下载地址
靶场简介
![图片[1]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595492780.jpg)
5个用户
初始shell:简单
提升特权:中级
提示:枚举是关键
启动环境
VMware打开即可,自动分配好IP
![图片[2]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595493052.jpg)
信息收集
![图片[3]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595493171.jpg)
发现目标只开启了22和80
去访问80看看
![图片[4]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595493426.jpg)
只有这张图片,去爆破下目录看看有什么收获
![图片[5]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595493466.jpg)
发现使用了joomla目录,访问目录后确认使用joomla内容管理系统
我默默的掏出joomlascan
![图片[6]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595493795.jpg)
发现了Joomla version=3.7.3rc1 一边寻找可利用的exp一边看目录
有一个登录页面
![图片[7]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595509260.jpg)
无法通过枚举用户名从而爆破密码
![图片[8]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595509364.jpg)
开始尝试撞库
还发现有一个index.php
![图片[9]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595509943.jpg)
一段小丑与警察的对话,还有一段亚瑟与精神科医生的对话
撞库登录
撞库无果后我又试着将index.php中的信息用cewl做成字典进行尝试
![图片[10]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595510366.png)
![图片[11]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595510375.png)
没想到它成了!
Get Shell
登录后是Super User,直接去get shell
![图片[12]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595510508.png)
![图片[13]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595510580.jpg)
![图片[14]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595510592.png)
![图片[15]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595510661.png)
读取configuration.php
![图片[16]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595510752.png)
再去看下能不能读取/etc/passwd
![图片[17]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595511614.png)
可以读,接下来尝试登录数据库,读取数据库数据
先获取一个交互式外壳(不小心把terminal关掉了,重新连一下)
![图片[18]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595510991.png)
连接数据库
![图片[19]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595511670.png)
![图片[20]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595511678.png)
![图片[21]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595511689.png)
![图片[22]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595511696.png)
发现一共6个账户密码,先记录一下
通过比对/etc/passwd ,发现rob用户可利用,顺手把rob的密码解出来
![图片[23]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595511825.png)
SSH登录
目标开启了22端口,尝试用ssh去登录rob
![图片[24]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595511903.png)
成功登录
看看有什么线索
![图片[25]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595512026.png)
- Abnerineedyourhelp 文件名断句分析 Abner I need your help 像是一封求助信,打开后看到经过了某种编码加密,从一封信的角度来看,对内容做隐藏让我想到了ROT13
-
Howtoberoot 听名字就知道,这应该是提升权限的一个关键点,上面第一个文件应该给到了提示
-
User.txt 应该是第一个flag
线索解密
![图片[26]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595512166.png)
解密后发现重要信息在第二段:某人向我求助,并给了我一个密码,告诉我它可以帮助我解决难题。
将最后一行字符解码获取真正的密码
![图片[27]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595512349.png){kind=small}
切换Abner登录
![图片[28]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595512549.png)
WTF?
又翻回去看了一眼/etc/passwd ,A小写
![图片[29]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595512611.png)
看看有什么新的线索
![图片[30]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595512650.png)
拿到了第二个flag,但是这个info.txt也没有什么指引,线索到这里就断了
整理思路,重新来过
返回一开始的路径下翻目录(浪费了好多时间,挠头掉了不少头发),还是没有发现
最后怀疑是不是又隐藏文件被忽略掉了,果然发现了一个zip包
![图片[31]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595513111.png)
解压
![图片[32]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595513233.png)
还有密码?难道需要爆破?
发现环境中安装了python,get到本地尝试爆破(无果)
重新审题,翻看之前的线索(提示)
尝试使用留言中说到可以帮我解决难题的密码解压
![图片[33]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595513578.png)
![图片[34]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595513586.png)
又获取到了一串密码,应该是提示中penguin的密码
![图片[35]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595513729.png)
![图片[36]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595514361.png)
![图片[37]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595513821.png)
这个提示意思是要提权到root
一说到root脑子就发热,之前发现又python环境,直接上传脚本检测、提权,结果没打成功
又上传了一个pspy帮我分析
![图片[38]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595514212.png)
![图片[39]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595514395.png)
又忽略了一个隐藏文件,我裂开了
提权
利用python反弹shell提权成功
![图片[40]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595514664.png)
kali中nc监听端口
再运行一下pspy
![图片[41]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595514783.png){kind=small}
![图片[42]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595514796.png)
![图片[43]-Vulnhub-GlasgowSmile_1.1-Walkthrough – 作者:kakaka-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20200723/1595514834.png)
提权成功,到此拿到了所有flag。
写在最后
第一次发文章在buff上,重点在于记录靶场练习的过程,写的不好勿喷,大佬勿喷。Orz!
来源:freebuf.com 2020-07-24 00:26:24 by: kakaka
请登录后发表评论
注册