vulnhub-sickos1.2
forg12

Overview

Information Gathering

Host Discovery

sudo nmap -sP 192.168.2.0/24          

Nmap scan report for 192.168.2.181
Host is up (0.11s latency).

Port Scanning

nmap -p-  192.168.2.181                   
Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for 192.168.2.181
Host is up (0.013s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Service Detection

nmap -p22,80 -sV -A -T4  192.168.2.181 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-18 14:17 CST
Nmap scan report for 192.168.2.181
Host is up (0.012s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
| 2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_ 256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open http lighttpd 1.4.28
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: lighttpd/1.4.28
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.73 seconds

80


Directory Enumeration

dirsearch -u http://192.168.2.181/ -x 403


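Exploitation

No other ports are open, and the web root exposes only a test path, which contains nothing of interest and only reveals that the web server software is lighttpd. Capture a request and use the OPTIONS method to see which request methods are allowed.

The allowed methods include PUT, so use PUT to upload a phpinfo file and see whether it gets parsed.

It is parsed. After uploading a webshell, connect to it with AntSword to obtain low-privileged access.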
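A detection-side view of the PUT upload described above, as an added example that is not part of the original write-up: it scans web access logs for successful PUT requests that create script files and counts later successful requests to those files. The log lines, the extension list and the function name are constructed for illustration.

```python
import re

# Extensions a web server would typically hand to an interpreter
# (assumed list for this example; adjust to the server's handler config).
SCRIPT_EXT = (".php", ".phtml", ".php5", ".cgi", ".pl")
# client ... "METHOD target HTTP/x.y" status
REQ = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample access-log lines (combined-style format).
SAMPLE_LOG = """\
192.168.2.50 - - [18/Aug/2022:14:28:01 +0800] "OPTIONS /test/ HTTP/1.1" 200 0
192.168.2.50 - - [18/Aug/2022:14:28:30 +0800] "PUT /test/info.php HTTP/1.1" 201 0
192.168.2.50 - - [18/Aug/2022:14:29:40 +0800] "GET /test/info.php HTTP/1.1" 200 48211
192.168.2.77 - - [18/Aug/2022:14:30:02 +0800] "PUT /test/notes.txt HTTP/1.1" 201 0
192.168.2.77 - - [18/Aug/2022:14:30:09 +0800] "PUT /test/a.php HTTP/1.1" 403 345
192.168.2.50 - - [18/Aug/2022:14:33:37 +0800] "POST /test/info.php?x=1 HTTP/1.1" 200 12
"""

def find_uploaded_scripts(log_text):
    """Return one finding per script file written with a successful PUT,
    with the number of later successful GET/POST requests to that file."""
    findings = {}  # path -> finding dict, kept in upload order
    for line in log_text.splitlines():
        m = REQ.match(line)
        if not m:
            continue  # skip lines that are not request entries
        client, method, target, status = m.groups()
        path = target.split("?", 1)[0]   # ignore the query string
        ok = status.startswith("2")      # only requests the server accepted
        if method == "PUT" and ok and path.lower().endswith(SCRIPT_EXT):
            findings[path] = {"path": path, "uploader": client,
                              "later_hits": 0}
        elif path in findings and ok and method in ("GET", "POST"):
            findings[path]["later_hits"] += 1
    return list(findings.values())

if __name__ == "__main__":
    for f in find_uploaded_scripts(SAMPLE_LOG):
        print(f"{f['uploader']} PUT {f['path']} "
              f"-> {f['later_hits']} later request(s)")
```

A finding with `later_hits` above zero means an uploaded script was subsequently requested, which is the point at which a PUT-enabled directory turns into code execution.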

Privilege Escalation