV:
-s: 指定扫描类型。V 表示版本探测扫描。
-V: 启用版本探测,nmap将尝试确定目标主机上运行的服务的版本信息。
-T4:
-T: 设置扫描速度/时间模式。4 表示 "Aggressive" 模式,即较快的扫描速度。
目录扫描
扫不出结果
gobuster dir -u http://192.168.221.132 -w /usr/share/dirb/wordlists/common.txt
[+] Url: http://192.168.221.132
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
/.hta (Status: 403) [Size: 280]
/.htaccess (Status: 403) [Size: 280]
/.htpasswd (Status: 403) [Size: 280]
/index.html (Status: 200) [Size: 10918]
/javascript (Status: 301) [Size: 323] [--> http://192.168.221.132/javascript/]
/phpmyadmin (Status: 301) [Size: 323] [--> http://192.168.221.132/phpmyadmin/]
/robots.txt (Status: 200) [Size: 21]
/server-status (Status: 403) [Size: 280]
必须要加上后缀 -x php,txt,html
gobuster dir -u http://192.168.221.132 -w /usr/share/dirb/wordlists/common.txt -x php,txt,html
//搜索 PHP、文本和 HTML 文件
/.php (Status: 403) [Size: 280]
/.html (Status: 403) [Size: 280]
/.hta (Status: 403) [Size: 280]
/.hta.php (Status: 403) [Size: 280]
/.hta.txt (Status: 403) [Size: 280]
/.htaccess.php (Status: 403) [Size: 280]
/.htaccess (Status: 403) [Size: 280]
/.htaccess.txt (Status: 403) [Size: 280]
/.htpasswd.php (Status: 403) [Size: 280]
/.htpasswd (Status: 403) [Size: 280]
/.htaccess.html (Status: 403) [Size: 280]
/.htpasswd.html (Status: 403) [Size: 280]
/.htpasswd.txt (Status: 403) [Size: 280]
/.hta.html (Status: 403) [Size: 280]
/index.html (Status: 200) [Size: 10918]
/index.html (Status: 200) [Size: 10918]
/javascript (Status: 301) [Size: 323] [--> http://192.168.221.132/javascript/]
/mini.php (Status: 200) [Size: 3828]
/phpmyadmin (Status: 301) [Size: 323] [--> http://192.168.221.132/phpmyadmin/]
/robots.txt (Status: 200) [Size: 21]
/robots.txt (Status: 200) [Size: 21]
/server-status (Status: 403) [Size: 280]
gobuster dir -u http://10.0.2.26/ -w /opt/secLists/Discovery/web
-Content/directory-list-2.3-medium.txt
-t 100
-x php,txt
或
dirb http://ip
dirsearch -u http://192.168.221.132 -w /usr/share/wordlists/dirb/common.txt
python dirsearch.py -u 192.168.221.132 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --suffix=.php,.html,.aspx,.jsp,.js
curl 192.168.221.132/robots.txt #和访问这个网址效果一样
Allow: Enum_this_Box
或
kali搜索dirbuster
