search

digitalworld.local BRAVERY

https://download.vulnhub.com/digitalworld/bravery-improved.7z.torrent

靶场IP:192.168.32.203

扫描对外端口服务

┌──(root💀kali)-[/tmp]
└─# nmap -p 1-65535 -sV  192.168.32.203
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-05 22:13 EDT
Nmap scan report for 192.168.32.203
Host is up (0.00051s latency).
Not shown: 65522 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
53/tcp    open  domain      dnsmasq 2.76
80/tcp    open  http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
111/tcp   open  rpcbind     2-4 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp   open  ssl/http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2049/tcp  open  nfs_acl     3 (RPC #100227)
3306/tcp  open  mysql       MariaDB (unauthorized)
8080/tcp  open  http        nginx 1.12.2
20048/tcp open  mountd      1-3 (RPC #100005)
45062/tcp open  nlockmgr    1-4 (RPC #100021)
55372/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:34:0B:BA (VMware)
Service Info: Host: BRAVERY

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.87 seconds

查看nfs

挂载nfs目录

枚举共享目录

image-20220906102112593

使用之前的密码(qwertyuioplkjhgfdsazxcvbnm)登录共享目录

使用David用户访问secured目录

查看三个文件,找到三个路径

image-20220906103112147

访问/developmentsecretpage

image-20220906103138914

访问/devops/directortestpagev1.php

image-20220906103206446

访问/genevieve/

image-20220906103243535

查看目录,找到Cuppa CMS

image-20220906103413100

查找漏洞版本

exp

image-20220906103710819

RFI反弹shell

QQ录屏20220906104051

寻找文件

查看suid

创建密码

查看靶场的passwd文件,并在本地编辑新增用户,给靶场下载覆盖

image-20220906105353158

提权成功

image-20230208134643616
上一页DEVRANDOM SLEEPY下一页digitalworld.local DEVELOPMENT

最后更新于