HA Joker Vulnhub Walkthrough

時間 2019-11-08

標籤 joker vulnhub walkthrough 简体版

原文原文鏈接

下載地址：php

https://www.vulnhub.com/entry/ha-joker,379/html

主機掃描：python

╰─ nmap -p- -sV -oA scan 10.10.202.132
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-23 11:53 CST
Nmap scan report for 10.10.202.132
Host is up (0.0014s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
8080/tcp open http Apache httpd 2.4.29
MAC Address: 00:0C:29:6E:95:65 (VMware)
Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernellinux

http://10.10.202.132/git

目錄枚舉：github

╰─ python3 dirsearch.py -u http://10.10.202.132/ -e .txt,php,json,htmlweb

經過以上可得到網站跟路徑shell

使用dirb 工具繼續探測下目錄json

╰─ dirb http://10.10.202.132/ -X .txt,php,json,htmlubuntu

+ http://10.10.202.132/secret.txt (CODE:200|SIZE:320)

http://10.10.202.132/secret.txt

Batman hits Joker.
Joker: "Bats you may be a rock but you won't break me." (Laughs!)
Batman: "I will break you with this rock. You made a mistake now."
Joker: "This is one of your 100 poor jokes, when will you get a sense of humor bats! You are dumb as a rock."
Joker: "HA! HA! HA! HA! HA! HA! HA! HA! HA! HA! HA! HA!"

http://10.10.202.132:8080

joker/123456

密碼錯誤，這裏使用burp進行爆破

登陸後臺是joomla 的CMS

經過模板編輯獲取shell

編輯index.php文件獲取webshell

本地監聽1234端口，訪問主頁面獲取shell

提權操做

這裏使用LXD 來提高權限

本地先編譯好alpine，而後再使用

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

靶機操做