十念 posted on 2024-9-22 17:33:34

Target practice log: SickOS 1.1

https://www.vulnhub.com/entry/sickos-11,132/
Host discovery and port scanning


[*] Probe for live hosts; 136 is the target, because the target was the last machine I added
nmap -sP 192.168.75.0/24
//
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 11:36 CST
Nmap scan report for 192.168.75.1
Host is up (0.00038s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.75.2
Host is up (0.00031s latency).
MAC Address: 00:50:56:FB:CA:45 (VMware)
Nmap scan report for 192.168.75.136
Host is up (0.00049s latency).
MAC Address: 00:0C:29:62:FB:04 (VMware)
Nmap scan report for 192.168.75.254
Host is up (0.00027s latency).
MAC Address: 00:50:56:F8:B3:1A (VMware)
Nmap scan report for 192.168.75.131
Host is up.
[*] Scan all open ports on the target
nmap -sT -min-rate 10000 -p- 192.168.75.136
//
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 11:41 CST
Nmap scan report for 192.168.75.136
Host is up (0.00075s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
3128/tcp open   squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:62:FB:04 (VMware)
[*] Check the service versions and the OS version
nmap -sT -min-rate 10000 -p- 192.168.75.136
//
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 11:41 CST
Nmap scan report for 192.168.75.136
Host is up (0.00075s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
3128/tcp open   squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:62:FB:04 (VMware)
[*] Scan for vulnerabilities with scripts
nmap -script=vuln -p 22,3128,8080 192.168.75.136 -oA Desktop/test/vuln
//
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 11:46 CST
Nmap scan report for 192.168.75.136
Host is up (0.00085s latency).

PORT     STATE  SERVICE
22/tcp   open   ssh
3128/tcp open   squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:62:FB:04 (VMware)
Web penetration


[*] Only 8080 is closed; the only open ports are 3128, running the squid proxy service, and ssh. Visiting 3128 returns
ERROR
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: /
    Invalid URL
Some aspect of the requested URL is incorrect.
Some possible problems are:
    Missing or incorrect access protocol (should be "http://" or similar)
    Missing hostname
    Illegal double-escape in the URL-Path
    Illegal character in hostname; underscores are not allowed.
Your cache administrator is webmaster.
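Generated Sun, 22 Sep 2024 06:03:35 GMT by localhost (squid/3.1.19)
From this we can see the version is 3.1.19. Because it is a proxy server, it is probably proxying something, most likely port 80
[*] Because my Firefox is connected to Burp's proxy address, reaching other sites through the proxy while still capturing the traffic requires configuring Burp's upstream proxy server
Roughly at: network->connection->upstreamserver; just add the proxy address 192.168.75.136:3128 there
[*] Visiting 192.168.75.136 now returns a page, which means port 80 is being proxied behind 192.168.75.136:3128
# Content
BLEHHH!!! is an internet slang term
[*] Scan directories; the proxy server has to be specified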
python .\dirsearch.py -u http://192.168.75.136 --proxy 192.168.75.136:3128
//
403 -243B- /cgi-bin/
200 -109B- /connect
403 -239B- /doc/
403 -242B- /doc/api/
403 -247B- /doc/html/index.html
403 -249B- /doc/en/changes.html
403 -247B- /doc/stable.version
200 -   58B- /robots.txt
403 -242B- /server-status
403 -242B- /server-status/
Found robots.txt and connect

[*] Contents of connect
#!/usr/bin/python

print "I Try to connect things very frequently\n"
print "You may want to try my services"
[*] Contents of robots.txt
User-agent: *
Disallow: /
Dissalow: /wolfcms
This gives us a hint: wolfcms

[*] Visiting /wolfcms shows a content management system (CMS); brute-force its directories
python .\dirsearch.py -u http://192.168.75.136/wolfcms --proxy 192.168.75.136:3128
//
200 -403B- /wolfcms/composer.json
....
200 -    4KB - /wolfcms/CONTRIBUTING.md
301 -253B- /wolfcms/docs->http://192.168.75.136/wolfcms/docs/
200 -512B- /wolfcms/docs/
200 -    2KB - /wolfcms/docs/updating.txt
200 -894B- /wolfcms/favicon.ico
301 -257B- /wolfcms/public->http://192.168.75.136/wolfcms/public/
200 -462B- /wolfcms/public/
200 -    2KB - /wolfcms/README.md
200 -   20B- /wolfcms/robots.txt
Found robots.txt and readme.md
On visiting them, robots.txt is empty and readme.md contains the setup instructions
[*] Looking it up shows that the admin login address is /wolfcms/?/admin/login
https://img2024.cnblogs.com/blog/3504763/202409/3504763-20240922154838965-1091929498.png
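Searched online for the default username and password and tried them; login failed
Used Burp to brute-force, with the account set to admin and a password dictionary
The brute-force succeeded; the username and password are both admin
Getting an initial shell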

After logging in, look for something exploitable; found uploadfile
Under file→Uploadfile
Upload a file containing reverse-shell code
//getshell.php
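
The walkthrough above reaches the target's otherwise filtered web server, and brute-forces its directories, by sending every request through the Squid proxy on 3128. As an added example that is not part of the original post, this Python script reads Squid native-format access.log lines, picks out clients using the proxy to reach the proxy host itself, and flags bursts of 403/404 answers; the log lines are constructed, and the self-address set and the `burst` threshold are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: names/addresses of the proxy host itself (lab IP from the post, plus loopback).
PROXY_SELF = {"192.168.75.136", "127.0.0.1", "localhost"}

# Constructed sample in Squid's native access.log format:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1726984800.101 12 192.168.75.131 TCP_MISS/200 380 GET http://192.168.75.136/ - DIRECT/192.168.75.136 text/html
1726984812.440 9 192.168.75.131 TCP_MISS/403 243 GET http://192.168.75.136/cgi-bin/ - DIRECT/192.168.75.136 text/html
1726984812.461 8 192.168.75.131 TCP_MISS/200 109 GET http://192.168.75.136/connect - DIRECT/192.168.75.136 text/plain
1726984812.502 7 192.168.75.131 TCP_MISS/403 239 GET http://192.168.75.136/doc/ - DIRECT/192.168.75.136 text/html
1726984812.530 7 192.168.75.131 TCP_MISS/403 242 GET http://192.168.75.136/doc/api/ - DIRECT/192.168.75.136 text/html
1726984812.577 6 192.168.75.131 TCP_MISS/200 58 GET http://192.168.75.136/robots.txt - DIRECT/192.168.75.136 text/plain
1726984812.601 6 192.168.75.131 TCP_MISS/403 242 GET http://192.168.75.136/server-status - DIRECT/192.168.75.136 text/html
1726984900.000 88 192.168.75.1 TCP_MISS/200 1256 GET http://example.org/ - DIRECT/203.0.113.10 text/html
"""

def parse_line(line):
    """Split one native-format line into the fields used below, or None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    url = f[6]
    if "://" in url:
        parts = urlsplit(url)
        host, path = parts.hostname, parts.path or "/"
    else:  # CONNECT requests are logged as host:port
        host, path = url.rsplit(":", 1)[0], ""
    return {"client": f[2], "status": f[3].rsplit("/", 1)[-1], "host": host, "path": path}

def find_self_proxying(log_text, self_hosts=PROXY_SELF, burst=4):
    """Per client: requests the proxy relayed to its own host, and whether they look like a scan."""
    hits = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] not in self_hosts:
            continue
        h = hits[rec["client"]]
        h["requests"] += 1
        h["paths"].add(rec["path"])
        h["errors"] += rec["status"] in {"403", "404"}
    # Assumption: `burst` or more 403/404 answers from one client marks directory brute-forcing.
    return {c: {**h, "scan_like": h["errors"] >= burst} for c, h in hits.items()}

if __name__ == "__main__":
    for client, info in find_self_proxying(SAMPLE_LOG).items():
        print(client, info["requests"], "requests, scan_like =", info["scan_like"])
```

The matching preventive control is a Squid `http_access deny` rule on a `dst` ACL covering the proxy host's own addresses, so that services filtered at the network edge are not reachable through 3128.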