Port scanning

sudo nmap --min-rate 10000 -p- 10.10.253.243 
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-29 06:01 UTC
Warning: 10.10.253.243 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.253.243
Host is up (0.35s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
sudo nmap -sT -sV -sC -O -p22,80 10.10.253.243
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-29 06:02 UTC
Nmap scan report for 10.10.253.243
Host is up (0.25s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 57:20:82:3c:62:aa:8f:42:23:c0:b8:93:99:6f:49:9c (DSA)
| 2048 4c:40:db:32:64:0d:11:0c:ef:4f:b8:5b:73:9b:c7:6b (RSA)
| 256 f7:6f:78:d5:83:52:a6:4d:da:21:3c:55:47:b7:2d:6d (ECDSA)
|_ 256 a5:b4:f0:84:b6:a7:8d:eb:0a:9d:3e:74:37:33:65:16 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: 0day
|_http-server-header: Apache/2.4.7 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (96%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (93%), Sony Android TV (Android 5.0) (93%), Android 5.0 - 6.0.1 (Linux 3.4) (93%), Android 5.1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.80 seconds
sudo nmap --script=vuln -p22,80 10.10.253.243
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-29 06:02 UTC
Nmap scan report for 10.10.253.243
Host is up (0.26s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-enum:
| /admin/: Possible admin folder
| /admin/index.html: Possible admin folder
| /backup/: Possible backup
| /robots.txt: Robots file
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| /img/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| /js/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| /secret/: Potentially interesting folder
|_ /uploads/: Potentially interesting folder

Nmap done: 1 IP address (1 host up) scanned in 347.83 seconds

Web

Visiting the web service

feroxbuster --url=http://10.10.253.243/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

Found a fairly useful /backup/ directory containing a private key, but it can't be used, can't be cracked, and we don't know the username yet either. Since the room's tags include shellshock, which I had looked into a little before,

and the directory scan happened to include a cgi-bin result,

I guessed a common filename, http://10.10.253.243/cgi-bin/test.cgi, which returned a Hello World!

This indicates Shellshock is present.
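As an added, defender-side example that is not part of the original writeup: a Shellshock probe against a CGI script works because mod_cgi copies request headers into the script's environment, where a vulnerable bash parses a `() {` function definition. The Python below scans constructed Apache combined-format access-log lines (sample data, not from the room) for that signature in the request line, Referer and User-Agent fields; log paths and field names are assumptions.

```python
import re
from typing import Dict, List

# Bash function-definition prefix that a Shellshock-vulnerable bash evaluates from any
# environment variable; whitespace between the tokens is optional, so match it loosely.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" log format; Referer and User-Agent are the two quoted fields at the end.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: one benign CGI hit, one probe in User-Agent, one in Referer,
# and one unrelated static-file request.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Nov/2023:06:10:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 13 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [29/Nov/2023:06:10:07 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 13 "-" "() { :; }; echo vulnerable"',
    '10.0.0.9 - - [29/Nov/2023:06:10:09 +0000] "GET /index.html HTTP/1.1" 200 512 "() { :;}; echo x" "curl/7.68.0"',
    '10.0.0.7 - - [29/Nov/2023:06:10:11 +0000] "GET /js/app.js HTTP/1.1" 200 90 "-" "Mozilla/5.0 (X11; Linux)"',
]


def is_shellshock_probe(value: str) -> bool:
    """True if the value carries a bash function-definition prefix."""
    return bool(SHELLSHOCK_RE.search(value))


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per log line whose request, Referer or User-Agent carries the signature."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not combined format; a real deployment would log and skip
        parts = match.group("request").split(" ")
        path = parts[1] if len(parts) >= 2 else match.group("request")
        for field in ("request", "referer", "ua"):
            if is_shellshock_probe(match.group(field)):
                hits.append({"line": number, "ip": match.group("ip"), "field": field, "path": path})
                break  # one alert per line is enough; the source IP is what matters
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} sent a Shellshock probe in {hit['field']} to {hit['path']}")
```

Because the pattern is small and plain, the same check is what a WAF or ModSecurity rule for this bug inspects; a hit against a path under /cgi-bin/ on an Apache 2.4.7 host like this one is high priority.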

Getshell

Exploitation tool:

https://github.com/nccgroup/shocker

python2 shocker.py -H 10.10.253.243 -c /cgi-bin/test.cgi

Commands can be executed directly.

Start a listener and run a reverse shell.

Privilege escalation

There is also a user called ryan, but that may not be of any use.

The room hints that the operating system is somewhat old. I uploaded linpeas and checked the results: linux/local/37292.c can be used for kernel privilege escalation, but for some reason compiling it throws an error:

gcc 37292.c -o exp
gcc 37292.c -o exp
gcc: error trying to exec ‘cc1’: execvp: No such file or directory

Compiling Dirty COW failed as well.

Perhaps it is due to the shell environment, so I switched to the Shellshock module in msf:

exploit/multi/http/apache_mod_cgi_bash_env_exec

After setting RHOSTS, LHOST and TARGETURI, we get a shell.

gcc 37292.c -o 37292
chmod +x 37292

Running it, privilege escalation succeeds.

Afterthoughts

This was my first time encountering the famous Shellshock; it is worth learning more about it. Also, the kernel privilege escalation part took a long time, and I still don't know why it just wouldn't compile.