VulNyx Druid靶机复盘
难度-Easy
VulNyx Druid靶机复盘
网段扫描
1
2
3
4
5
6
7
8
9
10
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:df:e2:a7, IPv4: 192.168.26.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.26.1 00:50:56:c0:00:08 VMware, Inc.
192.168.26.2 00:50:56:e8:d4:e1 VMware, Inc.
192.168.26.170 00:0c:29:8f:47:15 VMware, Inc.
192.168.26.254 00:50:56:e0:6d:ff VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.679 seconds (95.56 hosts/sec). 4 responded
端口扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
└─# nmap -p- -sC -sV 192.168.26.170
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-17 20:24 EST
Nmap scan report for 192.168.26.170 (192.168.26.170)
Host is up (0.0011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Hotel
MAC Address: 00:0C:29:8F:47:15 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.69 seconds
获取webshell
目录扫描
可以去web页面查看一下内容
挨个页面查看应该有线索
存在2个发送界面,测试一下没有什么线索,需要进一步测试
存在域名部分,扫一下子域名
为啥不能访问,缺点东西
用火狐是这个样子
发现是代理没关,整半天。
发现服务版本,可以查一手
一个python脚本可以直接利用
发现有了命令回显,这里可以自己注入一下
有点问题
发现已经注入了,所以应该这样使用
提权
但是没有密码不知道是否是这个提权root
没有找到有用的部分
利用工具进行一下
多了个特殊的权限配置
可以假装uid
可以读取文件,这玩意单纯试出来的,算是一个积累吧
这样是正确的读取示例,
到这里靶场复盘结束
userflag:afa84b24191651454e5d2a80bc930618
rootflag:1261b7a8c3b99b0daded8caca8b4023d
This post is licensed under CC BY 4.0 by the author.