Lab introduction
driftingblues7 | easy | standard pentest techniques, zip2john usage, john cracking, msf usage |
Information gathering
Host discovery
nmap -sn 192.168.1.0/24
Port scanning
# nmap -sV -A -p- -T4 192.168.1.190
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-26 05:49 EST
Nmap scan report for 192.168.1.190
Host is up (0.00088s latency).
Not shown: 65527 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 c4:fa:e5:5f:88:c1:a1:f0:51:8b:ae:e3:fb:c1:27:72 (RSA)
| 256 01:97:8b:bf:ad:ba:5c:78:a7:45:90:a1:0a:63:fc:21 (ECDSA)
|_ 256 45:28:39:e0:1b:a8:85:e0:c0:b0:fa:1f:00:8c:5e:d1 (ED25519)
66/tcp open http SimpleHTTPServer 0.6 (Python 2.7.5)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.5
|_http-title: Scalable Cost Effective Cloud Storage for Developers
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3
|_http-title: Did not follow redirect to https://192.168.1.190/
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
443/tcp open ssl/http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3)
| ssl-cert: Subject: commonName=localhost/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2021-04-03T14:37:22
|_Not valid after: 2022-04-03T14:37:22
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3
| http-title: EyesOfNetwork
|_Requested resource was /login.php##
|_ssl-date: TLS randomness does not represent time
2403/tcp open taskmaster2000?
3306/tcp open mysql MariaDB (unauthorized)
8086/tcp open http InfluxDB http admin 1.7.9
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
MAC Address: 08:00:27:F9:7E:0F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Directory scanning
gobuster dir -u http://192.168.1.190:66/ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
http://192.168.1.190:66/index_files/
http://192.168.1.190:66/eon
The scan turned up a useful file here.
After base64-decoding it, a file name and a zip archive header are visible.
We convert the base64 back into the archive file:
https://base64.guru/converter/decode/file
This yields a zip archive containing a single file, but we do not have the password, so the archive has to be cracked.
Cracking it with john recovers the password; after extracting the archive we obtain a username and password.
First use zip2john to create a hash from the zip file:
zip2john application.zip > hash
Then use john to crack the hash (the option is --wordlist with no space before the path):
john --wordlist=/usr/share/wordlists/rockyou.txt hash
With these credentials we log into the admin panel.
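An added offline alternative to the online converter step above (not part of the original writeup): decode the pasted base64 locally, confirm from its leading bytes that the result really is a zip, and check whether the members carry the encryption flag before reaching for zip2john. The function names and the sample archive are constructed for illustration.

```python
import base64
import binascii
import io
import zipfile

# Leading bytes of common archive formats, so a decoded blob can be identified offline.
MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z", b"\x1f\x8b": "gzip"}

def decode_blob(text):
    """Decode base64 copied from a page: drop whitespace, repair padding, reject bad input."""
    compact = "".join(text.split())
    compact += "=" * (-len(compact) % 4)
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None

def identify(data):
    """Archive type implied by the leading bytes, or None if unrecognised."""
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), None)

def zip_entries(data):
    """(name, encrypted) per member; bit 0 of the general-purpose flag marks a password-protected entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(info.filename, bool(info.flag_bits & 0x1)) for info in zf.infolist()]

def analyse(text):
    """Full pipeline: base64 text -> archive type and, for zips, the member list with encryption status."""
    data = decode_blob(text)
    if data is None:
        return ("invalid-base64", [])
    kind = identify(data)
    return (kind, zip_entries(data) if kind == "zip" else [])

def build_sample(encrypted):
    """Constructed fixture: a one-file zip, optionally with the encryption bit set in both headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("creds.txt", "user:pass\n")  # constructed content, not from the target
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x1  # local file header: flag bits live at offset 6
        data[data.find(b"PK\x01\x02") + 8] |= 0x1  # central directory header: flag bits at offset 8
    return bytes(data)

def sample_blob(encrypted):
    """Constructed input: the fixture base64-encoded and wrapped at 76 columns, as a page would show it."""
    b64 = base64.b64encode(build_sample(encrypted)).decode()
    return "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
```

Run `analyse()` on the blob pulled from the page; a member listed with `encrypted=True` is the cue that zip2john and john are needed, while `invalid-base64` or a non-zip type means the copy was mangled.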
Gaining access
Looking at this CMS version, it still has quite a few known vulnerabilities.
Here we got root directly, which I did not expect.
Getting the FLAG
Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】driftingblues7