HA: Joker

Description

This lab is going to introduce a little anarchy. It will upset the established order, and everything will become chaos. Get your face painted and wear that Purple suit because it’s time to channel your inner Joker. This is a boot2root lab. Getting the root flag is the ultimate goal.
ENUMERATION IS THE KEY!!!!!

Write-up

hausa@debian:~$ fping -asg 172.16.1.1/24
172.16.1.1
172.16.1.134

hausa@debian:~$ nmap -A -p 1-65535 172.16.1.134
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 05:21 EDT
Nmap scan report for bogon (172.16.1.134)
Host is up (0.0034s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ad:20:1f:f4:33:1b:00:70:b3:85:cb:87:00:c4:f4:f7 (RSA)
| 256 1b:f9:a8:ec:fd:35:ec:fb:04:d5:ee:2a:a1:7a:4f:78 (ECDSA)
|_ 256 dc:d7:dd:6e:f6:71:1f:8c:2c:2c:a1:34:6d:29:99:20 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA: Joker

8080/tcp open http Apache httpd 2.4.29
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Please enter the password.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 401 Unauthorized
Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 is pretty cool: lots of Joker quotes.
Port 8080 is a login page.

hausa@debian:~/tools/dirsearch$ python3 dirsearch.py -u 172.16.1.134 -e *
……
[05:26:54] 200 – 6KB – /index.html
[05:26:55] 200 – 94KB – /phpinfo.php
……

Checked phpinfo(); nothing useful in it.

Tried brute-forcing the login on port 8080.
Result: joker:hannah
Joomla again... the one I can never get a shell out of.
The login page has the weak credential joomla:joomla.
Modified a template and got command execution:
172.16.1.134:8080/templates/beez3/index.php?hausa=ls
As usual, I couldn't get a reverse shell back.
Brother line gave me a pointer: using 172.16.1.1 the shell came back. I had always assumed vmnet1 and the host were not the same thing...
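The two web-side steps above (a basic-auth brute force against the protected vhost on 8080, then direct requests to a PHP file under /templates/ with a command in the query string) both leave a clear trace in the Apache access log. Below is an added detection example, not part of the original write-up: it parses combined-format log lines, flags a client that racks up 401s and then gets a 200 with a username, and flags any direct request to a template PHP file that carries a query string. The log lines, IPs, timestamps and the 401 threshold are constructed for the example.

```python
"""Detection for the access log of the :8080 Joomla vhost.

Added example, not from the write-up. The log lines below are constructed
in Apache "combined" format; IPs, timestamps and the threshold are made up.
"""
import re
from collections import Counter

# Constructed sample: five 401s from one client, then a 200 with a user
# (successful guess), then direct hits on a template PHP file with a query.
SAMPLE_LOG = """\
192.168.56.20 - - [02/Sep/2020:05:30:01 -0400] "GET / HTTP/1.1" 401 381 "-" "python-requests/2.24"
192.168.56.20 - - [02/Sep/2020:05:30:01 -0400] "GET / HTTP/1.1" 401 381 "-" "python-requests/2.24"
192.168.56.20 - - [02/Sep/2020:05:30:02 -0400] "GET / HTTP/1.1" 401 381 "-" "python-requests/2.24"
192.168.56.20 - - [02/Sep/2020:05:30:02 -0400] "GET / HTTP/1.1" 401 381 "-" "python-requests/2.24"
192.168.56.20 - - [02/Sep/2020:05:30:03 -0400] "GET / HTTP/1.1" 401 381 "-" "python-requests/2.24"
192.168.56.20 - joker [02/Sep/2020:05:30:03 -0400] "GET / HTTP/1.1" 200 5120 "-" "python-requests/2.24"
192.168.56.30 - joker [02/Sep/2020:05:41:10 -0400] "GET /administrator/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.168.56.20 - joker [02/Sep/2020:05:48:44 -0400] "GET /templates/beez3/index.php?hausa=ls HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.56.20 - joker [02/Sep/2020:05:48:59 -0400] "GET /templates/beez3/index.php?hausa=id HTTP/1.1" 200 77 "-" "Mozilla/5.0"
192.168.56.30 - joker [02/Sep/2020:05:50:00 -0400] "GET /templates/beez3/css/template.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [ts] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# A PHP file directly under a template directory, requested with a query
# string. Normal Joomla traffic never calls these files this way.
TEMPLATE_PHP_RE = re.compile(r'^/templates/[^/]+/.*\.php\?(?P<query>.+)$')


def parse_line(line):
    """Return the fields of one log line as a dict, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, threshold=5):
    """Clients with >= threshold 401s; records the first username that got
    a 200 *after* the client had already crossed the threshold."""
    failures = Counter()
    success_user = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] == 401:
            failures[rec["ip"]] += 1
        elif (rec["status"] == 200 and rec["user"] != "-"
              and failures[rec["ip"]] >= threshold):
            success_user.setdefault(rec["ip"], rec["user"])
    return {ip: {"failures": n, "success_user": success_user.get(ip)}
            for ip, n in failures.items() if n >= threshold}


def find_template_exec(lines):
    """Direct requests to template PHP files carrying a query string."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        m = TEMPLATE_PHP_RE.match(rec["path"])
        if m:
            hits.append({"ip": rec["ip"], "path": rec["path"],
                         "query": m.group("query")})
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, info in find_bruteforce(lines).items():
        print(f"[brute force] {ip}: {info['failures']} x 401, "
              f"then authenticated as {info['success_user']}")
    for h in find_template_exec(lines):
        print(f"[template exec] {h['ip']} -> {h['path']}")
```

Point the script at a real log by replacing SAMPLE_LOG with the file contents; the template rule is deliberately broad (any query string), because a legitimate Joomla install serves its templates through index.php at the site root, not by direct requests into /templates/.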

lxd privilege escalation
cat /usr/share/exploitdb/exploits/linux/local/46978.sh
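The lxd route only works for an account that is already a member of the lxd group, so the cheapest fix on a box like this is to find and remove such memberships. Below is an added audit example, not part of the write-up or of the exploit-db script: it parses /etc/group, reports non-root members of groups that are effectively root-equivalent, and prints the gpasswd command that removes each membership. The group file content and the user name alice are constructed; the list of watched groups besides lxd is an assumption about common Linux setups.

```python
"""Audit /etc/group for memberships that are effectively root.

Added example, not from the write-up. SAMPLE_GROUP_FILE is constructed;
pass a path on the command line to audit a real file.
"""
import sys

# Groups whose members can typically reach root without a password prompt.
# lxd is the one that matters for this box; the others are assumptions.
ROOT_EQUIVALENT_GROUPS = {
    "lxd": "can launch a privileged container that mounts the host filesystem",
    "docker": "can run a container with the host filesystem bind-mounted",
    "disk": "raw read/write access to block devices",
}

# Constructed sample: one ordinary user (alice) sitting in the lxd group.
SAMPLE_GROUP_FILE = """\
root:x:0:
adm:x:4:syslog,alice
sudo:x:27:
disk:x:6:
lxd:x:108:alice
docker:x:999:
"""


def parse_group_file(text):
    """Map group name -> list of member names (the 4th field of /etc/group)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4:
            continue  # malformed line, skip rather than guess
        name, _pw, _gid, members = parts
        groups[name] = [m for m in members.split(",") if m]
    return groups


def audit(groups, watch=ROOT_EQUIVALENT_GROUPS):
    """Return one finding per non-root member of a watched group."""
    findings = []
    for group, why in watch.items():
        for user in groups.get(group, []):
            if user != "root":
                findings.append({
                    "user": user,
                    "group": group,
                    "why": why,
                    "fix": f"gpasswd -d {user} {group}",
                })
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_GROUP_FILE
    for f in audit(parse_group_file(text)):
        print(f"{f['user']} in {f['group']}: {f['why']}  ->  {f['fix']}")
```

Note that group changes only take effect on the next login; an already-open session keeps its supplementary groups until the user logs out.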